Study Guide - Practice Exam 1 Flashcards
9- Kevin is configuring a web‐based SIEM application and would like it to trigger a vulnerability scan of a web server each time a certain event occurs in the SIEM. What technology would he configure on the SIEM to allow this action?
- API
- Webhook
- IPS
- CASB
Webhook
Webhooks allow one application to send a signal to another using a web request when a specific event occurs. The SIEM would be set up with a webhook based upon the event characteristics. That webhook would call the API on the vulnerability scanner (not the SIEM). This scenario does not call for the use of an intrusion prevention system (IPS) or a cloud access security broker (CASB).
Webhook
Webhooks allow you to send a signal from one application to another using a web request. For example, a webhook action in a threat intelligence platform could send a request to a vulnerability scanner’s API each time a new vulnerability is reported, triggering the desired scan.
11- Saanvi is starting his incident response process and has been asked to immediately remediate the compromised web servers that were impacted to allow them to return to production. Why might he need to replace the drives in the systems and keep hashed copies of them?
- To prevent data loss
- Evidence retention
- To ensure proper data remanence prevention
- All of the above
Evidence retention
Retaining evidence may be required in the event of a criminal investigation or civil suit, and Saanvi may need to retain the original drives. He might opt to create copies of the drives for forensic purposes and will need to ensure that proper chain of custody and documentation is done, which may require engaging law enforcement before he takes any action.
Jacob discovers that systems in his datacenter have begun to connect to each other via SSH at regular intervals. Which of the following indicators of potentially malicious activity best matches this type of behavior?
- Beaconing
- Irregular peer‐to‐peer communication
- Scans
- Unusual traffic spikes
Irregular peer‐to‐peer communication
Systems in the same network segment or trust zone connecting to each other in abnormal ways is an example of irregular peer‐to‐peer communication. Servers are likely to connect to each other in known and expected ways, using services like database or HTTPS connections if they’re part of an established service architecture. Beaconing traffic typically leaves datacenters destined for command‐and‐control hosts. A single protocol like SSH at regular intervals is atypical for a scan or sweep, and the traffic is not described as a spike or high usage.
15- Kayla wants to check configuration information about a Windows system. Where does Windows store configuration information about the operating system like security settings?
- The user directory
- The system directory
- The Registry
- The Windows NT directory
The Registry
Windows stores information about things like security settings in the Windows Registry.
17- Jacinda wants to use data from her firewalls, EDR, and other security tools to help detect a potential incident. What type of information should she feed to her central security log and event management tools to help identify new attacks with known patterns?
- LFIs and RFIs
- OWASP feeds
- Kill chain models
- IoCs
IoCs
Indicator of compromise (IoC) feeds can be used to allow security monitoring systems to correlate log and other security information and to check it against known attack patterns and techniques. Jacinda can use this to identify newly identified attacks. LFIs and RFIs are local and remote file inclusions in the context of the CySA exam. OWASP does not provide threat data feeds, and the Cyber Kill Chain is an attack model.
LFI
local file inclusion
RFI
remote file inclusion
20- Which of the following is not typically involved in the initial phases of a CSIRT activation?
- Technical staff
- CSIRT leader
- Law enforcement
- First responder
Law enforcement
For most organizations, CSIRT activities initially involve internal resources. Law enforcement is involved only when it is believed that a crime has been committed, requiring participation of law enforcement officers.
22- Bob is evaluating the risk to his organization from advanced persistent threat (APT) attackers. He assesses the likelihood of this risk occurring to be medium and the impact high. How would this risk be categorized under most organizations’ risk evaluation matrices?
- Low risk
- Moderate risk
- Semi‐moderate risk
- High risk
High risk
Under the risk management matrix used by most organizations, a risk with a medium likelihood and high impact would be considered a high risk.
26- Gavin is responding to a security incident. He has taken actions to limit the amount of damage caused by the attack and is now moving on to remove malware installed by attackers on the network. What phase of the incident response process is Gavin beginning?
- Containment
- Recovery
- Post‐Incident Activities
- Eradication
Eradication
The primary purpose of eradication is to remove any of the artifacts of the incident that may remain on the organization’s network. This may include the removal of any malicious code from the network, the sanitization of compromised media, and the securing of compromised user accounts.
30- Jim has been provided with a CVE number for a vulnerability. What does the CVE tell him?
- It tells him the severity of the risk.
- It allows him to look up the risk.
- It tells him how many hosts are affected.
- It allows him to provide a compliance report.
It allows him to look up the risk.
Common Vulnerabilities and Exposures (CVE) numbers are used to identify vulnerabilities and will allow Jim to look up and reference the vulnerability across vendor‐provided databases and other sources of information. The CVE number does not provide information about the vulnerability itself like severity, number of affected hosts, or compliance information.
31- Which of the following is not a reason to avoid imaging live systems?
- The drive may be modified by the forensic tool.
- The drive contents may change during the imaging process.
- Unallocated space will not be included.
- Capturing memory contents is more difficult.
Capturing memory contents is more difficult.
There are many reasons to avoid imaging live machines if it is not absolutely necessary, but one advantage of imaging a live machine is the ability to directly capture the contents of memory. Risks of capturing images from live machines include inadvertent modification of the systems, changes that may occur on the machine during imaging, the potential for malware to attack the imaging system or to detect and avoid it, and the fact that most live images don’t capture unallocated space.
33- Brian is a new hire to his company as a threat hunter and he is beginning by developing scenarios of potential attacks. What threat hunting activity is Brian performing?
- Reducing the attack surface area
- Establishing the hypothesis
- Profiling threat actors
- Gathering evidence
Establishing the hypothesis
Brian is developing potential scenarios that might result in a successful attack. This is an example of establishing a threat‐hunting hypothesis. Next, Brian should look for evidence of such an attack in an attempt to confirm or refute his hypothesis.
