Practice Tests - Practice Test 2 Flashcards
3- Rowan ran a port scan against a network switch located on her organization’s internal network and discovered the results shown here. She ran the scan from her workstation on the employee VLAN. Which one of the following results should be of greatest concern to her?
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-26 19:25 EDT
Nmap scan report for 10.1.0.121
Host is up (0.058s latency).
Not shown: 966 closed ports
PORT STATE
22/tcp open
23/tcp open
80/tcp filtered
443/tcp open
631/tcp filtered
8192/tcp filtered
8193/tcp filtered
8194/tcp filtered
28201/tcp filtered
Nmap done: 1 IP address (1 host up) scanned in 5.29 seconds
- Port 22
- Port 23
- Port 80
- Ports 8192 to 8194
Port 23
Both ports 22 and 23 should be of concern to Rowan because they indicate that the network switch is accepting administrative connections from a general‐use network. Instead, the switch should accept administrative connections only from a network management VLAN. Of these two results, port 23 should be of the greatest concern because it indicates that the switch is allowing unencrypted telnet connections that may be subject to eavesdropping. The results from ports 80 and 8192 to 8194 are of lesser concern because they are being filtered by a firewall.
4- Evan is troubleshooting a vulnerability scan issue on his network. He is conducting an external scan of a website located on the web server shown in the diagram. After checking the web server logs, he saw no sign of the scan requests. Which one of the following causes is the least likely issue for him to troubleshoot?
(look up diagram in book)
- The scans are being blocked by an intrusion prevention system.
- The scans are being blocked by a rule within the web server application.
- The scans are being blocked by a network firewall.
- The scans are being blocked by a host firewall.
The scans are being blocked by a rule within the web server application.
All of the scenarios described here could result in failed vulnerability scans and are plausible on this network. However, the fact that the web server logs do not show any denied requests indicates that the issue is not with the web server application itself. If this were the case, Evan would see evidence of it in the web server logs.
5- Sam is looking for evidence of software that was installed on a Windows system. He believes that the programs were deleted and that the suspect used both registry and log cleaners to hide evidence. What Windows feature can’t he use to find evidence of the use of these programs?
- The MFT
- Volume shadow copies
- The shim (application compatibility) cache
- Prefetch files
The shim (application compatibility) cache
The shim cache is used by Windows to track scripts and programs that need specialized compatibility settings. It is stored in the registry at shutdown, which means that a thorough registry cleanup will remove program references from it. The master file table (MFT), volume shadow copies, and prefetch files can all contain evidence of deleted applications.
7- A port scan conducted during a security assessment shows the following results. What type of device has most likely been scanned?
Nmap scan report for EXAMPLE (192.168.1.79)
Host is up (1.00s latency).
Not shown: 992 closed ports
PORT STATE
21/tcp open
23/tcp open
80/tcp open
280/tcp open
443/tcp open
515/tcp open
631/tcp open
9100/tcp open
Nmap done: 1 IP address (1 host up) scanned in 124.20 seconds
- A wireless access point
- A server
- A printer
- A switch
A printer
Although TCP ports 21, 23, 80, and 443 are all common ports, 515 and 9100 are commonly associated with printers.
8- Which of the following is not one of the major categories of security event indicators described by NIST 800‐61?
- Alerts from IDS, IPS, SIEM, AV, and other security systems
- Logs generated by systems, services, and applications
- Exploit developers
- Internal and external sources
Exploit developers
NIST identifies four major categories of security event indicators: alerts, logs, publicly available information, and people both inside and outside the organization. Exploit developers may provide some information but are not a primary source of security event information.
9- During an nmap scan of a network, Charles receives the following response from nmap:
Starting Nmap 7.80 ( https://nmap.org )
Nmap done: 256 IP addresses (0 hosts up) scanned in 29.74 seconds
What can Charles deduce about the network segment from these results?
- There are no active hosts in the network segment.
- All hosts on the network segment are firewalled.
- The scan was misconfigured.
- Charles cannot determine if there are hosts on the network segment from this scan.
Charles cannot determine if there are hosts on the network segment from this scan.
A host that is not running any services or that has a firewall enabled that prevents responses can be invisible to nmap. Charles cannot determine whether there are hosts on this network segment and may want to use other means such as ARP queries, DHCP logs, and other network layer checks to determine whether there are systems on the network.
10- Oskar is designing a vulnerability management program for his company, a hosted service provider. He would like to check all relevant documents for customer requirements that may affect his scanning. Which one of the following documents is least likely to contain this information?
