You have already completed the Test before. Hence you can not start it again.
Test is loading...
You must sign in or sign up to start the Test.
You have to finish following quiz, to start this Test:
Your results are here!! for" CompTIA CySA+ (CS0-002) Practice Test 4 "
0 of 60 questions answered correctly
Your time:
Time has elapsed
Your Final Score is : 0
You have attempted : 0
Number of Correct Questions : 0 and scored 0
Number of Incorrect Questions : 0 and Negative marks 0
Average score
Your score
CompTIA CySA+ (CS0-002)
You have attempted: 0
Number of Correct Questions: 0 and scored 0
Number of Incorrect Questions: 0 and Negative marks 0
You can review your answers by clicking view questions. Important Note : Open Reference Documentation Links in New Tab (Right Click and Open in New Tab).
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Answered
Review
Question 1 of 60
1. Question
Which of the following would be part of an active defense strategy? (SELECT THREE)
Correct
OBJ-2.1: Active defense refers to controls that perform a counterattack. Active defense means an engagement with the adversary, but this can be interpreted in several different ways. Laying traps such as decoy assets or deploying honeypots would be classified as an active defense. Another active defense technique is to implement fictitious DNS entries that can also be used to delay or slow down an adversary’s enumeration of your network. Blocking the adversary’s C2 infrastructure and the deletion of adversary malware are considered a part of normal incident response actions. Installing a new IDS signature would be considered vulnerability management and not an active defense.
Incorrect
OBJ-2.1: Active defense refers to controls that perform a counterattack. Active defense means an engagement with the adversary, but this can be interpreted in several different ways. Laying traps such as decoy assets or deploying honeypots would be classified as an active defense. Another active defense technique is to implement fictitious DNS entries that can also be used to delay or slow down an adversary’s enumeration of your network. Blocking the adversary’s C2 infrastructure and the deletion of adversary malware are considered a part of normal incident response actions. Installing a new IDS signature would be considered vulnerability management and not an active defense.
Unattempted
OBJ-2.1: Active defense refers to controls that perform a counterattack. Active defense means an engagement with the adversary, but this can be interpreted in several different ways. Laying traps such as decoy assets or deploying honeypots would be classified as an active defense. Another active defense technique is to implement fictitious DNS entries that can also be used to delay or slow down an adversary’s enumeration of your network. Blocking the adversary’s C2 infrastructure and the deletion of adversary malware are considered a part of normal incident response actions. Installing a new IDS signature would be considered vulnerability management and not an active defense.
Question 2 of 60
2. Question
What SCAP component provides a list of entries that contains an identification number, a description, and a public reference for each publicly known weakness in a piece of software?
Correct
OBJ-3.4: The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. XCCDF (extensible configuration checklist description format) is a language that is used in creating checklists for reporting results. The Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise’s computing assets.
Incorrect
OBJ-3.4: The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. XCCDF (extensible configuration checklist description format) is a language that is used in creating checklists for reporting results. The Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise’s computing assets.
Unattempted
OBJ-3.4: The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. XCCDF (extensible configuration checklist description format) is a language that is used in creating checklists for reporting results. The Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise’s computing assets.
Question 3 of 60
3. Question
An organization wants to get an external attacker’s perspective on their security status. Which of the following services should they purchase?
Correct
OBJ-5.2: Penetration tests provide an organization with an external attacker’s perspective on their security status. The NIST process for penetration testing divides tests into four phases: planning, discovery, attack, and reporting. The penetration test results are valuable security planning tools, as they describe the actual vulnerabilities that an attacker might exploit to gain access to a network. A vulnerability scan provides an assessment of your security posture from an internal perspective. Asset management refers to a systematic approach to the governance and realization of value from the things that a group or entity is responsible for over their whole life cycles. It may apply both to tangible assets and intangible assets. Patch management is the process that helps acquire, test, and install multiple patches (code changes) on existing applications and software tools on a computer, enabling systems to stay updated on existing patches and determining which patches are the appropriate ones.
Incorrect
OBJ-5.2: Penetration tests provide an organization with an external attacker’s perspective on their security status. The NIST process for penetration testing divides tests into four phases: planning, discovery, attack, and reporting. The penetration test results are valuable security planning tools, as they describe the actual vulnerabilities that an attacker might exploit to gain access to a network. A vulnerability scan provides an assessment of your security posture from an internal perspective. Asset management refers to a systematic approach to the governance and realization of value from the things that a group or entity is responsible for over their whole life cycles. It may apply both to tangible assets and intangible assets. Patch management is the process that helps acquire, test, and install multiple patches (code changes) on existing applications and software tools on a computer, enabling systems to stay updated on existing patches and determining which patches are the appropriate ones.
Unattempted
OBJ-5.2: Penetration tests provide an organization with an external attacker’s perspective on their security status. The NIST process for penetration testing divides tests into four phases: planning, discovery, attack, and reporting. The penetration test results are valuable security planning tools, as they describe the actual vulnerabilities that an attacker might exploit to gain access to a network. A vulnerability scan provides an assessment of your security posture from an internal perspective. Asset management refers to a systematic approach to the governance and realization of value from the things that a group or entity is responsible for over their whole life cycles. It may apply both to tangible assets and intangible assets. Patch management is the process that helps acquire, test, and install multiple patches (code changes) on existing applications and software tools on a computer, enabling systems to stay updated on existing patches and determining which patches are the appropriate ones.
Question 4 of 60
4. Question
You were conducting a forensic analysis of an iPad backup and discovered that only some of the information is within the backup file. Which of the following best explains why some of the data is missing?
Correct
OBJ-4.4: iPhone/iPad backups can be created as full or differential backups. In this scenario, the backup being analyzed is likely a differential backup containing the information that has changed since the last full backup. If the backup were encrypted, you would be unable to read any of the contents. If the backup were interrupted, the backup file would be in an unusable state. If the backup were stored in iCloud, you would need access to their iCloud account to retrieve and access the file. Normally, during an investigation, you will not have access to the user’s iCloud account.
Incorrect
OBJ-4.4: iPhone/iPad backups can be created as full or differential backups. In this scenario, the backup being analyzed is likely a differential backup containing the information that has changed since the last full backup. If the backup were encrypted, you would be unable to read any of the contents. If the backup were interrupted, the backup file would be in an unusable state. If the backup were stored in iCloud, you would need access to their iCloud account to retrieve and access the file. Normally, during an investigation, you will not have access to the user’s iCloud account.
Unattempted
OBJ-4.4: iPhone/iPad backups can be created as full or differential backups. In this scenario, the backup being analyzed is likely a differential backup containing the information that has changed since the last full backup. If the backup were encrypted, you would be unable to read any of the contents. If the backup were interrupted, the backup file would be in an unusable state. If the backup were stored in iCloud, you would need access to their iCloud account to retrieve and access the file. Normally, during an investigation, you will not have access to the user’s iCloud account.
Question 5 of 60
5. Question
Which of the following is the biggest advantage of using Agile software development?
Correct
OBJ-2.2: Agile development can react quickly to changing customer requirements since it allows all phases of software development to run in parallel instead of a linear or sequenced approach. Waterfall development, not agile development, is a structured and phase-oriented model. A frequent criticism is that the agile model can allow developers to lose focus on the project’s overall objective. Agile models do not necessarily produce better, more secure, or more efficient code than other methods.
Incorrect
OBJ-2.2: Agile development can react quickly to changing customer requirements since it allows all phases of software development to run in parallel instead of a linear or sequenced approach. Waterfall development, not agile development, is a structured and phase-oriented model. A frequent criticism is that the agile model can allow developers to lose focus on the project’s overall objective. Agile models do not necessarily produce better, more secure, or more efficient code than other methods.
Unattempted
OBJ-2.2: Agile development can react quickly to changing customer requirements since it allows all phases of software development to run in parallel instead of a linear or sequenced approach. Waterfall development, not agile development, is a structured and phase-oriented model. A frequent criticism is that the agile model can allow developers to lose focus on the project’s overall objective. Agile models do not necessarily produce better, more secure, or more efficient code than other methods.
Question 6 of 60
6. Question
An organization wants to choose an authentication protocol that can be used over an insecure network without implementing additional encryption services. Which of the following protocols should they choose?
Correct
OBJ-3.2: The Kerberos protocol is designed to send data over insecure networks while using strong encryption to protect the information. RADIUS, TACACS, and TACACS+ are all protocols that contain known vulnerabilities that would require additional encryption to secure them during the authentication process.
Incorrect
OBJ-3.2: The Kerberos protocol is designed to send data over insecure networks while using strong encryption to protect the information. RADIUS, TACACS, and TACACS+ are all protocols that contain known vulnerabilities that would require additional encryption to secure them during the authentication process.
Unattempted
OBJ-3.2: The Kerberos protocol is designed to send data over insecure networks while using strong encryption to protect the information. RADIUS, TACACS, and TACACS+ are all protocols that contain known vulnerabilities that would require additional encryption to secure them during the authentication process.
Question 7 of 60
7. Question
Which of the following is NOT considered a phase in the incident response cycle?
Correct
OBJ-4.2: There are four phases to the incident response cycle: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity. While you will conduct some notifications and communication during your incident response, that term is not one of the four defined phases.
Incorrect
OBJ-4.2: There are four phases to the incident response cycle: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity. While you will conduct some notifications and communication during your incident response, that term is not one of the four defined phases.
Unattempted
OBJ-4.2: There are four phases to the incident response cycle: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity. While you will conduct some notifications and communication during your incident response, that term is not one of the four defined phases.
Question 8 of 60
8. Question
A vulnerability scanner has reported that a vulnerability exists in the system. Upon validating the report, the analyst determines that this reported vulnerability does not exist on the system. What is the proper term for this situation?
Correct
OBJ-1.3: A false positive occurs when a scanner detects a vulnerability, but the vulnerability does not actually exist on the scanned system. A true positive occurs when a scanner detects a vulnerability, and the vulnerability exists on the scanned system. A true negative occurs when a scanner does not detect a vulnerability because the vulnerability does not exist on the scanned system. A false negative occurs when a scanner does not detect a vulnerability, but the vulnerability actually exists on the scanned system.
Incorrect
OBJ-1.3: A false positive occurs when a scanner detects a vulnerability, but the vulnerability does not actually exist on the scanned system. A true positive occurs when a scanner detects a vulnerability, and the vulnerability exists on the scanned system. A true negative occurs when a scanner does not detect a vulnerability because the vulnerability does not exist on the scanned system. A false negative occurs when a scanner does not detect a vulnerability, but the vulnerability actually exists on the scanned system.
Unattempted
OBJ-1.3: A false positive occurs when a scanner detects a vulnerability, but the vulnerability does not actually exist on the scanned system. A true positive occurs when a scanner detects a vulnerability, and the vulnerability exists on the scanned system. A true negative occurs when a scanner does not detect a vulnerability because the vulnerability does not exist on the scanned system. A false negative occurs when a scanner does not detect a vulnerability, but the vulnerability actually exists on the scanned system.
Question 9 of 60
9. Question
Your organization’s primary operating system vendor just released a critical patch for your servers. Your system administrators have recently deployed this patch and verified the installation was successful. This critical patch was designed to remediate a vulnerability that can allow a malicious actor to execute code on the server over the Internet remotely. You ran a vulnerability scan of the network and determined that all servers are still being reported as having the vulnerability. You verified all your scan configurations are correct. Which of the following might be the reason that the scan report still showing the servers as vulnerable? (SELECT ALL THAT APPLY)
Correct
OBJ-1.4: There are two reasonable choices presented: (1) the vulnerability assessment scan is returning a false positive, or (2) this critical patch did not remediate the vulnerability. It is impossible to know which is based on the description in the question. If the patch was installed successfully, as the question states, then it is possible that the critical patch was coded incorrectly and did not actually remediate the vulnerability. While most operating system vendors test their patches before release to prevent this, they are sometimes rushed into production with extremely critical patches. The patch does not actually remediate the vulnerability on all systems. When this occurs, the vendor will issue a subsequent patch to fix it and supersede the original patch. The other option is that the vulnerability assessment tool is incorrectly configured and is returning a false positive. This can occur when the signature used to detect the vulnerability is too specific or too generic to actually detect whether the system was patched for the vulnerability or not. The other options are incorrect, as you do not have to wait a certain period of time after installation before scanning. It is assumed that you are scanning the same IP range both times as you have verified your scan configuration.
Incorrect
OBJ-1.4: There are two reasonable choices presented: (1) the vulnerability assessment scan is returning a false positive, or (2) this critical patch did not remediate the vulnerability. It is impossible to know which is based on the description in the question. If the patch was installed successfully, as the question states, then it is possible that the critical patch was coded incorrectly and did not actually remediate the vulnerability. While most operating system vendors test their patches before release to prevent this, they are sometimes rushed into production with extremely critical patches. The patch does not actually remediate the vulnerability on all systems. When this occurs, the vendor will issue a subsequent patch to fix it and supersede the original patch. The other option is that the vulnerability assessment tool is incorrectly configured and is returning a false positive. This can occur when the signature used to detect the vulnerability is too specific or too generic to actually detect whether the system was patched for the vulnerability or not. The other options are incorrect, as you do not have to wait a certain period of time after installation before scanning. It is assumed that you are scanning the same IP range both times as you have verified your scan configuration.
