Exam 2 Flashcards by Jeff Latham

What type of information will a Cisco switch log be configured to capture logs at level 7?

a. debugging
b. warnings
c. emergencies
d. errors

Debugging

0-7; 0 is most severe and 7 least severe

0 - used for emergency; the system has become unstable
1 - an alert condition; a condition should be corrected immediately
2 - critical condition; failure in the system’s primary application ; requires attention
3 - error condition; something is happening to the system that is preventing the proper function
4 - warning condition; an error may occur if action is not taken
5 - notice condition; events are unusual but not errors
6 - information conditions; normal operational messages that require no action
7- debugging conditions; information useful to developers while debugging networks and applications

How well did you know this?

Not at all

Perfectly

Joseph would like to prevent hosts from connecting to known malware distribution domains. What type of solution should be used without deploying endpoint protection software or an IPS solution?

a. anti-malware router filters
b. route poisoning
c. DNS sinkholing
d. subdomain allow listing

DNS sinkholing

DNS sinkholing - uses a list of known domains/IP addresses belonging to malicious hosts and uses an internal DNS server to create a fake reply

Route poisoning - prevents networks from sending data somewhere when the destination is invalid

Subdomain allow list - only applicable if you are blocking all traffic save for what is explicitly allowed

Anti-malware router filters - not applicable here

How well did you know this?

Not at all

Perfectly

You want to search all the logs using REGEX to alert on any findings where a filename contains the word “password” (regardless of case). For example, “PASSWORD.txt,” “Password.log,” or “password.xlsx” should cause the alert to occur. Once deployed, this search will be conducted daily to find any instances of an employee saving their passwords in a file that could be easily found by an attacker. Which of the following commands would successfully do this?

a. grep “(PASSWORD)|(password)” logfile.log
b. grep \i password logfile.log
c. grep -i password logfile.log
d. grep password /i logfile.log

grep -i password logfile.log

-i - means the entire string is case insensitive

How well did you know this?

Not at all

Perfectly

You have been asked to conduct a forensic disk image on an internal 500 GB hard drive. You connect a write blocker to the drive and begin to image it using dd to copy the contents to an external 500 GB hard drive. Before completing the image, the tool reports that the imaging failed. Which of the following is most likely the reason for the image failure?

a. the data on the source drive was modified during the imaging
b. the source drive is encrypted with BitLocker
c. the data cannot be copied using the RAW format
d. there are bad sectors on the destination drive

There are bad sectors on the destination drive

Since it is a bit by bit copy, the disk can be copied to RAW format even if it is encrypted

How well did you know this?

Not at all

Perfectly

Which role validates the user’s identity when using SAML for authenticaiton?

a. SP
b. RP
c. User agent
d. IdP

IdP

IdP - Identity Provider

SP - Service Provider

RP - Relying Party

How well did you know this?

Not at all

Perfectly

Consider the following file called firewall.log that contains 53,682 lines that logged every connection going into and out of this network. The log file is in the following data format, as shown below with the first two lines of the log file:

a. grep “10.1.0.10,” firewall.log | grep “23”
b. grep “10.1.0.10,” firewall.log | grep “23”
c. grep “10.1.0.10,” firewall.log | grep “23$”
d. grep “10.1.0.10,” firewall.log | grep “23$”

grep “10.1.0.10,” firewall.log | grep “23$”

You must escape the dot ( . ) in the IP address ( . ) and the comma ( , ) at the end ( \, )

23$ indicates that the port number should only be considered a match if it is at the end of the line. This ensures it only matches for destination ports

How well did you know this?

Not at all

Perfectly

Barrett needs to verify settings on a macOS computer to ensure that the configuration he expects is currently set on the system. What type of file is commonly used to store configuration settings for a macOS system?

a. plists
b. the registry
c. .config files
d. .profile files

plists

Preference and configuration files in macOS use property lists (plists to specify attributes, or properties, of an app or process.

Registry is for Windows

.profile is a UNIX user’s start-up file

.config is a configuration file used by various applications containing plain text parameters that define settings or preferences for building or running a program

How well did you know this?

Not at all

Perfectly

You have just run the following commands on your Linux workstation:

Which of the following options would be included as part of the output for the grep command issued? (Select ANY that apply)

a. Dion
b. DION
c. DIOn
d. dion
e. DIon

All would be part of the output

How well did you know this?

