Mock Exam 2

  1. Which of the following are exploitability metrics?
    1. Attack Vector | Availability | Privileges Required
    2. Attack Vector | Attack Complexity | Privileges Required
    3. Confidentiality | Integrity | Availability
    4. Attack Complexity | User Interaction | Scope
  2. Which transport layer protocol is the most likely to be used for the destination: 192.168.1.254:snmp?
    1. DNS
    2. TCP
    3. HTTP
    4. UDP
  3. Which of the following will be matched by the regex statement, [PacktPub]{8}?
    1. packtpub
    2. Packt Pub
    3. PACKTPUB
    4. backtack
  4. What element of a network profile describes how much data is successfully transmitted over the network per second?
    1. Total throughput
    2. Session duration
    3. Critical asset utilization
    4. Running tasks
  1. Which of the following is a reason to conduct probabilistic analysis?
    1. Innovative threats
    2. Inconsistent timestamps on logs
    3. Incomplete logs
    4. Integrity concerns on processed logs
  2. How can an operator extract an application that's been downloaded from a website using Wireshark?
    1. File | Export Objects | HTTP....
    2. File | Export Objects | UDP....
    3. File | Export Objects | Application/octet-stream.
    4. Applications can only be downloaded from a TCP stream.
  3. Which of the following is true of trends in the analysis for cybersecurity?
    1. Increasing processing power means analysts are ahead of attackers.
    2. Increased information sharing means deterministic analysis is becoming accessible for smaller companies.
    3. Machine learning techniques are increasingly being used to support probabilistic analysis.
    4. Increasingly sophisticated attacks are pushing deterministic analysis into popularity.
  4. A user in finance follows a link that's sent to them from HACME bank, their company's business banking supplier. The user accessed the website through Mozilla Firefox on Windows 10. Which log is suspicious?
    1. GET HACME.com/login.php HTTP/1.1 in the proxy log
    2. user-agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 in the Proxy Log
    3. GET %D2%A2ACME.com/login.php HTTP/1.1 in the Proxy Log
    4. Records to [hacme.com]:443 in NetFlow, where [hacme.com] is the correct IP address for the bank's web server
  5. Which of the following teams may act as a response team of last resort, leading the response for organizations that may not have their own response team?
