Assessment 1

Question 1

After running an nmap scan of a system, you receive scan data that indicates the following three ports are open:
22/TCP
443/TCP
1521/TCP
What services commonly run on these ports?
A. SMTP, NetBIOS, MS-SQL
B. SSH, LDAPS, LDAP
C. SSH, HTTPS, Oracle
D. FTP, HTTPS, MS-SQL

Answer 1

C. These three TCP ports are associated with
SSH (22),
HTTPS (443),
Oracle databases (1521).

Other ports mentioned in the potential answers are SMTP (25), NetBIOS (137–139),
LDAP (389), LDAPS (636) and MS-SQL (1433/1434)

Question 2

What type of system allows attackers to believe they have succeeded with their attack, thus providing defenders with information about their attack methods and tools?
A. A honeypot
B. A sinkhole
C. A crackpot
D. A darknet

Answer 2

A. Honeypots are systems that are designed to look like attractive targets. When they
are attacked, they simulate a compromise, providing defenders with a chance to see how attackers operate and what tools they use. DNS sinkholes provide false information to malicious software, redirecting queries about command-and-control (C&C) systems to
allow remediation. Darknets are segments of unused network space that are monitored to detect traffic—since legitimate traffic should never be aimed at the darknet, this can be used to detect attacks and other unwanted traffic. Crackpots are eccentric people—not a system
you’ll run into on a network.

Question 3

What cybersecurity objective could be achieved by running your organization’s web servers in redundant, geographically separate datacenters?
A. Confidentiality
B. Integrity
C. Immutability
D. Availability

Answer 3

D. Redundant systems, particularly when run in multiple locations and with other protections to ensure uptime, can help provide availability.

Question 4

Which of the following vulnerability scanning methods will provide the most accurate detail
during a scan?
A. Black box/unknown environment
B. Authenticated
C. Internal view
D. External view

Answer 4

B. An authenticated, or credentialed, scan provides the most detailed view of the system. Black-box assessments presume no knowledge of a system and would not have credentials or an agent to work with on the system. Internal views typically provide more detail than external views, but neither provides the same level of detail that credentials can allow. To learn more on this topic, see Chapter 6.

Question 5

Security researchers recently discovered a flaw in the Chakra JavaScript scripting engine in Microsoft’s Edge browser that could allow remote execution or denial of service via a specifically crafted website. The CVSS 3.1 score for this vulnerability reads:
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
What is the attack vector and the impact to integrity based on this rating?
A. System, 9, 8
B. Browser, High
C. Network, High
D. None, High

Answer 5

C. When reading the CVSS score, AV is the attack vector. Here, N means network. Confidentiality (C), integrity (I), and availability (A) are listed at the end of the listing, and all three are rated as High in this CVSS rating. To learn more on this topic, see Chapter 7.

Question 6

Alice is a security engineer tasked with performing vulnerability scans for her organization. She encounters a false positive error in one of her scans. What should she do about this?
A. Verify that it is a false positive, and then document the exception.
B. Implement a workaround.
C. Update the vulnerability scanner.
D. Use an authenticated scan, and then document the vulnerability

Answer 6

A. When Alice encounters a false positive error in her scans, her first action should be to verify it. This may involve running a more in-depth scan like an authenticated scan, but it could also involve getting assistance from system administrators, checking documentation, or other validation actions. Once she is done, she should document the exception so that it is properly tracked. Implementing a workaround is not necessary for false positive vulnerabilities, and updating the scanner should be done before every vulnerability scan. Using an
authenticated scan might help but does not cover all the possibilities for validation she may
need to use. To learn more on this topic, see Chapter 7.

Question 7

Which phase of the incident response process is most likely to include gathering additional evidence such as information that would support legal action?
A. Preparation
B. Detection and Analysis
C. Containment, Eradication, and Recovery
D. Post-incident Activity and Reporting

Answer 7

C. The Containment, Eradication, and Recovery phase of an incident includes steps to limit damage and document what occurred, including potentially identifying the attacker and tools used for the attack. This means that information useful to legal actions is most likely to be gathered during this phase. To learn more on this topic, see Chapter 9.

Question 8

Which of the following descriptions explains an integrity loss?
A. Systems were taken offline, resulting in a loss of business income.
B. Sensitive or proprietary information was changed or deleted.
C. Protected information was accessed or exfiltrated.
D. Sensitive personally identifiable information was accessed or exfiltrated.

Answer 8

B. Integrity breaches involve data being modified or deleted. Systems being taken offline is an availability issue, protected information being accessed might be classified as a breach of proprietary information, and sensitive personally identifiable information breaches would typically be classified as privacy breaches

Question 9

Hui’s incident response program uses metrics to determine if their subscription to and use of IoC feeds is meeting the organization’s requirements. Which of the following incident response metrics is most useful if Hui wants to assess their use of IoC feeds?
A. Alert volume metrics
B. Mean time to respond metrics
C. Mean time to detect metrics
D. Mean time to remediate metrics

Answer 9

C. IoCs are used to improve detection, and Hui knows that gathering mean time to detect metrics will help the organization determine if their use of IoC feeds is improving detection speed. Alert volume is driven by configuration and maintenance of alerts, and it would not determine if the IoC usage was appropriate. Response time and remediation time are better used to measure the organization’s processes and procedures.

Question 10

Abdul’s monitoring detects regular traffic sent from a system that is suspected to be compromised and participating in a botnet to a set of remote IP addresses. What is this called?
A. Anomalous pings
B. Probing
C. Zombie chatter
D. Beaconing

Answer 10

D. Regular traffic from compromised systems to command-and-control nodes is known as beaconing. Anomalous pings could describe unexpected pings, but they are not typically part of botnet behavior, zombie chatter is a made-up term, and probing is part of scanning behavior in some cases. To learn more on this topic, see

Question 11

What industry standard is used to describe risk scores?
A. CRS
B. CVE
C. RSS
D. CVSS

Answer 11

D. The Common Vulnerability Scoring System, or CVSS, is used to rate and describe risks. CVE, Common Vulnerabilities and Exposures, classifies vulnerabilities. RSS, or Really Simple Syndication, is used to create feeds of websites. CRS was made up for this question. To learn
more on this topic, see Chapter 12.

Question 12

What term is used to describe the retention of data and information related to pending or active litigation?
A. Preservation
B. Legal hold
C. Criminal hold
D. Forensic archiving

Answer 12

B. The term legal hold is used to describe the retention of data and information related to a pending or active legal investigation. Preservation is a broader term used to describe retention of data for any of a variety of reasons including business requirements. Criminal
hold and forensic archiving were made up for this question. To learn more on this topic, see
Chapter 13

Question 13

During a forensic investigation Maria discovers evidence that a crime has been committed.
What do organizations typically do to ensure that law enforcement can use data to prosecute
a crime?
A. Securely wipe drives to prevent further issues
B. Document a chain of custody for the forensic data
C. Only perform forensic investigation on the original storage media
D. Immediately implement a legal hold

Answer 13

B. Documenting a proper chain of custody will allow law enforcement to be more likely to use forensic data successfully in court. Wiping drives will cause data loss, forensic examination is done on copies, not original drives, and legal holds are done to preserve data when litigation is occurring or may occur

Question 14

Oscar’s manager has asked him to ensure that a compromised system has been completely purged of the compromise. What is Oscar’s best course of action?
A. Use an antivirus tool to remove any associated malware.
B. Use an antimalware tool to completely scan and clean the system.
C. Wipe and rebuild the system.
D. Restore a recent backup.

Answer 14

C. The most foolproof means of ensuring that a system does not remain compromised is to wipe and rebuild it. Without full knowledge of when the compromise occurred, restoring a
backup may not help, and both antimalware and antivirus software packages cannot always ensure that no remnant of the compromise remains, particularly if the attacker created accounts or otherwise made changes that wouldn’t be detected as malicious software. To
learn more on this topic, see Chapter 11.

Question 15

Which of the following actions is not a common activity during the recovery phase of an incident response process?
A. Reviewing accounts and adding new privileges
B. Validating that only authorized user accounts are on the systems
C. Verifying that all systems are logging properly
D. Performing vulnerability scans of all systems

Answer 15

A. The recovery phase does not typically seek to add new privileges. Validating that only legitimate accounts exist, that the systems are all logging properly, and that systems have been vulnerability scanned are all common parts of an incident response recovery phase.
To learn more on this topic, see Chapter 11.

Question 16

A statement like “Windows workstations must have the current security configuration template applied to them before being deployed” is most likely to be part of which document?
A. Policies
B. Standards
C. Procedures
D. Guidelines

Answer 16

B. This statement is most likely to be part of a standard. Policies contain high-level statements of management intent; standards provide mandatory requirements for how policies are carried out, including statements like that provided in the question. A procedure would
include the step-by-step process, and a guideline describes a best practice or recommendation.
To learn more on this topic, see Chapter 8

Question 17

A firewall is an example of what type of control?
A. Preventive
B. Detective
C. Responsive
D. Corrective

Answer 17

A. The main purpose of a firewall is to block malicious traffic before it enters a network,
therefore preventing a security incident from occurring. For this reason, it is best classified as a preventive control. To learn more on this topic, see Chapter 8.