Not at all

Perfectly

Consider the following data:

Which of the following best describes the data presented above?

a. a JSON excerpt describing a REST API call to a Trusted Automated eXchange of Indicator Information (TAXII) service
b. a JSON excerpt that describes an APT using the Structured Threat Information eXpression (STIX) format
c. an XML entry describing an APT using the Structured Threat Information eXpression (STIX) framework
d. an XML entry describing an APT usnig the MITRE ATT&CK framework

A JSON excerpt that describes an APT using the Structured Threat Information eXpression (STIX) format

TAXII is an application protocol for exchanging CTI over HTTPS

TAXII defines a RESTful API (a set of services and message exchanges) and a set of requirements for TAXII Clients and Servers

MITRE ATT&CKis a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations

How well did you know this?

Not at all

Perfectly

An electronics store was recently the victim of a robbery where an employee was injured, and some property was stolen. The store’s IT department hired an external supplier to expand its network to include a physical access control system. The system has video surveillance, intruder alarms, and remotely monitored locks using an appliance-based system.Which of the following long-term cybersecurity risks might occur based on these actions?

a. these devices should be scanned for viruses before installation
b. these devices are insecure and should be isolated from the internet
c. these devices should be isolated from the rest of the enterprise network
d. there are no new risks due to the install and the company has a stronger physical security posture

These devices should be isolated from the rest of the enterprise

Because these devices receive updates more slowly, and because they introduce more potential targets, they should be isolated from the rest of the production network.

How well did you know this?

Not at all

Perfectly

You want to provide controlled remote access to the remote administration interfaces of multiple servers hosted on a private cloud. What type of segmentation security solution is the best choice for this scenario?

a. airgap
b. jumpbox
c. bastion hosts
d. physical

Jump box

Jumpbox - a single PC/server used to connect to other/critical devices. Using a jumpbox limits access and prevents unnecessary administrative work setting up devices to connect to critical infrastructure

Bastion host - a special-purpose computer on the network specifically designed and configured to whichstand attacks

Airgap - A network or single host computer with inique security requirements that may be physically separated from any other network

How well did you know this?

Not at all

Perfectly

What containment technique is the strongest possible response to an incident?

a. segmentation
b. isolating affected systems
c. enumeration
d. isolating the attacker

Isolating affected systems

Segmentation - refers to the isolation of a machine using network technologies and architecture. VLANs, routing/subnetting

Enumeration - refers to the process of extracting user names, machine names, network resources, shares, and services from a system

How well did you know this?

Not at all

Perfectly

Which type of media sanitization would you classify degaussing as?

a. destruction
b. purging
c. erasing
d. clearing

Purging

Purging - degaussing is a type of purging; eliminates information from being feasibly recovered even in a laboratory environment

Clearing - prevents data from being retrieved without the use of state-of-the-art laboratory techniques. Often involves overwriting data one or more times

Destruction - a physical process that may involve shredding media to pieces, disintegrating it into parts, pulverizing it to powder, or incinerating it to ash

Erasing - deleting the data file’s pointer on a storage device

How well did you know this?

Not at all

Perfectly

A recent threat has been announced in the cybersecurity world, stating a critical vulnerability in a particular operating system’s kernel. Unfortunately, your company has not maintained a current asset inventory, so you are unsure oh how many of your servers may be affected. What should you do to find all of the affected servers within your network?

a. conduct an OS fingerprinting scan across the network
b. conduct a service discovery scan on the network
c. manually review the syslog server’s log
d. conduct a packet capture of data traversing the server network

Conduct an OS fingerprinting scan across the network

How well did you know this?

Not at all

Perfectly

A penetration tester is conducting an assessment of a wireless network that is secure using WPA2 Enterprise encryption. Which of the following are major differences between conducting reconnaissance of a wireless network versus a wired network? (SELECT TWO)

a. MAC filtering
b. port security
c. network access control
d. encryption
e. authentication
f. physical accessibility

Encryption and Physical accessibility

OBJ-1.4: Most wireless networks utilize end-to-end encryption, whereas wired networks do not. Physical accessibility is another major difference between wireless and wired networks since wireless networks can be accessed from a distance using powerful antennas. Authentication, MAC filtering, and network access control (NAC) can be implemented equally on wired and wireless networks. Port security is only applicable to wired networks.

