TestOut ch 12-15
An employee has been dismissed from the company and is suspected of gathering sensitive customer data before their termination. The legal team has asked you to perform a forensic examination of their workstation hard drive. Before you begin examining the contents of the device, what should you do?
Connect a write blocker to prevent changes being accidently made to the device.
Each virtual machine created by a hypervisor is called a:
Guest
Which protocol does Windows Event Forwarding use to transfer events to a central computer?
HTTP
As an administrator, you may need to access internal company servers from home or from another location. Which of the following would be the most secure solution?
Install a dedicated jump server inside the firewall.
Which of the following BEST describes continuous intergration?
It allows all integration changes to be automated and placed back into a shared mainline.
Tristi, a community outreach employee, is looking to apply machine learning into her job. Which of the following might she use machine learning for as a way to further her company's goals?
It can help her tailor the company's social media feed.
Which of the following is a fixed-sized bit array that has random data added to each plaintext hash?
Salted hashesP>
You have a file with sensitive data. It has a hash through a CHF. When you get to the office in the morning and access the file, you notice that the hash is different than it was the day before. What do you know about the file?
The file has been tampered with.
What is the main purpose of SOAR?
To replace tasks that are repetitive and done manually with automated workflows
Which of the following is beta testing also known as?
User acceptance testing
Which of the following can be run as traditional software on a virtual machine?
VFA
Which technology causes a transistor in the chip to blow if the chip's firmware is altered?
eFuse
Where can you find a quick overview of your monitored system's current state?
Dashboard
Which of the following is true about log review?
For logs to be beneficial, they must be analyzed.
What does a router use to protect a network from attacks and to control which types of communications are allowed on a network?
Access control list
Which of the following are characteristics of a RESTful API? (Select two.)
A client-server architecture managed through HTTP. A layered system that organizes server types.
You are creating an input validation component for a digital form. Which type of protection should you be building into it?
Make sure that no one can input something malicious into the form.
Which of the following BEST describes a non-disclosure agreement policy?
A policy requiring a confidentiality contract in which employees agree to not divulge certain information for a specific length of time.
Which of the following BEST describes a high-value asset?
An offline asset that halts production.
At which layer is a web application firewall log used to record HTTP traffic?
Application
When decommissioning assets, which of the following MUST be recycled?
CRT monitors Notebook batteries
Which of the following is the process of obfuscating data by changing it into random characters?
Data masking
Which of the following methods for making data inaccessible is considered insufficient for preventing data recovery? (Select two.)
Deleting or changing all partitions on the device. Formatting all partitions.
Which of the following are true regarding parameterized queries? (Select two.)
Help prevent SQL injection attacks Are pre-compiled SQL statements
What is the name of a computer on which a hypervisor runs to provide one or more virtual machines?
Host
Downtime, penalties, and damage to assets are incident consequences with which type of impact?
Immediate impact
Which of the following BEST describes system logs?
Indicate logins with escalated privileges.
Where are network device log files stored by default?
On the local device
Why is security for VMs more important than security for a physical machine?
One bad configuration could be replicated across your network.
When you create an event subscription, events are sent from one computer to another. What is the computer that generated the event called?
Source computer
When you create an event subscription, events are sent from one computer to another. What is the computer that receives the events called?
Collector computer
During which phase of the IT asset life cycle do you perform maintenance, such as installing system updates and patches?
Operations
You have collected files that contain evidence of a cyber crime committed against your company. You are required to share each file with legal teams, law enforcement, and the CEO of your company. Which of the following is the first thing to do to ensure that the files are not tampered with and everyone gets the exact same information in the files?
Apply a CHF to each file.
Attackers have used a brute force attack to crack CHF hashes in your network. What could you do to better protect the original strings?
Apply adaptive hashing.
Which of the following tools allows domain owners to notify receivers that emails have been authenticated, provides feedback about the legitimacy of emails sent on their domain, and applies instructions for emails that failed authentication?
DMARC
If an employee is suspected of being an insider threat, he or she should be reported and mitigated through which department?
