JasonDion Practice Exam 4 Flashcards

Question

Your company has noticed a significant increase in the mean time to detect (MTTD) and mean time to respond (MTTR) to incidents. What is a potential impact of these increased metrics? A. It improves the company's public image. B. It increases the legal protection against cyber attacks. C. It results in a decrease in security alert volume. D. It might lead to a greater impact of security incidents.

Answer 1

D. It might lead to a greater impact of security incidents. An increase in MTTD and MTTR suggests a slower reaction to incidents, which can allow threats to cause more damage before they are detected and addressed. These metrics don't provide legal protection. They measure organizational effectiveness in detecting and responding to incidents. MTTD and MTTR metrics don't directly impact the volume of security alerts. They measure the speed of detection and response. Increased MTTD and MTTR are unlikely to improve a company's public image; in fact, they might harm the company's reputation if they result in a significant breach.

Answer 2

D. Root cause analysis. Conducting a root cause analysis can help understand how the vulnerability was exploited, which is key to preventing similar attacks in the future. While transparency is important, immediate public disclosure without a comprehensive understanding of the situation might not prevent future attacks and could even lead to additional issues. Merely increasing the alert volume may not help prevent future attacks. It's more important to understand the nature of the attack and take targeted actions. Communicating with law enforcement might help with the investigation but wouldn't necessarily prevent similar attacks in the future.

Answer 3

D. \b(192\.168\.66\.6)|(10\.66\.6\.10)|(172\.16\.66\.1)\b The correct option is \b(192\.168\.66\.6)|(10\.66\.6\.10)|(172\.16\.66\.1)\b, which uses parenthesis and "OR" operators (|) to delineate the possible whole-word variations of the three IP addresses. Using square braces indicates that any of the letters contained in the square braces are matching criteria. Using the + operator indicates an allowance for one more instance of the preceding element. In all cases, the period must have an escape (\) sequence preceding it as the period is a reserved operator internal to REGEX.

Answer 4

A. John does not have permission to perform the scan. All options listed are an issue, but the most significant issue is that John does not have the client’s permission to perform the scan. A vulnerability scan may be construed as a form of reconnaissance, penetration testing, or even an attack on the organization’s systems. A cybersecurity analyst should never conduct a vulnerability scan on another organization’s network without explicit written permission. In some countries, a vulnerability scan against an organization’s network without their permission is considered a cybercrime and could result in jail time for the consultant.

Answer 5

D. http.request.method=="POST" && ip.dst==10.1.2.3 Filtering the available PCAP with just the http "post" methods would display any data sent when accessing a REST API, regardless of the destination IP. Filtering the available PCAP with just the desired IP address would show all traffic to that host (10.1.2.3). Combining both of these can minimize the data displayed to only show things posted to the API located at 10.1.2.3. The ip.proto==tcp filter would display all TCP traffic on a network, regardless of the port, IP address, or protocol being used. It would simply produce too much information to analyze.

Answer 6

A. Attack surface The collection of all points from which an adversary may attack is considered the attack surface. The attack vector represents the specific points an adversary has chosen for a particular attack. The threat model defines the behavior of the adversary. An adversary capability set is the list of items an adversary can use to conduct their attack.

Answer 7

E. This appears to be normal network traffic. This appears to be normal network traffic. The first line shows that a DNS lookup was performed for a website (test.diontraining.com). The second line shows the response from the DNS server with the IP address of the website. The third line begins a three-way handshake between an internal host and the website. The fourth line is the SYN-ACK response from the website to the internal host as part of this handshake. The fifth line is a standard Windows NetBIOS query within the local area network to translate human-readable names to local IP addresses. The sixth and seventh lines appear to be inbound requests to port 443 and port 8080, both of which were sent the RST by the internal host's firewall since it is not running those services on the host. None of this network traffic appears to be suspicious.

Answer 8

C. Static code analysis Buffer overflows are most easily detected by conducting a static code analysis. Manual peer review or pair programming methodologies might have been able to detect the vulnerability. Still, they do not have the same level of success as a static code analysis using proper tools. DevSecOps methodology would also improve the likelihood of detecting such an error but still rely on a human to human interactions and human understanding of source code to detect the fault. Dynamic code analysis also may have detected this if the test found exactly the right condition. Still, again, a static code analysis tool is designed to find buffer overflows more effectively.

