JasonDion Practice Exam 3 Flashcards
You have been investigating how a malicious actor could exfiltrate confidential data from a web server to a remote host. After an in-depth forensic review, you determine that a rootkit’s installation had modified the web server’s BIOS. After removing the rootkit and reflashing the BIOS to a known good image, what should you do to prevent the malicious actor from affecting the BIOS again?
A. Utilize file integrity monitoring.
B. Utilize secure boot.
C. Install a host-based IDS.
D. Install an anti-malware application.
B. Utilize secure boot.
Since you are trying to protect the BIOS, utilizing secure boot is the best choice. Secure boot is a security system offered by UEFI. It is designed to prevent a computer from being hijacked by a malicious OS. Under secure boot, UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the operating system boot loader using the stored certificate to ensure that the OS vendor has digitally signed it. This prevents a boot loader that has been changed by malware (or an OS installed without authorization) from being used. The TPM can also be invoked to compare hashes of key system state data (boot firmware, boot loader, and OS kernel) to ensure they have not been tampered with by a rootkit. The other options are all good security practices, but they only apply once you have already booted into the operating system. This makes them ineffective against boot sector or rootkit attacks.
You have evidence to believe that an attacker was scanning your network from an IP address at 172.16.1.224. This network is part of a /26 subnet. You wish to quickly filter through several logs using a REGEX for anything that came from that subnet. What REGEX expression would provide the appropriate output when searching the logs for any traffic originating from only IP addresses within that subnet?
A. \b172.16.1.(25[0-5]|2[0-4][0-9]?)\b
B. \b172.16.1.(25[0-5]|2[0-4][0-9]|19[2-9])\b
C. \b172.16.1.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
D. \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
A. \b172.16.1.(25[0-5]|2[0-4][0-9]?)\b
The correct answer is \b172.16.1.(25[0-5]|19[2-9]|2[0-4][0-9])\b. The \b delimiter indicates that we are looking for whole words for the complete string. To answer this question, you have to rely on your networking knowledge and what you learned back in Network+. First, you need to calculate the IP range for this subnet. Since this is a /26, it would have 64 IP addresses in the range. Since the IP provided was 172.16.1.224, the range would be 172.16.1.192 to 172.16.1.255. The correct answer allows all values of 200-249 through the use of the phrase 2[0-4][0-9]. The values of 250-255 are specified by 25[0-5]. The values of 192-199 are specified through the use of 19[2-9]. All other REGEX expressions either allow too much or too little of the available IP space to be effective and precise filters for the subnet given. If you had this on the exam, I would calculate the IP address range first (as we did in this explanation). Then, I would see which parts are static in the IP address (172.16.1. in this case). Three of our answer choices provide this, so we now know the large REGEX is the wrong answer. Next, we need to figure out how to show only the values of 192-255. As you look at the three options, you need to look only for the differences between the options and see which would allow for the addresses needed. All three options have the same first two terms in the last octet, which covers 200-255, so you really need to determine how best to represent the values of 192-199.
Your organization’s computer network has been experiencing some unusual activities. You are considering establishing a Computer Security Incident Response Team (CSIRT) to address these incidents. Which of the following would be a primary function of a CSIRT?
A. Creating marketing strategies.
B. Exploiting vulnerabilities.
C. Coordinating the response to security incidents.
D. Writing security policies.
C. Coordinating the response to security incidents.
A CSIRT’s main role is to coordinate the response to computer security incidents, which includes identifying, managing, and preventing further incidents. Creating marketing strategies is outside the scope of a CSIRT’s responsibilities, which are focused on computer security. Exploiting vulnerabilities is not a function of a CSIRT. This is a behavior associated with threat actors, not with defensive security teams. While a CSIRT might contribute to the development of security policies based on their incident response experiences, their primary function is to respond to security incidents, not to write policies.
In the aftermath of a ransomware attack at your company, you as the incident response manager have been asked to present a report to the executive team. They are particularly interested in a detailed analysis of how the attack happened and the key areas that allowed for it to occur. What part of your report should you focus on?
A. Root cause analysis
B. Scope
C. Executive summary
D. Recommendations
A. Root cause analysis
A root cause analysis provides a deep dive into what allowed the incident to occur, helping to identify vulnerabilities and procedural shortcomings. The scope section typically outlines what systems and data were impacted by the incident, not the reasons behind it. While the recommendations section provides guidance on future action, it does not typically contain a detailed analysis of how the incident occurred. While the executive summary provides a high-level overview of the incident, it does not typically delve into a detailed analysis of the root causes.
