Jason Dion's Practice Exam 3 of 5


Which level of logging should you configure on a Cisco device to be notified whenever it shuts down due to a failure? A.0 B.2 C.5 D.7

A.0 Explanation OBJ-1.2: Cisco log levels range from 0 for emergencies to 7 for debugging. Level 0 is for emergencies, such as when the system is unusable (for example, a device shutting down due to failure). Level 1 is an alert where immediate action is needed. Level 2 is critical. Level 3 is used to log errors. Level 4 is used to log warnings. Level 5 is used to log notifications, which are normal but significant conditions. Level 6 is used to log informational messages only. Level 7 is used to log debugging information. (On Cisco IOS the default is level 7, debugging, for console and buffered logging, and level 6, informational, for syslog trap logging.) Any message whose severity number is at or below the configured level will be logged. For example, setting logging to level 7 would log everything listed above, but setting logging to level 1 would only log emergency and alert conditions.
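The "at or below the configured level" rule is easy to get backwards, so here is an added example (not part of the practice exam) that pulls the severity out of the %FACILITY-SEVERITY-MNEMONIC tag of Cisco IOS syslog lines and shows which of a constructed sample buffer a given logging trap level would forward. The log lines are constructed; the mnemonics are real IOS ones except ENVM-0-SHUTDOWN, which is invented here to stand in for a level-0 shutdown message.

```python
import re

# Cisco IOS severity levels, 0 (most severe) to 7 (least severe).
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# IOS system messages carry the severity in their %FACILITY-SEVERITY-MNEMONIC tag.
MSG_TAG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")


def parse_severity(line):
    """Return (facility, severity, mnemonic) for a Cisco syslog line, or None if no tag is present."""
    m = MSG_TAG.search(line)
    if m is None:
        return None
    return m.group("facility"), int(m.group("severity")), m.group("mnemonic")


def forwarded_at_level(lines, configured_level):
    """Messages a device configured with 'logging trap <configured_level>' would send.

    IOS forwards every message whose severity number is less than or equal to the
    configured level, so level 0 yields emergencies only and level 7 yields everything.
    """
    if not 0 <= configured_level <= 7:
        raise ValueError("Cisco logging levels run from 0 to 7")
    kept = []
    for line in lines:
        parsed = parse_severity(line)
        if parsed is not None and parsed[1] <= configured_level:
            kept.append(line)
    return kept


def count_by_severity(lines):
    """Histogram of severities, useful for spotting a device that is only sending level 6 and 7 noise."""
    counts = dict.fromkeys(SEVERITY_NAMES, 0)
    for line in lines:
        parsed = parse_severity(line)
        if parsed is not None:
            counts[parsed[1]] += 1
    return counts


# Constructed sample buffer (not a real capture).
SAMPLE_LOG = [
    "000123: *Mar  1 00:10:01.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "000124: *Mar  1 00:10:09.555: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "000125: *Mar  1 00:10:10.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "000126: *Mar  1 00:11:42.200: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(44112) -> 10.0.0.20(22), 1 packet",
    "000127: *Mar  1 00:12:00.000: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x60ABCDEF, pool Processor",
    "000128: *Mar  1 00:12:30.000: %ENVM-0-SHUTDOWN: Environmental monitor initiated shutdown",  # invented mnemonic
]

if __name__ == "__main__":
    for level in (0, 1, 3, 7):
        print("logging trap %d (%s): %d of %d messages forwarded"
              % (level, SEVERITY_NAMES[level], len(forwarded_at_level(SAMPLE_LOG, level)), len(SAMPLE_LOG)))
```

With the sample buffer, level 0 forwards only the shutdown message, level 3 forwards the shutdown, the memory failure and the link-down, and level 7 forwards all six.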

Which of the following provides a standard nomenclature for describing security-related software flaws? A.CVE B.SOX C.SIEM D.VPC

A.CVE Explanation OBJ-2: Common Vulnerabilities and Exposures (CVE) is an element of the Security Content Automation Protocol (SCAP) that provides a standard nomenclature for describing security flaws or vulnerabilities. A SIEM is a solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications. A VPC is a private network segment made available to a single cloud consumer on a public cloud. The Sarbanes-Oxley Act (SOX) dictates requirements for the storage and retention of documents relating to an organization's financial and business operations, including the type of documents to be stored and their retention periods.

An analyst's vulnerability scanner did not have the latest set of signatures installed. Due to this, several unpatched servers may have vulnerabilities that were undetected by their scanner. You have directed the analyst to update their vulnerability scanner with the latest signatures at least 24 hours before conducting any scans, but the results of their scans still appear to be the same. Which of the following logical controls should you use to address this situation? A.Create a script to automatically update the signatures every 24 hours B.Ensure the analyst manually validates that the updates are being performed as directed C.Test the vulnerability remediations in a sandbox before deploying them into production D.Configure the vulnerability scanners to run in credentialed mode

A.Create a script to automatically update the signatures every 24 hours Explanation OBJ-2: Since the analyst appears not to be installing the latest vulnerability signatures according to your instructions, it would be best to create a script and automate the process to eliminate human error. The script will ensure that the latest signatures are downloaded and installed in the scanner every 24 hours without any human intervention. While you may want the analyst to manually validate that the updates were performed as part of their procedures, this is still error-prone and likely not to be conducted properly. Regardless of whether the scanners are run in uncredentialed or credentialed mode, they will still miss vulnerabilities if they are using out-of-date signatures. Finally, testing the vulnerability remediations in a sandbox is a good suggestion, but it won't solve this scenario since we are concerned with the scanning portion of vulnerability management and not remediation in this question.

You have just run the following commands on your Linux workstation:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
DionTraining:~ root# ls
Names.txt
DionTraining:~ root# more Names.txt
DION
DIOn
DIon
Dion
dion
DionTraining:~ root# grep -i DION Names.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following options would be included as part of the output for the grep command issued? (SELECT ALL THAT APPLY) A.DION B.DIOn C.DIon D.Dion E.dion

A.DION B.DIOn C.DIon D.Dion E.dion Explanation OBJ-1: grep (global regular expression print) is one of the most powerful search tools in Linux. The general syntax for the grep command is "grep [options] pattern [files]". The command searches within the specified files (in this case, the Names.txt file). When the command is issued with the -i flag, it treats the specified pattern as case insensitive. Therefore, all uppercase and lowercase variations of the word "DION" in the file will be displayed as the output of the command. By default, grep is case sensitive, so "grep DION Names.txt" would only display "DION" and ignore the other variations. As a cybersecurity analyst, grep is one of your most important tools, since you can use regular expressions (regex) with it to find indicators of compromise within your log files quickly.

An analyst is reviewing the configuration of a triple-homed firewall that connects to the internet, a private network, and one other network. Which of the following would best describe the third network connected to this firewall? A.DMZ B.Subnet C.NIDS D.GPO

A.DMZ Explanation OBJ-1.3: A triple-homed firewall connects to three networks: internal (private), external (internet/public), and the demilitarized zone (DMZ). The DMZ network hosts systems that require access from external hosts. A Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system looks like and how it behaves for a defined group of users. A network intrusion detection system (NIDS) is a system that attempts to detect hacking activities, denial of service attacks, or port scans on a computer network or a computer itself. A subnet is a logical subdivision of an IP network.

You identified a critical vulnerability in one of your organization's databases. You researched a solution, but it will require the server to be taken offline during the patch installation. You have received permission from the Change Advisory Board to implement this emergency change at 11 pm once everyone has left the office. It is now 3 pm. What action(s) should you take now to best prepare for implementing this evening's change? (SELECT ALL THAT APPLY) A.Ensure all stakeholders are informed of the planned outage B.Document the change in the change management system C.Take the server offline at 10 pm in preparation for the change D.Identify any potential risks associated with installing the patch E.Take the opportunity to install a new feature pack that has been requested F.Validate the installation of the patch in a staging environment

A.Ensure all stakeholders are informed of the planned outage B.Document the change in the change management system D.Identify any potential risks associated with installing the patch F.Validate the installation of the patch in a staging environment Explanation OBJ-2: You should send out a notification to the key stakeholders to ensure they are aware of the planned outage this evening. You should test and validate the patch in a staging environment prior to installing it on the production server. You should identify any potential risks associated with installing this patch. You should also document the change in the change management system. You should not take the server offline before your change window begins at 11 pm, as this could affect users who are relying on the system. You should not take this opportunity to install any additional software, features, or patches unless you have received approval from the Change Advisory Board (CAB).

A vulnerability scanner has reported that a vulnerability exists on the system. Upon validation of the report, the analyst determines that this reported vulnerability does not exist on the system. What is the proper term for this situation? A.False positive B.False negative C.True positive D.True negative

A.False positive Explanation OBJ-2: A false positive occurs when a vulnerability is detected by a scanner, but the vulnerability does not actually exist on the scanned system. A true positive occurs when a vulnerability is detected by a scanner and the vulnerability exists on the scanned system. A true negative occurs when a vulnerability is not detected by a scanner because the vulnerability does not exist on the scanned system. A false negative occurs when a vulnerability is not detected by a scanner, but the vulnerability does actually exist on the scanned system.

You have just received some unusual alerts on your SIEM dashboard and want to collect the payloads associated with them. Which of the following should you implement to effectively collect these malicious payloads that the attackers are sending towards your systems without impacting your organization's normal business operations? A.Honeypot B.Jumpbox C.Sandbox D.Containerization

A.Honeypot Explanation OBJ-1.3: A honeypot is a host set up with the purpose of luring attackers away from the actual network components and/or discovering attack strategies and weaknesses in the security configuration. A jumpbox is a hardened server that provides access to other hosts. A sandbox is a computing environment that is isolated from a host system to guarantee that the environment runs in a controlled, secure fashion. Containerization is a type of virtualization applied by a host operating system to provision an isolated execution environment for an application.

Nicole's organization does not have the budget or staff to conduct 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. Which of the following services or providers would be best suited for this role? A.MSSP B.IaaS C.PaaS D.SaaS

A.MSSP Explanation OBJ-1: A managed security service provider (MSSP) provides security as a service (SECaaS). IaaS, PaaS, and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part of their core service offerings. Security as a service or a managed service provider (MSP) would be better suited for this role.

In a CVSS metric, which of the following is NOT one of the factors that comprise the base score for a given vulnerability? A.Access vector B.Authentication C.Access complexity D.Availability

B.Authentication Explanation OBJ-2: In CVSS v3.1, the base score comprises 8 metrics: Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), Scope (S), Confidentiality (C), Integrity (I), and Availability (A). Authentication (Au) was a base metric in CVSS v2, alongside the v2 names Access Vector and Access Complexity; in v3 it was replaced by Privileges Required and is no longer part of the base score.

Your organization's primary operating system vendor just released a critical patch for your servers. Your system administrators have recently deployed this patch and verified the installation was successful. This critical patch was designed to remediate a vulnerability that can allow a malicious actor to remotely execute code on the server over the Internet. You ran a vulnerability scan of the network and determined that all of the servers are still being reported as having the vulnerability. You verified all your scan configurations are correct. Which of the following might be the reason that the scan report is still showing the servers as vulnerable? (SELECT ALL THAT APPLY) A.The vulnerability assessment scan is returning a false positive B.The critical patch did not remediate the vulnerability C.You conducted the vulnerability scan without waiting long enough after the patch was installed D.The wrong IP address range was scanned during your vulnerability assessment

A.The vulnerability assessment scan is returning a false positive B.The critical patch did not remediate the vulnerability Explanation OBJ-2: There are two reasonable choices presented: (1) the vulnerability assessment scan is returning a false positive, or (2) the critical patch did not remediate the vulnerability. It is impossible to know which based on the description in the question. If the patch was installed successfully, as the question states, then it is possible that the critical patch was coded incorrectly and did not actually remediate the vulnerability. While most operating system vendors test their patches prior to release to prevent this, extremely critical patches are sometimes rushed into production and do not remediate the vulnerability on all systems. When this occurs, the vendor will release a subsequent patch that fixes the issue and supersedes the original. The other option is that the vulnerability assessment tool is returning a false positive. This can occur when the check used to detect the vulnerability is too specific or too generic to determine whether the system was actually patched, for example when it keys on a banner or version string that the patch does not change. The other options are incorrect: you do not have to wait a set period of time after installation before scanning, and since you have verified the scan configuration, the same IP range is being scanned both times.

You have noticed some unusual network traffic outbound from a certain host. The host is communicating with a known malicious server over port 443 using an encrypted TLS tunnel. You ran a full system anti-virus scan of the host with an updated anti-virus signature file, but the anti-virus did not find any signs of infection. Which of the following has MOST likely occurred? A.Zero-day attack B.Password spraying C.Session hijacking D.Directory traversal

A.Zero-day attack Explanation OBJ-1: Since you scanned the system with the latest anti-virus signatures and did not find any signs of infection, this is most likely evidence of a zero-day attack. There is a clear sign of compromise (the TLS tunnel being established to a known malicious server), yet the anti-virus has no signature for this particular malware variant. Password spraying occurs when an attacker tries to log in to multiple different user accounts with the same compromised password. Session hijacking is the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. Based on the scenario, it doesn't appear to be session hijacking since the user would not normally attempt to connect to a malicious server. Directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server's root directory. A directory traversal is usually indicated by a dot dot slash (../) in the URL being attempted.

Which tool would allow you to identify the operating system of a target by analyzing the responses received from the TCP/IP stack? A.nmap B.dd C.scanf D.msconfig

A.nmap Explanation OBJ-1: The nmap tool can be used to identify the operating system of a target by analyzing the responses received from the TCP/IP stack. Identification of the operating system relies on differences in how operating systems and operating system versions respond to a query, what TCP options they support, what order they send the packets in, and other details that, when combined, can provide a reasonably unique fingerprint for a given TCP stack.

A cybersecurity analyst is attempting to perform an active reconnaissance technique to audit their company's security controls. Which DNS assessment technique would be classified as active? A.A DNS forward to reverse lookup B.A Zone transfer C.A whois query D.Using maltego

B.A Zone transfer Explanation OBJ-1: A DNS zone transfer, also known by the DNS query type that requests it, AXFR, is a type of DNS transaction. It is one of the mechanisms available to administrators for replicating DNS databases across a set of DNS servers. Requesting a zone transfer sends queries directly to the target's name servers, so it is an active technique. Performing a whois query is a passive reconnaissance technique that queries the databases storing the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system number. DNS forward and reverse lookups resolve names to IP addresses and IP addresses to names; when they are issued through public resolvers rather than the target's own servers, they are treated as a passive technique. Maltego is an application used for open-source intelligence and forensics. It provides a library of transforms for discovering data from open sources and visualizing that information in a graph format suitable for link analysis and data mining. It collects this information passively, since it can acquire it from whois servers, public DNS servers, or even the emails and hostnames one can gather with theHarvester.
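An AXFR request is an ordinary DNS question with QTYPE 252 sent over TCP, and a correctly configured server answers it with REFUSED (rcode 5) or NOTAUTH. The following added example (not part of the practice exam) builds that request byte for byte and inspects a response header to decide whether the server is leaking its zone. The zone name example.com and both sample responses are constructed here rather than captured, and the "leaking" response carries only a header claiming three answer records, no actual record data.

```python
import struct

QTYPE_AXFR = 252          # RFC 5936: zone transfer query type
QCLASS_IN = 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Encode a domain name as DNS labels (RFC 1035 section 3.1)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_axfr_query(zone, txid=0x1234):
    """AXFR request as sent over TCP: 2-byte length prefix + DNS message.

    Flags are 0x0000 (standard query, RD clear): the transfer is requested from
    the authoritative server itself, not through a recursive resolver.
    """
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    message = header + question
    return struct.pack("!H", len(message)) + message


def parse_response_header(tcp_payload):
    """Pull the fields an analyst cares about out of a TCP-framed DNS response."""
    (length,) = struct.unpack("!H", tcp_payload[:2])
    message = tcp_payload[2:2 + length]
    if len(message) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", message[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),      # QR bit
        "authoritative": bool(flags & 0x0400),    # AA bit
        "rcode": RCODES.get(rcode, "RCODE%d" % rcode),
        "answers": ancount,
    }


def zone_transfer_allowed(tcp_payload):
    """True when the server answered the AXFR with records instead of REFUSED/NOTAUTH."""
    r = parse_response_header(tcp_payload)
    return r["is_response"] and r["rcode"] == "NOERROR" and r["answers"] > 0


def _framed(message):
    return struct.pack("!H", len(message)) + message


# Constructed sample responses (not real captures): header + echoed question only.
QUESTION = encode_name("example.com") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
# QR=1, AA=1, RCODE=5 (REFUSED): transfer restricted by an allow-transfer ACL.
REFUSED_RESPONSE = _framed(struct.pack("!HHHHHH", 0x1234, 0x8405, 1, 0, 0, 0) + QUESTION)
# QR=1, AA=1, RCODE=0 with ANCOUNT=3: a misconfigured server handing out the zone
# (the records themselves are omitted here; only the header is inspected).
LEAKING_RESPONSE = _framed(struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 3, 0, 0) + QUESTION)

if __name__ == "__main__":
    print(build_axfr_query("example.com").hex())
    print("refused:", parse_response_header(REFUSED_RESPONSE))
    print("allowed?", zone_transfer_allowed(REFUSED_RESPONSE), zone_transfer_allowed(LEAKING_RESPONSE))
```

To use it against a real server you would open a TCP socket to port 53 of the target's authoritative name server, send build_axfr_query(zone), read the first framed message and feed it to zone_transfer_allowed; the query does reach the target, which is exactly why the exam classes this technique as active.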

You are reverse engineering a malware sample using the Strings tool when you notice the code inside appears to be obfuscated. You look at the following line of output on your screen:
-=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=-
ZWNobygiSmFzb24gRGlvbiBjcmVhdGVkIHRoaXMgQ29tcFRJQSBDeVNBKyBwcmFjdGljZSBleGFtIHF1ZXN0aW9uLiBJZiB5b3UgZm91bmQgdGhpcyBxdWVzdGlvbiBpbiBzb21lb25lIGVsc2UncyBjb3Vyc2UsIHRoZXkgc3RvbGUgaXQhIik7=
-=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=-
Based on the output above, which of the following methods do you believe the attacker used to prevent their malicious code from being easily read or analyzed? A.QR coding B.Base64 C.XML D.SQL

B.Base64 Explanation OBJ-1.4: While there are many different formats used by attackers to obfuscate their malicious code, Base64 is by far the most popular. If you see a string like the one above, you can attempt to decode it with a Base64 decoder; prefer a local tool such as base64 -d or a locally run copy of CyberChef over a public web decoder, since pasting artifacts from a live investigation into third-party sites can leak them. In fact, I recommend you copy the string above and decode it to see how easy it is to reverse a standard Base64 encoded message. Some more advanced attackers will also use XOR and a key shift in combination with Base64 to encode the message and make it harder to decode, but a tool like CyberChef can help you decode those as well. Structured Query Language (SQL) is used to communicate with a database. Extensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. SQL and XML are not considered obfuscation techniques. A QR code is a two-dimensional version of the barcode known from product packaging in the supermarket, and QR coding is the process of converting some kind of data into a single QR code. QR coding might be considered a form of obfuscation, but it is not what is shown in the example output provided in this question.
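Strings copied out of a dump often arrive with broken padding (the sample above ends in a stray "="), so a decoder that is strict about padding will reject exactly the blobs you want. This added example (not part of the practice exam) decodes the string from the question leniently, scans a constructed strings(1)-style dump for Base64 candidates, and brute-forces the single-byte XOR layer the explanation mentions. The strings dump, the XOR key 0x5A and the command text it hides are all constructed for the demonstration.

```python
import base64
import binascii
import re

# The obfuscated string from the question above, copied as printed (note the stray trailing "=").
SAMPLE = ("ZWNobygiSmFzb24gRGlvbiBjcmVhdGVkIHRoaXMgQ29tcFRJQSBDeVNBKyBwcmFjdGljZSBleGFtIHF1ZXN0aW9uLiBJZiB5b3Ug"
          "Zm91bmQgdGhpcyBxdWVzdGlvbiBpbiBzb21lb25lIGVsc2UncyBjb3Vyc2UsIHRoZXkgc3RvbGUgaXQhIik7=")

# Runs of Base64 alphabet long enough to be worth decoding (short runs are usually identifiers).
B64_CANDIDATE = re.compile(r"[A-Za-z0-9+/]{24,}={0,3}")


def decode_b64_lenient(text):
    """Decode Base64 that was copied out of a strings dump.

    Strips whitespace, discards whatever padding came along and re-pads to a
    multiple of 4 before decoding. Returns None when the text is not valid Base64.
    """
    cleaned = re.sub(r"\s+", "", text).rstrip("=")
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


def printable_ratio(data):
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def find_b64_candidates(strings_output):
    """Candidate blobs in strings-style output that decode to mostly printable text."""
    found = []
    for match in B64_CANDIDATE.finditer(strings_output):
        decoded = decode_b64_lenient(match.group(0))
        if decoded and printable_ratio(decoded) > 0.9:
            found.append(decoded)
    return found


def xor_single_byte(data, key):
    return bytes(b ^ key for b in data)


def score_english(data):
    """Crude plaintext heuristic: lowercase letters and spaces dominate shell and script text."""
    return sum(97 <= b <= 122 or b == 32 for b in data)


def bruteforce_xor_b64(blob):
    """Base64 wrapped around single-byte XOR: return (key, plaintext) with the best score."""
    raw = decode_b64_lenient(blob)
    if raw is None:
        return None
    return max(((k, xor_single_byte(raw, k)) for k in range(256)), key=lambda kv: score_english(kv[1]))


# Constructed layered sample: a command XORed with 0x5A, then Base64-encoded.
LAYERED_SAMPLE = base64.b64encode(xor_single_byte(b"cmd.exe /c whoami && net user", 0x5A)).decode()

# Constructed strings(1)-style dump containing the question's blob among PE noise.
STRINGS_DUMP = "\n".join([
    "!This program cannot be run in DOS mode.",
    ".text", ".rdata", "kernel32.dll", "GetProcAddress", "VirtualAlloc",
    SAMPLE,
    "ExitProcess",
])

if __name__ == "__main__":
    for blob in find_b64_candidates(STRINGS_DUMP):
        print("decoded:", blob.decode("ascii", "replace"))
    key, plain = bruteforce_xor_b64(LAYERED_SAMPLE)
    print("xor key 0x%02x ->" % key, plain)
```

The brute force works because a wrong key scrambles letters and spaces out of their byte ranges, so the true key wins the score by a wide margin; for longer or multi-byte keys you would move to frequency analysis, which CyberChef's XOR Brute Force operation automates.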

A vulnerability scan has returned the following results:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Detailed Results
10.56.17.21 (APACHE-2.4)
Windows Shares
Category: Windows
CVE ID: -
Vendor Ref: -
Bugtraq ID: -
Service Modified - 8.30.2017
Enumeration Results:
print$ c:\windows\system32\spool\drivers
files c:\FileShare\Accounting
Temp c:\temp
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What best describes the meaning of this output? A.There is an unknown bug in an Apache server with no Bugtraq ID B.Connecting to the host using a null session allows enumeration of the share names on the host C.Windows Defender has a known exploit that must be resolved or patched D.There is no CVE present, so this is a false positive caused by Apache running on a Windows server

B.Connecting to the host using a null session allows enumeration of the share names on the host Explanation OBJ-2: This is the result of a vulnerability scan that enumerated the open Windows shares on a Windows host running Apache 2.4. The enumeration results show three share names (print$, files, Temp) that were found using a null session connection. There is no CVE associated with this finding, but it is not a false positive; not all vulnerabilities have a CVE associated with them. Nothing in this output indicates anything concerning Windows Defender, so that is not the correct answer. Bugtraq IDs are a different type of identification number that SecurityFocus issued for vulnerabilities. Generally, if there is a CVE, there will also be a Bugtraq ID. The fact that both the CVE and Bugtraq ID fields are blank is not suspicious since we are dealing with a null session enumeration result.

Which of the following security controls provides Windows system administrators with an efficient way to deploy system configuration settings across a large number of devices? A.Patch management B.GPO C.HIPS D.Anti-malware

B.GPO Explanation OBJ-1.3: Microsoft's Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system will look like and how it will behave for a defined group of users. It allows an administrator to create a policy and deploy it across a large number of devices in the domain or network. Patch management, host intrusion prevention systems (HIPS), and anti-malware software are different types of host security controls, but only GPOs have the ability to configure settings across multiple Windows devices efficiently.

Which of the following types of scans are useful for probing firewall rules? A.TCP SYN B.TCP ACK C.TCP RST D.XMAS TREE

B.TCP ACK Explanation OBJ-1.2: TCP ACK scans can be used to determine what services are allowed through a firewall. An ACK scan sends TCP packets with only the ACK bit set. Whether ports are open or closed, the target is required to respond with a RST packet. Firewalls that block the probe usually make no response or send back an ICMP destination unreachable error. This distinction allows Nmap to report whether the ACK packets are being filtered. A TCP SYN scan can sometimes be used to determine what ports are filtered, but if the firewall is configured to drop packets for disallowed ports instead of sending a RST packet, then a TCP SYN scan will not be able to determine whether a firewall was there or the port was simply unavailable. A TCP RST packet is sent by a target in response to a TCP ACK scan, but a TCP RST is not a valid type of scan itself. An XMAS Tree scan sets the FIN, PSH, and URG flags in the TCP packet. This is a very noisy type of scan and not useful for probing firewall rules.
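The flag combinations and the response logic above are easier to reason about when you can build the probe and classify the reply yourself. This added example (not part of the practice exam, and not Nmap's code) packs a 20-byte TCP header with a chosen flag byte and a valid checksum, names the flags back from a header, and classifies a probe's reply using the response tables Nmap documents for -sA and -sS (RST means unfiltered for an ACK probe; no reply or an ICMP type 3 unreachable with code 0, 1, 2, 3, 9, 10 or 13 means filtered). The IP addresses and ports are constructed; the replies are built locally rather than captured.

```python
import struct

# TCP flag bits (byte 13 of the TCP header)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG          # the "Christmas tree" combination

# ICMP type 3 codes that Nmap reports as "filtered" for both -sA and -sS probes
ICMP_UNREACH_FILTERED = {0, 1, 2, 3, 9, 10, 13}


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_tcp_header(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, window=1024):
    """Minimal 20-byte TCP header (data offset 5, no options) with the given flags and a valid checksum."""
    def pack(cksum):
        return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, cksum, 0)
    pseudo = ip_to_bytes(src_ip) + ip_to_bytes(dst_ip) + struct.pack("!BBH", 0, 6, 20)
    cksum = inet_checksum(pseudo + pack(0)) or 0xFFFF   # a computed 0 is transmitted as 0xFFFF
    return pack(cksum)


def verify_tcp_checksum(src_ip, dst_ip, header):
    pseudo = ip_to_bytes(src_ip) + ip_to_bytes(dst_ip) + struct.pack("!BBH", 0, 6, len(header))
    return inet_checksum(pseudo + header) == 0


def tcp_flags(header):
    return header[13]


def flag_names(flags):
    names = (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG))
    return "|".join(n for n, bit in names if flags & bit) or "none"


def _icmp_filtered(response):
    return response[0] == "icmp" and response[1] == 3 and response[2] in ICMP_UNREACH_FILTERED


def classify_ack_probe(response):
    """Nmap -sA logic. response is None (timeout), ("tcp", header) or ("icmp", type, code)."""
    if response is None:
        return "filtered"
    if response[0] == "tcp" and tcp_flags(response[1]) & RST:
        return "unfiltered"
    if _icmp_filtered(response):
        return "filtered"
    return "unexpected"


def classify_syn_probe(response):
    """Nmap -sS logic: SYN/ACK open, RST closed, silence or ICMP unreachable filtered.

    Silence after a SYN looks the same whether a firewall dropped it or the host vanished,
    which is why the ACK probe, whose RST reply is mandatory, is the better rule-mapping tool.
    """
    if response is None:
        return "filtered"
    if response[0] == "tcp":
        f = tcp_flags(response[1])
        if f & SYN and f & ACK:
            return "open"
        if f & RST:
            return "closed"
    if _icmp_filtered(response):
        return "filtered"
    return "unexpected"


if __name__ == "__main__":
    probe = build_tcp_header("10.0.0.5", "203.0.113.10", 40000, 80, ACK)
    reply = build_tcp_header("203.0.113.10", "10.0.0.5", 80, 40000, RST)
    print("probe flags:", flag_names(tcp_flags(probe)), "checksum ok:", verify_tcp_checksum("10.0.0.5", "203.0.113.10", probe))
    print("ACK probe, RST back     ->", classify_ack_probe(("tcp", reply)))
    print("ACK probe, silence      ->", classify_ack_probe(None))
    print("ACK probe, ICMP 3/13    ->", classify_ack_probe(("icmp", 3, 13)))
    print("XMAS flags:", flag_names(XMAS))
```

Sending these headers requires a raw socket and an IP header in front of them; the point here is the flag byte and the reply interpretation, which is what the exam is testing.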

Your organization has recently migrated to a SaaS provider for its enterprise resource planning (ERP) software. Prior to this migration, a weekly port scan was conducted to help validate the security of the on-premise systems. Which of the following actions should you take to validate the security of the cloud-based solution? A.Utilize a different scanning tool B.Utilize vendor testing and audits C.Utilize a third-party contractor to conduct the scans D.Utilize a VPN to scan inside the vendor's security perimeter

B.Utilize vendor testing and audits Explanation OBJ-1.4: The best option is to utilize vendor testing and audits in a cloud-based environment. Most SaaS providers will not allow customers to conduct their own port scans or vulnerability scans against the SaaS service. This means you cannot scan using a VPN connection, utilize different scanning tools, or hire a third-party contractor to scan on your behalf.

Your company just launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system? A.Intrusion Detection System B.Whitelisting C.VPN D.MAC filtering

B.Whitelisting Explanation OBJ-1: By implementing whitelisting of the authorized IP addresses for the five largest vendors, they will be the only ones who will be able to access the webserver. This can be done by creating rules in the Access Control List (ACL) to deny ALL other users except these five vendors, thereby dropping a large number of requests from any other IP addresses, such as those from an attacker. Based on the description in the scenario, it appears like the system is under some form of denial of service attack, but by implementing a whitelist at the edge of the network and blackholing any traffic from IP addresses that are not whitelisted, the server will no longer be overwhelmed or perform slowly to respond to legitimate requests. MAC filtering is only applicable at layer 2 of the OSI model (which would not work for traffic being sent over the internet from your vendors to your server). A VPN is a reasonable solution to help secure the connection between the vendors and your systems, but it will not deal with the DoS condition being experienced. An intrusion detection system may detect the DoS condition, but an IDS cannot resolve the condition (whereas an IPS could).

Jay is replacing his organization's current vulnerability scanner with a new tool. As he begins to create the scanner's configurations and scanning policy, he notices a conflict in the settings recommended between different documents. Which of the following sources must Jay follow when trying to resolve these conflicts? A.NIST guideline documents B.Vendor best practices C.Corporate policy D.Configuration settings from the prior system

C.Corporate policy Explanation OBJ-2: Policies are formalized statements that apply to a specific area or task. Policies are mandatory and employees who violate a policy may be disciplined. Guidelines are general, non-mandatory recommendations. Best practices are considered procedures that are accepted as being correct or most effective, but are not mandatory to be followed. Configuration settings from the prior system could be helpful, but again, this is not a mandatory compliance area like a policy would be. Therefore, Jay should first follow the policy before the other three options if there is a conflict between them.

Trevor is responsible for conducting the vulnerability scans for his organization. His supervisor must produce a monthly report for the CIO that includes the number of open vulnerabilities. What process should Trevor use to ensure the supervisor gets the information needed for their monthly report? A.Create an account for the supervisor on the vulnerability scanner so they can run their own reports B.Run a report each month and then email it to his supervisor C.Create a custom report that is automatically emailed each month to the supervisor with the needed information

C.Create a custom report that is automatically emailed each month to the supervisor with the needed information Explanation OBJ-2: The best solution is to design a report that provides all the necessary information and configure the system to send it to the supervisor automatically each month. It is not good practice to create additional accounts on the vulnerability scanner beyond what is necessary, per the principle of least privilege. It is also inefficient for Trevor to run the reports each month and then have to email them to his supervisor. When possible, the use of automation should be encouraged.

Edward's bank recently suffered an attack where an employee made an unauthorized modification to a customer's bank balance. Which tenet of cybersecurity was violated by this employee's actions? A.Confidentiality B.Authentication C.Integrity D.Availability

C.Integrity Explanation OBJ-1.4: The CIA Triad is a security model that has been developed to help people think about various parts of IT security. Integrity ensures that no unauthorized modifications are made to the information. The attack described here violates the integrity of the customer's bank account balance. Confidentiality is concerned with unauthorized people seeing the contents of the data. In this scenario, the employee is authorized to see the bank balance, but not to change its value. Availability is concerned with the data being accessible when and where it is needed. Again, this wasn't affected by the employee's actions. Authentication is concerned with verifying the identity of those accessing the data; this employee was a legitimately authenticated user who was authorized to see the balance, so authentication was not what failed.

An analyst just completed a port scan and received the following results of open ports:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
TCP: 80
TCP: 110
TCP: 443
TCP: 1433
TCP: 3306
TCP: 3389
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on these scan results, which of the following services are NOT currently operating? A.Web B.Database C.SSH D.RDP

C.SSH Explanation OBJ-2: Based on the port numbers shown as open in the results, SSH is not currently operating. SSH operates over port 22. Web servers use port 80 for HTTP and 443 for HTTPS. Port 110 is POP3 (email retrieval). Database servers run on port 1433 (Microsoft SQL Server) or 3306 (MySQL). Remote Desktop Protocol runs on port 3389.

You have run a vulnerability scan and received the following output:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
CVE-2011-3389
QID 42366 - SSLv3.0/TLSv1.0 Protocol weak CBC mode Server side vulnerability
Check with: openssl s_client -connect login.diontraining.com:443 -tls1 -cipher "AES:CAMELLIA:SEED:3DES:DES"
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following categories should this be classified as? A.PKI transfer vulnerability B.Active Directory encryption vulnerability C.Web application cryptography vulnerability D.VPN tunnel

C.Web application cryptography vulnerability Explanation OBJ-2: This vulnerability should be categorized as a web application cryptographic vulnerability. It is indicated by the weak SSLv3.0/TLSv1.0 protocols being offered with cipher block chaining (CBC) mode ciphers on the HTTPS service (port 443). Specifically, allowing 3DES and DES during negotiation is a significant weakness. A stronger configuration should be enforced, such as TLS 1.2 or later with AES-based cipher suites, with the legacy protocols and ciphers disabled.

Joseph would like to prevent hosts from connecting to known malware distribution domains. What type of solution should be used without deploying endpoint protection software or an IPS system? A.Route poisoning B.Anti-malware router filters C.Subdomain whitelisting D.DNS blackholing

D.DNS blackholing Explanation OBJ-1.3: DNS blackholing is a process that uses a list of known domains/IP addresses belonging to malicious hosts and uses an internal DNS server to create a fake reply. Route poisoning prevents networks from sending data somewhere when the destination is invalid. Routers do not usually have an anti-malware filter, and this would be reserved for a unified threat management system. Subdomain whitelisting would not apply here because it would imply that you are implicitly denying all traffic and only allow whitelisted subdomains to be accessed from the hosts that would affect their operational utility to the organization.
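The "internal DNS server that creates a fake reply" is usually driven from a blocklist feed, so here is an added example (not part of the practice exam) that parses a hosts-format blocklist, collapses subdomains already covered by a listed parent, emits the unbound local-zone/local-data statements that redirect those names and everything beneath them to a sinkhole, and checks whether a given hostname would be blackholed. The blocklist entries, the example.net/example.org domains and the sinkhole address 192.0.2.1 are constructed for the demonstration; the unbound directive syntax is from its unbound.conf documentation.

```python
import re

SINKHOLE_IP = "192.0.2.1"   # assumed internal sinkhole address (TEST-NET-1), not from the page

# Hostname syntax check: labels of 1-63 chars, at least one dot, letters-only start to the TLD.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{0,61}[a-z0-9]$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_blocklist(text):
    """Read a hosts-format ('0.0.0.0 domain') or one-domain-per-line blocklist.

    Comments, blank lines, the leading IP column and localhost-style entries are dropped,
    and anything that is not a syntactically valid hostname is skipped rather than emitted
    into the resolver configuration.
    """
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        fields = line.split()
        candidate = (fields[1] if len(fields) >= 2 else fields[0]).rstrip(".")
        if candidate in LOCAL_NAMES or not DOMAIN_RE.match(candidate):
            continue
        domains.add(candidate)
    return sorted(domains)


def collapse_subdomains(domains):
    """Drop entries whose parent is also listed; a redirect zone already covers its subdomains."""
    blocked = set(domains)
    kept = []
    for d in domains:
        parts = d.split(".")
        if any(".".join(parts[i:]) in blocked for i in range(1, len(parts))):
            continue
        kept.append(d)
    return sorted(kept)


def unbound_sinkhole_config(domains, sinkhole_ip=SINKHOLE_IP):
    """unbound statements answering each listed zone and all its subdomains with the sinkhole address."""
    lines = ["server:"]
    for d in domains:
        lines.append('    local-zone: "%s." redirect' % d)
        lines.append('    local-data: "%s. A %s"' % (d, sinkhole_ip))
    return "\n".join(lines) + "\n"


def is_blackholed(name, domains):
    """True if name or any parent label is on the list, mirroring redirect local-zone semantics."""
    parts = name.lower().rstrip(".").split(".")
    blocked = set(domains)
    return any(".".join(parts[i:]) in blocked for i in range(len(parts)))


# Constructed blocklist in the common hosts-file format (not a real feed).
SAMPLE_BLOCKLIST = """\
# malware distribution domains - constructed sample
127.0.0.1 localhost
0.0.0.0 malware-cdn.example.net
0.0.0.0 update.malware-cdn.example.net   # covered by the parent zone above
0.0.0.0 dl.badstuff.example.org
badstuff.example.org
0.0.0.0 not_a_valid_domain
"""

if __name__ == "__main__":
    zones = collapse_subdomains(parse_blocklist(SAMPLE_BLOCKLIST))
    print(unbound_sinkhole_config(zones))
    for host in ("x.update.malware-cdn.example.net", "example.net", "www.diontraining.com"):
        print(host, "->", "sinkhole" if is_blackholed(host, zones) else "resolve normally")
```

Point the sinkhole address at a host that logs connection attempts and you get the extra benefit the explanation hints at: every client that tries to reach a blackholed domain identifies itself to you.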

Sarah has reason to believe that systems on her network have been compromised by an APT. She has noticed a large number of file transfers outbound to a remote site via TLS-protected HTTPS sessions from unknown systems. Which of the following techniques would most likely detect the APT? A.Network traffic analysis B.Network forensics C.Endpoint behavior analysis D.Endpoint forensics

D.Endpoint forensics Explanation OBJ-1: An advanced persistent threat (APT) is a stealthy computer network threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. APTs usually send traffic that is encrypted so that they are harder to detect through network traffic analysis or network forensics. This means that you need to focus on the endpoints to detect an APT. Unfortunately, APTs are very sophisticated, so endpoint behavioral analysis is unlikely to easily detect them, so Sarah will need to conduct endpoint forensics as her most likely method to detect an APT and their associated infections on her systems.

Vulnerability scans must be conducted on a continuous basis in order to meet regulatory compliance requirements for the storage of PHI. During the last vulnerability scan, a cybersecurity analyst received a report of 2,592 possible vulnerabilities and was asked by the Chief Information Security Officer (CISO) for a plan to remediate all the known issues. Which of the following should the analyst do next? A.Attempt to identify all the false positives and exceptions, then resolve any remaining items B.Wait to perform any additional scanning until the current list of vulnerabilities has been remediated fully C.Place any assets that contain PHI in a sandbox environment and then remediate all the vulnerabilities D.Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first

D.Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first Explanation OBJ-2: PHI is an abbreviation for Protected Health Information. When attempting to remediate a large number of vulnerabilities, it is crucial to prioritize them to determine which should be remediated first. In this case, there is a regulatory requirement to ensure the security of the PHI data. Therefore, the assets that are critical to the secure handling or storage of PHI carry the highest risk and should be prioritized for remediation first. It is impractical to resolve all 2,592 vulnerabilities at once, so you should not try to identify all the false positives and exceptions and then resolve the remaining items, since that approach still leaves the remaining items unprioritized. You should also not wait to perform additional scanning, because a scan is only a snapshot of your current status: if it takes 30 days to remediate all the vulnerabilities and you do not scan during that time, new vulnerabilities may have been introduced without being detected. Placing all the PHI assets into a sandbox will not work either, because that removes them from the production environment and they can no longer serve their critical business functions.
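The triage step the answer describes, as an added example written for this page (not Dion Training's or any scanner vendor's code). The asset inventory, the findings and their field names are constructed sample data. Beyond the question's "filter to critical assets" step, it also produces the full ordering (asset tier first, CVSS within a tier) and flags scanned hosts that are missing from the inventory, since an unknown host may be a PHI system that nobody tagged.

```python
"""Prioritizing scan findings by asset criticality. Example code for this
page, not Dion Training's or a scanner vendor's. ASSET_INVENTORY and
FINDINGS are constructed sample data; the field names are assumptions."""

# Constructed asset inventory: criticality tier and whether the asset handles PHI.
ASSET_INVENTORY = {
    "phi-db-01":  {"criticality": "critical", "handles_phi": True},
    "phi-app-02": {"criticality": "critical", "handles_phi": True},
    "hr-share":   {"criticality": "high",     "handles_phi": False},
    "kiosk-07":   {"criticality": "low",      "handles_phi": False},
}

# Constructed scan findings: id, host and CVSS base score.
FINDINGS = [
    {"id": "F-1", "host": "phi-db-01",    "cvss": 7.5},
    {"id": "F-2", "host": "kiosk-07",     "cvss": 9.8},
    {"id": "F-3", "host": "phi-app-02",   "cvss": 9.1},
    {"id": "F-4", "host": "phi-db-01",    "cvss": 5.3},
    {"id": "F-5", "host": "hr-share",     "cvss": 8.8},
    {"id": "F-6", "host": "unknown-host", "cvss": 10.0},  # not in the inventory
]

TIER_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
UNKNOWN_RANK = len(TIER_RANK)  # hosts missing from the inventory sort last


def asset_rank(host: str, inventory: dict) -> int:
    """Lower is more urgent. Hosts missing from the inventory get the worst
    rank so they cannot silently displace known-critical assets; they are
    surfaced separately by unknown_hosts() for inventory cleanup."""
    asset = inventory.get(host)
    if asset is None:
        return UNKNOWN_RANK
    return TIER_RANK.get(asset["criticality"], UNKNOWN_RANK)


def critical_findings(findings: list, inventory: dict) -> list:
    """The step from the question: keep only findings on critical-tier assets."""
    return [f for f in findings
            if asset_rank(f["host"], inventory) == TIER_RANK["critical"]]


def remediation_order(findings: list, inventory: dict) -> list:
    """Full ordering: asset tier first, then CVSS descending within a tier.
    Returns finding ids. Nothing is dropped; lower tiers just wait their turn."""
    ordered = sorted(findings,
                     key=lambda f: (asset_rank(f["host"], inventory), -f["cvss"]))
    return [f["id"] for f in ordered]


def unknown_hosts(findings: list, inventory: dict) -> list:
    """Hosts the scanner saw but the inventory does not know about."""
    return sorted({f["host"] for f in findings if f["host"] not in inventory})


if __name__ == "__main__":
    print([f["id"] for f in critical_findings(FINDINGS, ASSET_INVENTORY)])
    print(remediation_order(FINDINGS, ASSET_INVENTORY))
    print(unknown_hosts(FINDINGS, ASSET_INVENTORY))
```

Note that the highest-scoring finding in the sample (F-6, CVSS 10.0) lands last only because its host is not in the inventory; the unknown_hosts() output is the cue to fix the inventory and re-run the ordering rather than to ignore it.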

Syed is developing a vulnerability scanner program for a large network of sensors that are used to monitor his company's transcontinental oil pipeline. What type of network is this? A.SoC B.CAN C.BAS D.SCADA

D.SCADA Explanation OBJ-2: A supervisory control and data acquisition (SCADA) network is a type of industrial control system (ICS) used to monitor sensors and operate control systems spread over large geographic areas, such as a pipeline. A building automation system (BAS) for offices and data centers ("smart buildings") can include physical access control systems, but also heating, ventilation, and air conditioning (HVAC), fire control, power and lighting, and elevators and escalators. Vehicular networks are called controller area networks (CAN). A CAN uses serial communication buses to connect electronic control units and other subsystems in cars and unmanned aerial vehicles (UAVs). System-on-chip (SoC) is a design where the processors, controllers, and peripheral devices are provided on a single processor die or chip.

Judith is conducting a vulnerability scan of her data center. She notices that a management interface for a virtualization platform is exposed to her vulnerability scanner. Which of the following networks should the management interface of the hypervisor be exposed to in order to ensure the best security of the virtualization platform? A.External zone B.Internal zone C.DMZ D.Management network

D.Management network Explanation OBJ-2: The management interface should only be exposed to an isolated or dedicated network that is used for the management and configuration of network devices and platforms only. This also reduces the likelihood of an attack against the virtualization platform or the hypervisor itself. The external zone (internet), internal zone (LAN), and DMZ should not have the management interface exposed to them.

What is the lowest layer (bottom layer) of a bare-metal virtualization environment? A.Hypervisor B.Host operating systems C.Guest operating system D.Physical hardware

D.Physical hardware Explanation OBJ-2: The bottom layer in this environment is the physical hardware. It sits beneath the hypervisor, which in turn controls the guest operating systems' access to that hardware. The bare-metal approach does not have a host operating system.

You just completed an nmap scan against a workstation and received the following output:
-=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=-
# nmap diontraining012
Starting Nmap ( http://nmap.org )
Nmap scan report for diontraining012 (192.168.14.61)
Not shown: 997 filtered ports
PORT STATE
135/tcp open
139/tcp open
445/tcp open
Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds
-=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=-
Based on these results, which of the following operating systems is most likely being run by this workstation? A.Ubuntu B.macOS C.CentOS D.Windows

D.Windows Explanation OBJ-2: The workstation is most likely running a version of the Windows operating system. Port 135 is the Microsoft RPC endpoint mapper, port 139 carries SMB over the NetBIOS session service, and port 445 carries SMB directly over TCP; together they are the default file and printer sharing profile of a Windows host. Since Windows 2000, SMB file and print sharing has been running over these ports on all Windows systems by default. Note that this is a port-based heuristic: a Linux or macOS host running Samba can also listen on 139 and 445, so confirm the guess with OS detection or service fingerprinting before relying on it.
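The reasoning in the answer as code: an added example written for this page (not nmap's code and not Dion Training's) that parses nmap's normal output, collects the open TCP ports and applies the 135/139/445 heuristic. SAMPLE_OUTPUT is the scan output from the question; the second sample, a host exposing only SSH, is constructed to show the heuristic declining to guess.

```python
"""Parse nmap normal output and infer the OS from open ports. Example code
for this page, not nmap's or Dion Training's. SAMPLE_OUTPUT is the output
from the question; SAMPLE_OUTPUT_SSH is constructed."""

import re

# The output from the question, one record per line.
SAMPLE_OUTPUT = """\
# nmap diontraining012
Starting Nmap ( http://nmap.org )
Nmap scan report for diontraining012 (192.168.14.61)
Not shown: 997 filtered ports
PORT STATE
135/tcp open
139/tcp open
445/tcp open
Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds
"""

# Constructed second sample: a host that only exposes SSH.
SAMPLE_OUTPUT_SSH = """\
Nmap scan report for devbox (192.168.14.77)
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
"""

# Matches lines such as "445/tcp open" or "22/tcp open ssh".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)")


def open_ports(output: str, proto: str = "tcp") -> set:
    """Return the set of port numbers reported as open for the given protocol."""
    ports = set()
    for line in output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(2) == proto and m.group(3) == "open":
            ports.add(int(m.group(1)))
    return ports


def guess_os(ports: set) -> str:
    """Heuristic only. 135 is the Microsoft RPC endpoint mapper, 139 is SMB
    over NetBIOS session service, 445 is SMB directly over TCP. All three
    together is the default Windows profile; 139/445 alone could be Samba."""
    if 135 in ports and ports & {139, 445}:
        return "Windows"
    if ports & {139, 445}:
        return "SMB host (Windows or Samba)"
    return "undetermined"


if __name__ == "__main__":
    for sample in (SAMPLE_OUTPUT, SAMPLE_OUTPUT_SSH):
        p = open_ports(sample)
        print(sorted(p), guess_os(p))
```

To move from a guess to a confirmation, rerun the scan with OS detection (nmap -O) or service detection plus the SMB script (nmap -sV --script smb-os-discovery), which reports the OS the SMB service itself announces.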