Question 18

Cathy wants to collect network-based indicators of compromise as part of her security monitoring practice. Which of the following is not a common network-related IoC?
A. Bandwidth consumption
B. Rogue devices on the network
C. Scheduled updates
D. Activity on unexpected ports

Answer 18

C. Scheduled updates are a normal activity on network connected devices. Common indicators of potentially malicious activity include bandwidth consumption, beaconing, irregular peer-to-peer communication, rogue devices, scans, unusual traffic spikes, and activity on
unexpected ports. To learn more on this topic, see Chapter 3.

Question 19

Nick wants to analyze a potentially malicious software package using an open source, locally hosted tool. Which of the following tools is best suited to his need if he wants to run the tool as part of the process?
A. Strings
B. A SIEM
C. VirusTotal
D. Cuckoo Sandbox

Answer 19

D. Cuckoo Sandbox is the only item from the list of potential answers that is a locally
installed and run sandbox that analyzes potential malware by running it in a safe sandbox
environment. To learn more on this topic, see Chapter 3.

Question 20

Which software development life cycle model uses linear development concepts in an iterative, four-phase process?
A. Waterfall
B. Agile
C. RAD
D. Spiral

Answer 20

D. The Spiral model uses linear development concepts like those used in Waterfall but repeats four phases through its life cycle: requirements gathering, design, build, and evaluation. To learn more on this topic

Question 21

Naomi wants to make her applications portable and easy to move to new environments without the overhead of a full operating system. What type of solution should she select?
A. An x86 architecture
B. Virtualization
C. Containerization
D. A SASE solution

Answer 21

C. Naomi should containerize her application. This will provide her with a lightweight option that can be moved between services and environments without requiring her to have
an OS included in her container. Virtualization would include a full operating system. SASE is a solution for edge-focused security, whereas x86 is a hardware architecture.

Question 22

Bharath wants to make changes to the Windows Registry. What tool should he select?
A. regwiz.msc
B. notepad.exe
C. secpol.msc
D. regedit

Answer 22

D. The built-in Windows Registry editor is regedit. The secpol.msc tool is used to view
and manage security policies. There is no regwiz tool, and Notepad, while handy, shouldn’t be used to try to edit the Registry!

Question 23

Tom wants to set an appropriate logging level for his Cisco networking equipment while he’s troubleshooting. What log level should he set?
A. 1
B. 3
C. 5
D. 7

Answer 23

D. Tom knows that log level 7 provides debugging messages that he will need during troubleshooting. Once he’s done, he’ll likely want to set a lower log level to ensure that he doesn’t
create lots of noise in his logs.

Question 24

Which of the following is not a common use of network segmentation?
A. Decreasing attack surfaces
B. Limiting the scope of regulatory compliance
C. Reducing availability
D. Increasing the efficiency of a network

Answer 24

C. Segmentation is sometimes used to increase availability by reducing the potential impact of an attack or issue—intentionally reducing availability is unlikely to be a path chosen by most organizations.

Question 25

Ric’s organization wants to implement zero trust. What concern should Ric raise about zero trust implementations? A. They can be complex to implement. B. Zero trust does not support TLS inspection. C. Zero trust is not compatible with modern software-defined networks. D. They are likely to prevent users from accomplishing their jobs

Answer 25

A. Ric knows that zero trust can be complex to implement. Zero trust does not specifically prevent TLS inspection or conflict with SDN, and a successful zero trust implementation needs to validate user permissions but allow them to do their jobs.

Question 26

Michelle has a security token that her company issues to her. What type of authentication factor does she have? A. Biometric B. Possession C. Knowledge D. Inherence

Answer 26

B. Michelle’s security token is an example of a possession factor, or “something you have.” A password or PIN would be a knowledge factor or “something you know,” and a fingerprint or retina scan would be a biometric, or inherence, factor.

Question 27

Which party in a federated identity service model makes assertions about identities to service providers? A. RPs B. CDUs C. IDPs D. APs

Answer 27

C. Identity providers (IDPs) make assertions about identities to relying parties and service providers in a federation. CDUs and APs are not terms used in federated identity designs.

Question 28

What design concept requires that each action requested be verified and validated before it is allowed to occur? A. Secure access service edge B. Zero trust C. Trust but verify D. Extended validation network

Answer 28

B. Zero trust requires each action or use of privileges to be validated and verified before it is allowed to occur. Secure access service edge combines software-defined networking with other security products and services to control edge device security rather than requiring a secured central service or network. Trust but verify and extended validation network are not design concepts

Question 29

Juan’s organization uses LDAP to allow users to log into a variety of services without having to type in their username and password again. What type of service is in use? A. SSO B. MFA C. EDR D. ZeroAuth

Answer 29

A. Juan’s organization is using a single sign-on (SSO) solution that allows users to sign in once and use multiple services. MFA is multifactor authentication; EDR is endpoint detection and response, an endpoint security tool; and ZeroAuth was made up for this question.

Question 30

Jen’s organization wants to ensure that administrator credentials are not used improperly. What type of solution should Jen recommend to address this requirement? A. SAML B. CASB C. PAM D. PKI

Answer 30

C. A privilege access management (PAM) system would not only allow Jen’s organization to manage and monitor privilege use for administrator accounts but would be helpful for other privileges as well. SAML is an XML-based language used to send authorization and authentication data, a CASB is a cloud access security broker used to manage cloud access rights, and PKI is a public key infrastructure used to issue and manage security certificates.

Question 31

Financial and medical records are an example of what type of data? A. CHD B. PCI C. PII D. TS/SCI

Answer 31

C. Common examples of PII include financial records, addresses and phone numbers, and national or state identification numbers like Social Security numbers, passport numbers, and driver’s license numbers in the United States. CHD is cardholder data. PCI is the payment card industry, which defines the PCI DSS security standard. TS/SCI is a U.S. classification label standing for Top Secret/Sensitive Compartmented Information

Question 32

Which of the following is not part of cardholder data for credit cards? A. The cardholder’s name B. The CVV code C. The expiration date D. The primary account number

Answer 32

B. The primary account number (PAN), the cardholder’s name, and the expiration date of the card are considered cardholder data. Sensitive authentication data includes the CVV code, the contents of the magnetic stripe and chip, and the PIN code if one is used.

Question 33

Sally wants to find configuration files for a Windows system. Which of the following is not a common configuration file location? A. The Windows Registry B. C:\Program Files\ C. directory:\Windows\Temp D. C:\ProgramData\

Answer 33

C. The temporary files directory is not a common location for configuration files for programs. Instead, the Registry, ProgramData, and Program Data directories are commonly used to store configuration information.

Question 34

What type of factor is a PIN? A. A location factor B. A biometric factor C. A possession factor D. A knowledge factor

Answer 34

D. A PIN is something you know and thus is a knowledge factor.

Question 35

What protocol is used to ensure that logs are time synchronized? A. TTP B. NTP C. SAML D. FTP

Answer 35

B. NTP (Network Time Protocol) is the underlying protocol used to ensure that systems are using synchronized time.

Question 36

OAuth, OpenID, SAML, and AD FS are all examples of what type of technology? A. Federation B. Multifactor authentication C. Identity vetting D. PKI

Answer 36

A. OAuth, OpenID, SAML, and AD FS are all examples of technologies used for federated identity. They aren’t MFA, identity vetting, or PKI technologies.

Question 37

Example Corporation has split their network into network zones that include sales, HR, research and development, and guest networks, each separated from the others using network security devices. What concept is Example Corporation using for their network security? A. Segmentation B. Software-defined networking C. Single-point-of-failure avoidance D. Zoned routing

Answer 37

A. Example Corporation is using segmentation, separating different risk or functional groupings. Software-defined networking is not mentioned, as no code-based changes or configurations are being made. There is nothing to indicate a single point of failure, and zoned routing was made up for this question—but the zone routing protocol is a network protocol used to maintain routes in a local network region.

Question 38

During a penetration test of Anna’s company, the penetration testers were able to compromise the company’s web servers and deleted their log files, preventing analysis of their attacks. What compensating control is best suited to prevent this issue in the future? A. Using full-disk encryption B. Using log rotation C. Sending logs to a syslog server D. Using TLS to protect traffic

Answer 38

C. Sending logs to a remote log server or bastion host is an appropriate compensating control. This ensures that copies of the logs exist in a secure location, allowing them to be reviewed if a similar compromise occurred. Full-disk encryption leaves files decrypted while in use and would not secure the log files from a compromise, whereas log rotation simply means that logs get changed out when they hit a specific size or time frame. TLS encryption for data (including logs) in transit can keep it private and prevent modification but wouldn’t protect the logs from being deleted.