Dion Training is hiring a penetration testing firm to conduct an assessment of its corporate network. As part of the contract, the company has specified that it will not provide any network details to the penetration testing firm. Instead, the company wants to see how much information about the network can be found by the penetration testers using open-source research and scanning the corporate network. What type of assessment is this considered?
A. White box
B. Black box
C. Gray box
D. Red box
B. Black box
In a black box assessment, the penetration tester takes an average hacker’s role with no internal knowledge of the target system. Testers are not provided with any architecture diagrams or source code that is not publicly available. A black-box penetration test determines the vulnerabilities in a system that are exploitable from outside the network.
A threat intelligence analyst is researching a new indicator of compromise. At the same time, the web proxy server generated an alert for this same indicator of compromise. When asked about this alert, the analyst insists that they did not visit any of the related sites, but instead, they were listed on the results page of their search engine query. Which of the following is the BEST explanation for what has occurred?
A. Alert is unrelated to the search that was conducted.
B. The standard approved browser was not being used by the analyst.
C. A link related to the indicator was accidentally clicked by the analyst.
D. Prefetch is enabled on the analyst’s web browser.
D. Prefetch is enabled on the analyst’s web browser.
Prefetch, a capability in modern web browsers, is used to speed up web browsing by grabbing content that may be asked for by the user at a later time. For example, if you search for a term and the results are being shown to the user, prefetch will download the first three results in anticipation of the user clicking one of the top three links. In the scenario presented in this question, the prefetch has downloaded the malicious content and therefore caused the alert.
Sarah has reason to believe that systems on her network have been compromised by an APT. She has noticed many file transfers outbound to a remote site via TLS-protected HTTPS sessions from unknown systems. Which of the following techniques would most likely detect the APT?
A. Network traffic analysis.
B. Endpoint forensics.
C. Endpoint behavior analysis.
D. Network forensics.
B. Endpoint forensics.
An advanced persistent threat (APT) is a stealthy computer network threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. APTs usually send encrypted traffic so that they are harder to detect through network traffic analysis or network forensics. This means that you need to focus on the endpoints to detect an APT. Unfortunately, APTs are very sophisticated, so endpoint behavioral analysis is unlikely to detect them easily, so Sarah will need to conduct endpoint forensics as her most likely method to detect an APT and their associated infections on her systems.
In the Cyber Kill Chain model, at which stage does an attacker deliver the actual working part of the attack?
A. Command and Control
B. Exploitation
C. Reconnaissance
D. Weaponization
B. Exploitation
The Exploitation phase is where the attacker leverages a vulnerability to execute the main part of the attack. Reconnaissance is the initial phase where the attacker gathers information about the target. Weaponization is where the attacker creates a malicious payload but does not deliver it. The Command and Control phase is where the attacker establishes a channel to remotely control the compromised system.
A penetration tester is using a known vulnerability to compromise an Apache webserver. After they gain access to the server, what is their next step to pivot to a protected system behind the DMZ?
A. Patching
B. Privilege escalation
C. Installing additional tools
D. Vulnerability scanning
B. Privilege escalation
Apache web servers are run as a limited user by default, not as an administrative or root account. To be efficient and effective, the penetration tester should attempt to conduct a privilege escalation before pivoting into the DMZ. As a penetration tester, they would not likely patch the system, conduct a vulnerability scan, or install additional tools. This does not help them achieve their goal of pivoting into the DMZ.
Your organization has detected unusual network traffic patterns originating from an internal server during non-business hours. Upon investigation, it’s discovered that an attacker has gained access and is sending data outbound on an uncommon port. According to the MITRE ATT&CK framework, which stage does this activity align with?
A. Command and Control
B. Lateral Movement
C. Exfiltration
D. Discovery
C. Exfiltration
In the MITRE ATT&CK framework, Exfiltration is the stage that describes the transmission of information from within the victim’s environment to a location controlled by the adversary. Command and Control pertains to how an adversary communicates with systems under their control within a target network, not the stage of exporting data out of the network. Discovery involves the adversary understanding the network and looking for resources to further their attack, not the act of sending data out of the network. Lateral Movement refers to the techniques an adversary uses to traverse the network, not the act of exfiltrating data.
Your organization has experienced a significant cybersecurity incident, and an executive summary of the incident has been prepared. However, the board of directors has requested detailed evidence supporting the summary. Where would they typically find this information?
