Chapter 7
Practice Exam 2

  1. Ty is reviewing the scan report for a Windows system joined to his organization's domain and finds the vulnerability shown here. What should be Ty's most significant concern related to this vulnerability?
    Snapshot of the vulnerability result obtained from reviewing the scan report for the windows system.
    1. The presence of this vulnerability indicates that an attacker may have compromised his network.
    2. The presence of this vulnerability indicates a misconfiguration on the target server.
    3. The presence of this vulnerability indicates that the domain security policy may be lacking appropriate controls.
    4. The presence of this vulnerability indicates a critical flaw on the target server that must be addressed immediately.
  2. During an incident investigation, Chris discovers that attackers were able to query information about his routers and switches using SNMP. Chris finds that his routers used “public” and “private” as their community strings. Which of the following is not an appropriate action to take to help secure SNMP in Chris's organization?
    1. Add complexity requirements to the SNMP community string.
    2. Enable and configure SNMP v2c.
    3. Enable and require TLS setting for SNMP.
    4. Apply different SNMP community strings to devices with different security levels.
  3. Heidi runs a vulnerability scan of the management interface of her organization's virtualization platform and finds the severity 1 vulnerability shown here. What circumstance, if present, should increase the severity level of this vulnerability to Heidi?
    Snapshot of a type of circumstance which should increase the security level of the vulnerability.

    1. Lack of encryption
    2. Missing security patch
    3. Exposure to external networks
    4. Out-of-date antivirus signatures
  4. Rowan ran a port scan against a network switch located on her organization's internal network and discovered the results shown here. She ran the scan from her workstation on the employee VLAN. Which one of the following results should be of greatest concern to her?
    Snapshot of a list of results to find the greatest concern from running a port scan against a network switch located on an internal organization network.
    1. Port 22
    2. Port 23
    3. Port 80
    4. Ports 8192 to 8194
  5. Evan is troubleshooting a vulnerability scan issue on his network. He is conducting an external scan of a website located on the web server shown in the diagram. After checking the Apache httpd logs on the web server, he saw no sign of the scan requests. Which one of the following causes is the least likely issue for him to troubleshoot?
    Schematic illustration of troubleshooting a vulnerability scan issue on a network.
    1. The scans are being blocked by an intrusion prevention system.
    2. The scans are being blocked by an Apache .htaccess file.
    3. The scans are being blocked by a network firewall.
    4. The scans are being blocked by a host firewall.
  6. Sam is looking for evidence of software that was installed on a Windows 10 system. He believes that the programs were deleted and that the suspect used both registry and log cleaners to hide evidence. What Windows feature can't he use to find evidence of the use of these programs?
    1. The MFT
    2. Volume shadow copies
    3. The shim (application compatibility) cache
    4. Prefetch files
  7. Mila is evaluating the security of an application developed within her organization. She would like to assess the application's security by supplying it with invalid inputs. What technique is Mila planning to use?
    1. Fault injection
    2. Stress testing
    3. Mutation testing
    4. Fuzz testing
  8. A port scan conducted during a security assessment shows the following results. What type of device has most likely been scanned? 
    Nmap scan report for EXAMPLE (192.168.1.79)
Host is up (1.00s latency).
Not shown: 992 closed ports
PORT     STATE 
21/tcp   open  
23/tcp   open  
80/tcp   open  
280/tcp  open  
443/tcp  open  
515/tcp  open  
631/tcp  open  
9100/tcp open  
Nmap done: 1 IP address (1 host up) scanned in 124.20 seconds
    1. A wireless access point
    2. A server
    3. A printer
    4. A switch
  9. Kim is reviewing the data gathered by the first responder to a security incident and comes across a text file containing the output shown here. What command generated this output?
    Snapshot of the output generated from reviewing the data gathered by the first responder to a security incident.
    1. traceroute
    2. netstat
    3. ifconfig
    4. sockets
  10. Which of the following is not one of the major categories of security event indicators described by NIST 800-61?
    1. Alerts from IDS, IPS, SIEM, AV, and other security systems
    2. Logs generated by systems, services, and applications
    3. Exploit developers
    4. Internal and external sources
  11. During an nmap scan of a network, Charles receives the following response from nmap: 
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-21 20:03 EDT
Nmap done: 256 IP addresses (0 hosts up) scanned in 29.74 seconds

    What can Charles deduce about the network segment from these results?

