CIT Study Questions Flashcards

1
Q

What is an endpoint security solution?

A

It is a suite of tools that actively protect workstations or end-user devices (such as desktops, laptops, and personal mobile devices that access company resources) from most attack vectors.

2
Q

True or False: an endpoint security solution operates as an enterprise security perimeter and is best suited for bring your own device (BYOD).

A

True

3
Q

Sean who works as a network administrator has just deployed an IDS in his organization’s network. Sean deployed an IDS that generates four types of alerts that include: true positive, false positive, false negative, and true negative. In which of the following conditions does the IDS generate a true positive alert?

-A true positive is a condition occurring when an event triggers an alarm when no actual attack is in progress.
-A true positive is a condition occurring when an IDS identifies an activity as acceptable behavior and the activity is acceptable.
-A true positive is a condition occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress.
-A true positive is a condition occurring when an IDS fails to react to an actual attack even

A

A true positive is a condition occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress.

4
Q

Which detection method searches for unknown viruses by looking for known suspicious behavior or file structure?

A

Heuristic detection

5
Q

What is NOT true of Multi-Engine Antivirus Scanning?
1) Only one AV should be installed on a workstation
2) Different AVs, different methodologies, and block lists
3) Scanning with multiple engines simultaneously
4) More than one AV can be installed on a workstation

A

4) More than one AV can be installed on a workstation

6
Q

In cybersecurity, which is worse: a false positive or a false negative?

A

A false positive state is when the IDS identifies an activity as an attack but the activity is acceptable behavior. A false positive is a false alarm. A false negative state is the most serious and dangerous state. This is when the IDS identifies an activity as acceptable when the activity is actually an attack.

7
Q

If multiple honeypots are connected to form a larger network, what term is used to describe the network?

a. honeycomb

b. combo lure

c. laureate

d. honey net

A

honeynet

Two or more honeypots on a network form a honey net.

8
Q

_________ are decoy systems designed to lure potential attackers away from critical systems.

A) Honeypots
B) Bastion Hosts
C) Wasp Nests
D) Designated Targets

A

A) Honeypots

9
Q

Which solution can be used to emulate computer services, such as mail and ftp, and to capture information related to logins or actions?

-DeMilitarized Zone (DMZ)
-Honeypot
-Intrusion Detection System (IDS)
-Firewall

A

-Honeypot

10
Q

Which type of data loss prevention system is usually installed near the network perimeter?

A

Network-based data loss prevention (DLP) solutions

11
Q

Data leakage prevention products can operate in which two modes?

A

Block List or Allow List

12
Q

DLP capabilities should be ______ to reduce false positives and ensure security policies are sufficiently enforced in cloud or hybrid environments.

Content aware
Context aware
Compliance aware
Both content and compliance aware
Both content and context aware

A

Both content and context aware

DLP tools in cloud or hybrid environments should be content aware and context aware – meaning, in addition to knowing what data is in scope and where it is, DLP tools should be aware of who is accessing it, from where and whether that access follows security policies.

13
Q

True or false: allow listing is always the best approach and the more secure solution?

A

True

14
Q

Which of the following is the most important aspect in determining DLP readiness before deploying?

Choosing a vendor

Focusing on DLP limitations in extreme cases

Identifying data it is designed to protect

Relying on DLP as an infallible security control

A

Identifying data it is designed to protect

The simplest yet most significant aspect of ensuring DLP effectiveness is determining what data to protect and where that data resides. DLP works best when the data has a defined pattern, location, or source.

15
Q

DLP products can be categorized into which of the following two deployment models?

Zero trust and cloud-based

Cloud-based and agent-based

Network-based and agent-based

None of the above

A

Network-based and agent-based

When choosing a DLP product, security leaders must decide between network-based and agent-based deployment models.

16
Q

Which of the following is too often considered an afterthought when implementing DLP tools for security?

Structured data in databases

Unstructured data

Account directory data

Data in transit

A

Structured data in databases

To detect weaknesses and improve DLP management, pay special attention to structured data found in databases, which can often be overlooked by IT leaders preoccupied with the risks associated with unstructured data.

17
Q

How do DLP tools help organizations maintain data privacy compliance?

DLP software provides templates for compliance with certain regulations.

DLP systems log alerts and/or prevent sensitive data from being sent outside the organization.

Both of the above

None of the above

A

Both of the above

By providing templates for compliance with mandates such as HIPAA and by logging and/or preventing sensitive data from being sent externally, DLP can significantly aid compliance efforts as part of an enterprise data privacy framework.