How well did you know this?

Not at all

Perfectly

Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services?

a. CHAP
b. TACACS+
c. Kerberos
d. RADIUS

TACACS+

TACACS - Terminal Access Controller Access Control System

RADIUS - Remote Authentication Dial-In User Service; provides these services but was not created by Cisco

Kerberos - Mutual authentication for client/server applications using secret-key cryptography

CHAP - Challenge-Handshake Authentication Protocol for not provide authorization or accounting services

How well did you know this?

Not at all

Perfectly

You need to determine the bestw ay to test operating system patches in a lab environment before deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, byt you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches before deployment?

a. Virtualization
b. Purchae additional workstations
c. Sandboxing
d. Bypass testing and deploy patches directly into the production environment

Virtualization

How well did you know this?

Not at all

Perfectly

Which of the following vulnerabilities is the greatest threat to data confidentiality?

a. HTTP TRACE/TRACK methods enabled
b. Web application SQL injection vulnerability
c. SSL Server with SSLv3 enabled vulnerability
d. phpinfo information disclosure vulnerability

Web application SQL injection vulnerability

How well did you know this?

Not at all

Perfectly

Fail To Pass Systems has just been the victim of another embarrassing data breach. Their database administrator needed to work from home this weekend, so he downloaded the corpirate database to his work laptop. On his way home, he left the laptop in an Uber, and a few days later, the data was posted on the Internet. Which of the following mitigations would have provided the greatest protection against this data breach?

a. Require data at rest encryption on all endpoints
b. Require all new employees to sign an NDA
c. Require data masking for any information stored in the database
d. Require a VPN to be utilized for all telework employees

Require data at rest encryption on all endpoints

How well did you know this?

Not at all

Perfectly

Which of the following technologies is NOT a shared authentication protocol?

a. LDAP
b. OpenID Connect
c. OAuth
d. Facebook Connect

LDAP

How well did you know this?

Not at all

Perfectly

Jorge is working with an application team to remediate a critical SQL injection vulnerability on a public-facing server. The team is worried that deploying the fix will require several hours of downtime and block customer transactions from being completed by the server. Which of the following is the BEST action for Jorge to recommend?

a. Wait until the next scheduled maintenance window to remediate the vulnerability
b. Schedule an emergency maintenance for an off-peak time later in the day to remediate the vulnerability
c. Remediate the vulnerability immediately
d. Delay the remediation until the next major update of the SQL server occurs

Schedule an emergency maintenance for an off-peak time later in the day to remediate the vulnerability

How well did you know this?

Not at all

Perfectly

During which phase of the incident response process does an organizaiton assemble an incident response toolkit?

a. Post-incident activity
b. Preparation
c. Containment, eradication, and recovery
d. Detection and analysis

Preparation

How well did you know this?

Not at all

Perfectly

Evaluate the following log entry:

Based on this log entry, which of the following statements are true?

a. The packet was blocked inbound to the network
b. MAC filtering is enabled on the firewall
c. packets are being blocked inbound to and outbound from the network
d. an attempted connection to the telnet service was prevented
e. the packet was blocked outbound from the network
f. an attempted connection to the ssh service was prevented

The packet was blocked inbound to the network

An attempted connection to the telnet service was prevented

How well did you know this?

Not at all

Perfectly

You are creating a script to filter some logs so that you can detect any suspected malware beaconing. Which of he following is NOT a typical means of identifying a malware beacon’s behavior on the network?

a. the beacon’s persistence
b. the beacon’s protocol
c. the beaconing interval
d. the removal of known traffic

the beacon’s protocol

How well did you know this?