Unattempted
OBJ-1.4: There are two reasonable choices presented: (1) the vulnerability assessment scan is returning a false positive, or (2) this critical patch did not remediate the vulnerability. It is impossible to know which is based on the description in the question. If the patch was installed successfully, as the question states, then it is possible that the critical patch was coded incorrectly and did not actually remediate the vulnerability. While most operating system vendors test their patches before release to prevent this, they are sometimes rushed into production with extremely critical patches. The patch does not actually remediate the vulnerability on all systems. When this occurs, the vendor will issue a subsequent patch to fix it and supersede the original patch. The other option is that the vulnerability assessment tool is incorrectly configured and is returning a false positive. This can occur when the signature used to detect the vulnerability is too specific or too generic to actually detect whether the system was patched for the vulnerability or not. The other options are incorrect, as you do not have to wait a certain period of time after installation before scanning. It is assumed that you are scanning the same IP range both times as you have verified your scan configuration.
Question 10 of 60
10. Question
Consider the following file called firewall.log that contains 53,682 lines that logged every connection going into and out of this network. The log file is in the following data format, as shown below with the first two lines of the log file:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
DATE,FACILITY,CHAIN,IN,SRC,DST,LEN,TOS,PREC,TTL,ID,PROTO,SPT,DPT
Jan 11 05:33:59,lx1 kernel: iptables,INPUT,eth0,10.1.0.102,10.1.0.1,52,0×00,0x00,128,2242,TCP,2564,23
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following commands would display all of the lines from the firewall.log file that contain the destination IP address of 10.1.0.10 and a destination port of 23?
Correct
OBJ-3.1: The easiest way to do this is with a grep command. In Linux, you can chain together commands by piping data from one command’s output to serve as the input to another command. In this scenario, you can use grep to find all the lines with the IP address first. Then, you can use the second grep command to find all the lines using port 23. The result is a smaller, filtered list of events to analyze. When using the dot in the IP addresses, you must remember to escape this character. Otherwise, grep treats it as a special character in a regular expression treated as any character (except a line break). Adding the \ before the dot (\.), grep treats it simply as a dot or period. You must also escape the comma for it to be processed properly. The $ after the port number is used to indicate that the number should only be counted as a match if it is at the end of the line. This ensures that we only return the destination ports (DPT) matching 23 and not the source port (SPT).
Incorrect
OBJ-3.1: The easiest way to do this is with a grep command. In Linux, you can chain together commands by piping data from one command’s output to serve as the input to another command. In this scenario, you can use grep to find all the lines with the IP address first. Then, you can use the second grep command to find all the lines using port 23. The result is a smaller, filtered list of events to analyze. When using the dot in the IP addresses, you must remember to escape this character. Otherwise, grep treats it as a special character in a regular expression treated as any character (except a line break). Adding the \ before the dot (\.), grep treats it simply as a dot or period. You must also escape the comma for it to be processed properly. The $ after the port number is used to indicate that the number should only be counted as a match if it is at the end of the line. This ensures that we only return the destination ports (DPT) matching 23 and not the source port (SPT).
Unattempted
OBJ-3.1: The easiest way to do this is with a grep command. In Linux, you can chain together commands by piping data from one command’s output to serve as the input to another command. In this scenario, you can use grep to find all the lines with the IP address first. Then, you can use the second grep command to find all the lines using port 23. The result is a smaller, filtered list of events to analyze. When using the dot in the IP addresses, you must remember to escape this character. Otherwise, grep treats it as a special character in a regular expression treated as any character (except a line break). Adding the \ before the dot (\.), grep treats it simply as a dot or period. You must also escape the comma for it to be processed properly. The $ after the port number is used to indicate that the number should only be counted as a match if it is at the end of the line. This ensures that we only return the destination ports (DPT) matching 23 and not the source port (SPT).
Question 11 of 60
11. Question
You are attempting to run a packet capture on a Linux workstation using the tcpdump command. Which of the following would allow you to conduct the packet capture and write the output to a file for later analysis?
Correct
OBJ-3.2: The tcpdump command is a command-line packet capture utility for Linux. The tcpdump command uses the -w option to write the capture output results to a file. A .pcap extension normally identifies packet capture files. The tcpdump command uses the -r option to read the contents of a packet capture file. The tcpdump command uses the -n option to show network address information in numeric format (does not resolve hostnames). The tcpdump command uses the -e option to include the data link (Ethernet) header when performing a packet capture.
Incorrect
OBJ-3.2: The tcpdump command is a command-line packet capture utility for Linux. The tcpdump command uses the -w option to write the capture output results to a file. A .pcap extension normally identifies packet capture files. The tcpdump command uses the -r option to read the contents of a packet capture file. The tcpdump command uses the -n option to show network address information in numeric format (does not resolve hostnames). The tcpdump command uses the -e option to include the data link (Ethernet) header when performing a packet capture.
Unattempted
OBJ-3.2: The tcpdump command is a command-line packet capture utility for Linux. The tcpdump command uses the -w option to write the capture output results to a file. A .pcap extension normally identifies packet capture files. The tcpdump command uses the -r option to read the contents of a packet capture file. The tcpdump command uses the -n option to show network address information in numeric format (does not resolve hostnames). The tcpdump command uses the -e option to include the data link (Ethernet) header when performing a packet capture.
Question 12 of 60
12. Question
As part of the reconnaissance stage of a penetration test, Kumar wants to retrieve information about an organization’s network infrastructure without causing an IPS alert. Which of the following is his best course of action?
Correct
OBJ-3.1: The best course of action is to perform a DNS brute-force attack. The DNS brute-force attack queries a list of IPs and typically bypasses IDS/IPS systems that do not alert on DNS queries. A ping sweep or a stealth scan can be easily detected by the IPS, depending on the signatures and settings being used. A DNS zone transfer is also something that often has a signature search for it and will be alerted upon since it is a common attack technique.
Incorrect
OBJ-3.1: The best course of action is to perform a DNS brute-force attack. The DNS brute-force attack queries a list of IPs and typically bypasses IDS/IPS systems that do not alert on DNS queries. A ping sweep or a stealth scan can be easily detected by the IPS, depending on the signatures and settings being used. A DNS zone transfer is also something that often has a signature search for it and will be alerted upon since it is a common attack technique.
Unattempted
OBJ-3.1: The best course of action is to perform a DNS brute-force attack. The DNS brute-force attack queries a list of IPs and typically bypasses IDS/IPS systems that do not alert on DNS queries. A ping sweep or a stealth scan can be easily detected by the IPS, depending on the signatures and settings being used. A DNS zone transfer is also something that often has a signature search for it and will be alerted upon since it is a common attack technique.
Question 13 of 60
13. Question
Jeff has been contacted by an external security company and told that they had found a copy of his company’s proprietary source code on GitHub. Upon further investigation, Jeff has determined that his organization owns the repository where the source code is located. Which of the following mitigations should Jeff apply immediately?
Correct
OBJ-1.6: Jeff should immediately change the repository from public to private to prevent further exposure of the source code. Deleting the repository would also fix the issue but could compromise the company’s ongoing business operations. Reevaluation of the company’s information management policies should be done, but this is not as time-critical as changing the repository’s public/private setting. Once the repository is configured to be private, then Jeff should investigate any possible compromises that may have occurred and reevaluate their policies.
Incorrect
OBJ-1.6: Jeff should immediately change the repository from public to private to prevent further exposure of the source code. Deleting the repository would also fix the issue but could compromise the company’s ongoing business operations. Reevaluation of the company’s information management policies should be done, but this is not as time-critical as changing the repository’s public/private setting. Once the repository is configured to be private, then Jeff should investigate any possible compromises that may have occurred and reevaluate their policies.
Unattempted
OBJ-1.6: Jeff should immediately change the repository from public to private to prevent further exposure of the source code. Deleting the repository would also fix the issue but could compromise the company’s ongoing business operations. Reevaluation of the company’s information management policies should be done, but this is not as time-critical as changing the repository’s public/private setting. Once the repository is configured to be private, then Jeff should investigate any possible compromises that may have occurred and reevaluate their policies.
Question 14 of 60
14. Question
You have been given access to a Windows system located on an Active Directory domain as part of a white box penetration test. Which of the following commands would provide information about other systems on this network?
Correct
OBJ-3.3: The net use command will list network shares that the workstation is using. This will help to identify file servers and print servers on the network. The net group command can only be used on domain controllers. The net config command will allow servers and workstations services to be controlled once they have already been identified. The net user command would show any user accounts on the local Windows workstation you are using.
Incorrect
OBJ-3.3: The net use command will list network shares that the workstation is using. This will help to identify file servers and print servers on the network. The net group command can only be used on domain controllers. The net config command will allow servers and workstations services to be controlled once they have already been identified. The net user command would show any user accounts on the local Windows workstation you are using.
Unattempted
OBJ-3.3: The net use command will list network shares that the workstation is using. This will help to identify file servers and print servers on the network. The net group command can only be used on domain controllers. The net config command will allow servers and workstations services to be controlled once they have already been identified. The net user command would show any user accounts on the local Windows workstation you are using.
Question 15 of 60
15. Question
Which of the following actions should you perform during the post-incident activities of an incident response?
Correct
OBJ-4.2: Most of these options are partially true, but only the evidence retention option is entirely accurate. If there is a legal or regulatory impact, evidence of the incident must be preserved for at least the timescale defined by the regulations. This can be a period of many years. If a civil or criminal prosecution of the incident perpetrators is expected, the evidence must be collected and stored using forensics procedures. The sanitizing of storage devices should not be performed to prevent liability but instead to prepare your evidence collection jump bag or kit for the next incident response. This should only be done once the evidence (dd images) have been transferred to a secure storage device following the evidence retention requirements. The incident summary report is generally used to provide recommendations to a wider, non-technical audience. Therefore, it should not be written in an in-depth technical manner. The lessons learned report should be widely shared across all incident response teams and the company’s technical organization. If the lessons learned report is kept confidential and not shared, then the lessons are collected on paper and not actually becoming lessons learned by others to prevent future incidents.
Incorrect
OBJ-4.2: Most of these options are partially true, but only the evidence retention option is entirely accurate. If there is a legal or regulatory impact, evidence of the incident must be preserved for at least the timescale defined by the regulations. This can be a period of many years. If a civil or criminal prosecution of the incident perpetrators is expected, the evidence must be collected and stored using forensics procedures. The sanitizing of storage devices should not be performed to prevent liability but instead to prepare your evidence collection jump bag or kit for the next incident response. This should only be done once the evidence (dd images) have been transferred to a secure storage device following the evidence retention requirements. The incident summary report is generally used to provide recommendations to a wider, non-technical audience. Therefore, it should not be written in an in-depth technical manner. The lessons learned report should be widely shared across all incident response teams and the company’s technical organization. If the lessons learned report is kept confidential and not shared, then the lessons are collected on paper and not actually becoming lessons learned by others to prevent future incidents.
Unattempted
OBJ-4.2: Most of these options are partially true, but only the evidence retention option is entirely accurate. If there is a legal or regulatory impact, evidence of the incident must be preserved for at least the timescale defined by the regulations. This can be a period of many years. If a civil or criminal prosecution of the incident perpetrators is expected, the evidence must be collected and stored using forensics procedures. The sanitizing of storage devices should not be performed to prevent liability but instead to prepare your evidence collection jump bag or kit for the next incident response. This should only be done once the evidence (dd images) have been transferred to a secure storage device following the evidence retention requirements. The incident summary report is generally used to provide recommendations to a wider, non-technical audience. Therefore, it should not be written in an in-depth technical manner. The lessons learned report should be widely shared across all incident response teams and the company’s technical organization. If the lessons learned report is kept confidential and not shared, then the lessons are collected on paper and not actually becoming lessons learned by others to prevent future incidents.
Question 16 of 60
16. Question
Which protective feature is used to prevent a buffer overflow attack from specific applications by randomizing where a program’s components are run from in memory?
Correct
OBJ-2.1: ASLR randomizes where components of a running process (such as the base executable, APIs, and the heap) are placed in memory, which makes it more difficult to conduct a buffer overflow at specific points in the address space. The Windows Data Execution Prevention (DEP) feature protects processes against exploits that try to execute code from a writable memory area (stack/heap). Windows DEP prevents code from being run from a non-executable memory region. Data loss prevention (DLP) software detects potential data breaches/data ex-filtration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest. A dynamic link library (DLL) is a library that contains code and data that can be used by more than one program at the same time.
Incorrect
OBJ-2.1: ASLR randomizes where components of a running process (such as the base executable, APIs, and the heap) are placed in memory, which makes it more difficult to conduct a buffer overflow at specific points in the address space. The Windows Data Execution Prevention (DEP) feature protects processes against exploits that try to execute code from a writable memory area (stack/heap). Windows DEP prevents code from being run from a non-executable memory region. Data loss prevention (DLP) software detects potential data breaches/data ex-filtration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest. A dynamic link library (DLL) is a library that contains code and data that can be used by more than one program at the same time.