Answer 9

A. Denial-of-service attacks A denial-of-service or DoS attack isn’t usually included as part of a penetration test. This type of attack contains too much risk for an organization to allow it to be included in an assessment scope. Social engineering, physical penetration attempts, and reverse engineering are all commonly included in a penetration test's scope.

Answer 10

C. The REGEX expression to filter using "[Ss]cript" is insufficient. As an attacker could use SCRIPT or SCRipt or %53CrIPT to evaded it. The most likely explanation is that the REGEX filter was insufficient to eliminate every single possible cross-site scripting attack that could occur. Since cross-site scripting relies on the HTML tags to launch, the system administrators had a good idea of creating input validation using a REGEX for those keywords. Unfortunately, they forgot to include a more inclusive version of this REGEX to catch all variants. For example, simply using [Ss][Cc][Rr][Ii][Pp][Tt] would have been much more secure, but even this would miss %53CrIPT would evade this filter. To catch all the letter S variants, you would need to use [%53%%73Ss], which includes the capital S in hex code, the lower case s in hex code, the capital S, and the lowercase s. While it is possible that an attacker used an SQL injection instead, their REGEX input validation would still have allowed a cross-site scripting attack to occurs, so this option must be eliminated. As for the logging options, both are possible in the real world, but they do not adequately answer this scenario. The obvious flaw in their input validation is their REGEX filter.

Answer 11

C. Conduct regular training sessions to teach employees how to recognize and avoid phishing emails. Regular training plays a crucial role in mitigating the risk of employees falling victim to phishing attacks. By providing ongoing education and awareness programs, employees can become more knowledgeable about the tactics and techniques used in phishing attempts. This training equips them with the skills to recognize and report suspicious emails, links, or requests, thereby reducing the likelihood of falling for phishing scams. While this might discourage careless behavior, it does not equip employees with the knowledge to avoid phishing attempts. While this may seem like a direct solution, it is not practical or effective in the long term. Education is a more effective approach. While certain software may offer better spam filters, it cannot fully prevent phishing attempts, which often rely on social engineering.

Answer 12

D. It aids in understanding the factors that led to the incident, helping to prevent occurrences in the future. Root cause analysis is crucial for understanding what caused the incident, enabling organizations to implement measures to prevent similar incidents from happening in the future. The main goal of root cause analysis is not to assign blame, but to understand what led to the incident so that similar issues can be prevented. Root cause analysis does not directly assist in data recovery. It focuses on understanding the cause of the incident. While findings from root cause analysis may be used to inform communications, its primary purpose is not to provide a basis for media interaction.

Answer 13

C. POS malware Point-of-sale malware (POS malware) is usually a type of malicious software (malware) that is used by cybercriminals to target point of sale (POS) and payment terminals with the intent to obtain credit card and debit card information, a card's track 1 or track 2 data and even the CVV code, by various man-in-the-middle attacks, that is the interception of the processing at the retail checkout point of sale system. Ransomware is a type of malware that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. Keyloggers are a type of monitoring software designed to record keystrokes made by a user. These keyloggers can record the information you type into a website or application and send to back to an attacker. A rootkit is a malware class that modifies system files, often at the kernel level, to conceal its presence.

Answer 14

B. Data correlation Data correlation is the first step in making sense of data from across numerous sensors. This will ensure the data is placed concerning other pieces of data within the system. For example, if your IDS detected an incident, host logs were collected, and your packet capture system collected the network traffic, the SIEM could be used to correlate all three pieces of information from these different systems to allow an analyst to understand the event better. By conducting data correlation, it allows an analyst to identify a pattern more clearly and take action. Data correlation should be performed as soon as the SIEM indexes the data.