34- Rodney’s company wants to prevent phishing attacks from resulting in account compromise. Which of the following solutions will provide the most effective solution?
- Implement context‐aware authentication.
- Use enhanced password requirements.
- Add token‐based authentication.
- Set a shorter password lifespan.
Add token‐based authentication.
Multifactor authentication like token‐based authentication can help prevent phishing attacks that result in stolen credentials from resulting in attackers accessing systems. As long as attackers do not also acquire the token (often an app on a smartphone or a physical device kept in the user’s pocket), the attacker will not have all the factors they need to authenticate. Context‐aware authentication might help if attackers log in from places that legitimate users don’t, but enhanced password requirements and shorter password lifespans have a relatively small impact, if any.
35- The group of developers that Cynthia is part of tests each software component or function before integrating it into larger software modules. What is this process called?
- Code segmentation
- Unit testing
- UAT
- Fagan inspection
Unit testing
Unit testing tests the smallest testable parts of an application or program, ensuring that each component works properly before they are put together. UAT is user acceptance testing, Fagan inspection is a form of formal code review, and code segmentation is not a term used in software engineering or development.
37- Howard is analyzing the logs from his firewall and sees that the same IP address attempted blocked connections to the same server many different times. What is the most likely explanation for this activity?
- Denial‐of‐service (DoS) attack
- Port scan
- SQL injection
- Cross‐site scripting
Port scan
This is most likely a port scan being used to conduct reconnaissance and determine what ports are open on the server. A DoS attack would more likely use requests to a service allowed through the firewall. SQL injection and cross‐site scripting would be successful only against a web server that was allowed to receive connections through the firewall.
39- Angela wants to search for rogue devices on her network. Which of the following techniques will best help her identify systems if she has a complete hardware and systems inventory?
- MAC address vendor checking
- Site surveys
- Traffic analysis for unexpected behavior
- MAC address verification
MAC address verification
Since Angela already knows the MAC addresses of all the devices due to her systems inventory, she can simply search for associated MAC addresses that do not match the list.
40- What type of control can be put in place and documented if an existing security measure is too difficult to implement or does not fully meet security requirements?
- Cost limiting
- Administrative
- Compensating
- Break‐fix
Compensating
When existing controls are insufficient, do not resolve the issue, or are too difficult to implement, a compensating control is often put in place. It is important to document compensating controls, because they differ from the expected or typical control that would normally be in place.
42- Tom would like to use nmap to perform service fingerprinting and wants to request banner information from scanned services. What flag should he use?
- -oG
- -sS
- -b
- -sV
-sV
The -sV flag reports banner and version information. The -oG flag generates greppable output. The -sS flag requests a TCP SYN scan. The -b flag is used to detect servers supporting FTP bounce.
44- Insecure, Inc. has experienced multiple data breaches over the past 6 months and has recently hired Cynthia as an information security officer. Cynthia’s first task is to review Insecure, Inc.’s defenses with the goal of identifying appropriate defenses to put in place.
Cynthia knows that her new employers had two major breaches. Breach A occurred when an employee took home a USB external drive with sensitive customer information as well as corporate planning data for the following year. The employee left the drive in their car, and the car was broken into overnight. In the morning, the drive was gone. Insecure, Inc. is uncertain about the fate of the drive and is concerned that customer data as well as their top‐secret plans to best their competitors may have been exposed.
Breach B was caused when Insecure, Inc.’s new web application was attacked by unknown attackers who used a SQL injection attack to insert new data into their e‐commerce application. Insecure, Inc.’s website was quickly deluged with deal seekers, who put in hundreds of orders for Insecure’s newly inexpensive products—the attackers had managed to change the price for almost every product they sold. Insecure, Inc. managed to cancel most of the orders before they shipped, but they have had to deal with angry customers since the event.
Using this information, your task is to help Cynthia recommend the best defensive strategy for the following question.
If Cynthia wants to address the human side of the issues she has discovered, what solution would best help prevent future issues?
- Policy and awareness training
- Dual control and cross training
- Cross training and an awareness program
- Implementing a continuous improvement program
Policy and awareness training
It can be easy to forget how important policies and the standards and practices that derive from them are, but policies make up the foundation of an organization’s security practices. When combined with awareness training, it is far more likely that the employees that Cynthia works with will avoid bad practices like taking unencrypted drives home or neglecting to use web application security development best practices.
PRNG
Pseudo Random Number Generator
48- What requirement of shared authentication is a key differentiator from SSO?
- It requires authentication for each site.
- It uses the same authentication key for each site.
- Shared authentication provides end‐to‐end encryption.
- The shared authentication standard is an open standard.
It requires authentication for each site.
The key difference between a shared authentication model and a single sign‐on (SSO) model is that shared authentication systems require users to enter credentials when authenticating to each site. Single sign‐on only requires a single sign‐on—exactly as the name says!
49- NIST’s data impact rating scale describes what category of data impact as “Sensitive personally identifiable information (PII) of taxpayers, employees, beneficiaries, etc. was accessed or exfiltrated”?
- Confidentiality breach
- Privacy breach
- Proprietary breach
- Integrity loss
Privacy breach
In NIST’s information impact categories classification scheme, this is a privacy breach, involving personally identifiable information. NIST defines four ratings: none, privacy breaches, proprietary information breaches, and integrity loss. Proprietary information breaches involve unclassified proprietary information, such as protected critical infrastructure information. Integrity losses occur when sensitive or proprietary information is changed or deleted. NIST does not use the broad term confidentiality breaches, instead preferring more specific definitions.