Unattempted
OBJ-2.1: ASLR randomizes where components of a running process (such as the base executable, APIs, and the heap) are placed in memory, which makes it more difficult to conduct a buffer overflow at specific points in the address space. The Windows Data Execution Prevention (DEP) feature protects processes against exploits that try to execute code from a writable memory area (stack/heap). Windows DEP prevents code from being run from a non-executable memory region. Data loss prevention (DLP) software detects potential data breaches/data ex-filtration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest. A dynamic link library (DLL) is a library that contains code and data that can be used by more than one program at the same time.
Question 17 of 60
17. Question
You have been asked to recommend a capability to monitor all of the traffic entering and leaving the corporate network’s default gateway. Additionally, the company’s CIO requests to block certain content types before it leaves the network based on operational priorities. Which of the following solution should you recommend to meet these requirements?
Correct
OBJ-2.1: Due to the requirements provided, you should install a NIPS on the gateway router’s internal interface and a firewall on the external interface of the gateway router. The firewall on the external interface will allow the bulk of the malicious inbound traffic to be filtered before reaching the network. Then, the NIPS can be used to inspect the traffic entering the network and provide protection for the network using signature-based or behavior-based analysis. A NIPS is less powerful than a firewall and could easily “fail open” if it is overcome with traffic by being placed on the external interface. The NIPS installed on the internal interface would also allow various content types to be quickly blocked using custom signatures developed by the security team. We wouldn’t want to place the NIPS on the external interface in the correct choice for the same reasons. We also wouldn’t choose to install a NIPS on both the internal and external connections. IP filtering on both interfaces of the router will not provide the ability to monitor the traffic or to block traffic based on content type. Finally, we would not want to rely on a NIDS on the external interface alone since it can only monitor and not provide the content blocking capabilities needed.
Incorrect
OBJ-2.1: Due to the requirements provided, you should install a NIPS on the gateway router’s internal interface and a firewall on the external interface of the gateway router. The firewall on the external interface will allow the bulk of the malicious inbound traffic to be filtered before reaching the network. Then, the NIPS can be used to inspect the traffic entering the network and provide protection for the network using signature-based or behavior-based analysis. A NIPS is less powerful than a firewall and could easily “fail open” if it is overcome with traffic by being placed on the external interface. The NIPS installed on the internal interface would also allow various content types to be quickly blocked using custom signatures developed by the security team. We wouldn’t want to place the NIPS on the external interface in the correct choice for the same reasons. We also wouldn’t choose to install a NIPS on both the internal and external connections. IP filtering on both interfaces of the router will not provide the ability to monitor the traffic or to block traffic based on content type. Finally, we would not want to rely on a NIDS on the external interface alone since it can only monitor and not provide the content blocking capabilities needed.
Unattempted
OBJ-2.1: Due to the requirements provided, you should install a NIPS on the gateway router’s internal interface and a firewall on the external interface of the gateway router. The firewall on the external interface will allow the bulk of the malicious inbound traffic to be filtered before reaching the network. Then, the NIPS can be used to inspect the traffic entering the network and provide protection for the network using signature-based or behavior-based analysis. A NIPS is less powerful than a firewall and could easily “fail open” if it is overcome with traffic by being placed on the external interface. The NIPS installed on the internal interface would also allow various content types to be quickly blocked using custom signatures developed by the security team. We wouldn’t want to place the NIPS on the external interface in the correct choice for the same reasons. We also wouldn’t choose to install a NIPS on both the internal and external connections. IP filtering on both interfaces of the router will not provide the ability to monitor the traffic or to block traffic based on content type. Finally, we would not want to rely on a NIDS on the external interface alone since it can only monitor and not provide the content blocking capabilities needed.
Question 18 of 60
18. Question
You are analyzing the following network utilization report because you suspect one of the servers has been compromised.
-=-=-=-=-=–=-=-=-=-=–=-=-=-=-=–=-=-=-=-=–=-=-=-=-=–=-=-=-=-=-
IP Address Name Uptime Historical Current
192.168.20.2 web01 7D 12H 32M 06S 42.6 GB 44.1 GB
192.168.20.3 webdev02 4D 07H 12M 45S 1.95 GB 2.13 GB
192.168.20.4 dbsvr01 12D 02H 46M 14S 3.15 GB 24.6 GB
192.168.20.5 marketing01 2D 17H 18M 41S 5.2 GB 4.9 GB
-=-=-=-=-=–=-=-=-=-=–=-=-=-=-=–=-=-=-=-=–=-=-=-=-=–=-=-=-=-=-
Based on the report above, which of the following servers do you suspect has been compromised and should be investigated further?
Correct
OBJ-3.1: Due to the considerable increase in network utilization on dbsvr01, it should be suspected of compromise and further investigated. The server has a historical average utilization of only 3.15 GB per month, but this month there has been an increase to 24.6 GB of usage. This increase is nearly 8x more than the previous month when all of the other servers stayed relatively constant. This indicates a possible compromise of the database server (dbsvr01) and a data breach or data exfiltration.
Incorrect
OBJ-3.1: Due to the considerable increase in network utilization on dbsvr01, it should be suspected of compromise and further investigated. The server has a historical average utilization of only 3.15 GB per month, but this month there has been an increase to 24.6 GB of usage. This increase is nearly 8x more than the previous month when all of the other servers stayed relatively constant. This indicates a possible compromise of the database server (dbsvr01) and a data breach or data exfiltration.
Unattempted
OBJ-3.1: Due to the considerable increase in network utilization on dbsvr01, it should be suspected of compromise and further investigated. The server has a historical average utilization of only 3.15 GB per month, but this month there has been an increase to 24.6 GB of usage. This increase is nearly 8x more than the previous month when all of the other servers stayed relatively constant. This indicates a possible compromise of the database server (dbsvr01) and a data breach or data exfiltration.
Question 19 of 60
19. Question
You have just completed identifying, analyzing, and containing an incident. You have verified that the company uses older unencrypted SSDs as part of their default configuration, and the manufacturer does not provide a SE utility for the devices. The storage devices contained top-secret data that would bankrupt the company if it fell into a competitor’s hands. After safely extracting the device’s data and saving it to a new self-encrypting drive, you have been asked to dispose of the SSDs securely. Which of the following methods should you use?
Correct
OBJ-4.2: Physical destruction is the only option that will meet the requirements of this scenario. Sanitizing a hard drive can be done using cryptographic erase (CE), secure erase (SE), zero-fill, or physical destruction. In this scenario, the SSDs were not self-encrypting drives (SED) and did not have a SE utility available, so the CE or SE methods cannot be used. The cryptographic erase (CE) method sanitizes a self-encrypting drive by erasing the media encryption key and then reimaging the drive. A secure erase (SE) is used to perform the sanitization of flash-based devices (such as SSDs or USB devices) when cryptographic erase is not available. The zero-fill method relies on overwriting a storage device by setting all bits to the value of zero (0), but this is not effective on SSDs or hybrid drive. The best option is to conduct physical destruction since the scenario states that the storage device was already replaced with a new self-encrypting drive (SED). The old SSD contained top-secret data crucial to maintaining a corporate advantage over the company’s competitors. Physical destruction occurs by mechanical shredding, incineration, or degaussing magnetic hard drives.
Incorrect
OBJ-4.2: Physical destruction is the only option that will meet the requirements of this scenario. Sanitizing a hard drive can be done using cryptographic erase (CE), secure erase (SE), zero-fill, or physical destruction. In this scenario, the SSDs were not self-encrypting drives (SED) and did not have a SE utility available, so the CE or SE methods cannot be used. The cryptographic erase (CE) method sanitizes a self-encrypting drive by erasing the media encryption key and then reimaging the drive. A secure erase (SE) is used to perform the sanitization of flash-based devices (such as SSDs or USB devices) when cryptographic erase is not available. The zero-fill method relies on overwriting a storage device by setting all bits to the value of zero (0), but this is not effective on SSDs or hybrid drive. The best option is to conduct physical destruction since the scenario states that the storage device was already replaced with a new self-encrypting drive (SED). The old SSD contained top-secret data crucial to maintaining a corporate advantage over the company’s competitors. Physical destruction occurs by mechanical shredding, incineration, or degaussing magnetic hard drives.
Unattempted
OBJ-4.2: Physical destruction is the only option that will meet the requirements of this scenario. Sanitizing a hard drive can be done using cryptographic erase (CE), secure erase (SE), zero-fill, or physical destruction. In this scenario, the SSDs were not self-encrypting drives (SED) and did not have a SE utility available, so the CE or SE methods cannot be used. The cryptographic erase (CE) method sanitizes a self-encrypting drive by erasing the media encryption key and then reimaging the drive. A secure erase (SE) is used to perform the sanitization of flash-based devices (such as SSDs or USB devices) when cryptographic erase is not available. The zero-fill method relies on overwriting a storage device by setting all bits to the value of zero (0), but this is not effective on SSDs or hybrid drive. The best option is to conduct physical destruction since the scenario states that the storage device was already replaced with a new self-encrypting drive (SED). The old SSD contained top-secret data crucial to maintaining a corporate advantage over the company’s competitors. Physical destruction occurs by mechanical shredding, incineration, or degaussing magnetic hard drives.
Question 20 of 60
20. Question
You are developing a containment and remediation strategy to prevent the spread of an APT within your network. Your plan suggests creating a mirror of the company’s databases, routing all externally sourced network traffic to it, and gradually updating with pseudo-realistic data to confuse and deceive the APT as they attempt to exfiltrate the data. Once the attacker has downloaded the corrupted database, your company would then conduct remediation actions on the network and restore the correct database information to the production system. Which of the following types of containment strategies does the plan utilize?
Correct
OBJ-4.2: There are two types of containment: segmentation and isolation. This is an example of a segmentation-based containment strategy that utilizes deception. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. As opposed to completely isolating the hosts, you might configure the protected segment to deceive him or her into thinking the attack is progressing successfully, such as in the database modification example. The scenario is not a hack-back approach since the APT is not directly attacked, only deceived. Isolation-based containment involves removing an affected component from whatever larger environment it is a part of. In this scenario, the original database was never isolated from the network, nor were any other affected assets during the deception.
Incorrect
OBJ-4.2: There are two types of containment: segmentation and isolation. This is an example of a segmentation-based containment strategy that utilizes deception. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. As opposed to completely isolating the hosts, you might configure the protected segment to deceive him or her into thinking the attack is progressing successfully, such as in the database modification example. The scenario is not a hack-back approach since the APT is not directly attacked, only deceived. Isolation-based containment involves removing an affected component from whatever larger environment it is a part of. In this scenario, the original database was never isolated from the network, nor were any other affected assets during the deception.
Unattempted
OBJ-4.2: There are two types of containment: segmentation and isolation. This is an example of a segmentation-based containment strategy that utilizes deception. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. As opposed to completely isolating the hosts, you might configure the protected segment to deceive him or her into thinking the attack is progressing successfully, such as in the database modification example. The scenario is not a hack-back approach since the APT is not directly attacked, only deceived. Isolation-based containment involves removing an affected component from whatever larger environment it is a part of. In this scenario, the original database was never isolated from the network, nor were any other affected assets during the deception.
Question 21 of 60
21. Question
Which of the following are the two most important factors when determining a containment strategy?
Correct
OBJ-4.2: Safety and security of personnel should always be the first and most important overriding concern. In particular, this may apply in cases where SCADA/ICS equipment is present. Once the physical danger is abated, the second priority will be to prevent any further exfiltration of data or prevent the ongoing intrusion from spreading. All other factors are important but should only be considered after considering safety and preventing the incident’s further spread. Once that has been done, you can determine whether to use an isolation-based or segmentation-based containment technique.
Incorrect
OBJ-4.2: Safety and security of personnel should always be the first and most important overriding concern. In particular, this may apply in cases where SCADA/ICS equipment is present. Once the physical danger is abated, the second priority will be to prevent any further exfiltration of data or prevent the ongoing intrusion from spreading. All other factors are important but should only be considered after considering safety and preventing the incident’s further spread. Once that has been done, you can determine whether to use an isolation-based or segmentation-based containment technique.
Unattempted
OBJ-4.2: Safety and security of personnel should always be the first and most important overriding concern. In particular, this may apply in cases where SCADA/ICS equipment is present. Once the physical danger is abated, the second priority will be to prevent any further exfiltration of data or prevent the ongoing intrusion from spreading. All other factors are important but should only be considered after considering safety and preventing the incident’s further spread. Once that has been done, you can determine whether to use an isolation-based or segmentation-based containment technique.
Question 22 of 60
22. Question
Stephane was asked to assess the technical impact of a reconnaissance performed against his organization. He has discovered that a third party has been performing reconnaissance by querying the organization’s WHOIS data. Which category of technical impact should he classify this as?
Correct
OBJ-1.4: This would be best classified as a low technical impact. Since WHOIS data about the organization’s domain name is publicly available, it is considered a low impact. This is further mitigated by the fact that your company gets to decide what information is actually published in the WHOIS data. Since only publicly available information is being queried and exposed, this can be considered a low impact.
Incorrect
OBJ-1.4: This would be best classified as a low technical impact. Since WHOIS data about the organization’s domain name is publicly available, it is considered a low impact. This is further mitigated by the fact that your company gets to decide what information is actually published in the WHOIS data. Since only publicly available information is being queried and exposed, this can be considered a low impact.