    1. Coordination centers
    2. Analysis centers
    3. Managed security service providers
    4. National CSIRT
  1. A signature-based antivirus software is an example of what type of analysis?
    1. Deterministic analysis
    2. Probabilistic analysis
    3. Narrative analysis
    4. Predictive analysis
  2. What is the purpose of ARP?
    1. To map IP addresses to MAC addresses
    2. To map IP addresses to port numbers on a switch
    3. To map sockets to port numbers on a switch
    4. To map sockets to MAC addresses
  3. Which of the following might occur in the reconnaissance phase of the Cyber Kill Chain?
    1. Unsolicited emails are sent, telling users to click a link.
    2. Unsolicited telephone calls are made, telling users to allow a remote desktop connection.
    3. Unsolicited professional social media requests are made, asking for information about an upcoming job opportunity.
    4. Unsolicited merchandise, including USB pen drives, is sent.
  4. Which of the following is not a category of a safeguard under HIPAA?
    1. Administrative safeguards
    2. Preemptive safeguards
    3. Technical safeguards
    4. Physical safeguards
  5. Which of the following is a property of the NTFS filesystem?
    1. Maximum file size of 4 GB
    2. Maximum directory depth of 60 levels
    3. Support for encryption
    4. Full journaling (metadata and file data) support
  6. Which of the following is a feature of sandbox detection?
    1. Sandbox detection allows the API calls to be recorded.
    2. Sandbox detection can negate some of the complexities associated with polymorphic malware.
    3. Sandbox detection is faster than signature-based detection.
    4. Sandbox detection uses file features extracted from the file itself to classify unknown files using machine learning.
  1. Which of the following might occur in the exploitation phase of the Cyber Kill Chain?
    1. The attack code is launched.
    2. The attack code is downloaded to an infected host.
    3. The attack code is constructed based on the observed vulnerabilities.
    4. The infected host beacons back to the command and control server.
  2. Who will coordinate the incident response activity if there is a single, distributed CSIRT in a large organization?
    1. Coordination center
    2. Organizational senior management
    3. IT support
    4. Information assurance
  3. What can an organization use to manually configure alert priorities?
    1. Correlation rules in the Firepower Management Console
    2. Traps for syslog messages
    3. Severity scores in the IDS
    4. Metasploit
  4. Who is ultimately responsible for reviewing and accounting for deficiencies under SOX?
    1. IT service managers
    2. Executive board members
    3. External auditors
    4. Internal verifiers
  5. An email attachment enters the system and is characterized as malware. Which of the following is true?
    1. If the attachment was malicious, this is a true negative.
    2. If the attachment was legitimate, this is a true positive.
    3. If the attachment was legitimate, this is a false positive.
    4. If the attachment was malicious, this is a false negative.
  1. The network's security software went offline two days ago. An investigator suspects that malware has found its way onto a user's computer in this time. Which of the following would be considered corroborative evidence?
    1. Antivirus scan logs that detected no threats
    2. Network data showing a spike in traffic from that computer over the last two days
    3. Activity logs showing that the computer has not been used in a week
    4. Multiple files on the computer being deleted over a number of months
  2. Which of the following is a benefit of removing partial and transitive dependencies during normalization?
    1. Removing anomalies
    2. Reducing duplication
    3. Structuring metadata
    4. Collating information
  3. An IPv6 packet has a length field value of 0. What might this mean?
    1. The packet header has been corrupted.
    2. The packet has no payload.
    3. The packet has a total length greater than 65,535 bytes.
    4. The packet is being used to establish a session.
  4. Which of the following items is sensitive authentication data?
    1. Cardholder name
    2. Service code
    3. Magnetic-stripe information
    4. Cardholder address
  5. Which of the following is the highest priority item for collection according to NIST.SP800-86?
    1. Network connections
    2. Running processes
    3. Contents of memory
    4. Open files
  1. Which option allows case sensitivity to be enforced with grep?
    1. -i
    2. -o
    3. grep is case-sensitive by default
    4. -C
  1. Which of the following precautions reduce the threat to data during an investigation? (Select all that apply.)
    1. Antistatic wristbands used during physical handling
    2. Performing analysis on the original drive
    3. Storage in specialist storage facilities
    4. Encrypting the data
  2. Which of the following statements about the following screenshot are true? (Select two.)

    1. Creating a new file creates duplication and, therefore, may create update anomalies.
    2. A new file should be created with the | command.
    3. Creating a new file with the > command maintains the integrity of the original.
    4. A new file should be created with the mv command.
  1. Which of the following HTTP responses might indicate that the web server is currently experiencing a denial of service attack?
    1. HTTP/1.1 408 Gateway Timeout
    2. HTTP/1.1 503 Service Unavailable
    3. HTTP/1.1 301 Moved Permanently
    4. HTTP/1.1 400 Bad Request
  1. A network administrator issues the following command. What are they trying to do?

    1. Shut down this unused port
    2. Prevent an unauthorized host using this unused port
    3. Prevent an unauthorized host from unplugging the legitimate device and using the port in its place
    4. Reset the saved MAC addresses associated with the port
  1. In which phase of the Cyber Kill Chain do lateral movement and privilege escalation occur?
    1. Exploitation
    2. Installation
    3. Command and control
    4. Actions on objectives
  2. How can an investigator collect information about the network connections on a device running Windows?
    1. The CLI command, w
    2. The CLI command, netstat
    3. The CLI command, ifconfig
    4. The CLI command, ipconfig
  1. The following screenshot shows part of a NetFlow output for an organization using PAT. What can be said about the position of the NetFlow collection device relative to the network?

    1. The data is being collected before translation has been applied on the outbound interface and before translation has been applied on the inbound interface.
    2. The data is being collected before translation has been applied on the outbound interface and after translation has been applied on the inbound interface.
    3. The data is being collected after translation has been applied on the outbound interface and before translation has been applied on the inbound interface.
    4. The data is being collected after translation has been applied on the outbound interface and after translation has been applied on the inbound interface.