Question 39

Ben is preparing a system hardening procedure for his organization. Which of the following is not a typical system hardening process or step? A. Updating and patching systems B. Enabling additional services C. Enabling logging D. Configuration disk encryption

Answer 39

B. Ben knows that hardening processes typically focus on disabling unnecessary services, not enabling additional services. Updating, patching, enabling logging, and configuring security capabilities like disk encryption are all common hardening practices.

Question 40

Gabby is designing a multifactor authentication system for her company. She has decided to use a passphrase, a time-based code generator, and a PIN to provide additional security. How many distinct factors will she have implemented when she is done? A. One B. Two C. Three D. Four

Answer 40

B. While it may seem like Gabby has implemented three different factors, both a PIN and a passphrase are knowledge-based factors and cannot be considered distinct factors. She has implemented two distinct factors with her design. If she wanted to add a third factor, she could replace either the password or the PIN with a fingerprint scan or other biometric fact

Question 41

ports 20, 21

Answer 41

FTP

Question 42

22

Answer 42

SSH

Question 43

23

Answer 43

Telnet

Question 44

25

Answer 44

SMTP

Question 45

53

Answer 45

DNS

Question 46

80

Answer 46

HTTP

Question 47

110

Answer 47

POP3

Question 48

123

Answer 48

NTP

Question 49

143

Answer 49

IMAP

Question 50

389

Answer 50

LDAP

Question 51

443

Answer 51

HTTPS

Question 52

636

Answer 52

LDAPS

Question 53

1433

Answer 53

SQL SERVER

Question 54

1521

Answer 54

ORACLE

Question 55

1723

Answer 55

PPTP

Question 56

3389

Answer 56

RDP

Question 57

During an incident response, you find that an employee’s workstation was infected with ransomware. What should be the first step in the incident response process? A. Erase the affected workstation’s hard drive. B. Isolate the affected workstation from the network. C. Reinstall the operating system. D. Notify all employees about the ransomware attack.

Answer 57

B. Isolate the affected workstation from the network.

Question 58

What type of vulnerability scan focuses on identifying misconfigurations and weak security settings in a network? A. External scan B. Internal scan C. Baseline scan D. Full scan

Answer 58

B. Internal scan

Question 59

Which log source is most likely to provide information about unauthorized access attempts to a network resource? A. Application logs B. Web server logs C. System logs D. Network device logs

Answer 59

D. Network device logs

Question 60

A company is assessing the likelihood and impact of potential security threats. What process are they engaged in? A. Risk assessment B. Vulnerability scanning C. Penetration testing D. Threat hunting

Answer 60

A. Risk assessment

Question 61

Which type of tool would you use to continuously monitor network traffic and provide alerts on suspicious activities? A. IDS (Intrusion Detection System) B. SIEM (Security Information and Event Management) C. HIPS (Host-based Intrusion Prevention System) D. DLP (Data Loss Prevention)

Answer 61

A. IDS (Intrusion Detection System)

Question 62

What is the primary purpose of implementing access control lists (ACLs) in a network? A. To encrypt sensitive data in transit B. To control which users and devices can access network resources C. To monitor network traffic for anomalies D. To patch known vulnerabilities in network devices

Answer 62

B. To control which users and devices can access network resources

Question 63

After analyzing a security incident, you find that an attacker exploited a vulnerability in an outdated software version. What should be done to mitigate this type of vulnerability in the future? A. Install a firewall to block the attack. B. Regularly update and patch software. C. Disable the outdated software. D. Use encryption to protect data.

Answer 63

B. Regularly update and patch software.

Question 64

What is the purpose of the OSI model in networking? A. To define the standard hardware interfaces B. To standardize the protocols used for network communication C. To provide a framework for understanding network interactions and protocols D. To determine the speed and bandwidth of the network

Answer 64

C. To provide a framework for understanding network interactions and protocols

Question 65

Which routing protocol uses DUAL (Diffusing Update Algorithm) to calculate the best path? A. RIP B. OSPF C. EIGRP D. BGP

Answer 65

C. EIGRP

Question 66

What is the purpose of a VLAN (Virtual Local Area Network)? A. To segment network traffic into separate broadcast domains B. To provide redundancy in case of a network failure C. To increase the speed of data transmission over the network D. To secure data by encrypting it during transmission

Answer 66

A. To segment network traffic into separate broadcast domains

Question 67

: What is the primary function of an access control list (ACL) on a router? A. To manage routing protocols and their updates B. To control access to network resources based on IP addresses and protocols C. To provide encryption for data transmission across the network D. To monitor and analyze network traffic for performance issues

Answer 67

B. To control access to network resources based on IP addresses and protocols

Question 68

Which command can be used to display the IP routing table on a Cisco router? A. show ip route B. show interfaces C. show running-config D. show version

Answer 68

A. show ip route

Question 69

What does the acronym PPP stand for in networking? A. Public Packet Protocol B. Point-to-Point Protocol C. Private Packet Protocol D. Point-to-Point Process

Answer 69

B. Point-to-Point Protocol

Question 70

What port number is used by HTTP for web traffic? A. 21 B. 22 C. 80 D. 443

Answer 70

C. 80

Question 71

What is the primary purpose of footprinting in the context of ethical hacking? A. To exploit vulnerabilities in a target system B. To gather information about a target system to identify potential security weaknesses C. To install malware on a target system D. To launch denial-of-service attacks

Answer 71

B. To gather information about a target system to identify potential security weaknesses

Question 72

Which tool is commonly used to perform network reconnaissance and identify live hosts, open ports, and services on a network? A. Nmap B. Metasploit C. Burp Suite D. Wireshark

Answer 72

A. Nmap

Question 73

Which of the following tools is commonly used for vulnerability scanning and analysis? A. Nessus B. Metasploit C. Netcat D. Aircrack-ng

Answer 73

A. Nessus

Question 74

What technique is used to gain unauthorized access to a system by exploiting weak or default passwords? A. Social engineering B. Password cracking C. SQL injection D. Denial-of-Service (DoS) attack

Answer 74

B. Password cracking

Question 75

What is the primary purpose of packet sniffing in a network security context? A. To capture and analyze network traffic B. To create and manage network firewalls C. To perform penetration testing D. To encrypt network communications

Answer 75

A. To capture and analyze network traffic

Question 76

Which type of social engineering attack involves tricking individuals into providing sensitive information by pretending to be someone they trust? A. Phishing B. Smishing C. Vishing D. Pretexting

Answer 76

D. Pretexting

Question 77

What is the purpose of a digital signature in cryptography? A. To encrypt data during transmission B. To ensure data integrity and verify the authenticity of the sender C. To generate a random encryption key D. To perform data compression

Answer 77

B. To ensure data integrity and verify the authenticity of the sender

Question 78

Physical Layer (Layer 1) Function: Deals with the physical connection between devices, including the transmission of raw bit streams over a physical medium (like cables, switches, and network interface cards).

Answer 78

Examples: Ethernet cables, fiber optics, and wireless radio frequencies.

Question 79

Data Link Layer (Layer 2) Function: Responsible for creating a reliable link between two directly connected nodes. It handles error detection, correction, and frame synchronization.

Answer 79

Examples: MAC addresses, Ethernet, and switches.

Question 80

Network Layer (Layer 3) Function: Manages routing and forwarding of packets across networks. It determines the best path to send data from the source to the destination and handles logical addressing.

Answer 80

Examples: IP addresses, routers.

Question 81

Transport Layer (Layer 4) Function: Provides reliable data transfer between end systems, including error recovery and flow control. It ensures that data is delivered in the correct order and without errors.

Answer 81

Examples: TCP (Transmission Control Protocol), UDP (User Datagram Protocol).

Question 82

Session Layer (Layer 5) Function: Manages sessions or connections between applications. It establishes, maintains, and terminates connections and ensures that sessions are properly synchronized.

Answer 82

Examples: Session establishment protocols, APIs.

Question 83

Presentation Layer (Layer 6) Function: Translates data between the application layer and the network format. It handles data encryption, decryption, compression, and translation.

Answer 83

Examples: Data formats, encryption protocols like SSL/TLS.

Question 84

Application Layer (Layer 7) Function: Provides network services directly to end-user applications. It supports application services such as email, file transfer, and web browsing.

Answer 84

Examples: HTTP, FTP, SMTP, DNS.

Question 85

What is open source intelligence? OSINT

Answer 85

Open Source Intelligence (OSINT) refers to the process of collecting and analyzing publicly available information to support decision-making, investigation, or analysis. This information can come from a wide range of sources, including: Internet Resources: Websites, social media platforms, blogs, forums, and online news articles. Public Records: Government databases, court records, and public filings. Media: Newspapers, television, radio broadcasts, and other forms of media. Academic and Research Publications: Journals, research papers, and other scholarly work. Commercial Data: Market research reports, business directories, and industry reports.

Question 86

What is defensive OSINT?