- BPA
- SLA
- MOU
- BIA
BIA
The business impact assessment (BIA) is an internal document used to identify and assess risks. It is unlikely to contain customer requirements. Service level agreements (SLAs), business partner agreements (BPAs), and memorandums of understanding (MOUs) are much more likely to contain this information.
12- As part of her forensic analysis of a wiped thumb drive, Selah runs Scalpel to carve data from the image she created. After running Scalpel, she sees the following in the audit.log file created by the program. What should Selah do next?
(look up diagram in book)
- Run a data recovery program on the drive to retrieve the files.
- Run Scalpel in filename recovery mode to retrieve the actual filenames and directory structures of the files.
- Review the contents of the scalpelout folder.
- Use the identified filenames to process the file using a full forensic suite.
Review the contents of the scalpelout folder.
You may not be familiar with Scalpel or other programs you encounter on the exam. In many cases, the problem itself will provide clues that can help you narrow down your answer. Here, pay close attention to the command‐line flags, and note the -o flag, a common way to denote an output file. In practice, Scalpel automatically creates directories for each of the file types that it finds. Selah simply needs to visit those directories to review the files that she has recovered. She does not need to use another program. The filenames and directory structures may not be recoverable when carving files.
15- When performing threat‐hunting activities, what are cybersecurity analysts most directly seeking?
- Vulnerabilities
- Indicators of compromise
- Misconfigurations
- Unpatched systems
Indicators of compromise
The defining characteristic of threat hunting is that you are searching out compromises that have already occurred. Therefore, you are looking for indicators of compromise (IoCs). Vulnerabilities, unpatched systems, and misconfigurations are all things that vulnerability management activities, rather than threat‐hunting activities, would seek to identify.
17- While analyzing a packet capture in Wireshark, Chris finds the packet shown here. Which of the following is he unable to determine from this packet?
(look up diagram in book)
- That the username used was gnome
- That the protocol used was FTP
- That the password was gnome123
- That the remote system was 137.30.120.40
That the username used was gnome
FTP sends the username in a separate packet. Chris can determine that this was an FTP connection, that the password was gnome123, and that the FTP server was 137.30.120.40.
20- Which stage of the incident response process includes activities such as adding IPS signatures to detect new attacks?
- Detection and analysis
- Containment, eradication, and recovery
- Postincident activity
- Preparation
Detection and analysis
Adding new signatures (prior to an incident) is part of the preparation phase because it prepares an organization to detect attacks.
22- Pranab is preparing to reuse media that contained data that his organization classifies as having “moderate” value. If he wants to follow NIST SP 800‐88’s guidelines, what should he do to the media if the media will not leave his organization’s control?
- Reformat it
- Clear it
- Purge it
- Destroy it
Clear it
NIST SP 800‐88 recommends clearing media and then validating and documenting that it was cleared. Clearing uses logical techniques to sanitize data in user‐addressable storage locations and protects against noninvasive data recovery techniques. This level of security is appropriate to moderately sensitive data contained on media that will remain in an organization.
26- As part of her duties as a security operations center (SOC) analyst, Emily is tasked with monitoring intrusion detection sensors that cover her employer’s corporate headquarters network. During her shift, Emily’s IDS reports that a network scan has occurred from a system with IP address 10.1.1.19 on the organization’s unauthenticated guest wireless network aimed at systems on an external network. What should Emily’s first step be?
- Report the event to the impacted third parties.
- Report the event to law enforcement.
- Check the system’s MAC address against known assets.
- Check authentication logs to identify the logged‐in user.
Check the system’s MAC address against known assets.
In most organizations, Emily’s first action should be to verify that the system is not one that belongs to the organization by checking it against her organization’s asset inventory. If the system is a compromised system on the wrong network, she or her team will need to address it. In most jurisdictions, there is no requirement to notify third parties or law enforcement of outbound scans, and since the guest wireless is specifically noted as being unauthenticated, there will not be authentication logs to check.
27- Sai works in an environment that is subject to the Payment Card Industry Data Security Standard (PCI DSS). He realizes that technical constraints prevent the organization from meeting a specific PCI DSS requirement and wants to implement a compensating control. Which one of the following statements is not true about proper compensating controls?
- The control must include a clear audit mechanism.
- The control must meet the intent and rigor of the original requirement.
- The control must provide a similar level of defense as the original requirement provides.
- The control must be above and beyond other requirements.
The control must include a clear audit mechanism.