Not at all

Perfectly

What method might a system administrator use to replicate the DNS information from one DNS server to another, but could also be used maliciously by an attacker? a. DNSSEC b. DNS registration c. CNAME d. zone transfers

Zone transfers **DNSSEC** - strengthens authentication in DNS using digital signatures based on public-key cryptography

Dion Training wants to require students to log on using multifactor authentication to increase the security of the authorization and authentication process. Currently, students log in to diontraining.com using a username and password. What proposed solution would best meet the goal of enabling multifactor authentication for the student login process? a. require students to choose an image to serve as a secondary password after logon b. require students to enter a cognitive password requirement (such as 'What is your dog's name?) c. require students to enter a unique six-digit number that is sent to them by SMS after entering their username and password d. require students to create a unique pin that is entered after their username and password is accepted

Require students to enter a unique six-digit number that is sent to them by SMS after entering their username and password

Dion Consulting Group has just won a contract to provide updates to an employee payroll system originally written years ago in C++. During your assessment of the source code, you notice the command "strcpy" is being used in the application. Whihc of the following provides is cause for concernm and what mitigation would you recommend to overcome it? a. strcpy could allow a buffer overflow to occur; upgrade the operating system to run ASLR to prevent a buffer overflow b. strcpy could allow a buffer overflow to occur; you should rewrite the entire system in java c. strcpy would allow an integer overflow to occur; upgrade the operating system to run ASLR to prevent a buffer overflow d. strcpy could allow an integer overflow to occur; you should rewrite the entire system in java

strcpy could allow a buffer overflow to occur; upgrade the operating system to run ASLR to prevent a buffer overflow **strcpy** - a built-in function that does not provide a default mechanism for checking if data will overwrite the boundaries of a buffer Buy making sure your operating system supports ASLR, you can make it impossible for a buffer overflow to work by randomizing where objects in memroy are being loaded.

Your company was recently the victim of a cross-site scripting attack. The system administrators claim this wasn't possible since they performed input validation using REGEX to alert on any strings that contain the term "[Ss]cript" in them. Which of the following statements concerning this attack is true? a. the server has insufficient logging and monitoring configured b. the attacker has modified the logs to cover their tracks and prevent a successful investigation c. a SQL injection must have occurred since their input validation would have prevented or

The REGEX expression to filter using "[Ss]cript" is insufficient since an attacker could use SCRIPT or SCRipt or %53CrIPT to evade it.

You are reviewing a rule within your organization's IDS. You see the following output: Based on this rule, which of the following malicious packets would this IDS alert on? a. any malicious outbound packets b. any malicious inbound packets c. a malicious outbound TCP packet d. a malicious inbound TCP packet

A malicious inbound TCP packet

Dion Training's new COO is reviewing the organization's current information security policy. She notives that it was first created three years ago. Since that time, the organization has undergone multiple audits and assessments that required revisions to the policy. Which of the following is the most reasonable frequency to conduct a formal review of the organization's policies to ensure they remain up to date? a. every 5 years b. annually c. monthly d. quarterly

Annually Annual reviews are an industry standard and are typically sufficient unless circumstances happen that might require an update or revision sooner.

You are working as a network administrator for Dion Training. The company has decided to allow employees to connect their devices to the corporate wireless network under a new BYOD policy. You have been asked to separate the corporate network into an administrative network (for corporate-owned devices) and an untrustd network (for employee-owned devices). Which of the following technologies should you implement to achieve this foal? a. WPA2 b. MAC filtering c. VLAN d. VPN

VLAN

Which of the following roles should coordinate communications with the media during an incident response? a. senior leadership b. human resources c. system administrators d. public relations

Public relations

You are reverse engineering a malware sample using the Strings tool when you notice the code inside appears to be obfuscated. You look at the following line of output on your screen. Based on the output above, which of the following methods do you believe the attacker used to prevent their malicious code from being easily read or analyzed? a. Base64 b. XML c. SQL d. QR coding

Base64

Which of the following is NOT considered a phase in the incident response cycle? a. preparation b. detection and analysis c. containment, eradication, and recovery d. notification and communication

Notification and communication 4 phases: * Preparation * Detection and analysis * Containment, eradication, and recovery * Post-incident activity

A salesperson's laptop has become unresponsive after attempting to open a PDF in their email. A cybersecurity analyst reviews the IDS and anti-virus software for any alerts or unusual behavior but finds nothing suspicious. Which of the following threats would BEST classify this scenario? a. ping of death b. PII exfitration c. zero-day malware d. RAT

Zero-day malware

During an assessment of the POS terminals that accept credit cards, a cybersecurity analyst notices a recent Windows operating system vulnerability exists on every terminal. Since these systems are all embedded and require a manufacturer update, the analyse cannot install Microsoft's refular patch. Which of the following options woul dbe best to ensure the system remains protected and are compliant with the rules outlined by the PCI DSS? a. remove the POS terminals from the network until the vendor releases a patch b. replace the Windows POS terminals with standard Windows systems c. build custom OS image that includes the patch d. identify, implement, and document compensating controls