Answer 86

Defensive OSINT is a proactive approach to security, aiming to stay ahead of potential threats by leveraging publicly available information to strengthen defenses and mitigate risks. Here are some key aspects of defensive OSINT: Threat Detection Vulnerability Assessment Reputation Management Incident Response Security Awareness

Question 87

What is CERT?

Answer 87

CERT stands for Computer Emergency Response Team. It's a specialized group that provides expertise and support in managing and responding to cybersecurity incidents and threats. The key functions and roles of a CERT include: Incident Response: Assisting organizations in identifying, managing, and mitigating cybersecurity incidents such as breaches, malware infections, and other types of cyberattacks. CERTs often provide guidance on how to contain and recover from these incidents. Threat Intelligence: Gathering, analyzing, and disseminating information about current and emerging threats to help organizations understand and defend against potential risks. This can involve sharing information about vulnerabilities, attack patterns, and trends. Security Advice and Best Practices: Offering recommendations and guidelines on improving cybersecurity practices and policies to help organizations strengthen their defenses and reduce the risk of incidents. Coordination and Collaboration: Working with other CERTs, government agencies, law enforcement, and private sector organizations to coordinate responses to large-scale or complex incidents and to share information about threats and vulnerabilities. Training and Awareness: Providing training and resources to help organizations and individuals understand cybersecurity risks and implement effective security measures. This can include workshops, seminars, and educational materials. Research and Development: Conducting research to develop new tools, techniques, and methodologies for detecting, preventing, and responding to cyber threats.

Question 88

When assessing risks to your organization's IT infrastructure, which framework allows for prioritization based on the potential impact of threats? a) NIST's Cybersecurity Framework b) OWASP Top 10 c) Center for Internet Security (CIS) Top 20 Critical Security Controls d) ISO 310007

Answer 88

a) NIST's Cybersecurity Framework The NIST Cybersecurity Framework provides a structured approach to managing and prioritizing cybersecurity risks based on the potential impact of threats. It includes components for identifying, protecting, detecting, responding to, and recovering from cybersecurity incidents, helping organizations focus on the most critical areas of their IT infrastructure.

Question 89

Among the following strategies for dealing with multiple known vulnerabilities, which one is deemed MOST crucial for their successful management and mitigation? a) The number of vulnerabilities b) Prioritizing the risk level associated with each vulnerability c) The type of vulnerabilities d) The location of vulnerabilities

Answer 89

b) Prioritizing the risk level associated with each vulnerability Prioritizing vulnerabilities based on their risk level—considering factors like potential impact, exploitability, and the criticality of affected systems—is essential for effective management and mitigation. This approach helps ensure that resources are allocated to address the most significant threats first, reducing the overall risk to the organization.

Question 90

How could a company's reluctance to interrupt its business processes potentially impact its vulnerability management? a) Increasing the company's overall market share b) Enhancing the effectiveness of the company's marketing strategies c) Boosting employee productivity during work hours d) Leading to postponed or overlooked system updates and patches

Answer 90

d) Leading to postponed or overlooked system updates and patches When a company is hesitant to disrupt its business processes, it might delay or skip necessary system updates and security patches to avoid interruptions. This can leave vulnerabilities unaddressed, increasing the risk of security breaches and compromising the overall effectiveness of its vulnerability management efforts.

Question 91

Why is it crucial for an organization to conduct regular vulnerability management reporting? a) Boosts the company's stock price b) Improves employee morale c) Helps in identifying and prioritizing the system vulnerabilities d) Increases the number of customers

Answer 91

c) Helps in identifying and prioritizing the system vulnerabilities Regular vulnerability management reporting allows an organization to systematically identify and assess the security weaknesses in its systems. By continuously monitoring and reporting on vulnerabilities, the organization can prioritize them based on their risk levels, ensuring that the most critical issues are addressed promptly and effectively. This proactive approach helps in maintaining a robust security posture and mitigating potential threats.

Question 92

If you want to conduct an operating system identification during an nmap scan, which syntax should you utilize? a) nmap -os b) nmap -O c) nmap -id d) nmap -osscan

Answer 92

b) nmap -O The -O option in Nmap enables OS detection, which attempts to determine the operating system of the target system based on various network characteristics.

Question 93

Dion Training conducts weekly vulnerability scanning of their network and patches any identified issues within 24 hours. Which of the following best describes the company's risk response strategy? a) Avoidance b) Acceptance c) Mitigation d) Transference

Answer 93

c) Mitigation Mitigation involves taking steps to reduce the impact or likelihood of identified risks. By conducting weekly vulnerability scans and promptly patching any issues within 24 hours, Dion Training is actively working to reduce their security vulnerabilities and manage risk effectively.

Question 94

Which of the following methods can be used to identify affected hosts in a system? (Choose THREE) a) Using Bitlocker b) Use a vulnerability scanner to scan the system for known vulnerabilities. c) Use a packet sniffer to monitor network traffic for signs of exploitation. d) Use a network scanner to scan the network for hosts that are running vulnerable software.

Answer 94

To identify affected hosts in a system, you can use the following methods: b) Use a vulnerability scanner to scan the system for known vulnerabilities. c) Use a packet sniffer to monitor network traffic for signs of exploitation. d) Use a network scanner to scan the network for hosts that are running vulnerable software. Each of these methods helps in identifying hosts that may be vulnerable or compromised in different ways: Vulnerability scanners look for known vulnerabilities in systems and applications. Packet sniffers can detect signs of exploitation by analyzing network traffic. Network scanners identify hosts on the network and can detect if they are running software with known vulnerabilities. Bitlocker is not used for identifying affected hosts; it is a disk encryption feature designed to protect data on Windows systems.

Question 95

What is Threat Hunting?

Answer 95

Threat hunting in cybersecurity is a proactive approach to identifying and mitigating potential security threats within an organization's network. Unlike traditional methods that rely on automated tools and reactive measures, threat hunting involves actively searching for signs of malicious activity or security breaches that may not be detected by standard defenses. Here’s a breakdown of what threat hunting involves: Proactive Searching: Threat hunters don’t wait for alerts from security systems. Instead, they actively search for anomalies and indicators of compromise (IOCs) that might suggest an attacker is present in the network. Hypothesis-Driven: Hunters often start with a hypothesis about how an attack might occur or how a threat actor might behave. They use this hypothesis to guide their search for evidence. Analysis of Data: They analyze data from various sources, such as network traffic, system logs, and endpoint activity, to identify patterns or behaviors indicative of a threat. Use of Tools and Techniques: Threat hunters employ various tools, including advanced analytics, machine learning, and custom scripts, to detect hidden threats. They might also use threat intelligence feeds to stay updated on the latest attack techniques. Collaboration: Threat hunting often involves collaboration with other teams, such as incident response and forensic teams, to validate findings and develop mitigation strategies. Continuous Improvement: Findings from threat hunting activities are used to refine and improve the organization’s security posture, such as updating detection rules, improving response protocols, and enhancing overall defenses. In essence, threat hunting aims to find and neutralize threats before they can cause significant damage, improving the organization's overall security resilience.

Question 96

What is Cloud Access Security Broker??CASB

Answer 96

A Cloud Access Security Broker (CASB) is a security solution designed to manage and secure access to cloud-based services and applications. CASBs act as an intermediary between users and cloud service providers, providing visibility, control, and protection for data and applications in the cloud. They help organizations enforce security policies and ensure compliance with regulations, addressing various concerns related to cloud usage.

Question 97

what is data loss prevention used for? DLP

Answer 97

Data Loss Prevention (DLP) is a cybersecurity technology used to prevent sensitive data from being accidentally or intentionally copied, transferred, or shared outside of an organization's authorized boundaries. It helps protect against data breaches, regulatory violations, and financial losses. Here are some common use cases for DLP: Preventing data exfiltration: DLP can detect and block attempts to copy or transfer sensitive data to unauthorized locations, such as personal email accounts or external devices. Enforcing compliance: DLP can help organizations comply with industry regulations like GDPR, HIPAA, and PCI DSS, which require strict data protection measures. Protecting intellectual property: DLP can safeguard valuable intellectual property, such as trade secrets, research data, and customer information. Preventing insider threats: DLP can detect and prevent malicious insiders from stealing or sharing sensitive data. DLP solutions typically use a combination of techniques, including: Content analysis: Examining the content of files and messages to identify sensitive data. Context analysis: Analyzing the context in which data is accessed or transferred to determine if it is authorized. User behavior analysis: Monitoring user behavior to detect suspicious activity. Encryption: Encrypting sensitive data to make it unreadable if it is intercepted. Access controls: Restricting access to sensitive data based on user roles and permissions. By implementing effective DLP measures, organizations can significantly reduce the risk of data breaches and protect their valuable assets.

Question 98

Multi Cloud Security

Answer 98

Multi-cloud security refers to the practice of protecting data and applications deployed across multiple cloud platforms (e.g., AWS, Azure, Google Cloud). As organizations increasingly adopt hybrid and multi-cloud strategies, ensuring security across these environments becomes paramount.