18
Q

A file timestamp is metadata that contains information about a file and reflects when the file was created, last accessed, and last modified. In digital forensics, timestamps can be used, for example, to validate the integrity of an access log file (i.e., to check whether the file has been tampered with to mask an unauthorized access attempt). Because different systems might be set to different time zones, in order to determine the chronological order of events during a security incident it is also important to take into account the time offset, which denotes the difference between the timestamp and a chosen reference time (a.k.a. time normalization).
True
False

A

True

19
Q

What is a communication protocol for electronic mail transmission?

A

SMTP (Simple Mail Transfer Protocol) is a method of exchanging information between a sender’s server and a recipient’s server

20
Q

What port does SMTP use?

A

Port 25

21
Q

What does POP3 stand for and what port does it use?

A

Post Office Protocol, port 110

22
Q

What does the TXT Record contain?

A

Contains descriptive human-readable text in a DNS record that often includes contact and hosting information

23
Q

What command is used to query DNS records, create automated scripts, and perform DNS zone transfers?

A

nslookup

24
Q

What attack method is designed to trick users into thinking the attacker is a legitimate entity so the attacker can perform such nefarious activities as gaining access to the victim’s personal information, spreading malware through infected links or attachments, and bypassing network access controls?

A

Spoofing

25
Q

Which attack is the act of altering DNS records to redirect traffic to a malicious online destination?

A

DNS Spoofing

26
Q

What part of the email provides the message’s routing information, which includes the email metadata, such as sender, recipient, and content type, which describes the type of data being sent (

A

Email header

27
Q

What platform should be used for testing email attachments?

A

The sandbox scans the file’s behavior to determine whether or not it has malicious intentions.

28
Q

What is used as a mail proxy located in the DMZ and is responsible for sending and receiving email outside of and within the company?

A

Mail Relay (can support many types of security mechanisms, such as DKIM, SPF, and DMARC to protect against phishing attacks as previously described.)

29
Q

Which of the following is NOT true for security operations center (SOC) functions?
1) Manages security incidents
2) Monitors different system logs and responds to incidents
3) Handles network management, configuration, and IT
4) Uses SIEM and ticket management tools

A

3) Incorrect, because SOCs don’t handle network management, configuration, and IT.

SOCs handle data analysis and technology.

30
Q

Which feature is a characteristic of later SIEMs?

Select one:

A) Collect, normalize, and store log events and alerts
B) Connect all security tools together into defined workflows
C) Manage network information and alerts
D) Manage network events and alerts

A

A) Collect, normalize, and store log events and alerts

31
Q

Which feature provides SIEM greater visibility into the entire network?

Select one:

A) Complying with regulations
B) Deciphering encrypted logs and alerts
C) Sharing of logs by IoTs and BYODs
D) Analyzing logs and alerts from a single-pane-of-glass

A

D) Analyzing logs and alerts from a single-pane-of-glass

32
Q

Which problem was a barrier to the general acceptance of first-generation SIEM?

Select one:

A) The point solution approach to network security
B) Cost to purchase was prohibitive
C) Did not have the features needed by organizations
D) High-level of skill was required

A

D) High-level of skill was required

33
Q

What is one method that SIEM uses to analyze data?

Select one:

A) Apply security controls
B) Decipher encrypted data flows
C) Decipher encrypted logs and alerts
D) Watch for known indicators of compromise (IoC)

A

D) Watch for known indicators of compromise (IoC)

34
Q

The intrusion detection system at a software development company suddenly started generating multiple alerts regarding attacks against the company’s external webserver, VPN concentrator, and DNS servers. What should the security team do to determine which alerts to check first?

-Investigate based on the maintenance schedule of the affected systems.
-Investigate based on the service-level agreements of the systems.
-Investigate based on the order that the alerts arrived in.
-Investigate based on the potential effect of the incident.

A

Investigate based on the potential effect of the incident.

35
Q

What does the term SIEM stand for?

Security Information and Email Management

Security Information and Electronic Measurement

Security Information and Emergency Management

Security Information and Event Manager

A

Security Information and Event Manager

36
Q

True or false: aggregation alerts are a summary of log data?

A

True (brute force and port scanning)

37
Q

True or false: correlation alerts take all the logs and show the bigger picture of what’s going on?

A

True; they can imply a malicious hacking attempt.

38
Q

What does the acronym SOAR stand for?

A

Security Orchestration, Automation, Response (SOAR)

39
Q

From the choices below, what is the best description of SOAR?
1) Combines the processes and the security tools available to exploit opportunities given a particular situation.
2) Connects all tools in your security stack together into defined workflows that can be run automatically.
3) Correctly orients the security team to address the cyber threat according to the situation.

A

Connects all tools in your security stack together into defined workflows that can be run automatically

40
Q

True or false: the primary benefit of SOAR is that its automation eliminates the need for many repetitive Tier 1 analyst functions, thereby reducing incident response time?

A

True?

41
Q

What are playbooks used for?

A

To automate tasks an analyst would otherwise have to do manually (automation).