    1. There are no active hosts in the network segment.
    2. All hosts on the network segment are firewalled.
    3. The scan was misconfigured.
    4. Charles cannot determine if there are hosts on the network segment from this scan.
  12. Oskar is designing a vulnerability management program for his company, a hosted service provider. He would like to check all relevant documents for customer requirements that may affect his scanning. Which one of the following documents is least likely to contain this information?
    1. BPA
    2. SLA
    3. MOU
    4. BIA
  13. During a port scan of a server, Gwen discovered that the following ports are open on the internal network:

    TCP port 25

    TCP port 80

    TCP port 110

    TCP port 443

    TCP port 1521

    TCP port 3389

    Of the services listed here, for which one does the scan not provide evidence that it is likely running on the server?

    1. Web
    2. Database
    3. SSH
    4. Email
  14. As part of her forensic analysis of a wiped thumb drive, Selah runs Scalpel to carve data from the image she created. After running Scalpel, she sees the following in the audit.log file created by the program. What should Selah do next?
    Snapshot of the forensic analysis of a wiped thumb drive.
    1. Run a data recovery program on the drive to retrieve the files.
    2. Run Scalpel in filename recovery mode to retrieve the actual filenames and directory structures of the files.
    3. Review the contents of the scalpelout folder.
    4. Use the identified filenames to process the file using a full forensic suite.
  15. As part of a government acquisitions program for the U.S. Department of Defense (DoD), Sean is required to ensure that the chips and other hardware-level components used in the switches, routers, and servers that he purchases do not include malware or other potential attack vectors. What type of supplier should Sean seek out?
    1. A TPM
    2. An OEM provider
    3. A trusted foundry
    4. A gray-market provider
  16. One of the servers that Adam is responsible for recently ran out of disk space. Despite system-level alarms, the problem was not detected, resulting in an outage when the server crashed. How would this issue be categorized if the NIST threat categorization method were used as part of an after-action review?
    1. Environmental
    2. Adversarial
    3. Accidental
    4. Structural
  17. Pranab would like guidance on grouping information into varying levels of sensitivity. He plans to use these groupings to assist with decisions around the security controls that the organization will apply to storage devices containing that information. Which one of the following policies is most likely to contain relevant information for Pranab's decision-making process?
    1. Data retention policy
    2. Data classification policy
    3. Data encryption policy
    4. Data disposal policy
  18. Erin is attempting to collect network configuration information from a Windows system on her network. She is familiar with the Linux operating system and would use the ifconfig command to obtain the desired information on a Linux system. What equivalent command should she use in Windows?
    1. ipconfig
    2. netstat
    3. ifconfig
    4. netcfg
  19. Lonnie ran a vulnerability scan of a server that he recently detected in his organization that is not listed in the organization's configuration management database. One of the vulnerabilities detected is shown here. What type of service is most likely running on this server?
    Snapshot of a type of service which is used to run a vulnerability scan of a server.