Question 99

What is Security Architecture?

Answer 99

Security architecture is the design and implementation of a comprehensive security strategy for an organization's IT infrastructure. It provides a blueprint for protecting information assets and ensuring compliance with security regulations.

Question 100

Security Architecture Keys...

Answer 100

Key components of security architecture include: Security policies and standards: A set of guidelines and rules that define the organization's security practices. Security controls: Mechanisms used to protect information assets, such as firewalls, intrusion detection systems, encryption, and access controls. Security frameworks: Standardized approaches to security management, such as NIST Cybersecurity Framework or ISO 27001. Security risk management: The process of identifying, assessing, and mitigating security risks. A well-designed security architecture should address the following goals: Confidentiality: Ensuring that information remains private and accessible only to authorized individuals. Integrity: Protecting information from unauthorized modification or deletion. Availability: Ensuring that information is accessible when needed. Non-repudiation: Preventing users from denying their actions or involvement in a transaction. Common security architectures include: Defense in depth: A layered approach to security that uses multiple controls to protect information assets. Zero trust: A security model that assumes that all network traffic is untrusted and requires strong authentication and authorization before granting access. Cloud security architecture: A specific type of architecture designed to protect cloud-based applications and data. By developing a robust security architecture, organizations can improve their resilience to cyber threats and protect their valuable information assets.

Question 101

what is security orchestration automation and response SOAR?

Answer 101

Security Orchestration, Automation, and Response (SOAR) is a technology platform designed to streamline and improve security operations by automating repetitive tasks, integrating disparate security tools, and providing a centralized view of security events. Key components of SOAR include: Automation: Automating routine security tasks, such as threat intelligence gathering, vulnerability scanning, and incident response procedures. Orchestration: Coordinating and integrating multiple security tools and processes to create a cohesive security response. Response: Providing a platform for security analysts to investigate and respond to security incidents efficiently.

Question 102

XSS attempt..

Answer 102

XSS (Cross-Site Scripting) is a type of web application vulnerability that allows an attacker to inject malicious scripts into a webpage that is viewed by other users. These scripts can be used to steal sensitive information, redirect users to malicious websites, or perform other malicious actions.

Question 103

XSS types:

Answer 103

Reflected XSS: The malicious script is reflected back to the user's browser in the response to a request. Stored XSS: The malicious script is stored on the server and executed when a user visits a vulnerable page. DOM-based XSS: The malicious script is executed within the Document Object Model (DOM) of the web page.

Question 104

What is Cyber Kill Chain?

Answer 104

Cyber Kill Chain is a conceptual framework that outlines the various stages a cyberattack typically follows. It's a helpful tool for understanding and defending against cyber threats. By understanding the Cyber Kill Chain, organizations can implement defensive measures at each stage to prevent or mitigate cyberattacks. For example, they can strengthen their network security, educate employees about phishing threats, and deploy intrusion detection systems.

Question 105

The stages of the Cyber Kill Chain are:

Answer 105

1-Reconnaissance: The attacker gathers information about the target, such as its networks, systems, and vulnerabilities. 2-Weaponization: The attacker develops malicious payloads, such as malware or exploit code. 3-Delivery: The attacker delivers the malicious payload to the target, often through email, phishing, or social engineering. 4-Exploitation: The attacker exploits vulnerabilities in the target's systems to gain unauthorized access. 5-Installation: The attacker installs malicious software on the target's systems. 6-Command and Control: The attacker establishes a communication channel with the compromised systems to maintain control. 7-Actions on Objectives: The attacker carries out their intended actions, such as stealing data, disrupting operations, or causing damage.

Question 106

What is Single Pane of Glass?

Answer 106

Single Pane of Glass (SPOG) is a concept in IT management that refers to a centralized platform or dashboard that provides a unified view of an organization's entire IT infrastructure. It allows administrators to monitor and manage various IT components, such as servers, networks, applications, and security systems, from a single interface.

Question 107

Keys benefits of SPOG (Single Pane Of Glass)

Answer 107

Key benefits of SPOG: Improved visibility: Provides a comprehensive overview of an organization's IT environment, making it easier to identify potential issues and bottlenecks. Enhanced efficiency: Streamlines IT operations by automating routine tasks and reducing manual effort. Centralized management: Offers a centralized platform for managing and controlling IT resources. Simplified troubleshooting: Facilitates troubleshooting by providing a single point of access to relevant information and tools. Enhanced security: Improves security by providing a centralized view of potential threats and vulnerabilities.

Question 108

What is CVSS

Answer 108

CVSS (Common Vulnerability Scoring System) is a standardized framework used to measure the severity of software vulnerabilities. It assigns a numerical score to each vulnerability based on various factors, such as exploitability, impact, and the availability of a patch.

Question 109

Key Components of CVSS:

Answer 109

Key components of CVSS: Base Score: The fundamental score that reflects the intrinsic characteristics of the vulnerability. Temporal Score: Adjusts the base score based on factors like the availability of a patch or exploit. Environmental Score: Adjusts the temporal score based on the specific environment in which the vulnerability exists.

Question 110

Factors considered in CVSS:

Answer 110

Attack Vector: How the vulnerability can be exploited (e.g., network, local, remote). Attack Complexity: The difficulty of exploiting the vulnerability. Authentication: Whether authentication is required to exploit the vulnerability. Privileges Required: The privileges necessary to exploit the vulnerability. User Interaction: Whether user interaction is required to exploit the vulnerability. Scope: Whether the vulnerability affects a single component or the entire system. Confidentiality Impact: The potential impact on confidentiality (e.g., data disclosure). Integrity Impact: The potential impact on integrity (e.g., data modification). Availability Impact: The potential impact on availability (e.g., system downtime)

Question 111

CVSS breakdown

Answer 111

CVSS:3.1: Indicates the version of CVSS used. AV:N: Attack Vector: Network AC:L: Attack Complexity: Low PR:N: Privileges Required: None UI:R: User Interaction: Required S:U: Scope: Unchanged C:H: Confidentiality Impact: High I:H: Integrity Impact: High A:H: Availability Impact: High E:P: Exploit Code Maturity: Proof-of-Concept RC:X: Remediation Level: X (unknown) RC:X: Report Confidence: X (unknown) RL:D: Remediation Level: Defined RU:U: Report Update: Unknown

Question 112

What is an IPS event?

Answer 112

IPS Event refers to an incident or occurrence detected by an Intrusion Prevention System (IPS). An IPS is a security device or software that monitors network traffic for malicious activity and takes action to prevent attacks from succeeding.

Question 113

What is SDLC phase

Answer 113

SDLC Phase stands for Software Development Life Cycle Phase. It refers to one of the stages or steps involved in the process of creating software applications. The SDLC typically consists of multiple phases, each with its own specific goals and activities.

Question 114

what is a tabletop exercise?

Answer 114

A tabletop exercise is a simulated scenario that helps organizations test their emergency response plans and procedures. It's a controlled environment where participants can practice responding to a hypothetical crisis or incident without the risks and consequences of a real-world event.

Question 115

what is TTP?

Answer 115

TTP in cybersecurity typically refers to Tactics, Techniques, and Procedures. It's a framework used to categorize and analyze the methods employed by threat actors to compromise systems and networks

Question 116

Obfuscated Link...??

Answer 116

Obfuscated links are links that have been disguised or altered to make it difficult to determine their true destination. This can be done for various reasons, including: To hide malicious intent: Attackers may obfuscate links to phishing websites or malware downloads to make them appear legitimate. To track clicks: Marketers may obfuscate links to track click-through rates and analyze user behavior. To protect sensitive information: Organizations may obfuscate links to sensitive data to prevent unauthorized access.

Question 117

CMMI Model

Answer 117

The Capability Maturity Model Integration (CMMI) is a process improvement framework that helps organizations improve their ability to deliver products and services. It provides a structured approach to process improvement, focusing on five levels of maturity: Initial: The organization's processes are chaotic and poorly defined. Repeatable: Basic processes are established, but they may be inconsistent and inefficient. Defined: Processes are standardized and documented, but may not be optimized. Managed: Processes are quantitatively measured and controlled. Optimized: Processes are continuously improved and optimized.

Question 118

OWASP

Answer 118

OWASP (Open Web Application Security Project) is a global nonprofit organization focused on improving the security of software applications. It provides frameworks, tools, and resources to help developers and security professionals build more secure web applications. Some of OWASP's key initiatives include: OWASP Top 10: A list of the most critical web application security risks. OWASP ZAP: A free and open-source web application security scanner. OWASP Security Knowledge Base: A collection of articles, tutorials, and resources on web application security. OWASP Testing Guide: A comprehensive guide to web application security testing.

Question 119

SLA

Answer 119

SLA Cybersecurity: A Contractual Commitment to Security SLA stands for Service Level Agreement . In the context of cybersecurity, an SLA is a contract between a service provider (like a Managed Security Service Provider or MSSP) and a client that outlines the specific cybersecurity services to be provided and the expected level of performance.