A. In the evidence section of the incident response report.
B. In the public relations communication.
C. In the regulatory reporting.
D. In the executive summary.
A. In the evidence section of the incident response report.
The evidence section typically contains all detailed information, data, and artifacts related to the incident, supporting the claims and conclusions made in the executive summary. The executive summary is meant to provide a high-level overview of the incident, and while it should be accurate, it typically does not include detailed evidence. Regulatory reporting is focused on providing information to regulatory bodies and usually does not include detailed evidence supporting an executive summary. Public relations communications are intended for external stakeholders and are not typically used for providing detailed evidence related to an incident.
After a cyber incident at your organization where a ransomware attack crippled the operational servers, your team is tasked with conducting an in-depth examination. The goal is to trace back the origin of the attack, determining where and how it penetrated your defenses. Which activity would best aid your team in this endeavor?
A. Incident response plan
B. Lessons learned
C. Forensic analysis
D. Root cause analysis
D. Root cause analysis
Root cause analysis involves investigating an incident in detail to determine its origin and how it unfolded, with the aim of preventing similar incidents in the future. The incident response plan is a preparatory document outlining the organization’s approach to managing security incidents. It is not an activity performed after an incident. Lessons learned is the review process after an incident, where stakeholders evaluate what happened, what was done well, and what needs improvement. It’s a broader concept than just determining the initial cause of an issue. Although forensic analysis also involves a thorough investigation of an incident, its focus is broader and often includes legal implications, whereas root cause analysis is more focused on the initial causes of the issue.
An analyst reviews the logs from the network and notices that there have been multiple attempts from the open wireless network to access the networked HVAC control system. The open wireless network must remain openly available so that visitors can access the internet. How can this type of attack be prevented from occurring in the future?
A. Enable NAC on the open wireless network.
B. Install an IDS to protect the HVAC system.
C. Implement a VLAN to separate the HVAC control system from the open wireless network.
D. Enable WPA2 security on the open wireless network.
C. Implement a VLAN to separate the HVAC control system from the open wireless network.
A VLAN is useful to segment network traffic into various parts of the network and stop someone on the open wireless network from logging in to the HVAC controls. By utilizing NAC, each machine connected to the open wireless network could be checked for compliance to determine if it is a ‘known’ machine, but it would still be given access to the entire network. Also, since this is a publicly usable network, using NAC could prevent users from accessing all the network features. An IDS would be a good solution to detect the attempted logins, but it won’t prevent them. Instead, an IPS would be required to prevent logins.
Which law requires government agencies and other organizations that operate systems on behalf of government agencies to comply with security standards?
A. SOX
B. HIPAA
C. FISMA
D. COPPA
C. FISMA
The Federal Information Security Management Act (FISMA) is a United States federal law that defines a comprehensive framework to protect government information, operations, and assets against natural or human-made threats. FISMA requires that government agencies and other organizations that operate systems on behalf of government agencies comply with security standards. The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. The Children’s Online Privacy Protection Act (COPPA) is a United States federal law that imposes certain requirements on operators of websites or online services directed to children under 13 years of age and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. Sarbanes–Oxley (SOX) is a United States federal law that set new or expanded requirements for all U.S. public company boards, management, and public accounting firms.
Review the following packet captured at your NIDS:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
23:12:23.154234 IP 86.18.10.3:54326 > 71.168.10.45:3389 Flags [P.], Seq 1834:1245, ack 1, win 511, options [nop,nop, TS val 263451334 ecr 482862734], length 125
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
After reviewing the packet above, you discovered there is an unauthorized service running on the host. Which of the following ACL entries should be implemented to prevent further access to the unauthorized service while maintaining full access to the approved services running on this host?
A. DENY IP HOST 86.18.10.3 EQ 3389
B. DENY TCP ANY HOST 71.168.10.45 EQ 3389
C. DENY IP HOST 71.168.10.45 ANY EQ 25
D. DENY TCP ANY HOST 86.18.10.3 EQ 25
B. DENY TCP ANY HOST 71.168.10.45 EQ 3389
Since the question asks you to prevent unauthorized service access, we need to block port 3389 from accepting connections on 71.168.10.45 (the host). This option will deny ANY workstation from connecting to this machine (host) over the Remote Desktop Protocol service that is unauthorized (port 3389).
Which of the following techniques would best mitigate malware that utilizes a fast flux network for its command and control infrastructure?