Unattempted
OBJ-1.4: This would be best classified as a low technical impact. Since WHOIS data about the organization’s domain name is publicly available, it is considered a low impact. This is further mitigated by the fact that your company gets to decide what information is actually published in the WHOIS data. Since only publicly available information is being queried and exposed, this can be considered a low impact.
Question 23 of 60
23. Question
Which of the following will an adversary so during the exploitation phase of the Lockheed Martin kill chain? (SELECT THREE)
Correct
OBJ-2.1: During this phase, activities taken during the exploitation phase are conducted against the target’s system. Taking advantage of or exploiting an accessible vulnerability, waiting for a malicious email attached to be opened, or waiting for a user to click on a malicious link is all part of the exploitation phase. The installation of a web shell, backdoor, or implant is all performed during the installation phase. Selecting a backdoor implant and appropriate command and control infrastructure occurs during the weaponization phase.
Incorrect
OBJ-2.1: During this phase, activities taken during the exploitation phase are conducted against the target’s system. Taking advantage of or exploiting an accessible vulnerability, waiting for a malicious email attached to be opened, or waiting for a user to click on a malicious link is all part of the exploitation phase. The installation of a web shell, backdoor, or implant is all performed during the installation phase. Selecting a backdoor implant and appropriate command and control infrastructure occurs during the weaponization phase.
Unattempted
OBJ-2.1: During this phase, activities taken during the exploitation phase are conducted against the target’s system. Taking advantage of or exploiting an accessible vulnerability, waiting for a malicious email attached to be opened, or waiting for a user to click on a malicious link is all part of the exploitation phase. The installation of a web shell, backdoor, or implant is all performed during the installation phase. Selecting a backdoor implant and appropriate command and control infrastructure occurs during the weaponization phase.
Question 24 of 60
24. Question
You received an incident response report indicating a piece of malware was introduced into the company’s network through a remote workstation connected to the company’s servers over a VPN connection. Which of the following controls should be applied to prevent this type of incident from occurring again?
Correct
OBJ-2.1: Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as anti-virus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement. When a remote workstation connects to the network, NAC will place it into a segmented portion of the network (sandbox), scan it for malware and validate its security controls, and then based on the results of those scans, either connect it to the company’s networks or place the workstation into a separate quarantined portion of the network for further remediation. An access control list (ACL) is a network traffic filter that can control incoming or outgoing traffic. An ACL alone would not have prevented this issue. MAC Filtering refers to a security access control method whereby the MAC address assigned to each network card is used to determine access to the network. MAC filtering operates at layer 2 and is easy to bypass. Sender Policy Framework (SPF) is an email authentication method designed to detect forging sender addresses during the email delivery.
Incorrect
OBJ-2.1: Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as anti-virus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement. When a remote workstation connects to the network, NAC will place it into a segmented portion of the network (sandbox), scan it for malware and validate its security controls, and then based on the results of those scans, either connect it to the company’s networks or place the workstation into a separate quarantined portion of the network for further remediation. An access control list (ACL) is a network traffic filter that can control incoming or outgoing traffic. An ACL alone would not have prevented this issue. MAC Filtering refers to a security access control method whereby the MAC address assigned to each network card is used to determine access to the network. MAC filtering operates at layer 2 and is easy to bypass. Sender Policy Framework (SPF) is an email authentication method designed to detect forging sender addresses during the email delivery.
Unattempted
OBJ-2.1: Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as anti-virus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement. When a remote workstation connects to the network, NAC will place it into a segmented portion of the network (sandbox), scan it for malware and validate its security controls, and then based on the results of those scans, either connect it to the company’s networks or place the workstation into a separate quarantined portion of the network for further remediation. An access control list (ACL) is a network traffic filter that can control incoming or outgoing traffic. An ACL alone would not have prevented this issue. MAC Filtering refers to a security access control method whereby the MAC address assigned to each network card is used to determine access to the network. MAC filtering operates at layer 2 and is easy to bypass. Sender Policy Framework (SPF) is an email authentication method designed to detect forging sender addresses during the email delivery.
Question 25 of 60
25. Question
A penetration tester is conducting an assessment of a wireless network that is secure using WPA2 Enterprise encryption. Which of the following are major differences between conducting reconnaissance of a wireless network versus a wired network? (SELECT TWO)
Correct
OBJ-1.4: Most wireless networks utilize end-to-end encryption, whereas wired networks do not. Physical accessibility is another major difference between wireless and wired networks since wireless networks can be accessed from a distance using powerful antennas. Authentication, MAC filtering, and network access control (NAC) can be implemented equally on wired and wireless networks. Port security is only applicable to wired networks.
Incorrect
OBJ-1.4: Most wireless networks utilize end-to-end encryption, whereas wired networks do not. Physical accessibility is another major difference between wireless and wired networks since wireless networks can be accessed from a distance using powerful antennas. Authentication, MAC filtering, and network access control (NAC) can be implemented equally on wired and wireless networks. Port security is only applicable to wired networks.
Unattempted
OBJ-1.4: Most wireless networks utilize end-to-end encryption, whereas wired networks do not. Physical accessibility is another major difference between wireless and wired networks since wireless networks can be accessed from a distance using powerful antennas. Authentication, MAC filtering, and network access control (NAC) can be implemented equally on wired and wireless networks. Port security is only applicable to wired networks.
Question 26 of 60
26. Question
Which of the following functions is not provided by a TPM?
Correct
OBJ-2.3: User authentication is performed at a much higher level in the operating system. Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software cannot tamper with the security functions of the TPM. The TPM provides random number generation, secure generation of cryptographic keys, remote attestation, binding, and sealing functions securely.
Incorrect
OBJ-2.3: User authentication is performed at a much higher level in the operating system. Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software cannot tamper with the security functions of the TPM. The TPM provides random number generation, secure generation of cryptographic keys, remote attestation, binding, and sealing functions securely.
Unattempted
OBJ-2.3: User authentication is performed at a much higher level in the operating system. Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software cannot tamper with the security functions of the TPM. The TPM provides random number generation, secure generation of cryptographic keys, remote attestation, binding, and sealing functions securely.
Question 27 of 60
27. Question
A threat intelligence analyst is researching a new indicator of compromise. At the same time, the web proxy server-generated an alert for this same indicator of compromise. When asked about this alert, the analyst insists that they did not visit any of the related sites, but instead, they were listed on the results page of their search engine query. Which of the following is the BEST explanation for what has occurred?
Correct
OBJ-1.2: Prefetch, a capability in modern web browsers, is used to speed up web browsing by grabbing content that may be asked for by the user at a later time. For example, if you search for a term and the results are being shown to the user, prefetch will download the first three results in anticipation of the user clicking one of the top three links. In the scenario presented in this question, the prefetch has downloaded the malicious content and therefore caused the alert.
Incorrect
OBJ-1.2: Prefetch, a capability in modern web browsers, is used to speed up web browsing by grabbing content that may be asked for by the user at a later time. For example, if you search for a term and the results are being shown to the user, prefetch will download the first three results in anticipation of the user clicking one of the top three links. In the scenario presented in this question, the prefetch has downloaded the malicious content and therefore caused the alert.
Unattempted
OBJ-1.2: Prefetch, a capability in modern web browsers, is used to speed up web browsing by grabbing content that may be asked for by the user at a later time. For example, if you search for a term and the results are being shown to the user, prefetch will download the first three results in anticipation of the user clicking one of the top three links. In the scenario presented in this question, the prefetch has downloaded the malicious content and therefore caused the alert.
Question 28 of 60
28. Question
Which of the following is not considered a component that belongs to the category of identity management infrastructure?
Correct
OBJ-2.1: The human resource system may be a data source for identity management, but it is not part of the infrastructure itself. LDAP servers, provisioning engines, and auditing systems are all part of identity management infrastructures. Most organizations rely on an LDAP Directory to store users, groups, roles, and relationships between those entities. A provisioning engine is responsible for coordinating the creation of user accounts, email authorizations in the form of rules and roles, and other tasks such as provisioning of physical resources associated with enabling new users. The auditing system is responsible for verifying the identities present in the organization’s systems are valid and correct.
Incorrect
OBJ-2.1: The human resource system may be a data source for identity management, but it is not part of the infrastructure itself. LDAP servers, provisioning engines, and auditing systems are all part of identity management infrastructures. Most organizations rely on an LDAP Directory to store users, groups, roles, and relationships between those entities. A provisioning engine is responsible for coordinating the creation of user accounts, email authorizations in the form of rules and roles, and other tasks such as provisioning of physical resources associated with enabling new users. The auditing system is responsible for verifying the identities present in the organization’s systems are valid and correct.
Unattempted
OBJ-2.1: The human resource system may be a data source for identity management, but it is not part of the infrastructure itself. LDAP servers, provisioning engines, and auditing systems are all part of identity management infrastructures. Most organizations rely on an LDAP Directory to store users, groups, roles, and relationships between those entities. A provisioning engine is responsible for coordinating the creation of user accounts, email authorizations in the form of rules and roles, and other tasks such as provisioning of physical resources associated with enabling new users. The auditing system is responsible for verifying the identities present in the organization’s systems are valid and correct.
Question 29 of 60
29. Question
Keith wants to validate the application file that he downloaded from the vendor of the application. Which of the following should he compare against the file to verify the integrity of the downloaded application?
Correct
OBJ-2.2: Keith should conduct a hash of the downloaded file and compare it against the MD5 hash digest listed on the server of this file. This file needs to be a verifiable MD5 hash file to validate the file integrity has not been compromised during the download. This is an important step to ensure the file was not modified in transit during the download. The other options are insufficient to guarantee the integrity of the downloaded file since integrity checking relies on comparing hash digests. A public or private key would not be assigned solely to a single file, nor do they provide integrity on their own. Public and private keys are used to ensure data confidentiality, whereas a hash digest ensures integrity. The file size and file creation date are additional forms of metadata that could help validate a file’s integrity. Still, they of a much lower quality and trust factor than using a hash digest. Therefore MD5 or SHA1 is a better choice.
Incorrect
OBJ-2.2: Keith should conduct a hash of the downloaded file and compare it against the MD5 hash digest listed on the server of this file. This file needs to be a verifiable MD5 hash file to validate the file integrity has not been compromised during the download. This is an important step to ensure the file was not modified in transit during the download. The other options are insufficient to guarantee the integrity of the downloaded file since integrity checking relies on comparing hash digests. A public or private key would not be assigned solely to a single file, nor do they provide integrity on their own. Public and private keys are used to ensure data confidentiality, whereas a hash digest ensures integrity. The file size and file creation date are additional forms of metadata that could help validate a file’s integrity. Still, they of a much lower quality and trust factor than using a hash digest. Therefore MD5 or SHA1 is a better choice.
Unattempted
OBJ-2.2: Keith should conduct a hash of the downloaded file and compare it against the MD5 hash digest listed on the server of this file. This file needs to be a verifiable MD5 hash file to validate the file integrity has not been compromised during the download. This is an important step to ensure the file was not modified in transit during the download. The other options are insufficient to guarantee the integrity of the downloaded file since integrity checking relies on comparing hash digests. A public or private key would not be assigned solely to a single file, nor do they provide integrity on their own. Public and private keys are used to ensure data confidentiality, whereas a hash digest ensures integrity. The file size and file creation date are additional forms of metadata that could help validate a file’s integrity. Still, they of a much lower quality and trust factor than using a hash digest. Therefore MD5 or SHA1 is a better choice.
Question 30 of 60
30. Question
You are conducting a quick nmap scan of a target network. You want to conduct an SYN scan, but you don’t have raw socket privileges on your workstation. Which of the following commands should you use to conduct the SYN scan from your workstation?
Correct
OBJ-1.4: The nmap TCP connect scan (-sT) is used when the SYN scan (-sS) is not an option. You should use the -sT flag when you d not have raw packet privileges on your workstation or if you are scanning an IPv6 network. This flag tells nmap to establish a connection with the target machine by issuing the connect system call instead of directly using an SYN scan. Normally, a fast scan using the -sS (SYN scan) flag is more often conducted, but it requires raw socket access on the scanning workstation. The -sX flag would conduct a Xmas scan where the FIN, PSH, and URG flags are used in the scan. The -O flag would conduct an operating system detection scan of the target system.
Incorrect
OBJ-1.4: The nmap TCP connect scan (-sT) is used when the SYN scan (-sS) is not an option. You should use the -sT flag when you d not have raw packet privileges on your workstation or if you are scanning an IPv6 network. This flag tells nmap to establish a connection with the target machine by issuing the connect system call instead of directly using an SYN scan. Normally, a fast scan using the -sS (SYN scan) flag is more often conducted, but it requires raw socket access on the scanning workstation. The -sX flag would conduct a Xmas scan where the FIN, PSH, and URG flags are used in the scan. The -O flag would conduct an operating system detection scan of the target system.
Unattempted
OBJ-1.4: The nmap TCP connect scan (-sT) is used when the SYN scan (-sS) is not an option. You should use the -sT flag when you d not have raw packet privileges on your workstation or if you are scanning an IPv6 network. This flag tells nmap to establish a connection with the target machine by issuing the connect system call instead of directly using an SYN scan. Normally, a fast scan using the -sS (SYN scan) flag is more often conducted, but it requires raw socket access on the scanning workstation. The -sX flag would conduct a Xmas scan where the FIN, PSH, and URG flags are used in the scan. The -O flag would conduct an operating system detection scan of the target system.