42
Q

What is alert fatigue?

A

When an analyst is overwhelmed with the number of alerts coming in

43
Q

Which of the following typically uses a combination of human and artificial intelligence to analyze event data and take action without intervention?

A. TTP
B. OSINT
C. SOAR
D. SIEM

A

C. SOAR

44
Q
What does IoT stand for?
a) Internet of Technology
b) Incorporate of Things
c) Internet of Things
d) Incorporate of Technology

A

c) IoT stands for Internet of Things

45
Q

What is considered IoT?
a) Any device or component, such as a fitness tracker, alarm system, or thermostat, can be included in IoT if it can connect to the internet
b) network of virtual objects
c) network of objects in the ring structure
d) network of sensors

A

Any device or component, such as a fitness tracker, alarm system, or thermostat, can be included in IoT if it can connect to the internet.

46
Q

Which of the following is false about IoT devices?
a) IoT devices use the internet for collecting and sharing data
b) IoT devices need microcontrollers
c) IoT devices use wireless technology
d) IoT devices are completely safe

A

d) IoT devices are completely safe

IoT devices are wireless devices that use the internet for collecting and sharing data. They are not completely safe because they store data, often lack proper security measures, and are sometimes accessed by hackers.

47
Q

True or false: IoT devices are subject to on-path attacks and to both DoS and DDoS attacks.

A

True

48
Q

What framework provides a list of IoT vulnerabilities and mitigations?

A

OWASP

49
Q

The primary best practice for the security of IoT devices is to purchase devices that were designed with security in mind. True or False

A

True

50
Q

What are some additional security best practices for IoT devices?

A

Least-privilege and least-route methods, segregation (VLANs), IPS, firewalls, vulnerability scanners, NAC, and others, and removing end-of-life equipment.

51
Q

What Is ICS?

A

Industrial Control Systems (ICS) are units that monitor and manage industrial machinery used in critical infrastructure.

52
Q

What does ICS do?

A

Industrial Control Systems (ICS) are units that monitor and manage industrial machinery used in critical infrastructure.
ICS integrates hardware, software, and network connectivity to achieve remote support and management of critical infrastructure devices.

53
Q

Which protocols does ICS operate with?

A

ICS can operate with the following protocols: RS-485, Modbus, DNP3, TASE 2.0, CIP, PROFIBUS, BACnet, and others.

54
Q

What Is Firmware?

A

Firmware is semi-permanent software used to operate hardware components. It is written onto dedicated flash memory on the computer’s hardware and provides instructions for hardware devices to enable communication with other hardware components.

55
Q

What is EDR?

A

Endpoint Threat Detection and Response (EDR) provides high visibility on all endpoints in the organization. The focus of EDR is on detecting and responding to malicious activity on the host. EDR

56
Q

EDR achieves its goal by utilizing machine learning and detects abnormal or anomalous activities on a workstation. True or false

A

True

57
Q

What is NGFW?

A

A next-generation firewall can identify the applications and features running over the network and identify malware.

58
Q

What is a Host based Firewall?

A

Software that runs on an individual endpoint.

59
Q

Host-based intrusion protection system (HIPS)

A

This means that when the protection system detects a possible security event, it will automatically try to block it.
Recognize and block known attacks
Secure OS and application config
Often built into endpoint protection software

60
Q

Host-based intrusion detection system (HIDS)

A

It means that the protection system will be able to detect and alert upon a possible security event, but it will not attempt to block anything.
Uses log files to identify intrusions
Can reconfigure firewall to block

61
Q

What are the HIPS identification (signature) techniques?

A

Signature, heuristic, behavioral

62
Q

Defense in Depth

A

Slowing down the progress of a hacker.

63
Q

Which of the following is an area where IoT is used?
Enterprise IoT
Industrial IoT
Agriculture & Meteorology
All of the above

A

All of the above

64
Q

True or False: IoT apps are clients connecting to a server that controls the IoT devices?

A

True

65
Q

Which of the following are components that allow IoT devices to function? (Select 2)
Translator
External monitor
Data analysis and processing
Connectivity

A

Data analysis and processing
Connectivity

66
Q

Which of the following is a common hard-coded secret in an IoT device?
Sensitive URLs
Local pathnames
API & encryption keys
All of the above

A

All of the above

66
Q

True or False: firmware updates are released more frequently than software updates?

A

False

66
Q

What are two common IoT attack vectors?

A

unencrypted and firmware updates

66
Q

Which of the following are industrial IoT devices?

• Sensors and devices
• Connectivity
• Data analysis and processing
• User interface
• All of the above

A

All of the above

67
Q

Shodan provides a threat intelligence tool for scanning what, exactly?

A

Web headers

68
Q

What are 3 ICS components?

A

HMI, PLC, RTUs