    1. Database
    2. Web
    3. Time
    4. Network management
  20. Jorge would like to use a standardized system for evaluating the severity of security vulnerabilities. What SCAP component offers this capability?
    1. CPE
    2. CVE
    3. CVSS
    4. CCE
  21. When performing threat-hunting activities, what are cybersecurity analysts most directly seeking?
    1. Vulnerabilities
    2. Indicators of compromise
    3. Misconfigurations
    4. Unpatched systems
  22. Taylor is preparing to run vulnerability scans of a web application server that his organization recently deployed for public access. He would like to understand what information is available to a potential external attacker about the system as well as what damage an attacker might be able to cause on the system. Which one of the following scan types would be least likely to provide this type of information?
    1. Internal network vulnerability scan
    2. Port scan
    3. Web application vulnerability scan
    4. External network vulnerability scan
  23. While analyzing a packet capture in Wireshark, Chris finds the packet shown here. Which of the following is he unable to determine from this packet?
    Snapshot of the determination of a packet capture in Wireshark.
    1. That the username used was gnome
    2. That the protocol used was FTP
    3. That the password was gnome123
    4. That the remote system was 137.30.120.40
  24. Cynthia's review of her network traffic focuses on the graph shown here. What occurred in late June?
    Graph depicts the network traffic focuses that occurred in late June.

    1. Beaconing
    2. High network bandwidth consumption
    3. A denial-of-service attack
    4. A link failure
  25. Carlos arrived at the office this morning to find a subpoena on his desk requesting electronic records in his control. What type of procedure should he consult to determine appropriate next steps, including the people he should consult and the technical process he should follow?
    1. Evidence production procedure
    2. Monitoring procedure
    3. Data classification procedure
    4. Patching procedure
  26. Pranab is attempting to determine what services a Windows system is running and decides to use the netstat -at command to list TCP ports. He receives the output shown here. The system is most likely running which services?
    Snapshot of the output obtained by attempting to determine what services a windows system is running.
    1. A plain-text web server, Microsoft file sharing, and a secure web server
    2. SSH, email, and a plain-text web server
    3. An email server, a plain-text web server, and Microsoft-DS
    4. A plain-text web server, Microsoft RPC, and Microsoft-DS
  27. Paul is researching models for implementing an IT help desk and would like to draw upon best practices in the industry. Which one of the following standard frameworks would provide Paul with the best guidance?
    1. ISO
    2. ITIL
    3. COBIT
    4. PCI DSS
  28. Which stage of the incident response process includes activities such as adding IPS signatures to detect new attacks?
    1. Detection and analysis
    2. Containment, eradication, and recovery
    3. Postincident activity
    4. Preparation
  29. Gloria is configuring vulnerability scans for a new web server in her organization. The server is located on the DMZ network, as shown here. What type of scans should Gloria configure for best results?
    Schematic illustration of configuring the vulnerability scan for a new web server in an organization.
    1. Gloria should not scan servers located in the DMZ.
    2. Gloria should perform only internal scans of the server.
    3. Gloria should perform only external scans of the server.
    4. Gloria should perform both internal and external scans of the server.
  30. Pranab is preparing to reuse media that contained data that his organization classifies as having “moderate” value. If he wants to follow NIST SP 800-88's guidelines, what should he do to the media if the media will not leave his organization's control?
    1. Reformat it
    2. Clear it
    3. Purge it
    4. Destroy it
  31. Susan is building an incident response program and intends to implement NIST's recommended actions to improve the effectiveness of incident analysis. Which of the following items is not a NIST-recommended incident analysis improvement?
    1. Perform behavioral baselining.
    2. Create and implement a logging policy.
    3. Set system BIOS clocks regularly.
    4. Maintain an organizationwide system configuration database.
  32. Jim's nmap port scan of a system showed the following list of ports: 
    PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
3389/tcp open  ms-wbt-server

    What operating system is the remote system most likely running?

    1. Windows
    2. Linux
    3. An embedded OS
    4. macOS
  33. The Snort IPS that Adam has configured includes a rule that reads as follows: 
    alert tcp $EXTERNAL_NET any -> 10.0.10.0/24 80
(msg:"Alert!";
content:"http|3a|//www.example.com/download.php"; nocase;
offset:12; classtype: web-application-activity;sid:5555555; rev:1;)

    What type of detection method is Adam using?