Answer 15

C. Leading to postponed or overlooked system updates and patches. Avoiding interruptions could cause delays or oversights in system maintenance, including the application of important updates and patches. While avoiding interruptions may maintain productivity, it doesn't directly impact vulnerability management. Business process continuity does not have a direct correlation with the effectiveness of marketing strategies. While uninterrupted operations may contribute to business success, this is not directly related to vulnerability management.

Answer 16

C. An uncredentialled scan of the network was performed. Uncredentialled scans are generally unable to detect many vulnerabilities on a device. When conducting an internal assessment, you should perform an authenticated (credentialed) scan of the environment to most accurately determine the network's vulnerability posture. In most enterprise networks, if a vulnerability exists on one machine, it also exists on most other workstations since they use a common baseline or image. If the scanner failed to connect to the workstations, an error would have been generated in the report.

Answer 17

B. Steganography was used to hide the leaked data inside the user's photos. The most likely explanation is that the user utilized steganography to hide the leaked data inside their trip photos. Steganography is the process of hiding one message inside another. By hiding the customer’s information within the digital photos, the incident response team would not see the data being hidden without knowing to look for it inside the seemingly benign pictures from the trip. The scenario did not mention whether or not the user connected to the corporate VPN from their home, and the company should log all VPN connections, so this is not the correct answer. Additionally, the user could not hash the data and email it to themselves without losing the information since hashes are a one-way algorithm. Therefore, even if the user had the hash value, they still would not have the customers' personal information. Finally, according to the scenario, the user’s email showed no evidence of encrypted files being sent

Answer 18

B. Purge, validate, and document the sanitization of the drives. Purging the drives, validating that the purge was effective, and documenting the sanitization is the best response. Purging includes methods that eliminate information from being feasibly recovered even in a lab environment. For example, performing a cryptographic erasure (CE) would sanitize and purge the drives' data without harming the drives themselves. Clearing them leaves the possibility that some tools would allow data recovery. Since the scenario indicates that these were leased drives that must be returned at the end of a lease, they cannot be destroyed.

Answer 19

A. Polymorphic virus A polymorphic virus alters its binary code to avoid detection by antimalware scanners that rely on signature-based detection. By changing its signature, the virus can avoid detection.

Answer 20

B. Delivery The delivery phase of the Cyber Kill Chain involves transmitting the malicious payload to the victim. Command and Control involves maintaining communication with the compromised system, not delivering the malicious payload. Reconnaissance involves gathering information about the target system, not delivering the malicious payload. Installation involves the payload setting up a foothold on the compromised system, not delivering the malicious payload.

Answer 21

A. Impossible Travel This alert indicates that a user's account has been used to log in from two distant locations within a time frame shorter than the possible travel time between the locations, signaling potential unauthorized access. AbuseIPDB is a tool used to check IP addresses for reported malicious activity, it would not necessarily detect geographically improbable logins based on the information available. Interpreting suspicious commands is a useful skill for identifying potentially malicious actions on a system, but it's not directly related to detecting geographically improbable logins. Pattern recognition involves identifying repeating trends or anomalies in data, which might not directly relate to this specific scenario of geographically improbable logins.

Answer 22

B. How will the appliance receive updated signatures and scanning engines? C. How will the appliance receive security patches and updates? E. Do you have security personnel and procedures in place to review the output from this appliance and take action where appropriate? F. Does the new appliance provide a detailed report or alert showing why it believes an attachment is malicious? Often, cybersecurity professionals fall in love with a new technological solution without fully considering the true cost of ownership and risks it poses to their organization. Even if this is the perfect security mechanism, the organization must plan for how they will respond to the alerts provided by this appliance. Additionally, you must consider if you have the right people and procedures to use the new application effectively. The appliance will also need to receive security patches, feature updates, and signature definition files routinely to remain effective and secure. At later stages of analysis, your security team may need to determine why a false-positive or false-negative occurred, which requires detailed alerts or reports from the machine. In corporate environments, privacy is limited for employees as most companies have a "right to monitor" included as part of their AUP and access policies. Therefore privacy is a minimal area of concern in this case. The appliance cannot manipulate the information passing through it since it will analyze the information by placing a copy into a sandbox. This allows it to make a allow or deny decision and will not modify the original data is processed.