The PCI DSS compensating control procedures do not require that compensating controls have a clearly defined audit mechanism, although this is good security practice. They do require that the control meet the intent and rigor of the original requirement, provide a similar level of defense as the original requirement, and be above and beyond other requirements.
29- Which of the following factors is not typically considered when determining whether evidence should be retained?
- Media life span
- Likelihood of civil litigation
- Organizational retention policies
- Likelihood of criminal prosecution
Media life span
Incident data should be retained as necessary regardless of media life span. Retention is often driven by the likelihood of civil or criminal action, as well as by organizational standards.
32- As part of her postincident recovery process, Alicia creates a separate virtual network as shown here to contain compromised systems she needs to investigate. What containment technique is she using?
(look up diagram)
- Segmentation
- Isolation
- Removal
- Reverse engineering
Segmentation
The firewall rules continue to allow access to the compromised systems, while preventing them from attacking other systems. This is an example of segmentation. Segmentation via VLANs, firewall rules, or other logical methods can help to protect other systems, while allowing continued live analysis.
differences:
- Segmentation: on its own network segment with limited or no connectivity outside of the segment
- Isolation: removed from the internal network and usually from the internet (external) as well
- Removal: complete shutdown
Scalpel
file carving tool
34- The Windows system that Abdul is conducting live forensics on shows a partition map, as shown here. If Abdul believes that a hidden partition was deleted resulting in the unallocated space, which of the following type of tool is best suited to identifying the data found in the unallocated space?
(look up diagram in book)
- File carving
- Wiping
- Partitioning
- Disk duplication
File carving
A file carving tool, such as Scalpel, is designed to identify files in a partition or volume that is missing its index or file allocation table. A wiping tool is used to completely remove data from a disk. Partitioning tools are used to modify the volume structure of a disk. Disk duplication tools are used to create forensic images, among other purposes.
File carving
a forensic analysis technique used to recover files when the original filesystem is no longer intact or available
35- During a postmortem forensic analysis of a Windows system that was shut down after its user saw strange behavior, Pranab concludes that the system he is reviewing was likely infected with a memory‐resident malware package. What is his best means of finding the malware?
- Search for a core dump or hibernation file to analyze.
- Review the INDX files and Windows registry for signs of infection.
- Boot the system and then use a tool like the Volatility Framework to capture live memory.
- Check volume shadow copies for historic information prior to the reboot.
Search for a core dump or hibernation file to analyze.
Pranab’s best option is to look for a hibernation file or core dump that may contain evidence of the memory‐resident malware. Once a system has been shut down, a memory‐resident malware package will be gone until the system is re‐infected, making reviews of the registry, INDX files, and volume shadow copies unlikely to be useful. Since the system was shut down, he won’t get useful memory forensics from a tool like the Volatility Framework unless the machine is re‐infected.
37- Jessie needs to prevent port scans like the scan shown here. Which of the following is a valid method for preventing port scans?
(look up diagram in book)
- Not registering systems in DNS
- Using a firewall to restrict traffic to only ports required for business purposes
- Using a heuristic detection rule on an IPS
- Implementing port security
Using a heuristic detection rule on an IPS
Using an intrusion prevention system (or other device or software with similar capabilities) to block port scans based on behavior is the most effective method listed. Not registering systems in DNS won’t stop IP‐based scans, and port scans will still succeed on the ports that firewalls allow through. Port security is a network switch–based technology designed to limit which systems can use a physical network port.
38- What information can be gathered by observing the distinct default values of the following TCP/IP fields during reconnaissance activities: initial packet size, initial TTL, window size, maximum segment size, and flags?
- The target system’s TCP version.
- The target system’s operating system.
- The target system’s MAC address.
- These fields are useful only for packet analysis.
The target system’s operating system.
Operating system fingerprinting relies on the differences between how each operating system (and sometimes OS versions) handles and sets various TCP/IP fields, including initial packet size, initial TTL, window size, maximum segment size, and the don’t fragment, sackOK, and nop flags.
42- After finishing a forensic case, Lucas needs to wipe the media that he is using to prepare it for the next case. Which of the following methods is best suited to preparing the SSD that he will use?
- Degauss the drive.
- Zero‐write the drive.
- Use a PRNG.
- Use the ATA Secure Erase command.
Use the ATA Secure Erase command.
The ATA Secure Erase command wipes all of an SSD, including host‐protected area partitions and remapped spare blocks. Degaussing is used for magnetic media such as tapes and is not effective on SSDs, whereas zero writing or using a pseudorandom number generator to fill the drive will not overwrite data in the host‐protected area or spare blocks, which are used to wear‐level most SSDs.