Identify, implement, and document compensating controls

The local electric power plant contains both busines networks and ICS/SCAD netwoks to control their equipment. Which technology should the power plant's security administrators look to implement first as part of configuring better defenses for the ICS/SCADA systems? a. automated patch deployment b. intrusion prevention system c. log consolidation d. anti-virus software

Intrusion prevention system

You are the incident response team lead investigating a possible data breach at your company with 5 other analysts. A journalist contacts you and inquires about a press release from your company that indicates a breach has occurred. You quickly deny everything andthen call the company's public relations officer to ask fi a press release had been published, which it has not. Which of the following has likely occurred? a. inadvertent release of information b. disclosing based on regulatory requirements c. communication was limited to trusted parties d. release of PII and SPI

Inadvertent release of information

A cybersecurity analyst is preparing to run a vulnerability scan on a dedicated Apache server that will be moved into a DMZ. Which of the following vulnerability scans is most likely to provide valuable information to the analyst? a. database vulnerability scan b. network vulnerability scan c. port scan d. web application vulnerability scan

Web application vulnerability scan

Which of the following will an adversary do during the final phase of the Lockheed Martin kill chain (SELECT FOUR)? a. lateral movement through the environment b. release of malicious email c. modify data d. wait for user to click on a malicious link e. exfiltrate data f. privilege escalation

Lateral movement through the environment Modify data Exfiltrate data Privilege escalation

Which of the following is NOT one of the main criteria included in a penetration testing plan? a. scope b. account credentials c. timing d. authorization

Account credentials

A cybersecurity analyst at Yoyodyne Systems just finished reading a news article about their competitor, Whamiedynt Systems, being hacked by an unknown threat actor. Both companies sell to the same basic group of consumers over the internet since their products are used interchangeably by consumers. Which of the following is a valid cybersecurity concern for Yoyodyne Systems? a. the attacker will conduct a SQL injection against their database b. they may now be vulneable to a credential stuffing attack c. the same vulnerability will be compromised on their servers d. the attacker will conduct an on-path attack

They may now be vulneable to a credential stuffing attack Since the two companies share the same customer base, it is likely that customers used the same set of credentials on both sites.

You work as a cybersecurity analyst at a software development firm. The software developers have begun implementing commercial and open source libraries into their codebase to minimize the time it takes to develop and release a new application. Which of the following should be your biggest concern as a cybersecurity analyst? a. there are no concerns with using commercial or open-source libraries to speed up developments b. Open-source libraries are inherently insecure because you do not knwo who wrote them c. whether or not the libraries being used in the projects are the most up to date versions d. any security flaws present in the library will also be present in the developed application

Any security flaws present in the library will also be present in the developed application

Which of the following is NOT consideredpart of the Internet of Things? a. smart television b. laptop c. ICS d. SCADA

Laptop

Which of the following lists the UEFI boot phases in the proper order? a. driver execution environment, boot device select, security, transient system load, pre-EFI initialization, runtime b. boot device select, security, pre-EFI initialization, driver execution environment, transient system load, runtime c. security, pre-EFI initialization, driver execution environment, boot device select, transient system load, runtime d. pre-EFI initialization, security, boot device select, transient system load, driver execution environment, runtime

security, pre-EFI initialization, driver execution environment, boot device select, transient system load, runtime

What remediation strategies are the MOST effective in reducing the risk to an embedded ICS from a network-based compromise (SELECT TWO)? a. disabling unused services b. NIDS c. segmentation d. patching

Disabling unused services Segmentation

You have been asked to provide some training to Dion Training's system administrators about the importance of proper patching of a system before deployment. To demonstrate the effects of deploying a new system without patching it first, you ask the system administrators to provide you with an image of a brand-new server they plan to deploy. How shoulld you deploy the image to demonstrate the vulnerabulities exposed while maintaining the security of the corporate network? a. deploy the vulnerable image to a virtual machine on a physical server, create an ACL to restrict all incoming connections to the system, then scan it for vulnerabulities. b. deploy the image to a brand new physical server, connect it to the corporate network, then conduct a vulnerability scan to demonstrate how many vulnerabulities are now on the network c. deploy the system image within a virtual machine, ensure it is in an isolated sandbox environment, then scan it for vulnerabilities d. Utilize a server with multiple virtual machine snapshots installed to it, restore from a known compromised image, then scan it for vulnerabilities