  1. A system has 10 publicly routable addresses, a publicly accessible web server, and a /8 private (internal) addressing scheme. Which of the following should be considered?
    1. Applying a dynamic NAT to utilize the full publicly routable address pool
    2. Applying a PAT to allow more hosts to connect to the Internet simultaneously
    3. Applying a static NAT from one of the public addresses to the web server, pooling the other addresses for other users
    4. Using a static IP address allocation to apply control over every host's IP address
  1. What would be listed under Actor in a VERIS report concerning a "script kiddie" who found some code on a "dark web" site and was seeing what it would do?
    1. Actor: External: .Motive: Fun/.Variety: Unaffiliated
    2. Actor: External: .Motive: NA/.Variety: Unaffiliated
    3. Actor: External: .Motive: Unknown/.Variety: Unaffiliated
    4. Actor: External: .Motive: Grudge/.Variety: Force Majeure (chance)
  2. Which of the following is a reason to establish asset attribution?
    1. To prove that the item is in its original form
    2. To assert copyrights
    3. To prevent theft
    4. To allow the item to be shared
  3. At what point should the public affairs and media relations team be notified?
    1. As soon as an incident has been verified.
    2. As directed by senior management.
    3. When the incident has been identified.
    4. The Public Affairs and Media Relations team will contact the CSIRT if a comment is required.
  4. In which phase of the Cyber Kill Chain might an attacker exfiltrate data from the system?
    1. Reconnaissance
    2. Actions on Objectives
    3. Exploitation
    4. Delivery
  1. A vulnerability allows a remote attacker to pretend to be an employee and access internal documents. Which metric is likely to be affected the most?
    1. Confidentiality
    2. Privileges Required
    3. Scope
    4. Availability
  2. For which phase of the Cyber Kill Chain is the use of honey pots an effective defensive tool?
    1. Actions on Objectives
    2. Delivery
    3. Command and Control
    4. Exploitation
  1. An incident has arisen after a series of successful phishing emails were sent. Which would be the correct VERIS action?
    1. Social
    2. Misuse
    3. Error
    4. Malware
  2. Which piece of the data is required at a minimum to qualify as CHD under PCI DSS?
    1. CVV2
    2. PAN
    3. Expiry date
    4. PIN
  3. Which command allows the results of one function to be output to a file?
    1. The pipe character (|)
    2. The greater than sign (>)
    3. The caret sign (^)
    4. The ampersand character (&)
  1. Which protocol allows an administrator to determine the IP addresses of routers between two hosts?
    1. ICMP
    2. IPv6
    3. IPv4
    4. TCP
  1. Which of the following lines from Unix permissions indicates that a file can be executed by anyone within the same group as the owner?
    1. 0764
    2. -rw-rw-rw-
    3. 0710
    4. -rwxrw-r--
  2. Which of the following is not a barrier to retrospective analysis?
    1. Historic log file truncation
    2. Incorrect/inconsistent date stamps
    3. Log file collation and normalization
    4. Rolling log files
  1. Which of the following questions does not relate to the remediation phase in incident handling?
    1. What are the communication timelines for the resumption of services to customers?
    2. What is the effect of reverting to a previously backed up version of the data?
    3. Will compensation be required?
    4. How can customer relations be improved?
  2. An administrator suspects that a vulnerability exists on one of the host computers. It is communicating with the Command and Control host using HTTP messages. The hosts are all running macOS and Safari. Why is the following user-agent string suspicious?
    User-agent string: Mozilla/4.0 (compatible; MSIE 5.16; Mac_PowerPC)
    1. The user-agent string is too short.
    2. The user-agent string appears to be Mozilla, which is associated with Firefox.
    3. The user-agent string appears to be running Internet Explorer, which is not installed on the hosts.
    4. The user-agent string appears to support Mozilla/4.0 instead of Mozilla/6.0.
  1. Which of the following entities would not be considered in the identification phase of incident handling under NIST.SP800-61 r2?
    1. Partner organizations
    2. Regulators
    3. Threat actors
    4. Customers
  2. What command can be issued in the Terminal on macOS to display the list of tasks currently running on a device?
    1. Activity monitor
    2. tasklist
    3. ps -e
    4. last