Question 120

Key components of a cybersecurity SLA typically include:

Answer 120

Scope of Services: Clearly defined services, such as vulnerability assessments, penetration testing, incident response, or threat monitoring.   Performance Metrics: Specific measurements used to evaluate the service provider's performance, such as response times to incidents, uptime guarantees, or compliance with industry standards.   Responsibilities: Clearly defined roles and responsibilities of both the service provider and the client.   Incident Response Plan: Procedures for handling security incidents, including notification processes, investigation steps, and remediation actions. Termination Clauses: Conditions under which the agreement can be terminated.   Confidentiality and Data Privacy: Provisions to protect sensitive information.

Question 121

Key Components of a CASB Policy

Answer 121

Data Classification Access Controls Data Loss Prevention (DLP) Threat Detection and Response Compliance Requirements Incident Response Plan User Education and Awareness

Question 122

MITRE ATT&CK

Answer 122

MITRE ATT&CK is a comprehensive framework for analyzing and understanding the tactics, techniques, and procedures (TTPs) used by attackers in cyber attacks. While the cyber kill chain provides a detailed view of the different stages of an attack, it does not provide as much detail about the tactics, techniques, and procedures used by the attacker as MITRE ATT&CK. The SANS Institute Top 20 Critical Security Controls list the 20 most important security controls organizations should implement to protect against cyber attacks. It does not specialize in tactics, techniques, and procedures (TTPs). While the National Institute of Standards and Technology (NIST) provides a comprehensive view of information security, it does not provide a framework for analyzing tactics, techniques, and procedures (TTPs).

Question 123

Cuckoo Sandbox

Answer 123

is a versatile open-source platform designed for the analysis of malware behavior. It provides a controlled environment where suspicious files can be executed safely, allowing security analysts to observe and understand their actions.

Question 124

A security analyst has received a suspicious email that appears to be from a recognized address. The analyst needs to determine if the email is legitimate or not. Which of the following email analysis methods would be the most appropriate for the security analyst to use in this scenario? A.Email Header Analysis B.Link and Attachment Analysis C.Sender Reputation Verification D.Analysis of Domain-based Message Authentication (DMARC)

Answer 124

D.DMARC combines two other email authentication protocols, SPF and DKIM. It allows the receiver to check that an email claimed to have come from a specific domain was indeed authorized by the owner of that domain. This can help verify the authenticity of the email. While email header analysis can provide valuable information about the origin and path of an email, it may not definitively prove the legitimacy of the email. While this technique can help identify malicious links or attachments in an email, it doesn't confirm the legitimacy of the sender. Verifying the reputation of the sender can be helpful but does not provide a foolproof method of determining the legitimacy of the email.

Question 125

A network administrator at a large business is performing a security assessment of the company's network infrastructure. The administrator must determine the most appropriate framework for conducting a comprehensive security assessment. Which of the following frameworks would be the most appropriate for the network administrator? A.National Institute of Standards and Technology (NIST) Cybersecurity Framework B.Federal Information Security Management Act (FISMA) C.Open Source Security Testing Methodology Manual (OSSTMM) D.International Organization for Standardization (ISO) 27001/27002

Answer 125

C.-Open Source Security Testing Methodology Manual (OSSTMM) is a comprehensive methodology for conducting a security assessment of a network infrastructure.

Question 126

A network administrator has received reports of intermittent connectivity issues. To diagnose the problem, the network administrator has decided to use tcpdump. Which of the following are the primary functionalities of using tcpdump in this scenario? (Select the two best options.) A.To monitor network performance B.To capture and analyze network packets for troubleshooting purposes C.To detect and prevent malicious activity on the network D.To implement network-based firewall rules

Answer 126

A and B.-In this scenario, the network administrator is using tcpdump to monitor network performance, and it can provide information that the network administrator can use in this scenario. The administrator is also using tcpdump to capture and analyze network packets for troubleshooting purposes, such as diagnosing network issues or analyzing network behavior.

Question 127

An e-commerce company has recently experienced a series of phishing attacks targeting its employees. The company tasks the security team with implementing a solution to prevent email spoofing and protect against future phishing attempts. Which of the following technologies would be the most effective at achieving this goal? A.Two-factor authentication B.DNS-based Authentication of Named Entities (DANE) C.Sender Policy Framework (SPF) D.Public key infrastructure (PKI)

Answer 127

C.-DNS-based Authentication of Named Entities (DANE) provides a mechanism for verifying the authenticity of a server's Transport Layer Security (TLS) certificate, although it does not protect against phishing attacks.

Question 128

A network administrator at a small business is concerned about the increasing number of phishing attacks that are targeting the organization's employees. The administrator wants to implement a comprehensive solution to help protect the organization from these types of attacks. Which of the following solutions would be the most appropriate for the network administrator to use in this scenario?

Answer 128

B.Domain-based Message Authentication, Reporting, and Conformance (DMARC) Domain-based Message Authentication, Reporting & Conformance (DMARC) is a comprehensive solution for protecting against phishing attacks. It builds on Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to provide a complete solution for preventing email spoofing.

Question 129

An organization plans to conduct a security assessment and wants to utilize a comprehensive and open approach to guide the assessment process. Which of the following covers various security aspects, such as physical, information, and wireless security, making it the most appropriate choice for the organization's security assessment? A.Open Worldwide Application Security Project (OWASP) Top Ten B.MITRE ATT&CK C.National Institute of Standards and Technology (NIST) Cybersecurity Framework D.Open Source Security Testing Methodology Manual (OSSTMM)

Answer 129

D.-The Open Source Security Testing Methodology Manual (OSSTMM) covers various security aspects, such as physical, information, and wireless security, making it the most appropriate choice for the organization's security assessment.

Question 130

A security analyst is responsible for detecting and responding to security incidents in the organization. The security analyst has decided to implement a security orchestration, automation, and response (SOAR) platform. What is the primary purpose of using a SOAR platform in this scenario? A.To automate incident responses B.To provide real-time threat intelligence to security teams C.To store and manage security-related data D.To monitor and control access to sensitive information

Answer 130

A.-Automating incident responses is one of the key benefits of using a security orchestration, automation, and response (SOAR) platform. The security analyst can respond to incidents more quickly and effectively by automating routine and repetitive tasks.

Question 131

A security analyst monitors the network traffic of an enterprise environment. The analyst has noticed activity on an unexpected port and needs to determine the cause. What is the most likely explanation for the activity on the unexpected port? A.Distributed denial-of-service (DDoS) attack B.Phishing campaign C.Malware infection D.Unpatched software

Answer 131

C.-A malware infection can cause activity on unexpected ports as the malware communicates with its command-and-control server, exfiltrates data, or carries out other malicious activities.

Question 132

A security analyst is conducting a review of a server in a large organization. The analyst has noticed that the server's disk capacity is almost full. What is the most likely cause of high disk capacity consumption in this scenario? A.Insufficient cache B.Large data sets C.Disk fragmentation D.Disk corruption

Answer 132

B.- Storing large data sets can consume a significant amount of disk capacity, particularly if the data is in multiple locations or if a user improperly manages and archives the data.

Question 133

A threat intelligence analyst is conducting a network reconnaissance and needs to gather information about the relationships between various entities on the target network. Which tool could the analyst use to accomplish this task? A.Wireshark B.Maltego C.OpenVAS D.Tcpdump

Answer 133

B.- Maltego is a tool specifically designed for information gathering and visualizing the relationships between various entities. It can gather information about domains, IP addresses, and other network entities to help identify potential targets for a cyber attack.

Question 134

A company's IT security team must perform a comprehensive vulnerability assessment on its network infrastructure to identify potential security weaknesses and misconfigurations. The team requires a tool to scan various systems, devices, and applications and provide detailed reports with actionable recommendations. What tool can accomplish this task? A.Burp Suite B.Splunk C.Nessus D.Snort

Answer 134

C.- Nessus is a vulnerability scanning tool that supports scanning various types of systems, devices, and applications. The team can use Nessus to provide detailed reports with actionable recommendations. Burp Suite is a web application security testing tool that focuses on identifying vulnerabilities and security issues in web applications. It is not specifically used for comprehensive vulnerability assessments across the network infrastructure. Splunk is a powerful data analytics and log management platform that helps organizations gain insights from their data and monitor their infrastructure. It is not specifically used for comprehensive vulnerability assessments. Snort is an open-source intrusion detection and prevention system (IDPS) that monitors network traffic for malicious activities and potential security threats. It is not for comprehensive vulnerability assessments.

Question 135

A security analyst is investigating a server issue where the memory utilization is consistently high. What is most likely the cause of the high memory consumption? A.Memory leaks B.Insufficient hard disk space C.Disk defragmentation D.Insufficient cache

Answer 135

A.- Memory leaks occur when an application allocates memory but does not release it when it is no longer needed, causing high memory consumption over time. It is the most likely cause of high memory consumption.