Human resources
Which of the following statements is true regarding IDS and IPS?
IDS is a passive system; IPS is an active system.
Which of the following technologies is a hypervisor substitute that separates resources at the operating system level?
Containerization
URL and DNS monitoring, flow and packet analysis, and DGA monitoring are all methods to secure data in which of the following areas?
Network monitoring
Where should VM administration occur?
On the hypervisor and virtual machine
Which software facilitates communication between different virtual machines by checking data packets before moving them to a destination?
vSwitch
As part of setting up a Windows machine to send log events to a remote host, you have executed the winrm qc command and answered the questions as shown below. Which command would you run on the collector host from an elevated Command Prompt?
wecutil qc
On rare occasions, an individual computer contains information that is highly confidential and must remain separated from both internal and external networks. Which of the following segmentation solutions would BEST achieve this goal?
Air gap
Which of the following two methods can be used to refine the number of alerts displayed in Kibana based on search rules? (Select two.)
Add a filter in the Search field. Click a ring on the Security Onion - Data Overview graph.
What is the philosophy behind DevSecOps?
Everyone on the development team should be responsible for security.
You find a file that has the following as the first line of what appears to be a log file. What does the dc3dd command do in this instance?
It is used to create images of devices for forensic review.
During which phase of the incident response life cycle do you hold meetings to discuss lessons learned from the incident and the response?
Post-incident activities
Which phase includes taking the recommendations that can be put into action through security implementations, policies, and procedures?
Post-incident feedback
Which of the following occurs during the deployment phase of the IT asset life cycle?
Recording of asset tag information
Which of the following is an open-source intrusion detection system that provides search and analysis tools to help index collected data?
Security Onion
Which of the following is a best practice for implementing security patches?
Security patches should be tested and implemented in a sandbox before being applied to all active systems.
Which of the following is a benefit of microservices?
They function independently of each other. If one service fails, the application can keep working.
Mary is working on a software development project, and her manager reminds her that the team needs to focus on software assurance. Which of the following BEST describes software assurance?
To create software that customers find reliable
Which program did the U.S. Department of Defense set up to determine the authenticity of a hardware source?
Trusted Foundry Program
Pop-up windows and unusual error messages are often which type of IOC?
Unexpected output
What information is included in the service portion of a due diligence assessment? (Select two.)
What level of system access does the vendor require? Does the vendor provide reliable and timely product support?
What information can an organization obtain as part of a SCAP security scan?
Whether or not their systems are configured for optimal security.
Which method is used to verify that a connected device is trusted?
Bus encryption
As you're investigating an incident for your company, you discover that a crash on the suspect's computer occurred and created a snapshot of everything that was in physical memory at the time of the crash. Which type of memory dump is this?
Complete memory dump
You need to review the logs on a Windows machine that's experiencing a lot of crashes. From PowerShell, you plan on using the Get-Eventlog command but need to use an option to see which logs are available. What is the full command you should use?
Get-Eventlog -logname *
Having downloaded an .iso file for a project you are preparing for, and you want to validate that the file is from the vendor and hasn't been tampered with. You have downloaded the md5 hash signature for the .iso and need to validate the file. Which Windows PowerShell utility would you use?
Get-FileHash
While looking at your Security Onion appliance, you noticed that there was a significant increase in after-hours traffic on your network when all workstations were powered off and nobody else was in the office. Some of this traffic generated alerts in Kibana. Also, your web server was very slow to respond when you checked the website. With the information in the graph below, what might be the cause? (Select two.)
A DDoS attack An ICMP flood attack
Members of the executive team have asked for an explanation as to why the bit size of an encryption key needs to be higher than the 56-bit RC4 they are using. They show you a screenshot of the research they've done on the powerful desktop computer they run, saying that none of the keys they are using will be in production for more than a year. They want to just keep using the smaller keys. How would you answer them?
A cluster or use of cloud computing could break this in a very short period of time.
The sender's name, company position, address, and phone number are commonly found in which of the following?