A. Conduct detailed statistical analysis of the structure of domain names to detect anomalies.
B. Blacklisting known malicious IP addresses.
C. Blacklisting known malicious domain names.
D. Utilize a secure recursive DNS resolver to a third-party secure DNS resolver.
D. Utilize a secure recursive DNS resolver to a third-party secure DNS resolver.
Third-party DNS resolvers, particularly those of ISPs, will typically have elaborate algorithms designed to detect command and control (C2) via fast flux networks. Fast flux DNS is a technique that rapidly changes the IP address associated with a domain to allow an adversary to defeat IP-based blacklists. Often, though, these fast flux networks have communication patterns that might be detectable. While in-house statistical analysis might be possible (and could be done in parallel), the commercial resources available to a large-scale ISP or dedicated secure DNS providers will be better tailored to combating this issue.
How do service level objectives (SLOs) contribute to incident response?
A. They define expectations for incident response times and quality, providing clear targets for the response team.
B. They estimate the financial loss due to the incident.
C. They provide a detailed timeline of the incident.
D. They identify the root cause of the incident.
A. They define expectations for incident response times and quality, providing clear targets for the response team.
SLOs set the expected standards for incident response, such as response times, thereby providing clear targets and performance benchmarks for the response team. SLOs set expectations for incident response performance; they are not designed to estimate financial loss from an incident. SLOs set performance standards and expectations; they do not directly contribute to identifying the root cause of an incident. While SLOs can guide the timeline of the response, they do not provide a detailed timeline of the incident.
You are a cybersecurity analyst investigating a potential network issue at your company. You suspect there is unusual traffic on your company’s network. Which of the following tools would be most effective for capturing and analyzing network packets in real-time to investigate this issue?
A. tcpdump
B. Nmap
C. Wireshark
D. Ping
A. tcpdump
tcpdump is primarily used for capturing and analyzing network packets in real-time, which would be effective for investigating unusual network traffic. Nmap is primarily used for network discovery and security auditing. It can identify what hosts are available on the network, what services those hosts are offering, what operating systems they are running, and what type of packet filters/firewalls are in use. It doesn’t focus on real-time packet analysis. While Wireshark is also a network protocol analyzer, it provides a GUI and more detailed analysis features than tcpdump. However, for quick, real-time traffic analysis, tcpdump is more lightweight and often preferred. Ping is a basic network tool used to test whether a particular host is reachable across an IP network and to measure the round-trip time for packets. It doesn’t provide real-time traffic analysis.
Which of the following types of capabilities would an adversary need to identify and exploit zero-day vulnerabilities?
A. Developed
B. Advanced
C. Integrated
D. Acquired and augmented
A. Developed
According to the MITRE ATT&CK framework, developed capabilities can identify and exploit zero-day vulnerabilities. Acquired and augmented refers to the utilization of commodity malware and techniques (i.e., script kiddies). Advanced capabilities refer to those that can introduce vulnerabilities through the supply chain in proprietary and open-source products. Integrated capabilities involve non-cyber tools such as political or military assets.
In a scenario where an organization has implemented a strict change management policy, how might this policy influence the process of remediating identified vulnerabilities?
A. By creating bureaucratic delays in implementing necessary patches and updates.
B. By ensuring automatic remediation of vulnerabilities.
C. By guaranteeing seamless coordination between different departments.
D. By reducing the operational costs of the IT department.
A. By creating bureaucratic delays in implementing necessary patches and updates.
If governance policies require multiple approvals for actions, they could slow down the process of remediating vulnerabilities. Governance policies do not ensure automatic remediation; they guide an organization’s approach to handling vulnerabilities. While effective governance can improve interdepartmental coordination, it does not inherently expedite vulnerability remediation. While operational cost is a concern in governance, it does not directly impact the speed or efficiency of vulnerability remediation.
DeepScan supports data-flow analysis and understands the execution flow of a program. It allows you to see possible security flaws without executing the code. Which of the following types of tools would DeepScan be classified as?
A. Decompiler
B. Fault injector
C. Fuzzer
D. Static code analyzer
D. Static code analyzer
DeepScan is an example of a static code analysis tool. It inspects the code for possible errors and issues without actually running the code. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program through a fuzzer. A decompiler is a computer program that takes an executable file as input and attempts to create a high-level source file that can be recompiled successfully. Fault injection is a testing technique that aids in understanding how a system behaves when stressed in unusual ways. A fuzzer, decompiler, and fault injector are all dynamic analysis tools because they require the program being tested to be run for analysis.