Question 136

B.Angry IP scanner

Answer 136

Angry IP Scanner provides basic information about open ports and services but may not provide the same level of detail or accuracy as Nmap.

Question 137

Nmap

Answer 137

Nmap is a popular open-source tool for network discovery, mapping, and security auditing. Its features include the ability to scan a large number of hosts, detect operating systems and applications, and perform vulnerability assessments.

Question 138

OpenVas

Answer 138

The OpenVAS tool is an open-source vulnerability scanner that can identify vulnerabilities in multiple operating systems and devices, making it a suitable option for the security analyst.

Question 139

A security analyst is monitoring the network traffic of a large organization. The analyst has noticed an unusual spike in network traffic and needs to determine the cause. What is the most likely explanation for the unusual spike in network traffic? A.Background traffic B.Distributed denial-of-service (DDoS) attack C.Network configuration issue D.Heightened user activity

Answer 139

B.- A distributed denial-of-service (DDoS) attack is a type of cyber attack that uses multiple compromised devices to flood a target network with traffic, causing a denial of service. An unusual spike in network traffic could indicate a DDoS attack.

Question 140

A network administrator is performing a quick network scan to identify all devices and services on the organization's network. The administrator does not require extra features but is required to use an open-source solution. Which of the following tools would be the most appropriate for the network administrator to use in this scenario? A.Angry IP B.Wireshark C.Nessus D.Traceroute

Answer 140

A.- Angry IP Scanner is a popular open-source network scanning and mapping tool. It can scan an entire network or a range of IP addresses to identify all connected devices and services.

Question 141

A network security analyst is performing a penetration testing engagement for a client. The analyst needs to exploit vulnerabilities in the client's network. Which of the following tools is most commonly used by security professionals for this purpose? A.Metasploit B.Nessus C.OpenVAS D.Angry IP scanner

Answer 141

A.- Metasploit is a widely used framework for penetration testing and exploiting vulnerabilities. It allows security professionals to test the security of a network by finding and exploiting vulnerabilities.

Question 142

A security analyst is conducting an assessment of the network security of a small office. The analyst must determine if any unauthorized devices and services are on the network. What type of scan/sweep would indicate to the security analyst that unauthorized devices and services are running on the network? A.Port scan B.Ping sweep C.TCP sweep D.UDP sweep

Answer 142

A.- By determining which ports are open using a port scan, the security analyst can determine what services or applications are running on the target device, and identify any unauthorized devices or services that may be present on the network.

Question 143

Nikto

Answer 143

is another popular web application scanner designed to use the command line, and the project website is https://www.cirt.net/nikto2. Nikto can discover the type of HTTP server and web applications running on a host and expose vulnerabilities contained within them. Nikto scans using default settings can be easily performed using the command nikto -h.

Question 144

Arachni

Answer 144

is another open-source web scanner application (arachni-scanner.com) available with both command line and web-based graphical interfaces. By default, the scanner audits HTML forms, JavaScript forms, JSON input, XML input, links, and any orphan input elements. The scanner actively tests many different vulnerabilities, including code injection, SQL injection, XSS, CSRF, local and remote file inclusion, session fixation, directory traversal, backdoors, insecure policies, server information leakage, personal data exposure, and others.

Question 145

Prowler

Answer 145

is an audit tool for use with AWS only. It can detect misconfigurations and security issues, such as weak passwords, unpatched systems, and insecure protocol use. It can also be used to evaluate cloud infrastructure against the CIS Benchmarks™ for AWS (cisecurity.org/benchmark/amazon_web_services) and perform regulatory compliance checks.

Question 146

ScoutSuite

Answer 146

s a powerful open-source security auditing tool used to assess cloud infrastructure security. It allows organizations to evaluate the security of their cloud environments across multiple providers and services, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). The tool collects data from a cloud platform using API calls. Then it compiles a report of all the discovered objects, including VM instances, storage containers, IAM accounts, data, firewall ACLs, and many others. The scanner ruleset can categorize discovered items with severity levels based on predetermined policies.

Question 147

Pacu

Answer 147

is designed as an exploitation framework for evaluating the security of an AWS environment. It includes modules for exploiting APIs and VM instances. An attacker or pen tester can use cloud-access credentials to determine how they may be abused to gather information about other accounts and configured services, or gain unauthorized access to cloud services.

Question 148

A security analyst is performing a web application security assessment for a client to determine if any vulnerabilities exist in the web application and provide recommendations for remediation. Which tool is best suited for this task, considering its ability to identify security vulnerabilities and create and share custom scripts and plugins? A.Burp Suite Community Edition B.Aircrack-ng C.Zed Attack Proxy (ZAP) D.Metasploit

Answer 148

C. Zed Attack Proxy (ZAP) is a free, open-source web application security testing tool. It identifies security vulnerabilities in web applications and supports creating and sharing custom scripts and plugins. ZAP is a popular choice for web application security assessments.

Question 149

A software development company is building a custom web application for a client that will process sensitive financial information. The client has specified that a software developer must thoroughly test the application for security vulnerabilities before it goes into production. The company has several security testing options but wants to use the tool that will provide the most comprehensive results. What tool should the company use in this instance? A.Nessus B.Burp Suite C.Metasploit D.Nmap

Answer 149

B.- Burp Suite is a web application security testing tool that provides comprehensive features for identifying and mitigating security vulnerabilities. It would be the most appropriate tool for the software development company to use in this scenario.

Question 150

A security analyst has to perform a thorough security assessment of a client's web infrastructure. The client has a large number of web servers, and the analyst needs to identify any vulnerabilities that may exist within them. To accomplish this task, the analyst needs a tool that can quickly scan multiple web servers and provide comprehensive information on any detected vulnerabilities. Given the following options, which tool best suits the security analyst's needs in this scenario? A.Nikto B.Metasploit C.Arachni D.Burp Suite

Answer 150

A.- Nikto is a web server scanner that the security analyst can use to specifically identify vulnerabilities in web servers. It can quickly scan multiple web servers and provide comprehensive information on any detected vulnerabilities.

Question 151

A company's security team needs to assess the security posture of its Amazon Web Services (AWS) environment, focusing on both the reconnaissance and exploitation phases of a penetration testing engagement. The team requires a tool that can automate various attack scenarios and validate the effectiveness of its cloud security controls. Which of the following tools is best suited for this task? A.Pacu B.Zed Attack Proxy (ZAP) C.Tenable.io D.Suricata

Answer 151

A.- Pacu is an open-source Amazon Web Services (AWS) exploitation framework for penetration testing engagements in AWS environments. It automates various attack scenarios and helps validate the effectiveness of cloud security controls.

Question 152

A company wants to evaluate the security posture of its Amazon Web Services (AWS) infrastructure to ensure it adheres to industry best practices and compliance standards. What tool can the company use to automate the auditing process and generate reports for their cloud environment? A.Burp Suite B.Nessus C.Nmap D.Prowler

Answer 152

D.-Prowler is an open-source security tool that helps organizations evaluate their Amazon Web Services (AWS) infrastructure and ensure it adheres to industry best practices and compliance standards.

Question 153

A cloud security team is looking for a multi-cloud security auditing tool that can assess the security posture of their Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP) environments. The cloud security team needs a tool that can provide a clear and concise view of potential security risks and misconfigurations. Which of the following tools is best suited for this task? A.Wazuh B.Aircrack-ng C.ScoutSuite D.Nikto

Answer 153

C.- ScoutSuite is an open-source multi-cloud security auditing tool that supports AWS, Azure, and GCP environments. It assesses the security posture of cloud environments and provides a concise view of potential security risks and misconfigurations.

Question 154

A software development company has launched a new e-commerce website for their client. The client has expressed concerns about the website's security and has asked the development team to ensure that the website is secure from any potential threats. The development team has decided to conduct a web application security assessment to address these concerns. Which of the following tool best suits this task, considering its ability to identify security vulnerabilities, support automated testing and extend functionality by installing add-ons? A.Nikto B.Maltego C.Aircrack-ng D.Zed Attack Proxy (ZAP)

Answer 154

D.- ZAP (Zed Attack Proxy) is a popular open-source web application testing tool. It has many features to support automated scanning, input manipulation, and API testing. Key features include an intercepting proxy for intercepting and modifying requests and responses between the browser and web application and an active scanner that can identify vulnerabilities such as SQL injection and cross-site scripting (XSS). Its plugin architecture can extend its capabilities, allowing users to create and share custom scripts and plugins.

Question 155

A software developer is working on a Linux-based application and encounters an unexpected issue in the code execution. The software developer needs a tool that can help them examine and debug the application, allowing them to inspect the runtime state and modify the program's execution flow. Which of the following tools is best suited for this task? A.Tcpdump B.GNU Debugger C.Wireshark D.Cuckoo

Answer 155

B.- The GNU Debugger is a widely used debugging tool for Linux-based applications. It allows developers to examine and debug applications, inspect the runtime state, and modify the program's execution flow.