An email's signature block
BitLocker is being deployed to all Windows machines on your network. A new machine has been installed with the latest Windows 10 software and needs to have its drive encrypted. When you start to encrypt, you see the following error. You know that this machine has a TPM because your own workstation is the same model. What should you do?
Check the BIOS to ensure that the TPM is enabled and activated.
Which of the following configurations can be used with Windows Event Forwarding? (Select two.)
Collector-initiated subscriptions Source-initiated subscriptions
Before signing an agreement with a new vendor, which type of assessment should you complete?
Due diligence
An employee has asked for help with some files they accidently deleted from their machine. They were a training schedule and a resume for a new employee named Jack. You access the machine, install Recuva, and run it. You point to the directory where the files were located, but you only see one file can be recovered. How do you best explain this?
File recovery software can't always reclaim data from free space.
Trusted Platform Modules and Hardware Security Modules are two examples of which hardware assurance?
Hardware roots of trust
Which of the following is true regarding containerization?
If an attacker gains access to the operating system, they will have access to all containers.
Which of the following BEST describes the isolation-based containment method?
Involves disconnecting a device, VLAN, or network segment from the rest of the network
Adaptive hashing adds an extra layer of security to a hash value through which of the following processes?
It feeds the hashed output back into the function a predetermined number of times.
Which of the following statements BEST describes VDI?
It starts a minimal operating system for a remote user to access.
Which of the following is the term used for an IP address that's been flagged for suspicious or malicious activity?
Known bad
As you gather evidence for an investigation, you need to make a copy of a hard disk drive that includes all visible files as well as any unallocated space. It needs to include any deleted files, metadata, or timestamps. Which of the following options would be BEST for this task?
Make a forensic copy of the drive.
Which devices are responsible for forwarding packets in a virtual network?
Physical networking devices
Which of the following is one of the five phases of the incident response life cycle?
Preparation
During which phase of the IT asset life cycle do you determine what impact a new asset will have on the existing network and users?
Procurement
Which SIEM function provides long-term storage of collected data to meet government compliance requirements.
Retention
Monitoring MAC addresses could help detect which network-based Indicator of Compromise (IOC)?
Rogue device
Which of the following is true about rule-writing?
Rules could be as simple as looking for unsuccessful logins or could include more complex behavioral patterns.
Which of the following is a SIEM collection tool that's used to search and analyze large collections of data in multiple formats?
Splunk
After detecting a security incident that may have left your systems vulnerable to outside attack, you determine that a change is necessary. You want to reduce the impact of the threat as soon as possible, but you also want to follow your organization's change management procedures. Which of the following would be the BEST approach to this scenario?
Submit a high-priority change request and wait for the necessary approvals before making changes to the system.
You are configuring your pfSense security appliance, which will provide firewall, DNS, and DHCP services for your users. You are currently working on configuring DNS servers. Which menus would you use to make the required changes?
System > General Setup
Which method does degaussing use to securely dispose of data?
The use of a powerful magnetic force to wipe data completely from a drive.
While reviewing your pfSense appliance logs, you notice the following. What is happening?
There are two DHCP servers that are responding to DHCPREQUEST events.
Your boss has requested that you ensure that the chips in all new hardware purchases have not already been infected with malware or other malicious software. Which feature should you look for in your devices?
Trusted Platform Module
One of the older Windows machines on your network has been re-installed. You want to turn on BitLocker to encrypt the system volume, but you receive an error message that the device doesn't have a Trusted Platform Module (TPM) and can't use BitLocker. You know that several other identical machines have BitLocker enabled. What do you need to do to get BitLocker working on this hardware?
Use a Group Policy option to allow BitLocker without the TPM.
Which of the following BEST describes a cacheable system?
A client cache has the right to reuse response data for equivalent requests that come later.
What is the name of the sanitization method that involves destruction of an encryption key to render a drive's data useless?
Cryptographic erase
When analyzing memory consumption for indicators of compromise, what information is the most useful?
Per-process memory usage
If you are testing software without looking at the backend code, which kind of testing are you engaging in?