Question 31 of 60
31. Question
Following a root cause analysis of an edge router’s unexpected failure, a cybersecurity analyst discovered that the system administrator had purchased the device from an unauthorized reseller. The analyst suspects that the router may be a counterfeit device. Which of the following controls would have been most effective in preventing this issue?
Correct
OBJ-2.3: Anti-counterfeit training is part of the NIST 800-53r4 control set (SA-19(1)) and should be a mandatory part of your supply chain management training within your organization. All other options may produce security gains in the network. They are unlikely to reliably detect a counterfeit item or prevent its introduction into the organization’s supply chain. Training on detection methodologies (i.e., simple visual inspections) and training for acquisition personnel will better prevent recurrences.
Incorrect
OBJ-2.3: Anti-counterfeit training is part of the NIST 800-53r4 control set (SA-19(1)) and should be a mandatory part of your supply chain management training within your organization. All other options may produce security gains in the network. They are unlikely to reliably detect a counterfeit item or prevent its introduction into the organization’s supply chain. Training on detection methodologies (i.e., simple visual inspections) and training for acquisition personnel will better prevent recurrences.
Unattempted
OBJ-2.3: Anti-counterfeit training is part of the NIST 800-53r4 control set (SA-19(1)) and should be a mandatory part of your supply chain management training within your organization. All other options may produce security gains in the network. They are unlikely to reliably detect a counterfeit item or prevent its introduction into the organization’s supply chain. Training on detection methodologies (i.e., simple visual inspections) and training for acquisition personnel will better prevent recurrences.
Question 32 of 60
32. Question
You are reviewing the logs in your IDS and see that entries were showing SYN packets received from a remote host targeting each port on your web server from 1 to 1024. Which of the following MOST likely occurred?
Correct
OBJ-3.1: Based on the description provided, this is most likely a port scan. Using a tool like nmap, an attacker can create an SYN scan across every port in a range against the desired target. A port scan or SYN scan may trigger an alert in your IDS. While scanners support more stealthy scans, default scans may connect to each port sequentially. The other options are incorrect because a remote host will typically connect to only a single port associated with a service. An SYN flood normally sends many SYNs to a single system. Still, it doesn’t send them to unused ports, and a UDP probe will not send SYN packets.
Incorrect
OBJ-3.1: Based on the description provided, this is most likely a port scan. Using a tool like nmap, an attacker can create an SYN scan across every port in a range against the desired target. A port scan or SYN scan may trigger an alert in your IDS. While scanners support more stealthy scans, default scans may connect to each port sequentially. The other options are incorrect because a remote host will typically connect to only a single port associated with a service. An SYN flood normally sends many SYNs to a single system. Still, it doesn’t send them to unused ports, and a UDP probe will not send SYN packets.
Unattempted
OBJ-3.1: Based on the description provided, this is most likely a port scan. Using a tool like nmap, an attacker can create an SYN scan across every port in a range against the desired target. A port scan or SYN scan may trigger an alert in your IDS. While scanners support more stealthy scans, default scans may connect to each port sequentially. The other options are incorrect because a remote host will typically connect to only a single port associated with a service. An SYN flood normally sends many SYNs to a single system. Still, it doesn’t send them to unused ports, and a UDP probe will not send SYN packets.
Question 33 of 60
33. Question
A cybersecurity analyst working at a major university is reviewing the SQL server log of completed transactions and notices the following entry:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
“select ID, GRADE from GRADES where ID=1235235; UPDATE GRADES set GRADE=’A’ where ID=1235235;”
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on this transaction log, which of the following most likely occurred?
Correct
OBJ-3.3: Based on this transaction log entry, it appears that the ID# field was not properly validated before being passed to the SQL server. This would allow someone to conduct an SQL injection and retrieve the student’s grades, and set all of this student’s grades to an ‘A’ at the same time. It is common to look for a ‘1==1’ type condition to identify an SQL injection. There are other methods to conduct an SQL injection attack that could be utilized by an attacker. If input validation is not being performed on user-entered data, an attacker can exploit any SQL language aspect and therefore inject SQL specific commands. This entry is suspicious and indicates that either the application or the SQL database is not functioning properly. Still, there appears to be adequate logging and monitoring based on what we can see and whether the question never indicates logging was an issue. An SQL database would not be designed to set ALL of a particular student’s grades to A’s, thus making this single entry suspicious. Most SQL statements in an SQL log will be fairly uniform and repetitive by nature when you review them. This leaves us with the question as to who person this SQL injection. Per the question choices, it could be the student with ID# 1235235 or “someone.” While it seems as if student #1235235 had the most to gain from this, without further investigation, we cannot prove that it actually was student #1235235 that performed the SQL injection. Undoubtedly, student #125235 should be a person of interest in any ensuing investigations, but additional information (i.e., whose credentials were being used, etc.) should be used before making any accusations. Therefore, the answer is that “someone” performed this SQL injection.
Incorrect
OBJ-3.3: Based on this transaction log entry, it appears that the ID# field was not properly validated before being passed to the SQL server. This would allow someone to conduct an SQL injection and retrieve the student’s grades, and set all of this student’s grades to an ‘A’ at the same time. It is common to look for a ‘1==1’ type condition to identify an SQL injection. There are other methods to conduct an SQL injection attack that could be utilized by an attacker. If input validation is not being performed on user-entered data, an attacker can exploit any SQL language aspect and therefore inject SQL specific commands. This entry is suspicious and indicates that either the application or the SQL database is not functioning properly. Still, there appears to be adequate logging and monitoring based on what we can see and whether the question never indicates logging was an issue. An SQL database would not be designed to set ALL of a particular student’s grades to A’s, thus making this single entry suspicious. Most SQL statements in an SQL log will be fairly uniform and repetitive by nature when you review them. This leaves us with the question as to who person this SQL injection. Per the question choices, it could be the student with ID# 1235235 or “someone.” While it seems as if student #1235235 had the most to gain from this, without further investigation, we cannot prove that it actually was student #1235235 that performed the SQL injection. Undoubtedly, student #125235 should be a person of interest in any ensuing investigations, but additional information (i.e., whose credentials were being used, etc.) should be used before making any accusations. Therefore, the answer is that “someone” performed this SQL injection.
Unattempted
OBJ-3.3: Based on this transaction log entry, it appears that the ID# field was not properly validated before being passed to the SQL server. This would allow someone to conduct an SQL injection and retrieve the student’s grades, and set all of this student’s grades to an ‘A’ at the same time. It is common to look for a ‘1==1’ type condition to identify an SQL injection. There are other methods to conduct an SQL injection attack that could be utilized by an attacker. If input validation is not being performed on user-entered data, an attacker can exploit any SQL language aspect and therefore inject SQL specific commands. This entry is suspicious and indicates that either the application or the SQL database is not functioning properly. Still, there appears to be adequate logging and monitoring based on what we can see and whether the question never indicates logging was an issue. An SQL database would not be designed to set ALL of a particular student’s grades to A’s, thus making this single entry suspicious. Most SQL statements in an SQL log will be fairly uniform and repetitive by nature when you review them. This leaves us with the question as to who person this SQL injection. Per the question choices, it could be the student with ID# 1235235 or “someone.” While it seems as if student #1235235 had the most to gain from this, without further investigation, we cannot prove that it actually was student #1235235 that performed the SQL injection. Undoubtedly, student #125235 should be a person of interest in any ensuing investigations, but additional information (i.e., whose credentials were being used, etc.) should be used before making any accusations. Therefore, the answer is that “someone” performed this SQL injection.
Question 34 of 60
34. Question
You need to perform an architectural review and select a view that focuses on the technologies, settings, and configurations used within the architecture. Which of the following views should you select?
Correct
OBJ-2.1: A technical view focuses on technologies, settings, and configurations. An operational view looks at how a function is performed or what it accomplishes. A logical view describes how systems interconnect. An acquisition views focus on the procurement process.
Incorrect
OBJ-2.1: A technical view focuses on technologies, settings, and configurations. An operational view looks at how a function is performed or what it accomplishes. A logical view describes how systems interconnect. An acquisition views focus on the procurement process.
Unattempted
OBJ-2.1: A technical view focuses on technologies, settings, and configurations. An operational view looks at how a function is performed or what it accomplishes. A logical view describes how systems interconnect. An acquisition views focus on the procurement process.
Question 35 of 60
35. Question
Fail to Pass Systems has recently moved its corporate offices from France to Westeros, a country with no meaningful privacy regulations. The marketing department believes that this move will allow the company to resell all of its customer’s data to third-party companies and shield the company from any legal responsibility. Which policy is violated by this scenario?
Correct
OBJ-5.1: While the fictitious Westeros may have no privacy laws or regulations, the laws of the countries where the company’s customers reside may still retain sovereignty over the data obtained from those regions during the course of the company’s business there. This is called Data Sovereignty. Data sovereignty refers to a jurisdiction (such as France or the European Union) preventing or restricting processing and storage from taking place on systems that do not physically reside within that jurisdiction. Data sovereignty may demand certain concessions on your part, such as using location-specific storage facilities in a cloud service. Fail to Pass Systems will likely face steep fines from different regions if they go through with their plan to sell all of their customers’ data to the highest bidders. Fail to Pass Systems may even be blocked from communicating with individual regions. Although Data minimization and data limitation policies may be violated depending on the company’s internal policies, these policies are not legally binding like the provisions of GDPR are. Data enrichment means that the machine analytics behind the view of a particular alert can deliver more correlating and contextual information with a higher degree of confidence, both from within the local network’s data points and from external threat intelligence.
Incorrect
OBJ-5.1: While the fictitious Westeros may have no privacy laws or regulations, the laws of the countries where the company’s customers reside may still retain sovereignty over the data obtained from those regions during the course of the company’s business there. This is called Data Sovereignty. Data sovereignty refers to a jurisdiction (such as France or the European Union) preventing or restricting processing and storage from taking place on systems that do not physically reside within that jurisdiction. Data sovereignty may demand certain concessions on your part, such as using location-specific storage facilities in a cloud service. Fail to Pass Systems will likely face steep fines from different regions if they go through with their plan to sell all of their customers’ data to the highest bidders. Fail to Pass Systems may even be blocked from communicating with individual regions. Although Data minimization and data limitation policies may be violated depending on the company’s internal policies, these policies are not legally binding like the provisions of GDPR are. Data enrichment means that the machine analytics behind the view of a particular alert can deliver more correlating and contextual information with a higher degree of confidence, both from within the local network’s data points and from external threat intelligence.
Unattempted
OBJ-5.1: While the fictitious Westeros may have no privacy laws or regulations, the laws of the countries where the company’s customers reside may still retain sovereignty over the data obtained from those regions during the course of the company’s business there. This is called Data Sovereignty. Data sovereignty refers to a jurisdiction (such as France or the European Union) preventing or restricting processing and storage from taking place on systems that do not physically reside within that jurisdiction. Data sovereignty may demand certain concessions on your part, such as using location-specific storage facilities in a cloud service. Fail to Pass Systems will likely face steep fines from different regions if they go through with their plan to sell all of their customers’ data to the highest bidders. Fail to Pass Systems may even be blocked from communicating with individual regions. Although Data minimization and data limitation policies may be violated depending on the company’s internal policies, these policies are not legally binding like the provisions of GDPR are. Data enrichment means that the machine analytics behind the view of a particular alert can deliver more correlating and contextual information with a higher degree of confidence, both from within the local network’s data points and from external threat intelligence.
Question 36 of 60
36. Question
A financial services company wants to donate some old hard drives from their servers to a local charity. Still, they are concerned about the possibility of residual data being left on the drives. Which of the following secure disposal methods would you recommend the company use?
Correct
OBJ-4.2: In a cryptographic erase (CE), the storage media is encrypted by default. The encryption key itself is destroyed during the erasing operation. CE is a feature of self-encrypting drives (SED) and is often used with solid-state devices. Cryptographic erase can be used with hard drives, as well. Zero-fill is a process that fills the entire storage device with zeroes. For SSDs and hybrid drives, zero-fill-based methods might not be reliable because the device uses wear-leveling routines in the drive controller to communicate which locations are available for use to any software process accessing the device. A secure erase is a special utility provided with some solid-state drives that can perform the sanitization of flash-based devices. Overwrite is like zero-fill but can utilize a random pattern of ones and zeroes on the storage device. The most secure option would be a cryptographic erase (CE) for the question’s scenario.
Incorrect
OBJ-4.2: In a cryptographic erase (CE), the storage media is encrypted by default. The encryption key itself is destroyed during the erasing operation. CE is a feature of self-encrypting drives (SED) and is often used with solid-state devices. Cryptographic erase can be used with hard drives, as well. Zero-fill is a process that fills the entire storage device with zeroes. For SSDs and hybrid drives, zero-fill-based methods might not be reliable because the device uses wear-leveling routines in the drive controller to communicate which locations are available for use to any software process accessing the device. A secure erase is a special utility provided with some solid-state drives that can perform the sanitization of flash-based devices. Overwrite is like zero-fill but can utilize a random pattern of ones and zeroes on the storage device. The most secure option would be a cryptographic erase (CE) for the question’s scenario.