    1. Anomaly-based
    2. Trend-based
    3. Availability-based
    4. Behavioral-based
  34. Peter works for an organization that is joining a consortium of similar organizations that use a federated identity management system. He is configuring his identity management system to participate in the federation. Specifically, he wants to ensure that users at his organization will be able to use their credentials to access federated services. What role is Peter configuring?
    1. Relying party
    2. Service provider
    3. Identity provider
    4. Consumer
  35. Helen is seeking to protect her organization against attacks that involve the theft of user credentials. Which one of the following threats poses the greatest risk of credential theft in most organizations?
    1. DNS poisoning
    2. Phishing
    3. Telephone-based social engineering
    4. Shoulder surfing
  36. As part of her duties as an SOC analyst, Emily is tasked with monitoring intrusion detection sensors that cover her employer's corporate headquarters network. During her shift, Emily's IDS reports that a network scan has occurred from a system with IP address 10.0.11.19 on the organization's unauthenticated guest wireless network aimed at systems on an external network. What should Emily's first step be?
    1. Report the event to the impacted third parties.
    2. Report the event to law enforcement.
    3. Check the system's MAC address against known assets.
    4. Check authentication logs to identify the logged-in user.
  37. Which of the following commands is not useful for validating user permissions on a Linux system?
    1. more /etc/sudoers
    2. groups
    3. stat
    4. strings
  38. Tommy's company recently implemented a new policy that restricts root access to its cloud computing service provider master account. This policy requires that a team member from the operations group retrieve a password from a password vault to log in to the account. The account then uses two-factor authentication that requires that a team member from the security group approve the login. What type of control is the company using?
    1. Separation of duties
    2. Privileged account monitoring
    3. Dual control
    4. Least privilege
  39. Sai works in an environment that is subject to the Payment Card Industry Data Security Standard (PCI DSS). He realizes that technical constraints prevent the organization from meeting a specific PCI DSS requirement and wants to implement a compensating control. Which one of the following statements is not true about proper compensating controls?
    1. The control must include a clear audit mechanism.
    2. The control must meet the intent and rigor of the original requirement.
    3. The control must provide a similar level of defense as the original requirement provides.
    4. The control must be above and beyond other requirements.
  40. Lou recently scanned a web server in his environment and received the vulnerability report shown here. What action can Lou take to address this vulnerability?
    Snapshot of the vulnerability report obtained from scanning a web server in an environment.
    1. Configure TLS
    2. Replace the certificate
    3. Unblock port 443
    4. Block port 80
  41. Mike's company recently suffered a security incident when they lost control of thousands of personal customer records. Many of these records were from projects that ended long ago and served no business purpose. What type of policy, if followed, would have best limited the impact of this incident?
    1. Data ownership policy
    2. Account management policy
    3. Acceptable use policy
    4. Data retention policy
  42. Which of the following factors is not typically considered when determining whether evidence should be retained?
    1. Media life span
    2. Likelihood of civil litigation
    3. Organizational retention policies
    4. Likelihood of criminal prosecution
  43. Match each of the following with the appropriate element of the CIA Triad:
    1. A hard drive failure resulting in a service outage
    2. A termination letter that is left on a printer and read by others in the department
    3. Modification of an email's content by a third party
    1. 1. Integrity, 2. Confidentiality, 3. Confidentiality
    2. 1. Integrity, 2. Confidentiality, 3. Availability
    3. 1. Availability, 2. Availability, 3. Confidentiality
    4. 1. Availability, 2. Confidentiality, 3. Integrity
  44. Niesha discovered the vulnerability shown here on a server running in her organization. What would be the best way for Niesha to resolve this issue?
    Snapshot of resolving the given issues discovered from the vulnerability.