Answer 23

A. Application software security. Since the software development lifecycle (SDLC) is focused on building software applications, the best control category would be application software security. While all other documents hosted by the Center for Internet Security contain useful information, the application software security control is most likely to contain relevant information relating to best practices to implement in the SDLC.

Answer 24

A. Use a web application firewall (WAF) to block malicious traffic. C. Use a firewall to restrict access to the affected systems. To mitigate the risk associated with the ProxyNotShell vulnerability, the software development company can configure a Web Application Firewall (WAF) to block traffic related to the vulnerability. By implementing specific rules within the WAF, any malicious traffic attempting to exploit the vulnerability can be identified and blocked, thereby preventing attackers from successfully exploiting the vulnerability. To mitigate the risk associated with the vulnerability, the software development company can configure a firewall to restrict access to the affected systems exclusively for authorized users. By implementing proper firewall rules, the company can control and limit network traffic, preventing unauthorized access and minimizing the potential for attackers to exploit the vulnerability. Creating a new product does not directly address the vulnerability in the existing one. While having more developers might eventually help fix the vulnerability, it does not provide an immediate solution.

Answer 25

C. Memory consumption Memory consumption refers to the precise measurement of the quantity of memory that is being actively utilized by the various processes within a system. It serves as a crucial indicator of the system's resource allocation and utilization efficiency. Consequently, when the analyst identifies a discernibly elevated level of memory usage within the system, they are effectively overseeing and scrutinizing the specific aspect of memory consumption. Data encryption, while important for data security, doesn't involve monitoring the amount of memory used by a system's processes. Memory resource management is about efficiently utilizing a system's memory. Data storage is about holding data, not about monitoring the memory usage of a system's processes.

Answer 26

D. Cross-site scripting This scenario is a perfect example of the effects of a cross-site scripting (XSS) attack. If your website's HTML code does not perform input validation to remove scripts that may be entered by a user, then an attacker can create a popup window that collects passwords and uses that information to compromise other accounts further. A cross-site request forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. An XSS will allow an attacker to execute arbitrary JavaScript within the victim's browser (such as creating pop-ups). A CSRF would allow an attack to induce a victim to perform actions they do not intend to perform. A rootkit is a set of software tools that enable an unauthorized user to control a computer system without being detected. SQL injection is the placement of malicious code in SQL statements via web page input. None of the things described in this scenario would indicate a CSRF, rootkit, or SQL injection.

Answer 27

A. sc [ip address] Service control (sc) is a Windows command that allows you to create, start, stop, query, or delete a Windows service. The dig command will give you information on when a query was performed, the details that were sent, and what flags were sent. In most cases, host and nslookup will also provide similar information.

Answer 28

B. It could indicate a need for improved security measures or updated software. An upward trend in vulnerabilities may signal a need to enhance cybersecurity defenses. On the contrary, an upward trend would indicate an increased need for thorough vulnerability scanning. Network bandwidth usage isn't directly related to the trend in vulnerability discoveries. While efficiency is important, an upward trend in vulnerability discoveries is not an indicator of server efficiency.

Answer 29

D. Dissemination The dissemination phase refers to publishing information produced by analysis to consumers who need to develop the insights. The collection phase is usually implemented by administrators using various software suites, such as security information and event management (SIEM). This software must be configured with connectors or agents that can retrieve data from sources such as firewalls, routers, IDS sensors, and servers. The analysis phase focuses on converting collected data into useful information or actionable intelligence. The final phase of the security intelligence cycle is feedback and review, which utilizes both intelligence producers and intelligence consumers' input. This phase aims to improve the implementation of the requirements, collection, analysis, and dissemination phases as the life cycle is developed.

Answer 30

B. FTK Imager FTK Imager can create perfect copies or forensic images of computer data without making changes to the original evidence. The forensic image is identical in every way to the original, including file slack and unallocated space or drive free space. The dd tool can also create forensic images, but it is not a proprietary tool since it is open-source. Memdump is used to collect the content within RAM on a given host. Autopsy is a cross-platform, open-source forensic tool suite.