Deploy the system image within a virtual machine, ensure it is in an isolated sandbox environment, then scan it for vulnerabilities

An analyst reviews a triple-homed firewall configuration that connects to the internet, a private network, and one other network. Which of the following would best describe the third network connected to this firewall? a. data zone b. staging environment c. screened subnet d. availability zone

Screened subnet A **screened subnet** is formetly known as a DMZ and is a zone for hosts (e.g., web servers) that need to communicate with external hosts. **Data zones** describe the state and location of data to help isolate and protect it from unauthorized/inappropriate use An **availability zone** is an individual data center within a region of a cloud service provider's network A **staging environment** is a pre-production enclave used for testing and development

Which of the following categories of controls are firewalls, intrusion detection systems, and a RADIUS server classified as? a. technical controls b. administrative controls c. compensating controls d. physical controls

Technical controls **Technical controls** are implemented as a system of hardware, software, or firmware **Administrative controls** involve processes and procedures **Physical controls** include locks, fences, and other controls over physical access **Compensating controls** are controls that are put into place to cover any gaps and reduce the risk remaining after using other controls

Consider the following snippet from a log file collected on the host with the IP address of 10.10.3.6. a. port scan targetting 10.10.3.2 b. fragmentation attack targeting 10.10.3.6 c. port scan targetting 10.10.3.6 d. denial of service attack targeting 10.10.3.6

Port scan targeting 10.10.3.6

Which of the following vulnerabilities can be prevented by using input validation (Select ANY that apply) a. XML injection b. directory traversal c. cross-site scripting d. SQL injection

XML injection Directory traversal Cross-site scripting SQL injection

Dion Training Solutions is conducting a penetration test of its facilities. The penetration testing team has been augmented by an employee of the company who has general user privileges. The security staff is unaware of the testing. According to NIST, which of the following types of penetration tests is being conducted? a. a covert external test b. an overt external test c. an overt internal test d. a covert internal test

A covert internal test

Which of the following information is traditionally found in the Scope of Work (SOW) for a penetration test? a. excluded hosta b. format of the executive summary report c. timing of the scan d. maintenance windows

Excluded hosts

You are conducting threat hunting onyour organization's network. Every workstation on the network uses the same configuration baseline and contains a 500 GB HDD, 4 GB of RAM, and the WIndows 10 Enterprise operating system. You know from a previous experience that most of the workstations only use 40 GB of space on the had drives since most users save their files on the file server instead of the local workstation. You discovered one workstation that has over 250 GB of data stored on it. Which of the following is a likely hypothesis of what is happening, and how would you verify it? a. the host might be offline and conducted backups locally -- you should contact a system administrator to have it analyzed b. the host might be the victim of a remote access trojan -- you should reimage the machine immediately c. the host might use as a staging area for data exfiltration -- you should conduct volume-based trend analyziz on the host's storage device d. the host might be used as a command and control node for a botnet -- you should immediately disconnect the host from the network

The host might use as a staging area for data exfiltration -- you should conduct volume-based trend analyziz on the host's storage device

You are a cybersecurity analyst who has been given the output from a system administrator's Linux terminal. Based on the output providd, which of the following statements is correct? a. your email server is running out of a non-standard port b. your email server has been compromised c. your web server has been compromised d. your organization has a vulnerable version of the SSH server software installed

Your email server is running on a non-standard port

Marta's organization is concerned with the vulnerability of a user's account being vulnerable for an extended period of time if their password was compromised. Which of the following controls should be configured as part of their password policy to minimize this vulnerability? a. password history b. minimum password length c. password complexity d. password expiration

Password expiration

A cybersecurity analyst conducts proactive threat hunting on a network by correlating and searching the Sysmon and Windows Event logs. The analyst uses the following query as part of their hunt: Based on the query above, which of the following potential indicators of compromise is the threat hunter relying on? a. irregular peer-to-peer communication b. processor consumption c. unauthorized software d. data exfiltration