Unattempted
OBJ-4.2: In a cryptographic erase (CE), the storage media is encrypted by default. The encryption key itself is destroyed during the erasing operation. CE is a feature of self-encrypting drives (SED) and is often used with solid-state devices. Cryptographic erase can be used with hard drives, as well. Zero-fill is a process that fills the entire storage device with zeroes. For SSDs and hybrid drives, zero-fill-based methods might not be reliable because the device uses wear-leveling routines in the drive controller to communicate which locations are available for use to any software process accessing the device. A secure erase is a special utility provided with some solid-state drives that can perform the sanitization of flash-based devices. Overwrite is like zero-fill but can utilize a random pattern of ones and zeroes on the storage device. The most secure option would be a cryptographic erase (CE) for the question’s scenario.
Question 37 of 60
37. Question
SkillCertPro Training’s new COO is reviewing the organization’s current information security policy. She notices that it was first created three years ago. Since that time, the organization has undergone multiple audits and assessments that required revisions to the policy. Which of the following is the most reasonable frequency to conduct a formal review of the organization’s policies to ensure they remain up to date?
Correct
OBJ-5.3: Annual reviews are an industry standard and are typically sufficient unless circumstances happen that might require an update or revision sooner. Waiting five years between policy reviews is too long and would leave the organization with constantly outdated policies. Similarly, conduct quarterly or monthly reviews is too frequent, and there will not be enough time for substantial changes to have occurred. Additionally, most formal audits and assessments are undertaken annually. Therefore, this is a reasonable frequency to use without overburdening your staff.
Incorrect
OBJ-5.3: Annual reviews are an industry standard and are typically sufficient unless circumstances happen that might require an update or revision sooner. Waiting five years between policy reviews is too long and would leave the organization with constantly outdated policies. Similarly, conduct quarterly or monthly reviews is too frequent, and there will not be enough time for substantial changes to have occurred. Additionally, most formal audits and assessments are undertaken annually. Therefore, this is a reasonable frequency to use without overburdening your staff.
Unattempted
OBJ-5.3: Annual reviews are an industry standard and are typically sufficient unless circumstances happen that might require an update or revision sooner. Waiting five years between policy reviews is too long and would leave the organization with constantly outdated policies. Similarly, conduct quarterly or monthly reviews is too frequent, and there will not be enough time for substantial changes to have occurred. Additionally, most formal audits and assessments are undertaken annually. Therefore, this is a reasonable frequency to use without overburdening your staff.
Question 38 of 60
38. Question
You have noticed some unusual network traffic outbound from a certain host. The host is communicating with a known malicious server over port 443 using an encrypted TLS tunnel. You ran a full system anti-virus scan of the host with an updated anti-virus signature file, but the anti-virus did not find any infection signs. Which of the following has MOST likely occurred?
Correct
OBJ-1.2: Since you scanned the system with the latest anti-virus signatures and did not find any signs of infection, it would most likely be evidence of a zero-day attack. A zero-day attack has a clear sign of compromise (the web tunnel being established to a known malicious server). The anti-virus doesn’t have a signature yet for this particular malware variant. Password spraying occurs when an attacker tries to log in to multiple different user accounts with the same compromised password credentials. Session hijacking is exploiting a valid computer session to gain unauthorized access to information or services in a computer system. Based on the scenario, it doesn’t appear to be session hijacking since the user would not normally attempt to connect to a malicious server. Directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server’s root directory. A directory traversal is usually indicated by a dot dot slash (../) in the URL being attempted.
Incorrect
OBJ-1.2: Since you scanned the system with the latest anti-virus signatures and did not find any signs of infection, it would most likely be evidence of a zero-day attack. A zero-day attack has a clear sign of compromise (the web tunnel being established to a known malicious server). The anti-virus doesn’t have a signature yet for this particular malware variant. Password spraying occurs when an attacker tries to log in to multiple different user accounts with the same compromised password credentials. Session hijacking is exploiting a valid computer session to gain unauthorized access to information or services in a computer system. Based on the scenario, it doesn’t appear to be session hijacking since the user would not normally attempt to connect to a malicious server. Directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server’s root directory. A directory traversal is usually indicated by a dot dot slash (../) in the URL being attempted.
Unattempted
OBJ-1.2: Since you scanned the system with the latest anti-virus signatures and did not find any signs of infection, it would most likely be evidence of a zero-day attack. A zero-day attack has a clear sign of compromise (the web tunnel being established to a known malicious server). The anti-virus doesn’t have a signature yet for this particular malware variant. Password spraying occurs when an attacker tries to log in to multiple different user accounts with the same compromised password credentials. Session hijacking is exploiting a valid computer session to gain unauthorized access to information or services in a computer system. Based on the scenario, it doesn’t appear to be session hijacking since the user would not normally attempt to connect to a malicious server. Directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server’s root directory. A directory traversal is usually indicated by a dot dot slash (../) in the URL being attempted.
Question 39 of 60
39. Question
You are analyzing the logs of a forensic analysts workstation and see the following:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
root@SkillCertProTraining:/home# dd if=/dev/sdc of=/dev/sdb bs=1M count=1000
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What does the bs=1M signify in the command list above?
Correct
OBJ-4.4: The dd command is used in forensic data acquisition to forensically create a bit by bit copy of a hard drive to a disk image. The bs operator sets the block size when using the Linux dd command. This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!
Incorrect
OBJ-4.4: The dd command is used in forensic data acquisition to forensically create a bit by bit copy of a hard drive to a disk image. The bs operator sets the block size when using the Linux dd command. This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!
Unattempted
OBJ-4.4: The dd command is used in forensic data acquisition to forensically create a bit by bit copy of a hard drive to a disk image. The bs operator sets the block size when using the Linux dd command. This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!
Question 40 of 60
40. Question
Which of the following technologies could be used to ensure that users who log in to a network are physically in the same building as the network they are attempting to authenticate on? (SELECT TWO)
Correct
OBJ-3.2: Network Access Control is used to identify an endpoint’s characteristics when conducting network authentication. The GPS location of the device will provide the longitude and latitude of the user, which could be compared against the GPS coordinates of the building. Port security enables an administrator to configure individual switch ports to allow only a specified number of source MAC addresses ingressing the port. This would not help to locate the individual based on their location, though. Geo-IP, or geolocation and country lookup of a host-based on its IP address, would identify the country of origin of the user, but not whether they are within the building’s confines. Geo-IP is also easily tricked if the user logs in over a VPN connection.
Incorrect
OBJ-3.2: Network Access Control is used to identify an endpoint’s characteristics when conducting network authentication. The GPS location of the device will provide the longitude and latitude of the user, which could be compared against the GPS coordinates of the building. Port security enables an administrator to configure individual switch ports to allow only a specified number of source MAC addresses ingressing the port. This would not help to locate the individual based on their location, though. Geo-IP, or geolocation and country lookup of a host-based on its IP address, would identify the country of origin of the user, but not whether they are within the building’s confines. Geo-IP is also easily tricked if the user logs in over a VPN connection.
Unattempted
OBJ-3.2: Network Access Control is used to identify an endpoint’s characteristics when conducting network authentication. The GPS location of the device will provide the longitude and latitude of the user, which could be compared against the GPS coordinates of the building. Port security enables an administrator to configure individual switch ports to allow only a specified number of source MAC addresses ingressing the port. This would not help to locate the individual based on their location, though. Geo-IP, or geolocation and country lookup of a host-based on its IP address, would identify the country of origin of the user, but not whether they are within the building’s confines. Geo-IP is also easily tricked if the user logs in over a VPN connection.
Question 41 of 60
41. Question
You want to search all the logs using REGEX to alert on any findings where a filename contains the word “password” (regardless of case). For example, “PASSWORD.txt,” “Password.log,” or “password.xlsx” should cause the alert to occur. Once deployed, this search will be conducted daily to find any instances of an employee saving their passwords in a file that could be easily found by an attacker. Which of the following commands would successfully do this?
Correct
OBJ-3.1: The flag (-i) in grep means that the entire string that follows will be treated as case insensitive. The absence of the whole word identifier (i.e., \b, ^) indicates that matching can occur at any part of the text being evaluated. In other words, “MyPasswords” will also be detected by this REGEX search. The (PASSWORD)|(password) REGEX will detect partial phrases of “PASSWORD” or “password” but will fail on simple things like “Password.” All other options misuse the case-insensitivity flag.
Incorrect
OBJ-3.1: The flag (-i) in grep means that the entire string that follows will be treated as case insensitive. The absence of the whole word identifier (i.e., \b, ^) indicates that matching can occur at any part of the text being evaluated. In other words, “MyPasswords” will also be detected by this REGEX search. The (PASSWORD)|(password) REGEX will detect partial phrases of “PASSWORD” or “password” but will fail on simple things like “Password.” All other options misuse the case-insensitivity flag.
Unattempted
OBJ-3.1: The flag (-i) in grep means that the entire string that follows will be treated as case insensitive. The absence of the whole word identifier (i.e., \b, ^) indicates that matching can occur at any part of the text being evaluated. In other words, “MyPasswords” will also be detected by this REGEX search. The (PASSWORD)|(password) REGEX will detect partial phrases of “PASSWORD” or “password” but will fail on simple things like “Password.” All other options misuse the case-insensitivity flag.
Question 42 of 60
42. Question
Your company has just announced a change to an “API first” model of software development. As a cybersecurity analyst, you are immediately concerned about the possibility of an insecure deserialization vulnerability in this model. Which of the following is the primary basis for an attack against this vulnerability?
Correct
OBJ-1.6: When implementing an API, objects in memory from one computer can be serialized and passed to another for deserialization. If the API user is malicious, they may create a fictitious object, appropriately serialize it, and then send it through the API for execution. The only model for defeating this approach is to allow the API to be exposed to trusted sources or to not serialize anything with potentially executable source code (i.e., non-primitive data types). Cross-site scripting and SQL attacks are not a concern for an API first model. While stuffiest logging and monitoring would prevent an analyst from detecting if a deserialization vulnerability was exploited, these alone would not be the basis for an attack against deserialization.
Incorrect
OBJ-1.6: When implementing an API, objects in memory from one computer can be serialized and passed to another for deserialization. If the API user is malicious, they may create a fictitious object, appropriately serialize it, and then send it through the API for execution. The only model for defeating this approach is to allow the API to be exposed to trusted sources or to not serialize anything with potentially executable source code (i.e., non-primitive data types). Cross-site scripting and SQL attacks are not a concern for an API first model. While stuffiest logging and monitoring would prevent an analyst from detecting if a deserialization vulnerability was exploited, these alone would not be the basis for an attack against deserialization.
Unattempted
OBJ-1.6: When implementing an API, objects in memory from one computer can be serialized and passed to another for deserialization. If the API user is malicious, they may create a fictitious object, appropriately serialize it, and then send it through the API for execution. The only model for defeating this approach is to allow the API to be exposed to trusted sources or to not serialize anything with potentially executable source code (i.e., non-primitive data types). Cross-site scripting and SQL attacks are not a concern for an API first model. While stuffiest logging and monitoring would prevent an analyst from detecting if a deserialization vulnerability was exploited, these alone would not be the basis for an attack against deserialization.
Question 43 of 60
43. Question
Which of the following technologies is NOT a shared authentication protocol?
Correct
OBJ-2.2: LDAP can be used for single sign-on but is not a shared authentication protocol. OpenID, OAuth, and Facebook Connect are all shared authentication protocols. Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. OAuth is designed to facilitate the sharing of information (resources) within a user profile between sites.
Incorrect
OBJ-2.2: LDAP can be used for single sign-on but is not a shared authentication protocol. OpenID, OAuth, and Facebook Connect are all shared authentication protocols. Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. OAuth is designed to facilitate the sharing of information (resources) within a user profile between sites.
Unattempted
OBJ-2.2: LDAP can be used for single sign-on but is not a shared authentication protocol. OpenID, OAuth, and Facebook Connect are all shared authentication protocols. Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. OAuth is designed to facilitate the sharing of information (resources) within a user profile between sites.
Question 44 of 60
44. Question
Which of the following information is traditionally found in the SOW for a penetration test?
Correct
OBJ-5.2: A Scope of Work (SOW) for a penetration test normally contains the list of excluded hosts. This ensures that the penetration tester does not affect hosts, workstations, or servers outside of the assessment scope. The timing of the scan and the maintenance windows are usually found in the rules of engagement (ROE). The executive summary report contents are usually not identified in any of the scoping documents, only the requirement of whether such a report is to be delivered at the end of the assessment.
Incorrect
OBJ-5.2: A Scope of Work (SOW) for a penetration test normally contains the list of excluded hosts. This ensures that the penetration tester does not affect hosts, workstations, or servers outside of the assessment scope. The timing of the scan and the maintenance windows are usually found in the rules of engagement (ROE). The executive summary report contents are usually not identified in any of the scoping documents, only the requirement of whether such a report is to be delivered at the end of the assessment.
