1.
A security analyst is conducting traffic analysis and observes an HTTP POST to a web server. The POST header is approximately 1,0000 bytes in length. During transmission, one byte is delivered every 10 seconds. Which of the following attacks is this traffic indicative of?
Correct Answer
A. Exfiltration
Explanation
The given scenario describes a situation where a large amount of data is being slowly transmitted over HTTP POST. This behavior is indicative of exfiltration, which refers to the unauthorized extraction of data from a network. In this case, the attacker is slowly sending the data to avoid detection and to successfully exfiltrate the information from the web server. This method allows the attacker to bypass security measures and transfer sensitive data without raising suspicion.
2.
A small bank employs an administrator who manages configurations, performs updates to servers, creates accounts, and reviews audit logs. The bank recently received a write-up from a third-party security assessment that was attributed to this administrator's job duties. The insufficiency of which of the following controls was MOST likely to have caused the citation?
Correct Answer
D. Separation of duties
Explanation
The insufficiency of separation of duties was most likely to have caused the citation. Separation of duties is a control measure that ensures that no single individual has complete control over a process or system. In this case, the administrator is responsible for multiple tasks such as managing configurations, performing updates, creating accounts, and reviewing audit logs. Without proper separation of duties, there is a higher risk of fraud, errors, and unauthorized activities going undetected. The third-party security assessment likely identified this lack of control as a potential vulnerability in the bank's security measures.
3.
A security administrator determines, several months after the first instance, that a local privileged user has been routinely logging into a server interactively as "root" and browsing the internet. The administrator determines this by performing an annual review of the security logs on that server. For which of the following security architecture areas should the administrator recommend review and modification? (select two)
Correct Answer(s)
A. Log aggregation and analysis
D. Acceptable use policies
Explanation
The administrator should recommend a review and modification of the log aggregation and analysis process because it took several months to detect the unauthorized activity. This suggests that the logs were not being properly monitored or analyzed in a timely manner. Additionally, the administrator should recommend a review and modification of the acceptable use policies because the local privileged user was accessing the internet, which may be a violation of the organization's policy.
4.
A cybersecurity analyst was hired to resolve a security issue within a company after it was reported that many employee account passwords had been compromised. Upon investigating the incident, the cybersecurity analyst found that a brute-force attack had been launched against the company. Which of the following remediation actions can the cybersecurity analyst recommend to senior management to address these security issues?
Correct Answer
B. Deploy multifactor authentication
Explanation
The cybersecurity analyst can recommend deploying multifactor authentication as a remediation action to address the security issues. This is because multifactor authentication adds an extra layer of security by requiring users to provide multiple forms of identification, such as a password and a unique code sent to their mobile device, before accessing their accounts. This would help prevent unauthorized access even if the passwords are compromised through a brute force attack.
5.
Management is concerned with administrator access from outside the network to a key server in the company. Specifically, firewall rules allow access to the server anywhere in the company. Which of the following would be an effective solution?
Correct Answer
B. Jump Box
Explanation
A jump box is a secure computer that serves as an intermediary between external networks and the key server. It acts as a single access point for administrators, allowing them to connect to the jump box first and then access the key server. This setup adds an extra layer of security by reducing direct access to the key server from outside the network. It also allows for better monitoring and control over administrator access, as all connections are funneled through the jump box.
6.
The Chief Information Security Officer (CISO) has asked the security staff to identify a framework on which to base the security program. The CISO would like to achieve a certification showing the security program meets all the required best practices. Which of the following would be the BEST choice?
Correct Answer
D. ISO
Explanation
ISO (International Organization for Standardization) would be the best choice for the CISO to base the security program on and achieve a certification showing that it meets all the required best practices. ISO provides internationally recognized standards for various aspects of business operations, including information security. By adopting ISO standards, the security program can ensure that it follows a comprehensive and systematic approach to managing information security risks, thereby demonstrating its commitment to best practices and compliance with industry standards.
7.
Considering confidentiality and integrity, which of the following makes servers more secure than desktops?
Correct Answer(s)
B. OS
D. Physical access restrictions
Explanation
The operating system (OS) plays a crucial role in enhancing the security of servers compared to desktops. Servers typically use specialized server operating systems that are designed with robust security features and protocols. These OSs offer better protection against unauthorized access, malware, and other security threats. Additionally, physical access restrictions, such as secure data centers and restricted entry, further enhance server security by preventing unauthorized individuals from physically accessing the server hardware.
8.
A system administrator has reviewed the following output:
# nmap server.local
Nmap scan report for server.local
Host is up (0.3452345s latency)
Not shown: 997 closed ports
Port State Service
22/tcp open ssh
80/tcp open http
# nc server.local 80
220 server.local company SMTP server (postfix/2.3.3)
# nc server.local 22
SSH-2.0-OpenSSH_7.1p2 Debian-2
#
Which of the following can a system administrator infer from the above output?
Correct Answer
A. The company email server is running a non-standard port
Explanation
The output shows that port 22 (SSH) and port 80 (HTTP) are open, but there is no mention of the email server running on any port. Therefore, the system administrator cannot infer anything about the company email server from this output.
9.
The security operations team is conducting a mock forensics investigation. Which of the following should be the FIRST action taken after seizing a compromised workstation?
Correct Answer
B. Implement the incident response plan
Explanation
After seizing a compromised workstation, the first action should be to implement the incident response plan. This is because the incident response plan provides a systematic approach to handle security incidents and outlines the necessary steps to mitigate the impact of the compromise. By implementing the incident response plan, the security operations team can quickly and effectively respond to the incident, contain the compromise, and start the process of investigating and remediating the issue. Activating the escalation checklist, analyzing the forensic image, and performing evidence acquisition are important steps in the overall investigation process, but they should be done after implementing the incident response plan.
10.
Nmap scan results on a set of IP addresses returned one or more lines beginning with "cpe:/o." followed by a company name, product name, and version. Which of the following would this string help an administrator identify?
Correct Answer
A. Operating systems
Explanation
The string "cpe:/o." followed by a company name, product name, and version indicates the operating systems installed on the scanned IP addresses. This information can help an administrator identify the specific operating systems being used by the devices on the network.
11.
Which of the following BEST explains the purpose of a data ownership policy?
Correct Answer
A. The policy should describe the roles and responsibilities between users and managers, and the management of specific data types
Explanation
The purpose of a data ownership policy is to clearly define the roles and responsibilities between users and managers when it comes to data. It also aims to establish how specific data types should be managed. This policy ensures that everyone in the organization understands their obligations and the proper procedures for handling and protecting data.
12.
An organization has recently recovered from an incident where a managed switch had been accessed and reconfigured without authorization by an insider. The incident response team is working on developing a lessons learned report with recommendations. Which of the following recommendations would be BEST to prevent the same attack from occurring in the future?
Correct Answer
B. Implement a separate logical network segment for management interfaces
Explanation
Implementing a separate logical network segment for management interfaces would be the best recommendation to prevent the same attack from occurring in the future. This would ensure that the management interfaces are isolated from the rest of the network, making it more difficult for unauthorized access and configuration changes to occur. By separating the management interfaces, any potential insider threat would have limited access and would not be able to easily compromise the switch. This recommendation would enhance the security of the network and prevent similar incidents from happening again.
13.
A company has been a victim of multiple volumetric DoS attacks. A packet capture of the offending traffic shows the following:
09:23:45.058939 IP 192.168.1.1:2562 > 170.43.30.4:0: Flags[ ], seq 1887775210:1887776670, win 512, length 1460
09:23:45.058940 IP 192.168.1.1:2563 > 170.43.30.4:0: Flags[ ], seq 1887775211:1887776671, win 512, length 1460
09:23:45.058941 IP 192.168.1.1:2564 > 170.43.30.4:0: Flags[ ], seq 1887775212:1887776672, win 512, length 1460
09:23:45.058942 IP 192.168.1.1:2565 > 170.43.30.4:0: Flags[ ], seq 1887775213:1887776673, win 512, length 1460
Which of the following mitigation techniques is MOST effective against the above attack?
Correct Answer
A. The company should contact the upstream ISP and ask that RFC 1918 traffic be dropped
Explanation
The given packet shows that the source IP address is 192.168.1.1, which is a private IP address according to RFC 1918. Volumetric DoS attacks often involve spoofed IP addresses, including private IP addresses. By contacting the upstream ISP and asking them to drop RFC 1918 traffic, the company can effectively block the attack traffic that is using a private IP address as the source. This is the most effective mitigation technique in this scenario.
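Added example (not part of the original page): a small Python parser for capture lines in the tcpdump format quoted above. It flags the traits the explanation relies on, an RFC 1918 source address arriving on an external interface plus flag-less packets to port 0, and produces the list of source addresses to ask the upstream ISP to drop. The sample capture is the question's four lines transcribed as constructed input.

```python
import ipaddress
import re

# The four packet lines quoted in the question, transcribed as a constructed sample.
SAMPLE_CAPTURE = """\
09:23:45.058939 IP 192.168.1.1:2562 > 170.43.30.4:0: Flags[ ], seq 1887775210:1887776670, win 512, length 1460
09:23:45.058940 IP 192.168.1.1:2563 > 170.43.30.4:0: Flags[ ], seq 1887775211:1887776671, win 512, length 1460
09:23:45.058941 IP 192.168.1.1:2564 > 170.43.30.4:0: Flags[ ], seq 1887775212:1887776672, win 512, length 1460
09:23:45.058942 IP 192.168.1.1:2565 > 170.43.30.4:0: Flags[ ], seq 1887775213:1887776673, win 512, length 1460
"""

# RFC 1918 private space listed explicitly; ipaddress.is_private would also
# match loopback, link-local and shared address space, which is not what the ISP is asked for.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the tcpdump TCP summary format used in the capture above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+): "
    r"Flags\[(?P<flags>[^\]]*)\].*\blength (?P<length>\d+)$"
)


def parse_capture(text):
    """Parse tcpdump summary lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "length"):
            rec[key] = int(rec[key])
        rec["flags"] = rec["flags"].strip()  # "Flags[ ]" means no TCP flags are set
        records.append(rec)
    return records


def is_rfc1918(ip):
    """True when the address falls in one of the three RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETS)


def summarize(records):
    """Count the traits that mark this capture as spoofed flood traffic."""
    summary = {"packets": len(records), "bytes": 0, "rfc1918_src": 0, "no_flags": 0, "dst_port_zero": 0}
    for r in records:
        summary["bytes"] += r["length"]
        if is_rfc1918(r["src"]):
            summary["rfc1918_src"] += 1
        if r["flags"] == "":
            summary["no_flags"] += 1
        if r["dport"] == 0:
            summary["dst_port_zero"] += 1
    return summary


def bogon_sources(records):
    """RFC 1918 source addresses seen on the external side: the list to have the ISP (or the edge) drop."""
    return sorted({r["src"] for r in records if is_rfc1918(r["src"])})


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    print(summarize(recs))
    print("RFC 1918 sources arriving from outside:", bogon_sources(recs))
```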
14.
An organization uses Common Vulnerability Scoring System (CVSS) scores to prioritize remediation of vulnerabilities. Management wants to modify the priorities based on a difficulty factor so that vulnerabilities with lower CVSS scores may get higher priority if they are easier to remediate with less risk to system functionality. Management also wants to quantify the priority. Which of the following would achieve management's objective?
Correct Answer
C. (CVSS Score) * Difficulty = Priority
Where difficulty is a range from 1 to 10 with 10 being the easiest and lowest risk to implement
Explanation
The correct answer is (CVSS Score) * Difficulty = Priority, where difficulty is a range from 1 to 10 with 10 being the easiest and lowest risk to implement. This formula allows management to modify the priorities based on a difficulty factor, giving higher priority to vulnerabilities with lower CVSS scores if they are easier to remediate with less risk to system functionality. By using a scale of 1 to 10 for difficulty, the organization can quantify the priority of each vulnerability.
15.
The director of software development is concerned with recent web application security incidents, including the successful breach of a back-end database server. The director would like to work with the security team to implement a standardized way to design, build and test web applications and the services that support them. Which of the following meets these criteria?
Correct Answer
A. OWASP
Explanation
OWASP (Open Web Application Security Project) is the correct answer. OWASP provides a set of guidelines, tools, and resources for web application security. By working with the security team to implement OWASP, the director of software development can ensure that web applications and services are designed, built, and tested in a standardized and secure manner. OWASP focuses on identifying and mitigating common web application vulnerabilities, making it an appropriate choice for addressing the concerns raised by recent security incidents. SANS is a well-known organization that offers cybersecurity training and certifications, but it does not specifically focus on web application security. PHP and Ajax are programming languages and technologies, not comprehensive frameworks or guidelines for web application security.
16.
A security analyst has noticed that a particular server has consumed over 1TB of bandwidth over the course of a month. It has port 3333 open, however, there have not been any alerts or notices regarding the server or its archives. Which of the following did the analyst discover?
Correct Answer
C. Zero day
Explanation
The analyst discovered a zero day vulnerability on the server. A zero day vulnerability refers to a security flaw that is unknown to the software vendor and does not have a patch or fix available. This vulnerability allowed the server to consume a large amount of bandwidth without triggering any alerts or notices.
17.
A company is running Microsoft on a file server. A vulnerability scan returned the following result:
Vulnerable software installed: Office 2007
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\000021095F01000000100000000F01FEC\InstallProperties - key exists
The Office component Microsoft Office Excel Services is running an affected version - 12.0.6612.1000
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\000021095F01000000100000000F01FE\Patches\F6A389258DE016A46B54137BE2278095A - key does not exist
Patch {52983A6F-OED8-4A61-B645-31B72E7208A9} is not installed
Which of the following would provide the MOST efficient method of remediating this finding?
Correct Answer
B. Install patches on the server
Explanation
The vulnerability scan has identified that the file server is running an affected version of Microsoft Office Excel Services. The scan also indicates that a specific patch is not installed on the server. Therefore, the most efficient method of remediation would be to install the missing patches on the server. This would help to address the vulnerability and ensure that the software is up to date with the necessary security fixes.
18.
A security analyst is reviewing logs and discovers that a company-owned computer issued to an employee is generating many alerts and warnings. The analyst continues to review the log events and discovers that a non-company-owned device from a different, unknown IP address is generating the same events. The analyst informs the manager of these findings, and the manager explains that these activities are already known and part of an ongoing simulation. Given this scenario, which of the following roles are the analyst, the employee and the manager filling?
Correct Answer
D. The analyst is the blue team
The employee is the red team
The manager is the white team
Explanation
In this scenario, the security analyst is reviewing logs and discovering that a non company-owned device is generating alerts and warnings on a company-owned computer issued to an employee. The analyst informs the manager about these findings and the manager explains that these activities are part of an ongoing simulation. Based on this information, the analyst is playing the role of the blue team, responsible for monitoring and defending the company's systems. The employee is playing the role of the red team, responsible for simulating attacks and identifying vulnerabilities. The manager is playing the role of the white team, responsible for overseeing and coordinating the simulation exercise.
19.
The Chief Information Officer (CIO) of a company has been receiving an increased amount of spam in the last month. The CIO has not signed up for any newsletter or given contact information to any vendors during this time frame. Which of the following techniques would a cybersecurity analyst employ to duplicate an external actor's methods of uncovering the CIO's e-mail address? (select two)
Correct Answer(s)
A. Social media profiling
B. Email harvesting
Explanation
The correct answer is social media profiling and email harvesting. Social media profiling involves gathering information about an individual from their social media accounts, which could potentially reveal their email address. Email harvesting is the process of collecting email addresses from various sources, such as websites or online directories. Both techniques can be used by an external actor to uncover the CIO's email address without the CIO directly providing their contact information to any vendors or newsletters.
20.
During the post-seizure analysis of a workstation, the technician discovers a large archive on an image that the forensic tool suite is unable to access. The technician is prompted for authorization credentials when attempting to open the files manually. Which of the following tools would be MOST appropriate to use on the archive to gain access?
Correct Answer
D. Password cracker
Explanation
A password cracker would be the most appropriate tool to use on the archive in order to gain access. Since the technician is prompted for authorization credentials when attempting to open the files manually, it suggests that the archive is password protected. A password cracker is designed to systematically attempt different combinations of passwords until the correct one is found, allowing the technician to gain access to the files within the archive.
21.
Following a data compromise, a cybersecurity analyst noticed the following executed query:
Select * from Users WHERE name = rick or 1=1
Which of the following attacks occurred, and which of the following technical security controls would BEST reduce the risk of future impact from this attack?
Correct Answer(s)
C. Parameter validation
F. SQL injection
Explanation
The executed query "Select * from Users WHERE name = rick or 1=1" indicates a SQL injection attack. In this attack, the attacker exploits a vulnerability in the application's input validation, allowing them to inject malicious SQL code into the query. Parameter validation is the best technical security control to reduce the risk of future impact from this attack. By properly validating and sanitizing user input, the application can prevent the injection of malicious SQL code and ensure that only valid parameters are used in the query. This helps to protect the database from unauthorized access and manipulation.
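The two controls named in the explanation, binding the parameter and validating it, shown side by side with the vulnerable string-building pattern in an added Python example that is not from the original page. It uses a constructed in-memory SQLite Users table and a hypothetical username allow-list; the tautology payload is the one from the logged query.

```python
import re
import sqlite3

# Constructed sample data (not from the page): three accounts in a Users table.
SAMPLE_USERS = [
    ("rick", "rick@example.test"),
    ("morty", "morty@example.test"),
    ("summer", "summer@example.test"),
]

# Hypothetical allow-list for usernames: letters, digits, dot, underscore, hyphen; 1 to 32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def make_db():
    """In-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (name TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The pattern behind the logged query: the name is pasted into the SQL text itself."""
    query = "SELECT * FROM Users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Bound parameter: the value travels separately and cannot change the query's structure."""
    return conn.execute("SELECT * FROM Users WHERE name = ?", (name,)).fetchall()


def is_valid_username(name):
    """Parameter validation: reject anything outside the allow-list before it reaches the database."""
    return USERNAME_RE.fullmatch(name) is not None


def lookup_defended(conn, name):
    """Both controls together: validate the parameter, then bind it."""
    if not is_valid_username(name):
        raise ValueError("rejected username")
    return lookup_parameterized(conn, name)


if __name__ == "__main__":
    db = make_db()
    payload = "rick' OR 1=1 --"  # the tautology from the logged query
    print("vulnerable    :", len(lookup_vulnerable(db, payload)), "rows")    # every user
    print("parameterized :", len(lookup_parameterized(db, payload)), "rows")  # none
    print("passes validation?", is_valid_username(payload))                   # False
```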
22.
Which of the following is MOST effective for correlation analysis by log for threat management?
Correct Answer
D. SIEM
Explanation
SIEM (Security Information and Event Management) is the most effective option for correlation analysis by log for threat management. SIEM systems collect and analyze log data from various sources, such as network devices, servers, and applications, to identify and correlate security events. By analyzing log data, SIEM can detect patterns and anomalies that may indicate potential threats or security incidents. This helps organizations in threat management by providing real-time monitoring, alerting, and incident response capabilities. PACP (Passive Asset Categorization Protocol), SCAP (Security Content Automation Protocol), and IPS (Intrusion Prevention System) are not specifically designed for correlation analysis by log for threat management.
23.
An analyst was testing the latest version of an internally developed CRM system. The analyst created a basic user account. Using a few tools in Kali's latest distribution, the analyst was able to access configuration files, change permissions on folders and groups, and delete and create new system objects. Which of the following techniques did the analyst use to perform these unauthorized actions?
Correct Answer
B. Privilege escalation
Explanation
The analyst used privilege escalation to perform these unauthorized services. Privilege escalation refers to the act of gaining higher levels of access or permissions than originally granted. In this case, the analyst was able to access configuration files, change permissions, and manipulate system objects, indicating that they were able to elevate their privileges beyond what their basic user account should have allowed.
24.
A security analyst received a compromised workstation. The workstation's hard drive may contain evidence of criminal activities. Which of the following is the FIRST thing the analyst must do to ensure the integrity of the hard drive while performing the analysis?
Correct Answer
A. Make a copy of the hard drive
Explanation
To ensure the integrity of the hard drive while performing the analysis, the security analyst should make a copy of the hard drive. This is important because creating a copy ensures that the original evidence remains untouched and unaltered, allowing the analyst to work with the copy without compromising the integrity of the original data. By making a copy, any changes made during the analysis will only affect the duplicate, preserving the integrity of the original evidence.
25.
A security analyst is performing a static code review of a web application that includes a blog. The comment section contains the following snippet:
<script>
  // Read the raw text the user typed into the comment box
  var d = document.getElementById("userComment").value;
  // Write it back into the page as HTML without encoding it
  document.getElementById("displayComment").innerHTML = d;
</script>
Correct Answer
C. Cross-site scripting
Explanation
The given snippet of code is vulnerable to cross-site scripting (XSS) attack. This is because the user input from the comment section is directly inserted into the HTML without proper validation or sanitization. An attacker can exploit this vulnerability by injecting malicious code into the comment section, which will then be executed by other users visiting the web application. This can lead to various attacks such as stealing sensitive information, hijacking user sessions, or defacing the website.
26.
A security analyst is performing a review of Active Directory and discovers two new user accounts in the accounting department. Neither of the users has elevated permissions, but accounts in the group are given access to the company's sensitive financial management application by default. Which of the following is the BEST course of action?
Correct Answer
E. Confirm the accounts are valid and ensure role-based permissions are appropriate
Explanation
The best course of action in this scenario is to confirm the validity of the newly discovered user accounts and ensure that their role-based permissions are appropriate. This is important because the accounts have access to the company's sensitive financial management application by default, even though they do not have elevated permissions. By confirming their validity and reviewing their permissions, the security analyst can ensure that only authorized individuals have access to sensitive information and prevent any potential security breaches or unauthorized access.
27.
Which of the following actions should occur to address any open issues while closing an incident involving various departments within the network?
Correct Answer
E. None of the above
Explanation
The correct answer is "none of the above" because the actions mentioned in the options (Incident Response Plan, Lesson learned report, reverse engineering process, chain of custody documentation) do not directly address open issues while closing an incident involving various departments within the network. These options may be relevant in other stages of incident response or for different purposes, but they are not specifically focused on addressing open issues during the closure of an incident.
28.
Following a security breach, a post-mortem was done to analyze the driving factors behind the breach. The cybersecurity analyst discussed potential impacts, mitigations, and remediation based on current events and emerging threat vectors with specific stakeholders. Which of the following is this considered to be?
Correct Answer
A. Threat intelligence
Explanation
The given scenario describes a post-mortem analysis conducted after a security breach. The analysis involves discussing potential impacts, mitigations, and remediation based on current events and emerging threat vectors. This process is known as threat intelligence, which refers to the collection, analysis, and dissemination of information about potential threats to an organization's security. It helps organizations understand the nature of the threats they face and make informed decisions to protect their systems and data.
29.
An organization followed an SDLC process for vulnerability remediation from development (DEV) through staging (STG) to production (PROD). The organization found that this process took too long and provided no additional security value. Which of the following vulnerability management processes is the BEST approach for this organization?
Correct Answer
A. Remediate both DEV and STG concurrently, test and then remediate PROD
Explanation
The best approach for this organization would be to remediate both DEV and STG concurrently, test them, and then remediate PROD. This approach ensures that vulnerabilities are addressed in both the development and staging environments simultaneously, reducing the overall time taken for the remediation process. Additionally, testing after remediation in DEV and STG allows for verification of the effectiveness of the remediation measures before applying them to the production environment. This approach strikes a balance between efficiency and security value by addressing vulnerabilities at multiple stages of the SDLC.
30.
Which of the following represent the reasoning behind careful planning of the timelines and time-of-day boundaries for an authorized penetration test? (select two)
Correct Answer(s)
C. To mitigate unintended impacts to operations
D. To avoid conflicts with real intrusions that may occur
Explanation
The careful planning of timelines and time boundaries for an authorized penetration test is important to mitigate any unintended impacts to operations. By scheduling the test activities, personnel resources can be allocated efficiently. Additionally, determining the frequency of team communication and reporting ensures effective coordination and monitoring of the test. By avoiding conflicts with real intrusions that may occur, the test can be conducted without causing disruptions or confusion. Lastly, ensuring that the test has measured impact to operations helps in assessing the effectiveness of the test and identifying areas for improvement.
31.
A new policy requires the security team to perform web application and OS vulnerability scans. All of the company's web applications use federated authentication and are accessible via a central portal. Which of the following should be implemented to ensure a more accurate scan of the company's web applications, while at the same time reducing false positives?
Correct Answer
A. The vulnerability scanner should be configured to perform authenticated scans
Explanation
To ensure a more accurate scan of the company's web applications and reduce false positives, the vulnerability scanner should be configured to perform authenticated scans. Authenticated scans allow the scanner to log in to the web applications using valid credentials, giving it a deeper understanding of the application's vulnerabilities and reducing the chances of false positives. By authenticating with the application, the scanner can access restricted areas and test functionalities that may not be available to anonymous users, providing a more comprehensive assessment of potential vulnerabilities.
32.
An executive tasked a security analyst with aggregating past logs, traffic and alerts on a particular vector. The analyst was then tasked with analyzing the data and making predictions on future complications regarding this attack vector. Which of the following types of analysis is the security analyst MOST likely conducting?
Correct Answer
A. Trend analysis
Explanation
The security analyst is most likely conducting trend analysis. Trend analysis involves analyzing past data and identifying patterns or trends to make predictions about future outcomes. In this case, the analyst is aggregating past logs, traffic, and alerts on a specific attack vector and using that data to predict future complications related to that vector. This aligns with the concept of trend analysis, which focuses on identifying and analyzing patterns over time to make informed predictions.
33.
During a review of security controls, an analyst was able to connect to an external, unsecured FTP server from a workstation. The analyst was troubleshooting and reviewed the ACLs of the segment firewall the workstation is connected to. Based on the ACLs above, which of the following explains why the analyst was able to connect to the FTP server?
Correct Answer
A. FTP was explicitly allowed in seq 8 of the ACL
Explanation
The analyst was able to connect to the FTP server because FTP was explicitly allowed in sequence 8 of the ACL.
34.
A security analyst is to configure a vulnerability scan for a new segment on the network. Given the requirement to prevent credentials from traversing the network while still conducting a credentialed scan, which of the following is the BEST choice?
Correct Answer
A. Install agents on the endpoints to perform the scan
Explanation
Installing agents on the endpoints to perform the scan is the best choice because it allows the vulnerability scan to be conducted without the credentials traversing the network. By installing agents on the endpoints, the scan can be performed locally on each endpoint without the need for credentials to be transmitted across the network. This ensures that the credentials remain secure and reduces the risk of them being intercepted or compromised during the scan.
35.
A company invested 10 percent of its entire annual budget in security technologies. The Chief Information Officer (CIO) is convinced that, without this investment, the company will risk being the next victim of the same cyber attacks its competitors experienced 3 months ago. However, despite this investment, users are sharing their usernames and passwords with their coworkers to get jobs done. Which of the following will eliminate the risk introduced by this practice?
Correct Answer
A. Invest in and implement a solution to ensure non-repudiation
Explanation
Investing in and implementing a solution to ensure non-repudiation will eliminate the risk introduced by users sharing their usernames and passwords. Non-repudiation ensures that the actions of a user cannot be denied or falsely attributed to someone else. By implementing this solution, the company can track and authenticate user actions, making it impossible for users to share their credentials without being identified. This will discourage the practice of sharing usernames and passwords, thereby reducing the risk of unauthorized access and potential cyber attacks.
36.
Creating a lessons learned report following an incident will help an analyst to communicate which of the following information? (select two)
Correct Answer(s)
A. Root cause analysis of the incident and the impact it had on the organization
D. Enhancements to the policies and practices that will improve business responses
Explanation
Creating a lessons learned report following an incident will help an analyst communicate the root cause analysis of the incident and the impact it had on the organization. This report will provide valuable insights into the factors that led to the incident and the consequences it had on the organization's operations. Additionally, the report will also highlight enhancements to the policies and practices that can be implemented to improve the organization's response to similar incidents in the future.
37.
Which of the following has occurred?
Correct Answer
B. 123.120.110.212 is infected with a Trojan
38.
A company has recently launched a new billing invoice website for a few key vendors. The cybersecurity analyst is receiving calls that the website is performing slowly and the pages sometimes time out. The analyst notices the website is receiving millions of requests, causing the services to become unavailable. Which of the following can be implemented to maintain the availability of the website?
Correct Answer
C. Whitelisting
Explanation
Whitelisting can be implemented to maintain the availability of the website. By using whitelisting, the cybersecurity analyst can create a list of trusted IP addresses or domains that are allowed to access the website. This will block any unauthorized requests from reaching the website, reducing the load on the server and preventing it from becoming unavailable. Whitelisting ensures that only legitimate traffic is allowed, mitigating the impact of the millions of requests and improving the website's performance and availability.
39.
As part of the SDLC, software developers are testing the security of a new web application by inputting large amounts of random data. Which of the following types of testing is being performed?
Correct Answer
A. Fuzzing
Explanation
The correct answer is fuzzing. Fuzzing is a type of testing where software developers input large amounts of random data into a system to test its security. This is done to identify vulnerabilities and potential issues in the application. Fuzzing helps to uncover unexpected behavior and can be an effective technique for finding security flaws in software.
40.
A reverse engineer was analyzing malware found on a retailer's network and found code extracting data from memory. Which of the following threats did the engineer MOST likely uncover?
Correct Answer
A. POS malware
Explanation
The reverse engineer most likely uncovered POS malware. POS malware refers to malicious software that is specifically designed to target point-of-sale systems, such as those used by retailers. This type of malware is used to steal sensitive data, such as credit card information, from the retailer's network. The fact that the engineer found code extracting data in memory suggests that the malware was specifically designed to target and extract information from the point-of-sale system.
41.
A cybersecurity analyst has received an alert that well-known "call home" messages are continuously observed by network sensors at the network boundary. The proxy firewall successfully drops the messages. After determining the alert was a true positive, which of the following represents the MOST likely cause?
Correct Answer
B. Commands are attempting to reach a system infected with a botnet trojan
Explanation
The correct answer is "Commands are attempting to reach a system infected with a botnet trojan." This is the most likely cause because the alert indicates that "call home" messages are continuously observed by network sensors, which suggests that a system infected with a botnet trojan is receiving commands from a remote network. The proxy firewall successfully drops these messages, indicating that it is effectively blocking the communication between the infected system and the remote network.
42.
During a penetration test, a red team was able to collect the following data via phone:
OS: Windows
IP: 172.16.12.9
Password: Apples
AV: Norton
Which of the following threat vectors enables this collection?
Correct Answer
A. Phishing
Explanation
The red team was able to collect the data via phone, which suggests that they were able to trick or deceive someone into providing the information. Phishing is a common method used to trick individuals into revealing sensitive information such as passwords or personal details. It involves sending fraudulent emails or messages that appear to be from a legitimate source, in order to trick the recipient into providing the requested information. In this case, the red team was likely able to collect the data by using phishing techniques to deceive the target into revealing their OS, IP, password, and AV information.
43.
Which of the following principles describes how a security analyst should communicate during an incident?
Correct Answer
B. The communication should be limited to security staff only
Explanation
The principle that describes how a security analyst should communicate during an incident is that the communication should be limited to security staff only. This means that the analyst should only share information and updates about the incident with other members of the security team who are directly involved in managing and resolving the incident. By limiting communication to trusted and knowledgeable individuals within the security staff, sensitive information is kept confidential and the incident response process can be effectively coordinated without unnecessary distractions or potential leaks of information.
44.
A web application has a newly discovered vulnerability in the authentication method used to validate known company users. The user ID "Admin" with the password "password" grants elevated access to the application over the internet. Which of the following is the BEST method to discover the vulnerability before a production deployment?
Correct Answer
A. Manual peer review
Explanation
A manual peer review involves having experienced individuals review the code and logic of the web application. This can help identify vulnerabilities and potential weaknesses in the authentication method. Since the vulnerability has already been discovered, a manual peer review can help identify and fix the issue before the application is deployed in a production environment. User acceptance testing, input validation, and stress testing may also be helpful in identifying vulnerabilities, but a manual peer review is considered the best method in this scenario.
45.
A security analyst at a small regional bank has received an alert that nation states are targeting financial institutions via phishing campaigns. Which of the following techniques would the analyst recommend as a proactive measure to defend against this type of threat?
Correct Answer
B. Location-based NAC
Explanation
Location-based Network Access Control (NAC) would be recommended as a proactive measure to defend against phishing campaigns by nation states. This technique allows the security analyst to restrict access to the network based on the location of the user or device. By implementing location-based NAC, the analyst can ensure that only authorized users within the region or area are allowed access to the network, reducing the risk of unauthorized access from nation state actors attempting phishing attacks. This helps to strengthen the overall security posture of the small regional bank and mitigate the potential impact of such threats.
46.
A security analyst wants to scan the network for active hosts. Which of the following characteristics can help to differentiate between a virtual and physical host?
Correct Answer
A. Reserved MACs
Explanation
Reserved MACs can help differentiate between a virtual and physical host. In virtual environments, MAC addresses are often generated dynamically, whereas physical hosts typically have fixed, reserved MAC addresses assigned to their network interface cards (NICs). By examining the MAC addresses of the hosts on the network, the security analyst can identify those with reserved MACs as physical hosts, while hosts with dynamically generated MACs are likely to be virtual machines.
47.
A recent audit has uncovered several coding errors and a lack of input validation being used on a public portal. Due to the nature of the portal and the severity of the errors, the portal is unable to be patched. Which of the following tools could be used to reduce the risk of being compromised?
Correct Answer
A. Web application firewall
Explanation
A web application firewall can be used to reduce the risk of being compromised in this scenario. A web application firewall is specifically designed to protect web applications from common attacks such as SQL injection, cross-site scripting, and other vulnerabilities. Since the audit has uncovered coding errors and a lack of input validation on the public portal, a web application firewall can help mitigate these risks by monitoring and filtering incoming and outgoing traffic to the application, blocking any malicious requests or attempts to exploit the vulnerabilities. This can help protect the portal and its users from potential attacks.
48.
A cybersecurity analyst is reviewing the following outputs:
root@kali:~# hping3 -S -p 80 192.168.1.19
HPING 192.168.1.19 (eth0 192.168.1.19): S set, 40 headers + 0 data bytes
len=46 ip=192.168.1.19 ttl=64 DF id=28319 sport=80 flags=RA seq=0 win=0 rtt=0.6 ms
root@kali:~# hping3 -S -p 80 192.168.1.19
HPING 192.168.1.19 (eth0 192.168.1.19): S set, 40 headers + 0 data bytes
len=46 ip=192.168.1.19 ttl=64 DF id=28319 sport=8080 flags=RA seq=0 win=29200 rtt=11.9 ms
Which of the following can the analyst infer from the above output?
Correct Answer
B. The remote host is running a service on port 8080
Explanation
The analyst can infer from the output that the remote host is running a service on port 8080. This is indicated by the presence of the "sport=8080" in the output, which suggests that the remote host is actively listening on port 8080 and responding to the hping3 packets sent to that port.
49.
A security analyst is concerned that employees may attempt to exfiltrate data prior to tendering their resignations. Unfortunately, the company cannot purchase a data loss prevention (DLP) system. Which of the following recommendations should the security analyst make to provide defense-in-depth against data loss? (select three)
Correct Answer(s)
A. Prevent users from accessing email and file-sharing via web proxy
B. Prevent flash drives from connecting to USB ports using Group Policy
D. Prevent internet access on laptops unless connected to the network in the office or via VPN
Explanation
The security analyst should recommend preventing users from accessing email and file-sharing via web proxy, as this would restrict their ability to send sensitive data outside the network. They should also suggest preventing flash drives from connecting to USB ports using Group Policy, as this would prevent employees from easily copying data onto portable storage devices. Additionally, the analyst should recommend preventing internet access on laptops unless connected to the network in the office or via VPN, as this would limit the potential for data exfiltration through unauthorized internet connections.
50.
An organization wants to harden its web servers. As part of this goal, leadership has directed that a vulnerability scan be performed and that the security team remediate the servers according to industry best practices. The team has already chosen a vulnerability scanner and performed the necessary scan, and now the team needs to prioritize the fixes. Which of the following would help to prioritize the vulnerabilities for remediation in accordance with industry best practices?
Correct Answer
A. CVSS
Explanation
CVSS (Common Vulnerability Scoring System) is a widely recognized industry standard for assessing and prioritizing vulnerabilities. It provides a numerical score to each vulnerability based on its severity, impact, and exploitability. By using CVSS, the security team can prioritize the fixes based on the highest-scoring vulnerabilities, ensuring that the most critical issues are addressed first. This approach aligns with industry best practices and helps the organization effectively remediate the vulnerabilities on its web servers.