CompTIA CySA+ (CS0-002) Practice Test 6
Question 1 of 60
A software assurance test analyst performs a dynamic assessment on an application by automatically generating random data sets and inputting them in an attempt to cause an error or failure condition. Which technique is the analyst utilizing?
OBJ-2.2: Fuzzing is an automated software assessment technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions (crashes), failing built-in code assertions, or potential memory leaks. Dynamic code analysis relies on studying how the code behaves during execution. Fuzzing is a specific type of dynamic code analysis, making it the better answer to this question. Static code analysis is a method of debugging by examining source code before a program is run. Known bad data injection is a technique where data known to cause an exception or fault is entered as part of the testing/assessment. Known bad data injection does not use randomly generated data sets, though.
Question 2 of 60
What is the lowest layer (bottom layer) of a bare-metal virtualization environment?
OBJ-2.1: In a bare-metal environment, the bottom layer is the physical hardware. It sits beneath the hypervisor, which in turn controls the guest operating systems’ access to it. The bare-metal approach doesn’t have a host operating system.
Question 3 of 60
What type of information will a Cisco switch log capture if it is configured to log at level 7?
OBJ-3.1: Cisco’s log levels range from level 0 (emergencies) to level 7 (debugging). Level 7 debugging output can be quite noisy, but it provides large amounts of information for analysis during an incident response.
Question 4 of 60
Which of the following vulnerability scanning tools would be used to conduct a web application vulnerability assessment?
OBJ-1.3: Nikto is a web application scanner that can perform comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers. While OpenVAS, Nessus, and Qualys have the ability to scan the web servers themselves for vulnerabilities, they are not the best option to conduct a web application vulnerability assessment. OpenVAS, Nessus, and Qualys are infrastructure vulnerability scanners that focus on vulnerabilities in hosts and network devices.
Question 5 of 60
Which of the following has occurred if a device fails to activate because it has detected an unknown modification?
OBJ-2.3: NIST defines self-checking behavior as a control used to prohibit illicit modification of hardware components. This can be done using anti-tamper technology like a field-programmable gate array (FPGA), a physically unclonable function (PUF), or other techniques. Obfuscation is the act of making something obscure, unclear, or unintelligible. Usually, this is done by encoding strings or binary information to make it less detectable by signature-based detection mechanisms. Improper authentication occurs when an attacker claims to have a given identity, and the software does not prove, or insufficiently proves, that the claim is correct. The Trusted Foundry Program, also called the trusted suppliers program, is a United States Department of Defense program designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military.
Question 6 of 60
You have tried to email yourself a file named “passwords.xlsx” from your corporate workstation to your Gmail account. Instead of receiving the file in your email, you received a description of why this was a policy violation and what you can do to get the file released or resent. Which of the following DLP remediation actions has occurred?
OBJ-3.2: Tombstone remediation quarantines and replaces the original file with one describing the policy violation and how the user can rerelease it. Quarantine denies access to the original file to the user (or possibly any user). This might be accomplished by encrypting the file in place or by moving it to a quarantine area in the file system. Block prevents the user from copying the original file but retains access to it. The user may or may not be alerted to the policy violation, but it will be logged as an incident by the management engine. Alert only allows the copying to occur, but the management system records an incident and may alert an administrator.
Question 7 of 60
An electronics store was recently the victim of a robbery where an employee was injured, and some property was stolen. The store’s IT department hired an external supplier to expand its network to include a physical access control system. The system has video surveillance, intruder alarms, and remotely monitored locks using an appliance-based system. Which of the following long-term cybersecurity risks might occur based on these actions?
OBJ-2.1: While the physical security posture of the company has definitely been improved by adding the cameras, alarms, and locks, this appliance-based system may pose additional risks to the store’s network. Specialized technology and appliance-based systems rarely receive security updates at the same rate as regular servers or endpoints. These devices need to be on a network to ensure that their network functions can continue, but they don’t necessarily need to be on the enterprise production network. A good option would be to set up a parallel network that is physically or logically isolated from the enterprise network and install the video cameras, alarms, and locks on that one. These devices cannot be isolated from the internet without compromising their functions, such as allowing remote monitoring of the system and locks. The devices should be scanned for viruses before installation, but that is a short-term consideration and doesn’t protect them long-term.
Question 8 of 60
Which of the following roles should coordinate communications with the media during an incident response?
OBJ-4.1: Public relations staff should be included in incident response teams to coordinate communications with the general public and the media to manage any negative publicity from a serious incident. Information about the incident should be released in a controlled way when appropriate through known press and external public relations agencies. Senior leadership should be focused on how the incident affects their departments or functional areas to make the best decisions. Senior leadership should not talk to the media without guidance from the public relations team. System administrators are part of the incident response team since they know the network’s normal baseline behavior and its systems better than anyone else. System administrators should not talk to the media during an incident response. Human resources are part of the incident response team to appropriately contact any suspected insider threats and ensure no breaches of employment law or employment contracts are made.
Question 9 of 60
You have been hired to investigate a possible insider threat from a user named Terri. Which command would you use to review all sudo commands ever issued by Terri (whose login account is terri and UID=1003) on a Linux system? (Select the MOST efficient command)
OBJ-3.1: journalctl is a command for viewing logs collected by systemd. The systemd-journald service is responsible for systemd’s log collection, and it retrieves messages from the kernel, systemd services, and other sources. These logs are gathered in a central location, which makes them easy to review. If you specify the parameter _UID=1003, you will only receive entries made under the authority of the user with ID (UID) 1003. In this case, that is Terri. Using a pipe, we can send that list of entries into the grep command as input and filter the results before returning them to the screen. This command will be sufficient to see all the times that Terri has executed something as the superuser using privilege escalation. If there are too many results, we could further filter the results using regular expressions with grep using the -e flag. Since the UID of 1003 is only used by Terri, it is unnecessary to add [Tt]erri to your grep filter, as the only results for UID 1003 (terri) will already be shown. So, while all four of these would produce the same results, the most efficient option to accomplish this is by entering “journalctl _UID=1003 | grep sudo” in the terminal. Don’t be intimidated when you see questions like this; walk through each part of the command step by step and determine the differences. In this question, you may not have known what journalctl is, but you didn’t need to. You needed to identify which grep expression was the shortest that would still get the job done. By comparing the differences between the options presented, you could likely take your best guess and identify the right one.
Question 10 of 60
An analyst just completed a port scan and received the following results of open ports:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
TCP: 80
TCP: 110
TCP: 443
TCP: 1433
TCP: 3306
TCP: 3389
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on these scan results, which of the following services are NOT currently operating?
OBJ-1.4: Based on the port numbers shown as open in the nmap scan results, SSH is not currently operating. SSH operates over port 22. Web servers use port 80 for HTTP and 443 for HTTPS. Database servers run on port 1433 (Microsoft SQL) or 3306 (MySQL). Remote Desktop Protocol runs on port 3389.
Question 11 of 60
Fail To Pass Systems has just been the victim of another embarrassing data breach. Their database administrator needed to work from home this weekend, so he downloaded the corporate database to his work laptop. On his way home, he left the laptop in an Uber, and a few days later, the data was posted on the internet. Which of the following mitigations would have provided the greatest protection against this data breach?
OBJ-5.1: The greatest protection against this data breach would have been to require data at rest encryption on all endpoints, including this laptop. If the laptop were encrypted, the data would not have been readable by others, even if it was lost or stolen. While requiring a VPN for all telework employees is a good idea, it would not have prevented this data breach since the laptop’s loss caused it. Even if a VPN had been used, the same data breach would have still occurred if the employee copied the database to the machine. Remember on exam day that many options are good security practices, but you must select the option that solves the issue or problem in the question being asked. Similarly, data masking and NDAs are useful techniques, but they would not have solved this particular data breach.
Question 12 of 60
Which of the following types of output encoding is being used in the following output?
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
aGVsbG8gd29ybGQNCg==
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
OBJ-4.3: The string aGVsbG8gd29ybGQNCg== is using Base64 encoding. Base64 encoding is commonly used to convert binary data, such as ASCII text characters, into an encoded string to bypass detection mechanisms in a network. While a Base64 string won’t always end with an equal or double equal sign, it is common to see them used. This is because the equal signs pad the string to the proper length so that the final block of the message can be decoded.
Question 13 of 60
A recent vulnerability scan found several vulnerabilities on an organization’s public-facing IP addresses. To reduce the risk of a breach, which of the following vulnerabilities should be prioritized for remediation?
OBJ-1.4: The most serious vulnerability discovered is one that could allow remote code execution to occur. Since this buffer overflow vulnerability is known to allow remote code execution, it must be mitigated first to prevent a security breach most effectively. While the other issues should be addressed eventually, you need to prioritize the most critical one (remote code execution) on a public-facing IP address. A public-facing IP address means the device is accessible from the internet.
Question 14 of 60
Which type of threat actor can accidentally or inadvertently cause a security incident in your organization?
Correct
OBJ-1.1: An insider threat is a threat actor who has been assigned privileges on the system and who causes an incident either intentionally or unintentionally. Insiders can be used as unwitting pawns by external groups or can make mistakes that open exploitable security vulnerabilities. Hacktivists, organized crime groups, and advanced persistent threat (APT) actors do not target organizations accidentally; their actions are deliberate. A hacktivist is an attacker motivated by a social issue or political cause. Organized crime is a threat actor that uses hacking and computer fraud for commercial gain. An advanced persistent threat (APT) is a threat actor that can obtain, maintain, and diversify access to network systems using exploits and malware.
Question 15 of 60
15. Question
Which of the following types of information is protected by rules in the United States that specify the minimum frequency of vulnerability scanning required for devices that process it?
Correct
OBJ-5.1: The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. The standard is mandated by the card brands and administered by the PCI Security Standards Council. As part of PCI DSS compliance, organizations must run internal and external vulnerability scans at least quarterly (and after significant changes) on any devices or systems that process cardholder data, with the external scans performed by an Approved Scanning Vendor (ASV). HIPAA protects medical and insurance records, but it does not define a required frequency for vulnerability scanning. Driver's license numbers are considered PII, but again, no law, regulation, or rule defines a scanning frequency for systems that hold PII.
Question 16 of 60
16. Question
Which of the following tools is useful for capturing Windows memory data for forensic analysis?
Correct
OBJ-4.4: The Volatility framework, DumpIt, and EnCase are all used for Windows memory forensics: DumpIt and EnCase acquire a live system's RAM, and Volatility is used primarily to analyze the resulting memory image. The dd tool is used to create forensic disk images (bit-for-bit copies of storage), not Windows memory captures. Wireshark is used for packet capture and analysis. Nessus is a commonly used vulnerability scanner.
Question 17 of 60
17. Question
You are conducting an incident response and have traced the attack source to some compromised user credentials. After performing log analysis, you discover that the attack was successfully authenticated from an unauthorized foreign country. Your management is now asking for you to implement a solution to help mitigate this type of attack from occurring again. Which of the following should you implement?
Correct
OBJ-3.2: Context-based authentication considers several factors beyond the password before permitting access, including the user's location (country, GPS coordinates, source network), the time of day, the device being used, and the travel speed implied by the previous login, so it can block or challenge an attacker who holds valid but stolen credentials. A self-service password reset is any process or technology that lets users who have forgotten their password or triggered an intruder lockout authenticate with an alternate factor and fix the problem without calling the help desk; while helpful, it does nothing to stop an attacker from using credentials that are already compromised. Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to several related yet independent systems. It reduces the number of credentials a user must remember, but if those credentials are stolen the attacker gains access to every system the user could reach, which widens the problem. Password complexity is also worth enforcing, but it does not address the challenge in this scenario: stronger complexity makes brute-force guessing harder, yet credentials obtained any other way (phishing, reuse from a breach, malware) still let the attacker log in.
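To make the country and travel-speed factors concrete, here is an added example (not code from the original page) of a small context-based authentication policy evaluated after the password check has already succeeded: logins from countries outside an allow-list are denied, and a login that would require travelling faster than an aircraft since the user's last accepted login triggers a step-up (extra factor). The allow-list, the 900 km/h threshold, the 50 km GeoIP slack and the login events are all constructed assumptions for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime        # UTC timestamp of the successful password check
    country: str        # ISO country code from a GeoIP lookup of the source address
    lat: float          # GeoIP coordinates of the source address
    lon: float


# Policy knobs (assumptions for this example, not values from the page).
ALLOWED_COUNTRIES = {"US", "CA"}
MAX_SPEED_KMH = 900.0     # roughly airliner speed; faster means two people share one credential
GEOIP_SLACK_KM = 50.0     # ignore small jumps caused by GeoIP imprecision


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def evaluate(event: LoginEvent, previous: Optional[LoginEvent]) -> Tuple[str, str]:
    """Decide allow / step-up / deny from context, after the password already matched."""
    if event.country not in ALLOWED_COUNTRIES:
        return "deny", f"country {event.country} not on the allow-list"
    if previous is not None:
        hours = (event.ts - previous.ts).total_seconds() / 3600.0
        dist = haversine_km(previous.lat, previous.lon, event.lat, event.lon)
        # Displacement in zero (or negative) time, or faster than an aircraft, is impossible travel.
        if dist > GEOIP_SLACK_KM and (hours <= 0 or dist / hours > MAX_SPEED_KMH):
            return "step-up", f"{dist:.0f} km since last login {hours:.2f} h ago exceeds {MAX_SPEED_KMH:.0f} km/h"
    return "allow", "context consistent with previous login"


def process(events: List[LoginEvent]) -> List[Tuple[str, str]]:
    """Run the policy over a stream of events, tracking each user's last accepted login."""
    last_ok: Dict[str, LoginEvent] = {}
    decisions = []
    for ev in events:
        decision, reason = evaluate(ev, last_ok.get(ev.user))
        decisions.append((decision, reason))
        if decision == "allow":      # a pending step-up does not move the baseline
            last_ok[ev.user] = ev
    return decisions


def _utc(*args: int) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed events (coordinates are approximate city centres; assumptions for the demo).
EVENTS = [
    LoginEvent("alice", _utc(2024, 3, 4, 9, 0), "US", 40.71, -74.01),     # New York
    LoginEvent("alice", _utc(2024, 3, 4, 10, 30), "US", 42.36, -71.06),   # Boston, 1.5 h later
    LoginEvent("alice", _utc(2024, 3, 4, 11, 0), "US", 34.05, -118.24),   # Los Angeles, 30 min later
    LoginEvent("bob", _utc(2024, 3, 4, 3, 0), "DE", 52.52, 13.41),        # Berlin, outside policy
]

if __name__ == "__main__":
    for ev, (decision, reason) in zip(EVENTS, process(EVENTS)):
        print(f"{ev.user:6} {ev.ts:%H:%M} {ev.country}: {decision:8} {reason}")
```

In production the "step-up" outcome would be an MFA prompt and the baseline would only advance once that prompt succeeds; VPN egress points and cloud proxies should be allow-listed separately, since they make legitimate users appear to teleport.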
Question 18 of 60
18. Question
You are conducting a code review of a program and observe the following calculation of 0xffffffff + 1 was attempted, but the result was returned as 0x0000000. Based on this, what type of exploit could be created against this program?
Correct
OBJ-1.7: Integer overflows and other integer manipulation vulnerabilities frequently lead to buffer overflows. An integer overflow occurs when an arithmetic operation produces a value too large to fit in the space allocated for it. Integers are stored in 32 bits on the x86 architecture; therefore, if an unsigned 32-bit operation produces a value greater than 0xffffffff, the result wraps around modulo 2^32, which is why 0xffffffff + 1 came back as 0x00000000 in this example. When a wrapped value is later used as a length or allocation size, a bounds check can pass even though the subsequent copy writes far more data than the buffer holds. SQL injection is an attack that injects a database query into the input data directed at a server via the application's client side. Password spraying is a type of brute force attack in which many user accounts are tested against a short list of common passwords. Impersonation is the act of pretending to be another person or system for fraud.
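The step from "0xffffffff + 1 returned 0" to "a buffer overflow" is the part worth seeing. The following added example (not code from the original page) emulates C's unsigned 32-bit arithmetic in Python and shows how a length check that computes `length + 1` passes for an attacker-supplied length of 0xffffffff, letting the later copy write past a 256-byte buffer, next to the corrected check that rejects the wrap before it happens. The buffer size and the multiplication variant at the end are assumptions for the demo.

```python
from typing import Callable

UINT32_MAX = 0xFFFFFFFF
BUF_SIZE = 256            # bytes available in the destination buffer (assumed for the demo)


def u32_add(a: int, b: int) -> int:
    """Unsigned 32-bit addition as a C uint32_t does it: the result wraps modulo 2**32."""
    return (a + b) & UINT32_MAX


def u32_mul(a: int, b: int) -> int:
    """Unsigned 32-bit multiplication with the same wrap-around."""
    return (a * b) & UINT32_MAX


def vulnerable_length_ok(length: int) -> bool:
    """Mirrors the C idiom `if (length + 1 <= BUF_SIZE)` evaluated in 32-bit arithmetic.
    The +1 reserves room for a terminator, but 0xffffffff + 1 wraps to 0 and passes."""
    return u32_add(length, 1) <= BUF_SIZE


def safe_length_ok(length: int) -> bool:
    """Reject the wrap before it happens: length + 1 overflows iff length == UINT32_MAX.
    (In C: check `length > UINT32_MAX - 1` first, or use __builtin_add_overflow.)"""
    if length > UINT32_MAX - 1:
        return False
    return length + 1 <= BUF_SIZE


def copy_outcome(length: int, check: Callable[[int], bool]) -> str:
    """Model what happens after the check: the real code would memcpy `length` bytes
    into a BUF_SIZE-byte buffer, so anything past BUF_SIZE is an out-of-bounds write."""
    if not check(length):
        return "rejected"
    if length > BUF_SIZE:
        return f"buffer overflow: {length} bytes written into {BUF_SIZE}-byte buffer"
    return "ok"


def vulnerable_alloc_size(count: int, elem_size: int) -> int:
    """The allocation-size variant: `malloc(count * elem_size)` wraps to a tiny allocation
    while a later loop still writes `count` elements into it."""
    return u32_mul(count, elem_size)


if __name__ == "__main__":
    print(hex(u32_add(0xFFFFFFFF, 1)))                 # the value seen in the code review
    print(copy_outcome(0xFFFFFFFF, vulnerable_length_ok))
    print(copy_outcome(0xFFFFFFFF, safe_length_ok))
    print(vulnerable_alloc_size(0x40000001, 4))        # 4-byte allocation for 2**30 + 1 elements
```

The general rule the fixed check follows is to test for overflow on the operands before performing the arithmetic, never on the result afterwards, because the wrapped result is indistinguishable from a legitimate small value.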
Question 19 of 60
19. Question
Raj is working to deploy a new vulnerability scanner for an organization. He wants to verify the information he gets is the most accurate view of the configurations on the organization’s traveling salespeople’s laptops to determine if any configuration issues could lead to new vulnerabilities. Which of the following technologies would work BEST to collect the configuration information in this situation?
Correct
OBJ-3.1: Agent-based scanning typically gives the most reliable results for systems that are frequently disconnected from the network as well as for those that stay connected, which makes it ideal for traveling salespeople whose laptops are rarely on the organization's network. The agent runs its scan locally, even while the laptop is offline, and reports the results to a centralized server the next time it connects. Server-based (network) scanning, non-credentialed scanning, and passive network monitoring all require the device to be reachable on the network while the assessment runs, so they cannot collect accurate configuration data from a laptop that is away from the office.
Question 20 of 60
20. Question
Your organization requires the use of TLS or IPSec for all communications with an organization’s network. Which of the following is this an example of?
Correct
OBJ-5.1: Data in transit (or data in motion) is data being transmitted over a network, such as website traffic, remote access traffic, and data being synchronized between cloud repositories. In this state it is protected by a transport encryption protocol such as TLS or IPsec, which is exactly what the requirement in the question describes. Data at rest is data held on persistent storage media; it is protected by whole disk encryption, database encryption, and file- or folder-level encryption. Data in use is data present in volatile memory, such as system RAM or CPU registers and cache. Secure processing mechanisms such as Intel Software Guard Extensions can keep data encrypted while it exists in memory so that an untrusted process cannot read it; this relies on a secure enclave and a hardware root of trust. Data loss prevention (DLP) products automate the discovery and classification of data and enforce rules so that data is not viewed or transferred without proper authorization. DLP is a control that can be applied to data at rest, in transit, or in use; it is not itself a data state.
Question 21 of 60
21. Question
A penetration tester is using a known vulnerability to compromise an Apache webserver. After they gain access to the server, what is their next step to pivot to a protected system behind the DMZ?
Correct
OBJ-1.7: Apache's worker processes run as an unprivileged service account by default, not as root or an administrative account. To be efficient and effective, the penetration tester should attempt privilege escalation on the compromised web server before using it as a pivot point into the protected network behind the DMZ. A penetration tester would not normally patch the system, run a vulnerability scan, or install additional tools at this stage, since none of those advance the goal of pivoting through the DMZ to the protected system.
Question 22 of 60
22. Question
Which analysis framework makes no allowance for an adversary retreat in its analysis?
Correct
OBJ-2.1: The Lockheed Martin cyber kill chain implicitly assumes a unidirectional, linear workflow from reconnaissance through actions on objectives, so it makes no allowance for an adversary retreating and re-entering at an earlier stage. The MITRE ATT&CK framework and the Diamond Model of Intrusion Analysis are more dynamic and accommodate a broader range of adversary behaviors. AlienVault's variant of the kill chain was specifically designed to avoid the rigidity of the Lockheed Martin cyber kill chain.
Question 23 of 60
23. Question
Which operating system feature is designed to detect malware that is loaded early in the system startup process or before the operating system can load itself?
Correct
OBJ-2.3: Measured boot is a firmware and operating-system feature in which each component involved in startup (firmware, bootloader, kernel, early drivers) is hashed before it runs and the hash is extended into the trusted platform module's platform configuration registers (PCRs), with a matching event log kept for later retrieval. An attestation service or anti-malware agent on a remote server can then compare the TPM-backed measurements against known-good values and detect code that loaded before or during OS startup. Master boot record analysis captures the hard disk's boot-sector information to support a forensic investigation; it does not detect malware as the system boots. Startup control determines which programs are loaded once the operating system has booted, which is too late to detect malware loaded during firmware and boot-loader execution. Advanced anti-malware solutions run inside the operating system and are therefore also loaded too late to be effective against boot-sector viruses and other BIOS/UEFI malware.
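The reason measured boot catches early-loading malware is the PCR extend operation: each measurement is folded into the previous register value by a one-way hash, so a modified bootloader changes every later PCR value and there is no way to "unextend" it. The following added example (not code from the original page or any real TPM stack) simulates the extend chain, the event log, and the verifier's two checks: that the log reproduces the PCR and that the PCR equals a known-good value. The boot images and the golden values are constructed placeholders.

```python
import hashlib
from typing import List, Tuple

PCR_INIT = b"\x00" * 32            # PCRs are zero at power-on and only the TPM can reset them
EventLog = List[Tuple[str, str]]   # (component name, hex SHA-256 measurement)


def measure(image: bytes) -> bytes:
    """Measurement of a boot component: its hash, taken before control passes to it."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: PCR_new = SHA-256(PCR_old || measurement).
    One-way and order-dependent, so a PCR cannot be set to a chosen value."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(chain: List[Tuple[str, bytes]]) -> Tuple[bytes, EventLog]:
    """Each stage measures the next one into the PCR and records it in the event log."""
    pcr, log = PCR_INIT, []
    for name, image in chain:
        m = measure(image)
        log.append((name, m.hex()))
        pcr = extend(pcr, m)
    return pcr, log


def replay_log(log: EventLog) -> bytes:
    """The verifier recomputes the PCR from the (untrusted) event log alone."""
    pcr = PCR_INIT
    for _, m_hex in log:
        pcr = extend(pcr, bytes.fromhex(m_hex))
    return pcr


def attest(pcr: bytes, log: EventLog, golden_pcr: bytes, golden_log: EventLog) -> Tuple[bool, str]:
    """Remote attestation: the log must reproduce the TPM-reported PCR, and the PCR must
    equal the known-good value recorded from a trusted boot of the same platform."""
    if replay_log(log) != pcr:
        return False, "event log does not reproduce the PCR: the log was tampered with"
    if pcr != golden_pcr:
        for (name, m_hex), (_, gold_hex) in zip(log, golden_log):
            if m_hex != gold_hex:
                return False, f"PCR differs from known-good value: {name} was modified"
        return False, "PCR differs from known-good value: boot chain length or order changed"
    return True, "boot chain matches the known-good measurement"


# Constructed boot chain (placeholder bytes stand in for real firmware, bootloader and kernel images).
GOOD_CHAIN = [
    ("firmware", b"UEFI firmware image (constructed)"),
    ("bootloader", b"bootmgfw.efi (constructed)"),
    ("kernel", b"ntoskrnl.exe (constructed)"),
]
GOLDEN_PCR, GOLDEN_LOG = measured_boot(GOOD_CHAIN)


def bootkit_chain() -> List[Tuple[str, bytes]]:
    """The same chain with the bootloader replaced by a (constructed) bootkit."""
    return [(n, img + b" + bootkit" if n == "bootloader" else img) for n, img in GOOD_CHAIN]


if __name__ == "__main__":
    pcr, log = measured_boot(bootkit_chain())
    print(attest(GOLDEN_PCR, GOLDEN_LOG, GOLDEN_PCR, GOLDEN_LOG))
    print(attest(pcr, log, GOLDEN_PCR, GOLDEN_LOG))          # caught via the bootloader measurement
    print(attest(pcr, GOLDEN_LOG, GOLDEN_PCR, GOLDEN_LOG))   # forged log; the PCR gives it away
```

On real hardware the PCR value is returned inside a TPM quote signed by an attestation key, which is what stops a compromised OS from simply reporting the golden value; the simulation above leaves that signature out and concentrates on why the extend chain itself cannot be rewritten.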
Question 24 of 60
24. Question
Which security control would prevent unauthorized users from connecting to a company’s wireless network?
Correct
OBJ-2.1: Network Access Control (NAC), typically enforced on wireless networks with 802.1X port-based authentication, prevents unauthorized users and devices from connecting to the network at all. Firewalls and intrusion prevention systems (IPS) are meant to restrict access from external sources and block known attacks; they would not keep out an intruder who is already within range of the wireless network and associates with it. Network segmentation would limit the access an intruder has to network resources but would not block the connection itself.
Question 25 of 60
25. Question
You have just returned from a business trip to a country with a high intellectual property theft rate. Which of the following precautions should you take before reconnecting your laptop to your corporate network? (SELECT TWO)
Correct
OBJ-2.3: Scanning for viruses is a good idea and should be done, but on its own it is insufficient to detect all the ways an advanced adversary could have tampered with your laptop while it was outside your custody for any significant length of time, such as while it sat in your hotel room. A 'before' image taken prior to the trip is needed to compare the laptop against on your return so that modifications made while it was out of your control can be detected. Destruction would be wasteful without evidence of a crime, so it is not the best option. Reimaging may be advantageous but will not remove any hardware modification an attacker may have installed. Degaussing is considered a purging activity, but it also destroys the laptop's hard drive. Enabling full disk encryption is good security practice, but it should have been enabled before the trip; encrypting the drive after you return does not help if the attacker has already modified the laptop.
Question 26 of 60
26. Question
Which of the following types of digital forensic investigations is most challenging due to the on-demand nature of the analyzed assets?
Correct
OBJ-4.4: The on-demand nature of cloud services means that instances are frequently created and destroyed again, often leaving no opportunity for forensic recovery of their data. Cloud providers can mitigate this to some extent with extensive logging and monitoring options. A CSP might also provide an option to generate file system and memory snapshots from containers and VMs in response to an alert condition raised by a SIEM. Employee workstations are often the easiest systems to conduct forensics on since they are, for the most part, single-user environments. Mobile devices present some unique challenges because of their operating systems, but good forensic tool suites are available to ease acquisition and analysis. On-premises servers are more challenging than a workstation to analyze, but they do not suffer from the same issues as cloud-based services and servers.
Question 27 of 60
27. Question
A software assurance laboratory performs a dynamic assessment on an application by automatically generating random data sets and inputting them in an attempt to cause an error or failure condition. Which of the following is the laboratory performing?
Correct
OBJ-2.2: Fuzzing, or fuzz testing, is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. User acceptance testing is the process of verifying that the delivered solution or software meets its users’ requirements in real-world use. Security regression testing verifies that changes made to a system have not reintroduced previously fixed security flaws or weakened existing security controls. Stress testing verifies the system’s stability and reliability by measuring its robustness and error handling under heavy load conditions.
Question 28 of 60
28. Question
You are in the recovery steps of an incident response. Your analysis revealed that the attacker exploited an unpatched vulnerability on a public-facing web server as the initial intrusion vector in this incident. Which of the following mitigations should be implemented first during the recovery?
Correct
OBJ-4.2: All of the options listed are security best practices to implement before and after a detected intrusion, but scanning for additional instances of this vulnerability should be performed first. Often, an enterprise network uses the same baseline configuration for all servers and workstations. Therefore, if a vulnerability is exploited on one device (such as a missing patch or an insecure configuration), that same vulnerability could exist on many other assets across the network. During your recovery, you must identify whether any other network systems share the same vulnerability and mitigate them. If you don’t, the attacker could quickly re-enter your network simply by attacking another machine with the same techniques used during this intrusion. The other options listed are all examples of additional device hardening that should be conducted during recovery after you have addressed the exploited vulnerability across the rest of the network.
Question 29 of 60
29. Question
An attacker recently compromised an e-commerce website for a clothing store. Which of the following methods did the attacker use to harvest an account’s cached credentials when the user logged into an SSO system?
Correct
OBJ-4.3: Pass the Hash (PtH) is the technique that applies when an attacker harvests an account’s cached credential material, specifically the NTLM password hash left in memory when the user logs in to a system that participates in single sign-on (SSO), and then replays that hash to authenticate to other systems without ever learning the plaintext password. A golden ticket is a forged Kerberos ticket-granting ticket (TGT), created with the stolen hash of the domain’s krbtgt account, that lets the attacker request service tickets for any resource in the Active Directory domain, including domain controllers. Lateral movement is an umbrella term for a variety of techniques used to spread from one compromised host to others; compromising host credentials greatly extends an attacker’s ability to move laterally. Pivoting is a closely related process in which attackers route their traffic through one compromised host (the pivot) to reach other hosts that would otherwise be inaccessible to them.
Question 30 of 60
30. Question
Edward’s bank recently suffered an attack where an employee made an unauthorized modification to a customer’s bank balance. Which tenet of cybersecurity was violated by this employee’s actions?
Correct
OBJ-5.2: The CIA Triad is a security model that helps people think about the different goals of IT security. Integrity ensures that no unauthorized modifications are made to information. The attack described here violates the integrity of the customer’s bank account balance. Confidentiality is concerned with preventing unauthorized people from seeing the contents of the data; in this scenario, the employee was authorized to see the bank balance but not to change its value. Availability is concerned with the data being accessible when and where it is needed, which was not affected by the employee’s actions. Authentication is the process of verifying the identity of a user or system before granting access; it is not one of the CIA tenets, and nothing in the scenario suggests the employee’s identity was forged. The employee was a legitimately authenticated user who exceeded their authorization.
Question 31 of 60
31. Question
A cybersecurity analyst conducts proactive threat hunting on a network by correlating and searching the Sysmon and Windows Event logs. The analyst uses the following query as part of their hunt:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Query: “mimikatz” NOT “EventCode=4658” NOT “EventCode=4689” EventCode=10 | stats count by _time, SourceImage, TargetImage, GrantedAccess
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on the query above, which of the following potential indicators of compromise is the threat hunter relying on?
Correct
OBJ-3.3: This is a difficult question, but you should spot the keyword in the query, “mimikatz.” Mimikatz is a leading post-exploitation tool that dumps plaintext passwords, hashes, PINs, and Kerberos tickets from memory, chiefly from the LSASS process. It also enables attacks such as pass-the-hash, pass-the-ticket, and forging Kerberos golden tickets, which makes post-exploitation lateral movement within a network easy for attackers. It is unauthorized software in almost any environment and should be alerted on immediately if discovered on your network. The rest of the query supports this reading: Sysmon Event ID 10 (ProcessAccess) records one process opening a handle to another, which is exactly how mimikatz reads LSASS memory, and the SourceImage, TargetImage, and GrantedAccess fields show which process opened which target and with what access rights, while the NOT clauses drop the noisy Windows Security events 4658 (handle closed) and 4689 (process exited). Data exfiltration is the process by which an attacker moves data stored inside a private network to an external network. Processor consumption is an IoC based on monitoring per-process CPU time to find what is causing abnormal load. Irregular peer-to-peer communication occurs when hosts within a network establish connections over unauthorized ports or perform unexpected data transfers with one another.
OBJ-3.1: This is an example of a Boolean-based SQL injection. SQL injection occurs when data input by a user is interpreted by the backend database as part of a SQL command rather than as ordinary data. In this example, the value supplied after the equals sign in the URL is equivalent to 1 OR 17-7=10. The expression 17-7=10 evaluates to true (1), and anything OR true is true, so the WHERE clause is satisfied for every row regardless of the original condition, and the database treats the request as valid (for example, as a successful authentication). This is simply an obfuscated form of the classic 1=1 injection, written so that a naive filter looking for the literal string 1=1 will not catch it. A buffer overflow is an exploit that writes more data to a buffer than it can hold in order to overwrite an adjacent memory location. A session hijacking attack exploits the web session control mechanism, normally by stealing or predicting a session token. XML injection is an attack technique used to manipulate or compromise the logic of an XML application or service.
Question 33 of 60
33. Question
After 9 months of C++ programming, the team at Whammiedyne systems has released their new software application. Within just 2 weeks of release, though, the security team discovered multiple serious vulnerabilities in the application that must be corrected. To retrofit the source code to include the required security controls will take 2 months of labor at the cost of $100,000. Which development framework should Whammiedyne use in the future to prevent this situation from occurring in other projects?
Correct
OBJ-3.4: DevSecOps is a combination of software development, security operations, and systems operations, and refers to the practice of integrating each discipline with the others. DevSecOps approaches are generally better positioned to prevent problems like this one because security is built in during development instead of being retrofitted afterward. The DevOps model integrates development and IT operations staff but does not formally include security personnel or security testing in the pipeline. The agile software development model focuses on iterative and incremental development to accommodate evolving requirements and expectations. The waterfall software development model cascades the phases of the SDLC so that each phase starts only when all of the tasks in the previous phase are complete. A team of developers can produce secure software using either the waterfall or the agile model, so neither is the right answer to this issue.
Question 34 of 60
34. Question
An incident response team is publishing an incident summary report and is determining the evidence retention requirements for the data collected during a response. Which of the following incident response phases is currently being performed by the team?
Correct
OBJ-4.2: The post-incident activities phase is when report writing occurs, incident summary reports are published, evidence retention is determined, and lessons learned reports are created. An incident response has five stages: preparation, detection and analysis, containment, eradication and recovery, and post-incident activities.
Question 35 of 60
35. Question
In which type of attack does the attacker begin with a normal user account and then seek additional access rights?
Correct
OBJ-1.7: Privilege escalation attacks seek to increase the level of access an attacker has to a target system. Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. Spear phishing is an email or electronic communications scam targeted at a specific individual, organization, or business. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. Remote code execution (RCE) is an attacker’s ability to run arbitrary code of their choosing on a victim’s system over a network, regardless of where the device is geographically located.
Question 36 of 60
36. Question
Consider the following REGEX search string:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following strings would NOT be included in the output of this search?
Correct
OBJ-3.1: The \b anchors are word boundaries, so the pattern only matches where the address begins and ends as a whole word rather than inside a longer run of letters or digits. The REGEX is made up of four identical groups, (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?), separated by \. and corresponding to the four octets of an IPv4 address. Each group allows 25 followed by a digit from 0 to 5 (250-255), OR (|) 2 followed by a digit from 0 to 4 and then any digit (200-249), OR an optional 0 or 1 followed by one mandatory digit and one optional digit (0-199). Because the period is a special character in regular expressions (it matches any single character), the escape character (\) is required to make it match a literal period. The group repeats four times, so every ordinary IPv4 address with octets from 0 to 255 is accepted. Since 259 is outside the range 0-255, it is rejected: more specifically, a string starting with 25 must end with a digit between 0 and 5 (25[0-5]), so 259 cannot satisfy any of the three alternatives. Now, on exam day, if you receive a question like this, you can work through the pattern as explained above, or you can take the logical shortcut. The logical shortcut is to look at the answers first and see that they all look like IP addresses. Remember, grep and REGEX are used by a cybersecurity analyst to search logs for indicators of compromise (like an IP address), so don’t be afraid to take a logical guess if you need to conserve time during your exam. So, which one isn’t a valid IP address? Clearly, 37.259.129.107 is not a valid IP address, so if you had to guess which one wouldn’t be in the output of this complex-looking pattern, you should guess that one!
Question 37 of 60
37. Question
You are conducting a static code analysis of a Java program. Consider the following code snippet:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
String custname = request.getParameter("customerName");                       // untrusted input from the HTTP request
String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";  // ? is a bind placeholder, not text
PreparedStatement pstmt = connection.prepareStatement( query );               // statement is compiled with its structure fixed
pstmt.setString( 1, custname);                                                // value is bound, never concatenated into the SQL
ResultSet results = pstmt.executeQuery( );
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on the code above, what type of secure coding practice is being used?
Correct
OBJ-1.3: A parameterized query (also known as a prepared statement) is a means of pre-compiling a SQL statement so that all you need to supply are the “parameters” (think “variables”) to be bound into the statement before it is executed. Because the statement’s structure is fixed before the values are supplied, a value can never be interpreted as SQL syntax, which is why parameterized queries are the primary defense against SQL injection. This code snippet is a Java implementation of a parameterized query: the ? placeholder in the query string is bound to the customer name with setString(). Input validation would involve properly testing any input supplied by a user to an application; since the first line takes the customerName input without any validation, this is not an example of the input validation secure coding practice. Session management refers to the process of securely handling multiple requests to a web-based application or service from a single user or entity. Authentication is the act of proving an assertion, such as the identity of a computer system user. This code snippet is neither a form of session management nor authentication. For the exam, you do not need to fully understand what this code is doing, but you should understand what it is not doing. Nothing in the code indicates session management or the handling of usernames and passwords, so we can rule out session management and authentication. This leaves input validation and parameterized queries as the best options. Based on the code, we see the word query multiple times and a PreparedStatement, which should be a hint that the answer is a parameterized query even if you can’t read this Java code fully.
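The quiz's Java snippet is not reproduced here, so the following is an added example, written in Python against an in-memory SQLite table (constructed sample rows, not data from any real system), of the same lookup done two ways: spliced into the SQL text, and as a parameterized query with a bound placeholder, which is the pattern the explanation describes. The `compare()` helper is this example's own name, not anything from the quiz.

```python
"""Added example: string-concatenated vs parameterized SQL lookups."""
import sqlite3

# Constructed sample data for the demonstration (not from a real system).
CUSTOMERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "o'neil", "oneil@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, custname TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_concatenated(conn: sqlite3.Connection, custname: str) -> list:
    """The unsafe pattern: user input is spliced into the SQL text, so the
    input can change the *structure* of the statement, not just a value."""
    query = ("SELECT id, custname, email FROM customers WHERE custname = '"
             + custname + "'")
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, custname: str) -> list:
    """The safe pattern: the statement is compiled with a placeholder and the
    input is bound as a value. This mirrors Java's PreparedStatement with
    setString(): the text of the query never changes, whatever the input."""
    query = "SELECT id, custname, email FROM customers WHERE custname = ?"
    return conn.execute(query, (custname,)).fetchall()


def compare(custname: str) -> dict:
    """Run both forms on a fresh database and report what each returned.
    A concatenated query that fails to parse is reported by its exception
    class name instead of a row list."""
    conn = make_db()
    try:
        unsafe = lookup_concatenated(conn, custname)
    except sqlite3.Error as exc:
        unsafe = type(exc).__name__
    safe = lookup_parameterized(conn, custname)
    conn.close()
    return {"concatenated": unsafe, "parameterized": safe}


if __name__ == "__main__":
    # A legitimate name containing an apostrophe breaks the concatenated
    # query entirely, while the parameterized query finds the row.
    print(compare("o'neil"))
    # A quote-and-tautology input alters the concatenated statement's WHERE
    # clause so every row is returned; the bound parameter matches nothing.
    print(compare("' OR '1'='1"))
```

The second input is the classic illustration of why binding parameters matters: the concatenated form returns all three rows because the input has rewritten the statement, whereas the parameterized form treats the whole string as a customer name and returns nothing.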
Question 38 of 60
38. Question
Which of the following is a best practice that should be followed when scheduling vulnerability scans of an organization’s data center?
Correct
OBJ-1.3: For the best results, the scans should be scheduled during periods of low activity. This will help to reduce the negative impact of scanning on business operations. The other three options all carry a higher risk of causing disruptions to the network or its business operations.
Question 39 of 60
39. Question
Which of the following utilizes a well-written set of carefully developed and tested scripts to orchestrate runbooks and generate consistent server builds across an enterprise?
Correct
OBJ-3.4: IaC is designed with the idea that a well-coded description of the server/network operating environment will produce consistent results across an enterprise and significantly reduce IT overhead costs through automation while precluding the existence of security vulnerabilities. SDN uses software to define networking boundaries but does not necessarily handle server architecture in the same way that IaC can. Infrastructure as a Service (IaaS) is a computing method that uses the cloud to provide any or all infrastructure needs. Software as a Service (SaaS) is a computing method that uses the cloud to provide users with application services.
Question 40 of 60
40. Question
You are conducting a routine vulnerability scan of a server when you find a vulnerability. You locate a patch for the vulnerability on the software vendor’s website. What should you do next?
Correct
OBJ-1.3: Before any change to a baseline occurs, a Request for Change should be submitted. This submission will start the change management process within your organization. Once approved, the patch should be tested in a staging environment, installed on the production server, and then the server should be rescanned to ensure the vulnerability no longer exists. In this scenario, no incident response is being performed since this is a vulnerability found during a routine vulnerability scan.
Question 41 of 60
41. Question
Which of the following methods should a cybersecurity analyst use to locate any instances on the network where passwords are being sent in cleartext?
Correct
OBJ-3.1: Full packet capture records the complete payload of every packet crossing the network. The other methods will not provide sufficient information to detect a cleartext password being sent. A NetFlow analysis will determine where communications occurred, by what protocol, to which devices, and how much content was sent. Still, it will not reveal anything about the content itself since it only analyzes the metadata for each packet crossing the network. A SIEM event log being monitored might detect that an authentication event has occurred. Still, it will not necessarily reveal whether the password was sent in cleartext, as a hash value, or as ciphertext. Software design documentation may also reveal the designer’s intentions for authentication when they created the application, but this only provides an ‘as designed’ view of a given piece of software and does not show whether the ‘as-built’ configuration was implemented securely.
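To make the contrast in this explanation concrete, here is an added example (not from the quiz) that works over a handful of constructed packet records standing in for a capture: `flow_summary()` keeps only what a NetFlow-style collector would keep, while `find_cleartext_credentials()` inspects payloads the way a full-packet-capture analyst can. The addresses, usernames and passwords in `PACKETS` are made up for the demonstration, and the findings deliberately record the username and location but never the password itself.

```python
"""Added example: flow metadata vs payload inspection for cleartext logins."""
import base64
import re
from collections import defaultdict

# Constructed sample "packets": (src, dst, proto, dst_port, payload).
# These stand in for records pulled from a capture file; nothing here is real.
PACKETS = [
    ("10.0.0.5", "10.0.0.20", "tcp", 21, b"USER analyst\r\n"),
    ("10.0.0.5", "10.0.0.20", "tcp", 21, b"PASS Winter2024!\r\n"),
    ("10.0.0.7", "10.0.0.30", "tcp", 80,
     b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
     + base64.b64encode(b"svc-backup:hunter2") + b"\r\n\r\n"),
    # A TLS ClientHello fragment: encrypted traffic yields no finding.
    ("10.0.0.9", "10.0.0.30", "tcp", 443, b"\x16\x03\x01\x02\x00\x01\x00"),
]

# Patterns for two common cleartext credential carriers.
FTP_USER = re.compile(rb"^USER (\S+)", re.M)
FTP_PASS = re.compile(rb"^PASS \S+", re.M)
BASIC_AUTH = re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)")


def flow_summary(packets):
    """What a NetFlow-style collector retains: the flow key plus counters.
    The payload is discarded, so nothing in this output can show a password,
    which is the point the explanation makes about flow analysis."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, proto, port, payload in packets:
        rec = flows[(src, dst, proto, port)]
        rec["packets"] += 1
        rec["bytes"] += len(payload)
    return dict(flows)


def find_cleartext_credentials(packets):
    """Payload inspection, which only full packet capture makes possible.
    Each finding records source, destination, port, protocol and username;
    the password is intentionally not copied into the finding."""
    findings = []
    last_user = {}  # flow key -> username from the preceding FTP USER command
    for src, dst, proto, port, payload in packets:
        key = (src, dst, proto, port)
        m = FTP_USER.search(payload)
        if m:
            last_user[key] = m.group(1).decode("ascii", "replace")
        if FTP_PASS.search(payload):
            findings.append({"src": src, "dst": dst, "port": port,
                             "kind": "ftp",
                             "user": last_user.get(key, "<unknown>")})
        m = BASIC_AUTH.search(payload)
        if m:
            try:
                decoded = base64.b64decode(m.group(1), validate=True)
            except ValueError:
                continue  # malformed header; not a credential we can read
            user = decoded.split(b":", 1)[0].decode("ascii", "replace")
            findings.append({"src": src, "dst": dst, "port": port,
                             "kind": "http-basic", "user": user})
    return findings


if __name__ == "__main__":
    for key, rec in flow_summary(PACKETS).items():
        print("flow", key, rec)          # counters only, no content
    for f in find_cleartext_credentials(PACKETS):
        print("cleartext credential:", f)  # two findings, no password shown
```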
Question 42 of 60
42. Question
Cybersecurity analysts are experiencing some issues with their vulnerability scans aborting because the previous day’s scans are still running when the scanner attempts to start the current day’s scans. Which of the following recommendations is LEAST likely to resolve this issue?
Correct
OBJ-1.3: If the cybersecurity analyst were to reduce the scans’ sensitivity, it still would not decrease the time spent scanning the network and could alter the effectiveness of the results received. In this scenario, the scans, as currently scoped, are taking more than 24 hours to complete with the current resources. The analyst could reduce the scans’ scope, thereby scanning fewer systems or vulnerability signatures and taking less time to complete. Alternatively, the analyst could reduce the scans’ frequency by moving to a less frequent schedule, such as one scan every 48 hours or one scan per week. The final option would be to add additional vulnerability scanners to the process. This would allow the two scanners to work together to divide the workload and complete the task within the 24-hour scan frequency currently provided.
Question 43 of 60
43. Question
Natalie wants to create a backup of the permissions before making changes to the Linux workstation she will remediate. What Linux tool can she use to back up the permissions of the system’s complete directory structure?
Correct
OBJ-3.2: The getfacl command allows the permissions of an entire directory tree to be backed up to a text file. The setfacl command is used to restore the permissions from the backup created. aclman and chbkup are not legitimate Linux commands. The iptables command is used to configure the Linux firewall, not the directory structure’s file permissions. This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!
Question 44 of 60
44. Question
Jorge and Marta are working on a programming project together. During a code review, Marta explains her code to Jorge while looking at the code on her computer. Which of the following code review techniques is being used in this scenario?
Correct
OBJ-2.2: Over-the-shoulder code reviews rely on a programmer explaining their code to a peer. This provides a chance for a review of the code and a better understanding of both programmers’ code. In this example, Marta is explaining her code to Jorge while he looks over her shoulder. Pair programming alternates between programmers, with one strategizing and reviewing while the other enters the code into the computer. Dual control is a personnel security process that requires more than one employee to be available to perform a specific task. This is used with split knowledge and is not a form of code review. A tool-assisted review is conducted using a software tool or other form of automation.
Question 45 of 60
45. Question
Which of the following programs was designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military?
Correct
OBJ-2.3: The Trusted Foundry program, also called the trusted suppliers program, is a United States Department of Defense program designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military. Trusted Foundry was created to provide a chain of custody for classified/unclassified integrated circuits, ensure there is no reasonable threat related to supply disruption, prevent intentional/unintentional modification of integrated circuits, and protect integrated circuits from reverse engineering and vulnerability testing.
Question 46 of 60
46. Question
According to the US Department of Health and Human Services, notification of the individuals affected by a data breach containing PHI is required when how many individuals are affected?
Correct
OBJ-4.2: The US Department of Health and Human Services (HHS) says that “Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information.” HHS does not specify a minimum number of affected individuals. Therefore, the breach of a single record of PHI is sufficient to require a notification to the affected individual directly. If over 500 people are affected, then a notification to the media must also be made.
Question 47 of 60
47. Question
A SOC analyst has detected the repeated usage of a compromised user credential on the company’s email server. The analyst sends you an email asking you to check the server for any indicators of compromise since the email server is critical to continued business operations. Which of the following was likely overlooked by your organization during the incident response preparation phase?
Correct
OBJ-4.1: As part of your preparation phase, your organization should develop a communications plan that details which communication methods will be used during a compromise of various systems. If the analyst suspected the email server was compromised, then communications about the incident response efforts (including detection and analysis) should be shifted to a different communications path, such as encrypted chat, voice, or other secure means. Any analyst involved in working this incident should already have prepared alternate, out-of-band communications to prevent an adversary from intercepting or altering communications. Based on the scenario provided, it is clear that a data criticality and prioritization analysis was already performed since the email server is known to be critical to operations. Based on the scenario, there is nothing to indicate that the analysts do not know how to search for IoCs properly. Based on the information provided, nothing indicates that either analyst lacks the appropriate tools, so it can be safely assumed they have their jump bag or kit available for use.
Question 48 of 60
48. Question
Your organization recently suffered a large-scale data breach. The hackers successfully exfiltrated the personal information and social security numbers of your customers from your network. The CEO notified law enforcement about the breach. They will assist with the investigation and conduct evidence collection so that the hackers can be brought up on charges. What actions should your organization take in response to this event?
Correct
OBJ-4.1: Since the data breach is now the subject of an active law enforcement investigation, your organization should request that a law enforcement agent speak with your employees to give them clear guidance on what they should and should not say to people outside of the investigation. Additionally, the company’s system administrators and analysts should not perform any actions on the network until they receive law enforcement guidance. This will ensure that the employees do not accidentally destroy or tamper with potential evidence of the crime.
Question 49 of 60
49. Question
Which party in a federation provides services to members of the federation?
Correct
OBJ-2.1: Relying parties (RPs) provide services to members of a federation. An identity provider (IdP) provides identities, makes assertions about those identities, and releases information about the identity holders. The Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider (SP) or relying party (RP). Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems across a federation. SAML and SSO are not parties. Therefore, they cannot possibly be the right answer to this question.
Question 50 of 60
50. Question
Your organization is updating its incident response communications plan. A business analyst in the working group recommends that if the company discovers they are the victims of a data breach, they should only notify the affected parties to minimize media attention and bad publicity. Which of the following recommendations do you provide in response to the business analyst’s statement?
Correct
OBJ-4.1: Guidance from various laws and regulations must be considered when deciding who must be notified to avoid fines and judgments. The requirements for different types of data breaches are set out in laws/regulations. The requirements indicate who must be notified. Other than the regulator itself, this could include law enforcement, individuals and third-party companies affected by the breach, and public notification through the press or social media channels. For example, the Health Insurance Portability and Accountability Act (HIPAA) sets out reporting requirements in legislation, requiring breach notification to the affected individuals, the Secretary of the US Department of Health and Human Services, and, if more than 500 individuals are affected, to the media.
Question 51 of 60
51. Question
If an administrator cannot fully remediate a vulnerability, which of the following should they implement?
Correct
OBJ-5.2: Based on the question’s wording, a compensating control would be most accurate for the given scenario. Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement by implementing other controls. Access requirements are a form of logical controls that can be implemented to protect a system and could be a form of compensating control if used appropriately. A policy is a statement of intent and is implemented as a procedure or protocol within an organization. An engineering tradeoff is a situational decision that involves diminishing or losing one quality, quantity, or property of a set or design in return for gains in other aspects. Often, an engineering tradeoff occurs when we trade security requirements for operational requirements or vice versa.
Question 52 of 60
52. Question
During her login session, Sally is asked by the system for a code sent to her via text (SMS) message. Which of the following concerns should she raise to her organization’s AAA services manager?
Correct
OBJ-2.1: NIST’s SP 800-63-3 recommends that SMS messages be deprecated as a means of delivering a second factor for multifactor authentication because they may be accessible to attackers. SMS is unable to be encrypted (at least without adding additional applications to phones). A third factor is typically not a user-friendly recommendation and would be better handled by replacing SMS with the proposed third factor. SMS is not a costly method since it can be deployed for less than $20/month at scale.
Question 53 of 60
53. Question
You conducted a security scan and found that port 389 is being used when connecting to LDAP for user authentication instead of port 636. The security scanning software recommends that you remediate this by changing user authentication to port 636 wherever possible. What should you do?
Correct
OBJ-3.2: LDAP can be run on either port 389 or port 636. Port 389 is the standard port for LDAP but typically runs unencrypted LDAP services over this port. Instead, you should change all devices and servers that can technically support the change to port 636 since LDAP services over port 636 are encrypted by default.
Question 54 of 60
54. Question
Which of the following types of solutions would you classify an FPGA as?
Correct
OBJ-5.1: A field-programmable gate array (FPGA) is an anti-tamper mechanism that makes use of a type of programmable controller and a physically unclonable function (PUF). The PUF generates a digital fingerprint based on the unique features of the device. This means that tampering with a device, such as removing the chip or adding an unknown input/output mechanism, can be detected. A remedial action, like zero-filling cryptographic keys, can be performed automatically. A hardware security module (HSM) is an appliance for generating and storing cryptographic keys. It is a solution that may be less susceptible to tampering and insider threats than a traditional software-based storage solution. A trusted platform module (TPM) is a specification for hardware-based storage of digital certificates, cryptographic keys, hashed passwords, and other user and platform identification information. A hardware root of trust (RoT) or trust anchor is a secure subsystem that can provide attestation to declare something as true.
Question 55 of 60
55. Question
Which analysis framework provides the most explicit detail regarding how to mitigate or detect a given threat?
Correct
OBJ-1.2: The MITRE ATT&CK framework provides explicit pseudo-code examples for detecting or mitigating a given threat within a network and ties specific behaviors back to individual actors. The Diamond Model provides an excellent methodology for communicating cyber events and allowing an analyst to derive mitigation strategies implicitly. The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but does not deal with the specifics of how to mitigate. OpenIOC contains a depth of research on APTs but does not integrate the detections and mitigation strategy.
Question 56 of 60
56. Question
According to Lockheed Martin’s white paper “Intel Driven Defense,” which of the following technologies could degrade an adversary’s effort during the C2 phase of the kill chain?
Correct
OBJ-4.2: A network intrusion prevention system could disrupt an adversary’s C2 channel by shutting it down or blocking it. While a firewall ACL might be lucky enough to deny an adversary the ability to establish the C2 channel, a NIPS is better suited to detect and block an adversary than a static ACL entry. A conventional anti-virus would potentially disrupt the installation phase of an adversary’s attack, but it is unlikely to affect the C2 phase once installed. Port security is useful only against layer 2 addressing, which is not used for adversary C2 over the internet.
Question 57 of 60
57. Question
As a SOC analyst, you receive an alert concerning a dramatic slowdown affecting the company’s e-commerce server due to the load balancer’s critical failure. Your company depends on online sales for all of its business, and you know the immediate impact of this event will be a loss of sales. Which of the following is an appropriate classification of the impact in terms of the total impact and notification requirements? (SELECT THREE)
Correct
OBJ-5.2: Since online sales are critical to business operations, the impact would be categorized as organizational and not localized. While the immediate impact is a loss of sales due to the slow servers causing customer frustration and abandoned carts, the longer-term impact could include losing customers who will never return. It is unlikely to include damage to the company’s reputation over this event, since it isn’t a major trust and security issue like a data breach. In terms of notification requirements, it is optional to inform external authorities since there is no evidence of a crime.
Question 58 of 60
58. Question
You are in the recovery steps of an incident response. Throughout the incident, your team never successfully determined the root cause of the network compromise. Which of the following options would you LEAST likely perform as part of your recovery and remediation actions?
Correct
OBJ-4.1: Since your team could not determine the root cause of the compromise, you would most likely conduct system and network hardening actions as part of the recovery and remediation. The only option that is not considered a hardening action is proactively sanitizing and reimaging your routers and switches. If you performed this action, you could have unwanted disruptive effects on the company. Instead, it would be more beneficial to increase monitoring of the devices to ensure they are not compromised. Proactively sanitizing and reimaging all of the routers and switches would be a large undertaking. Without evidence suggesting that such an approach is warranted, you would be wasting a lot of time and money. The other options presented are the best security practices to prevent future compromises. Reimaging the network devices without knowing the root cause will likely be ineffective in securing the network.
Question 59 of 60
59. Question
You have been hired to investigate a possible insider threat from a user named Terri. Which of the following commands would successfully look through all the log files in “/var/log” for any references to “Terri” or “terri” on a Linux server?
Correct
OBJ-4.3: The find command will by default look at every single file starting in a designated subdirectory (in this case /var/log) and will execute whatever command is specified between “-exec” and “\;” with the ‘found’ file being substituted for the “{}”. Executing grep on every file with the -H parameter will ensure the filename with the full path is displayed. The -e option in grep will use a REGEX expression. “[Tt]erri” is the correct REGEX expression to look for “Terri” or “terri”. As many files in the /var/log directory do not end with the extension “.log”, attempting to filter for just files with a .log extension will overly limit the results that are returned to you. “2> /dev/null” is needed to filter out any errors “find” might generate (such as attempting to open a directory). Now, let’s talk about tackling this on test day, because you don’t need to have all of these things memorized to answer this question. Consider the four options presented to you and determine what is different in each one. You will notice every option starts with “find /var/log” and ends with “{} \; 2>/dev/null”, so you should mentally ignore that in each of the answers and focus on what is different. We also see that all the answers have “grep -H -e”, so we aren’t being asked to be an expert on grep or its flags either, so mentally ignore that. This leaves us with two sets of differences. One set has “-name "*.log"” versus “-exec”. The second set of differences is “‘Terri’ OR ‘terri’” versus “[Tt]erri”. From this, you can determine which regular expression is correct ([Tt]erri) and eliminate two of the four choices. Now, you need to pick between the -name and -exec flags. If you know anything about Linux log files, you should remember that they usually don’t end in .log as most Windows log files do, so we would pick -exec if we had to guess.
Question 60 of 60
60. Question
Which of the following sets of Linux permissions is ordered from least permissive to most permissive?
Correct
OBJ-3.2: From least to most permissive, the best answer is 111, 734, and 747. Linux permissions are read “owner, group, other.” They also have numbers that are 4 (read), 2 (write), and 1 (execute). If a number shown is 7, that is 4+2+1 (read/write/execute) permissions. Therefore, the least permissive set is 000, and the most permissive is 777. The permission set of 111 is execute-execute-execute. The permission set of 734 is read/write/execute-write/execute-read. The permission set of 747 is read/write/execute-read-read/write/execute.