Which of the following would be used to prevent a firmware downgrade?
A. TPM
B. SED
C. HSM
D. eFUSE
D. eFUSE
eFUSE is an Intel-designed mechanism to allow software instructions to blow a transistor in the hardware chip. One use of this is to prevent firmware downgrades, implemented on some game consoles and smartphones. Each time the firmware is upgraded, the updater blows an eFUSE. When there is a firmware update, the updater checks that the number of blown eFUSEs is not less than the firmware version number. A self-encrypting drive (SED) uses cryptographic operations performed by the drive controller to encrypt a storage device’s contents. A trusted platform module (TPM) is a specification for hardware-based storage of digital certificates, cryptographic keys, hashed passwords, and other user and platform identification information. The TPM is implemented either as part of the chipset or as an embedded function of the CPU. A hardware security module (HSM) is an appliance for generating and storing cryptographic keys. An HSM solution may be less susceptible to tampering and insider threats than software-based storage.
Which of the following provides a standard nomenclature for describing security-related software flaws?
A. SIEM
B. VPC
C. SOX
D. CVE
D. CVE
Common Vulnerabilities and Exposures (CVE) is an element of the Security Content Automation Protocol (SCAP) that provides a standard nomenclature for describing security flaws or vulnerabilities. A SIEM is a solution that provides a real-time or near-real-time analysis of security alerts generated by network hardware and applications. A VPC is a private network segment made available to a single cloud consumer on a public cloud. The Sarbanes-Oxley Act (SOX) dictates requirements for storing and retaining documents relating to an organization’s financial and business operations, including the type of documents stored and their retention periods.
You are investigating a suspected compromise. You have noticed several files that you don’t recognize. How can you quickly and effectively check if the files have been infected with malware?
A. Run the Strings tool against each file to identify common malware identifiers.
B. Submit the files to an open-source intelligence provider like VirusTotal.
C. Disassemble the files and conduct static analysis on them using IDA Pro.
D. Scan the files using a local anti-virus/anti-malware engine.
B. Submit the files to an open-source intelligence provider like VirusTotal.
The best option is to submit them to an open-source intelligence provider like VirusTotal. VirusTotal allows you to quickly analyze suspicious files and URLs to detect types of malware. It then automatically shares them with the security community, as well. Disassembly and static analysis would require a higher level of knowledge and more time to complete. Running the Strings tool can help identify text if the code is not encoded in a specific way within the malware, but you have to know what you are looking for, such as a malware signature. You should never scan the files using a local anti-virus or anti-malware engine if you suspect the workstation or server has already been compromised because the scanner may also be compromised.
A cybersecurity analyst is preparing to run a vulnerability scan on a dedicated Apache server that will be moved into a DMZ. Which of the following vulnerability scans is most likely to provide valuable information to the analyst?
A. Web application vulnerability scan.
B. Network vulnerability scan.
C. Port scan.
D. Database vulnerability.
A. Web application vulnerability scan.
Since Apache is being run on the scanned server, this indicates a web server. Therefore, a web application vulnerability scan would be the most likely to provide valuable information. A network vulnerability scan or port scan can provide valuable information against any network-enabled server. Since an Apache server doesn’t contain a database by default, running a database vulnerability scan is not likely to provide any valuable information to the analyst.
Which of the following is not considered a component that belongs to the category of identity management infrastructure?
A. Provisioning engine.
B. LDAP.
C. Human resource system.
D. Auditing system.
C. Human resource system.
The human resource system may be a data source for identity management, but it is not part of the infrastructure itself. LDAP servers, provisioning engines, and auditing systems are all part of identity management infrastructures. Most organizations rely on an LDAP Directory to store users, groups, roles, and relationships between those entities. A provisioning engine is responsible for coordinating the creation of user accounts, email authorizations in the form of rules and roles, and other tasks such as provisioning of physical resources associated with enabling new users. The auditing system is responsible for verifying that the identities present in the organization’s systems are valid and correct.
Your web application security team is preparing to conduct security testing on a new web application. Which guide would provide the most comprehensive framework for this testing?
A. OSS TMM
B. MITRE ATT&CK
C. OWASP Testing Guide
D. Cyber Kill Chain
C. OWASP Testing Guide
The OWASP Testing Guide provides a comprehensive framework for web application security testing. While the Open Source Security Testing Methodology Manual (OSSTMM) does provide guidance for security testing, it is not specifically focused on web application security testing. The MITRE ATT&CK framework primarily serves as a knowledge base for understanding attacker behaviors and tactics, techniques, and procedures (TTPs), not for guiding web application security testing. The Cyber Kill Chain describes the stages of a cyberattack, not a framework for web application security testing.