    1. Disable the use of AES-GCM.
    2. Upgrade OpenSSH.
    3. Upgrade the operating system.
    4. Update antivirus signatures.
  45. As part of her postincident recovery process, Alicia creates a separate virtual network as shown here to contain compromised systems she needs to investigate. What containment technique is she using?
    Schematic illustration of the containment technique used for pos- incident recovery process.
    1. Segmentation
    2. Isolation
    3. Removal
    4. Reverse engineering
  46. Jennifer is reviewing her network monitoring configurations and sees the following chart for a system she runs remotely in Amazon's Web Services (AWS) environment more than 400 miles away. What can she use this data for?
    Bar chart depicts Amazon's Web services obtained from reviewing network monitoring configuration.
    1. Incident response; she needs to determine the issue causing the spikes in response time.
    2. The high packet loss must be investigated, since it may indicate a denial-of-service attack.
    3. She can use this data to determine a reasonable response time baseline.
    4. The high response time must be investigated, since it may indicate a denial-of-service attack.
  47. The Windows system that Abdul is conducting live forensics on shows a partition map, as shown here. If Abdul believes that a hidden partition was deleted resulting in the unallocated space, which of the following tools is best suited to identifying the data found in the unallocated space?
    Snapshot of a partition map to find the best-suited tools to identify the data found in the unlocated space.
    1. Scalpel
    2. DBAN
    3. parted
    4. dd
  48. During a postmortem forensic analysis of a Windows system that was shut down after its user saw strange behavior, Pranab concludes that the system he is reviewing was likely infected with a memory-resident malware package. What is his best means of finding the malware?
    1. Search for a core dump or hiberfil.sys to analyze.
    2. Review the INDX files and Windows registry for signs of infection.
    3. Boot the system and then use a tool like the Volatility Framework to capture live memory.
    4. Check volume shadow copies for historic information prior to the reboot.
  49. Juliette's organization recently suffered a cross-site scripting attack, and she plans to implement input validation to protect against the recurrence of such attacks in the future. Which one of the following HTML tags should be most carefully scrutinized when it appears in user input?
    1. <SCRIPT>
    2. <XSS>
    3. <B>
    4. <EM>
  50. Jessie needs to prevent port scans like the scan shown here. Which of the following is a valid method for preventing port scans?
    Snapshot of the list of ports which is used to prevent the port scans.
    1. Not registering systems in DNS
    2. Using a firewall to restrict traffic to only ports required for business purposes
    3. Using a heuristic detection rule on an IPS
    4. Implementing port security
  51. The IT services company that Pranab works for uses the NIST functional impact categories to describe the impact of incidents. During a recent construction project, a contractor plugged a network device in twice to the same switch, resulting in a network loop and taking down the organization's network for a third of their users. How should Pranab classify this event?
    1. Urgent
    2. Medium
    3. Important
    4. High
  52. What information can be gathered by observing the distinct default values of the following TCP/IP fields during reconnaissance activities: initial packet size, initial TTL, window size, maximum segment size, and flags?
    1. The target system's TCP version
    2. The target system's operating system
    3. The target system's MAC address
    4. These fields are only useful for packet analysis
  53. Brooke would like to find a technology platform that automates workflows across a variety of security tools, including the automated response to security incidents. What category of tool best meets this need?
    1. SIEM
    2. NIPS
    3. SOAR
    4. DLP
  54. Miray needs to identify the device or storage type that has the lowest order of volatility. Which of the following is the least volatile?
    1. Network traffic
    2. A solid-state drive
    3. A spinning hard drive
    4. A DVD-ROM
  55. Henry recently completed a vulnerability scan of his organization's datacenter and received the vulnerability report shown here from a server running in the data center. This server is running on a virtualization platform running on a bare-metal hypervisor. Where must Henry correct this issue?
    Snapshot of the vulnerability report running in the data center using a bare-metal hypervisor.
    1. Guest operating system
    2. Hypervisor
    3. Application
    4. Host operating system
  56. Luis is an IT consultant brought in to assess the maturity of risk management practices at a firm using the NIST Cybersecurity Framework. During his evaluation, he determines that the organization does use an organizationwide approach to managing cybersecurity risk but that it does not use risk-informed policies, processes, and procedures to address potential cybersecurity events. At what tier of the Cybersecurity Framework does this organization's risk management program reside?
    1. Tier 1: Partial
    2. Tier 2: Risk Informed
    3. Tier 3: Repeatable
    4. Tier 4: Adaptive
  57. After receiving complaints about a system on her network not performing correctly, Anastasia decides to investigate the issue by capturing traffic with Wireshark. The captured traffic is shown here. What type of issue is Anastasia most likely seeing?
    Snapshot of a type of issue related to capture traffic received from a system to investigate the issue with Wireshark.
    1. A link failure
    2. A failed three-way handshake
    3. A DDoS
    4. A SYN flood
  58. During a log review, Lisa sees repeated firewall entries, as shown here: 
    Sep 16 2019 23:01:37: %ASA-4-106023: Deny tcp src
outside:10.10.0.100/53534 dst 
inside:192.168.1.128/1521 by 
access-group "OUTSIDE" [0x5063b82f, 0x0]
Sep 16 2019 23:01:38: %ASA-4-106023: Deny tcp src
outside:10.10.0.100/53534 dst 
inside:192.168.1.128/1521 by 
access-group "OUTSIDE" [0x5063b82f, 0x0]
Sep 16 2019 23:01:39: %ASA-4-106023: Deny tcp src
outside:10.10.0.100/53534 dst 
inside:192.168.1.128/1521 by 
access-group "OUTSIDE" [0x5063b82f, 0x0]
Sep 16 2019 23:01:40: %ASA-4-106023: Deny tcp src
outside:10.10.0.100/53534 dst 
inside:192.168.1.128/1521 by 
access-group "OUTSIDE" [0x5063b82f, 0x0]