Unattempted
OBJ-5.2: A Scope of Work (SOW) for a penetration test normally contains the list of excluded hosts. This ensures that the penetration tester does not affect hosts, workstations, or servers outside of the assessment scope. The timing of the scan and the maintenance windows are usually found in the rules of engagement (ROE). The executive summary report contents are usually not identified in any of the scoping documents, only the requirement of whether such a report is to be delivered at the end of the assessment.
Question 45 of 60
45. Question
Which of the following provides a standard nomenclature for describing security-related software flaws?
Correct
OBJ-1.4: Common Vulnerabilities and Exposures (CVE) is an element of the Security Content Automation Protocol (SCAP) that provides a standard nomenclature for describing security flaws or vulnerabilities. A SIEM is a solution that provides a real-time or near-real-time analysis of security alerts generated by network hardware and applications. A VPC is a private network segment made available to a single cloud consumer on a public cloud. The Sarbanes-Oxley Act (SOX) dictates requirements for storing and retaining documents relating to an organization’s financial and business operations, including the type of documents to be stored and their retention periods.
Incorrect
OBJ-1.4: Common Vulnerabilities and Exposures (CVE) is an element of the Security Content Automation Protocol (SCAP) that provides a standard nomenclature for describing security flaws or vulnerabilities. A SIEM is a solution that provides a real-time or near-real-time analysis of security alerts generated by network hardware and applications. A VPC is a private network segment made available to a single cloud consumer on a public cloud. The Sarbanes-Oxley Act (SOX) dictates requirements for storing and retaining documents relating to an organization’s financial and business operations, including the type of documents to be stored and their retention periods.
Unattempted
OBJ-1.4: Common Vulnerabilities and Exposures (CVE) is an element of the Security Content Automation Protocol (SCAP) that provides a standard nomenclature for describing security flaws or vulnerabilities. A SIEM is a solution that provides a real-time or near-real-time analysis of security alerts generated by network hardware and applications. A VPC is a private network segment made available to a single cloud consumer on a public cloud. The Sarbanes-Oxley Act (SOX) dictates requirements for storing and retaining documents relating to an organization’s financial and business operations, including the type of documents to be stored and their retention periods.
Question 46 of 60
46. Question
During the analysis of data as part of ongoing security monitoring activities, which of the following is NOT a good source of information to validate the results of an analyst’s vulnerability scans of the network’s domain controllers?
Correct
OBJ-3.1: Vulnerability scans should never take place in a vacuum. Analysts should correlate scan results with other information sources, including logs, SIEM systems, and configuration management systems. DMARC (domain-based message authentication, reporting, and conformance) and DKIM (domain keys identified mail) are configurations performed on a DNS server to verify whether an email is sent by a third-party are verified to send it on behalf of the organization. For example, if you are using a third-party mailing list provider, they need your organization to authorize them to send an email on your behalf by setting up DMARC and DKIM in on your DNS records. While this is an important security configuration, it would not be a good source of information to validate the results of an analyst’s vulnerability scans on a domain controller.
Incorrect
OBJ-3.1: Vulnerability scans should never take place in a vacuum. Analysts should correlate scan results with other information sources, including logs, SIEM systems, and configuration management systems. DMARC (domain-based message authentication, reporting, and conformance) and DKIM (domain keys identified mail) are configurations performed on a DNS server to verify whether an email is sent by a third-party are verified to send it on behalf of the organization. For example, if you are using a third-party mailing list provider, they need your organization to authorize them to send an email on your behalf by setting up DMARC and DKIM in on your DNS records. While this is an important security configuration, it would not be a good source of information to validate the results of an analyst’s vulnerability scans on a domain controller.
Unattempted
OBJ-3.1: Vulnerability scans should never take place in a vacuum. Analysts should correlate scan results with other information sources, including logs, SIEM systems, and configuration management systems. DMARC (domain-based message authentication, reporting, and conformance) and DKIM (domain keys identified mail) are configurations performed on a DNS server to verify whether an email is sent by a third-party are verified to send it on behalf of the organization. For example, if you are using a third-party mailing list provider, they need your organization to authorize them to send an email on your behalf by setting up DMARC and DKIM in on your DNS records. While this is an important security configuration, it would not be a good source of information to validate the results of an analyst’s vulnerability scans on a domain controller.
Question 47 of 60
47. Question
Which of the following protocols is considered insecure and should never be used in your networks?
Correct
OBJ-2.1: Telnet is an application protocol used on the internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. It is considered insecure and should never be used in secure networks because it transmits everything in cleartext, including your authentication credentials. Telnet should be replaced with a more secure option, such as the secure shell (SSH) protocol. SSH performs the same functions as telnet but uses an encrypted tunnel to maintain the data’s confidentiality be sent over it. SSH File Transfer Protocol (SFTP) is a network protocol that provides file access, file transfer, and file management over any reliable data stream. Hypertext Transfer Protocol Secure (HTTPS) is an extension of HTTP used for secure communication over a computer network by encrypting data being transferred over it with either TLS or SSL.
Incorrect
OBJ-2.1: Telnet is an application protocol used on the internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. It is considered insecure and should never be used in secure networks because it transmits everything in cleartext, including your authentication credentials. Telnet should be replaced with a more secure option, such as the secure shell (SSH) protocol. SSH performs the same functions as telnet but uses an encrypted tunnel to maintain the data’s confidentiality be sent over it. SSH File Transfer Protocol (SFTP) is a network protocol that provides file access, file transfer, and file management over any reliable data stream. Hypertext Transfer Protocol Secure (HTTPS) is an extension of HTTP used for secure communication over a computer network by encrypting data being transferred over it with either TLS or SSL.
Unattempted
OBJ-2.1: Telnet is an application protocol used on the internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. It is considered insecure and should never be used in secure networks because it transmits everything in cleartext, including your authentication credentials. Telnet should be replaced with a more secure option, such as the secure shell (SSH) protocol. SSH performs the same functions as telnet but uses an encrypted tunnel to maintain the data’s confidentiality be sent over it. SSH File Transfer Protocol (SFTP) is a network protocol that provides file access, file transfer, and file management over any reliable data stream. Hypertext Transfer Protocol Secure (HTTPS) is an extension of HTTP used for secure communication over a computer network by encrypting data being transferred over it with either TLS or SSL.
Question 48 of 60
48. Question
An organization is conducting a cybersecurity training exercise. Which team is Jason assigned to if he has been asked to monitor and manage the defenders and attackers’ technical environment during the exercise?
Correct
OBJ-5.2: Jason is assigned to the white team. The white team acts as the judges, enforces the rules of the exercise, observes the exercise, scores teams, resolves any problems that may arise, handles all requests for information or questions, and ensures that the competition runs fairly and does not cause operational problems for the defender’s mission. A red team is a group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. A blue team is a group of people responsible for defending an enterprise’s use of information systems by maintaining its security posture against a group of mock attackers. The purple team is made up of both the blue and red teams to work together to maximize their cyber capabilities through continuous feedback and knowledge transfer between attackers and defenders.
Incorrect
OBJ-5.2: Jason is assigned to the white team. The white team acts as the judges, enforces the rules of the exercise, observes the exercise, scores teams, resolves any problems that may arise, handles all requests for information or questions, and ensures that the competition runs fairly and does not cause operational problems for the defender’s mission. A red team is a group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. A blue team is a group of people responsible for defending an enterprise’s use of information systems by maintaining its security posture against a group of mock attackers. The purple team is made up of both the blue and red teams to work together to maximize their cyber capabilities through continuous feedback and knowledge transfer between attackers and defenders.
Unattempted
OBJ-5.2: Jason is assigned to the white team. The white team acts as the judges, enforces the rules of the exercise, observes the exercise, scores teams, resolves any problems that may arise, handles all requests for information or questions, and ensures that the competition runs fairly and does not cause operational problems for the defender’s mission. A red team is a group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. A blue team is a group of people responsible for defending an enterprise’s use of information systems by maintaining its security posture against a group of mock attackers. The purple team is made up of both the blue and red teams to work together to maximize their cyber capabilities through continuous feedback and knowledge transfer between attackers and defenders.
Question 49 of 60
49. Question
Which one of the following methods would provide the most current and accurate information about any vulnerabilities present in a system with a misconfigured operating system setting?
Correct
OBJ-1.3: An agent-based monitoring solution would be the best choice to meet these requirements. Agent-based monitoring provides more details of the configuration settings for a system and can provide an internal perspective. While vulnerability scans can give you a snapshot of a system’s status at a certain time, it will not remain current and accurate without continual rescanning.
Incorrect
OBJ-1.3: An agent-based monitoring solution would be the best choice to meet these requirements. Agent-based monitoring provides more details of the configuration settings for a system and can provide an internal perspective. While vulnerability scans can give you a snapshot of a system’s status at a certain time, it will not remain current and accurate without continual rescanning.
Unattempted
OBJ-1.3: An agent-based monitoring solution would be the best choice to meet these requirements. Agent-based monitoring provides more details of the configuration settings for a system and can provide an internal perspective. While vulnerability scans can give you a snapshot of a system’s status at a certain time, it will not remain current and accurate without continual rescanning.
Question 50 of 60
50. Question
Which of the following does a User Agent request a resource from when conducting a SAML transaction?
Correct
OBJ-2.2: Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal’s User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal’s credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.
Incorrect
OBJ-2.2: Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal’s User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal’s credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.
Unattempted
OBJ-2.2: Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal’s User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal’s credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.
Question 51 of 60
51. Question
Jay is replacing his organization’s current vulnerability scanner with a new tool. As he begins to create the scanner’s configurations and scanning policy, he notices a conflict in the settings recommended between different documents. Which of the following sources must Jay follow when trying to resolve these conflicts?
Correct
OBJ-5.3: Policies are formalized statements that apply to a specific area or task. Policies are mandatory, and employees who violate a policy may be disciplined. Guidelines are general, non-mandatory recommendations. Best practices are considered procedures that are accepted as being correct or most effective but are not mandatory to be followed. Configuration settings from the prior system could be helpful, but this is not a mandatory compliance area like a policy. Therefore, Jay should first follow the policy before the other three options if there is a conflict.
Incorrect
OBJ-5.3: Policies are formalized statements that apply to a specific area or task. Policies are mandatory, and employees who violate a policy may be disciplined. Guidelines are general, non-mandatory recommendations. Best practices are considered procedures that are accepted as being correct or most effective but are not mandatory to be followed. Configuration settings from the prior system could be helpful, but this is not a mandatory compliance area like a policy. Therefore, Jay should first follow the policy before the other three options if there is a conflict.
Unattempted
OBJ-5.3: Policies are formalized statements that apply to a specific area or task. Policies are mandatory, and employees who violate a policy may be disciplined. Guidelines are general, non-mandatory recommendations. Best practices are considered procedures that are accepted as being correct or most effective but are not mandatory to be followed. Configuration settings from the prior system could be helpful, but this is not a mandatory compliance area like a policy. Therefore, Jay should first follow the policy before the other three options if there is a conflict.
Question 52 of 60
52. Question
Which of the protocols listed is NOT likely to trigger a vulnerability scan alert when used to support a virtual private network (VPN)?
Correct
OBJ-1.4: IPSec is the most secure protocol that works with VPNs. The use of PPTP and SSL is discouraged for VPN security. Due to this, PPTP and SSL for a VPN will likely alert during a vulnerability scan as an issue to be remediated.
Incorrect
OBJ-1.4: IPSec is the most secure protocol that works with VPNs. The use of PPTP and SSL is discouraged for VPN security. Due to this, PPTP and SSL for a VPN will likely alert during a vulnerability scan as an issue to be remediated.
Unattempted
OBJ-1.4: IPSec is the most secure protocol that works with VPNs. The use of PPTP and SSL is discouraged for VPN security. Due to this, PPTP and SSL for a VPN will likely alert during a vulnerability scan as an issue to be remediated.
Question 53 of 60
53. Question
While studying for your CompTIA CySA+ course at SkillCertPro Training, you decided to install a SIEM to collect data on your home network and its systems. You do not want to spend any money purchasing a license, so you decide to use an open-source option instead. Which of the following SIEM solutions utilize an open-source licensing model?
Correct
OBJ-3.1: OSSIM is an open-source SIEM developed by AlienVault. It is capable of pulling information together from a wide variety of sources. ArcSight, Qradar, and Splunk are all proprietary, commercially licensed SIEM solutions.
Incorrect
OBJ-3.1: OSSIM is an open-source SIEM developed by AlienVault. It is capable of pulling information together from a wide variety of sources. ArcSight, Qradar, and Splunk are all proprietary, commercially licensed SIEM solutions.
Unattempted
OBJ-3.1: OSSIM is an open-source SIEM developed by AlienVault. It is capable of pulling information together from a wide variety of sources. ArcSight, Qradar, and Splunk are all proprietary, commercially licensed SIEM solutions.