Unknown testing
You are testing a new application using a combination of known and unknown testing. How would you BEST describe this approach?
You are engaging in partially known testing.
Which command was invoked to start PID 3825 in the output below in conjunction with the ps aux command?
python
Which of the following BEST describes workflow orchestration?
A collection of tasks that are performed in a logical sequence as efficiently as possible.
You are looking for a wipe utility to erase deleted files without affecting any other files. Which utilities could you use? (Select two.)
DP Shredder Cipher
During which phase of the incident response life cycle do you reinforce your systems, policies, and procedures to ensure that your resources are well secured?
Preparation
All incident-related questions from outside the organization should be handled through which department?
Public relations
Shelley, a programmer, wants to make sure her code works well under rigorous conditions. Which of the following activities would be MOST appropriate to help her run a stress test on her code?
Put an enormous amount of data into the software to see if it has problems.
What is the primary purpose of eradication?
Eliminate all traces of an incident while carefully preserving evidence that may be used in a criminal investigation.
As you're investigating a cyber crime in your organization, you suspect that important files have been deleted. Which of the following techniques can you use to bypass the file system and recover files based only on their structure by scanning raw bytes of disk data in order to reassemble them for examination?
File carving
The following steps BEST describe which one of the following data monitoring methods? Keep a user log to document everyone that handles each piece of sensitive data. Monitor the system in real time.
File monitoring
Pedro, a security analyst, is tasked with monitoring a company's threat feed. Which of the following should he look for as part of his analysis?
IP addresses that might be malicious.
The process of determining the extent of damage/potential damage from a security event is known as what?
Impact analysis
The following information about an incident should be provided to stakeholders: What caused the incident and which security measures have been taken. What was the incident's financial, systemic, and reputational impact. How have policies and procedures been updated because of the incident. Which report should be used to share this information?
Incident summary
Which network-based Indicator of Compromise (IOC) could be present if you detect ongoing communication between two workstations on your network?
Irregular peer-to-peer communication
After having calculated the MD5 hash for a file, you need to compare it to the value provided by the vendor. You could examine each character to ensure it is correct, but PowerShell has a utility for comparing the strings. Which of the following would be an example of that command?
"2b8efe1bee907243f22c16e14032a5ea" -eq "2b8efe1bee907243f22c16e14032a5ea"
During which phase of the incident response life cycle do you isolate affected systems and restrict communication to only trusted individuals?
Containment
Which of the following sends you an alert when an automated port scan is detected?
Network intrusion system
Which of the following should be included in a policy? (Select two.)
Outline for roles and levels of authority Definition of security incidents
Which method involves considering all an incident's details and taking action to keep the incident from happening again.
Vulnerability mitigation
Which Linux command can be used to provide a table of each running process?
top
There is a feature that has the following characteristics: Is deterministic. Can quickly compute the fixed-sized bit array for any given input. Creates a unique fixed-sized bit array for each input. Creates a new array if any modification occurs to the original input. These characteristics BEST describe which of the following?
Cryptographic hash function
Which of the following is an email authentication tool that relies on an email's encrypted digital signature to verify its authenticity?
DKIM
Kim wants to send a secure message to Tyler. She adds a secret key to her message data before she applies the SHA1 hashing algorithm. Tyler has the secret key, so he knows whether Kim's message has been altered when it arrives. Which of the following is the process Kim followed?
Keyed hashing
Post-incident activities provide an opportunity to learn from experiences. The feedback gathered in this phase can be used to improve on existing security policies and procedures. A good way to gather this information is to hold a meeting to discuss the incident and the incident response. What is this meeting called?
Lessons learned
In monitoring you company's email for security, you notice that several employees have been sent emails with an attachment that includes a virus. The virus in this email is considered which of the following?
Malicious payload
The contents of memory are very complex. Once you have moved memory content to a removable drive, what will you need to use to understand the contents?
Memory analysis tool
A criminal offers a bribe to an employee at your company who has access to sensitive data, asking the employee to transfer the data to the criminal's computer. What are some actions you can take to help protect against data loss from insider threats like this one?
