CYAC+ 003 - questions Flashcards
(31 cards)
A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrity but not to availability. Which of the following CVE metrics would be most accurate for this zero-day threat?
A. CVSS:31/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:K/A:L
B. CVSS:31/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
C. CVSS:31/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H
D. CVSS:31/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H
The answer is A
The attack vector is network (AV:N), attack complexity is low (AC:L), no privileges are required (PR:N), no user interaction is required (UI:N), scope is unchanged (S:U), and the confidentiality and integrity impacts are high (C:H/I:H). Option A is the only choice consistent with the description: B and D require privileges or user interaction, and C has no integrity impact.
Two transcription problems should be noted. The vector prefix should read CVSS:3.1, and "K" is not a valid value for Integrity (I), so I:K is presumably a typo for I:H (the other options contain similar invalid values, such as AV:K, PR:R and UI:H). Strictly, "no impact to availability" would be A:N rather than A:L, but no option offers that, so A remains the closest match.
Reference:
https://www.first.org/cvss/calculator/3.1
Which of the following items should be included in a vulnerability scan report? (Choose two.)
A. Lessons learned
B. Service-level agreement
C. Playbook
D. Affected hosts
E. Risk score
F. Education plan
Selected Answer: DE
Correct - From CertMaster:
Vulnerability Report Content
The report should detail identified vulnerabilities, such as missing patches, incorrect configuration settings, and weak passwords, and include the following:
- Details regarding the type of vulnerability
- The number of instances
- The affected systems
- The risk levels
- Recommendations
The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released. Which of the following would best protect this organization?
A. A mean time to remediate of 30 days
B. A mean time to detect of 45 days
C. A mean time to respond of 15 days
D. Third-party application testing
Selected Answer: A
If attackers typically begin exploiting a newly patched vulnerability about 45 days after the patch is released, the organization must have the fix applied before that window closes. A mean time to remediate of 30 days keeps patching ahead of the expected exploitation, which is why A is the best protection. Mean time to detect and mean time to respond (B, C) measure how quickly alerts are handled, not how quickly the exposure is removed, and third-party application testing (D) does not address the patch gap.
The security team reviews a web server for XSS and runs the following Nmap scan:
Which of the following most accurately describes the result of the scan?
A. An output of characters > and " as the parameters used in the attempt
B. The vulnerable parameter ID http://172.31.15.2/1.php?id-2 and unfiltered characters returned
C. The vulnerable parameter and unfiltered or encoded characters passed > and “ as unsafe
D. The vulnerable parameter and characters > and “ with a reflected XSS attempt
Selected Answer: D
It is mentioned in the scan output that the characters are reflected in the output.
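The check the Nmap script performs can be reproduced in a few lines. The following is an added example, not output from the page's scan: it sends a parameter value that wraps a set of dangerous characters between two copies of a marker, then reports which of those characters come back unencoded between the markers. The marker string ghz7q, the two stand-in "applications" and the use of http://172.31.15.2/1.php with parameter id are assumptions for the demonstration; the apps are plain functions so the script runs offline.

```python
"""Reflected-XSS / unsafe-output-escaping check (added example).

A probe value of the form <value><MARKER><probe chars><MARKER> is sent in
the parameter under test.  If any probe character is reflected verbatim
between the two markers, the application does not encode that output and
the parameter is a reflected-XSS candidate.
"""
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

MARKER = "ghz7q"       # hypothetical token, unlikely to occur in a real page
PROBE_CHARS = "<>\"'"  # characters that break out of tags or attributes


def build_probe_url(base_url, param, value="2"):
    """Return base_url?param=<value><MARKER><probe><MARKER>, percent-encoded."""
    payload = value + MARKER + PROBE_CHARS + MARKER
    return base_url + "?" + urlencode({param: payload})


def unsafe_reflections(body, marker=MARKER, probe=PROBE_CHARS):
    """Return the set of probe characters reflected unencoded between markers."""
    found = set()
    pattern = re.escape(marker) + r"(.*?)" + re.escape(marker)
    for m in re.finditer(pattern, body, re.S):
        found.update(ch for ch in probe if ch in m.group(1))
    return found


def check_parameter(fetch, base_url, param):
    """fetch(url) -> response body.  Returns the unescaped probe characters."""
    return unsafe_reflections(fetch(build_probe_url(base_url, param)))


# --- constructed stand-ins for the target, so no network access is needed ---
def _query_param(url, name):
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def vulnerable_app(url):
    """Echoes ?id= straight into the HTML: classic reflected XSS."""
    return "<html><body>Item: " + _query_param(url, "id") + "</body></html>"


def safe_app(url):
    """Same page with html.escape(): < > \" ' are all entity-encoded."""
    return ("<html><body>Item: "
            + html.escape(_query_param(url, "id"), quote=True)
            + "</body></html>")


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("safe", safe_app)):
        unsafe = check_parameter(app, "http://172.31.15.2/1.php", "id")
        print(f"{name:10s} reflected unescaped: {sorted(unsafe) or 'none'}")
```

Against a real target, replace the stand-in with a function that performs the HTTP request and returns the body; the marker pair is what keeps the check from being fooled by quotes or angle brackets that the page already contains elsewhere.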
A security analyst received a malicious binary file to analyze. Which of the following is the best technique to perform the analysis?
A. Code analysis
B. Static analysis
C. Reverse engineering
D. Fuzzing
Selected Answer: C
Static analysis is typically done when you have the source code in front of you. This is a precompiled binary: you won't know its libraries, functions, system calls, etc. without reverse engineering of some kind. Typically what you'll do is put it in some sort of sandbox and see what it beacons, etc. I guess you can call that reverse engineering, so C would be the best answer here.
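Before a binary goes anywhere near a sandbox or a disassembler, the usual first pass is hashing, identifying the file type and pulling printable strings for indicators. The script below is an added example (not the page's own material) of that triage; the sample bytes are constructed inline with a fake PE header, a C2-looking URL on the reserved .invalid domain, an IP from the documentation range, a UTF-16LE command line and a Run-key path, so it runs offline. The indicator patterns are illustrative choices, not a complete rule set.

```python
"""First-pass static triage of an unknown binary (added example).

Hashes the sample, identifies it from magic bytes, extracts ASCII and
UTF-16LE strings (Windows binaries store most text as wide strings, which
a naive ASCII-only pass misses) and flags string-based indicators.
"""
import hashlib
import re

MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
}

# Illustrative indicator patterns; extend for the case at hand.
IOC_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry_run_key": re.compile(r"CurrentVersion\\Run", re.I),
    "shell_command": re.compile(r"(?:\bcmd\.exe\b|\bpowershell\b|/bin/sh|\bbash\b)", re.I),
}


def file_type(data):
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def extract_strings(data, min_len=4):
    """Like strings(1): printable ASCII runs plus UTF-16LE runs of >= min_len."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def find_iocs(strings):
    """Map indicator type -> set of matching substrings."""
    hits = {}
    for s in strings:
        for label, pattern in IOC_PATTERNS.items():
            for match in pattern.findall(s):
                hits.setdefault(label, set()).add(match)
    return hits


def triage(data):
    strings = extract_strings(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "type": file_type(data),
        "strings": strings,
        "iocs": find_iocs(strings),
    }


# Constructed sample: fake PE header, DOS stub text, an ASCII URL, an IP:port,
# a wide-string command line and a persistence path.  Not a real binary.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00\x11\x22\x33\x00" * 3
    + b"http://updates.example.invalid/beacon?id=7\x00"
    + b"203.0.113.9:4444\x00"
    + b"\x00\xff\xfe"
    + "cmd.exe /c whoami".encode("utf-16le") + b"\x00\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x90" * 16
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("type  :", report["type"])
    print("sha256:", report["sha256"])
    for label, values in sorted(report["iocs"].items()):
        print(f"{label:18s}", ", ".join(sorted(values)))
```

The hashes are what you search in threat-intelligence sources before spending time on deeper analysis; the wide-string pass is the detail most often forgotten when someone reaches for plain strings(1) on a Windows sample.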
An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?
A. Hard disk
B. Primary boot partition
C. Malicious files
D. Routing table
E. Static IP address
Selected Answer: D
Of the options offered, the routing table is the most volatile: it lives in memory and is lost or changed as soon as the server is isolated from the network or rebooted, whereas the disk, boot partition and malicious files can be imaged afterwards, and a static IP address is configuration data. The "Guidelines for Evidence Collection and Archiving" (RFC 3227) establishes the following order of volatility:
- registers, cache
- routing table, arp cache, process table, kernel statistics, memory
- temporary file systems
- disk
- remote logging and monitoring data that is relevant to the system in question
- physical configuration, network topology
- archival media
An organization has experienced a breach of customer transactions. Under the terms of PCI DSS, which of the following groups should the organization report the breach to?
A. PCI Security Standards Council
B. Local law enforcement
C. Federal law enforcement
D. Card issuer
Selected Answer: D
Correct. Report first to the card issuer.
Under the terms of PCI DSS, an organization that has experienced a breach of customer card transactions should report the breach to the card issuer, which authorizes and processes the transactions and may have specific reporting requirements and procedures for the organization to follow in the event of a breach. The PCI Security Standards Council maintains the standard but is not a breach-notification recipient, and involving law enforcement is a separate decision.
To be clear, the card issuer here is not Visa, Mastercard or another card brand; it is the bank that issued the card.
Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?
A. Mean time to detect
B. Number of exploits by tactic
C. Alert volume
D. Quantity of intrusion attempts
Selected Answer: A
MTTD measures how long it takes to detect a security incident or threat from the time it occurs. A SIEM centralizes and correlates events, SOAR automates alert triage, and a ticketing system records when each case was opened, so together they shorten the interval between an event and its detection and make that interval measurable. MTTD is therefore the metric that shows whether the investment paid off; alert volume and counts of exploits or intrusion attempts (B, C, D) measure attacker activity rather than the team's performance.
A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the authentication logs, web logs, and temporary files, reflecting the web searches from the user’s workstation, to build the case for the investigation. Which of the following is the best way to ensure that the investigation complies with HR or privacy policies?
A. Create a timeline of events detailing the date stamps, user account hostname and IP information associated with the activities
B. Ensure that the case details do not reflect any user-identifiable information. Password-protect the evidence and restrict access to personnel related to the investigation
C. Create a code name for the investigation in the ticketing system so that all personnel with access will not be able to easily identify the case as an HR-related investigation
D. Notify the SOC manager for awareness after confirmation that the activity was intentional
Selected Answer: B
Because we are dealing with privacy and HR, B is the answer. However, A would be the actual investigation to be submitted; hostname and IP aren't really a privacy concern on an organizational network.
A technician identifies a vulnerability on a server and applies a software patch. Which of the following should be the next step in the remediation process?
A. Testing
B. Implementation
C. Validation
D. Rollback
Selected Answer: C
You test the patch before you apply it, and after you apply it, you validate it. I choose option C. Validation.
A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer had to jump between tools. Which of the following best describes what the security program did?
A. Data enrichment
B. Security control plane
C. Threat feed combination
D. Single pane of glass
Selected Answer: D
A single pane of glass is a unified console that presents the data and controls from many tools in one interface, so that monitoring, investigation and response happen in one place instead of across several products.
By integrating the security controls into the SIEM, the program removed the need for the analyst to switch between tools during an investigation; that friction is exactly what a single-pane-of-glass integration eliminates, which explains the 30% improvement in MTTR. Data enrichment (A) and threat feed combination (C) add context to events rather than consolidating the analyst's view, and "security control plane" (B) does not describe this change.
A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the following display filter: ftp. The analyst can see there are several RETR requests with 226 Transfer complete responses, but the packet list pane is not showing the packets containing the file transfer itself. Which of the following can the analyst perform to see the entire contents of the downloaded files?
A. Change the display filter to ftp.active.port
B. Change the display filter to tcp.port==20
C. Change the display filter to ftp-data and follow the TCP streams
D. Navigate to the File menu and select FTP from the Export objects option
Selected Answer: C
The FTP control channel (port 21, display filter ftp) only carries commands such as RETR and their status replies; the file bytes travel over a separate data connection, which Wireshark dissects as ftp-data. Changing the display filter to ftp-data and then using Follow > TCP Stream shows the raw transfer, from which the file can be reconstructed (show the stream as Raw and save it). A filter of tcp.port==20 (option B) only catches active-mode transfers, because a passive-mode server hands out an ephemeral port for each transfer; Wireshark still labels those connections ftp-data because it tracks the PORT/PASV exchange on the control channel.
An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the following factors would an analyst most likely communicate as the reason for this escalation?
A. Scope
B. Weaponization
C. CVSS
D. Asset value
Selected Answer: B
Weaponization, a stage of the Lockheed Martin Cyber Kill Chain, describes an exploit being packaged into a usable attack tool. Once working exploit code is widely available and is being used to deliver ransomware, the practical risk from the vulnerability rises sharply even though the flaw itself has not changed, and that is what the analyst communicates as the reason for raising its priority.
Note that the CVSS arithmetic does not work this way: a base score only changes if the base metrics are re-assessed, and the temporal Exploit Code Maturity metric can leave the score unchanged (E:H) or lower it, never raise it. A jump from 7.1 to 9.8 is therefore the organization's own risk rating, or a re-scoring of the base vector, rather than an output of the temporal equation. Option C is wrong because CVSS is the scoring system, not the reason for the change.
Which of the following is an important aspect that should be included in the lessons-learned step after an incident?
A. Identify any improvements or changes in the incident response plan or procedures
B. Determine if an internal mistake was made and who did it so they do not repeat the error
C. Present all legal evidence collected and turn it over to law enforcement
D. Discuss the financial impact of the incident to determine if security controls are well spent
Selected Answer: A
Joe, a leading sales person at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with his current employer. Joe is soliciting his current employer’s customers. However, Joe has not resigned or discussed this with his current supervisor yet. Which of the following would be the best action for the incident response team to recommend?
A. Isolate Joe’s PC from the network
B. Reimage the PC based on standard operating procedures
C. Initiate a remote wipe of Joe’s PC using mobile device management
D. Perform no action until HR or legal counsel advises on next steps
Selected Answer: D
Before any technical actions are taken, it is crucial to involve HR and legal counsel to assess the situation, understand the legal implications of Joe’s actions, and determine the appropriate course of action. This ensures that any response is in compliance with employment laws and company policies.
The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program. Which of the following is the best priority based on common attack frameworks?
A. Reduce the administrator and privileged access accounts
B. Employ a network-based IDS
C. Conduct thorough incident response
D. Enable SSO to enterprise applications
Selected Answer: A
Zero trust is a security framework that assumes that threats exist both inside and outside the network. It emphasizes the principle of “least privilege,” which means that users and systems should only have the minimum level of access necessary to perform their tasks.
While reviewing web server logs, an analyst notices several entries with the same time stamps, but all contain odd characters in the request line. Which of the following steps should be taken next?
A. Shut the network down immediately and call the next person in the chain of command.
B. Determine what attack the odd characters are indicative of.
C. Utilize the correct attack framework and determine what the incident response will consist of.
D. Notify the local law enforcement for incident response.
Selected Answer: B
Do we know what the odd characters are indicative of yet? Is this an attack? We need to investigate and determine if this is an incident first before we consult an attack framework.
A zero-day command injection vulnerability was published. A security administrator is analyzing the following logs for evidence of adversaries attempting to exploit the vulnerability:
Which of the following log entries provides evidence of the attempted exploit?
A. Log entry 1
B. Log entry 2
C. Log entry 3
D. Log entry 4
Correct Answer: D
Explanation:
Log entry 4 shows an attempt to exploit the command injection vulnerability by appending a shell command (;cat /etc/passwd) to an otherwise legitimate request (/cgi-bin/index.cgi?name=John). The semicolon terminates the command that the CGI script builds from the name parameter, so the server would run cat /etc/passwd and could return its contents, which list the local user accounts, to the attacker. The other log entries contain no shell metacharacters or commands that could alter the intended behaviour of the application.
Reference:
https://www.imperva.com/learn/application-security/command-injection/
https://www.zerodayinitiative.com/advisories/published/
A cybersecurity team lead is developing metrics to present in the weekly executive briefs. Executives are interested in knowing how long it takes to stop the spread of malware that enters the network. Which of the following metrics should the team lead include in the briefs?
A. Mean time between failures
B. Mean time to detect
C. Mean time to remediate
D. Mean time to contain
Selected Answer: D
Explanation:
Mean time to contain (MTTC) is the average time between detection of an incident and its containment, that is, the point at which the malware can no longer spread or do further damage inside the network. It answers the executives' question directly. Mean time to detect (B) stops when the incident is found, and mean time to remediate (C) runs until the root cause is fixed and systems are restored, so neither measures how quickly the spread was stopped; mean time between failures (A) is a reliability metric with no incident-response meaning.
While reviewing web server logs, a security analyst found the following line:
<IMG SRC='vbscript:msgbox("test")'>
Which of the following malicious activities was attempted?
A. Command injection
B. XML injection
C. Server-side request forgery
D. Cross-site scripting
Selected Answer: D
The provided line is a cross-site scripting (XSS) payload. In an XSS attack, script is injected into a web page so that it executes in the browsers of other users who view the page; here an image tag carries a vbscript: URL that would attempt to show a message box with the text "test", a harmless proof-of-concept that an attacker uses to confirm the injection point before sending something more damaging. The vbscript: scheme only ever ran in legacy Internet Explorer, but its presence in the server log still shows that an XSS attempt was made against the application. The other options do not fit: command injection uses shell metacharacters, XML injection targets XML parsers, and SSRF makes the server issue its own requests.
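The three log-review cards above (odd characters in the request line, the ;cat /etc/passwd entry, and this IMG/vbscript line) are all the same task: parse the access log, decode the request, and decide what the payload is indicative of before escalating. The script below is an added example, not part of the page, that does that for Apache/Nginx combined-format logs. The five log lines are constructed for the example (entry 4 mirrors the request the earlier explanation describes, entry 5 carries this card's payload), and the two detection patterns are illustrative triage heuristics whose hits an analyst still has to confirm.

```python
"""Triage of web access-log lines for injection attempts (added example).

Parses "combined" log format, percent-decodes the request path and every
query value, and flags two payload families: shell metacharacters followed
by a command (command injection) and HTML/script payloads (XSS).
"""
import re
from urllib.parse import unquote_plus, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Shell metacharacter followed by the start of a command, e.g. ";cat /etc/passwd"
CMD_INJECTION = re.compile(r"(?:;|\||&&|`|\$\(|\n)\s*[A-Za-z_/.]")
# Script-bearing tag, script-scheme URL, or inline event handler
XSS = re.compile(
    r"<\s*(?:script|img|svg|iframe|body|object|embed)\b"
    r"|(?:javascript|vbscript)\s*:"
    r"|\bon\w+\s*=",
    re.I,
)


def decoded_values(target):
    """Path plus every query value, percent-decoded.  Splitting on '&' by hand
    keeps ';' intact (older parse_qsl versions treated ';' as a separator)."""
    parts = urlsplit(target)
    values = [unquote_plus(parts.path)]
    for pair in parts.query.split("&"):
        if pair:
            values.append(unquote_plus(pair.partition("=")[2] if "=" in pair else pair))
    return values


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(target):
    """Sorted list of suspicious categories found in one request target."""
    findings = set()
    for value in decoded_values(target):
        if CMD_INJECTION.search(value):
            findings.add("command_injection")
        if XSS.search(value):
            findings.add("xss")
    return sorted(findings)


def analyze_log(text):
    results = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            results.append({"line": n, "ip": None, "target": line, "findings": ["unparseable"]})
            continue
        results.append({"line": n, "ip": entry["ip"], "method": entry["method"],
                        "target": unquote_plus(entry["target"]),
                        "findings": classify(entry["target"])})
    return results


def flagged_lines(text):
    return [e["line"] for e in analyze_log(text) if e["findings"]]


# Constructed sample log (documentation-range IPs); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2024:09:12:01 +0000] "GET /cgi-bin/index.cgi?name=John HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2024:09:12:03 +0000] "GET /cgi-bin/index.cgi?name=Mary%20O%27Neil HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Mar/2024:09:12:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Mar/2024:09:12:05 +0000] "GET /cgi-bin/index.cgi?name=John;cat%20/etc/passwd HTTP/1.1" 200 2048 "-" "curl/8.4.0"
198.51.100.23 - - [14/Mar/2024:09:12:05 +0000] "GET /search.php?q=%3CIMG%20SRC%3D%27vbscript%3Amsgbox(%22test%22)%27%3E HTTP/1.1" 200 731 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for entry in analyze_log(SAMPLE_LOG):
        if entry["findings"]:
            print(f"line {entry['line']}: {entry['ip']} {entry['findings']} -> {entry['target']}")
```

Entry 2 is there deliberately: the apostrophe in a name is an "odd character" that a shallow check would flag, while the decoded-value rules above let it through. Running the script reports entries 4 and 5 only, which is the "determine what the odd characters are indicative of" step that the earlier card says comes before choosing an attack framework.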
A security analyst is performing vulnerability scans on the network. The analyst installs a scanner appliance, configures the subnets to scan, and begins the scan of the network. Which of the following would be missing from a scan performed with this configuration?
A. Operating system version
B. Registry key values
C. Open ports
D. IP address
Selected Answer: B
A network-based scanner appliance configured only with target subnets performs an uncredentialed scan: it can observe IP addresses, open ports and service banners, and it can fingerprint the operating system version from the network responses. Registry key values live inside the Windows host and are only visible to a credentialed scan (the scanner logs on over SMB/WMI) or to an agent installed on the host, so they are the item missing from this configuration.
A company is in the process of implementing a vulnerability management program. Which of the following scanning methods should be implemented to minimize the risk of OT/ICS devices malfunctioning due to the vulnerability identification process?
A. Non-credentialed scanning
B. Passive scanning
C. Agent-based scanning
D. Credentialed scanning
Selected Answer: B
OT/ICS (operational technology and industrial control systems) devices are usually critical and some react badly to unexpected traffic, so taking one down with a scan is a bad idea. Passive scanning is the least invasive option: it only collects and analyses traffic that is already on the network and sends nothing to the devices, so it places no additional load on them. Credentialed, non-credentialed and agent-based scanning (A, C, D) all interact directly with the device.
Passive monitoring relies on capturing information about the network as traffic passes a location on a network link. Unlike active and router-based monitoring, passive monitoring does not add additional traffic to the network. It also performs after-the-fact analysis, since packets must be captured and analyzed, rather than being recorded in real time as they are sent.
A security analyst needs to mitigate a known, exploited vulnerability related to an attack vector that embeds software through the USB interface. Which of the following should the analyst do first?
A. Conduct security awareness training on the risks of using unknown and unencrypted USBs.
B. Write a removable media policy that explains that USBs cannot be connected to a company asset.
C. Check configurations to determine whether USB ports are enabled on company assets.
D. Review logs to see whether this exploitable vulnerability has already impacted the company.
Selected Answer: C
A known, actively exploited vulnerability delivered through the USB interface calls for cutting off the attack vector first. Checking whether USB ports are enabled on company assets (option C) establishes the current exposure and lets the analyst disable or restrict them, which is the quickest mitigation available.
Awareness training and a removable-media policy (A, B) reduce risk over time but do not block the vector today, and reviewing logs (D) looks for past impact rather than mitigating the vulnerability.
A security analyst is validating a particular finding that was reported in a web application vulnerability scan to make sure it is not a false positive. The security analyst uses the snippet below:
Which of the following vulnerability types is the security analyst validating?
A. Directory traversal
B. XSS
C. XXE
D. SSRF
Selected Answer: C
XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.
In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure, by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.