Question 54 of 60
54. Question
You have just finished running an nmap scan on a server are see the following output:
-=-=-=-=-=-=–=-=-=-=-=-=–=-=-=-=-=-=–=-=-=-=-=-=-
# nmap skillcertprotraining.com
Starting Nmap ( http://nmap.org )
Nmap scan report for skillcertprotraining.com (64.13.134.52)
Not shown: 996 filtered ports
PORT STATE
22/tcp open
23/tcp open
53/tcp open
443/tcp open
Nmap done: 1 IP address (1 host up) scanned in 2.56 seconds
-=-=-=-=-=-=–=-=-=-=-=-=–=-=-=-=-=-=–=-=-=-=-=-=-
Based on the output above, which of the following ports listed as open represents the most significant security vulnerability to your network?
Correct
OBJ-1.4: Port 23 is used by telnet and is not considered secure because it sends all of its data in cleartext, including authentication data like usernames and passwords. As an analyst, you should recommend that telnet is disabled and blocked from use. The other open ports are for SSH (port 22), DNS (port 53), and HTTPS (port 443).
Incorrect
OBJ-1.4: Port 23 is used by telnet and is not considered secure because it sends all of its data in cleartext, including authentication data like usernames and passwords. As an analyst, you should recommend that telnet is disabled and blocked from use. The other open ports are for SSH (port 22), DNS (port 53), and HTTPS (port 443).
Unattempted
OBJ-1.4: Port 23 is used by telnet and is not considered secure because it sends all of its data in cleartext, including authentication data like usernames and passwords. As an analyst, you should recommend that telnet is disabled and blocked from use. The other open ports are for SSH (port 22), DNS (port 53), and HTTPS (port 443).
Question 55 of 60
55. Question
Your organization is preparing for its required quarterly PCI DSS external vulnerability scan. Who is authorized to perform this scan?
Correct
OBJ-5.3: The Payment Card Industry Data Security Standard (PCI DSS) is a prescriptive framework. It is not a law but a formal policy created by the credit card industry that organizations must follow to accept credit and bank cards for payment. Quarterly required external vulnerability scans must be run by a PCI DSS approved scanning vendor (ASV). This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!
Incorrect
OBJ-5.3: The Payment Card Industry Data Security Standard (PCI DSS) is a prescriptive framework. It is not a law but a formal policy created by the credit card industry that organizations must follow to accept credit and bank cards for payment. Quarterly required external vulnerability scans must be run by a PCI DSS approved scanning vendor (ASV). This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!
Unattempted
OBJ-5.3: The Payment Card Industry Data Security Standard (PCI DSS) is a prescriptive framework. It is not a law but a formal policy created by the credit card industry that organizations must follow to accept credit and bank cards for payment. Quarterly required external vulnerability scans must be run by a PCI DSS approved scanning vendor (ASV). This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!
Question 56 of 60
56. Question
You have been asked to conduct a forensic disk image on an internal 500 GB hard drive. You connect a write blocker to the drive and begin to image it using dd to copy the contents to an external 500 GB USB hard drive. Before completing the image, the tool reports that the imaging failed. Which of the following is most likely the reason for the image failure?
Correct
OBJ-4.4: If you have verified that the source and the target media are both the same size, then a failure has likely occurred due to bad media on the source drive or some bad sectors on the destination drive. The data can always be copied into a RAW format since it is a bit by bit copy and will copy even the source drive’s bad sectors. Even if the source disk were encrypted, the dd program would create a bit by bit copy to the destination drive for later cryptoanalysis attempts. Even if the data were modified, this would not cause the copy to fail. Instead, the copy would continue and record the modified data instead of the original data.
Incorrect
OBJ-4.4: If you have verified that the source and the target media are both the same size, then a failure has likely occurred due to bad media on the source drive or some bad sectors on the destination drive. The data can always be copied into a RAW format since it is a bit by bit copy and will copy even the source drive’s bad sectors. Even if the source disk were encrypted, the dd program would create a bit by bit copy to the destination drive for later cryptoanalysis attempts. Even if the data were modified, this would not cause the copy to fail. Instead, the copy would continue and record the modified data instead of the original data.
Unattempted
OBJ-4.4: If you have verified that the source and the target media are both the same size, then a failure has likely occurred due to bad media on the source drive or some bad sectors on the destination drive. The data can always be copied into a RAW format since it is a bit by bit copy and will copy even the source drive’s bad sectors. Even if the source disk were encrypted, the dd program would create a bit by bit copy to the destination drive for later cryptoanalysis attempts. Even if the data were modified, this would not cause the copy to fail. Instead, the copy would continue and record the modified data instead of the original data.
Question 57 of 60
57. Question
You are searching a Linux server for a possible backdoor during a forensic investigation. Which part of the file system should you search for evidence of a backdoor related to a Linux service?
Correct
OBJ-4.4: Linux services are started by xinetd, but some new versions use sytemctl. Therefore, the /etc/xinetd.conf should be analyzed for any evidence of a backdoor being started as part of the Linux services. Both the /etc/passwd and /etc/shadow files contain configurations specifically associated with individual user accounts. The /home/.ssh directory contains SSH keys for SSH-based logins.
Incorrect
OBJ-4.4: Linux services are started by xinetd, but some new versions use sytemctl. Therefore, the /etc/xinetd.conf should be analyzed for any evidence of a backdoor being started as part of the Linux services. Both the /etc/passwd and /etc/shadow files contain configurations specifically associated with individual user accounts. The /home/.ssh directory contains SSH keys for SSH-based logins.
Unattempted
OBJ-4.4: Linux services are started by xinetd, but some new versions use sytemctl. Therefore, the /etc/xinetd.conf should be analyzed for any evidence of a backdoor being started as part of the Linux services. Both the /etc/passwd and /etc/shadow files contain configurations specifically associated with individual user accounts. The /home/.ssh directory contains SSH keys for SSH-based logins.
Question 58 of 60
58. Question
Vulnerability scans must be conducted continuously to meet regulatory compliance requirements for the storage of PHI. During the last vulnerability scan, a cybersecurity analyst received a report of 2,592 possible vulnerabilities and was asked by the Chief Information Security Officer (CISO) for a plan to remediate all the known issues. Which of the following should the analyst do next?
Correct
OBJ-1.3: PHI is an abbreviation for Personal Health Information. When attempting to remediate numerous vulnerabilities, it is crucial to prioritize the vulnerabilities to determine which ones should be remediated first. In this case, there is a regulatory requirement to ensure the security of the PHI data. Therefore, those critical assets to the secure handling or storage of PHI are of the highest risk should be prioritized for remediation first. It is impractical to resolve all 2,592 vulnerabilities at once. Therefore, you should not identify all the false positives and exceptions and then resolve any remaining items since they won’t be prioritized for remediation. You should also not wait to perform additional scanning because a scan is only a snapshot of your current status. If it takes 30 days to remediate all the vulnerabilities and do not scan, new vulnerabilities may have been introduced. Placing all the PHI asserts into a sandbox will not work either because then you have removed them from the production environment, and they can no longer serve their critical business functions.
Incorrect
OBJ-1.3: PHI is an abbreviation for Personal Health Information. When attempting to remediate numerous vulnerabilities, it is crucial to prioritize the vulnerabilities to determine which ones should be remediated first. In this case, there is a regulatory requirement to ensure the security of the PHI data. Therefore, those critical assets to the secure handling or storage of PHI are of the highest risk should be prioritized for remediation first. It is impractical to resolve all 2,592 vulnerabilities at once. Therefore, you should not identify all the false positives and exceptions and then resolve any remaining items since they won’t be prioritized for remediation. You should also not wait to perform additional scanning because a scan is only a snapshot of your current status. If it takes 30 days to remediate all the vulnerabilities and do not scan, new vulnerabilities may have been introduced. Placing all the PHI asserts into a sandbox will not work either because then you have removed them from the production environment, and they can no longer serve their critical business functions.
Unattempted
OBJ-1.3: PHI is an abbreviation for Personal Health Information. When attempting to remediate numerous vulnerabilities, it is crucial to prioritize the vulnerabilities to determine which ones should be remediated first. In this case, there is a regulatory requirement to ensure the security of the PHI data. Therefore, those critical assets to the secure handling or storage of PHI are of the highest risk should be prioritized for remediation first. It is impractical to resolve all 2,592 vulnerabilities at once. Therefore, you should not identify all the false positives and exceptions and then resolve any remaining items since they won’t be prioritized for remediation. You should also not wait to perform additional scanning because a scan is only a snapshot of your current status. If it takes 30 days to remediate all the vulnerabilities and do not scan, new vulnerabilities may have been introduced. Placing all the PHI asserts into a sandbox will not work either because then you have removed them from the production environment, and they can no longer serve their critical business functions.
Question 59 of 60
59. Question
SkillCertPro Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal network. The CompTIA employees should obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if a SkillCertPro Training employee uses the same Ethernet port in the conference room, they should access SkillCertPro Training’s secure internal network. Which of the following technologies would allow you to configure this port and support both requirements?
Correct
OBJ-3.2: Network Access Control (NAC) uses a set of protocols to define and implement a policy that describes how to secure access to network nodes whenever a device initially attempts to access the network. NAC can utilize an automatic remediation process by fixing non-compliant hosts before allowing network access. Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do. In this scenario, implementing NAC can identify which machines are known and trusted SkillCertPro Training assets and provide them with access to the secure internal network. NAC could also determine unknown machines (assumed to be those of CompTIA employees) and provide them with direct internet access only by placing them onto a guest network or VLAN. While MAC filtering could be used to allow or deny access to the network, it cannot by itself control which set of network resources could be utilized from a single ethernet port. A security information and event management (SIEM) system provides real-time analysis of security alerts generated by applications and network hardware. An access control list could define what ports, protocols, or IP addresses the ethernet port could be utilized. Still, it would be unable to distinguish between a SkillCertPro Training employee’s laptop and a CompTIA employee’s laptop like a NAC implementation could.
Incorrect
OBJ-3.2: Network Access Control (NAC) uses a set of protocols to define and implement a policy that describes how to secure access to network nodes whenever a device initially attempts to access the network. NAC can utilize an automatic remediation process by fixing non-compliant hosts before allowing network access. Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do. In this scenario, implementing NAC can identify which machines are known and trusted SkillCertPro Training assets and provide them with access to the secure internal network. NAC could also determine unknown machines (assumed to be those of CompTIA employees) and provide them with direct internet access only by placing them onto a guest network or VLAN. While MAC filtering could be used to allow or deny access to the network, it cannot by itself control which set of network resources could be utilized from a single ethernet port. A security information and event management (SIEM) system provides real-time analysis of security alerts generated by applications and network hardware. An access control list could define what ports, protocols, or IP addresses the ethernet port could be utilized. Still, it would be unable to distinguish between a SkillCertPro Training employee’s laptop and a CompTIA employee’s laptop like a NAC implementation could.
Unattempted
OBJ-3.2: Network Access Control (NAC) uses a set of protocols to define and implement a policy that describes how to secure access to network nodes whenever a device initially attempts to access the network. NAC can utilize an automatic remediation process by fixing non-compliant hosts before allowing network access. Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do. In this scenario, implementing NAC can identify which machines are known and trusted SkillCertPro Training assets and provide them with access to the secure internal network. NAC could also determine unknown machines (assumed to be those of CompTIA employees) and provide them with direct internet access only by placing them onto a guest network or VLAN. While MAC filtering could be used to allow or deny access to the network, it cannot by itself control which set of network resources could be utilized from a single ethernet port. A security information and event management (SIEM) system provides real-time analysis of security alerts generated by applications and network hardware. An access control list could define what ports, protocols, or IP addresses the ethernet port could be utilized. Still, it would be unable to distinguish between a SkillCertPro Training employee’s laptop and a CompTIA employee’s laptop like a NAC implementation could.
Question 60 of 60
60. Question
Your service desk has been receiving many complaints from external users that a web application is responding slowly to requests and frequently receives a “connection timed out” error message when they attempt to submit information to the application. Which software development best practice should have been implemented to prevent this from occurring?
Correct
OBJ-2.2: Stress testing is a software testing activity that determines the robustness of software by testing beyond normal operating limits. Stress testing is essential for mission-critical software but can be used with all types of software. Stress testing is an important component of the capacity management process of IT service management. It ensures adequate resources are available to support the end user’s needs when an application goes into a production environment. Regression testing confirms that a recent program or code change has not adversely affected existing features. Input validation is the process of ensuring any user input have undergone cleansing to ensure it is properly formatted, correct, and useful. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program.
Incorrect
OBJ-2.2: Stress testing is a software testing activity that determines the robustness of software by testing beyond normal operating limits. Stress testing is essential for mission-critical software but can be used with all types of software. Stress testing is an important component of the capacity management process of IT service management. It ensures adequate resources are available to support the end user’s needs when an application goes into a production environment. Regression testing confirms that a recent program or code change has not adversely affected existing features. Input validation is the process of ensuring any user input have undergone cleansing to ensure it is properly formatted, correct, and useful. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program.
Unattempted
OBJ-2.2: Stress testing is a software testing activity that determines the robustness of software by testing beyond normal operating limits. Stress testing is essential for mission-critical software but can be used with all types of software. Stress testing is an important component of the capacity management process of IT service management. It ensures adequate resources are available to support the end user’s needs when an application goes into a production environment. Regression testing confirms that a recent program or code change has not adversely affected existing features. Input validation is the process of ensuring any user input have undergone cleansing to ensure it is properly formatted, correct, and useful. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program.
X
Use Page numbers below to navigate to other practice tests