    What service is the remote system most likely attempting to access?

    1. H.323
    2. SNMP
    3. MS-SQL
    4. Oracle
  59. After finishing a forensic case, Lucas needs to wipe the media that he is using to prepare it for the next case. Which of the following methods is best suited to preparing the SSD that he will use?
    1. Degauss the drive.
    2. Zero-write the drive.
    3. Use a PRNG.
    4. Use the ATA Secure Erase command.
  60. Luis is creating a vulnerability management program for his company. He only has the resources to conduct daily scans of approximately 10 percent of his systems, and the rest will be scheduled for weekly scans. He would like to ensure that the systems containing the most sensitive information receive scans on a more frequent basis. What criterion is Luis using?
    1. Data privacy
    2. Data remanence
    3. Data retention
    4. Data classification
  61. While investigating a cybersecurity incident, Bob discovers the file shown here stored on a system on his network. Which one of the following tools most likely generated this file?
    Snapshot of finding a type of tool used to investigate a cybersecurity incident.
    1. Cain & Abel
    2. Metasploit
    3. ftk
    4. John the Ripper
  62. During a security exercise, which team engages in offensive operations designed to compromise security controls?
    1. Black team
    2. Red team
    3. Blue team
    4. White team
  63. Peter is designing a vulnerability scanning program for the large chain of retail stores where he works. The store operates point-of-sale terminals in its retail stores as well as an e-commerce website. Which one of the following statements about PCI DSS compliance is not true?
    1. Peter's company must hire an approved scanning vendor to perform vulnerability scans.
    2. The scanning program must include, at a minimum, weekly scans of the internal network.
    3. The point-of-sale terminals and website both require vulnerability scans.
    4. Peter may perform some required vulnerability scans on his own.
  64. Rachel discovered the vulnerability shown here when scanning a web server in her organization. Which one of the following approaches would best resolve this issue?
    Snapshot of finding the best approach to resolve the issues discovered from scanning a web server.
    1. Patching the server
    2. Performing input validation
    3. Adjusting firewall rules
    4. Rewriting the application code
  65. Charlene's incident response team is fighting a rapidly spreading zero-day malware package that silently installs via Adobe Flash a vulnerability when an email attachment is viewed via webmail. After identifying a compromised system, she determines that the system is beaconing to a group of fast flux DNS entries. Which of the following techniques is best suited to identifying other infected hosts?
    1. Update antivirus software and scan using the latest definitions.
    2. Monitor for the IP addresses associated with the command-and-control systems.
    3. Log DNS queries to identify compromised systems.
    4. Check email logs for potential recipients of the message.
  66. What nmap feature is enabled with the -O flag?
    1. OS detection
    2. Online/offline detection
    3. Origami attack detection
    4. Origination port validation
  67. Mika uses a security token like the unit shown here and a password to authenticate to her PayPal account. What two types of factors is she using?
    Photo depicts a device showing the security token for a PayPal account.
    1. Something she knows and something she has
    2. Something she knows and something she is
    3. Something she is and something she has
    4. Mika is only using one type of factor because she knows the token code and her password
  68. Jose is working with his manager to implement a vulnerability management program for his company. His manager tells him that he should focus on remediating critical and high-severity risks to externally accessible systems. He also tells Jose that the organization does not want to address risks on systems without any external exposure or risks rated medium or lower. Jose disagrees with this approach and believes that he should also address critical and high-severity risks on internal systems. How should he handle the situation?