Answer 31

D. Cross-Site Scripting (XSS) XSS vulnerabilities are widespread across web applications and can lead to serious consequences, such as user data theft, making this the correct answer. The SolarWinds SUNBURST was a severe, targeted supply chain attack, not a common vulnerability like XSS. The Spectre attack was an impactful hardware vulnerability, but it's not typically categorized as a top 10 vulnerability. While the Poodle Attack was significant and impacted SSL 3.0 protocol, it is not categorized as a top 10 widespread vulnerability.

Answer 32

D. Training Regular training is crucial to equip the workforce with the necessary knowledge to recognize and respond to potential incidents. An incident response plan is a set of procedures to manage and handle an incident. It outlines how the organization will respond to an incident but does not involve the regular education of the workforce. While playbooks provide detailed, step-by-step guides on how to respond to specific types of incidents, they do not involve the regular education of the workforce. While business continuity disaster recovery planning is an essential part of incident management preparation, it does not directly involve workforce education on recognizing and responding to incidents.

Answer 33

C. Stakeholders provide the necessary support and resources for effective incident management. Stakeholders are individuals or groups with a vested interest in the security of an organization. Their support and resources can help effectively manage and mitigate incidents. While stakeholders play a vital role in the incident response process, their main function is not to resolve the incident but to support the incident response team that does. While certain stakeholders may have a role in communicating with the public, it is not their primary responsibility in the incident response process. The task of analyzing the root cause of an incident typically falls to the incident response team or forensic experts, not stakeholders.

Answer 34

C. Root cause analysis Root cause analysis is the process of determining the initial cause(s) of a problem or issue, with the intent to fix the issue by addressing these underlying causes. Lessons learned is a process that follows an incident, where all stakeholders reflect on what happened, what was done well, and what needs to be improved for future incidents. It is broader and less technically focused than root cause analysis. The incident response plan is a strategic document outlining the procedures for handling and managing an incident, not a post-incident activity. While forensic analysis also involves a detailed examination of an incident, it typically goes beyond root cause analysis to include a detailed and systematic examination of all aspects of an incident, often with an eye to legal requirements and implications.

Answer 35

A. An XML External Entity (XXE) vulnerability has been exploited and its possible that the password has downloaded the file "/etc/passwd". This is an example of an XML External Entity (XXE) vulnerability. Any references to document abc of type xyz may now be replaced with /etc/passwd, which would allow the user to harvest the data contained within the file. Although in modern Linux operating systems, the /etc/passwd only contains the usernames resident on the system and not the passwords, this is still valuable information for an attacker. The ‘/etc/passwd’ file has been better secured in recent systems by using a shadow file (which contains hashed values for the passwords). Without an input validation step is added to the process, there is nothing to stop the attacker from gathering other potentially sensitive files from the server. While ISO-8859-1 does indeed cover the Latin alphabet and is standard throughout XML, it has no significance from a cybersecurity perspective. A parameterized query is a form of output encoding that defends against SQL and XML injections. This code does not contain a parameterized query.

Answer 36

C. Zero-day attacks. Zero-day attacks have no known fix, so patches will not correct them. A zero-day vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability (including the vendor of the target software). If a discovered software bug or known vulnerability is found, a patch or mitigation is normally available. If a piece of malware has well-defined indicators of compromise, a patch or signature can be created to defend against it, as well.

Answer 37

A. Directory traversal This is an example of a directory traversal. A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with “dot-dot-slash (../)” sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location. XML Injection is an attack technique used to manipulate or compromise an XML application or service's logic. SQL injection is the placement of malicious code in SQL statements via web page input.

Answer 38

D. Any listed answers may be true. The best option is all of the answers listed. SNMP doesn’t report closed UDP ports, and SNMP servers don’t respond to invalid information requests. The “no response” can mean that the systems cannot be reached (either internally or externally). If you entered an invalid community string, then SNMP will be unable to provide a response or report its findings.