Unauthorized software

You are reviewing the logs in your HIDS and see that entries were showing SYN packets received from a remote host targeting each port on your web server from 1 to 1024. Which of the following MOST likely occured? a. the remote host cannot find the right service port b. port scan c. UDP probe d. SYN flood

Port scan

Which of the following is exploited by an SQL injection to give the attacker access to a database? a. operating system b. web application c. firewall d. database server

Web application

Rory is about to conduct forensics on a virtual machine. Which of the following process should be used to ensure that all of the data is acquired forensically? a. shutdown the virtual machine off and make a forensic copy of its disk image b. suspend the machine and copy the contents of the directory it resides in c. perform a live acquisition of the virtual machine's memory d. suspend the machine and make a forensic copy of the drive it resides on

Suspend the machine and copy the contents of the directory it resides in

A recent vulnerability scan found several vulnerabilities on an organization's public-facing IP addresses. To reduce the risk of a breach, which of the following vulnerabilities should be prioritized for remediation? a. a cryptographically weak encryption cipher b. an HTTP response that reveals an internal IP address c. a website utilizing a self-signed SSL certificate d. a buffer overflow that is known to allow remote code execution

A buffer overflow that is known to allow remote code execution

You just finished conducting a remote scan of a class C network block using the following command "nmap -sS 202.15.73.0/24". The results only showed a single web server. Which of the following techniques would allow you to gather additional information about the network? a. use a UDP scan b. perform a scan from on-site c. use an IPS evasion technique d. scan using the -p 1-65535 flag

Perform a scan from on-site

Which of the following are the two most important factors when determining a containment strategy? a. preservation of evidence b. ensuring the sagety and security of all personnel c. identification of whether the intrusion is the primary attack or a secondary one (i.e., part of a more complex attack) d. prevention of an ongoing intrusion or data breach e. avoidance of alerting the attacker that they have been discovered

Ensuring the safety and security of al personnel Prevention of an ongoing intrusion or data breach

A cybersecurity analyst is analyzing an employee's workstation that is acting abnormaly. The analyst runs the netstat command and reviews the following output: Based on this output, which of the following entries is suspicious? (SELECT THREE) a. TCP 192.168.1.4:59515 208.50.77.89:80 ESTABLISHED b. TCP 192.168.1.4:53 91.198.117.247:443 CLOSE\_WAIT c. TCP 0.0.0.0:135 0.0.0.0:0 LISTENING d. TCP 192.168.1.4:53 208.71.44.30:80 ESTABLISHED e. TCP 0.0.0.0:53 0.0.0.0:0 LISTENING f. TCP 192.168.1.4:59518 69.171.227.67:43 ESTABLISHED

TCP 192.168.1.4:53 91.198.117.247:443 CLOSE\_WAIT TCP 192.168.1.4:53 208.71.44.30:80 ESTABLISHED TCP 0.0.0.0:53 0.0.0.0:0 LISTENING Port 53 is used for DNS servers to receive requests, and an employee's workstation running DNS would be unusual. If the Foreign Address uses port 53, this would indicate the workstation was conducting a normal DNS lookup, but based on the network traffic direction, this is not the case.

You conducted a security scan and found that port 389 is being used when connecting to LDAP for user authentication instread of port 636. The security scanning software recommends that you remediate this by changing user authentication to port to 636 wherever possible. What should you do? a. conduct remediation actions to update encryption keys on each server to match port 636 b. change all devices and servers that support it to port 636 since encrypted services run by default on port 636 c. change all devices and servers that support it to port 636 since port 389 is a reversed port that requires root access and can expose the server to privilege escalation attacks d. mark this as a false positive in your audit report since the services that typically run on ports 389 and 636 are identical

Change all devices and servers that support it to port 636 since encrypted services run by default on port 636

During a port scan, you discover a service running on a registered port. Based on this, what do you know about this service? a. the service's name on the registered port b. the service is running on a port between 0-1023 c. the vulnerability status of the service on the registered port d. the service is running ona port between 1024 and 49151