What does a Cross-Site Scripting (XSS) vulnerability allow an attacker to do?
A. Modify the content of a website.
B. Inject malicious scripts into web pages viewed by other users.
C. Decrypt encrypted data.
D. Bypass authentication controls.
B. Inject malicious scripts into web pages viewed by other users.
XSS vulnerabilities allow attackers to inject malicious scripts into web pages that other users of the site will view, leading to potential data theft or other malicious actions. XSS does not allow an attacker to modify the actual content of the website, but rather the content as viewed by a specific user, and only for the duration of that user’s session. While serious, XSS vulnerabilities do not directly involve bypassing authentication controls. This would be more associated with authentication or session management vulnerabilities. XSS vulnerabilities do not involve decrypting encrypted data. Decryption without the proper key would generally require a cryptographic attack.
A buffer overflow vulnerability in Dion Cybertronix Corporation’s system was resolved and verified. However, after some weeks, the same vulnerability was identified again. What does this situation demonstrate?
A. Mitigation
B. Secure Coding
C. Access Control
D. Recurrence
D. Recurrence
This situation demonstrates recurrence, as a previously resolved vulnerability has appeared again. The growing complexity of modern systems adds to the challenge, making it harder to identify and address all vulnerabilities. While secure coding aims to prevent vulnerabilities, the reappearance of a vulnerability does not directly relate to it. Access control manages who can access resources in a system. It does not directly relate to the reappearance of a vulnerability. Mitigation reduces the likelihood of the vulnerability being exploited.
Which of the following secure coding best practices ensures a character like < is translated into the &lt; string when writing to an HTML page?
A. Input Validation
B. Output encoding
C. Session management
D. Error handling
B. Output encoding
Output encoding involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the &lt; string when writing to an HTML page. Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering the malfunction of various downstream components. Improper error handling can introduce various security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker. The session management implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID.
You need to determine the best way to test operating system patches in a lab environment before deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches before deployment?
A. Purchase additional workstations.
B. Sandboxing.
C. Virtualization.
D. Bypass testing and deploy patches directly into the production environment.
C. Virtualization.
When you have a limited amount of hardware resources to utilize but have a requirement to test multiple operating systems, you should set up a virtualized environment to test the patch across each operating system before deployment. You should never deploy patches directly into production without testing them first in the lab.
Jamie’s organization is attempting to budget for the next fiscal year. Jamie has calculated that the asset value of a database server is $120,000. Based on her analysis, she believes that a data breach to this server will occur once every four years with a risk factor of 30%. What is the ALE for a data breach within Jamie’s organization?
A. $90,000
B. $360,000
C. $36,000
D. $9,000
D. $9,000
The single loss expectancy (SLE) is the amount that would be lost in a single occurrence: the asset value (AV) times the risk factor (RF). The annual loss expectancy (ALE) is the total cost of a risk to an organization annually. This is determined by multiplying the SLE by the annual rate of occurrence (ARO).

SLE = AV x RF = $120,000 x 0.3 = $36,000
ALE = SLE x ARO = $36,000 x 0.25 = $9,000
Your intrusion detection system has produced an alert based on its review of a series of network packets. After analysis, it is determined that the network packets did not contain any malicious activity. How should you classify this alert?
A. True negative
B. False positive
C. False negative
D. True positive
B. False positive
A false positive occurs when an alert is triggered (the system believes malicious activity occurred) when there is no malicious activity involved. A false positive is an error in some evaluation process in which a condition tested for is mistakenly found to have been detected.
Why is regular vulnerability management reporting critical to an organization’s security posture?
A. It’s key to improving the company’s stock performance.
B. It’s primarily important for increasing employee productivity.
C. It’s essential for enhancing the company’s brand image.
D. To aid in effective prioritization and remediation.
D. To aid in effective prioritization and remediation.
Regular reporting provides ongoing visibility into system vulnerabilities, aiding in effective prioritization and remediation strategies. While robust security can indirectly contribute to a company’s overall performance, the immediate goal of vulnerability management reporting is to aid in maintaining a secure system. While strong security can enhance a company’s reputation, the primary objective of vulnerability management reporting is to ensure effective security management. While productivity is a vital organizational goal, the primary aim of vulnerability management reporting is to maintain awareness of the system’s security status.