    1. Jose should recognize that his manager has made a decision based upon the organization's risk appetite and should accept it and carry out his manager's request.
    2. Jose should discuss his opinion with his manager and request that the remediation criteria be changed.
    3. Jose should ask his manager's supervisor for a meeting to discuss his concerns about the manager's approach.
    4. Jose should carry out the remediation program in the manner that he feels is appropriate because it will address all of the risks identified by the manager as well as additional risks.
  69. Susan needs to test thousands of submitted binaries. She needs to ensure that the applications do not contain malicious code. What technique is best suited to this need?
    1. Sandboxing
    2. Implementing a honeypot
    3. Decompiling and analyzing the application code
    4. Fagan testing
  70. When conducting a quantitative risk assessment, what term describes the total amount of damage expected to occur as a result of one incident?
    1. EF
    2. SLE
    3. AV
    4. ALE
  71. Chris is implementing cryptographic controls to protect his organization and would like to use defense-in-depth controls to protect sensitive information stored and transmitted by a web server. Which one of the following controls would be least suitable to directly provide this protection?
    1. TLS
    2. VPN
    3. DLP
    4. FDE
  72. Alex needs to deploy a solution that will limit access to his network to only authorized individuals while also ensuring that the systems that connect to the network meet his organization's patching, antivirus, and configuration requirements. Which of the following technologies will best meet these requirements?
    1. Whitelisting
    2. Port security
    3. NAC
    4. EAP
  73. Chris has been tasked with removing data from systems and devices that leave his organization. One of the devices is a large multifunction device that combines copying, fax, and printing capabilities. It has a built-in hard drive to store print jobs and was used in an office that handles highly sensitive business information. If the multifunction device is leased, what is his best option for handling the drive?
    1. Destroy the drive.
    2. Reformat the drive using the MFD's built-in formatting program.
    3. Remove the drive and format it using a separate PC.
    4. Remove the drive and purge it.
  74. Rhonda recently configured new vulnerability scans for her organization's datacenter. Completing the scans according to current specifications requires that they run all day, every day. After the first day of scanning, Rhonda received complaints from administrators of network congestion during peak business hours. How should Rhonda handle this situation?
    1. Adjust the scanning frequency to avoid scanning during peak times.
    2. Request that network administrators increase available bandwidth to accommodate scanning.
    3. Inform the administrators of the importance of scanning and ask them to adjust the business requirements.
    4. Ignore the request because it does not meet security objectives.
  75. After restoring a system from 30-day-old backups after a compromise, administrators at Piper's company return the system to service. Shortly after that, Piper detects similar signs of compromise again. Why is restoring a system from a backup problematic in many cases?
    1. Backups cannot be tested for security issues.
    2. Restoring from backup may reintroduce the original vulnerability.
    3. Backups are performed with the firewall off and are insecure after restoration.
    4. Backups cannot be properly secured.
  76. Captured network traffic from a compromised system shows it reaching out to a series of five remote IP addresses that change on a regular basis. Since the system is believed to be compromised, the system's Internet access is blocked, and the system is isolated to a quarantine VLAN.