The service is running on a port between 1024 and 49151

You have been asked to recommend a capability to monitor all of the traffic entering and leaving the corporate network's default gateway. Additionally, the company's CIO requests to block certain content types before it leaves the network based on operational priorities. Which of the following solution should you recommend to meet these requirements? a. configure IP filtering on the internal and external interfaces of the router b. install a NIPS on the internal interface and a firewall on the external interface of the router c. installation of a NIPS on both the internal and external interfaces of the router d. install a firewall on the router's internal interface and a NIDS on the router's external interface

Install a NIPS on the internal interface and a firewall on the external interface of the router

Your company just launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out, and the website overall is performing slowly. You have notived that the website received three million requests in just 24 hours, and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system? a. MAC filtering b. VPN c. implement an allow list d. intrusion detection system

Implement an allow list

While conducting a static analysis source sode review of a program, you see the following line of code: String query = "SELECT \* FROM CUSTOMER WHERE CUST\_ID='" + request.gerParameter("id") + "'"; What is the issue with the largest security issue with this line of code? a. this code is vulnerable to a buffer overflow attack b. the \* operation will allow retrieval of every data field about ths customer in the CUSTOMER table c. the code is using parameterized queries d. an SQL injection could occur because input validation is not being used on the id parameter

An SQL injection could occur because inut validation is not being used on the id parameter This code takes the input of “id” directly from a user or other program without conducting any input validation. This could be exploited and used as an attack vector for an SQL injection. If a malicious user can alter the ID source, it might get replaced with something like’ or ‘1’ ='1. This will cause the SQL statement to become: "SELECT \* FROM CUSTOMER WHERE CUST\_ID='' or '1'='1'". Because ‘1’ always equals ‘1’, the where clause will always return ‘true,’ meaning that EVERY record in the database could now become available to the attacker. When creating SQL statements, there are reasons for and against the use of the \* operator. Its presence alone does not necessarily indicate a weakness. With only one line of code being reviewed, you cannot make any statement about whether it is vulnerable to a buffer overflow attack. You do not see the declaration values for the initialization of the id variable. This code is not using parameterized queries, but if it did, then it would eliminate this vulnerability. A parameterized query is a type of output encoding that relies on prepared statements to reduce the risk of an SQL injection.

You are developing a containment and remediation strategy to prevent the spread of an APT within your network. Your plan suggests creating a mirror of the company's databases, routing all externally sourced network traffic to it, and gradually updating with pseudo-realistic data to confuse and deceive the APT as they attempt to exfiltrate the data. Once the attacker has downloaded the corrupted database, your company would then conduct remediation actions on the network to restore the correct database information to the production system. Which of the following types of containment strategies does the plan utilize? a. segmentation-based containment disrupts the APT by using a hack-back approach b. isolation-based containment by removing the affected database from production c. isolation-based containment by disconnecting the APT from the affected network d. segmentation-based containment that deceives the attack into believing their attack was successful

Segmentation-basd containment that deceives the attack into believing their attack was successful

An attacker recently compromised an e-commerce website for a clothing store. Which of the following methods did the attacker use to harvest an account's cached credentials when the user logged into an SSO system? a. lateral movement b. pass the hash c. pivoting d. golden ticket

Pass the hash

Judith is conducting a vulnerability scan of her data center. She notives that a management interface for a virtualization platform is exposed to her vulnerability scanner. Which of the following networks should the hypervisor's management interface be exposed to ensure the best security of the virtualization platform? a. internal zone b. screened subnet c. external zone d. management network

Management network

Christina is auditing the security procedures related to the use of a cloud-based online payment service. She notices that the access permissions are set to that a single person can not add funds to the account and transfer funds out of the account. What security principle is most closely related to this scenario? a. separation of duties b. security through obscurity c. least privilege d. dual control authentication

Separation of duties

You are conducting an incident response and want to determine if any account-based indicators of compromise (IoC) exist on a compromised server. Which of the following would you NOT search for on the server? a. off-hours usage b. failed logins c. malicious processes d. unauthorized sessions

Malicious processes

You work for Dion Training as a physical security manager. You are concerned that the physical security at the entrance to the company is not sufficient. To increase your security, you are determined to prevent piggybacking. What technique should you implement first? a. install an access control vestibule at the entrance b. install CCTV to monitor the entrance c. require all employees to wear securtiy badges when entering the building d. install an RFID badge reader at the entrance

Install an access control vestibule at the entrance

Exam 2 Flashcards

(75 cards)