Answer 39

A. A call list/escalation list. To maintain a disciplined approach to incident response, the organization needs to document and follow procedures developed during the preparation phase. The SOC should have a call list or an escalation list as part of those procedures. This list should detail who should be called, what order, and how high up the organizational leadership chart a particular issue would reach. In almost every case, the incident response team lead should be contacted before the CEO or CIO is notified of the incident. When companies go "right to the top" of the leadership chart, the CEO and CIO will be acting on half-true or unverified information during the start of an incident response process. Instead, an established form for incident detail collection should be performed, the right technical leads should be notified of the incident, and the incident response team should be called in to analyze the information and provide a quick "stand up" report to leadership on what the issue is, what has already been done, and what they recommend doing from here to resolve the incident. All of the other options are best practices to consider and develop in the preparation phase. Still, they would not have solved the issue in this scenario of senior leadership being notified before the incident response team lead.

Answer 40

B. Data and log analysis The cybersecurity team is performing data and log analysis, a key incident response activity. They are analyzing logs to identify the cause of the data breach and determine the extent of the intrusion. Recovery involves restoring systems to normal operation and implementing measures to prevent future similar attacks. The team hasn't reached this stage yet; they are still analyzing logs to understand what happened. Containment is the process of limiting the extent of an intrusion and preventing it from spreading further. In this scenario, the team is analyzing data and logs, not containing the breach. Eradication involves eliminating the threat from the network, which can't be done until the threat is fully understood. The team is still at the analysis stage

Answer 41

A. May lead to delays in performing system maintenance and patching. Interruption concerns may push organizations to delay necessary vulnerability remediation, prolonging system exposure to risks. Fear of interruption does not directly enhance system functionality. Fear of interruption might in fact delay necessary actions, not accelerate them. Fear of interruption does not inherently reduce vulnerabilities; it may delay their remediation.

Answer 42

A. Prioritizing the risk level associated with each vulnerability. Risk prioritization is an essential part of vulnerability management, focusing on the most significant threats in a cybersecurity landscape. It involves assessing potential vulnerabilities, considering their likelihood of exploitation, and the potential impact of such an event. After prioritizing vulnerabilities, the highest-risk ones are addressed first, using methods such as software patching or security policy enhancement. This process is continuously revisited and adjusted as new threats and vulnerabilities emerge. The type of vulnerabilities may provide some context, but it is the risk associated with each that should primarily drive prioritization. The number alone does not give an accurate picture of prioritization. Not all vulnerabilities pose the same level of risk. While knowing where vulnerabilities reside is important, it's not the main factor in prioritization. The risk each vulnerability carries is more critical.

Answer 43

A. Prioritization When prioritizing vulnerabilities, several factors come into play. The severity of a vulnerability determines its potential impact, with high-impact vulnerabilities, like those granting system control, given higher priority. The likelihood of exploitation also plays a role, favoring vulnerabilities with higher probabilities, such as publicly disclosed ones. Additionally, the cost of remediation influences prioritization, as expensive fixes may require allocation within the organization's budget. By considering these factors, informed decisions can be made on vulnerability prioritization, leading to benefits such as saved resources, improved security, and compliance with regulations. Ultimately, prioritizing vulnerabilities enhances security posture and reduces the risk of attack. This is a process of setting up a firewall's settings to control network traffic, not the process of deciding which vulnerabilities to address first. Intrusion detection refers to the methods used to detect unauthorized access to a system or network. This refers to the process of delivering patches or updates to systems, not determining the order in which vulnerabilities are addressed.

Answer 44

D. Cyber Kill Chain The Cyber Kill Chain, developed by Lockheed Martin, describes the stages of a cyber attack. The steps taken by the red team align with this model, from the identification of vulnerabilities (reconnaissance), through exploitation and installation, to achieving their objectives (exfiltration). The OWASP Testing Guide provides a methodology for testing the security of web applications. It doesn't describe the stages of a cyber attack. The Diamond Model focuses on the relationship between four elements of an attack: the adversary, the victim, the infrastructure, and the capability. It doesn't represent a sequential progression of an attack. The MITRE ATT&CK framework provides a matrix of tactics, techniques, and procedures (TTPs) used by cyber adversaries. While it's useful for detailing attacker behavior, it doesn't provide a linear progression of an attack.