    When forensic investigators review the system, no evidence of malware is found. Which of the following scenarios is most likely?

    1. The system was not infected, and the detection was a false positive.
    2. The beaconing behavior was part of a web bug.
    3. The beaconing behavior was due to a misconfigured application.
    4. The malware removed itself after losing network connectivity.
  77. Which one of the following ISO standards provides guidance on the development and implementation of information security management systems?
    1. ISO 27001
    2. ISO 9000
    3. ISO 11120
    4. ISO 23270
  78. Mika's forensic examination of a compromised Linux system is focused on determining what level of access attackers may have achieved using a compromised www account. Which of the following is not useful if she wants to check for elevated privileges associated with the www user?
    1. /etc/passwd
    2. /etc/shadow
    3. /etc/sudoers
    4. /etc/group
  79. Tracy is validating the web application security controls used by her organization. She wants to ensure that the organization is prepared to conduct forensic investigations of future security incidents. Which one of the following OWASP control categories is most likely to contribute to this effort?
    1. Implement logging
    2. Validate all inputs
    3. Parameterize queries
    4. Error and exception handling
  80. Jamal is using agent-based scanning to assess the security of his environment. Every time that Jamal runs a vulnerability scan against a particular system, it causes the system to hang. He spoke with the system administrator, who provided him with a report showing that the system is current with patches and has a properly configured firewall that allows access only from a small set of trusted internal servers. Jamal and the server administrator both consulted the vendor, and they are unable to determine the cause of the crashes and suspect that it may be a side effect of the agent. What would be Jamal's most appropriate course of action?
    1. Approve an exception for this server.
    2. Continue scanning the server each day.
    3. Require that the issue be corrected in 14 days and then resume scanning.
    4. Decommission the server.
  81. Brent's organization runs a web application that recently fell victim to a man-in-the-middle attack. Which one of the following controls serves as the best defense against this type of attack?
    1. HTTPS
    2. Input validation
    3. Patching
    4. Firewall
  82. During an nmap port scan using the -sV flag to determine service versions, Ling discovers that the version of SSH on the Linux system she is scanning is not up-to-date. When she asks the system administrators, they inform her that the system is fully patched and that the SSH version is current. What issue is Ling most likely experiencing?
    1. The system administrators are incorrect.
    2. The nmap version identification is using the banner to determine the service version.
    3. nmap does not provide service version information, so Ling cannot determine version levels in this way.
    4. The systems have not been rebooted since they were patched.
  83. Tyler scans his organization's mail server for vulnerabilities and finds the result shown here. What should be his next step?
    Snapshot of the result obtained from scanning the organization's mail server.
    1. Shut down the server immediately.
    2. Initiate the change management process.
    3. Apply the patch.
    4. Rerun the scan.
  84. Carla is performing a penetration test of a web application and would like to use a software package that allows her to modify requests being sent from her system to a remote web server. Which one of the following tools would not meet Carla's needs?
    1. Nessus
    2. Burp
    3. ZAP
    4. Tamper Data
  85. Alex learns that a recent Microsoft patch covers a zero-day exploit in Microsoft Office that occurs because of incorrect memory handling. The flaw is described as potentially resulting in memory corruption and arbitrary code execution in the context of the current privilege level. Exploitation of the flaws can occur if victims open a specifically crafted Office document in a vulnerable version of Microsoft Office.

    If Alex finds out that approximately 15 of the workstations in his organization have been compromised by this malware, including one workstation belonging to a domain administrator, what phase of the incident response process should he enter next?

    1. Preparation
    2. Detection and analysis
    3. Containment, eradication, and recovery
    4. Postincident activity
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.220.125.100