Question 156

A security analyst at an organization receives an alert from their security information and event management (SIEM) system. Upon reviewing the log data, the analyst notices an increase in high-privilege actions within the network. What should the analyst prioritize when investigating this issue to identify the potential underlying cause? A.Investigate unusual network traffic patterns B.Analyze new user accounts C.Review application logs for unexpected behavior D.Examine recent file changes and modifications

Answer 156

B.- The analyst should prioritize analyzing newly created user accounts, as the increase in high-privilege actions may be in relation to the unauthorized introduction of new accounts with elevated permissions.

Question 157

A security analyst examines suspicious activity on a Linux-based server within the organization's network. The analyst uncovers a file containing an obfuscated script that utilizes system-level commands. Which technique should the analyst use to efficiently investigate potential malicious activities related to this incident on the affected system? A.Inspect the execution history of PowerShell scripts B.Examine Python script execution history C.Review JavaScript scripts output D.Analyze shell script logs

Answer 157

D.- Analyzing shell script logs would be the most effective way to investigate potential malicious activities related to this incident on the affected Linux-based system. The obfuscated script seems to be utilizing system-level commands, which is typical for shell scripts.

Question 158

A cybersecurity analyst is investigating a security incident and suspects that an attacker is using a specific programming language to execute commands on the target system. The target system is running on a Windows environment. Which programming language is most commonly associated with scripting and automating tasks in this context? A.Python B.Bash C.JavaScript D.PowerShell

Answer 158

D.- PowerShell is a task-based command-line shell and scripting language designed specifically for Windows environments. It is for scripting and automating tasks within Windows, making it the best choice for this scenario.

Question 159

A cybersecurity analyst is investigating a security incident and needs to search for specific patterns within large amounts of log data. Which programming tool or technique is most commonly used to identify patterns in text data and would be helpful for the analyst in this scenario? A.Python B.Regular expressions C.Shell script D.JavaScript

Answer 159

B.- Regular expressions are a powerful tool for defining and searching for specific patterns in text data, making them the most appropriate choice for this scenario.

Question 160

A software development company is building a custom application for a client that will collect and analyze moderate amounts of data to identify patterns and make predictions. The client has specified that the application must use a scripting language with many libraries and tools for machine learning. Which scripting language should the software developer use? A.C++ B.Python C.Java D.JavaScript

Answer 160

B.- Python has a vast and well-established ecosystem for machine learning, with numerous libraries and tools available for tasks such as data analysis, visualization, and modeling.

Question 161

A security analyst discovers that a new scheduled task is executing an unknown script regularly. Upon further investigation, it shows that the script includes cmdlets that are specific to a certain scripting language. What is the most efficient way for the analyst to identify potentially malicious activity related to this incident on the affected system? A.Review the output of JavaScript scripts B.Examine Python script execution history C.Analyze PowerShell logs D.Investigate Ruby script dependencies

Answer 161

C.- Analyzing PowerShell logs would be the most effective way to identify potentially malicious activity since the discovered script includes cmdlets unique to a certain language, which the analyst can infer as PowerShell.

Question 162

A web developer at a startup company is building a new web application. The developer wants to ensure that the application is secure from various types of attacks. Which of the following frameworks would be the most appropriate for the web developer to use? A.OWASP Web Security Testing Guide B.International Organization for Standardization (ISO) 27001/27002 C.Open Source Security Testing Methodology Manual (OSSTMM) D.Control Objectives for Information and related Technology (COBIT)

Answer 162

A.- OWASP Web Security Testing Guide is a comprehensive guide for web application security testing. It provides guidelines, best practices, and resources for web developers to ensure that their applications are secure from various types of attacks.

Question 163

DLP

Answer 163

In cybersecurity, Data Loss Prevention (DLP) refers to a set of strategies, technologies, and practices designed to ensure that sensitive or critical information does not get lost, leaked, or accessed by unauthorized individuals. DLP solutions aim to protect data from both accidental and intentional breaches.

Question 164

Ted, a file server administrator, has noticed that a large number of sensitive files have been transferred from a corporate workstation to an IP address outside of the local area network. Ted looks up the IP address and determines that it is located in a foreign country. Ted contacts his company’s security analyst, who verifies that the workstation’s anti-malware solution is up-to-date, and the network’s firewall is properly configured. What type of attack most likely occurred to allow the exfiltration of the files from the workstation? MAC spoofing Impersonation Session hijacking Zero-day

Answer 164

Zero-day

Question 165

You are conducting threat hunting for an online retailer. Upon analyzing their web server, you identified that a single HTML response returned as 45 MB in size, but an average response is normally only 275 KB. Which of the following categories of potential indicators of compromise would you classify this as? Introduction of new accounts Data exfiltration Beaconing Unauthorized privilege

Answer 165

Data exfiltration

Question 166

Judith is conducting a vulnerability scan of her data center. She notices that a management interface for a virtualization platform is exposed to her vulnerability scanner. Which of the following networks should the hypervisor's management interface be exposed to ensure the best security of the virtualization platform? Internal zone External zone DMZ Management network

Question 167

Which law requires government agencies and other organizations that operate systems on behalf of government agencies to comply with security standards? HIPPA FISMA SOX COPPA

Question 168

You work for Dion Training as a physical security manager. You are concerned that the physical security at the entrance to the company is not sufficient. To increase your security, you are determined to prevent piggybacking. What technique should you implement first? Install a RFID badge reader at the entrance Install a mantrap at the entrance Install CCTV to monitor the entrance Require all employees to wear security badges when entering the building

Question 169

A cybersecurity analyst notices the following XML transaction while reviewing the communication logs for a public-facing application that receives XML input directly from its clients: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ]> &abc; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Based on the output above, which of the following is true? ISO-8859-1 only covers the Latin alphabet and may preclude other languages from being used An XML External Entity (XXE) vulnerability has been exploited and its possible that the password has downloaded the file "/etc/passwd". The application is using parameterized queries to prevent XML injections There is no concern since "/etc/passwd" does not contain any system passwords

Question 170

Which of the following type of solutions would you classify an FPGA as? Trusted platform module Anti-tamper Hardware security module Root of trust

Question 171

Dion Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal network. The CompTIA employees should obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if a Dion Training employee uses the same Ethernet port in the conference room, they should access Dion Training's secure internal network. Which of the following technologies would allow you to configure this port and support both requirements? Implement NAC Configure a SIEM Create an ACL to allow access MAC filtering

Question 172

Which type of system would classify traffic as malicious or benign based on explicitly defined examples of malicious and benign traffic? Machine learning Generative adversarial network Deep leaning Artificial intelligence

Question 173

Which of the following protocols is commonly used to collect information about CPU utilization and memory usage from network devices? MIB SNMP NetFlow SMTP

Question 174

Which of the following commands would NOT provide domain name information and details about a host? nslookup [ip address] sc [ip address] host [ip address] dig -x [ip address]

Question 175

What method might a system administrator use to replicate the DNS information from one DNS server to another, but could also be used maliciously by an attacker? Zone transfers DNSSEC CNAME DNS registration

Question 176

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URLs: https://test.diontraining.com/profile.php?userid=1546 https://test.diontraining.com/profile.php?userid=5482 https://test.diontraining.com/profile.php?userid=3618 What type of vulnerability does this website have? Improper error handling Race condition Weak or default configurations Insecure direct object reference

Question 177

During her login session, Sally is asked by the system for a code sent to her via text (SMS) message. Which of the following concerns should she raise to her organization’s AAA services manager? SMS should be encrypted to be secure SMS messages may be accessible to attackers via VoIP or other systems SMS should be paired with a third factor SMS is a costly method of providing a second factor of authentication

Question 178

Jeff has been contacted by an external security company and told that they had found a copy of his company's proprietary source code on GitHub. Upon further investigation, Jeff has determined that his organization owns the repository where the source code is located. Which of the following mitigations should Jeff apply immediately? Change the repository from public to private Delete the repository Investigate if the source code was downloaded Revaluate the organization's information management policies

Question 179

A cybersecurity analyst is reviewing the DNS logs for his company's networks and sees the following output: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- $ cat dns.log | bro-cut query gu2m9qhychvxrvh0eift.com oxboxkgtyx9veimcuyri.com 4f3mvgt0ah6mz92frsmo.com asvi6d6ogplqyfhrn0p7.com 5qlark642x5jbissjm86.com -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Based on this potential indicator of compromise (IoC), which of the following hypotheses should you make to begin threat hunting? Fast flux DNS is being used for an attacker's C2 The DNS server's hard drive is being used as a staging location for a data exfiltration The DNS server is running out of memory due to a memory resource exhaustion attack Data exfiltration is being attempted by an APT

Question 180

Which of the following is NOT a means of improving data validation and trust? Encrypting data in transit Decrypting data at rest Using MD5 checksums for files Implementing Tripwire

Answer 180

Decrypting data at rest.