Answer 45

B. Security, Pre-EFI initialization, Driver Execution Environment, Boot Device Select, Transient System Load, Runtime. The security must first prevent any potential contamination from advanced malware from affecting the system as it proceeds into its startup process. The security consists of initializing the code that the system executes after powering on the EFI system. Pre-EFI initialization initializes the CPU, temporary memory, and boot firmware volume (BFV). Driver Execution Environment initializes the entire system's physical memory, I/O, and MIMO (Memory Mapped Input Output) resources. Finally, it begins dispatching DXE Drivers present in the system Firmware Volumes (given in the HOBL). Boot Device Select interprets the boot configuration data and selects the Boot Policy for later implementation. Runtime focuses on clearing the UEFI program from memory and transferring control to the operating system.

Answer 46

B. Alerting the incident response team and working with them to mitigate any potential harm. In the face of a potential threat like this, the threat intelligence team would generally alert the incident response team and work with them to protect the organization and its customers. It is not generally advisable, or often legal, for an organization to engage directly with threat actors. Professional security teams should be involved in these situations. Retaliatory cyber attacks are both legally and ethically problematic and could lead to serious consequences. This is not the right course of action. Ignoring a potential threat, particularly one that involves customer data, would not be a safe or responsible course of action.

Answer 47

A. Direct action against public-facing servers. B. Release of malicious email. F. Deliberate social media interactions with the target's personnel. During the delivery phase, the adversary is firing whatever exploits they have prepared during the weaponization phase. At this stage, they still do not have access to their target, though. Therefore, taking direct action against a public-facing web server, sending a spear-phishing email, placing a USB drive with malware, or starting a conversation on social media all fit within this phase. internet-facing servers were enumerated during reconnaissance. Selecting a decoy document to present to the victim occurs during weaponization. Collecting press releases, contract awards, and conference attendee lists occur during the reconnaissance phase.

Answer 48

D. ESTABLISHED The ESTABLISH message indicates that an active and established connection is created between two systems. The LISTENING message indicates that the socket is waiting for an incoming connection from the second system. The LAST_ACK message indicates that the remote end has shut down the connection, and the socket is closed and waiting for an acknowledgment. The CLOSE_WAIT message indicates that the remote end has shut down the connection and is waiting for the socket to close. This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goals aren't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

Answer 49

C. Incident response plan The incident response plan outlines the procedures and processes to handle and manage a security incident. It's an essential part of preparation for potential incidents. Tabletop exercises are a method of testing an organization's incident response plan and team, not establishing procedures for managing incidents. While training is an important part of preparation, it involves educating the workforce about potential incidents and how to respond, not outlining procedures for managing potential incidents. Business continuity disaster recovery planning focuses on how an organization can continue operations during and recover after a disruptive incident, not on outlining procedures for handling potential incidents.

Answer 50

B. Discovering potential threats before they impact your organization. Gathering threat intelligence from the deep web and dark web can help your organization identify emerging threats or planned attacks before they affect your network. While gathering intelligence can help identify and mitigate threats, it does not guarantee the elimination of all cyber threats. Gathering threat intelligence is a part of a broader security strategy and should be used in conjunction with other security measures, not in lieu of them. Gathering threat intelligence from the deep web and dark web is not related to increasing an organization's web presence; it's about identifying potential cyber threats.

Answer 51

B. Process Monitor Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. Autoruns shows you what programs are configured to run during system bootup or login. ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. DiskMon is an application that logs and displays all hard disk activity on a Windows system. This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

Answer 52

C. Fuzzing Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. User Acceptance Testing is the process of verifying that a created solution/software works for the user. Security regression testing ensures that changes made to a system do not harm its security, are therefore of high significance, and the interest in such approaches has steadily increased. Stress testing verifies the system's stability and reliability by measuring its robustness and error handling capabilities under heavy load conditions.

Answer 53

A. Weaponization In the context of the WannaCry ransomware attack, the NSA tool, EternalBlue, was used during the weaponization phase to exploit a known vulnerability in Microsoft’s SMB protocol. Command and control refers to the phase where the attacker establishes a channel to control the compromised system. Actions and Objectives phase would be when the attackers actually encrypted the files and demanded the ransom. The delivery phase involves the transmission of the malicious payload to the victim, not the creation of it.

