CompTIA CySA+ (CS0-002) Practice Test 8
Question 1 of 60
Which of the following types of capabilities would an adversary need to identify and exploit zero-day vulnerabilities?
OBJ-3.3: According to the MITRE ATT&CK framework, developed capabilities can identify and exploit zero-day vulnerabilities. Acquired and augmented capabilities refer to the use of commodity malware and techniques (e.g., script kiddies). Advanced capabilities are those that can introduce vulnerabilities through the supply chain in proprietary and open-source products. Integrated capabilities involve non-cyber tools such as political or military assets.
Question 2 of 60
You are conducting a review of a VPN device’s logs and found the following URL being accessed:

https://sslvpn/dana-na/../skillcertprotraining/html5acc/teach/../../../../../../etc/passwd?/skillcertprotraining/html5acc/teach/

Based upon this log entry alone, which of the following most likely occurred?
OBJ-3.3: The exact string used here was the attack string used in CVE-2019-11510 to compromise thousands of VPN servers worldwide using a directory traversal approach. However, its presence in the logs does not prove that the attack was successful, only that it was attempted. To verify that the attacker successfully downloaded the /etc/passwd file, a cybersecurity analyst would require additional information and correlation. If the server utilizes proper input validation on URL entries, then the directory traversal would be prevented. As no SQL or XML language elements are present, this is definitely not an SQL or XML injection attack.
Question 3 of 60
You have been asked to scan your company’s website using the OWASP ZAP tool. When you perform the scan, you receive the following warning:
“The AUTOCOMPLETE output is not disabled in HTML FORM/INPUT containing password type input. Passwords may be stored in browsers and retrieved.”
You begin to investigate further by reviewing a portion of the HTML code from the website that is listed below:
Based on your analysis, which of the following actions should you take?
OBJ-2.2: Since your company owns the website, you can require the developer to implement a bug/code fix to prevent the form from allowing the AUTOCOMPLETE function to work on this website. The code change is quite simple: add autocomplete="off" to the code’s first line.
Question 4 of 60
A cybersecurity analyst is preparing to run a vulnerability scan on a dedicated Apache server that will be moved into a DMZ. Which of the following vulnerability scans is most likely to provide valuable information to the analyst?
OBJ-2.1: Since Apache is being run on the scanned server, this indicates a web server. Therefore, a web application vulnerability scan would be the most likely to provide valuable information. A network vulnerability scan or port scan can provide valuable information against any network-enabled server. Since an Apache server doesn’t contain a database by default, running a database vulnerability scan is not likely to provide any valuable information to the analyst.
Question 5 of 60
Which of the following tools can NOT be used to conduct a banner grab from a web server on a remote host?
OBJ-5.2: FTP cannot be used to conduct a banner grab. A cybersecurity analyst or penetration tester uses a banner grab to gain information about a computer system on a network and the services running on its open ports. Administrators can use this to take inventory of the systems and services on their network. This is commonly done using telnet, wget, or netcat.
Question 6 of 60
What popular open-source port scanning tool is commonly used for host discovery and service identification?
OBJ-4.4: The world’s most popular open-source port scanning utility is nmap. The Services console (services.msc) allows an analyst to disable or enable Windows services. The dd tool is used to copy files, disks, and partitions, and it can also be used to create forensic disk images. Nessus is a proprietary vulnerability scanner developed by Tenable. While Nessus does contain the ability to conduct a port scan, its primary role is as a vulnerability scanner, and it is not an open-source tool.
Question 7 of 60
A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.skillcertprotraining.com/../../../../etc/shadow. What type of attack has likely occurred?
OBJ-1.7: This is an example of a directory traversal. A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with “dot-dot-slash (../)” sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer’s boundary to overwrite an adjacent memory location. XML injection is an attack technique used to manipulate or compromise an XML application or service’s logic. SQL injection is the placement of malicious code in SQL statements via web page input.
Question 8 of 60
Yoyodyne Systems has recently bought out its competitor, Whamiedyne Systems, which went out of business due to a series of data breaches. As a cybersecurity analyst for Yoyodyne, you are assessing Whamiedyne’s existing applications and infrastructure. During your analysis, you discover the following URL is used to access an application:

https://www.whamiedyne.com/app/accountInfo?acct=12345

You change the URL to end with 12346 and notice that a different user’s account information is now displayed. Which of the following types of vulnerabilities or threats have you discovered?
OBJ-3.3: This is an example of an insecure direct object reference. Direct object references are typically insecure when they do not verify whether a user is authorized to access a specific object. Therefore, it is important to implement access control techniques in applications that work with private information or other sensitive data types. Based on the URL above, you cannot determine whether the application is vulnerable to an XML or SQL injection attack. In a SQL injection attack, an attacker can modify one or more of SQL’s four basic functions by adding code to some input within the web app, causing it to execute the attacker’s own set of queries. An XML injection is similar but focuses on XML code instead of SQL queries. A race condition is a software vulnerability in which the outcome of executing processes depends directly on the order and timing of certain events, with those events failing to execute in the order and timing the developer intended; that is not the case in this scenario.
Question 9 of 60
SkillCertPro Training Solutions is conducting a penetration test of its facilities. The penetration testing team has been augmented by an employee of the company who has general user privileges. The security staff is unaware of the testing. According to NIST, which of the following types of penetration tests is being conducted?
OBJ-4.2: This is considered an internal covert test. It is internal because an employee of the company is part of the team and provides them with general user privileges. This will simulate an insider threat attack. It is also considered covert because the security staff and system administrators are unaware of the ongoing test.
Question 10 of 60
Based on some old SIEM alerts, you have been asked to perform a forensic analysis on a given host. You have noticed that some SSL network connections are occurring over ports other than port 443. The SIEM alerts indicate that copies of svchost.exe and cmd.exe have been found in the host’s %TEMP% folder. The logs indicate that RDP connections have previously connected with an IP address that is external to the corporate intranet, as well. What threat might you have uncovered during your analysis?
OBJ-3.1: The provided indicators of compromise appear to be from an Advanced Persistent Threat (APT). These attacks tend to go undetected for several weeks or months and utilize secure communication to external IPs as well as Remote Desktop Protocol connections to provide the attackers with access to the infected host. While an APT might use a software vulnerability to gain their initial access, the full description provided in the question that includes the files being copied and executed from the %TEMP% folder and the use of SSL/RDP connections indicates longer-term exploitation, such as one caused by an APT.
Question 11 of 60
While investigating a data breach, you discover that the account credentials used belonged to an employee who was fired several months ago for misusing company IT systems. Apparently, the IT department never deactivated the employee’s account upon their termination. Which of the following categories would this breach be classified as?
OBJ-4.2: An insider threat is any current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems. Based on the details provided in the question, it appears the employee’s legitimate credentials were used to conduct the breach. This would be classified as an insider threat. A zero-day is a vulnerability in software unpatched by the developer or an attack that exploits such a vulnerability. A known threat is a threat that can be identified using a basic signature or pattern matching. An advanced persistent threat (APT) is an attacker with the ability to obtain, maintain, and diversify access to network systems using exploits and malware.
Question 12 of 60
You have been hired as a cybersecurity analyst for a privately-owned bank. Which of the following regulations would have the greatest impact on your bank’s cybersecurity program?
OBJ-5.3: The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information. The Health Insurance Portability and Accountability Act (HIPAA) is a US law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. Sarbanes-Oxley (SOX) is a United States federal law that set new or expanded requirements for all US public company boards, management, and public accounting firms. The Family Educational Rights and Privacy Act (FERPA) of 1974 is a United States federal law that governs the access to educational information and records by public entities such as potential employers, publicly funded educational institutions, and foreign governments.
Question 13 of 60
The management at Steven’s work is concerned about rogue devices being attached to the network. Which of the following solutions would quickly provide the most accurate information that Steven could use to identify rogue devices on a wired network?
OBJ-3.3: The best option is MAC address reporting from a source device like a router or a switch. If the company uses a management system or inventory process to capture these addresses, then a report from one of these devices will show what is connected to the network even when they are not currently in the inventory. This information could then be used to track down rogue devices based on the physical port connected to a network device.
Question 14 of 60
Which of the following techniques would best mitigate malware that utilizes a fast flux network for its command and control infrastructure?
OBJ-3.2: Third-party DNS resolvers, particularly those of ISPs, will typically have elaborate algorithms designed to detect command and control (C2) via fast flux networks. Fast flux DNS is a technique that rapidly changes the IP address associated with a domain to allow an adversary to defeat IP-based blacklists. Often, though, these fast flux networks have communication patterns that might be detectable. While in-house statistical analysis might be possible (and could be done in parallel), the commercial resources available to a large-scale ISP or dedicated secure DNS providers will be better tailored to combating this issue.
Question 15 of 60
Which of the following threats to a SaaS deployment would be the responsibility of the consumer to remediate?
OBJ-3.1: In a SaaS model, the consumer has to ensure that the endpoints being used to access the cloud are secure. Since the consumer owns the endpoint (laptop, desktop, tablet, smartphone, etc.), they are responsible for securing it. The entire concept behind using a SaaS product is that the service provider will patch the servers’ underlying operating systems, create secure software that isn’t vulnerable to SQL injection or cross-site scripting attacks, and ensure proper operations and maintenance of the backend systems.
Question 16 of 60
16. Question
SkillCertPro Training Solutions has just installed a backup generator for their offices that uses SCADA/ICS for remote monitoring of the system. The generator’s control system has an embedded cellular modem that periodically connects to the generator’s manufacturer to provide usage statistics. The modem is configured for outbound connections only, and the generator has no data connection with any of SkillCertPro Training’s other networks. The manufacturer utilizes data minimization procedures and uses the data to recommend preventative maintenance service and ensure maximum uptime and reliability by identifying parts that need to be replaced. Which of the following cybersecurity risks is being assumed in this scenario?
Correct
OBJ-5.2: There is minimal risk being assumed in this scenario since the cellular modem is configured for outbound connections only. This also minimizes the risk of an attacker gaining remote access to the generator. The generator is logically and physically isolated from the rest of the enterprise network, so even if an attacker could exploit the generator, they could not pivot into the production network. While there is a risk of the manufacturer using the data for purposes other than originally agreed upon, this is a minimal risk due to the manufacturer’s data minimization procedures and the type of data collected. Should the manufacturer choose to use usage statistics about the generator for some other purpose, it would have a negligible impact on the company since it does not contain any PII or proprietary company data.
Question 17 of 60
17. Question
Which mobile device strategy is most likely to introduce vulnerable devices to a corporate network?
Correct
OBJ-5.2: The BYOD (bring your own device) strategy opens a network to many vulnerabilities. People can bring their personal devices to the corporate network, and their devices may contain vulnerabilities that could be allowed to roam free on a corporate network. COPE (company-owned/personally enabled) means that the company provides the users with a smartphone primarily for work use, but basic functions such as voice calls, messaging, and personal applications are allowed, with some controls on usage and flexibility. With CYOD, the user can choose which device they wish to use from a small selection of devices approved by the company. The company then buys, procures, and secures the device for the user. The MDM is a mobile device management system that gives centralized control over COPE company-owned personally enabled devices.
Question 18 of 60
18. Question
A cybersecurity analyst notices the following XML transaction while reviewing the communication logs for a public-facing application that receives XML input directly from its clients:
Based on the output above, which of the following is true?
Correct
OBJ-3.3: This is an example of an XML External Entity (XXE) vulnerability. Any references to document abc of type xyz may now be replaced with /etc/passwd, which would allow the user to harvest the data contained within the file. Although in modern Linux operating systems the /etc/passwd file only contains the usernames resident on the system and not the passwords, this is still valuable information for an attacker. The ‘/etc/passwd’ file has been better secured in recent systems by using a shadow file (which contains hashed values for the passwords). Unless an input validation step is added to the process, there is nothing to stop the attacker from gathering other potentially sensitive files from the server. While ISO-8859-1 does indeed cover the Latin alphabet and is standard throughout XML, it has no significance from a cybersecurity perspective. A parameterized query is a form of output encoding that defends against SQL and XML injections. This code does not contain a parameterized query.
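The input validation step the explanation calls for can be implemented as a pre-parse check that refuses any client-supplied XML declaring entities or an external DTD. The code below is an added example, not part of the practice test; the document names (abc, xyz) follow the explanation and both sample documents are constructed here for illustration. It uses only the Python standard library (expat and ElementTree).

```python
"""Reject untrusted XML that carries XXE hazards before the application parses it."""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML declares entities or references an external DTD."""


def find_dtd_hazards(xml_text: str) -> list:
    """Run expat over xml_text and list every DTD construct an XXE relies on.

    Expat calls StartDoctypeDeclHandler for the DOCTYPE and EntityDeclHandler
    for each entity declared in the internal subset, so the check happens
    before any application parser gets a chance to expand anything. External
    references are never fetched: ExternalEntityRefHandler returns 0, which
    makes expat abort instead of opening the referenced resource.
    """
    hazards = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # An external DTD could itself declare entities; flag it rather than fetch it.
        if system_id or public_id:
            hazards.append(f"DOCTYPE {name} references external DTD {system_id or public_id}")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id or public_id:
            # SYSTEM/PUBLIC entity: the classic file or URL disclosure vector.
            hazards.append(f"external entity {name!r} -> {system_id or public_id}")
        else:
            # Internal entities are still rejected: nested expansion (billion laughs).
            hazards.append(f"internal entity {name!r}")

    def on_external_ref(context, base, system_id, public_id):
        hazards.append(f"reference to external entity {system_id or public_id}")
        return 0  # refuse the fetch; expat then stops with an ExpatError

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError:
        if not hazards:
            raise  # plain malformed XML, not an XXE attempt: let the caller see it
    return hazards


def parse_untrusted(xml_text: str) -> ET.Element:
    """Parse client-supplied XML only after the pre-check found no DTD hazards."""
    hazards = find_dtd_hazards(xml_text)
    if hazards:
        raise UnsafeXMLError("; ".join(hazards))
    return ET.fromstring(xml_text)


# Constructed sample: a benign transaction of the shape the application expects.
SAFE_DOC = '<?xml version="1.0" encoding="ISO-8859-1"?><abc><xyz>order-42</xyz></abc>'

# Constructed sample of the pattern the explanation describes: entity xyz is
# declared to point at /etc/passwd and then referenced from document abc.
XXE_DOC = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>'
    '<!DOCTYPE abc [<!ENTITY xyz SYSTEM "file:///etc/passwd">]>'
    '<abc>&xyz;</abc>'
)


if __name__ == "__main__":
    print("safe document parsed, root tag:", parse_untrusted(SAFE_DOC).tag)
    print("XXE document hazards:", find_dtd_hazards(XXE_DOC))
```

Log the hazard list alongside the client identity when rejecting, since a SYSTEM entity pointing at a local path in a public-facing application is itself a high-fidelity detection signal.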
Question 19 of 60
19. Question
You are attending a cybersecurity conference and just watched a security researcher demonstrating the exploitation of a web interface on a SCADA/ICS component. This caused the device to malfunction and be destroyed. You recognize that the same component is used throughout your company’s manufacturing plants. Which of the following mitigation strategies would provide you with the most immediate protection against this emergent threat?
Correct
OBJ-4.3: The most immediate protection against this emergent threat would be to block the web interface from being accessible over the network. Before doing this, you must evaluate whether the interface needs to remain open for the system to function properly. If it is not needed, you should block it to minimize the SCADA/ICS component’s attack surface. Ideally, your SCADA/ICS components should already be logically or physically isolated from the enterprise network. Since the question doesn’t mention the networks as an area of concern, we can assume they are already following the industry best practice of logical or physical segmentation between the SCADA/ICS network and the enterprise network. On the exam, make sure you focus on the question being asked. In this case, the question focuses on the web interface. Developing a patch can be a time-consuming process, so waiting for the manufacturer to provide a patch will not provide immediate protection to your components. The same is true for replacing the affected components. Even if you could get the company to authorize the funding for such a purchase, it would take time to order, ship, receive and install the new components. Additionally, you would cause unwanted downtime in the factory during the installation of the components, making it an ineffective option when simply blocking the web interface is free, quick, and effective.
Question 20 of 60
20. Question
According to the US Department of Health and Human Services, the media must be notified when a data breach containing PHI exceeds how many affected individuals?
Correct
OBJ-4.2: According to the US Department of Health and Human Services, “Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach. It must include the same information required for the individual notice.”
Question 21 of 60
21. Question
Your company is adopting a cloud-first architecture model. Management wants to decommission the on-premises SIEM your analysts use and migrate it to the cloud. Which of the following is an issue with using this approach?
Correct
OBJ-3.1: If there are legal or regulatory requirements that require the company to host their security audit data on-premises, then moving to the cloud will not be possible without violating applicable laws. For example, some companies must host their data within their national borders, even if migrating to the cloud. The other options presented are all low risk and can be overcome with proper planning and mitigations. Most cloud providers have degrees of redundancy far above what any individual on-premises provider will be able to generate, making the concern over backups a minimal risk. If the SIEM is moved to a cloud-based server, it could still be operated and controlled in the same manner as the previous on-premises solution using a virtualized cloud-based server. While a VM or hypervisor escape is possible, they are rare and can be mitigated with additional controls.
Question 22 of 60
22. Question
A new alert has been distributed throughout the information security community regarding a critical Apache vulnerability. What action could you take to ONLY identify the known vulnerability?
Correct
OBJ-5.2: Since you wish to check for only the known vulnerability, you should scan for that specific vulnerability on all web servers. All web servers are chosen because Apache is a web server application. While performing an authenticated scan of all web servers or performing a web vulnerability scan of all servers would also find these vulnerabilities, it is a much larger scope. It would waste time and processing power by conducting these scans instead of properly scoping the scans based on your needs. Performing unauthenticated vulnerability scans on all servers is also too large in scope (all servers) while also being less effective (unauthenticated scan).
Question 23 of 60
23. Question
Which analysis framework is essentially a repository of known IOCs with ties to known specific threats?
Correct
OBJ-1.2: OpenIOC is essentially just a flat database of known indicators of compromise. The MITRE ATT&CK provides additional details about detection and mitigation. The Diamond model is an analytic framework for describing an attacker’s work. Lockheed Martin’s cyber kill chain provides a generalized concept for how an attacker might approach a network but does not deal with individual IOCs’ specifics.
Question 24 of 60
24. Question
Which tool would allow you to identify the target’s operating system by analyzing the TCP/IP stack responses?
Correct
OBJ-1.4: The nmap tool can be used to identify the target’s operating system by analyzing the TCP/IP stack responses. Identification of the operating system relies on differences in how operating systems and operating system versions respond to a query, what TCP options they support, what order they send the packets in, and other details that, when combined, can provide a unique fingerprint for a given TCP stack.
Question 25 of 60
25. Question
An independent cybersecurity researcher has contacted your company to prove a buffer overflow vulnerability exists in one of your applications. Which technique would have been most likely to identify this vulnerability in your application during development?
Correct
OBJ-2.2: Buffer overflows are most easily detected by conducting a static code analysis. Manual peer review or pair programming methodologies might have been able to detect the vulnerability. Still, they do not have the same level of success as a static code analysis using proper tools. A DevSecOps methodology would also improve the likelihood of detecting such an error, but it still relies on human-to-human interaction and human understanding of source code to detect the fault. Dynamic code analysis also may have detected this if the test found exactly the right condition. Still, again, a static code analysis tool is designed to find buffer overflows more effectively.
Question 26 of 60
26. Question
Which of the following will an adversary do during the reconnaissance phase of the Lockheed Martin kill chain? (SELECT THREE)
Correct
OBJ-1.2: Passively harvesting information from a target is the main purpose of the reconnaissance phase. Harvesting email addresses from the public internet, identifying employees on social media (particularly LinkedIn profiles), discovering public-facing servers, and gathering other publicly available information can allow an attacker to develop a more thorough understanding of a targeted organization. Acquiring or developing zero-day exploits, selecting backdoor implants, and choosing command and control (C2) mechanisms will require the information gathered during reconnaissance to be effective. Still, these activities will actually occur during the weaponization phase.
Question 27 of 60
27. Question
Susan is worried about the security of the master account associated with a cloud service and the access to it. This service is used to manage payment transactions. She has decided to implement a new multifactor authentication process where one individual has the password to the account, while another user in the accounting department has a physical token for the account. To log in to the cloud service with this master account, both users would need to come together. What principle is Susan implementing by using this approach?
Correct
OBJ-2.1: This approach is an example of dual control authentication. Dual control authentication is used when performing a sensitive action. It requires the participation of two different users to login (in this case, one with the password and one with the token). Transitive trust is a technique via which a user/entity has already undergone authentication by one communication network to access resources in another communication network without having to undergo authentication a second time. Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, legitimate activities. Security through obscurity is the reliance on security engineering in the design or implementation of secrecy as the main method of providing security to a system or component.
Question 28 of 60
28. Question
What should a vulnerability report include if a cybersecurity analyst wants it to reflect the assets scanned accurately?
Correct
OBJ-2.1: Vulnerability reports should include both the physical hosts and the virtual hosts on the target network. A common mistake of new cybersecurity analysts is to include only the physical hosts, thereby missing many network assets.
Question 29 of 60
29. Question
A cybersecurity analyst conducts an incident response at a government agency when she discovers that attackers had exfiltrated PII. Which of the following types of breaches has occurred?
Correct
OBJ-4.1: A data breach is an incident where information is stolen or taken from a system without the system owner's knowledge or authorization. If sensitive personally identifiable information (PII) was accessed or exfiltrated, then a privacy breach has occurred. If information such as trade secrets was accessed or exfiltrated, then a proprietary breach has occurred. If any data is modified or altered, then an integrity breach has occurred. If any information related to payroll, tax returns, banking, or investments is accessed or exfiltrated, then a financial breach has occurred.
Question 30 of 60
30. Question
You work as a cybersecurity analyst at a software development firm. The software developers have begun implementing commercial and open source libraries into their codebase to minimize the time it takes to develop and release a new application. Which of the following should be your biggest concern as a cybersecurity analyst?
Correct
OBJ-2.2: Any security flaws present in a commercial or open-source library will also be present in the developed application. A library can be vulnerable, just as any other application or code can be. The libraries being integrated into the project contain both known (discovered) and unknown vulnerabilities. Therefore, the software development team needs to monitor the applicable libraries for additional CVEs that might be uncovered later, have a plan for distributing appropriate patches to their customers, and have a plan for integrating subsequent updates into their own codebase. Open-source libraries are not more vulnerable or insecure than commercially available or in-house developed libraries; in fact, most open-source software is more secure because it is widely analyzed and reviewed by programmers worldwide. While ensuring that the most up-to-date versions of the libraries are used is a valid concern, as a cybersecurity analyst you should be more concerned with the current security flaws in the library, so that you can conduct risk management, implement controls to mitigate these vulnerabilities, and determine the method for continuing updates and patch support.
Question 31 of 60
31. Question
SIMULATION –
The developers recently deployed new code to three web servers. A daily automated external device scan report shows server vulnerabilities that are failing items according to PCI DSS.
If the vulnerability is not valid, the analyst must take the proper steps to get the scan clean.
If the vulnerability is valid, the analyst must remediate the finding.
After reviewing the information provided in the network diagram, select the STEP 2 tab to complete the simulation by selecting the correct Validation Result and Remediation Action for each server listed using the drop-down options.
Instructions –
STEP 1: Review the information provided in the network diagram.
STEP 2: Given the scenario, determine which remediation action is required to address the vulnerability.
If at any time you would like to bring back the initial state of the simulation, please select the Reset All button.
Correct
Correct Answer: See the answer below
WEB_SERVER01: VALID - IMPLEMENT SSL/TLS
WEB_SERVER02: VALID - SET SECURE ATTRIBUTE WHEN COOKIE SHOULD BE SENT VIA HTTPS ONLY
WEB_SERVER03: VALID - IMPLEMENT CA SIGNED CERTIFICATE
Question 32 of 60
32. Question
DRAG DROP –
You suspect that multiple unrelated security events have occurred on several nodes on a corporate network. You must review all logs and correlate events when necessary to discover each security event by clicking on each node. Only select corrective actions if the logs show a security event that needs remediation. Drag and drop the appropriate corrective actions to mitigate the specific security event occurring on each affected device.
Instructions:
The Web Server, Database Server, IDS, Development PC, Accounting PC and Marketing PC are clickable. Some actions may not be required, and each action can only be used once per node. The corrective action order is not important. If at any time you would like to bring back the initial state of the simulation, please select the Reset button. When you have completed the simulation, please select the Done button to submit. Once the simulation is submitted, please select the Next button to continue.
Select and Place:
Correct
Correct Answer:
Question 33 of 60
33. Question
HOTSPOT –
A security analyst suspects that a workstation may be beaconing to a command and control server. Inspect the logs from the company’s web proxy server and the firewall to determine the best course of action to take in order to neutralize the threat with minimum impact to the organization.
Instructions:
Modify the firewall ACL, using the Firewall ACL form to mitigate the issue.
If at any time you would like to bring back the initial state of the simulation, please select the Reset All button.
Hot Area:
Correct
Correct Answer:
Question 34 of 60
34. Question
Which of the following BEST describes the offensive participants in a tabletop exercise?
Question 35 of 60
35. Question
After analyzing and correlating activity from multiple sensors, the security analyst has determined a group from a high-risk country is responsible for a sophisticated breach of the company network and continuous administration of targeted attacks for the past three months. Until now, the attacks went unnoticed.
This is an example of:
Question 36 of 60
36. Question
A system administrator who was using an account with elevated privileges deleted a large amount of log files generated by a virtual hypervisor in order to free up disk space. These log files are needed by the security team to analyze the health of the virtual machines. Which of the following compensating controls would help prevent this from reoccurring? (Choose two.)
Question 37 of 60
37. Question
Which of the following best practices is used to identify areas in the network that may be vulnerable to penetration testing from known external sources?
Question 38 of 60
38. Question
An organization has recently recovered from an incident where a managed switch had been accessed and reconfigured without authorization by an insider. The incident response team is working on developing a lessons learned report with recommendations. Which of the following recommendations will BEST prevent the same attack from occurring in the future?
Question 39 of 60
39. Question
A cybersecurity analyst is reviewing the current BYOD security posture. The users must be able to synchronize their calendars, email, and contacts to a smartphone or other personal device. The recommendation must provide the most flexibility to users. Which of the following recommendations would meet both the mobile data protection efforts and the business requirements described in this scenario?
Question 40 of 60
40. Question
A security analyst received a compromised workstation. The workstation's hard drive may contain evidence of criminal activities. Which of the following is the FIRST thing the analyst must do to ensure the integrity of the hard drive while performing the analysis?
Question 41 of 60
41. Question
File integrity monitoring states the following files have been changed without a written request or approved change. The following change has been made: chmod 777 -Rv /usr
Which of the following may be occurring?
Question 42 of 60
42. Question
A security analyst has created an image of a drive from an incident. Which of the following describes what the analyst should do NEXT?
Question 43 of 60
43. Question
A cybersecurity analyst is currently investigating a server outage. The analyst has discovered the following value was entered for the username: 0xbfff601a. Which of the following attacks may be occurring?
Question 44 of 60
44. Question
External users are reporting that a web application is slow and frequently times out when attempting to submit information. Which of the following software development best practices would have helped prevent this issue?
Question 45 of 60
45. Question
A vulnerability scan has returned the following information:
Which of the following describes the meaning of these results?
Question 46 of 60
46. Question
A cybersecurity analyst is conducting a security test to ensure that information regarding the web server is protected from disclosure. The cybersecurity analyst requested an HTML file from the web server, and the response came back as follows:
Which of the following actions should be taken to remediate this security issue?
Question 47 of 60
47. Question
An analyst has initiated an assessment of an organization's security posture. As a part of this review, the analyst would like to determine how much information about the organization is exposed externally. Which of the following techniques would BEST help the analyst accomplish this goal? (Choose two.)
Question 48 of 60
48. Question
A cybersecurity professional typed in a URL and discovered the admin panel for the e-commerce application is accessible over the open web with the default password. Which of the following is the MOST secure solution to remediate this vulnerability?
Question 49 of 60
49. Question
An organization is requesting the development of a disaster recovery plan. The organization has grown and so has its infrastructure. Documentation, policies, and procedures do not exist. Which of the following steps should be taken to assist in the development of the disaster recovery plan?
Question 50 of 60
50. Question
A company wants to update its acceptable use policy (AUP) to ensure it relates to the newly implemented password standard, which requires sponsored authentication of guest wireless devices. Which of the following is MOST likely to be incorporated in the AUP?
Question 51 of 60
51. Question
An analyst was tasked with providing recommendations of technologies that are PKI X.509 compliant for a variety of secure functions. Which of the following technologies meet the compatibility requirement? (Choose three.)
Question 52 of 60
52. Question
After completing a vulnerability scan, the following output was noted:
Which of the following vulnerabilities has been identified?
Question 53 of 60
53. Question
A security analyst is adding input to the incident response communication plan. A company officer has suggested that if a data breach occurs, only affected parties should be notified to keep an incident from becoming a media headline. Which of the following should the analyst recommend to the company officer?
Question 54 of 60
54. Question
A company has recently launched a new billing invoice website for a few key vendors. The cybersecurity analyst is receiving calls that the website is performing slowly and the pages sometimes time out. The analyst notices the website is receiving millions of requests, causing the service to become unavailable. Which of the following can be implemented to maintain the availability of the website?
Question 55 of 60
55. Question
A cybersecurity analyst has received the laptop of a user who recently left the company. The analyst types 'history' into the prompt, and sees this line of code in the latest bash history:
This concerns the analyst because this subnet should not be known to users within the company. Which of the following describes what this code has done on the network?
Question 56 of 60
56. Question
A security audit revealed that port 389 has been used instead of 636 when connecting to LDAP for the authentication of users. The remediation recommended by the audit was to switch the port to 636 wherever technically possible. Which of the following is the BEST response?
Question 57 of 60
57. Question
A security analyst is reviewing IDS logs and notices the following entry:
Which of the following attacks is occurring?
Question 58 of 60
58. Question
A company that is hiring a penetration tester wants to exclude social engineering from the list of authorized activities. Which of the following documents should include these details?
Question 59 of 60
59. Question
A reverse engineer was analyzing malware found on a retailer’s network and found code extracting track data in memory. Which of the following threats did the engineer MOST likely uncover?
Question 60 of 60
60. Question
Due to new regulations, a company has decided to institute an organizational vulnerability management program and assign the function to the security team.
Which of the following frameworks would BEST support the program? (Choose two.)