Monitor who is requesting and sending data, monitor employee's behavior, and store all sensitive data in one location.
An incident that impacts a company's primary functions to the point that it cannot continue with business as usual is considered to have which type of impact?
Organizational impact
Including a legitimate-looking embedded link to a malicious site in an email purporting to be from a legitimate source is which of the following types of cyberattack?
Phishing
Which of the following mobile data acquisition types copies the entire flash memory, including deleted files and data remnants?
Physical acquisition
Which of the following actions can help safeguard against data loss?
Routinely review access controls to ensure only needed access is given to each employee.
Taylor is a manager who is trying to find a way to get computers with different operating systems to easily interact with each other. Which of the following should she use to accomplish this?
SOAP
Which of the following tools allows a domain owner to specify email servers that can send an email in the domain, and which servers are not allowed to send emails?
SPF
Which of the following BEST describes how using scripts is different from running regular code?
Scripts are usually interpreted instead of compiled.
Which of the following containment methods divides the network into subnetworks that are unable to communicate with each other directly?
Segmentation
Restarts, crashes, frozen applications, and intermittent stopping are examples of which application-based indicator of compromise (IOC)?
Service interruption
A manager is asking questions about why you must use a disk wiping utility before donating old hardware to a charity. How would you answer that question?
Simply deleting data using a workstation's standard tools does not really remove data from the hard drive.
Damage to an organization's reputation and other non-cost incident consequences are considered which type of impact?
Total impact
Which of the following is the practice of gathering insight about network events based on users daily behaviors to create a baseline for anomaly detection?
UEBA
Which of the following BEST describes the data security policy of data sovereignty?
A policy that dictates that data is subject to the laws of the nation in which it was collected.
Which of the following BEST describes phishing?
A cyberattack in which an email purporting to be from a legitimate organization is sent with a malicious payload.
The DKIM tool can provide security for your company's emails because it contains which of the following?
A digital signature
Which of the following BEST describes adaptive hashes?
A function that feeds the hashed output back into the function a preset number of times.
The economic impact of an incident can be tangible or intangible. Which of the following costs would be considered intangible? (Select two.)
Damage to reputation Loss of potential customers
Large data transfers to unusual devices could be a sign of which Indicator of Compromise (IOC)?
Data exfiltration
Which type of breach happens when an attacker removes or transfers data from your system to another?
Data exfiltration
You have observed that Steve, an employee at your company, has been coming in at odd hours, requesting sensitive data that is unrelated to his position, and bringing in his own flash drive. Steve's actions are common indicators of which of the following threats?
Data loss
During which phase of the incidence response life cycle do you identify an attack or an incident after it has begun?
Detection and analysis
Which of the following is the science of gathering and analyzing digital data in relation to a computer crime or cyber attack?
Digital forensics
Which of the following is an advantage to having self-contained components in SOA?
It is easier to maintain than interdependent services.
As you walk by a coworker's workstation, you see the following on the screen. What is the Dnscat2 DNS server typically used for?
It is used to execute other commands on a remote host.
How can a legal hold be helpful in digital forensics?
It protects data from being altered.
Your company president suspects that one of the employees has been embezzling money from the company and depositing it in their own bank account. Which of the following methods could you use to find evidence of this action?
String search
Business email compromise attacks have been increasingly waged against corporations' email systems. Attackers exploit an auto-forwarding email vulnerability to set emails that contain keywords to be redirected to their own inboxes. Which of the following BEST helps protect against this form of attack?
Sync email accounts settings.
Costs that are easily identifiable and quantifiable, such as damaged hardware, stolen passwords, and lost or corrupted data, are considered which type of impact?
Tangible
After creating a new case in Autopsy and selecting an image from a hard drive to inspect, you select the appropriate ingest modules, and the analyze process is completed. What should you look at next?
The Results section, which gives an overview of the process.
Which of the following can contain a wealth of information that can be used to determine the authenticity of an email?
The header block
How can the Wireshark tool help you with digital forensics?
You can use it to analyze packets to search for evidence.