Answer 54

A. Utilizing an operating system SCAP plugin. Security Content Automation Protocol (SCAP) is a multi-purpose framework of specifications supporting automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. It is an industry-standard and support testing for compliance. The other options will not allow for a truly repeatable process since individual scans would occur each time instead of comparing against a known good baseline.

Answer 55

A. Application hardening Application hardening involves taking actions to best secure the application from attack. This involves removing any default or sample configurations, properly configuring settings, and updating the application to the latest and more secure version. Patch management is incorrect because only updating the software falls under patch management, not the configuration portions of her actions. Vulnerability scanning involves scanning a device for known vulnerabilities to update the device and prevent a future attack. Input validation is a technique to verify user-provided data meets the expected length and type before allowing a program to utilize it.

Answer 56

C. Plugins Plugins are software components that can extend the functionality of Burp Suite, including automated security tasks and additional vulnerability scanning options. While drivers enable hardware-software communication, they do not extend the functionality of Burp Suite. APIs (Application Programming Interfaces) allow different software applications to communicate but do not inherently extend the functionality of a specific tool like plugins. While scripts can automate certain tasks, they do not inherently extend the functionality of a specific tool like plugins.

Answer 57

A. Dion B. DION C. dion D. Dion E. DIOn The grep (global search for regular expressions and print) is one of Linux's powerful search tools. The general syntax for the grep command is "grep [options] pattern [files]. The command searches within the specified files (in this case, the Names.txt file). When the command is issued with the -i optional flag, it treats the specified pattern as case insensitive. Therefore, all uppercase and lowercase variations of the word "DION" will be presented from the file and displayed as the command output. By default, grep uses case sensitivity, so "grep DION Names.txt" would only display the output as "DION" and ignore the other variations. As a cybersecurity analyst, grep is one of your most important tools. You can use regular expressions (regex) to quickly find indicators of compromise within your log files using grep.

Answer 58

A. User and entity behavior analytics. Since ICS, SCADA, and IoT devices often run proprietary, inaccessible, or unpatchable operating systems, the traditional tools used to detect the presence of malicious cyber activity in normal enterprise networks will not function properly. Therefore, user and entity behavior analytics (UEBA) is best suited to detect and classify known-good behavior from these systems to create a baseline. Once a known-good baseline is established, deviations can be detected and analyzed. UEBA may be heavily dependent on advanced computing techniques like artificial intelligence and machine learning and may have a higher false-positive rate. As the name suggests, the analytics software tracks user account behavior across different devices and cloud services. Entity refers to machine accounts, such as client workstations or virtualized server instances, and embedded hardware, such as the Internet of Things (IoT) devices. Traditional technologies include anti-virus tools, host-based IDS and IPS, and endpoint protection platforms.

Answer 59

A. Compliance with data breach notification laws. Legal considerations primarily involve complying with local, national, or international data breach notification laws and regulations, which typically require the organization to notify affected parties within a certain timeframe. While internal policies are important, they do not typically carry the legal weight that breach notification laws do. Compliance with these laws should be a primary consideration. While managing public relations is a crucial aspect of breach communication, it does not directly involve legal considerations. While important, contractual obligations are specific to individual relationships and may not have the broad legal implications that breach notification laws do.

Answer 60

D. Intrusion prevention system Since this question is focused on the ICS/SCADA network, the best solution would be implementing an Intrusion Prevention System. ICS/SCADA machines utilize very specific commands to control the equipment and to prevent malicious activity. You could set up strict IPS rules to prevent unknown types of actions from being allowed to occur. Log consolidation is a good idea, but it won't prevent an issue and therefore isn't the most critical thing to add first. Automated patch management should not be conducted, as ICS/SCADA systems must be tested before conducting any patches. Often, patches will break ICS/SCADA functionality. Antivirus software may or may not be able to run on the equipment, as well, since some ICS/SCADA systems often do not rely on standard operating systems like Windows.

JasonDion Practice Exam 4 Flashcards

(84 cards)