Appendix: Answers to Review Questions

Answers to Chapter 1: Domain 1.0: Threat and Vulnerability Management

  1. B. Open source intelligence is freely available information that does not require a subscription fee. Closed source and proprietary intelligence are synonyms and do involve payments to the providers. Vulnerability feeds may be considered threat intelligence, but they normally come with subscription fees.
  2. A. Although it may seem strange, a DNS brute-force attack that queries a list of IPs, common subdomains, or other lists of targets will often bypass intrusion detection and prevention systems that do not pay particular attention to DNS queries. Cynthia may even be able to find a DNS server that is not protected by the organization's IPS! nmap scans are commonly used during reconnaissance, and Cynthia can expect them to be detected since they are harder to conceal. Cynthia shouldn't expect to be able to perform a zone transfer, and if she can, a well-configured IPS should immediately flag the event.
  3. D. An intelligence source that results in false positive errors is lacking in accuracy because it is providing incorrect results to the organization. Those results may still be timely and relevant, but they are not correct. Expense is not one of the three intelligence criteria.
  4. A. Structured Threat Information eXpression (STIX) is a standardized language for describing cyber threat information, originally sponsored by the U.S. Department of Homeland Security. STIX 1.x was expressed in XML; STIX 2.0, the current version when this question was written, is serialized as JSON and defines 12 STIX domain objects, including attack patterns, identities, malware, threat actors, and tools. TAXII is the companion transport designed to exchange STIX data between security components over HTTPS. OpenIOC is an XML framework for the exchange of indicators of compromise (IOCs). XML itself is only a markup language: it does not describe security information until it is used as a vehicle for a schema such as STIX 1.x or OpenIOC.
  5. C. MySQL uses port 3306 as its default port. Oracle uses 1521, Postgres uses 5432, and Microsoft SQL uses 1433/1434.
  6. B. It is possible for any of these threat actors to be affiliated with an APT, but the highest likelihood is that a sophisticated APT threat would be associated with a nation-state, rather than a less-resourced alternative.
  7. A. Cynthia's first action should be to determine whether there is a legitimate reason for the workstation to have the listed ports open.
  8. D. The organization determines what type of information it needs to collect during the requirements phase of the intelligence cycle. This type of information could also be gathered during the feedback phase, but this question states that the program is new, so Charles would not yet have collected feedback.
  9. A. The sharing of intelligence information with customers takes place during the dissemination phase of the intelligence cycle.
  10. B. The Department of Homeland Security collaborates with industry through information sharing and analysis centers (ISACs). These ISACs cover industries such as healthcare, financial, aviation, government, and critical infrastructure.
  11. C. All of the threats described here are serious threats that exist in modern enterprises. However, the most pervasive threat is commodity malware, which threatens essentially every computing environment on an almost constant basis.
  12. C. This source provides information about IP addresses based on past behavior. This makes it a reputational source. A behavioral source would look at information about current behavior. This is a product offered by Cisco and is proprietary, not open source. It does not provide indicators that would help you determine whether your system had been compromised.
  13. D. This analysis used the Diamond Model of Intrusion Analysis, which describes an event in which an adversary deploys a capability over some infrastructure against a victim. The Diamond Model draws its name from the shape of the diagram created during the analysis.
  14. D. This is an example of function-as-a-service (FaaS) computing. A service like Lambda could also be described as platform-as-a-service (PaaS), because FaaS is a subset of PaaS. However, the term FaaS is the one that best describes this service.
  15. C. Detection systems placed in otherwise unused network space will detect scans that blindly traverse IP ranges. Since no public services are listed, attackers who scan this range can be presumed to be hostile and are often immediately blocked by security devices that protect production systems.
  16. D. Nara can reduce the number of services in her environment that are exposed to a brute-force attack. This is a means of reducing the total attack surface. She can't alter characteristics of her adversary, such as the adversary's capability, choice of attack vectors, or likelihood of launching an attack.
  17. C. This flow sample shows four distinct hosts being accessed from 192.168.2.1. They are 10.2.3.1, 10.6.2.4, 10.6.2.5, and 10.8.2.5.
  18. A. Threat intelligence information is not commonly shared with legal counsel on a routine basis. CompTIA's CySA+ objectives list the following common recipients: incident response, vulnerability management, risk management, security engineering, and detection and monitoring.
  19. D. Community clouds are cloud computing environments available only to members of a collaborative community, such as a set of universities. Public clouds are available to any customers who wish to use them. Private clouds are for the use of the organization building the cloud only. Hybrid clouds mix elements of public and private clouds in an enterprise computing strategy.
  20. D. netstat is found on Windows, Linux, and macOS systems and shows the host's listening ports and the remote systems it currently has, or recently had, connections to. Chris can search that output for common web and database server service ports to help identify the local targets he is looking for. (On current Linux distributions, ss provides the same information.)
  21. B. CloudFormation allows engineers to write templates (code) that create infrastructure. This is an example of infrastructure as code (IaC).
  22. C. By default, nmap uses a TCP SYN scan. If the user does not have proper socket privileges (such as root on a Linux system), it will use a TCP connect scan.
  23. D. Netcat, telnet, and wget can all be used to conduct Isaac's banner-grabbing exercise. FTP will not connect properly to get the banner he wants to see.
  24. A. Limiting the information available about an organization by requiring authentication will strongly limit the ability of potential attackers to gather information. Secure domain registration may conceal the registration contact's information but does not provide any real additional protection. Limiting technologies listed in a job posting can help limit what attackers may find out, but most organizations would prefer to better match candidates. Finally, purging all metadata can help protect information about internal systems and devices but is difficult to enforce, and document metadata is not a primary source of information about most organizations.
  25. B. Since Cassandra is scanning a wireless network and the system is using an IP address that is commonly used for commodity wireless routers, her best guess should be that this is a wireless router that can be accessed via SSH and that is providing a web management interface and print services. The OS fingerprinting that nmap provides is not always reliable, and the VirtualBox match is a false positive in this case. The actual host scanned is an Asus router running open source firmware and additional software.
  26. D. Depending on the level of access associated with the key, this error could give anyone discovering the key total control of an organization's AWS account, resulting in a complete loss of confidentiality, integrity, and availability.
  27. B. The command nbtstat -c shows the contents of the NetBIOS name cache and shows a list of name-to-IP address mappings.
  28. C. The Wayback Machine and similar sites capture periodic snapshots of websites from across the Internet, allowing penetration testers and others performing reconnaissance activities to gather information from historic versions of their target sites. This also means that long-term data breaches may be archived in sites like these in addition to search engine caches.
  29. D. nmap provides Common Platform Enumeration data when the -O (OS fingerprinting) and verbose flags are used. If Kristen had seen the -sV flag instead, she would have expected service version information.
  30. B. Banner grabbing is an active process and requires a connection to a remote host to grab the banner. The other methods are all passive and use third-party information that does not require a direct lookup against a remote host.
  31. D. While the hostnames cluster1 and cluster1a indicate that there may be a cluster of mail servers, this query does not prove that. Instead, Charlene knows that there are two MX entries for her target. She will also notice that mail hosting is handled by MessageLabs, a software-as-a-service provider for email and other managed services, indicating that the public email presence for her target is handled by a specialized company. MXToolbox allows deeper queries about blacklists and SMTP tests, but this image only shows the links to them and does not provide details.
  32. B. nmap supports the use of both HTTP and SOCKS4 proxies, allowing Alex to configure the remote host as an HTTP proxy and bounce his scans through it. This can allow nmap users to leverage their scanning tools without installing them on a protected host or network.
  33. D. This chart shows typical latency for a remote system and minimal or at times zero packet loss. This chart shows normal operations, and Lukas can safely report no visible issues.
  34. B. By default Apache does not run as an administrative user. In fact, it typically runs as a limited user. To take further useful action, Frank should look for a privilege escalation path that will allow him to gain further access.
  35. C. Maddox's actions could identify improperly secured storage buckets that require remediation. While the other vulnerabilities could exist in Maddox's cloud environment, they are not likely to be discovered during a permissions inventory.
  36. C. Alex knows that systems that are exposed to the Internet like DMZ systems are constantly being scanned. She should rate the likelihood of the scan occurring as high. In fact, there is a good chance that a scan will be occurring while she is typing up her report!
  37. A. This type of XSS vulnerability, where the attack is stored on a server and served to later users, is a persistent (stored) vulnerability. The scenario does not tell us that the code is immediately reflected back to the user submitting it, so there is no indication of a reflected attack. The payload is stored on the server rather than executing purely from client-side DOM manipulation in the browser, so it is not a DOM-based attack. "Blind XSS" is not a separate vulnerability class; the term describes a stored XSS payload that fires in a context the attacker cannot observe directly, such as an administrative console, so it is a variant of the persistent case rather than a distinct answer.
  38. B. Hping is a tool that allows the user to handcraft packets for use in attacks and penetration tests. Arachni is a web application security testing tool. Responder is a tool that receives and responds to network requests. Hashcat is a password recovery utility.
  39. C. Field-programmable gate arrays (FPGAs) are hardware that may be dynamically reprogrammed by the end user. System on a chip (SoC) designs do not provide that reprogramming capability. Real-time operating systems (RTOSs) are software, not hardware. MODBUS is a standard for communication on SCADA networks.
  40. D. The malloc() function allocates memory from the heap, not the stack, and therefore this is a heap overflow attack. We do not have enough information to determine the type of information stored in this area of memory, so we cannot determine whether it is an integer overflow. The vulnerability may also be described as a buffer overflow, but this term is more generic and less descriptive, so it is not the best answer.
  41. B. Maria's team should use full-disk encryption or volume encryption and should secure the encryption keys properly. This will ensure that any data that remains cannot be exposed to future users of the virtual infrastructure. Although many cloud providers have implemented technology to ensure that this won't happen, Maria can avoid any potential issues by ensuring that she has taken proactive action to prevent data exposure. Using a zero-wipe is often impossible because virtual environments may move without her team's intervention, data masking will not prevent unmasked data or temporary data stored on the virtual disks from being exposed, and spanning multiple virtual disks will still leave data accessible, albeit possibly in fragmented form.
  42. C. When endpoints are connected without a network control point between them, a host-based solution is required. In this case, Lucca's specific requirement is to prevent attacks, rather than simply detect them, meaning that a HIPS is required to meet his needs. Many modern products combine HIPS capabilities with other features such as data loss prevention and system compliance profiling, so Lucca may end up with additional useful capabilities if he selects a product with those features.
  43. B. In a password spraying attack, the attacker tries a set of common passwords using many different accounts. The activity Geoff sees is consistent with this type of attack. Credential stuffing attacks seek to use username/password lists stolen from another site to log on to a different site. This would result in only one login attempt per username. Brute-force attacks would result in thousands or millions of attempts per username. Rainbow table attacks take place offline and would not be reflected in the logs.
  44. B. Most SaaS providers do not want their customers conducting port scans of their service, and many are glad to provide security assertions and attestations including audits, testing information, or contractual language that addresses potential security issues. Using a different scanning tool, engaging a third-party tester, or even using a VPN are not typically valid answers in a scenario like this.
  45. A. Device manufacturer identification relies on the MAC address that includes a vendor prefix. Since MAC addresses can be changed in software, this is not guaranteed to be accurate, but in most cases, you can reasonably expect it to match the manufacturer of the NIC. The complete list of prefixes can be found at standards-oui.ieee.org/oui/oui.txt.
  46. A. The greatest risk in the event of a DoS attack is that the logs are stored in the same cloud environment that is under attack. Cybersecurity professionals may not be able to access those logs to investigate the incident.
  47. C. SQL injection and XML injection attacks commonly take place against applications using those languages. Cross-site scripting (XSS) attacks are a common example of an injection attack against HTML documents. STIX is a language used to define security threat information and is not a common target of injection attacks.
  48. A. Rootkits are designed to obtain and conceal persistent privileged access, which is why they are the tool most closely associated with privilege escalation: they turn a normal user's foothold into administrative (root) control and hide that change from the system's own tools.
  49. B. This is a classic example of a time-of-check/time-of-use (TOC/TOU) attack, which exploits a race condition in application code.
  50. A. The strcpy() function in C copies until it finds a terminating null byte with no regard for the size of the destination, which is why it is notorious for buffer overflow vulnerabilities and must be used very carefully. Bounded alternatives such as strlcpy() or snprintf() with an explicit destination size are the usual replacements; note that strncpy() does not guarantee null termination of the result.
  51. A. Of the tools listed, ScoutSuite is the only multicloud testing tool as the question is framed. Pacu is AWS-specific, and Prowler and CloudSploit were AWS-only tools when this question was written; both have since added support for other providers, so check a tool's current documentation before relying on this distinction.
  52. C. The CAN bus is a standard for communication among components of a vehicle and is not likely to be found in any other environment.
  53. C. Reaver attempts to exploit a vulnerability in the Wi-Fi Protected Setup (WPS) protocol.
  54. B. Azra's suspicious user appears to be attempting to crack LANMAN hashes using a custom word list. The key clues here are the john application, the LM hash type, and the location of the word list.
  55. C. nmap's Common Platform Enumeration is a standardized way to name applications, operating systems, and hardware. CPE output starts with cpe:/a for applications, /h for hardware, and /o for operating systems.
  56. D. Detecting port scans requires the ability to identify scanning behavior, and the applications that create syslog entries on most default Linux distributions are not set up for this. Lakshman should identify a tool like psad, an IDS package, or other tool that can track connections and scan behavior and report on it and then use syslog to send those messages to his log collector or SIEM.
  57. C. By purchasing a mitigation service, Greg is reducing the potential impact of a DDoS attack. This service can't reduce the likelihood that an attacker will launch an attack or the capability of that adversary. Greg did not change his own infrastructure, so he did not reduce the total attack surface.
  58. D. The service running from the www directory as the user apache should be an immediate indication of something strange, and the use of webmin from that directory should also be a strong indicator of something wrong. Lucas should focus on the web server for the point of entry to the system and should review any files that the Apache user has created or modified. If local vulnerabilities existed when this compromise occurred, the attacker may have already escalated to another account!
  59. D. Geoff's only sure bet to prevent these services from being accessed is to put a network firewall in front of them. Many appliances enable services by default; since they are appliances, they may not have host firewalls available to enable. They also often don't have patches available, and many appliances do not allow the services they provide to be disabled or modified.
  60. C. Using self-signed certificates for services that will be used by the general public or organizational users outside of a small testing group can be an issue because they will result in an error or warning in most browsers. The TLS encryption used for HTTPS will remain just as strong regardless of whether the certificate is provided by a certificate authority or self-signed, and a self-signed certificate cannot be revoked at all.
  61. A. Pretexting is a form of social engineering that relies on lies about the social engineer's motives. In this case, Fred is giving his targets reasons to believe he is legitimately a member of the organization's support team. OSINT refers to open source intelligence, which is data gathered from public sources. A tag-out sometimes refers to handing off to another member of a penetration test team, whereas profiling is conducted while gathering information about an individual, team, or organization before conducting a social engineering attack.
  62. D. The uses described for the workstation that Carrie is securing do not require inbound access to the system on any of these ports. Web browsing and Active Directory domain membership traffic can be handled by traffic initiated by the system.
  63. C. Whereas the first three ports are common to many of the devices listed, TCP 515 is the LPR/LPD port, 631 is the IPP port commonly used by many print servers, and TCP port 9100 is the RAW, or direct, IP port. Although this could be another type of device, it is most likely a network-connected printer.
  64. B. The system is showing normal ports for a Windows file server. It is most likely that Manish's escalation to management resulted in action by the server administrator.
  65. C. Using telnet to connect to remote services to validate their response is a useful technique for service validation. It doesn't always work, but it can allow you to interact with the service to gather information manually.
  66. B. nmap can combine operating system identification and time to live (TTL) to take a reasonable guess at the number of hops in the network path between the scanner and a remote system. The operating system guess will provide the base time to live, and the TTL counter will decrement at each hop. Given these two pieces of information, nmap takes an educated but often very accurate guess.
  67. B. Delivery occurs when the adversary either deploys their tool directly against targets or via release that relies on staff at the target interacting with it such as in an email payload, on a USB stick, or via websites that they visit.
  68. D. This scan shows Ramesh that he is likely on a network using some portion of the 10.0.0.0/8 private IP space. An initial scan of the 10.0.2.0/24 network to determine what is near him would be a good start. Since the Zenmap scan was run to a single external host, it will not show other hosts on the local network, so there may be more than two nodes on the network. Ramesh cannot make determinations about what the host at 96.120.24.121 is, beyond a device on the route between the local host and his remote scan destination.
  69. B. Marta's best option from this list is to query WHOIS, which (via the regional Internet registries) records the organization to which a network block is allocated. She might also choose to use a BGP looking glass, but most of the information she needs will be in WHOIS. If she simply scans the /24 the web server is in, she may end up scanning a third-party hosting provider or other systems that aren't owned by her organization. Contacting ICANN isn't necessary with access to WHOIS, and depending on what country Marta is in, ICANN may not hold the data she wants. Finally, traceroute will only show the path to the system she queries; she needs more data to perform a useful scan in most instances.
  70. C. Scans from location C will show fewer open ports because most datacenter firewalls are configured to only allow the ports for publicly accessible services through to other networks. Location C is on an internal network, so Marta will probably see more ports than if she tried to scan datacenter systems from location A, but it is likely that she will see far fewer ports than a port scan of the datacenter from inside the datacenter firewall will show.
  71. B. Marta will see the most important information about her organization at location B, which provides a view of datacenter servers behind the datacenter firewall. To get more information, she should request that the client network firewall ruleset include a rule allowing her scanner to scan through the firewall to all ports for all systems on all protocols.
  72. A. Since Andrea is attempting to stop external scans from gathering information about her network topology, the firewall is the best place to stop them. A well-designed ruleset can stop, or at least limit, the amount of network topology information that attackers can collect.
  73. C. Brandon should select RIPE, the regional Internet registry for Europe, the Middle East, and parts of Central Asia. AFRINIC serves Africa, APNIC serves the Asia/Pacific region, and LACNIC serves Latin America and the Caribbean.
  74. B. Testing for common sample and default files is a common tactic for vulnerability scanners. Janet can reasonably presume that her Apache web server was scanned using a vulnerability scanner.
  75. B. If Chris can perform a zone transfer, he can gather all of the organization's DNS information, including name servers, hostnames, MX and CNAME records, TTL values, the zone serial number, and other data. This is the easiest way to gather the most information about an organization via DNS if it is possible. Unfortunately for penetration testers (and attackers!), few organizations allow untrusted systems to perform zone transfers.
  76. C. Performing a WHOIS query is the only passive reconnaissance technique listed. Each of the other techniques performs an active reconnaissance task.
  77. A. Passive network mapping can be done by capturing network traffic using a sniffing tool like Wireshark. Active scanners including nmap, the Angry IP Scanner, and netcat (with the -z flag for port scanning) could all set off alarms as they scan systems on the network.
  78. B. AAAA records are IPv6 address records. This means that Ryan may also want to scan for hosts that are available via IPv6 gateways. The rest of the answers here are made up for this question.
  79. B. Zenmap topologies show a number of pieces of useful information. The icons next to DemoHost2 show the following information: a relative assessment of how many ports are open, with white showing “not scanned,” green showing less than three open ports, yellow showing three to six open ports, and red showing more than six open ports. Next, it shows a firewall is enabled, and finally the lock icon shows that some ports are filtered. In this scan, only DemoHost2 has been identified by nmap as currently running a firewall, which doesn't mean that other hosts are not actually running firewalls.
  80. B. This capture shows SQL injection attacks being attempted. We can determine this from the SQL keywords (e.g., UNION ALL) that appear in packets 2188 and 2196. Since this is the reconnaissance phase, the red team should not be actively attempting to exploit vulnerabilities and has violated the rules of engagement.
  81. A. TCP port 636 is the standard port for LDAP over TLS (LDAPS), and HTTPS typically uses TCP 443. Although other services could use these ports, Jennifer's best bet is to presume that they will be providing the services they are typically associated with.
  82. A. Kai's next step is to prepare to pivot. To do so, she needs to browse for additional systems and to identify the methods she will use to access them. At times, this will move her back into the discovery phase.
  83. A. The nmap -T option accepts a timing template between 0 (“paranoid”) and 5 (“insane”). When Scott sets his scan to use the insane template, nmap will scan as fast as it can, which will likely set off any IDS or IPS that is watching for scans.
  84. D. Microsoft SQL typically runs on TCP ports 1433 and 1434. Oracle's default is 1521, IRC is 6667, and VNC is 5900.
  85. B. Cloudflare, Akamai, and other content distribution networks use a network of distributed servers to serve information closer to requesters. In some cases, this may make parts of a vulnerability scan less useful, whereas others may remain valid. Here, Andrea simply knows that the content is hosted in a CDN and that she may not get all the information she wants from a scan.
  86. B. Large data flows leaving an organization's network may be a sign of data exfiltration by an advanced persistent threat. Using HTTPS to protect the data while making it look less suspicious is a common technique.
  87. A. Tracy knows that most wired networks do not use end-to-end encryption by default and that wireless networks are typically more easily accessible than a wired network that requires physical access to a network jack or a VPN connection from an authorized account. Without more detail, she cannot determine whether authentication is required for both networks, but NAC is a common security feature of wired networks, and WPA2 Enterprise requires authentication as well. Port security is used only for wired network connections.
  88. B. Most infrastructure as a service (IaaS) providers will allow their customers to perform security scans as long as they follow the rules and policies for such scans. Ian should review his vendor's security documentation and contact them for details if he has questions.
  89. B. Port 3389 is the service port for RDP. If Fred doesn't expect this port to be open on his point-of-sale terminals, he should immediately activate his incident response plan.
  90. D. Many system administrators have historically chosen 8080 and 8443 as the alternate service ports for plain-text and secure web services. Although these ports could be used for any service, it would be reasonable for Saanvi to guess that a pair of services with ports like these belongs to web servers.
  91. C. Using a UDP scan, as shown in option C with the -sU flag, will not properly identify printers since print service ports are TCP ports. The other commands will properly scan and identify many printers based on either their service ports (515, 631, 9100) or their OS version.
  92. B. TCP ports 1433 and 1434 are commonly associated with Microsoft SQL servers. A print server will likely use ports 515, 631, and 9100; a MySQL server will typically use 3306; and alternate ports for web servers vary, but 8443 is a common alternative port.
  93. B. This nmap scan will scan for SSH (22), SMTP (25), DNS (53), and LDAP (389) on their typical ports. If the services are running on an alternate port, this scan will completely miss those and any other services.
  94. C. Load balancers can alias multiple servers to the same hostname. This can be confusing when conducting scans, because it may appear that multiple IP addresses or hosts are responding for the same system.
  95. C. This scan shows only UDP ports. Since most services run as TCP services, this scan wouldn't have identified most common servers. Kwame should review the commands that his team issued as part of their exercise. If he finds that nmap was run with an -sU flag, he will have found the issue.
  96. B. nmap provides both hardware and operating system identification capabilities as part of its common platform enumeration features. cpe:/o indicates operating system identification, and cpe:/h indicates hardware identification.
  97. A. RADIUS uses UDP ports 1812 (authentication) and 1813 (accounting), with 1645 and 1646 as legacy alternatives. Kerberos uses port 88 over both UDP and TCP (TCP 544 and 2105 belong to the Kerberos-enabled kshell and eklogin services rather than the KDC), Postgres uses 5432, and VNC servers listen on 5900 and up (5500 is used by a viewer waiting for a reverse connection).
  98. B. nmap supports quite a few firewall evasion techniques including spoofing the MAC (hardware) address, appending random data, setting scan delays, using decoy IP addresses, spoofing the source IP or port, modifying the MTU size, or intentionally fragmenting packets.
  99. A. The dig command provides information including the time the query was done, details of the query that was sent, and the flags sent. In most cases, however, host, dig -x, and nslookup will provide roughly the same information. zonet is not an actual Linux command.
  100. A. When an organization expires multiple certificates, it often indicates a security problem that resulted in a need to invalidate the certificates. Fred should check for other information about a possible compromise near the dates of expiration.
  101. D. Casey knows that she saw three open ports and that nmap took its best guess at what was running on those ports. In this case, the system is actually a Kali Linux system, a Debian-based distribution. This is not a Cisco device, it is not running CentOS, and it was not built by IBM.
  102. D. UDP scans cannot reliably distinguish open from filtered ports, because the only negative signal is an ICMP port-unreachable message that firewalls and rate limiters frequently suppress, and SNMP agents silently drop requests that carry an invalid community string. Any of these answers could therefore be true: receiving “no response” to an SNMP query can mean that the machines are unreachable (often due to a firewall), that they are not running SNMP, or that the community string used was incorrect.
  103. B. Angela can use NetworkMiner, a tool that can analyze existing packet capture files to do OS identification and which identifies and marks images, files, credentials, sessions, DNS queries, parameters, and a variety of other details. Ettercap can perform passive TCP stack fingerprinting but is primarily a man-in-the-middle tool, dradis is an open source collaboration platform for security teams, and Sharkbait is not a security tool or term.
  104. A. A canonical name (CNAME) record aliases one name to another. MX records identify a domain's mail servers, an SPF record (published as a TXT record) lists the hosts and networks authorized to send mail on behalf of a domain, and the SOA (Start of Authority) record carries the zone's authoritative metadata: its primary name server, the responsible party's contact address, the serial number, and the refresh, retry, expire, and minimum TTL timers.
  105. C. When a vulnerability exists and a patch has not been released or cannot be installed, compensating controls can provide appropriate protection. In the case of PCI DSS (and other compliance standards), documenting what compensating controls were put in place and making that documentation available is an important step for compliance.
  106. C. The -sP flag for nmap indicates a ping scan, and /24 indicates a range of 255 addresses. In this case, that means that nmap will scan for hosts that respond to ping in the 192.168.2.0 to 192.168.2.255 IP address range.
  107. B. Performing a scan from an on-site network connection is the most likely to provide more detail. Many organizations have a strong external network defense but typically provide fewer protections for on-site network connections to allow internal users to access services. It is possible that the organization uses services found only on less common ports or UDP-only services, but both of these options have a lower chance of being true than for an on-site scan to succeed. nmap does provide firewall and IPS evasion capabilities, but this is also a less likely scenario.
  108. C. Passive fingerprinting relies on the ability of a system to capture traffic to analyze. Preventing systems from using promiscuous mode will provide attackers with very little data when performing passive fingerprinting. Both intrusion prevention systems and firewalls can help with active fingerprinting but will do nothing to stop passive fingerprinting.
  109. C. Wang's screenshot shows behavioral analysis of the executed code. From this, you can determine that malwr is a dynamic analysis sandbox that runs the malware sample to determine what it does while also analyzing the file.
  110. D. While SSH port forwarding and SSH tunneling are both useful techniques for pivoting from a host that allows access, nmap requires a range of ports open for default scans. He could write a script and forward the full range of ports that nmap checks, but none of the commands listed will get him there. If Frank has access to proxychains, he could do this with two commands.
  111. C. Angela has captured part of a Nikto scan that targets a vulnerable ASP script that allows directory traversal attacks. If it was successful, the contents of files like /etc/passwd would be accessible using the web server.
  112. A. Since organizations often protect information about the technologies they use, OSINT searches of support forums and social engineering are often combined to gather information about the technologies they have in place. Port scanning will typically not provide detailed information about services and technologies. Social media review may provide some hints, but document metadata does not provide much information about specific technologies relevant to a penetration test or attack.
  113. C. Sarah knows that domain registration information is publicly available and that her organization controls the data that is published. Since this does not expose anything that she should not expect to be accessible, she should categorize this as low impact.
  114. C. The incrementing last octet of the target IP addresses (.6, .7, .8) combined with the ICMP echo request protocol indicate that this is a ping sweep. This could be part of a port scan, but the only behavior shown here is the ping sweep. This is ICMP and cannot be a three-way handshake, and a traceroute would follow a path rather than walk through a series of IP addresses.
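The pattern in answer 114 (one source sending ICMP echo requests to a run of consecutive hosts) is easy to detect mechanically. The following is an added example, not code from the book or from any tool it names; the capture lines are constructed in a Wireshark-like summary format (time, source, destination, protocol, info), and the threshold of three distinct targets within five seconds is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample lines in a Wireshark-like summary format (not the
# capture from the question): time, source, destination, protocol, info.
SAMPLE_CAPTURE = """\
0.000 10.0.0.25 192.168.1.6 ICMP Echo (ping) request id=0x1234
0.001 10.0.0.25 192.168.1.7 ICMP Echo (ping) request id=0x1234
0.002 10.0.0.25 192.168.1.8 ICMP Echo (ping) request id=0x1234
0.003 10.0.0.25 192.168.1.9 ICMP Echo (ping) request id=0x1234
0.004 10.0.0.25 192.168.1.10 ICMP Echo (ping) request id=0x1234
0.010 192.168.1.7 10.0.0.25 ICMP Echo (ping) reply id=0x1234
0.200 10.0.0.40 192.168.1.50 TCP 51234 > 443 [SYN]
0.300 10.0.0.40 192.168.1.50 ICMP Echo (ping) request id=0x0001
"""

LINE_RE = re.compile(
    r"^(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<info>.*)$"
)


def parse_summary(text):
    """Parse summary lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = float(rec["time"])
            records.append(rec)
    return records


def _ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def find_ping_sweeps(records, min_targets=3, window=5.0):
    """Return {source: sorted distinct targets} for every source that sends
    ICMP echo requests to at least min_targets distinct hosts within
    `window` seconds. TCP SYNs (a three-way handshake) are ignored, which
    is the distinction the answer draws."""
    per_source = defaultdict(list)  # src -> [(time, dst), ...]
    for r in records:
        if r["proto"] == "ICMP" and "request" in r["info"]:
            per_source[r["src"]].append((r["time"], r["dst"]))

    sweeps = {}
    for src, events in per_source.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {dst for t, dst in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                sweeps[src] = sorted(targets, key=_ip_key)
                break
    return sweeps


if __name__ == "__main__":
    for src, targets in find_ping_sweeps(parse_summary(SAMPLE_CAPTURE)).items():
        print(f"ping sweep from {src}: {targets[0]} .. {targets[-1]} ({len(targets)} hosts)")
```

A single echo request from 10.0.0.40 does not trip the threshold, while the five consecutive targets hit by 10.0.0.25 do; in a real deployment the same logic would run over flow records or IDS ICMP events rather than a text export.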
  115. D. While the system responded on common Windows ports, you cannot determine whether it is a Windows system. It did respond, and both ports 139 and 445 were accessible. When the host the Wireshark capture was conducted from queried DNS, it did not receive a response, indicating that the system does not have a DNS entry (or at least, it doesn't have one that is available to the host that did the scan and ran the Wireshark capture).
  116. D. nmap has a number of built-in antifirewall capabilities, including packet fragmentation, decoy scans, spoofing of source IP and source port, and scan timing techniques that make detection less likely. Spoofing the target IP address won't help; her packets still need to get to the actual target.
  117. A. Using an agent-based scanning approach will provide Kim with the most reliable results for systems that are not always connected to the network. The agent can run the scans and then report results the next time the agent is connected to a network. The other technologies all require that the system be connected to the network during the scan.
  118. B. As Carla reads this report, she should note that the bottom three vulnerabilities have a status of Fixed. This indicates that the information leakage vulnerability is already corrected and that the server no longer supports TLS v1.0. The alert about the load balancer is severity 1, and Carla should treat it as informational. This leaves a severity 2 vulnerability for the expired SSL certificate as the highest-severity issue of the choices presented.
  119. C. In a VM escape attack, the attacker exploits vulnerabilities in the hypervisor to gain access to resources assigned to other guest operating systems. Services running on the guest may be vulnerable to the other attacks listed here, but those attacks would only be able to access other resources assigned to either the same guest (in the case of buffer overflow or directory traversal) or the client (in the case of cross-site scripting).
  120. C. Sadiq should ensure that the ICS is on an isolated network, unreachable from any Internet-connected system. This greatly reduces the risk of exploitation. It would not be cost-effective to develop a patch himself, and Sadiq should not trust any software that he obtains from an Internet forum. An intrusion prevention system, while a good idea, is not as strong a control as network isolation.
  121. C. This vulnerability has a severity rating of 3/5 and is further mitigated by the fact that the server is on an internal network, accessible only to trusted staff. This rises above the level of an informational report and should be addressed, but it does not require urgent attention.
  122. B. The High Severity Report is the most likely report of the choices given that will provide a summary of critical security issues. The Technical Report will likely contain too much detail for Rob's manager. The Patch Report will indicate systems and applications that are missing patches but omit other security issues. The Unknown Device Report will focus on systems detected during the scan that are not registered with the organization's asset management system.
  123. A. The Payment Card Industry Data Security Standard (PCI DSS) regulates credit and debit card information. The Family Educational Rights and Privacy Act (FERPA) applies to student educational records. The Health Insurance Portability and Accountability Act (HIPAA) regulates protected health information. The Sarbanes–Oxley (SOX) Act requires controls around the handling of financial records for public companies.
  124. C. Web servers commonly run on ports 80 (for HTTP) and 443 (for HTTPS). Database servers commonly run on ports 1433 (for Microsoft SQL Server), 1521 (for Oracle), or 3306 (for MySQL). Remote Desktop Protocol services commonly run on port 3389. There is no evidence that SSH, which uses port 22, is running on this server.
  125. B. Nina should perform testing of her code before deploying it to production. Because this code was designed to correct an issue found in a vulnerability scan, Nina should ask the security team to rerun the scan to confirm that the vulnerability was resolved as one component of her testing. A penetration test is overkill and not necessary in this situation. Nina should not deploy the code to production until it is tested. She should not mark the issue as resolved until it is verified to work in production.
  126. B. Port 23 is used by telnet, an insecure unencrypted communications protocol. George should ensure that telnet is disabled and blocked. Secure shell (SSH) runs on port 22 and serves as a secure alternative. Port 161 is used by the Simple Network Management Protocol (SNMP), and port 443 is used for secure web connections.
  127. B. This system is exposing a service on port 3389. This port is typically used for remote administrative access to Windows servers.
  128. C. The issue identified in this scan report is with a service running on port 3389. Windows systems use port 3389 for the Remote Desktop Protocol (RDP). Therefore, Harold should turn to this service first.
  129. D. None of the protocols and versions listed in this question is an acceptable way to correct this vulnerability. All versions of SSL contain critical vulnerabilities and should no longer be used. TLS v1.0 also contains a vulnerability that would allow an attacker to downgrade the cryptography used by the server. Harold should upgrade the server to support at least TLS v1.2.
  130. D. VMware is a virtualization platform that is widely used to run multiple guest operating systems on the same hardware platform. This vulnerability indicates a vulnerability in VMware itself, which is the hypervisor that moderates access to physical resources by those guest operating systems.
  131. B. Quentin should reconfigure cipher support to resolve the issues surrounding the weak cipher support of SSL/TLS and RDP. He should also obtain a new SSL certificate to resolve multiple issues with the current certificate. He should add account security requirements to resolve the naming of guest accounts and the expiration of administrator passwords. There is no indication that any Windows patches are missing on this system.
  132. A. Although all of these categories of information should trigger vulnerability scanning for assets involved in their storage, processing, or transmission, only credit card information has specific regulations covering these scans. The Payment Card Industry Data Security Standard (PCI DSS) contains detailed requirements for vulnerability scanning.
  133. A. Stella should remediate this vulnerability as quickly as possible because it is rated by the vendor as a Critical vulnerability. The description of the vulnerability indicates that an attacker could execute arbitrary code on the server and use this vulnerability to achieve escalation of privilege. Therefore, this should be one of Stella's highest priorities for remediation.
  134. B. This system is running SharePoint. This application only runs on Microsoft Windows servers.
  135. B. The vulnerability report indicates that SharePoint application patches are available to correct the vulnerability on a variety of versions of SharePoint. This should be Stella's first course of action since it will correct the underlying issue. Deploying an intrusion prevention system may also prevent attackers from exploiting the vulnerability, but it will depend on the positioning of the IPS and the attacker's location on the network and will not correct the underlying issue. There is no indication that an operating system patch will correct the issue. Disabling the service will prevent an attacker from exploiting the vulnerability but will also disable the business-critical service.
  136. D. A supervisory control and data acquisition (SCADA) network is a form of industrial control system (ICS) that is used to maintain sensors and control systems over a large geographic area.
  137. D. The most likely issue is that Eric's scanner has not pulled the most recent signatures from the vendor's vulnerability feed. Eric should perform a manual update and rerun the scan before performing an investigation of the servers in question or filing a bug report.
  138. A. Blind SQL injection vulnerabilities are very difficult to detect and are a notorious source of false positive reports. Natalie should verify the results of the tests performed by the developers but should be very open to the possibility that this is a false positive report, since that is the most likely scenario.
  139. A. Virtualized systems run full versions of operating systems. If Kasun's scan revealed a missing operating system patch when he scanned a virtualized server, the patch should be applied directly to that guest operating system.
  140. D. Joaquin can improve the quality and quantity of information available to the scanner by moving to credentialed scanning, moving to agent-based scanning, and integrating asset information into the scans. Any of these actions is likely to reduce the false positive rate. Increasing the sensitivity of scans would likely have the opposite effect, causing the scanner to report even more false positives.
  141. C. Of the choices presented, the maximum number of simultaneous checks per host is the only setting that would affect individual systems. Changing the number of simultaneous hosts per scan and the network timeout would have an effect on the broader network. Randomizing IP addresses would not have a performance impact.
  142. C. This report simply states that a cookie used by the service is not encrypted. Before raising any alarms, Isidora should investigate the contents of the cookie to determine whether the compromise of its contents would introduce a security issue. This might be the case if the cookie contains session or authentication information. However, if the cookie does not contain any sensitive contents, Isidora may be able to simply leave the service as is.
  143. C. Information asset value refers to the value that the organization places on data stored, processed, or transmitted by an asset. In this case, the types of information processed (e.g., regulated data, intellectual property, personally identifiable information) help to determine information asset value. The cost of server acquisition, cost of hardware replacement, and depreciated cost all refer to the financial value of the hardware, which is a different concept than information asset value.
  144. D. Laura should consider deploying vulnerability scanning agents on the servers she wants to scan. These agents can retrieve configuration information and send it to the scanner for analysis. Credentialed scanning would also be able to retrieve this information, but it would require that Laura manage accounts on each scanned system. Server-based scanning would not be capable of retrieving configuration information from the host unless run in credentialed mode. Uncredentialed scans would not have the access required to retrieve detailed configuration information from scan targets.
  145. B. The vulnerability report states that the issue is with SQL Server. SQL Server is a database platform provided by Microsoft.
  146. D. It is unlikely that a network IPS would resolve this issue because it would not be able to view the contents of an encrypted SSH session. Disabling port 22 would correct the issue although it may cause business disruption. Disabling AES-GCM is listed in the solution section as a feasible workaround, whereas upgrading OpenSSH is the ideal solution.
  147. D. Unfortunately, Singh cannot take any action to remediate this vulnerability. He could consider restricting network access to the server, but this would likely have an undesirable effect on email access. The use of encryption would not correct this issue. The vulnerability report indicates that “There is no known fix at this time,” meaning that upgrading Windows or Exchange would not correct the problem.
  148. B. SQL injection vulnerabilities target the data stored in enterprise databases, but they do so by exploiting flaws in client-facing applications. These flaws are most commonly, but not exclusively, found in web applications.
  149. B. This vulnerability exists in Microsoft Internet Information Server (IIS), which is a web server. The fact that the vulnerability could result in cross-site scripting issues also points to a web server. Web servers use the HTTP and HTTPS protocols. Ryan could configure IPS rules to filter HTTP/HTTPS access to this server.
  150. B. Applying a security patch would correct the issue on this server. The fact that the header for this vulnerability includes a Microsoft security bulletin ID (MS17-016) indicates that Microsoft likely released a patch in 2017. Disabling the IIS service would disrupt business activity on the server. Modifying the web application would not likely address this issue as the report indicates that it is an issue with the underlying IIS server and not a specific web application. IPS rules may prevent an attacker from exploiting the vulnerability, but they would not correct the underlying issue.
  151. A. Since this is an escalation of privilege vulnerability, it is likely that an attacker could gain complete control of the system. There is no indication that control of this system would then lead to complete control of the domain. Administrative control of the server would grant access to configuration information and web application logs, but these issues are not as serious as an attacker gaining complete control of the server.
  152. B. This server is located on an internal network and only has a private IP address. Therefore, the only scan that would provide any valid results is an internal scan. The external scanner would not be able to reach the file server through a valid IP address.
  153. A. Task 1 strikes the best balance between criticality and difficulty. It allows Zahra to remediate a medium criticality issue with an investment of only six hours of time. Task 2 is higher criticality but would take three weeks to resolve. Task 3 is the same criticality but would require two days to fix. Task 4 is lower criticality but would require the same amount of time to resolve as Task 1.
  154. C. Although all of these options are viable, the simplest solution is to design a report that provides the information and then configure the system to automatically send this report to the director each month.
  155. C. If the firewall is properly configured, the workstation and file server are not accessible by an external attacker. Of the two remaining choices, the web server vulnerability (at severity 5) is more severe than the mail server vulnerability (at severity 1). Most organizations do not bother to remediate severity 1 vulnerabilities because they are usually informational in nature.
  156. A. This is an informational-level report that will be discovered on any server that supports the OPTIONS method. This is not a serious issue and is listed as an informational item, so Mike does not need to take any action to address it.
  157. D. Ports 139 and 445 are associated with Windows systems that support file and printer sharing.
  158. A. Although a buffer overflow attack could theoretically have an impact on information stored in the database, a SQL injection vulnerability poses a more direct threat by allowing an attacker to execute arbitrary SQL commands on the database server. Cross-site scripting attacks are primarily user-based threats that would not normally allow database access. A denial-of-service attack targets system availability, rather than information disclosure.
  159. A. IPsec is a secure protocol for the establishment of VPN links. Organizations should no longer use the obsolete Secure Sockets Layer (SSL) or Point-to-Point Tunneling Protocol (PPTP) for VPN connections or other secure connections.
  160. D. Rahul does not need to take any action on this vulnerability because it has a severity rating of 2 on a five-point scale. PCI DSS only requires the remediation of vulnerabilities with at least a “high” rating, and this vulnerability does not clear that threshold.
  161. C. This vulnerability is with the Network Time Protocol (NTP), a service that runs on UDP port 123. NTP is responsible for synchronizing the clocks of servers, workstations, and other devices in the organization.
  162. D. Aaron should treat this vulnerability as a fairly low priority and may never get around to remediating it if there are more critical issues on his network. The vulnerability only has a severity rating of 2 (out of 5), and the vulnerability is further mitigated by the fact that the server is accessible only from the local network.
  163. A. The SQL injection attack could be quite serious, since it may allow an attacker to retrieve and/or modify information stored in the backend database. The second highest priority should be resolving the use of unencrypted authentication, because it may allow the theft of user credentials. The remaining two vulnerabilities are less serious, because they pose only a reconnaissance risk.
  164. A. The report notes that all of the vulnerabilities for these three servers are in Fixed status. This indicates that the vulnerabilities existed but have already been remediated and no additional work is required.
  165. B. The most likely issue is that the maintenance subscription for the scanner expired while it was inactive and the scanner is not able to retrieve current signatures from the vendor's vulnerability feed. The operating system of the scanner should not affect the scan results. Ji-won would not be able to access the scanner at all if she had invalid credentials or the scanner had an invalid IP address.
  166. D. The most likely scenario is that a network IPS is blocking SQL injection attempts sent to this server, and the internal scanner is positioned on the network in such a way that it is not filtered by the network IPS. If a host IPS were blocking the requests, the vulnerability would likely not appear on internal scans either. If a firewall were blocking the requests, then no external scanner entries would appear in the log file.
  167. D. The fact that this vulnerability affects kernel-mode drivers is very serious, because it indicates that an attacker could compromise the core of the operating system in an escalation of privilege attack. The other statements made about this vulnerability are all correct, but they are not as serious as the kernel-mode issue.
  168. B. System administrators are normally in the best position to remediate vulnerabilities because they are responsible for maintaining the server configuration. Network engineers, security analysts, and managers may provide input, but they often lack either the privileges or knowledge to successfully remediate a server.
  169. A. Because both of these hosts are located on the same virtualization platform, it is likely that the network traffic never leaves that environment and would not be controlled by an external network firewall or intrusion prevention system. Ed should first look at the internal configuration of the virtual network to determine whether he can apply the restriction there.
  170. D. This is an example of the POODLE vulnerability that exploits weaknesses in the OpenSSL encryption library. While replacing SSL with TLS and disabling weak ciphers are good practices, they will not correct this issue. Carl should upgrade OpenSSL to a more current version that does not contain this vulnerability.
  171. B. According to corporate policy, Renee must run the scans on a daily basis, so the weekend is not a viable option. The scans should run when they have the least impact on operations, which, in this scenario, would be in the evening. The purpose of vulnerability scans is to identify known vulnerabilities in systems and not to perform load testing of servers.
  172. A. The highest-severity vulnerability in this report is the use of an outdated version of SNMP. Ahmed can correct this issue by disabling the use of SNMP v1 and SNMP v2, which contain uncorrectable security issues, and replacing them with SNMP v3. The other actions offered as choices in this question would remediate other vulnerabilities shown in the report, but they are all of lower severity than the SNMP issue.
  173. C. Glenda can easily resolve this issue by configuring workstations to automatically upgrade Chrome. It is reasonable to automatically deploy Chrome updates to workstations because of the fairly low impact of a failure and the fact that users could switch to another browser in the event of a failure. Manually upgrading Chrome would also resolve the issue, but it would not prevent future issues. Replacing Chrome with Internet Explorer would resolve this issue but create others, since Internet Explorer is no longer supported by Microsoft. This is a serious issue, so Glenda should not ignore the report.
  174. B. Glenda should remediate this vulnerability as quickly as possible because it occurs widely throughout her organization and has a significant severity (4 on a 5-point scale). If an attacker exploits this vulnerability, they could take control of the affected system by executing arbitrary code on it.
  175. C. Oracle database servers use port 1521 for database connections. Port 443 is used for HTTPS connections to a web server. Microsoft SQL Server uses port 1433 for database connections. Port 8080 is a nonstandard port for web services.
  176. A. The most likely explanation for this result is that the organization is running web services on a series of nonstandard ports from 2025 to 2035. The banner returned by the service on these ports indicates the use of Microsoft Internet Information Services and does not appear to be a false positive. There is no indication that the server has been compromised, although it may soon be compromised if they don't update their outdated version of IIS!
  177. D. This cipher uses the insecure Data Encryption Standard (DES) algorithm and should be replaced. The other ciphers listed all use the secure Advanced Encryption Standard (AES) in place of DES encryption.
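Answers 129, 131, and 177 all come down to the same remediation: drop obsolete protocol versions and cipher suites built on DES/3DES, RC4, NULL, export-grade, or MD5 primitives. The following is an added example, not code from the book; it audits a constructed server configuration (the protocol list and OpenSSL-style cipher names are assumed sample input, not the scan report from the questions) and produces the hardened equivalent. It also accepts IANA-style names such as TLS_RSA_WITH_3DES_EDE_CBC_SHA, which the book's answer does not discuss.

```python
import re

# Constructed example of a server's enabled settings (not from the question's
# scan report): protocol versions plus cipher suites in OpenSSL naming.
SAMPLE_CONFIG = {
    "protocols": ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"],
    "ciphers": [
        "DES-CBC3-SHA",                 # 3DES: weak
        "DES-CBC-SHA",                  # single DES: weak
        "RC4-SHA",                      # RC4: weak
        "AES128-SHA",                   # AES: acceptable (no forward secrecy)
        "ECDHE-RSA-AES256-GCM-SHA384",  # AES-GCM with ECDHE: strong
    ],
}

# Versions that answer 129 says should no longer be used (TLS v1.2 or later is required).
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Name tokens that mark a suite as weak, mapped to the reason reported.
# Order matters only for the order of reasons in the output.
WEAK_TOKENS = {
    "DES": "DES/3DES block cipher",   # "DES-CBC3" is 3DES, "DES-CBC" is single DES
    "RC4": "RC4 stream cipher",
    "NULL": "no encryption",
    "EXP": "export-grade key length",
    "MD5": "MD5 MAC",
}


def cipher_weaknesses(name):
    """Return the list of reasons a suite name is weak (empty if none).
    Splits on '-' (OpenSSL names) and '_' (IANA names)."""
    tokens = set(re.split(r"[-_]", name.upper()))
    if "3DES" in tokens:          # IANA spells 3DES as "3DES_EDE"
        tokens.add("DES")
    return [reason for tok, reason in WEAK_TOKENS.items() if tok in tokens]


def audit_tls(config):
    """List (item, reason) findings for obsolete protocols and weak suites."""
    findings = [(p, "obsolete protocol version")
                for p in config["protocols"] if p in OBSOLETE_PROTOCOLS]
    for suite in config["ciphers"]:
        findings.extend((suite, reason) for reason in cipher_weaknesses(suite))
    return findings


def hardened(config):
    """The same configuration with obsolete protocols and weak suites removed."""
    return {
        "protocols": [p for p in config["protocols"] if p not in OBSOLETE_PROTOCOLS],
        "ciphers": [c for c in config["ciphers"] if not cipher_weaknesses(c)],
    }


if __name__ == "__main__":
    for item, reason in audit_tls(SAMPLE_CONFIG):
        print(f"remove {item}: {reason}")
    print("hardened:", hardened(SAMPLE_CONFIG))
```

The token check is deliberately conservative: anything containing DES (including 3DES) is flagged, which matches the answer's point that only the AES-based suites in the question are acceptable.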
  178. B. The PCI DSS standard requires that merchants and service providers present a clean scan result that shows no critical or high vulnerabilities in order to maintain compliance.
  179. C. The vulnerability shown here affects PNG processing on systems running Windows. PNG is an acronym for Portable Network Graphics and is a common image file format.
  180. C. Patrick should be extremely careful with this patch. If the patch causes services to fail, it has the potential to disable all of his organization's Windows servers. This is a serious risk and requires testing prior to patch deployment. Patrick's best course of action is to deploy the patch in a test environment and then roll it out into production on a staged basis if that test is successful. Options that involve deploying the patch to production systems prior to testing may cause those services to fail. Disabling all external access to systems is likely an overreaction that would have critical business impact.
  181. C. The standard scan of 1,900 common ports is a reasonably thorough scan that will conclude in a realistic period of time. If Aaron knows of specific ports used in his organization that are not included in the standard list, he could specify them using the Additional section of the port settings. A full scan of all 65,535 ports would require an extremely long period of time on a Class C network. Choosing the Light Scan setting would exclude a large number of commonly used ports, whereas the None setting would not scan any ports.
  182. A. From the information given in the scenario, you can conclude that none of the HTTP/HTTPS vulnerabilities are exploitable by an attacker because of the firewall restrictions. However, OpenSSL is an encryption package used for other services, in addition to HTTPS. Therefore, it may still be exposed via SSH or other means. Haruto should replace it with a current, supported version because running an end-of-life (EOL) version of this package exposes the organization to potentially unpatchable security vulnerabilities.
  183. B. Banner grabbing scans are notorious for resulting in false positive reports because the only validation they do is to check the version number of an operating system or application against a list of known vulnerabilities. This approach is unable to detect any remediation activities that may have taken place that do not alter the version number.
  184. C. Vulnerability 3 has a CVSS score of 10.0 because it received the highest possible ratings on all portions of the CVSS vector. All three vulnerabilities have ratings of “high” for the confidentiality, integrity, and availability impact metrics. Vulnerabilities 1 and 2 have lower values for one or more of the exploitability metrics.
  185. D. A cybersecurity analyst should consider all of these factors when prioritizing remediation of vulnerabilities. The severity of the vulnerability is directly related to the risk involved. The likelihood of the vulnerability being exploited may be increased or reduced based on the affected system's network exposure. The difficulty of remediation may impact the team's ability to correct the issue with a reasonable commitment of resources.
  186. B. There is no indication in the scenario that the server is running a database; in fact, the scenario indicates that the server is dedicated to running the Apache web service. Therefore, it is unlikely that a database vulnerability scan would yield any results. Landon should run the other three scans, and if they indicate the presence of a database server, he could follow up with a specialized database vulnerability scan.
  187. C. The vulnerability report's impact statement reads as follows: “If successfully exploited, this vulnerability could lead to intermittent connectivity problems, or the loss of all NetBIOS functionality.” This is a description of an availability risk.
  188. C. Data classification is a set of labels applied to information based on its degree of sensitivity and/or criticality. It would be the most appropriate choice in this scenario. Data retention requirements dictate the length of time that an organization should maintain copies of records. Data remanence is an issue where information thought to be deleted may still exist on systems. Data privacy may contribute to data classification but does not encompass the entire field of data sensitivity and criticality in the same manner as data classification. For example, a system may process proprietary business information that would be very highly classified and require frequent vulnerability scanning. Unless that system also processed personally identifiable information, it would not trigger scans under a system based solely on data privacy.
  189. C. In this scenario, a host firewall may be an effective way to prevent infections from occurring in the first place, but it will not expedite the recovery of a system that is already infected. Intrusion prevention systems and security patches will generally not be effective against a zero-day attack and also would not serve as a recovery control. Backups would provide Tom with an effective way to recover information that was encrypted during a ransomware attack.
  190. B. There is no reason to believe that upgrading the operating system will resolve this application vulnerability. All of the other solutions presented are acceptable ways to address this risk.
  191. D. This is a serious vulnerability because it exposes significant network configuration information to attackers and could be used to wage other attacks on this network. However, the direct impact of this vulnerability is limited to reconnaissance of network configuration information.
  192. B. In this case, Yashvir should ask the DBA to recheck the server to ensure that the patch was properly applied. It is not yet appropriate to mark the issue as a false positive report until Yashvir performs a brief investigation to confirm that the patch is applied properly. This is especially true because the vulnerability relates to a missing patch, which is not a common source of false positive reports. There was no acceptance of this vulnerability, so Yashvir should not mark it as an exception. He should not escalate this issue to management because the DBA is working with him in good faith.
  193. A. This is most likely a false positive report. The vulnerability description says “note that this script is experimental and may be prone to false positives.” It is less likely that the developers and independent auditors are all incorrect. The scanner is most likely functioning properly, and there is no indication that either it or the database server is misconfigured.
  194. B. X.509 certificates are used to exchange public keys for encrypted communications. They are a fundamental part of the SSL and TLS protocols, and an issue in an X.509 certificate may definitely affect HTTPS, SSH, and VPN communications that depend on public key cryptography. HTTP does not use encryption and would not be subject to this vulnerability.
  195. A. This is an example of a false positive report. The administrator demonstrated that the database is not subject to the vulnerability because of the workaround, and Larry went a step further and verified this himself. Therefore, he should mark the report as a false positive in the vulnerability scanner.
  196. B. False positive reports like the one described in this scenario are common when a vulnerability scanner depends on banner grabbing and version detection. The primary solution to this issue is applying a patch that the scanner would detect by noting a new version number. However, the administrator performed the perfectly acceptable action of remediating the vulnerability in a different manner without applying the patch, but the scanner is unable to detect that remediation activity and is reporting a false positive result.
  197. C. The Post Office Protocol v3 (POP3) is used for retrieving email from an email server.
  198. A. Margot can expect to find relevant results in the web server logs because they would contain records of HTTP requests to the server. Database server logs would contain records of the queries made against the database. IDS logs may contain logs of SQL injection alerts. NetFlow logs would not contain useful information because they only record traffic flows, not the details of the communications.
  199. A. The runas command allows an administrator to execute a command using the privileges of another user. Linux offers the same functionality with the sudo command. The Linux su command is similar but allows an administrator to switch user identities, rather than simply execute a command using another user's identity. The ps command in Linux lists active processes, whereas the grep command is used to search for text matching a pattern.
  200. A. Plain-text authentication sends credentials “in the clear,” meaning that they are transmitted in unencrypted form and are vulnerable to eavesdropping by an attacker with access to a network segment between the client and server.
  201. D. Fingerprinting vulnerabilities disclose information about a system and are used in reconnaissance attacks. This vulnerability would allow an attacker to discover the operating system and version running on the target server.
  202. B. The majority of the most serious issues in this scan report relate to missing security updates to Windows and applications installed on the server. Akari should schedule a short outage to apply these updates. Blocking inbound connections at the host firewall would prevent the exploitation of these vulnerabilities, but it would also prevent users from accessing the server. Disabling the guest account and configuring the use of secure ciphers would correct several vulnerabilities, but they are not as severe as the vulnerabilities related to patches.
  203. D. Ben should obtain permission from the client to perform scans before engaging in any other activities. Failure to do so may violate the law and/or anger the client.
  204. A. The fact that the server runs a critical business process should increase the importance of the patch, rather than deferring it indefinitely. Katherine should work with the engineer to schedule the patch to occur during a regular maintenance window. It is reasonable to wait until that scheduled window because of the relatively low impact of the vulnerability.
  205. C. The best options to correct this vulnerability are either removing the JRE if it is no longer necessary or upgrading it to a recent, secure version. This vulnerability is exploited by the user running a Java applet and does not require any inbound connections to the victim system, so a host firewall would not be an effective control. A web content filtering solution, though not the ideal solution, may be able to block malicious GIF files from exploiting this vulnerability.
  206. B. In this situation, Grace is facing a true emergency. Her web server has a critical vulnerability that is exposed to the outside world and may be easily exploited. Grace should correct the issue immediately, informing all relevant stakeholders of the actions that she is taking. She can then follow up by documenting the change as an emergency action in her organization's change management process. All of the other approaches in this question introduce an unacceptable delay.
  207. A. Although ARP tables may provide the necessary information, this is a difficult way to enumerate hosts and is prone to error. Doug would have much greater success if he consulted the organization's asset management tool, ran a discovery scan, or looked at the results of other recent scans.
  208. A. The most likely reason for this result is that the scan sensitivity is set to exclude low-impact vulnerabilities rated as 1 or 2. There is no reason to believe that Mary configured the scan improperly because this is a common practice to limit information overload and is likely intentional. It is extremely unlikely that systems in the datacenter contain no low-impact vulnerabilities when they have high-impact vulnerabilities. If Mary excluded high-impact vulnerabilities, the report would not contain any vulnerabilities rated 4 or 5.
  209. D. This vulnerability is presented as an Info level vulnerability and, therefore, does not represent an actual threat to the system. Mikhail can safely ignore this issue.
  210. D. Vulnerability scans can only provide a snapshot in time of a system's security status from the perspective of the vulnerability scanner. Agent-based monitoring provides a detailed view of the system's configuration from an internal perspective and is likely to provide more accurate results, regardless of the frequency of vulnerability scanning.
  211. A. The SQL injection vulnerability is clearly the highest priority for remediation. It has the highest severity (5/5) and also exists on a server that has public exposure because it resides on the DMZ network.
  212. D. Pete and the desktop support team should apply the patch using a GPO or other centralized configuration management tool. This is much more efficient than visiting each workstation individually, either in person or via remote connection. There is no indication in the scenario that a registry update would remediate this issue.
  213. A. An insider would have the network access required to connect to a system on the internal server network and exploit this buffer overflow vulnerability. Buffer overflow vulnerabilities typically allow the execution of arbitrary code, which may allow an attacker to gain control of the server and access information above their authorization level. Vulnerability 3 may also allow the theft of information, but it has a lower severity level than vulnerability 2. Vulnerabilities 4 and 5 are denial-of-service vulnerabilities that would allow the disruption of service, not the theft of information.
  214. A. Wanda should restrict interactive logins to the server. The vulnerability report states that “The most severe of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document.” If Wanda restricts interactive login, it greatly reduces the likelihood of this type of activity. Removing Internet Explorer or Microsoft Office might lower some of the risk, but it would not be as effective as completely restricting logins. Applying the security patch is not an option because of the operational concerns cited in the question.
  215. D. For best results, Garret should combine both internal and external vulnerability scans. The external scan provides an “attacker's eye view” of the web server, whereas the internal scan may uncover vulnerabilities that would only be exploitable by an insider or an attacker who has gained access to another system on the network.
  216. A. The scenario describes an acceptable use of a compensating control that has been reviewed with the merchant bank. Frank should document this as an exception and move on with his scans. Other actions would go against his manager's wishes and are not required by the situation.
  217. D. All three of these scan types provide James with important information and/or are needed to meet regulatory requirements. The external scan from James's own network provides information on services accessible outside of the payment card network. The internal scan may detect vulnerabilities accessible to an insider or someone who has breached the network perimeter. The approved scanning vendor (ASV) scans are required to meet PCI DSS obligations. Typically, ASV scans are run infrequently and do not provide the same level of detailed reporting as the organization's own external scans, so James should include both in his program.
  218. A. Any one of the answer choices provided is a possible reason that Helen received this result. However, the most probable scenario is that the printer is actually running a web server and this is a true positive result. Printers commonly provide administrative web interfaces, and those interfaces may be the source of vulnerabilities.
  219. D. Joe has time to conduct some communication and change management before making the change. Even though this change is urgent, Joe should take advantage of that time to communicate with stakeholders, conduct a risk assessment, and initiate change management processes. These tasks will likely be abbreviated forms of what Joe would do if he had time to plan a change normally, but he should make every effort to complete them.
  220. C. Port 389 is used by the Lightweight Directory Access Protocol (LDAP) and is not part of the SMB communication. SMB may be accessed directly over TCP port 445 or indirectly by using NetBIOS over TCP/IP on TCP ports 137 and 139.
  221. B. Ted can reduce the number of results returned by the scan by decreasing the scan sensitivity. This will increase the threshold for reporting, only returning the most important results. Increasing the scan sensitivity would have the opposite effect, increasing the number of reported vulnerabilities. Changing the scan frequency would not alter the number of vulnerabilities reported.
  222. A. Microsoft has discontinued support for Internet Explorer versions other than IE 11, and Internet Explorer itself has been discontinued after version 11 because it has been replaced by Microsoft Edge. Google Chrome and Mozilla Firefox are also suitable replacement browsers.
  223. A. Buffer overflow vulnerabilities occur when an application attempts to put more data in a memory location than was allocated for that use, resulting in unauthorized writes to other areas of memory. Bounds checking verifies that user-supplied input does not exceed the maximum allowable length before storing it in memory.
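The bounds check described in this answer, shown as an added C example that is not from the book: a fixed-size buffer is filled from untrusted input first without a length check and then with one. The function and constant names (copy_unchecked, copy_bounded, name_fits, NAME_LEN) and the sample inputs are constructed for illustration.

```c
/* Added example (not from the book): a fixed-size buffer filled from
 * untrusted input, first without bounds checking and then with it.
 * Names (copy_unchecked, copy_bounded, name_fits, NAME_LEN) are hypothetical. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* bytes allocated for the name, including the NUL */

/* Unsafe: strcpy trusts that the source fits. Input of NAME_LEN or more
 * characters writes past the end of dst, which is the buffer overflow the
 * answer describes. Only ever call this with input already known to fit. */
void copy_unchecked(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);
}

/* Safe: verify the length before storing anything. Returns 0 on success
 * and -1 if the input would not fit; dst is left as an empty string in
 * that case so callers never see a partially written or unterminated name. */
int copy_bounded(char dst[NAME_LEN], const char *src)
{
    size_t len = 0;
    /* Measure without scanning past the space we have: an unterminated
     * source cannot push us into reading beyond NAME_LEN bytes. */
    while (len < NAME_LEN && src[len] != '\0')
        len++;
    if (len >= NAME_LEN) {          /* no room for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);      /* copies the NUL as well */
    return 0;
}

/* Convenience wrapper: returns 1 if the input was accepted, 0 if rejected. */
int name_fits(const char *src)
{
    char buf[NAME_LEN];
    return copy_bounded(buf, src) == 0;
}

int main(void)
{
    char buf[NAME_LEN];
    const char *ok  = "alice";                       /* 5 chars: fits */
    const char *bad = "this-name-is-far-too-long";   /* 25 chars: rejected */

    copy_unchecked(buf, ok);   /* safe here only because the input is known */
    printf("unchecked copy: %s\n", buf);

    printf("bounded copy of \"%s\": %s\n", ok,
           copy_bounded(buf, ok) == 0 ? buf : "rejected");
    printf("bounded copy of \"%s\": %s\n", bad,
           copy_bounded(buf, bad) == 0 ? buf : "rejected");
    return 0;
}
```

The check compares the measured length against the allocated size before any byte is written; that ordering (measure, compare, then store) is the whole of what "bounds checking" means in the answer, and the rejected case leaves the buffer in a defined state rather than half-filled.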
  224. D. System D is the only system that contains a critical vulnerability, as seen in the scan results. Therefore, Sherry should begin with this system as it has the highest-priority vulnerability.
  225. D. The problem Victor is experiencing is that the full scan does not complete in the course of a single day and is being cancelled when the next full scan tries to run. He can fix this problem by reducing the scanning frequency. For example, he could set the scan to run once a week so that it completes. Reducing the number of systems scanned would not meet his requirement to scan the entire datacenter. He cannot increase the number of scanners or upgrade the hardware because he has no funds to invest in the system.
  226. C. The only high-criticality issue on this report (and all but one of the medium-criticality issues) relates to an outdated version of the Apache web server. Vanessa should upgrade this server before taking any other remediation action.
  227. D. The Relaunch On Finish schedule option will run continuous vulnerability scanning of the target servers. Each time the scan completes, it will start over again. Gil should be extremely careful when choosing this option because it may cause undesirable resource consumption for both the scanner and the target servers.
  228. D. This scan result does not directly indicate a vulnerability. However, it does indicate that the server is configured for compatibility with 16-bit applications, and those applications may have vulnerabilities. It is an informational result that does not directly require action on Terry's behalf.
  229. B. PuTTY is a commonly used remote login application used by administrators to connect to servers and other networked devices. If an attacker gains access to the SSH private keys used by PuTTY, the attacker could use those keys to gain access to the systems managed by that administrator. This vulnerability does not necessarily give the attacker any privileged access to the administrator's workstation, and the SSH key is not normally used to encrypt stored information.
  230. B. Mateo should remove the four pieces of obsolete software identified by the vulnerability scan (Java 6.1, Internet Explorer 8, Microsoft .NET Framework 4, and Microsoft Visual C++ 2005). He should also apply the Windows MS17-012 security update and patch Chrome, Java, and other vulnerable applications on this system. All of these issues raise critical vulnerabilities in the scan report. There is no indication that host firewall changes are required.
  231. D. Although all of the technologies listed here contribute to the security of mobile devices, only containerization allows the isolation and protection of sensitive information separate from other uses of the device. Containerization technology creates a secure vault for corporate information that may be remotely wiped without affecting other uses of the device. It also protects the contents of the container from other applications and services running on the device.
  232. A. In this situation, Sally recognizes that there is no imminent threat, so it is not necessary to follow an emergency change process that would allow her to implement the change before conducting any change management. That said, the change should be made without waiting up to three months for a scheduled patch cycle. Therefore, Sally's best option is to initiate a high-priority change through her organization's change management process.
  233. C. Gene's best option is to alter the sensitivity level of the scan so that it excludes low-importance vulnerabilities. The fact that his manager is telling him that many of the details are unimportant is his cue that the report contains superfluous information. Although he could edit the chart manually, he should instead alter the scan settings so that he does not need to make those manual edits each time he runs the report.
  234. D. Avik is required to rerun the vulnerability scan until she receives a clean result that may be submitted for PCI DSS compliance purposes.
  235. A. PCI DSS requires that networks be scanned quarterly or after any “significant change in the network.” A firewall upgrade definitely qualifies as a significant network change, and Chanda should schedule a vulnerability scan immediately to maintain PCI DSS compliance.
  236. A. Network segmentation is one of the strongest controls that may be used to protect industrial control systems and SCADA systems by isolating them from other systems on the network. Input validation and memory protection may provide some security, but the mitigating effect is not as strong as isolating these sensitive systems from other devices and preventing an attacker from connecting to them in the first place. Redundancy may increase uptime from accidental failures but would not protect the systems from attack.
  237. C. Although any of these reasons is possible, the most likely cause of this result is that the system administrator blocked the scanner with a host firewall rule. It is unlikely that the administrator completed the lengthy, time-consuming work overnight and without causing a service disruption. If the server were down, other IT staff would have reported the issue. If the scan did not run, Glenda would not see any entries in the scanner's logs.
  238. B. Any addresses in the 10.x.x.x, 172.16.x.x, and 192.168.x.x ranges are private IP addresses that are not routable over the Internet. Therefore, of the addresses listed, only 12.8.1.100 could originate outside the local network.
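The private-address test behind this answer, as an added C example that is not from the book. It checks each block with its RFC 1918 CIDR mask (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) rather than a text prefix, so it handles the full 172.16 to 172.31 range correctly; apart from 12.8.1.100, the sample addresses are constructed, and the function names (parse_ipv4, is_rfc1918, classify) are hypothetical.

```c
/* Added example (not from the book): classify IPv4 addresses from a
 * constructed log extract as RFC 1918 private or as potentially external.
 * Private blocks: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
 * Function and variable names are hypothetical. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Parse dotted-quad text into a host-order 32-bit value.
 * Returns 1 on success, 0 if the text is not a valid IPv4 address. */
int parse_ipv4(const char *text, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    /* The trailing %c must NOT match: anything after the fourth octet is junk. */
    if (sscanf(text, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
    return 1;
}

/* True if addr lies inside one of the RFC 1918 private blocks.
 * Masks, not string prefixes: 172.31.255.255 is private, 172.32.0.0 is not. */
int is_rfc1918(uint32_t addr)
{
    return (addr & 0xFF000000u) == 0x0A000000u     /* 10.0.0.0/8     */
        || (addr & 0xFFF00000u) == 0xAC100000u     /* 172.16.0.0/12  */
        || (addr & 0xFFFF0000u) == 0xC0A80000u;    /* 192.168.0.0/16 */
}

/* Returns 1 for private, 0 for publicly routable, -1 for unparsable text. */
int classify(const char *text)
{
    uint32_t addr;
    if (!parse_ipv4(text, &addr))
        return -1;
    return is_rfc1918(addr) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample of source addresses, not real log data. */
    const char *samples[] = {
        "10.8.1.100", "172.16.1.100", "192.168.1.100", "12.8.1.100",
        "172.32.0.1", "10.255.255.255", "not-an-address"
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = classify(samples[i]);
        printf("%-16s %s\n", samples[i],
               r == 1 ? "private (RFC 1918)" :
               r == 0 ? "routable: could originate outside the local network" :
                        "invalid");
    }
    return 0;
}
```

Run over a column of source addresses from a log, only the entries reported as routable can have arrived from the Internet; the private ones must have come from inside the perimeter (or through a NAT boundary), which is the distinction the answer relies on.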
  239. B. The most likely issue here is that there is a network firewall between the server and the third-party scanning service. This firewall is blocking inbound connections to the web server and preventing the external scan from succeeding. CIFS generally runs on port 445, not port 80 or 443. Those ports are commonly associated with web services. The scanner is not likely misconfigured because it is successfully detecting other ports on the server. Nick should either alter the firewall rules to allow the scan to succeed or, preferably, place a scanner on a network in closer proximity to the web server.
  240. A. Change management processes should always include an emergency change procedure. This procedure should allow applying emergency security patches without working through the standard change process. Thomas has already secured stakeholder approval on an informal basis so he should proceed with the patch and then file a change request after the work is complete. Taking the time to file the change request before completing the work would expose the organization to a critical security flaw during the time required to complete the paperwork.
  241. B. The vulnerability description indicates that this software has reached its end-of-life (EOL) and, therefore, is no longer supported by Microsoft. Mike's best solution is to remove this version of the framework from the affected systems. No patches will be available for future vulnerabilities. There is no indication from this result that the systems require operating system upgrades. Mike should definitely take action because of the critical severity (5 on a 5-point scale) of this vulnerability.
  242. B. Credentialed scans are able to log on to the target system and directly retrieve configuration information, providing the most accurate results of the scans listed. Unauthenticated scans must rely on external indications of configuration settings, which are not as accurate. The network location of the scanner (external vs. internal) will not have a direct impact on the scanner's ability to read configuration information.
  243. C. The best path for Brian to follow would be to leverage the organization's existing trouble ticket system. Administrators likely already use this system on a regular basis, and it can handle reporting and escalation of issues. Brian might want to give administrators access to the scanner and/or have emailed reports sent automatically as well, but those will not provide the tracking that he desires.
  244. A. Vulnerability scanners should be updated as often as possible to allow the scanner to retrieve new vulnerability signatures as soon as they are released. Xiu Ying should choose daily updates.
  245. C. Ben is facing a difficult challenge and should likely perform all of the actions described in this question. However, the best starting point would be to run Windows Update to install operating system patches. Many of the critical vulnerabilities relate to missing Windows patches. The other actions may also resolve critical issues, but they all involve software that a user must run on the server before they can be exploited. This makes them slightly lower priorities than the Windows flaws that may be remotely exploitable with no user action.
  246. A. Tom should consult service level agreements (SLAs) and memorandums of understanding (MOUs). These documents should contain all commitments made to customers related to performance. Disaster recovery plans (DRPs) and business impact assessments (BIAs) should not contain this type of information.
  247. C. Zhang Wei should likely focus his efforts on high-priority vulnerabilities, as vulnerability scanners will report results for almost any system scanned. The time to resolve critical vulnerabilities, the number of open critical vulnerabilities over time, and the number of systems containing critical vulnerabilities are all useful metrics. The total number of reported vulnerabilities is less useful because it does not include any severity information.
  248. A. Although the vulnerability scan report does indicate that this is a low-severity vulnerability, Zhang Wei must take this information in context. The management interface of a virtualization platform should never be exposed to external hosts, and it also should not use unencrypted credentials. In that context, this is a critical vulnerability that could allow an attacker to take control of a large portion of the computing environment. He should work with security and network engineers to block this activity at the firewall as soon as possible. Shutting down the virtualization platform is not a good alternative because it would be extremely disruptive, and the firewall adjustment is equally effective from a security point of view.
  249. B. The server described in this report requires multiple Red Hat Linux and Firefox patches to correct serious security issues. One of those Red Hat updates also affects the MySQL database service. Although there are Oracle patches listed on this report, they relate to Oracle Java, not an Oracle database.
  250. D. The Technical Report will contain detailed information on a specific host and is designed for an engineer seeking to remediate the system. The PCI Technical Report would focus on credit card compliance issues, and there is no indication that this server is used for credit card processing. The Qualys Top 20 Report and Executive Report would contain summary information more appropriate for a management audience and cover an entire network, rather than provide detailed information on a single system.
  251. D. The use of FTP is not considered a good security practice. Unless tunneled through a secure protocol, FTP is unencrypted, allowing an attacker to eavesdrop on communications and steal credentials that may be transmitted over FTP links. Additionally, this vulnerability indicates that an attacker can gain access to the server without even providing valid credentials.
  252. B. The scan report shows two issues related to server accounts: a weak password policy for the Administrator account and an active Guest account. Tom should remediate these issues to protect against the insider threat. The server also has an issue with weak encryption, but this is a lower priority given that the machine is located on an internal network.
  253. B. Although all the solutions listed may remediate some of the vulnerabilities discovered by Dave's scan, the vast majority of issues in an unmaintained network result from missing security updates. Applying patches will likely resolve quite a few vulnerabilities, if not the majority of them.
  254. C. Kai should deploy the patch in a sandbox environment and then thoroughly test it prior to releasing it in production. This reduces the risk that the patch will not work well in her environment. Simply asking the vendor or waiting 60 days may identify some issues, but it does not sufficiently reduce the risk because the patch will not have been tested in her company's environment.
  255. B. Service level agreements (SLAs) specify the technical parameters of a vendor relationship and should include coverage of service availability as well as remedies for failure to meet the agreed-on targets. Memorandums of understanding (MOUs) are less formal documents that outline the relationship between two organizations. Business partnership agreements (BPAs) typically cover business, rather than technical, issues and would not normally include availability commitments. Business impact assessments (BIAs) are risk assessments and are not legal agreements.
  256. D. Although all these vulnerabilities do pose a confidentiality risk, the SQL injection vulnerability poses the greatest threat because it may allow an attacker to retrieve the contents of a backend database. The HTTP TRACK/TRACE methods and PHP information disclosure vulnerabilities may provide reconnaissance information but would not directly disclose sensitive information. SSL v3 is no longer considered secure but is much more difficult to exploit for information theft than a SQL injection issue.
  257. C. Bring your own device (BYOD) strategies allow users to operate personally owned devices on corporate networks. These devices are more likely to contain vulnerabilities than those managed under a mobile device management (MDM) system or a corporate-owned, personally enabled (COPE) strategy. Transport Layer Security (TLS) is a network encryption protocol, not a mobile device strategy.
  258. A. This is a critical vulnerability that should be addressed immediately. In this case, Sophia should decommission the server and replace it with a server running a current operating system. Microsoft no longer supports Windows Server.
  259. B. Ling or the domain administrator could remove the software from the system, but this would not allow continued use of the browser. The network administrator could theoretically block all external web browsing, but this is not a practical solution. The browser developer is the only one in a good situation to correct an overflow error because it is a flaw in the code of the web browser.
  260. C. Jeff should begin by looking at the highest-severity vulnerabilities and then identify whether they are confidentiality risks. The highest-severity vulnerability on this report is the Rational ClearCase Portscan Denial of Service vulnerability. However, a denial-of-service vulnerability affects availability, rather than confidentiality. The next highest-severity report is the Oracle Database TNS Listener Poison Attack vulnerability. A poisoning vulnerability may cause hosts to connect to an illegitimate server and could result in the disclosure of sensitive information. Therefore, Jeff should address this issue first.
  261. B. Although all these concerns are valid, the most significant problem is that Eric does not have permission from the potential client to perform the scan and may wind up angering the client (at best) or violating the law (at worst).
  262. B. The firewall rules would provide Renee with information about whether the service is accessible from external networks. Server logs would contain information on actual access but would not definitively state whether the server is unreachable from external addresses. Intrusion detection systems may detect an attack in progress but are not capable of blocking traffic and would not be relevant to Renee's analysis. Data loss prevention systems protect against confidentiality breaches and would not be helpful against an availability attack.
  263. D. Mary should consult the organization's asset inventory. If properly constructed and maintained, this inventory should contain information about asset criticality. The CEO may know some of this information, but it is unlikely that they would have all the necessary information or the time to review it. System names and IP addresses may contain some hints to asset criticality but would not be as good a source as an asset inventory that clearly identifies criticality.
  264. A. The vulnerability description indicates that this is a vulnerability that exists in versions of Nessus earlier than 6.6. Upgrading to a more recent version of Nessus would correct the issue.
  265. C. Passive network monitoring meets Kamea's requirements to minimize network bandwidth consumption while not requiring the installation of an agent. Kamea cannot use agent-based scanning because it requires application installation. She should not use server-based scanning because it consumes bandwidth. Port scanning does not provide vulnerability reports.
  266. D. Of the answers presented, the maximum number of simultaneous hosts per scan is most likely to have an impact on the total bandwidth consumed by the scan. Enabling safe checks and stopping the scanning of unresponsive hosts are likely to resolve issues where a single host is negatively affected by the scan. Randomizing IP addresses would only change the order of scanning systems.
  267. C. The issue raised by this vulnerability is the possibility of eavesdropping on administrative connections to the database server. Requiring the use of a VPN would add strong encryption to this connection and negate the effect of the vulnerability. A patch is not an option because this is a zero-day vulnerability, meaning that a patch is not yet available. Disabling administrative access to the database server would be unnecessarily disruptive to the business. The web server's encryption level is irrelevant to the issue as it would affect connections to the web server, not the database server.
  268. A. In a remote code execution attack, the attacker manages to upload arbitrary code to a server and run it. These attacks often result from the failure of an application or operating system component to perform input validation.
  269. C. Of the documents listed, only corporate policy is binding on Raul, and he should ensure that his new system's configuration complies with those requirements. The other sources may provide valuable information to inform Raul's work, but compliance with them is not mandatory.
  270. A. The server with IP address 10.0.102.58 is the only server among the possible answers that has a level 5 vulnerability. Level 5 vulnerabilities have the highest severity and should be prioritized. The server at 10.0.16.58 has the most overall vulnerabilities but does not have any level 5 vulnerabilities. The servers at 10.0.46.116 and 10.0.69.232 have only level 3 vulnerabilities, which are less severe than level 5 vulnerabilities.
  271. A. Enabling credentialed scanning would increase the likelihood of detecting vulnerabilities that require local access to a server. Credentialed scans can read deep configuration settings that might not be available with an uncredentialed scan of a properly secured system. Updating the vulnerability feed manually may add a signature for this particular vulnerability but would not help with future vulnerabilities. Instead, Abella should configure automatic feed updates. Increasing the scanning frequency may increase the speed of detection but would not impact the scanner's ability to detect the vulnerability. The organization's risk appetite affects what vulnerabilities they choose to accept but would not change the ability of the scanner to detect a vulnerability.
  272. A. Applying patches to the server will not correct SQL injection or cross-site scripting flaws, since these reside within the web applications themselves. Kylie could correct the root cause by recoding the web applications to use input validation, but this is the more difficult path. A web application firewall would provide immediate protection with lower effort.
  273. A. There is no reasonable justification for Pietro reviewing the reports prior to providing them to the administrators responsible for the systems. In the interests of transparency and efficiency, he should configure the scans to run automatically and send automated notifications to administrators as soon as they are generated. This allows immediate remediation. There is nothing preventing Pietro from performing a review of the scan results, but he should not filter them before providing them to the responsible engineers.
  274. C. This error indicates that the vulnerability scanner was unable to verify the signature on the digital certificate used by the web server. If the organization is using a self-signed digital certificate for this internal application, this would be an expected result.
  275. C. Cross-site scripting and cross-site request forgery vulnerabilities are normally easy to detect with vulnerability scans because the scanner can obtain visual confirmation of a successful attack. Unpatched web servers are often identified by using publicly accessible banner information. Although scanners can often detect many types of SQL injection vulnerabilities, it is often difficult to confirm blind SQL injection vulnerabilities because they do not return results to the attacker but rely on the silent (blind) execution of code.
  276. B. Analyzing and reporting findings to management is one of the core tasks of a continuous monitoring program. Another core task is responding to findings by mitigating, accepting, transferring, or avoiding risks. Continuous monitoring programs are not tasked with performing forensic investigations, as this is an incident response process.
  277. A. The phpinfo file is a testing file often used by web developers during the initial configuration of a server. Although any of the solutions provided here may remediate this vulnerability, the most common course of action is to simply remove this file before the server is moved into production or made publicly accessible.
  278. D. The Unknown Device Report will focus on systems detected during the scan that are not registered with the organization's asset management system. The High Severity Report will provide a summary of critical security issues across all systems. The Technical Report will likely contain too much detail and may not call out unknown systems. The Patch Report will indicate systems and applications that are missing patches but not necessarily identify unknown devices.
  279. B. Continuous monitoring uses agents installed on monitored systems to immediately report configuration changes to the vulnerability scanner. Scheduled scans would not detect a change until the next time they run. Automated remediation would correct security issues rather than report configuration changes. Automatic updates would ensure that scans use the most current vulnerability information.
  280. D. The manager has thought about the risk and, in consultation with others, determined that it is acceptable. Therefore, Mark should not press the matter and demand remediation, either now or in six months. He should mark this vulnerability as an approved exception in the scanner to avoid future alerts. It would not be appropriate to mark this as a false positive because the vulnerability detection was accurate.
  281. C. Jacquelyn should update the vulnerability feed to obtain the most recent signatures from the vendor. She does not need to add the web servers to the scan because they are already appearing in the scan report. Rebooting the scanner would not necessarily update the feed. If she waits until tomorrow, the scanner may be configured to automatically update the feed, but this is not guaranteed and is not as efficient as simply updating the feed now.
  282. A. FISMA does specify many requirements for agencies that conduct vulnerability scans, but it does not contain any specific requirements regarding the frequency of the scans. It merely states that agencies must conduct scans of information systems and hosted applications when new vulnerabilities potentially affecting the system/application are identified and reported.
  283. C. It would be difficult for Sharon to use agent-based or credentialed scanning in an unmanaged environment because she would have to obtain account credentials for each scanned system. Of the remaining two technologies, server-based scanning is more effective at detecting configuration issues than passive network monitoring.
  284. D. To be used in a secure manner, certificates must take advantage of a hash function that is not prone to collisions. The MD2, MD4, MD5, and SHA-1 algorithms all have demonstrated weaknesses and would trigger a vulnerability. The SHA-256 algorithm is still considered secure.
  285. B. This vulnerability should not prevent users from accessing the site, but it will cause their browsers to display a warning that the site is not secure.
  286. B. This error is a vulnerability in the certificate itself and may be corrected only by requesting a new certificate from the certificate authority (CA) that uses a secure hash algorithm in the certificate signature.
  287. A. Secure shell (SSH) traffic flows over TCP port 22. Port 636 is used by the Lightweight Directory Access Protocol (LDAP). Port 1433 is used by Microsoft SQL Server. Port 1521 is used by Oracle databases.
  288. C. This error occurs when the server name on a certificate does not match the name of the server in question. It is possible that this certificate was created for another device or that the device name is slightly different than that on the certificate. Joaquin should resolve this error by replacing the certificate with one containing the correct server name.
  289. B. Lori should absolutely not try to run scans without the knowledge of other IT staff. She should inform her team of her plans and obtain permission for any scans that she runs. She should limit scans of production systems to safe plug-ins while she is learning. She should also limit the bandwidth consumed by her scans and the time of her scans to avoid impacts on production environments.
  290. D. Credentialed scans are also known as authenticated scans and rely on having credentials to log on to target hosts and read their configuration settings. Meredith should choose this option.
  291. A. Norman's manager is deciding to use the organization's risk appetite (or risk tolerance) to make this decision. He is stating that the organization will tolerate medium severity risks but will not accept critical or high-severity risks. This is not a case of a false positive or false negative error, since they are not discussing a specific vulnerability. The decision is not based on data classification because the criticality or sensitivity of information was not discussed.
  292. D. Birthday attacks occur when an attacker is able to discover multiple inputs that generate the same output. This is an event known as a collision.
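To make the collision idea in answers 284, 286 and 292 concrete, here is an added example (not from the book) that runs a birthday search against a SHA-256 digest deliberately truncated to 20 bits. The truncation is the constructed "weak hash"; SHA-256 itself is not being broken, the point is only that a small output space makes two inputs with the same output cheap to find, which is why certificates must not be signed with collision-prone hash functions.

```python
import hashlib
import math
from typing import Dict, Tuple

# Constructed toy parameter: a 20-bit digest keeps the search instant.
# Real SHA-256 is 256 bits; shrinking the output space is what makes this feasible.
TRUNC_BITS = 20


def short_digest(data: bytes, bits: int = TRUNC_BITS) -> int:
    """Return the top `bits` bits of SHA-256(data) as an integer.

    This models a hash with a small output space (assumption for the demo);
    the weakness shown is the truncation, not SHA-256.
    """
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def expected_attempts(bits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2**bits) random inputs before a repeat."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits: int = TRUNC_BITS,
                   prefix: bytes = b"msg-") -> Tuple[bytes, bytes, int, int]:
    """Birthday search: remember every digest seen until one repeats.

    Returns (input_a, input_b, shared_digest, attempts). Inputs are distinct
    counter-based strings, so any repeated digest is a genuine collision.
    By the pigeonhole principle the loop terminates within 2**bits + 1 attempts;
    the birthday bound predicts far fewer (~1283 for 20 bits).
    """
    seen: Dict[int, bytes] = {}
    attempts = 0
    while True:
        candidate = prefix + str(attempts).encode()
        attempts += 1
        d = short_digest(candidate, bits)
        if d in seen:
            return seen[d], candidate, d, attempts
        seen[d] = candidate


if __name__ == "__main__":
    a, b, d, n = find_collision()
    print(f"collision after {n} attempts (birthday estimate {expected_attempts(TRUNC_BITS):.0f})")
    print(f"{a!r} and {b!r} both truncate to {d:#x}")
```

A certificate signature covers the hash of the certificate, so if an attacker can build two certificates sharing a digest, one signature validates both; that is the practical reason scanners flag MD2, MD4, MD5 and SHA-1 signatures.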
  293. A. The security and web development communities both consider Adobe Flash an outdated and insecure technology. The best solution would be for Meredith to remove this software from systems in her organization. Applying the security patches would be a temporary solution, but it is likely that new vulnerabilities will arise soon requiring more patches. Blocking inbound access to the workstations would not be effective because Flash vulnerabilities are typically exploited after a client requests a malicious file. An intrusion detection system may alert administrators to malicious activity but does not perform blocking.
  294. D. The scenario does not indicate that Nabil has any operational or managerial control over the device or the administrator, so his next step should be to escalate the issue to an appropriate manager for resolution. Nabil should not threaten the engineer because there is no indication that he has the authority to do so. Nabil cannot correct the vulnerability himself because he should not have administrative access to network devices as a vulnerability manager. He should not mark the vulnerability as an exception because there is no indication that it was accepted through a formal exception process.
  295. A. In a well-managed test environment, the test systems should be configured in a near-identical manner to production systems. They should be running the same operating systems and require the same patches. However, in almost every organization, there are systems running in production that do not have mirror deployments in test environments because of cost, legacy system issues, and other reasons.
  296. D. The vulnerability scan of this server has fairly clean results. All of the vulnerabilities listed are severity 3 or lower. In most organizations, immediate remediation is required only for severity 4 or 5 vulnerabilities.
  297. A. Maria should contact the vendor to determine whether a patch is available for the appliance. She should not attempt to modify the appliance herself, as this may cause operational issues. Maria has no evidence to indicate that this is a false positive report, and there is no reason to wait 30 days to see whether the problem resolves itself.
  298. C. Credit card information is subject to the Payment Card Industry Data Security Standard (PCI DSS), which contains specific provisions that dictate the frequency of vulnerability scanning. Although the other data types mentioned in the question are regulated, none of those regulations contains specific provisions that identify a required vulnerability scanning frequency.
  299. C. Chang could resolve this issue by adding additional scanners to balance the load, reducing the frequency of scans or reducing the scope (number of systems) of the scan. Changing the sensitivity level would not likely have a significant impact on the scan time.
  300. C. This is a critical vulnerability in a public-facing service and should be patched urgently. However, it is reasonable to schedule an emergency maintenance for the evening and inform customers of the outage several hours in advance. Therefore, Trevor should immediately begin monitoring affected systems for signs of compromise and work with the team to schedule maintenance for as soon as possible.
  301. D. The best practice for securing virtualization platforms is to expose the management interface only to a dedicated management network, accessible only to authorized engineers. This greatly reduces the likelihood of an attack against the virtualization platform.
  302. B. If possible, Bhanu should schedule the scans during periods of low activity to reduce the impact they have on business operations. The other approaches all have a higher risk of causing a disruption.
  303. C. By conducting awareness training, Kevin is seeking to educate insiders about the risks posed by phishing attacks. Specifically, he is seeking to prevent an insider from unintentionally posing a risk to the organization by falling victim to a phishing attack.
  304. A. This report is best classified as a true positive report because the vulnerability did exist on the system, even though it was later remediated. A true negative report occurs when a vulnerability scanner correctly reports that a vulnerability does not exist. A false positive report occurs when a scanner incorrectly reports that a vulnerability exists, while a false negative report occurs when a scanner incorrectly reports that no vulnerability exists.
  305. D. Gwen and her manager are choosing to take no further action and, therefore, are choosing to accept the remaining risk.
  306. C. Thomas can deploy a web application firewall to block attempts to exploit the vulnerability. Applying a patch or updating the source code may also resolve the issue, but Thomas cannot do this himself because he does not have access to the source code. Dynamic testing identifies vulnerabilities but does not correct them.
  307. A. Aircrack-ng is a wireless network assessment tool and it is designed to detect wireless security issues, such as the use of insecure wireless encryption keys.
  308. C. Walt finds himself in a very common situation, with business leaders worried about the impact of vulnerability remediation on their activities. The business leaders are concerned about business process interruption and degrading functionality. This could be best resolved with a robust organizational governance process. The system in question is newly deployed, so it is not an example of a legacy system.

Answers to Chapter 2: Domain 2.0: Software and Systems Security

  1. B. A honeypot is used by security researchers and practitioners to gather information about techniques and tools used by attackers. A honeypot will not prevent attackers from targeting other systems, and unlike a tarpit, it is not designed to slow down attackers. Typically, honeypot data must be analyzed to provide useful information that can be used to build IDS and IPS rules.
  2. C. Tarpits are a form of active defense that decoy or bait attackers. Passive defenses include cryptography, security architecture, and similar options. Sticky defenses and reaction-based defenses were made up for this question.
  3. C. Trusted foundries are part of the Department of Defense's program that ensures that hardware components are trustworthy and have not been compromised by malicious actors. A trusted platform module (TPM) is a hardware security module, OEMs are original equipment manufacturers but may not necessarily have used trusted hardware sources, and gray-market providers sell hardware outside of their normal or contractually allowed areas.
  4. A. Susan's best option is to use an automated testing sandbox that analyzes the applications for malicious or questionable behavior. Although this may not catch every instance of malicious software, the only other viable option is decompiling the applications and analyzing the code, which would be incredibly time consuming. Since she doesn't have the source code, Fagan inspection won't work (and would take a long time too), and running a honeypot is used to understand hacker techniques, not to directly analyze application code.
  5. C. Manesh knows that the file she downloaded and computed a checksum for does not match the MD5 checksum that was calculated by the providers of the software. She does not know if the file has been corrupted or if attackers have modified the file, but she may want to contact the providers of the software to let them know about the issue—and she definitely shouldn't execute or trust the file!
  6. B. Cloud providers are increasingly making hardware security modules (HSMs) available as part of their offerings. Amazon's CloudHSM, Azure's Dedicated HSM, and Google's Cloud HSM all provide the ability to host, manage, and properly secure encryption keys in their cloud environments.
  7. D. Aziz is using a jump box to provide access. A jump box, sometimes called a jump server or secure administrative host, is a system used to manage devices in a separate, typically higher, security zone. This prevents administrators from using a less secure administrative workstation in the high-security zone.
  8. D. bcrypt is a strong password-hashing algorithm that includes salts for the stored values. If Charles uses bcrypt, he will have made the best choice from the list, since both MD5 and SHA-1 are not as strong, even with a salt. Encrypting the database may seem like a good idea, but storing plain-text passwords means that an exploit that can read the database while it is decrypted will get plain-text passwords.
  9. C. The diagram shows a signed boot log that is delivered to a remote server. This is how remote attestation works—the local system, which includes a TPM module, creates and signs a boot log to be validated by a remote server.
  10. C. A mandatory access control system relies on the operating system to constrain what actions or access a subject can perform on an object. Role-based access control uses roles to determine access to resources, and discretionary access control allows subjects to control access to objects that they own or are responsible for. Level-based access control is a type of role-based access control.
  11. C. Sahib is performing static analysis, which is analysis performed without running code. He can use tools or manually review the code (and in fact, is likely to do both).
  12. B. Since Carol wants to analyze a program as it runs, you know she needs a dynamic code analysis tool. With the added safety requirement, a sandbox is also needed. Static code analysis looks at source code, no mention is made of decompiling or reverse engineering the code, and Fagan inspection is a formal code analysis process.
  13. D. Mike needs to conduct user acceptance testing (UAT) with a broad group of users to validate the functionality and usability of the software.
  14. A. Mike's team should stress test the application by loading it beyond what its maximum expected load is. They should validate that it performs as expected and that their infrastructure can handle the load of broad usage by the company. Stress testing often tests to a multiple of the maximum expected load to ensure that the application will handle unexpected load conditions.
  15. B. Regression testing checks to ensure that old flaws have not been reintroduced. Mike's team needs to regression test their application, particularly because they reintroduced old code that may have flaws.
  16. A. Susan's best option is to submit the file to a tool like VirusTotal that will scan it for virus-like behaviors and known malware tools. Checking the hash using either a manual check or by using the National Software Reference Library can tell her if the file matches a known good version but won't tell her if it includes malware. Running a suspect file is the worst option on the list.
  17. D. Caitlyn is preparing a decomposition diagram that maps the high-level functions to lower-level components. This will allow her to better understand how the malware package works and may help her identify areas she should focus on.
  18. B. The U.S. DoD Trusted Foundry program works to assure the integrity and confidentiality of integrated circuit (IC) design and manufacturing. This helps to ensure that agents of foreign governments are not able to insert flaws or code into the ICs that could be leveraged for intelligence or cyberwarfare activities.
  19. D. Fuzz testing involves sending invalid or random data to an application to test its ability to handle unexpected data. Fault injection directly inserts faults into error handling paths, particularly error handling mechanisms that are rarely used or might otherwise be missed during normal testing. Mutation testing is related to fuzzing and fault injection, but rather than changing the inputs to the program or introducing faults to it, mutation testing makes small modifications to the program itself. Stress testing is a performance test that ensures applications and the systems that support them can stand up to the full production load.
  20. B. The strategy outlined by Nishi is one of network segmentation—placing separate functions on separate networks. She is explicitly not interconnecting the two networks. VPNs and VLANs are also technologies that could assist with the goal of protecting sensitive information, but they use shared hardware and would not necessarily achieve the level of isolation that Nishi requires.
  21. C. Bobbi is adopting a physical, not logical, isolation strategy. In this approach, known as air-gapping, the organization uses a stand-alone system for the sensitive function that is not connected to any other system or network, greatly reducing the risk of compromise. VLAN isolation and network segmentation involve a degree of interconnection that is not present in this scenario.
  22. C. The Agile software development methodology is characterized by multiple sprints, each producing a concrete result. The Waterfall model follows a series of sequential steps, whereas the Spiral model uses multiple passes through four phases. Rapid Application Development (RAD) uses a five-phase approach in an iterative format.
  23. B. Multifactor authentication helps reduce the risk of a captured or stolen password by requiring more than one factor to authenticate. Attackers are less likely to have also stolen a token, code, or biometric factor. A captive portal is used to authenticate users for guest networks or similar purposes. VPNs (virtual private networks) are used to provide a private network connection that can make a local network act like it is part of a remote network. OAuth is an open protocol for secure authorization.
  24. B. Amanda's team should use full-disk encryption or volume encryption and should secure the encryption keys properly. This will ensure that any data that remains cannot be exposed to future users of the virtual infrastructure. Although many cloud providers have implemented technology to ensure that this won't happen, Amanda can avoid any potential issues by ensuring that she has taken proactive action to prevent data exposure. Using a zero wipe is often impossible because virtual environments may move without her team's intervention, data masking will not prevent unmasked data or temporary data stored on the virtual disks from being exposed, and spanning multiple virtual disks will still leave data accessible, albeit possibly in fragmented form.
  25. B. The most practical approach is for Huan to implement two-factor authentication on the account and retain the approval device himself. This allows him to approve each request but does not require modifying or re-creating the account for each use. The approach where the consultant must advise Huan before using the account does not meet the requirement of Huan approving each use.
  26. B. The diagram already shows a firewall in place on both sides of the network connection. Ian should place a VPN at the point marked by ?s to ensure that communications over the Internet are encrypted. IPSs and DLP systems do provide added security controls, but they do not provide encrypted network connections.
  27. A. Host firewalls operate at the individual system level and, therefore, cannot be used to implement network segmentation. Routers and switches may be used for this purpose by either physically separating networks or implementing VLAN tagging. Network firewalls may also be used to segment networks into different zones.
  28. C. The Fagan inspection is a highly formalized, rigorous code review process that involves six phases. Pair programming, over-the-shoulder reviews, and pass-around code reviews are all examples of lightweight, fairly informal code review processes.
  29. B. As stated in the question, Orizon performs a review of Java classes, indicating that it is performing a source code review. Techniques that perform source code review are grouped into the category of static code analyzers. The other testing techniques listed in this question are all examples of dynamic code analysis, where the testing application actually executes the code.
  30. B. Fuzz testing works by dynamically manipulating input to an application in an effort to induce a flaw. This technique is useful for detecting places where an application does not perform proper input validation.
  31. C. A VPN (virtual private network) is an ideal solution when transmitting traffic across untrusted intermediary networks. Kobe could use a TLS or an IPsec VPN depending on the type of remote access and protocols that he needs. If he requires full access via a variety of IP-based protocols, his best bet would be an IPsec VPN. If he needs application-based access via web browsers and similar tools, a TLS VPN can offer the advantage of not needing a client while offering greater session-level filtering and controls. A VPC (virtual private cloud) is a virtual network provided by a cloud computing vendor, an air gap is a means of keeping two systems or networks from communicating by physically separating them, and physical segmentation breaks a network into different sections using distinct hardware and cabling.
  32. B. Security artifacts created during the Design phase include security architecture documentation and data flow diagrams.
  33. B. Disposition is a separate SDLC phase that is designed to ensure that data is properly purged at the end of an application life cycle. Operations and maintenance activities include ongoing vulnerability scans, patching, and regression testing after upgrades.
  34. D. A Trusted Platform Module (TPM) is used to store RSA encryption keys. These keys are then used to authenticate the system and for other purposes that need cryptographically secure authentication of the system.
  35. C. User acceptance testing (UAT) verifies that code meets user requirements and is typically the last phase of application testing before code is released to production.
  36. D. Olivia needs to review the code without running it, which means she needs to perform a static analysis. Static analysis is often performed with an automated tool, but her security analysts may also choose to review the code manually to identify potential details about the threat actors or what the code may have been specifically intended to do.
  37. A. Olivia will conduct dynamic code analysis, which tests the code by running it while providing appropriate test inputs.
  38. C. Fuzz testing involves sending random or invalid data to an application to test its ability to handle the unexpected data. Olivia should identify a fuzzer (a fuzz testing tool) and run it against the application.
  39. D. The $ character does not necessarily represent a security issue. The greater than/less than brackets (<>) are used to enclose HTML tags and require further inspection to determine whether they are part of a cross-site scripting attack. The single quotation mark (') could be used as part of a SQL injection attack.
  40. C. Security through obscurity is not a good practice. You should not rely on the secrecy of the control (e.g., the location of the web interface) as a security measure. Therefore, obscuring web interface locations is not included on the OWASP security controls list.
  41. D. Query parameterization, input validation, and data encoding are all ways to prevent the database from receiving user-supplied input that injects unwanted commands into an SQL query. Logging and intrusion detection are important controls, but they would detect, rather than prevent, a SQL injection attack.
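The following added example (not from the book) shows why answer 41 lists query parameterization as a preventive control and why answer 39 singles out the single quote: the same lookup is written once by string building and once with a bound parameter, against a constructed in-memory SQLite table, with a simple allowlist validator as the second layer. The table contents, the `validate_username` rule and the `triage_input` helper are assumptions made for the demo.

```python
import re
import sqlite3
from typing import List, Set, Tuple

Row = Tuple[str, str]


def make_db() -> sqlite3.Connection:
    """Constructed sample table for the demo; not real account data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Row]:
    """String building: the user's text is spliced into the SQL grammar.

    A single quote in `username` ends the literal early, so the rest of the
    input is parsed as SQL and can change the WHERE clause.
    """
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Row]:
    """Parameterized query: the driver binds the value separately from the
    statement text, so a quote inside it is only ever data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?",
        (username,)).fetchall()


# Assumed allowlist for this application's usernames (input validation layer).
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def validate_username(username: str) -> bool:
    """Allowlist check: reject anything outside the expected character set
    before it reaches the database at all."""
    return USERNAME_RE.fullmatch(username) is not None


def triage_input(value: str) -> Set[str]:
    """Flag the characters answer 39 discusses for further review.

    A single quote suggests possible SQL injection, angle brackets need a
    look for HTML/XSS, and a dollar sign on its own is not flagged.
    """
    flags: Set[str] = set()
    if "'" in value:
        flags.add("sql-quote")
    if "<" in value or ">" in value:
        flags.add("html-tag")
    return flags


if __name__ == "__main__":
    db = make_db()
    # Constructed hostile input: a quote plus an always-true condition.
    hostile = "' OR '1'='1"
    print("string-built  :", lookup_vulnerable(db, hostile))      # every row
    print("parameterized :", lookup_parameterized(db, hostile))   # no rows
    print("allowlist ok? :", validate_username(hostile))          # False
    print("triage flags  :", triage_input(hostile))               # {'sql-quote'}
```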
  42. C. A machine's MAC, or hardware address, will not typically change over time. MAC addresses can also provide useful information like the manufacturer's name, allowing Jill to have a useful guess about what type of device she has discovered during a discovery scan for asset tracking.
  43. B. Asset tagging associates a tag, often with a barcode and/or RFID tag, allowing easy scanning and tracking. Although tagged assets may have a lifespan associated with them from acquisition to disposition, and they should have a documented disposition process, tagging itself is most closely associated with the use of barcodes and RFID tags.
  44. B. The diagram shows a measured boot process in which each boot object sends a hash of the next item to the TPM chip and from there to the boot log.
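Answers 9 and 44 describe two halves of the same mechanism, so here is one added example (not from the book) that simulates both: a measured boot that hashes each stage into a TPM-style PCR and an event log, then a remote verifier that replays the log, checks the quote over the final PCR, and compares each measurement to known-good values. The boot images, the attestation key and the nonce are constructed for the demo, and the quote uses an HMAC as a stand-in for the asymmetric signature a real TPM would produce.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

Measurement = Tuple[str, bytes]   # (boot object name, SHA-256 of its image)
PCR_INIT = bytes(32)              # PCRs start at all zeros after reset


def measure(image: bytes) -> bytes:
    """Hash of a boot object, taken by the stage that loads it."""
    return hashlib.sha256(image).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: PCR' = H(PCR || measurement).

    Extend is one-way and order-sensitive, so a PCR can only be reproduced by
    replaying the exact sequence of measurements; nothing can be removed.
    """
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(chain: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Measurement]]:
    """Each stage measures the next object into the PCR and records it in the log."""
    pcr = PCR_INIT
    log: List[Measurement] = []
    for name, image in chain:
        m = measure(image)
        pcr = pcr_extend(pcr, m)
        log.append((name, m))
    return pcr, log


def tpm_quote(pcr: bytes, nonce: bytes, attest_key: bytes) -> bytes:
    """Signed PCR value. Assumption: HMAC stands in for the TPM's attestation
    key signature; the verifier's nonce prevents replay of an old quote."""
    return hmac.new(attest_key, pcr + nonce, "sha256").digest()


def replay_log(log: List[Measurement]) -> bytes:
    """Verifier side: recompute the PCR that this log claims to produce."""
    pcr = PCR_INIT
    for _, m in log:
        pcr = pcr_extend(pcr, m)
    return pcr


def verify_attestation(log: List[Measurement], quote: bytes, nonce: bytes,
                       attest_key: bytes, golden: Dict[str, bytes]) -> str:
    """Remote attestation check. Returns "ok" or a reason string.

    First the log must reproduce the PCR the TPM signed (catches an edited
    log); then every measurement must match the known-good value for that
    stage (catches a modified boot object).
    """
    expected_quote = tpm_quote(replay_log(log), nonce, attest_key)
    if not hmac.compare_digest(quote, expected_quote):
        return "quote-mismatch"
    for name, m in log:
        if golden.get(name) != m:
            return f"unexpected-measurement:{name}"
    return "ok"


# Constructed boot chain and verifier secrets for the demo.
GOOD_CHAIN = [("firmware", b"fw-v1"), ("bootloader", b"bl-v1"), ("kernel", b"kernel-v1")]
ATTEST_KEY = b"constructed-attestation-key"
NONCE = b"verifier-nonce-0001"
GOLDEN = {name: measure(image) for name, image in GOOD_CHAIN}


def demo() -> Dict[str, str]:
    """Run three attestations: clean boot, tampered bootloader, tampered
    bootloader with a log edited to look clean."""
    results: Dict[str, str] = {}

    pcr, log = measured_boot(GOOD_CHAIN)
    results["clean"] = verify_attestation(
        log, tpm_quote(pcr, NONCE, ATTEST_KEY), NONCE, ATTEST_KEY, GOLDEN)

    bad_chain = [("firmware", b"fw-v1"), ("bootloader", b"bl-evil"), ("kernel", b"kernel-v1")]
    pcr, log = measured_boot(bad_chain)
    quote = tpm_quote(pcr, NONCE, ATTEST_KEY)
    results["tampered"] = verify_attestation(log, quote, NONCE, ATTEST_KEY, GOLDEN)

    # Rewriting the log cannot help: the PCR the TPM signed no longer matches it.
    forged_log = [(name, GOLDEN[name]) for name, _ in log]
    results["forged-log"] = verify_attestation(forged_log, quote, NONCE, ATTEST_KEY, GOLDEN)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:11s} -> {outcome}")
```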
  45. B. Ian knows that deploying multiple access points in the same space to deploy a physically segmented wireless network would significantly increase both the costs of deployment and the complexity of the network due to access points causing conflicts. His best choice is to logically segment his networks using one set of access points. SSID and WPA segmentation are both made-up terms for this question.
  46. C. Barbara should be most concerned about compromise of the underlying VMware host as a threat model for her virtual segmentation. VLAN hopping (typically done via 802.1q trunking attacks) requires trunking to be turned on, which is unlikely in a virtualized environment like this. Border Gateway Protocol (BGP) route spoofing occurs at the router level, and is once again unlikely to be a threat in a VMware environment.

    You may not always know all the technologies in a question like this, so when you prepare for the exam you should consider what you do know when you run into this type of question. Here, you might note that relying on the underlying host for virtualization means that a compromise of the system would allow attackers to overcome the segmentation that is acting to protect them.

  47. C. Relying on hashing means that Charles will only be able to identify the specific versions of malware packages that have already been identified. This is a consistent problem with signature-based detections, and malware packages commonly implement polymorphic capabilities that mean that two instances of the same package will not have identical hashes due to changes meant to avoid signature based detection systems.
  48. A. An air gap, or complete physical isolation, provides the strongest control available on the list provided. To traverse an air gap, one of Noriko's staff would need to physically copy files via a removable drive, or would need to plug a device into the air-gapped network.
  49. C. Routers are devices that are specifically designed to forward network traffic between two or more networks. Firewalls are used to apply rules to traffic that passes through them, whereas IPSs scan and monitor traffic at a deeper level and then apply rules based on the content and behaviors that they see. Switches are used at the edges of networks to connect devices to the network.
  50. C. Using a multifactor solution will significantly decrease the likelihood of a successful phishing attack resulting in an attacker having both factors for any given user. Although deploying multifactor can be complex, it is the most impactful of the options listed. Both password lifespan and length modifications will not change what happens when users accidentally disclose their current password as part of a phishing attack, and a PIN can also be disclosed.
  51. B. The most common factors for multifactor systems today are knowledge factors (like a password) and possession factors, which can include a token, authenticator application, or a smartcard.
  52. C. Angela could roll out a context-based authentication system that has login restrictions based on the staff members' working hours. This can help prevent abuse and limit what an attacker can do after hours as well.
  53. A. NIST has pointed out that SMS is a relatively insecure way of delivering codes as part of a multifactor authentication system. The two most common attacks against SMS message delivery are VoIP hacks, where SMS messages may be delivered to a VoIP system, which can be accessed by an attacker, and SIM swapping attacks, where a SIM card is cloned and SMS messages are also delivered to an attacker.
  54. C. FIPS 140 is a U.S. government standard for information processing, and FIPS 140-2 is used to approve cryptographic modules. PCI DSS is a credit card security standard set by credit card companies, and both HSM-2015 and CA-Check were made up for this question.
  55. B. OpenFlow is used to allow software-defined network (SDN) controllers to push changes to switches and routers, allowing flow control, network traffic partitioning, and testing of applications and configurations.
  56. B. Mandatory access control, or MAC, relies on the operating system to enforce constraints on the ability of subjects to access objects. Unlike discretionary access control (DAC) models, where users can choose to grant access to objects, MAC requires a security policy administrator. RBAC (role-based access control) defines controls by role, and ABAC (attribute-based access control) uses attributes to determine who gets specific rights.
  57. B. A virtual private cloud environment (VPC) describes a pool of resources that are isolated using a variety of technologies, typically including use of private IP addresses and a VLAN or other network isolation technology. VPCs provide what is essentially a private segment of public cloud resources.
  58. C. Rick's team has set up a honeynet—a group of systems set up to attract attackers while capturing the traffic they send and the tools and techniques they use. A honeypot is a single system set up in a similar way, whereas a tarpit is a system set up to slow down attackers. A blackhole is often used on a network as a destination for traffic that will be silently discarded.
  59. A. Scaling a serverless system is a useful way to handle additional traffic but will not prevent denial-of-service (DoS) attacks from driving additional cost. In fact, horizontal scaling will add additional costs as it scales. API keys can be used to prevent unauthorized use of the serverless application, and keys can be deprovisioned if they are abused. Capping API invocations and using timeouts can help limit the maximum number of uses and how much they are used, both of which can help prevent additional costs.
  60. D. Change management helps to ensure that only approved changes are made, that they are properly documented, and that they occur when they are supposed to.
  61. B. Virtualization allows you to run multiple operating systems on the same underlying hardware, whereas containerization lets you deploy multiple applications on the same operating system on a single system. Containerization can allow direct hardware access, whereas virtualization typically does not. Virtualization is not necessary for containerization, although it is often used, but containerization can get performance improvements from bare metal installations. Finally, there is a key difference, as noted in option B.
  62. D. The Waterfall model follows a series of sequential steps, as shown in the diagram. The Agile software development methodology is characterized by multiple sprints, each producing a concrete result. The Spiral model uses multiple passes through four phases, resulting in a spiral-like diagram. Rapid Application Development (RAD) uses a five-phase approach in an iterative format.
  63. A. Virtual desktop infrastructure (VDI) environments store data on the server rather than on the local device, making them an attractive alternative when theft of data from local systems is a concern.
  64. B. Workloads in a secure containerization environment should be distributed in a way that allows hosts to only run containers of a specific security level. Since Brandon has three different security levels in his environment, he should use separate hosts that can be configured to secure the data appropriately while also limiting the impact if a container is breached.
  65. B. Privileged accounts typically include local and domain administrators, SA and other accounts that manage databases, root accounts, and other administrative accounts on Linux and Unix systems, service accounts, and similar accounts on network and other devices.
  66. A. If Ned implements multifactor authentication for his environment, he can use security tokens or other one-time password (OTP) options to ensure that attackers will not be able to use stolen credentials successfully even if passwords are exposed. Password complexity rules won't help with a keylogger, and expiring passwords with lifespan rules can limit how long the attacker can use them, but even with very short lifespans the attacker may still have them available for some time. Finally, preventing USB devices from being plugged in can help, but software keyloggers won't be caught or prevented by this solution.
  67. B. All of these are examples of single sign-on (SSO) implementations. They allow a user to use a single set of credentials to log in to multiple different services and applications. When federated, SSO can also allow a single account to work across a variety of services from multiple organizations.
  68. D. SAML, OpenID, and OAuth are all common protocols used for federation. Kerberos is a network authentication protocol largely used inside organizations.
  69. B. A jump host, or jump box, allows for easier logging of administrative access and can serve as an additional layer of protection between administrative workstations and the protected network. In this case, Mei's needs are best served by a jump host. Bastion hosts are fully exposed to attacks. Administrative virtual machines can be useful but don't make central auditing quite as easy and may allow a compromised virtual machine host to be a problem. Finally, direct SSH or RDP require auditing of all administrative workstations and could allow a compromised workstation to cause issues by allowing it to directly connect to the secure network.
  70. A. Greg's job is as a system administrator, and thus this is role-based access control (RBAC). If the question had specified that the rights were granted based on his title, instead of his job, it could be an attribute-based access control system (ABAC). Mandatory access controls (MACs) are enforced by the operating system, whereas discretionary access controls (DACs) are delegated to users.
  71. A. Manual review techniques are useful when automation is difficult or where human knowledge is required. Wherever possible, automated assessment and management techniques should be used to ensure that reviews happen more frequently and issues are detected more consistently.
  72. B. A cloud access security broker (CASB) can perform actions like monitoring activity, managing cloud security policies for SaaS services, enforcing security policies, logging, alerting, and in-line policy enforcement when deployed with agents on endpoint devices or as a proxy.
  73. C. If Lucca changes the settings to archive the log when full, the system will create a new log file each time the file fills up. Unless he runs out of drive space, Lucca will have files for as long as he wants to capture them—but he will need to manually clear the log files every so often.
  74. A. TLS (Transport Layer Security) is used to secure web and other types of traffic. Many people still call TLS SSL out of habit, but TLS is actually a different protocol and has replaced SSL (Secure Sockets Layer). IPsec is an encryption protocol used for VPNs and other point-to-point connections between networks. PPTP (Point-to-Point Tunneling Protocol) has a number of security issues.
  75. A. TLS can still work with an expired certificate; however, web browsers will report that the certificate is expired. Expired certificates are not revoked—in fact, revocation is a separate process, and certificates are checked against a certificate revocation protocol to ensure that they are valid. Although browsers may report an expired certificate and may make it harder to access the site, the website itself will remain accessible.
  76. A. Active defenses are aimed at slowing down attackers while using their resources. The rest of the terms listed here were made up for this question. Active defenses are sometimes referred to as “deception technology.”
  77. B. Using proven versions of well-known and documented cryptographic algorithms like AES-256 means that developers can follow secure, well-documented development and utilization practices when developing mobile applications. Using basic cryptographic techniques would limit the ability of developers to select an appropriate algorithm. In-house-developed cryptographic algorithms are unlikely to have received the testing and evaluation necessary to be fully secure. Finally, limiting cryptographic techniques to only open source implementations would remove useful libraries and implementations that are part of commercial toolkits.
  78. C. A WAF (web application firewall) can often be used to address the specific SQL injection attack. Claire can either write a rule based on the SQL injection attack or use a broader SQL injection prevention ruleset. An IDS would only detect the attack and would not stop it, whereas DLP (data loss prevention) tools might help if data was being stolen but won't stop SQL injection. Some firewalls may have WAF functionality built in, but here the best option is the dedicated web application firewall.

    Donna has been assigned as the security lead for a DevSecOps team building a new web application. As part of the effort, she has to oversee the security practices that the team will use to protect the application. Use your knowledge of secure coding practices to help Donna guide her team through this process in the next three questions.

  79. B. Using Unicode encoding to avoid blacklists is a common technique. OWASP recommends you avoid attempting to detect potentially dangerous characters and patterns of characters with a blacklist.
  80. B. A web proxy is a commonly used tool for web application attacks and allows data to be changed after client-side validation. In general, client-side validation is not a secure technique because of this.
  81. A. Cross-site scripting is the primary threat that is created by not using secure output encoding. Allowing users to enter arbitrary input and then displaying it to other users can result in a cross-site scripting attack. SQL injection is most common as a direct attack, whereas cross-site request forgery normally relies on users clicking a malicious link.
  82. D. Attribute-based access controls use attributes like the user's title, organizational IT, demographic information, or other details like environmental attributes or resource attributes to grant access. ABAC can be far more granular than role-based access control (RBAC), but it can also be much more complex to set up and maintain. Mandatory access controls (MACs) are enforced by the operating system, whereas discretionary access controls (DACs) are delegated to users.
  83. C. Although all of these attacks are potential threats to an SOC, the most likely form of attack against network-connected IoT devices is through their network connections, aimed at the operating system and applications or other software that the devices run.
  84. B. The BIOS, or basic input/output system, of a PC is a type of firmware. In Dell's implementation of this technology, a SHA-256 hash of the new firmware is compared to a known good hash on Dell's servers. If an issue is detected, administrators are notified so that they can take appropriate action.
  85. A. DevSecOps makes security a shared responsibility throughout the development and operations life cycle, and automating some security gates is a common practice to make this happen without causing slowdowns. This means that practitioners must consider both application and infrastructure security constantly from the beginning of the workflow to deployment and support. Implementing zero-day vulnerabilities would be a terrible idea, and having security practitioners exert more control rather than collaboratively making flows work more effectively and removing security features from the integrated development environment aren't great ideas either.
  86. B. OWASP recommends all of these except uploading every file that is submitted to a third-party AV tool. Checking them using a locally hosted tool is a common solution, but you probably don't want to expose every file you receive to a third party, no matter how trusted they may be.
  87. C. Output encoding translates special characters to an equivalent that will not be interpreted as part of a script or other significant character by a user's browser (or other endpoint application). An HIDS would only alarm on potential attacks, rather than stop them; a firewall will not parse the data; and string randomization was made up for this question—but if it did exist, randomized data wouldn't be useful in most applications when displaying input to a user.
  88. C. OWASP recommends a large session ID value to avoid brute-force attacks. 2^128 is 340,282,366,920,938,463,463,374,607,431,768,211,456, a number that is far larger than you would need to avoid duplication of numbers, even for very large groups of users across the entire world. If you encounter a question like this and don't know the answer, you can apply logic. In this case, the number is so large that it doesn't make sense to use it for simply duplication avoidance, and any reasonable number of users—including the entire population of the world—would require fewer bits.
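The reasoning in answer 88 separates two questions that are easy to confuse: how many bits avoid accidental duplication across a population of users (a birthday-bound question) and how many bits defeat guessing (a brute-force question). The following Python is an added illustration, not from the book; the population size, probability threshold, and session counts it uses are constructed sample values.

```python
"""Session ID sizing: collision avoidance vs. brute-force resistance.

Added example (not from the book). The birthday approximation used here is
P(collision) ~= n^2 / (2 * 2^bits) for n random IDs in a 2^bits space.
"""
import math
import secrets


def bits_to_avoid_collision(users: int, max_probability: float) -> int:
    """Smallest ID length in bits such that the chance that any two of `users`
    randomly generated IDs collide is at most `max_probability`."""
    if users < 2:
        return 0
    required_space = users * users / (2 * max_probability)
    return math.ceil(math.log2(required_space))


def expected_guesses_to_hit_one_session(bits: int, live_sessions: int) -> float:
    """Expected number of uniformly random guesses before an attacker lands on
    any one of `live_sessions` currently valid IDs drawn from a 2^bits space.
    This is the quantity OWASP's 128-bit recommendation is really about."""
    return (2 ** bits) / live_sessions


def new_session_id() -> str:
    """Generate a session identifier with 128 bits of entropy from the OS CSPRNG.
    16 random bytes -> 22 URL-safe characters (padding stripped)."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    # Constructed scenario: the whole world (~8 billion users), one-in-a-billion
    # tolerated collision probability. Far fewer than 128 bits are needed.
    print("bits for duplication avoidance:",
          bits_to_avoid_collision(8_000_000_000, 1e-9))
    # Brute force: with a million live sessions and 128-bit IDs an attacker
    # still needs on the order of 10^32 guesses to hit one of them.
    print("expected guesses:",
          expected_guesses_to_hit_one_session(128, 1_000_000))
    print("example ID:", new_session_id())
```

The duplication-avoidance figure comes out well under 128 bits even for the entire world population, which is exactly the logic the answer suggests applying when the numbers look too large.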
  89. B. The answer that provides the least specific information to potential attackers is the best answer here: login failed; invalid user ID or password does not tell an attacker which option they have wrong or provide hints about which accounts may or may not exist.
  90. B. TLS (Transport Layer Security) is the security protocol used to protect modern web traffic in transit. SSL was the precursor to TLS, whereas VPN technology is used in specific point-to-point scenarios when connecting to remote services or networks. IPsec is a secure network protocol suite, but it is not the most common option in use for web traffic.
  91. B. This code is an example of one way to parameterize queries. Here, the var1 and var2 variables are bound to specific data objects. In some cases, the CySA+ exam may show you examples of code or configurations that you may not be familiar with. In that case, you should read the example carefully for useful context like the statement bindParam here. That should give you a clue to the parameterized queries answer being the correct option.
  92. B. In a service-oriented architecture there are three primary roles: a service provider creates and publishes a web service in a broker or repository. The service broker, registry, or repository provides information about the web services to requesters. Service requesters or consumers use web services after finding entries describing them in the service broker's catalog. Service guardians were made up for this question.
  93. B. The identity provider (IDP) provides the authentication in a SAML-based authentication flow. A service provider, or SP, provides services to a user, and the user is typically the principal. A relying party (RP) leverages an IDP to provide authentication services.
  94. A. Using TLS will help to ensure that a third party is unable to insert itself into the message stream. TLS can be used to authenticate the service provider and service consumer while also providing message confidentiality, message integrity protection, and replay defenses.
  95. C. SOAP messages are XML documents that contain an envelope that identifies the document as a SOAP message, a header and body that contain information, and a fault element that contains error messages and status information as necessary.
  96. C. API keys allow individual consumers to be issued their own keys, preventing a public service from being overwhelmed or shared. If a key is misused, it can be disabled while still allowing other legitimate users to use the service.
  97. B. REST-based web services typically make requests in the form of a URL, sometimes with additional information added. SOAP uses XML, and SQL queries are used for databases.
  98. B. The Docker file includes both a username and password, a very insecure means of using credentials for a microservice. Erik will need to work with the team responsible to identify another design option to handle the microservice's authentication needs.
  99. B. Physical access is the best (and often only) way to compromise an air-gapped, physically isolated system. Although some esoteric attack methods can gather information via RF, acoustic, or other leakage, real-world scenarios will require physical access in almost all cases.
  100. B. Hardware security modules (HSMs) are devices that are specifically designed to securely store and manage digital keys for cryptographic systems. They also provide crypto processing capabilities.
  101. C. IPsec VPNs are preferred when users require a full connection to the network they will VPN to. TLS VPNs provide the advantage of accessing specific applications, often using HTTP/HTTPS traffic, whereas IPsec users are treated as full members of the network. SSL is outdated, and WPA2 is a wireless network security protocol.
  102. B. One use of eFuses is to prevent firmware downgrades. To do this, implementations will often burn a specified number of fuses at each new firmware revision. If the number of fuses burned is higher than the required number for the firmware that is being installed, the system knows that the firmware is older and will prevent it from being installed. Since eFuses are burned when they are activated, they cannot be reset. eFuses being burned does not mean that firmware cannot be changed, only that a check can be made to ensure that the firmware is the correct version or newer. If it is newer, more fuses will be burned to match that version number.
  103. C. UEFI (Unified Extensible Firmware Interface) is a replacement for the BIOS previously used as the low-level software that starts up your computer. UEFI supports Secure Boot, so Dev needs a modern UEFI-enabled system to use it.
  104. A. Trusted execution environments rely on all assets, code, and the underlying OS having been installed and started securely. To do this, trusted execution environments rely on a combination of signature checking, immutable assets, and/or isolation.
  105. B. Apple refers to the separate hardware-based key manager in Apple devices as a Secure Enclave. The Secure Enclave boots separately from the rest of the device and has its own memory used to store private keys. This design is intended to make access to encrypted data very difficult without access to the physical device. A hardware security module (HSM) is a device used to create and manage cryptographic keys. Both a secure bastion and a cryptolocker were made up for this question, although cryptolocker itself is a type of malware.
  106. D. Processor security extensions are intended to protect the operations of the processor, but register wiping isn't a typical feature. Registers typically contain ephemeral data, and wiping them securely would not be a requirement of most commercial CPUs.
  107. C. Atomic execution ensures that the memory in use by an atomic operation cannot be read or written to until the operation is done. Trusted execution environments are secure areas of a CPU, memory coherence ensures that corresponding memory locations for a multicore processor always contain the same cached data, and nonblocking memory was made up for this question, although nonblocking algorithms exist.
  108. B. The certificate issuer is responsible for signing the digital certificate. In this case, the issuer, as shown in the certificate, is Amazon. Starfield Services is the root CA, meaning that it issued the certificate to Amazon and allows it to issue certificates to end users. nd.edu is the subject of the certificate, and RSA is an encryption algorithm used in the certificate.
  109. C. This is a wildcard certificate, meaning that it is valid for the subject domain (nd.edu) as well as any subdomains of that domain (e.g., www.nd.edu). It would not, however, be valid for subdomains of those subdomains, such as www.business.nd.edu. A wildcard certificate for *.business.nd.edu would cover www.business.nd.edu.
  110. A. Certificates are publicly provided and contain the public key for the website. The website retains the private key that generated the certificate. Tom may or may not have his own keys for email encryption, SSH, or other purposes, but they are not involved in this process.
  111. A. The purpose of a digital certificate is to provide the subject's public key to the world. In this case, the subject is the nd.edu website (as well as subdomains of nd.edu), and the certificate presents that site's public key.
  112. A. Holographic stickers show when a device has been opened and are frequently used as an anti-tampering technique. They do not prevent theft, and while asset tags are frequently used for asset management and asset tracking, holographic stickers aren't commonly used for those purposes as they do not offer any advantages over traditional barcodes or RFID stickers.
  113. B. An SED (self-encrypting drive) is always encrypted, and the keys to the drive itself are also encrypted. They provide hardware-level security for data with continuous encryption (and decryption) as data is stored and accessed. This means that the only time that the data could be stolen is when the drive is active and the key to the drive has been presented to the drive using a hardware token or passcode.
  114. C. Amanda's organization needs to invest in change management tools and techniques to ensure that changes are tracked and that the tasks and procedures that go with those changes occur. A project management or ticketing tool may be able to provide some of these capabilities, but change management specific tools can really help keep a sharp focus on the effort. An IDE (integrated development environment) is used for programming rather than for this type of task.
  115. B. The most effective means of checking most firmware to validate that it is a trusted firmware update is to compare the hash of the file that you have against the provided hash values from the manufacturer website.
  116. C. Amanda needs to use a system or device on the air-gapped network to access the HSM. This provides isolation, preventing misconfiguration or other security issues from causing the device to be compromised.
  117. B. During a measured boot process, each object measures the hash of the next object in the chain and stores it securely so that it can be reviewed later. It does not check to see if objects are good or bad, nor does it interrupt the boot.
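The hash chain described in answer 117 can be simulated in a few lines. The Python below is an added example, not from the book: it models a TPM-style register that is only ever extended (new value = SHA-256 of old value concatenated with the next measurement), records an event log, and lets a verifier replay that log later. The boot objects and "golden" value are constructed sample data.

```python
"""Measured boot as an extend-only hash chain (added example, not from the book).

Each stage hashes the next object and extends a platform configuration
register (PCR) with that hash. Nothing is blocked at boot time; the chain
simply records what ran so that it can be reviewed or attested afterwards.
"""
import hashlib

PCR_INITIAL = bytes(32)  # TPM PCRs start out as all zeros at reset


def measure(obj: bytes) -> bytes:
    """Measurement of a boot object is simply its SHA-256 digest."""
    return hashlib.sha256(obj).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR_new = SHA-256(PCR_old || measurement).
    Order matters and the register can never be rolled back to a prior value."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(boot_objects):
    """Run the chain over (name, contents) pairs.

    Returns (final_pcr, event_log). Every object is measured and 'booted';
    the process never decides whether an object is good or bad and never
    interrupts the boot, which is the point made in answer 117."""
    pcr = PCR_INITIAL
    event_log = []
    for name, blob in boot_objects:
        m = measure(blob)
        event_log.append((name, m.hex()))
        pcr = extend(pcr, m)
    return pcr, event_log


def replay_log(event_log) -> bytes:
    """What a remote verifier does later: recompute the PCR from the log alone.
    If the replayed value matches the reported PCR, the log is consistent."""
    pcr = PCR_INITIAL
    for _, m_hex in event_log:
        pcr = extend(pcr, bytes.fromhex(m_hex))
    return pcr


def matches_golden(final_pcr: bytes, golden_pcr: bytes) -> bool:
    """Comparison against a known-good value is a separate, after-the-fact step."""
    return final_pcr == golden_pcr


# Constructed sample chains. The second has a modified bootloader.
GOOD_CHAIN = [("firmware", b"uefi-fw-v1"),
              ("bootloader", b"shim-v1"),
              ("kernel", b"linux-v1")]
TAMPERED_CHAIN = [("firmware", b"uefi-fw-v1"),
                  ("bootloader", b"shim-v1-modified"),
                  ("kernel", b"linux-v1")]

if __name__ == "__main__":
    golden, log = measured_boot(GOOD_CHAIN)
    print("golden PCR:", golden.hex())
    actual, tampered_log = measured_boot(TAMPERED_CHAIN)
    print("tampered chain still completed", len(tampered_log), "stages")
    print("matches golden:", matches_golden(actual, golden))
```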
  118. B. Encrypted data transmission between a CPU and a GPU occurs over a bus, making this a form of bus encryption. Bus encryption protects data that might be observed by an untrusted user or attacker and is used on PCs between the GPU and CPU as part of the digital rights management for paid video content under the PVP-UAB (protected video path) standard.
  119. C. In a SAML transaction, the user initiates a request to the Relying Party, who then redirects the user to the SSO provider. The user then authenticates to the SAML Identity Provider and receives a SAML response, which is sent to the Relying Party as proof of identity.
  120. A. Hardware security modules (HSMs) are hardened and tamper-resistant dedicated hardware devices for cryptographic processing and management, including generating keys, handling digital signatures, and encrypting and decrypting data. Border Gateway Protocol (BGP) is a routing protocol, and SSM was made up for this question.
  121. C. Saeed wants to track items via a physical inventory, which means that he or others on the organization's staff will need to manually validate devices over time. Asset tags using barcodes or RFID tags can make this process much faster by allowing team members to scan them as part of inventory management and asset tracking practices.
  122. A. Symmetric encryption with hard-coded keys is vulnerable to a number of attacks that target those keys. If you're not familiar with the differences between symmetric and asymmetric encryption, you should review them! Once the keys are captured, either via access to the code, disassembly, memory tampering, or another technique, all communications can be decrypted. The other entries are all taken from the OWASP Mobile Application Security checklist.
  123. C. Anti-tampering techniques seek to prevent microprobing and other physical attacks, as well as techniques like freezing the device or applying unexpected voltages or clock feeds. Some anti-tampering solutions will even wipe the protected device's sensitive data if they detect tampering involving these techniques, even if they aren't currently powered up.
  124. A. Patricia's best option is to ensure that her device can handle bus encryption. This will ensure that the updates to the device are not able to be snooped or captured in unencrypted form as they are transferred over the PCIe bus of the system where the devices reside.
  125. B. Since an SED fully encrypts the data it contains, simply deleting the encryption key for the drive is just as secure as a full wipe or other data destruction process. This means that securely disposing of self-encrypting drives is much simpler and faster than other technologies, where a drive wipe or physical destruction may be required.
  126. A. A Trusted Platform Module (TPM) is required to enable Secure Boot and remote attestation capabilities. TPM modules are tamper-resistant security chips that provide various services to allow these boot modes and capabilities to function. A hardware security module (HSM) is used to create, manage, and process encryption keys. A GPM and an MX module were made up for this question.
  127. A. Secured Boot uses cryptographic signatures for executables to check each object against known public keys stored in the BIOS of the system that is running the Secured Boot.
  128. C. Atomic execution ensures that the full read and write operations are completed before any other processor or I/O device can take action on the memory location. The remainder of these options were made up for this question.
  129. D. During a Secure Boot process, the UEFI firmware on a system checks the objects in the boot process. If they do not match, it will result in an error. This is intended to prevent malware from infecting systems but could potentially happen if the manufacturer of the operating system or software does not properly sign objects in the boot process.
  130. C. These are all examples of processor security extensions providing additional cryptographic instructions. Since AES, 3DES, and ECC are all encryption algorithms and SHA-256 is a hashing algorithm, we know that this can't be either of the first two options alone. Bus encryption may use these, but they aren't just examples of bus encryption algorithms.
  131. A. A VPC (virtual private cloud) is an isolated segment of a public cloud. They are typically provided with their own private IP space, and VLANed or otherwise segmented out from other resources in the public cloud.
  132. D. Since API keys limit which clients can access a REST-based service, they can be used to reduce the impact of potential denial-of-service (DoS) attacks. Although it may be possible to overwhelm the server with connections, unless the attackers have a legitimate API key or keys, DoS attacks will be harder to accomplish.
  133. C. Although physical segmentation can make it easier to see specific traffic while providing better network security and increased performance, running a separate infrastructure is rarely a less expensive option.
  134. A. Scott's network has redundancy throughout its network core, including firewalls, core routers, and core switches, but has a single connection to the Internet. In this case Scott should be most worried about that single connection.
  135. D. Diversity of ISPs and fiber paths are both important to ensure that a failure of the ISP or a cut of the fiber along one path will not take Scott's organization offline.
  136. D. Although the edge router shown in point E has only a single connection, most organizations will not identify edge routers or switches as critical points of failure. In this case, since we know his organization does not consider edge devices mission critical, Scott will not identify any other items as single points of failure that he should remediate.
  137. D. Multifactor authentication is the most effective option because attackers will need to present both factors. Even if they know the password, unless they have the second factor their attempt to access the application will fail. Account lockouts and CAPTCHAs can be useful when attempting to prevent brute-force attacks, and complexity settings may make some brute-force attacks slower and harder to conduct.
  138. C. A salt is a unique, randomly generated string added to each password in a hashing process. Salts are then stored in a database in addition to the password hash. A pepper is shared between all passwords and is not unique, nor is it stored in a database. As you might expect, mashing was made up, and hashing is the process that is performed on a salted (and possibly peppered!) password.
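The salt-versus-pepper distinction in answer 138 is easiest to see in code. The Python below is an added example, not from the book: the salt is generated per password and stored beside the hash, while the pepper is a single secret kept out of the database (read from an environment variable here, with a constructed fallback value for demonstration). The iteration count is kept low so the example runs quickly.

```python
"""Salted and peppered password hashing (added example, not from the book)."""
import hashlib
import hmac
import os
import secrets

# Pepper: one secret shared by all passwords, held in configuration or an HSM,
# never written to the database. The fallback is a constructed demo value.
PEPPER = os.environ.get("PASSWORD_PEPPER", "constructed-demo-pepper").encode()
ITERATIONS = 100_000  # kept low for the demo; production should use far more


def _peppered(password: str, pepper: bytes) -> bytes:
    """Apply the pepper as an HMAC key before slow hashing, so a stolen
    database is useless without the pepper held elsewhere."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER) -> dict:
    """Return the record that goes into the database: a fresh random salt,
    the PBKDF2 hash, and the iteration count. Note what is absent: the pepper."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", _peppered(password, pepper),
                                 salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", _peppered(password, pepper),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    a = hash_password("correct horse battery staple")
    b = hash_password("correct horse battery staple")
    # Same password, different salts, therefore different stored hashes.
    print(a["hash"] != b["hash"])
    print(verify_password("correct horse battery staple", a))
```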
  139. B. Segmented networks are almost always used to isolate groups rather than to combine them. Common uses include specific network segments for VoIP, wireless, or specific trust zones and levels.
  140. C. All processes on a Linux system can read these environment variables, meaning that the database username and password for the Docker application are exposed to every process running on the system. Kwame will need to work with the team responsible for the service to identify better ways to securely share secrets. Fortunately, there are secrets management APIs and other tools available for Docker, Kubernetes, and similar platforms.
  141. B. Software-defined networks (SDNs) consist of three major layers: the application layer, where information about the network is used to improve flow, configuration, and other items; the control layer, which is where the logic from SDN controllers controls the network infrastructure; and the infrastructure layer, which is made up of the networking equipment. If you're not deeply familiar with SDNs, you can address questions like this by reviewing what you do know. The other three options contain elements of the OSI model but don't make sense in the context of SDN.
  142. C. Virtual desktops still run the same operating systems and applications that they provide virtually, and they are not immune to malware. In some cases malware may not be able to persist if the organization is using ephemeral applications and desktops, which are restarted from a clean base image when they are launched.
  143. B. If Micah implements automated vulnerability scanning, he can check to see if the applications that are about to be deployed have known vulnerabilities. Automated patching will also help with this, but will only apply available patches and will not assess whether there are configuration vulnerabilities or unpatched vulnerabilities. Fuzz testing can help to test if the applications have issues with unexpected input but will not address most vulnerabilities, and hashing will only tell him if he is running the version of code that he expects to, not if it is vulnerable.
  144. A. If Susan can automate some security testing so that it is performed automatically during the development process, DevOps staff can receive immediate feedback on what security improvements, if any, need to be made to their implementations and code.
  145. A. Camille will need to integrate her identity provider (IDP) to provide authentication and authorization. Once users are authenticated, they can use various service providers throughout the federation. She will also probably want to use some form of single sign-on (SSO) service, but it is not required to be part of a federation.
  146. B. The NIST 800-190 guidelines suggest that a hardware root of trust with cryptographic verification of boot mechanisms, system images, and container runtimes using a TPM is a best practice for hardware-based trusted computing.
  147. D. Where possible, NIST recommends segmenting by purpose, data sensitivity, and threat model to separate OS kernels.
  148. C. The NIST 800-190 guidelines note that traditional vulnerability management tools may make assumptions like those in options A and B regarding the systems and applications they are scanning. Since containers are ephemeral and may be updated and changed very frequently, a traditional vulnerability scanning and management approach is likely to be a poor fit for a containerized environment.
  149. B. Collecting data like timing information or acoustic data can provide detail of what is occurring on a system. Each of these is an example of side-channel attacks that can allow attackers to reverse-engineer information about a system that would otherwise not be exposed.
  150. C. The most distinctive feature of privileged account management tools for enterprise use is the ability to manage entitlements across multiple systems throughout an enterprise IT environment. Broader identity and access management systems for enterprises provide user account management and life cycle services, including account expiration tools and password life cycle management capabilities.
  151. B. SAML provides all of the capabilities Amira is looking for. Unlike SAML, OAuth is an authorization standard, not an authentication standard. LDAP provides a directory and can be used for authentication but would need additional tools to be used as described. Finally, OpenID Connect is an authentication layer on top of OAuth, which is an authorization framework. Together, they would also meet the needs described here, but individually they do not.
  152. A. Nathaniel should use an attribute-based access control (ABAC) scheme that can take into account things like the resource attributes described here. Role-based access control (RBAC) would not meet this need since it only takes into account roles in the organization, not attributes. Mandatory access controls (MACs) are enforced by the operating system, whereas discretionary access controls (DACs) are delegated to users.
  153. B. Atomic execution requires that a process complete the action that it is taking before another process or task can read or write to the memory location that it is using. In general, the term atomic means that the transaction is indivisible and must complete. Trusted execution environments are isolated areas of a processor designed to protect confidentiality and integrity. Anti-tampering techniques help protect chips from being reverse-engineered or modified while in use, and bus encryption protects data in transit on a bus like those found between CPUs and drives or other devices in a system.
  154. B. The Windows Event Viewer is a built-in tool for Windows systems that can be used to view application, security, setup, system, and other events and logs. Secpol.msc is the Local Security Policy snap-in, and logview.msc is not a built-in Windows tool or a snap-in.
  155. C. SQL injection is regularly rated as one of the top web application vulnerabilities, and parameterizing queries is an important way to help prevent it. Parameterized queries, or prepared statements, require developers to define the SQL code they will use, then pass in each parameter to the query. This prevents attackers from changing the intent of the query and allows the query to be used only as intended if properly implemented.
  156. D. Linux syslog messages can be sent over UDP or TCP, although some syslog implementations like rsyslog support additional protocols. Isaac knows that TCP handles errors and will retransmit packets if something goes wrong, whereas UDP will merely send the data regardless of what occurs—it is faster and uses fewer resources but doesn't meet his needs. HTTP and HTTPS are not Linux syslog protocols.
  157. B. A TLS VPN (sometimes called an SSL/TLS VPN) is typically the chosen solution when application filtering is required. Since TLS VPNs operate at the session layer, they can make decisions based on users and groups, as well as specific commands, application content, or URLs. IKE and X.509 are underlying technologies for key exchange and certificates and are not types of VPNs, whereas IPsec is a type of VPN but not the best choice for this purpose. IPsec VPNs can carry any IP application and simply appear to be an IP network.
  158. B. Output encoding is frequently used to prevent cross-site scripting (XSS) attacks by replacing potentially dangerous characters in previously input user data with harmless equivalents.
  159. A. Of the options provided, level 1, KERN_ALERT, is the most severe. Level 0, or KERN_EMERG, is the most severe kernel log level. You may not always know the specific details of a technical question. In this case, you should read through the options and narrow down which selections you should use. It is unlikely that a mid-range level would be the most severe, thus allowing you to rule out level 2 and level 4. You are then left with ALERT and DEBUG. Debugging tends to be noisy with full data, which should lead you to select option A, KERN_ALERT.
  160. C. The Agile method is heavily driven by user stories and customer involvement. Sprints deliver functional code, meaning that some elements of the product may be ready early.
  161. B. Spiral places a heavy emphasis on risk assessment and improves from Waterfall by repeating the identification/design/build/evaluation process. This will handle both the complexity that Scott is aware will be involved as well as the late addition of design requirements.
  162. C. The disposition phase of SDLC addresses what occurs when a product or system reaches the end of its life. Scott will need to decommission systems and services, identify what will happen to data and other artifacts, and make other decisions before the system can be shut down.
  163. A. Trusted foundries are part of a U.S. government program to ensure secure, available ICs for the defense industry. Sofía will need to use other protective measures like those listed to ensure that her company's product will resist reverse-engineering techniques.
  164. B. A wildcard certificate can be used for multiple subdomains of a domain. A wildcard certificate for *.comptia.org covers hosts one label below comptia.org, such as www.comptia.org or store.comptia.org. Note that it does not cover comptia.org itself or names nested more than one level deep, such as test.dev.comptia.org, unless those names are also listed in the certificate.
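The one-label rule for wildcards is the part practitioners most often get wrong, so here is an added example (not from the book) that implements the hostname matching most TLS clients apply to a certificate name: a wildcard must be the entire left-most label, it matches exactly one label, and it never matches the bare domain. The hostnames used are illustrative.

```python
"""Hostname matching for certificate names, including one-label wildcards.

Added example. Implements the common client behaviour (RFC 6125 section 6.4.3):
'*' must be the whole left-most label, it covers exactly one DNS label, and a
pattern such as '*.org' that would cover a whole top-level domain is rejected.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")

    # No wildcard: names must be identical (DNS names are case-insensitive).
    if "*" not in pattern:
        return pattern == hostname

    pat_labels = pattern.split(".")
    host_labels = hostname.split(".")

    # The wildcard must be the entire left-most label and must leave at least
    # two fixed labels to its right, so '*.org' or 'w*.comptia.org' never match.
    if pat_labels[0] != "*" or len(pat_labels) < 3 or "*" in pattern[1:]:
        return False

    # One wildcard label matches exactly one hostname label. Requiring equal
    # label counts rejects both the bare domain (comptia.org) and names nested
    # deeper than one level (a.b.comptia.org).
    if len(host_labels) != len(pat_labels) or not host_labels[0]:
        return False

    return host_labels[1:] == pat_labels[1:]


def certificate_covers(cert_names, hostname: str) -> bool:
    """True if any subjectAltName-style entry in `cert_names` matches `hostname`."""
    return any(hostname_matches(name, hostname) for name in cert_names)


if __name__ == "__main__":
    names = ["*.comptia.org", "comptia.org"]
    for host in ("www.comptia.org", "comptia.org", "a.b.comptia.org", "comptia.com"):
        print(host, certificate_covers(names, host))
```

Listing the bare domain alongside the wildcard, as the usage line does, is the usual way to cover both; relying on the wildcard alone leaves the apex name unprotected.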
  165. C. REST (Representational State Transfer) is an architectural style that focuses on web services that are stateless, cacheable, and provide a uniform interface. RESTful services typically send JSON messages to a web server, which requires less bandwidth, while supporting multiple data formats and relying on HTTP verbs. Waterfall is a development methodology, and SOAP relies on XML and does not support multiple formats, thus requiring more bandwidth in most circumstances.
  166. D. Session IDs should be associated with information needed by the application like userID, client IP address, session timeout and session start time information, or other details on the server side, typically in a session management database or repository. If the session ID had this information encoded in it, it could be reverse engineered and decoded, possibly resulting in data leakage. Complex session IDs are not a processing concern, and since the question lists no legally protected information, legal limitations do not apply. Session IDs are sent to the application and the user whose session they belong to, so they would not breach data simply by being sent.
  167. C. Detection systems placed in otherwise unused network space will detect scans that blindly traverse IP ranges. Since no public services are listed, attackers who scan this range can be presumed to be hostile and are often immediately blocked by security devices that protect production systems.
  168. B. Input validation involves a variety of techniques, including checking the minimum and maximum range for numeric input, checking the length of input strings, removing special characters, and providing limited options for drop-down menus and other strings.
  169. D. This regular expression will match all U.S. state abbreviations. Even if you're not familiar with regular expressions, you may be asked to read unfamiliar code and determine what function it is performing. Here, reading the list should give you a good clue based on the two-letter pairings.
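Questions 158, 168, and 169 together describe the two halves of safe input handling: validate what comes in (numeric range, string length, allow-lists such as a fixed set of state codes) and encode what goes out. The example below is added here and is not from the book; the state-code regular expression is constructed for the example rather than copied from the question, and the field names and limits are assumptions.

```python
"""Input validation and output encoding (added example, not from the book)."""
import html
import re

# Allow-list of the 50 U.S. state codes, expressed as a regular expression.
# Constructed for this example; the book's own pattern is not reproduced.
STATE_RE = re.compile(
    r"^(AL|AK|AZ|AR|CA|CO|CT|DE|FL|GA|HI|ID|IL|IN|IA|KS|KY|LA|ME|MD|MA|MI|MN|MS|"
    r"MO|MT|NE|NV|NH|NJ|NM|NY|NC|ND|OH|OK|OR|PA|RI|SC|SD|TN|TX|UT|VT|VA|WA|WV|WI|WY)$"
)


class ValidationError(ValueError):
    """Raised when input fails validation."""


def validate_age(raw: str, lo: int = 0, hi: int = 130) -> int:
    """Numeric input: enforce the type first, then a minimum/maximum range."""
    if not re.fullmatch(r"\d{1,3}", raw):
        raise ValidationError("age must be one to three digits")
    value = int(raw)
    if not lo <= value <= hi:
        raise ValidationError(f"age must be between {lo} and {hi}")
    return value


def validate_display_name(raw: str, max_len: int = 32) -> str:
    """String input: length check plus an allow-list of characters.

    Apostrophes are deliberately permitted (O'Brien is a real name), which is
    exactly why output encoding is still required later.
    """
    if not 1 <= len(raw) <= max_len:
        raise ValidationError("display name length out of range")
    if not re.fullmatch(r"[A-Za-z0-9 _.'-]+", raw):
        raise ValidationError("display name contains disallowed characters")
    return raw


def validate_state(raw: str) -> str:
    """Drop-down style input: only values from the fixed list are accepted."""
    code = raw.strip().upper()
    if not STATE_RE.match(code):
        raise ValidationError("unknown state code")
    return code


def is_valid(validator, raw: str) -> bool:
    """Convenience wrapper so callers can branch without catching exceptions."""
    try:
        validator(raw)
        return True
    except ValidationError:
        return False


def render_greeting(display_name: str) -> str:
    """Output encoding: escape at the point of insertion into HTML, regardless
    of whether the value was validated earlier (defense in depth)."""
    return f"<p>Hello, {html.escape(display_name, quote=True)}!</p>"


if __name__ == "__main__":
    print(render_greeting("<script>alert(1)</script>"))
    print(render_greeting(validate_display_name("O'Brien")))
```

Note that validation and encoding are not interchangeable: the allow-list rejects a script tag outright, but the apostrophe in a legitimate name passes validation and is neutralized only by encoding it as it is written into the page.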
  170. B. Adam knows that TCP/80 is the normal port for unencrypted HTTP traffic. As soon as he sees the traffic, he should immediately check if the traffic is unencrypted. If it is, his first recommendation will likely be to switch to TLS encrypted traffic. Once that is complete, he can worry about whether data is encrypted at rest and if usernames and passwords are passed as part of the traffic, which might be acceptable if it was protected with TLS!
  171. B. Digitally signing firmware and requiring new firmware to have the right digital signature can help Nick's organization prevent untrusted firmware from being installed. Encrypting the firmware can help keep the contents of the firmware package confidential but won't prevent unauthorized firmware from being installed. Binary firmware merely describes a type of encoding.
  172. C. A web server and a web browser are a form of client-server platform. Embedded systems are a combination of hardware and software inside a larger system. Firmware is a type of software that provides low-level functions for a computer or device. An SOC (system on chip) is a complete system on a single chip.
  173. D. The use of proprietary protocols is typically the least concerning of these. Attackers are more likely to be familiar with common protocols and standards, and attack tools are more likely to exist for those common standards. Lara is likely to note that embedded systems often suffer from a lack of updates once deployed and that updates can be difficult to deploy. This is a particular concern because embedded systems often have very long lifespans once they are in place. Many embedded systems are also designed and deployed with the assumption that they will be placed on a secure, isolated network, which may not always be the case.
  174. C. Password reuse is a bad idea in most cases, and reusing passwords will not do anything to slow down or reduce the effectiveness of brute-force attacks. Multifactor authentication, if properly implemented, can stop almost all brute-force attacks. Account lockouts are useful because they delay brute-force attacks or can stop them entirely if the lockout requires user intervention. CAPTCHAs add a layer of complexity for attackers and often require human intervention, which can make it difficult to conduct a brute-force attack.
  175. B. Secure Boot verifies the boot loader, operating system loader, and boot drivers before they run by checking their cryptographic hashes or digital signatures against trusted values, so that untrusted code cannot be loaded during startup. Manual boot hash comparison and bootsec were made up for this question, whereas a Trusted Platform Module (TPM) chip is a security chip that enables services like measured boot and remote attestation.
  176. C. Fuzzers are tools that send unexpected input, testing whether an application can handle data that does not match what it expects. User acceptance testing (UAT) is a type of testing that helps to ensure that users can properly use a tool and that it performs the functions they expect. A stress testing tool typically puts very high loads onto an infrastructure or application to see how it performs when stressed. Regression testing is done to ensure that old flaws are not reintroduced to an application.
  177. C. Storing passwords in an encrypted form may be necessary in some special cases, but the best practice for the great majority of password use cases is to store a salted hash with an appropriate work factor (how many times the hashing algorithm is used). This makes computing the hash more computationally expensive, and thus harder for attackers to do to create a database of possible hashed passwords. Combined with salting, this makes creating rainbow tables prohibitively complex.
  178. B. Of the listed options, only bcrypt is considered a modern password hashing algorithm. If Kristen didn't have the option to use bcrypt, her best bet from the list provided would be SHA-512. She would then need to use a salt and a pepper, and use a large number of iterations of the algorithm to provide the best protection that she could. You can read more about recommendations like these at owasp.org/www-project-cheat-sheets/cheatsheets/Password_Storage_Cheat_Sheet.html.
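Questions 177 and 178 describe the fallback Kristen would use without bcrypt: SHA-512, a per-password salt, an optional pepper, and a large iteration count as the work factor. The following added example (not from the book) implements exactly that using PBKDF2-HMAC-SHA512 from the Python standard library. The iteration count is a starting point in the range current guidance recommends for this construction and should be tuned to the hardware; the storage format is an assumption for the example.

```python
"""Salted, iterated password hashing with an optional pepper (added example)."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor: PBKDF2 iteration count. Raise it over time as hardware gets
# faster; a verification should still cost tens of milliseconds per attempt.
ITERATIONS = 210_000
ALGORITHM = "pbkdf2_sha512"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _pre_hash(password: str, pepper: bytes) -> bytes:
    """Optionally mix in a pepper: a secret held outside the database (for
    example in an HSM or secrets manager). A stolen table of hashes then cannot
    be attacked offline without also stealing the pepper."""
    if pepper:
        return hmac.new(pepper, password.encode("utf-8"), "sha512").digest()
    return password.encode("utf-8")


def hash_password(password: str, pepper: bytes = b"", iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.

    Storing the iteration count alongside the hash lets the work factor be
    raised later while old records remain verifiable.
    """
    salt = salt if salt is not None else os.urandom(16)  # unique per password
    digest = hashlib.pbkdf2_hmac("sha512", _pre_hash(password, pepper), salt, iterations)
    return f"{ALGORITHM}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str, pepper: bytes = b"") -> bool:
    """Recompute the hash with the stored salt and iterations and compare."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha512", _pre_hash(password, pepper), salt, int(iterations))
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong password", record))
```

Because the salt is random per password, hashing the same password twice yields two different records, which is what defeats precomputed rainbow tables; the iteration count is what makes each guess in a brute-force attack expensive.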
  179. C. Software as a service (SaaS) vendors provide a service, rather than infrastructure, which means that Liam would not be able to install a full disk or column-level encryption tool. SaaS vendors will not allow customer-hired third-party auditors into their environments in most cases since they are shared environments. Liam's best bet is to select a service that provides encryption at rest as part of their service.
  180. B. Software-defined networking (SDN) is designed to handle changing traffic patterns and use of data to drive network configurations, routing, and optimization efforts. Faraj's best option is to use a software-defined network. Serverless is a technology that runs compute runtimes rather than a network, and a VPN is used to connect networks or systems together via a private channel.
  181. D. Serverless environments are a shared service, and since there is not a system that is accessible to consumers, there is nowhere to install endpoint tools. Similarly, network IPSs cannot be placed in front of a shared resource. Elaine should also be aware that any flaw with the underlying serverless environment will likely impact all of the service hosting systems.
  182. C. The first three steps of a Fagan inspection are preparatory, including planning, overview and assignment of roles, and the preparation for the meeting, including review of the item and supporting materials. Actual identification of the defect occurs during the inspection meeting. If you're not familiar with Fagan inspection, you can rule out overview and preparation as well as rework by considering what the likely actions are associated with each phase's title.
  183. B. Validating the output will not prevent SQL injection from occurring. Using prepared statements with parameterized queries, stored procedures, escaping all user-supplied input, whitelisting input validation, and applying least privilege to the application and database accounts are all useful techniques to prevent successful SQL injection.
  184. C. Unvalidated parameters in a SQL query are likely to allow SQL injection attacks. An attacker could inject arbitrary SQL code into that parameter, thus gaining additional access to the database and the data stored in it.
  185. B. The identity provider asserts to the service provider that the user is a valid user, and thus, that they are who they claim to be. The service provider then determines what rights the user has based on that identity. The process does not need to assert who it is, nor is the user's password provided to the SP.
  186. C. eFuses can be used to track firmware versions, with an increasing number of fuses burned as each new revision is installed. The hardware checks the number of fuses associated with a given firmware package, and if more are burnt than match that package, it will not be accepted.
  187. A. Security screws are a form of anti-tampering control, and they are intended to prevent unauthorized individuals from accessing hardware.
  188. C. The U.S. Department of Defense Trusted Foundry program is overseen by the DMEA (Defense Microelectronics Activity). It provides an assured chain of custody for ICs, oversees the supply chain to prevent disruptions, works to prevent ICs from being modified or tampered with, and works to prevent the ICs from being reverse engineered or evaluated.
  189. C. Michelle knows that a self-encrypting drive uses a data encryption key (DEK) to encrypt and decrypt the drive, and that data is encrypted as it is written and decrypted when it is read. This means she will need to access a live machine with the appropriate key in use to capture the data she wants.
  190. B. Processor security extensions are on-chip implementations of security features. Various chip manufacturers use different terms like Intel's Software Guard Extensions (SGX), ARM's TrustZone Security Extensions, and others found across the industry.
  191. D. A significant advantage of TLS-based VPNs is the ability to be clientless. IPsec VPNs protect IP packets between locations, whereas TLS (sometimes still called SSL) VPNs protect application traffic streams. That key difference can be part of the decision about what type of VPN technology to use.
  192. B. Segmentation is typically used to decrease the number of systems in a network segment, rather than to increase it. Segmentation is often used to decrease an organization's attack surface by moving systems that don't need to be exposed to a protected segment. It can also be used to limit compliance impact by removing systems from a compliance zone that do not need to be part of it. Finally, limiting the number of systems or devices in a segment or keeping potentially problematic systems in an isolated network segment can help increase availability.
  193. C. Docker and Kubernetes are both part of the containerization ecosystem: Docker builds and runs containers, and Kubernetes orchestrates them across a cluster of hosts.
  194. D. Nathan's best option is to send the logs to a remote server. The server should be protected to ensure that the same exploits that might compromise other systems will not impact the secure log storage server or service. In many organizations, a SIEM device or security logging tool like ELK or Splunk may be used to store and work with these logs.
  195. B. Once your private key has been exposed, your only option is to remove the keypair from use and to replace it wherever it is in use. If the SSH keys are used to control infrastructure or a cloud service and they are uploaded to a public site, there is a good chance they will be found and exploited very quickly. The authors of this book have seen keys that were exposed and used in less than 20 minutes from the time they were uploaded!
  196. A. Although most testing occurs in the testing and integration phase of the software development life cycle, unit testing is often performed as part of the development phase to ensure that components of the code work properly. User acceptance testing (UAT), fuzzing, and stress testing all typically occur as part of a more formal testing phase.
  197. B. The Spiral methodology uses a linear development process with an iterative process that revisits the four phases multiple times. Those four phases are identification, design, build, and evaluation. Agile processes use user stories, so you can rule both of those options out. Spiral doesn't rely on that concept. Option C is also a bad option; note the lack of a testing phase.
  198. C. The key reason that the term DevSecOps has entered common use is the need to integrate security into the application life cycle.
  199. C. The feasibility phase of a project like this looks into whether the project should occur and also looks for alternative solutions as well as the costs for each solution proposed.
  200. C. Although it may seem like code analysis and unit testing should occur in the testing and integration phase, remember that unit testing occurs on individual program components, which means it will occur as the code is written. The same holds true for code analysis, and thus, the first time this happens will be in the coding stage.
  201. B. Before an application can enter ongoing operations and maintenance, users must be trained and the application must be transitioned to the team that will maintain it for its life cycle. Disposition occurs when a product or system hits the end of its life cycle. Unit testing is often part of the coding phase. Testing and integration occur just before training and transition (point D).
  202. D. OpenID, SAML, and OAuth are all commonly used protocols for federated identity. Ansel will need to better understand what the use cases for federated identity are in his environment and which organizations he will federate with before he chooses a protocol to implement, and may eventually need to support more than one.

Answers to Chapter 3: Domain 3.0: Security Operations and Monitoring

  1. B. Sites like VirusTotal run multiple antimalware engines, which may use different names for malware packages. This can result in a malware package apparently matching multiple different infections.
  2. B. The Windows Performance Monitor provides a live view of memory usage per running application or service. This can be useful for live memory analysis. MemCheck and WinMem were made up for this question, and top is a useful Linux tool for checking memory utilization. If you aren't familiar with tools like this, you may want to spend some time with Windows and Linux common command cheat sheets like the Linux sheet found at www.linuxtrainingacademy.com/linux-commands-cheat-sheet/.
  3. C. The Windows Resource Monitor application is a useful tool to both see real-time data and graph it over time, allowing Abul to watch for spikes and drops in usage that may indicate abnormal behavior.
  4. C. Binary diffing looks at multiple potentially related binaries that have anti-reverse-engineering tools run on them and looks for similarities. Graphs map this data, helping the tool identify malware families despite the protections that malware authors bake in. As you might have guessed, the rest of the answers for this question were made up.
  5. C. Threat intelligence feeds may be used to build rules; however, unlike option B, threat feeds typically aren't used to build rules in real time for firewall devices. Firewalls typically do not analyze their own logs and build STIX feed entries, nor do they know about threat actor names, resources, and threat levels.
  6. B. PowerShell, wmic, and winrm.vbs are all commonly used for remote execution of code or scripts, and finding them in use on a typical workstation should cause you to be worried as most users will never use any of the three.
  7. A. Most common HTTP traffic will go to port 80, and HTTPS traffic will go to 443. The third most common port for web traffic is 8080, and it would be a reasonable, if significantly less common, option. While other ports may be in use, if you aren't expecting traffic to nonstandard HTTP and HTTPS ports you may want to investigate the traffic.
  8. C. Availability analysis targets whether a system or service is working as expected. Although a SIEM may not have direct availability analysis capabilities, reporting on when logs or other data is not received from source systems can help detect outages. Ideally, Lucy's organization should be using a system monitoring tool that can alarm on availability issues as well as common system problems like excessive memory, network, disk, or CPU usage.
  9. C. When faced with massive numbers of notification messages that are sent too aggressively, administrators are likely to ignore or filter the alerts. Once they do, they are unlikely to respond to actual issues, causing all of the advantages of monitoring to be lost. If she doesn't spend some time identifying reasonable notification thresholds and frequencies, Lucy's next conversation is likely to be with an angry system administrator or manager.
  10. D. Lucy has configured a behavior-based detection. It is likely that a reasonable percentage of the detections will be legitimate travel for users who typically do not leave the country, but pairing this behavioral detection with other behavioral or anomaly detections can help determine if the login is legitimate or not.
  11. D. Disabling unneeded or risky services is an example of a strategy to reduce the attack surface area of a system or device. Threat modeling and proactive risk assessment are both activities that focus on preparation, rather than direct systems or technology action, and incident remediation might involve disabling a service, but there isn't enough information to know this for sure. What we do know for sure is that disabling unneeded services reduces the attack surface area for a system.
  12. C. RDP operates over TCP 3389. Most corporate workstations won't have RDP turned on inbound to workstations, and Suki may find that she has discovered a compromise or other behavior that her organization may not want to occur.
  13. B. Windows has support for both DEP (data execution prevention) and ASLR (address space layout randomization). These combine to help prevent buffer overflow exploitation by preventing memory regions tagged as data from being executed and by randomizing the memory layout Windows uses, making it harder to take advantage of known memory locations with an overflow.
  14. A. Isaac should recommend 802.1x, the standard for port-based network access control. Both DMARC and SPF are email security standards, and 802.3 is the specification for Ethernet, but it isn't a security standard.
  15. C. The auth.log file on Linux systems will capture sudo events. A knowledgeable attacker is likely to erase or modify the auth.log file, so Ian should make sure that the system is sending these events via syslog to a trusted secure host. The sudoers file contains details of which users can use sudo and what rights they have. There is not a file called /var/log/sudo, and root's .bash_log file might contain commands that root has run but won't have details of the sudo event—there's no reason for root to sudo to root!
  16. C. Pete's organization is using an agent-based, out-of-band NAC solution that relies on a locally installed agent to communicate to existing network infrastructure devices about the security state of his system. If Pete's organization used dedicated appliances, it would be an in-band solution, and of course not having an agent installed would make it agentless.
  17. B. Tripwire can monitor files and directories for changes, which means Gabby can use it to monitor for files in a directory that have changed. It will not tell you how often the directory is accessed, who viewed files, or if sensitive data was copied out of the directory.
  18. C. Even if you're not familiar with the PsTools suite, you can use your knowledge of Windows command-line tools to figure out what is happening here. We see a remote workstation (it is highly unlikely you would connect to your own workstation this way!) indicated by the \\ip.address, a -u flag likely to mean userID with administrator listed, and a -p for password. We know that cmd.exe is the Windows command prompt, so it is reasonable and correct to assume that this will open a remote command prompt for interactive use. If this is a user who isn't an administrator, Charlene needs to start an incident investigation right away.
  19. A. TCP port 3306 is a common service port for MySQL. If you are asked to review rules for an IPS, IDS, firewall, or other service and do not know the rule syntax, look for what you do know. Here you can tell direction -> and that the alert would look for traffic from any system on any port to systems in the 10.10.11.0/24 network range on port 3306.
  20. B. User and event or entity behavior analytics (UEBA) captures data about entities and events as well as other security data and performs statistical and other analyses to detect abnormal and unexpected behavior, then alerts administrators so that they can review the information and take appropriate action.
  21. B. Sadiq should place his IPS at point B. The firewall will filter out large amounts of unnecessary traffic, reducing the load on the IPS, and the IPS will still see the largest amount of untrusted traffic at this location without having to handle the much higher load it would face outside the firewall.
  22. C. SYN floods are an attack technique used to exhaust session handlers on systems. A flood of SYNs from many different IP addresses without a completed TCP three-way handshake is often a sign of a SYN flood attack.
  23. B. First, Kai should check the scan log to review the scan type and error code to check it via the Microsoft support site. The most likely cause from the list of provided answers is a conflict with another security product. While security practitioners often worry about malware on systems, a common cause of scan failures is a second installed antivirus package. If Kai doesn't find a second antivirus package installed, she should conduct a scan using another tool to see if malware may be the issue.
  24. C. Blacklisting known bad IP addresses, as well as the use of both domain and IP reputation services can help Charles accomplish his task. Whitelisting only allows known addresses through and does not flag known bad addresses.
  25. B. The ps utility lists currently running processes, and aux are a set of flags that control which processes are selected. This output is then piped to grep, and all lines with the text apache2 will be selected. Then that list will be searched for the text root. This type of multiple piping can help quickly process large volumes of files and thousands or millions of lines of text.
  26. C. The most likely scenario in this circumstance is that the headers were forged to make the email appear to come from example.com, but the email was actually sent from mail.demo.com.
  27. A. Port security relies on MAC addresses to filter which systems are allowed to connect to the port, which means that Corbin needs to consider how to prevent MAC spoofing.
  28. D. SPF and DKIM each help on their own, and DMARC builds on both: SPF limits trusted senders for the domain to a published list, DKIM proves that the message was signed by the domain that claims to have sent it, and DMARC publishes a policy telling receivers how to treat messages that fail those checks and where to send reports. Together they prevent impersonation of the organization's domain, provided the receiving organizations also enforce DMARC.
  29. D. Email headers contain the message ID, date, to, from, user agent, IP addresses of both the sender and the receiver, and information about the email servers along the path between them. They do not contain a private key.
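Questions 26 and 29 describe reading the Received chain to see which server actually handed a message to your mail exchanger and comparing that with the domain the From header claims. The example below is added here and is not from the book; the sample message is constructed for the example, with a From header claiming example.com while the topmost Received header shows the message arriving from mail.demo.com.

```python
"""Spotting a forged From header from the Received chain (added example)."""
import email
import email.utils
import re
from typing import Dict, List

# Constructed sample message for this example. Received headers are read
# newest-first: the top one was added by our own MX (mx.victim.example) and
# records which server handed it the message.
SAMPLE_MESSAGE = """\
Received: from mail.demo.com (mail.demo.com [203.0.113.25])
\tby mx.victim.example (Postfix) with ESMTPS id 4ABCD
\tfor <ceo@victim.example>; Mon, 01 Jan 2024 10:00:00 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby mail.demo.com (Postfix) with ESMTPA id 1234
\tfor <ceo@victim.example>; Mon, 01 Jan 2024 09:59:58 +0000
From: "Accounts Payable" <ap@example.com>
To: ceo@victim.example
Subject: Urgent wire transfer
Message-ID: <20240101095958.1234@mail.demo.com>
Return-Path: <bounce@demo.com>
Date: Mon, 01 Jan 2024 09:59:58 +0000

Please process the attached invoice today.
"""

_FROM_HOP = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


def received_hops(raw: str) -> List[str]:
    """Return the 'from' host of each Received header, newest (our MX) first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        match = _FROM_HOP.match(value)
        hops.append(match.group(1) if match else "?")
    return hops


def _domain_of(address) -> str:
    """Extract the domain part of an address header such as From or Return-Path."""
    _, addr = email.utils.parseaddr(address or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _same_org(host: str, domain: str) -> bool:
    host = host.lower().strip("[]")
    return host == domain or host.endswith("." + domain)


def analyze_headers(raw: str) -> Dict[str, object]:
    """Compare the claimed sender domain with the delivering server and envelope."""
    msg = email.message_from_string(raw)
    hops = received_hops(raw)
    from_domain = _domain_of(msg.get("From"))
    delivering = hops[0] if hops else ""
    findings: Dict[str, object] = {
        "from_domain": from_domain,
        "return_path_domain": _domain_of(msg.get("Return-Path")),
        "message_id_domain": (msg.get("Message-ID") or "").strip("<>").rsplit("@", 1)[-1].lower(),
        "delivering_server": delivering,
        "hops": hops,
    }
    # A mismatch is a strong lead, not proof: legitimate bulk senders also relay
    # mail for other domains, which is why SPF, DKIM and DMARC results should be
    # checked alongside this comparison.
    findings["from_mismatch"] = bool(from_domain) and not _same_org(delivering, from_domain)
    findings["return_path_mismatch"] = findings["return_path_domain"] != from_domain
    return findings


if __name__ == "__main__":
    for key, value in analyze_headers(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Only the topmost Received header was written by a server you control; everything below it, like the From header itself, was supplied by the sender and can be forged.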
  30. A. The only error in this rule is the protocol. SMTP does run on port 25, and inbound connections should be accepted from any port and IP address. The destination IP address (10.15.1.1) is correct. However, SMTP uses the TCP transport protocol, not UDP.
  31. B. Chris can correct this error by switching the positions of rules 2 and 3. Rule 3, which permits access from the 10.20.0.0/16 subnet, will never be triggered because any traffic from that subnet also matches rule 2, which blocks it.
  32. D. Rule 4 is correctly designed to allow SSH access from external networks to the server located at 10.15.1.3. The error is not with the firewall rulebase, and Chris should search for other causes.
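Questions 30 through 32 all depend on how a first-match firewall walks its rulebase: a rule that is fully covered by an earlier rule taking the opposite action can never fire. The example below is added here and is not from the book; the rulebase is constructed to mirror the scenario (an SMTP allow, a subnet deny that hides a later allow, and an SSH allow), not copied from the question's table.

```python
"""First-match firewall evaluation and shadowed-rule detection (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # CIDR
    dst: str              # CIDR
    dport: Optional[int]  # None means any destination port


def _covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet `later` would match is already matched by `earlier`."""
    proto_ok = earlier.proto == "any" or earlier.proto == later.proto
    port_ok = earlier.dport is None or earlier.dport == later.dport
    src_ok = ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
    dst_ok = ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
    return proto_ok and port_ok and src_ok and dst_ok


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int, str]]:
    """Return (rule, hidden_by, kind) for rules that can never fire.

    kind is "shadowed" when the earlier rule takes the opposite action (a real
    misconfiguration) and "redundant" when it takes the same action.
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.number, earlier.number, kind))
                break
    return findings


def first_match(rules: List[Rule], proto: str, src_ip: str, dst_ip: str, dport: int) -> Optional[Rule]:
    """Evaluate one packet the way a first-match firewall does."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.proto not in ("any", proto):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        if src in ipaddress.ip_network(rule.src) and dst in ipaddress.ip_network(rule.dst):
            return rule
    return None  # no match; most firewalls then apply an implicit deny


# Constructed rulebase modelled on the scenario (not the book's actual table).
RULEBASE = [
    Rule(1, "allow", "tcp", "0.0.0.0/0", "10.15.1.1/32", 25),      # inbound SMTP
    Rule(2, "deny", "any", "10.20.0.0/16", "0.0.0.0/0", None),      # block a subnet
    Rule(3, "allow", "tcp", "10.20.0.0/16", "10.15.1.0/24", 443),   # hidden by rule 2
    Rule(4, "allow", "tcp", "0.0.0.0/0", "10.15.1.3/32", 22),       # inbound SSH
]

# The fix from the answer: evaluate the specific allow before the broad deny.
FIXED_RULEBASE = [RULEBASE[0], RULEBASE[2], RULEBASE[1], RULEBASE[3]]

if __name__ == "__main__":
    print(shadowed_rules(RULEBASE))        # [(3, 2, 'shadowed')]
    print(shadowed_rules(FIXED_RULEBASE))  # []
    print(first_match(RULEBASE, "tcp", "10.20.5.5", "10.15.1.10", 443))
```

Running the shadow check whenever the rulebase changes catches this class of error before a user reports that a permitted service is unreachable; the SSH rule is reported clean here, which matches the answer to question 32 that the problem lies elsewhere.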
  33. B. Moving to a NAT environment will make the systems inaccessible from the outside world (unless ports are deliberately forwarded to them), massively reducing the organization's attack surface. Installing host firewalls would be a great second step, but could involve significant amounts of work to install and tune the firewalls.
  34. C. The ATT&CK framework defines the attack vector as the specifics behind how the adversary would attack the target. You don't have to memorize ATT&CK to pass the exam, but you should be prepared to encounter questions that you need to narrow down based on what knowledge you do have. Here you can rule out the threat actor and targeting method, and then decide between the attack vector and organizational weakness.
  35. B. Both quarantine networks and captive portals with patch tools and instructions are common solutions to this type of requirement. In this case, placing systems into an isolated quarantine network with access to update and patching sites will meet Manish's needs.
  36. A. Phishing attacks typically target credentials, so Lisa should focus on how to identify what credentials were exposed, how to prevent compromised credentials from causing problems, and how to reduce the likelihood of future successful phishing attacks. At the same time, she will need to monitor for use of the compromised credentials!
  37. C. Session hijacking of insecurely implemented session cookies is the likely result from this type of issue. Matt should spend time with his developers to ensure that they have reviewed resources like the OWASP guides to secure session creation and maintenance.
  38. B. Brute-force attacks rely on the ability to make multiple attempts to log in, access a service, or otherwise allow probes. A back-off algorithm can limit or prevent this by ensuring that only a limited number of attempts are possible before delays or a timed lockout occurs.
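Question 38 here and question 174 in the previous chapter both rest on the same mechanism: brute force needs many attempts, so a back-off algorithm and an eventual lockout cap how many an attacker gets. The example below is added here and is not from the book. It implements exponential back-off per account with a lockout after a fixed number of failures, and drives it with a fake clock so the effect can be measured; the delay and lockout parameters are assumptions.

```python
"""Exponential back-off and lockout for login attempts (added example)."""
import time
from typing import Callable, Dict, Set


class FakeClock:
    """Deterministic clock so demonstrations and tests need not sleep."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class LoginThrottle:
    """Per-account back-off: the wait doubles after each failure, and after
    max_failures the account is locked until someone explicitly unlocks it.

    Keying on the account alone lets an attacker lock legitimate users out, so
    real deployments usually also key on source IP and pair this with MFA.
    """

    def __init__(self, base_delay: float = 1.0, max_failures: int = 10,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.base_delay = base_delay
        self.max_failures = max_failures
        self.clock = clock
        self._failures: Dict[str, int] = {}
        self._next_allowed: Dict[str, float] = {}
        self._locked: Set[str] = set()

    def is_locked(self, account: str) -> bool:
        return account in self._locked

    def check(self, account: str) -> bool:
        """True if an attempt on `account` may proceed right now."""
        if account in self._locked:
            return False
        return self.clock() >= self._next_allowed.get(account, 0.0)

    def record_failure(self, account: str) -> float:
        """Record a failed attempt; return seconds until the next one is allowed
        (infinity once the account is locked)."""
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            self._locked.add(account)
            return float("inf")
        delay = self.base_delay * 2 ** (count - 1)
        self._next_allowed[account] = self.clock() + delay
        return delay

    def record_success(self, account: str) -> None:
        """A successful login resets the back-off state."""
        self._failures.pop(account, None)
        self._next_allowed.pop(account, None)

    def unlock(self, account: str) -> None:
        """The user intervention (help desk, password reset) that ends a lockout."""
        self._locked.discard(account)
        self.record_success(account)


def attempts_permitted(throttle: LoginThrottle, account: str, window: float, clock: FakeClock) -> int:
    """Simulate an attacker trying a wrong password every second for `window`
    seconds and count how many attempts the throttle actually lets through."""
    allowed = 0
    end = clock.t + window
    while clock.t < end:
        if throttle.check(account):
            allowed += 1
            throttle.record_failure(account)
        clock.advance(1.0)
    return allowed


if __name__ == "__main__":
    clock = FakeClock()
    print(attempts_permitted(LoginThrottle(1.0, 5, clock), "target", 3600, clock))   # 5
    clock = FakeClock()
    print(attempts_permitted(LoginThrottle(1.0, 1000, clock), "target", 3600, clock))  # 12
```

Even without any lockout, doubling the delay limits an hour of guessing to about a dozen attempts, versus 3,600 for an unthrottled service; the lockout then puts a hard ceiling on it.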
  39. A. The Structured Threat Information Expression language (STIX), and TAXII, the protocol used to transfer threat intelligence, are open protocols that have been adopted to allow multiple threat sources to be combined effectively. SAML is Security Assertion Markup Language, OCSP is Online Certificate Status Protocol, and CAB was made up for this question.
  40. B. The thing that a threat actor wants to do is a goal in the STIX 2.0 taxonomy. Since you're unlikely to have memorized the taxonomy, when you encounter a question like this you should rule out what you can. Most questions will have one or more obviously incorrect answers—here that's likely their resource level and their alias. If you only ruled those two out, you'd have a 50 percent chance of getting a question like this right. In this case, you can likely then guess that wanting to steal nuclear research data is a goal and move on with the next question.
  41. C. The ATT&CK framework is focused on network defense and broadly covers threat hunting. CAPEC is focused on application security. CVSS is the Common Vulnerability Scoring System, and Mopar is a parts, service, and customer care organization that is part of Fiat Chrysler.
  42. C. NAC (Network Access Control) can combine user or system authentication with client-based or clientless configuration and profiling capabilities to ensure that systems are properly patched and configured and are in a desired security state. Whitelisting is used to allow specific systems or applications to work, port security is a MAC address filtering capability, and Extensible Authentication Protocol (EAP) is an authentication protocol.
  43. D. Oracle databases default to TCP port 1521. Traffic from the “outside” system is being denied when it attempts to access an internal system via that port.
  44. C. Packers, or runtime packers, are tools that self-extract when run, making the code harder to reverse-engineer. Crypters may use actual encryption or simply obfuscate the code, making it harder to interpret or read. Protectors are software that is intended to prevent reverse engineering and often include packing and encryption techniques as well as other protective technologies. Shufflers were made up for this question.
  45. B. Testing for common sample and default files is a common tactic for vulnerability scanners. Nara can reasonably presume that her Apache web server was scanned using a vulnerability scanner.
  46. A. Since Andrea is attempting to stop external scans from gathering information about her network topology, the firewall is the best place to stop them. A well-designed ruleset can stop, or at least limit, the amount of network topology information that attackers can collect.
  47. D. Adam's Snort rule is looking for a specific behavior—in this case, web traffic to example.com's download script. Rules looking for anomalies typically require an understanding of “normal,” whereas trend-based rules need to track actions over time and availability-based analysis monitors uptime.
  48. C. Since LOIC can leverage hundreds or thousands of hosts, limiting each connecting host to a connection rate and volume through filters like those provided by the iptables hashlimit plug-in can help. IP-based blacklisting may work for smaller botnets, but it is difficult to maintain for larger attacks and may eventually block legitimate traffic. Dropping all SYN packets would prevent all TCP connections, and route-blocking filters are not a method used to prevent this type of attack. While he's setting up firewall rules, Carlos may also want to investigate a denial-of-service mitigation partner or service in case the attackers move to more advanced methods or do overwhelm his link.
  49. D. While the infection may not cause the business to lose data, there is an effect as systems must be restored and investigation will need to be done to determine if data was lost in addition to being encrypted in place.
  50. D. The uses described for the workstation that Cormac is securing do not require inbound access to the system on any of these ports. Web browsing and Active Directory domain membership traffic can be handled by traffic initiated by the system.
  51. A. For most Windows user workstations, launches of cmd.exe by programs other than Explorer are not typical. This script will identify those launches and will alarm on them.
  52. C. Cormac built a reasonable initial list of operating system versions, but many devices on a modern network will not match this list, causing operating system version mismatch issues with the matching rules he built. He may need to either add broader lists of acceptable operating systems, or his organization may need to upgrade or replace devices that cannot be upgraded to acceptable versions.
  53. B. Henry's implementation is a form of DNS sinkholing, which sends traffic to an alternate address that acts as the sinkhole for traffic that would otherwise go to a known bad domain.
  54. C. Maria can push an updated hosts file to her domain-connected systems that will direct traffic intended for known bad domains to the localhost or a safe system. She might want to work with a security analyst or other IT staff member to capture queries sent to that system to track any potentially infected workstations. A DNS sinkhole would only work if all of the systems were using local DNS, and offsite users are likely to have DNS settings set by the local networks they connect to. Antimalware applications may not have an update yet, or may fail to detect the malware, and forcing a BGP update for third-party networks is likely a bad idea.
  55. B. Domain names like those listed are a common sign of a domain generation algorithm (DGA), which creates procedurally generated domain names for malware command and control hosts.
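The answer above describes the procedurally generated names a DGA produces. The following is an added example (not code from the original book) that scores domain names from a constructed DNS query log with several of the heuristics analysts use to spot DGA output: character entropy, vowel ratio, long consonant runs, and digit density. The log format, client addresses and domain names are all constructed for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed DNS query log (not from the original page). The three names
# looked up by 10.0.0.15 are shaped like DGA output; the rest are ordinary names.
SAMPLE_DNS_LOG = """\
2019-07-11 12:00:01 client=10.0.0.15 query=xk3jq9vbt2ldpzm.com
2019-07-11 12:00:02 client=10.0.0.15 query=qwzrtpvkxhbmjnlgd.net
2019-07-11 12:00:03 client=10.0.0.15 query=a7f93kd02lqzx.org
2019-07-11 12:00:04 client=10.0.0.22 query=www.example.com
2019-07-11 12:00:05 client=10.0.0.22 query=mail.google.com
2019-07-11 12:00:06 client=10.0.0.31 query=updates.microsoft.com
"""

QUERY_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<name>\S+)")
VOWELS = set("aeiou")
CONSONANT_RUN_RE = re.compile(r"[bcdfghjklmnpqrstvwxyz]+")


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(name):
    """Second-level label of a name (assumes a single-label TLD such as .com)."""
    labels = name.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_indicators(name):
    """Return the list of heuristics a domain trips; empty for normal names."""
    label = registered_label(name)
    letters = [ch for ch in label if ch.isalpha()]
    flags = []
    # Long labels with many distinct characters look machine-generated.
    if len(label) >= 10 and shannon_entropy(label) > 3.3:
        flags.append("high_entropy")
    # Pronounceable names contain vowels; DGA output often has almost none.
    if letters and sum(ch in VOWELS for ch in letters) / len(letters) < 0.2:
        flags.append("few_vowels")
    runs = [len(m) for m in CONSONANT_RUN_RE.findall(label)]
    if runs and max(runs) >= 5:
        flags.append("consonant_run")
    if sum(ch.isdigit() for ch in label) / len(label) > 0.25:
        flags.append("digits")
    return flags


def is_suspected_dga(name, min_flags=2):
    """Require two independent heuristics to keep false positives down."""
    return len(dga_indicators(name)) >= min_flags


def find_dga_clients(log_text):
    """Map each client address to the suspicious names it looked up."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_suspected_dga(m.group("name")):
            hits[m.group("client")].append(m.group("name"))
    return dict(hits)


if __name__ == "__main__":
    for client, names in find_dga_clients(SAMPLE_DNS_LOG).items():
        print(client, names)
```

The thresholds are starting points; a client that resolves many such names in a short period, especially with NXDOMAIN replies, is a stronger signal than any single name.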
  56. B. The first query will identify times when reg.exe was launched by cmd.exe. If the same data is searched to correlate with launches of cmd.exe by explorer.exe, Mark will know when registry edits were launched via the command line (cmd.exe) from Explorer—a process that typically means users have edited the registry, which should be an uncommon event in most organizations and is likely to be a security concern.
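The two-step correlation described in the answer above, as an added example that is not code from the original book. It works over constructed process-creation records (the CSV layout, pids and user names are assumptions; a real source would be Sysmon event 1 or Windows event 4688): the first function finds reg.exe started by cmd.exe, the second keeps only those whose cmd.exe was itself started by explorer.exe.

```python
import csv
import io

# Constructed process-creation records (not from the original page).
# Pids are assumed unique within the analysed window; real logs need
# pid-plus-creation-time keys because Windows reuses pids.
SAMPLE_EVENTS = """\
ts,pid,ppid,image,user
2019-07-11T08:00:00,1200,900,explorer.exe,alice
2019-07-11T08:05:10,2210,1200,cmd.exe,alice
2019-07-11T08:05:15,2215,2210,reg.exe,alice
2019-07-11T08:10:00,3100,500,svchost.exe,SYSTEM
2019-07-11T08:10:02,3105,3100,cmd.exe,SYSTEM
2019-07-11T08:10:03,3108,3105,reg.exe,SYSTEM
2019-07-11T08:20:00,4000,1200,cmd.exe,alice
"""


def parse_events(text):
    """Parse the CSV records into dicts with integer pid/ppid fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["pid"] = int(row["pid"])
        row["ppid"] = int(row["ppid"])
    return rows


def children_of(events, child_image, parent_image):
    """Events whose image is child_image and whose parent process is parent_image."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if (e["image"].lower() == child_image
                and parent is not None
                and parent["image"].lower() == parent_image):
            hits.append(e)
    return hits


def reg_from_cmd(events):
    """First query from the text: pids of reg.exe launched by cmd.exe."""
    return [e["pid"] for e in children_of(events, "reg.exe", "cmd.exe")]


def reg_from_cmd_from_explorer(events):
    """Second step: only reg.exe whose cmd.exe parent came from explorer.exe,
    i.e. a user editing the registry from an interactive command prompt."""
    interactive_cmds = {e["pid"] for e in children_of(events, "cmd.exe", "explorer.exe")}
    return [e["pid"] for e in children_of(events, "reg.exe", "cmd.exe")
            if e["ppid"] in interactive_cmds]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("reg.exe via cmd.exe:", reg_from_cmd(evts))
    print("reg.exe via cmd.exe via explorer.exe:", reg_from_cmd_from_explorer(evts))
```

In the sample, the SYSTEM-owned chain under svchost.exe matches the first query but not the second, which is the noise the explorer.exe correlation is meant to remove.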
  57. C. When a vulnerability exists and a patch has not been released or cannot be installed, compensating controls can provide appropriate protection. In the case of PCI DSS (and other compliance standards), documenting what compensating controls were put in place and making that documentation available is an important step for compliance.
  58. D. Mateo's only sure bet to prevent these services from being accessed is to put a network firewall in front of them. Many appliances enable services by default, and since they are appliances, they may not have host firewalls available to enable. They also often don't have patches available, and many appliances do not allow the services they provide to be disabled or modified.
  59. B. This command uses the -i flag, which means it will ignore the case of the text. That means that grep will search all files with a .txt extension for any occurrences of example, regardless of the case or other letters around it.
  60. C. A data loss prevention (DLP) system may be able to intercept and block unencrypted sensitive information leaving the web server, but it does not apply cryptography to web communications. Transport Layer Security (TLS) is the most direct approach to meeting Pranab's requirement, as it encrypts all communication to and from the web server. Virtual private networks (VPNs) may also be used to encrypt network traffic, adding a layer of security. Full-disk encryption (FDE) may also be used to protect information stored on the server in the event the disk is stolen.
  61. A. The top command provides a real-time view of the memory usage for a system on a per-process basis. The ls command does not work for memory; mem was made up for this question; and memstat is used to check the state of memcached servers, and it won't help in this circumstance. If you're not familiar with basic Linux commands like top, you should spend some time with a Linux system as you prepare for the CySA+ exam. A basic understanding of common commands can be very helpful.
  62. A. Logging of application and server activity may provide valuable evidence during a forensic investigation. The other three controls listed are proactive controls designed to reduce the risk of an incident occurring and are less likely to directly provide information during a forensic investigation.
  63. C. The key requirements here are that this is an existing network and that the systems are BYOD. That means that Latisha should focus on an agentless system to remove the hurdles that agent-based scanning requires and that an out-of-band solution is likely appropriate since they are easier to retrofit to an existing network than an in-line solution, which can require rearchitecting a network to place the in-line NAC device into a central control location. It is important to note that Latisha will likely have less visibility than she would have with an agent-based system.
  64. A. Group Policy Objects (GPOs) are used to enforce security and configuration requirements within Active Directory. Active Directory forests and organizational units (OUs) are designed to organize systems and users hierarchically and do not directly allow security configurations, although GPOs may be applied to them. Domain controllers (DCs) are the servers that are responsible for providing Active Directory Domain Services to the organization and would be the point for applying and enforcing the GPO.
  65. A. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for encryption and signing that has been implemented for many email platforms. If his email client and the recipient's email client both support it, Eric can digitally sign his email to prove that he sent it and that the content has not been changed.
  66. B. These commands will add filters to the INPUT ruleset that block traffic specifically from hosts A and B, while allowing only port 25 from host C. Option D might appear attractive but allows all traffic instead of only SMTP. Option A only drops SMTP traffic from host B (and all of the other hosts in its /24 segment), whereas option C allows traffic in from the hosts we want to block.
  67. A. Adding an iptables entry uses the -A flag to add to a list. Here, we can safely assume that OUTPUT is the outbound ruleset. The -d flag is used to designate the IP address or subnet range, and -j specifies the action, DROP.
  68. D. This view of htop shows both CPU1 and CPU2 are maxed out at 100 percent. Memory is just over 60 percent used. Almost all swap space is available.
  69. B. The top command will show a dynamic, real-time list of running processes. If Amanda runs this, she will immediately see that two processes are consuming 99 percent of a CPU each and can see the command that ran the program.
  70. D. The kill command is used to end processes in Linux. Amanda should issue the kill -9 command followed by the process ID of the processes she wants to end (the -9 flag is the signal, and means “really try hard to kill this process”). Since she has run both top and htop, she knows that she needs to end processes 3843 and 3820 to stop stress from consuming all her resources. A little research after that will show her that stress is a stress testing application, so she may want to ask the user who ran it why they were using it if it wasn't part of their job.
  71. A. MAC address spoofing or cloning will allow a system to easily bypass port security because port security only relies on MAC address verification to decide which systems can connect to a given network port.
  72. B. By default, an iptables firewall will have INPUT, OUTPUT, and FORWARD chains. Piper should use the DROP command on all three to stop all traffic to or from a machine.
  73. B. Syd has added an entry to the hosts file that routes all traffic for example.com to her local address. This is a useful technique to prevent a system from contacting a malicious host or domain, or to simply prevent a nontechnical user from visiting specific sites or domains.
  74. B. John has discovered a program that is both accepting connections and has an open connection, neither of which is typical for the Minesweeper game. Attackers often disguise trojans as innocuous applications, so John should follow his organization's incident response plan.
  75. C. Endpoint detection and response (EDR) tools use software agents to monitor endpoint systems and to collect data about processes, user and system activity, and network traffic, which is then sent to a central processing, analysis, and storage system.
  76. C. This command will prevent commands entered at the Bash shell prompt from being logged, as they are all sent to /dev/null. This type of action is one reason that administrative accounts are often logged to remote hosts, preventing malicious insiders or attackers who gain administrative access from hiding their tracks.
  77. D. When an email is forwarded, a new message with a new Message-ID header will be created. The In-Reply-To and References fields will also be set as normal. The best option that Charles has is to look for clues like a subject line that reads “FWD”—something that is easily changed.
  78. D. The passwd binary stands out as having recently changed. This may be innocuous, but if Marta believes the machine was compromised, there is a good chance the passwd binary has been replaced with a malicious version. She should check the binary against a known good version, and then follow her incident response process if it doesn't match.
  79. B. Scheduled tasks, service creation, and autostart registry keys are all commonly found on Windows systems for legitimate purposes. Replacing services is far less common unless a known upgrade or patch has occurred.
  80. B. Even if you don't recognize the Windows Event ID, this query provides a number of useful clues. First, it has an interval of four hours, so you know a timeframe. Next, it lists data.login.user, which means you are likely querying user logins. Finally, it includes machine count, and >1, so you can determine that it is looking for more than one system that has been logged in to. Taken together, this means that the query looks for users who have logged in to more than one machine within any given four-hour period. Matt may want to tune this to a shorter time period, because false positives may result for technical support staff, but since most users won't log in to more than one machine, this could be a very useful threat-hunting query.
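The hunt described in the answer above, as an added example that is not code from the original book: it reads constructed logon records (timestamp, user, machine; a real source would be Windows event 4624 in the SIEM) and reports users seen on more than one machine inside any four-hour window, with the window length adjustable as the answer suggests.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon records (not from the original page): (timestamp, user, machine).
SAMPLE_LOGONS = [
    ("2019-07-11T08:00:00", "alice", "WS-ALICE"),
    ("2019-07-11T09:30:00", "alice", "WS-ALICE"),     # same machine twice: fine
    ("2019-07-11T08:15:00", "bob", "WS-BOB"),
    ("2019-07-11T10:40:00", "bob", "FILESRV01"),      # second machine 2h25m later
    ("2019-07-11T07:00:00", "helpdesk1", "WS-0120"),
    ("2019-07-11T13:00:00", "helpdesk1", "WS-0342"),  # second machine 6h later
]


def users_on_multiple_machines(logons, window_hours=4):
    """Return {user: sorted machines} for every user who logged in to more than
    one machine within any sliding window of window_hours."""
    window = timedelta(hours=window_hours)
    per_user = defaultdict(list)
    for ts, user, machine in logons:
        per_user[user].append((datetime.fromisoformat(ts), machine))

    flagged = {}
    for user, events in per_user.items():
        events.sort()
        machines = set()
        j = 0
        for i, (start, _) in enumerate(events):
            if j < i:
                j = i
            # Advance j to the last event that still falls inside the window.
            while j + 1 < len(events) and events[j + 1][0] - start <= window:
                j += 1
            in_window = {m for _, m in events[i:j + 1]}
            if len(in_window) > 1:
                machines |= in_window
        if machines:
            flagged[user] = sorted(machines)
    return flagged


if __name__ == "__main__":
    print(users_on_multiple_machines(SAMPLE_LOGONS))
    print(users_on_multiple_machines(SAMPLE_LOGONS, window_hours=8))
```

Widening the window to eight hours also catches helpdesk1, which illustrates the false-positive trade-off the answer mentions for technical support staff.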
  81. D. The strings command extracts strings of printable characters from files, allowing Ben to quickly determine the contents of files. Grep would require knowing what he is looking for, and both more and less will simply display the file, which is often not a useful strategy for binaries.
  82. D. DNS sinkholes can block many types of drive-by downloads by preventing systems from connecting to malicious sites. DNS sinkholes do have limitations: they only work when a DNS query occurs, which means that some malware uses IP addresses directly to avoid them. They also can't stop malware from being executed, and of course malware could use a hard-coded DNS server instead of the organization's DNS server.
  83. D. The service running from the www directory as the user apache should be an immediate indication of something strange, and the use of webmin from that directory should also be a strong indicator of something wrong. Lucas should focus on the web server for the point of entry to the system and should review any files that the apache user has created or modified. If local vulnerabilities existed when this compromise occurred, the attacker may have already escalated to another account.
  84. A. SCAP (Security Content Automation Protocol) is a set of specifications that define how to exchange security automation content used to assess configuration compliance. It can also be used to detect vulnerable versions of software.
  85. C. Damian has likely encountered an advanced persistent threat (APT). They are characterized as extremely well-resourced actors whose compromises typically have an extended dwell time and the ability to scale capabilities to counter defenders over time.
  86. D. Linux and Unix systems typically keep user account information stored in /etc/passwd, and /etc/shadow contains password and account expiration information. Using diff between the two files is not a useful strategy in this scenario.
  87. C. The increasing digit of the IP address of the target system (.6, .7, .8) and the ICMP protocol echo request indicate that this is a ping sweep. This could be part of a port scan, but the only behavior that is shown here is the ping sweep. This is ICMP, and cannot be a three-way handshake, and a traceroute would follow a path, rather than a series of IP addresses.
  88. C. API-based integrations allow a SOAR environment to send queries as required for the data they need. Flat files and CSVs can be useful when there is no API, or when there isn't support for the API in an environment, and real-time integration is not required. Email integrations can result in delays as email delivery is not done at a guaranteed speed and can require additional parsing and processing to extract information. Although it isn't in the list here, Bruce might consider a direct database connection if he was unable to use an API and wanted real-time data.
  89. D. Although the CySA+ exam includes email signatures in the list of items you may want to analyze, the same techniques are used to analyze the entire body of an email for malicious links and payloads. Header data is often checked against IP reputation databases and other checks that can help limit email from spam domains and known malicious senders. Signature blocks, however, are not typically a primary analysis tool.
  90. C. TCP port 22 indicates that this is most likely an SSH scan, and the single packet with no response traffic indicates unsuccessful connection attempts. If the system is not normally used for scanning for open SSH servers, Alice should look into why it is behaving this way.
  91. C. Debuggers allow you to control the execution of a program by setting breakpoints, changing input data and variables, and otherwise controlling the execution of the program. Disassemblers and decompilers can provide insight into the code of a binary (either source code or assembly code), whereas an unpacker helps remove compression or encryption used to help obfuscate the code itself.
  92. A. When you use grep with the -i flag, it performs a case-insensitive search. Neither -uc nor -case is a valid flag for this, and the search term comes before the filename, which means grep example.txt cysa+ will attempt to search a file named cysa+ for the example.txt phrase.
  93. C. The most common solution to identifying malicious embedded links in email is to use an antimalware software package to scan all emails. They typically include tools that combine IP and domain reputation lists as well as other heuristic and analytical tools to help identify malicious and unwanted links.
  94. A. Automated malware analysis tools use a secure and instrumented sandbox environment to unpack and run malware so that they can observe and record actions taken by the malware. This is used to perform behavioral analysis as well as to generate file fingerprints and other elements of unique malware signatures.
  95. B. Large data flows leaving an organization's network may be a sign of data exfiltration by an advanced persistent threat. Using HTTPS to protect the data while making it look less suspicious is a common technique.
  96. B. Repeated failures from the same host likely indicate a brute-force attack against the root account.
  97. C. Fortunately, the sshd service has a configuration setting called PermitRootLogin. Setting it to no will accomplish Singh's goal.
  98. A. The at command can be used to schedule Windows tasks. This task starts netcat as a reverse shell using cmd.exe via port 443 every Friday at 8:30 p.m. local time. Azra should be concerned, as this allows traffic in that otherwise might be blocked.
  99. C. This output shows a brute-force attack run against the localhost's root account using SSH. This resulted in the root user attempting to reauthenticate too many times, and PAM has blocked the retries. Fail2ban is not set up for this service; thus, this is the one item that has not occurred. If it was enabled, the Fail2ban log would read something like 2019-07-11 12:00:00,111 fail2ban.actions: WARNING [ssh] Ban 127.0.0.1.
  100. B. NAC solutions that implement employee job function-based criteria often use time-based controls to ensure that employees only have access when they are supposed to be working, role-based criteria due to their duties, and location-based rules to ensure that they only access networks where they work. Rule-based criteria typically focus on system health and configuration, thus focusing more on the computer or software than the user.
  101. C. The best option for Naomi is a dedicated sandbox tool like Sandboxie or a cloud service sandbox like app.run.any. They are designed to isolate the malware while providing instrumentation to capture and analyze the results of the malware execution. Manually building a virtualization environment is a possibility but requires a lot of work to instrument and build tools to analyze the malware. A containerization tool is best suited to app deployment, and a packet analyzer is useful for looking at network traffic.
  102. B. The -l flag is a key hint here, indicating that netcat was set up as a listener. Any connection to port 43501 will result in example.zip being sent to the connecting application. Typically, a malicious user would then connect to that port using netcat from a remote system to download the file.
  103. C. TCP port 3389 is the standard Microsoft Remote Desktop Protocol (RDP) port. This query would return all matches for source and destination names for all network events where the destination port was 3389—most likely a system with an accessible RDP service.
  104. D. Security checks are important at all the points listed in the question. After code is checked into a repository it can be checked using static code analysis tools. Code will then be tested in an automated test environment where it can be fuzz-tested, checked to make sure it is properly hardened, and tested in ways that a production environment might not risk. Finally, production environments can be monitored and penetration tested.
  105. A. Windows 10 Pro and Enterprise supports application whitelisting. Lukas can whitelist his allowed programs, then set the default mode to Disallowed, preventing all other applications from running and thus blacklisting the application. This can be a bit of a maintenance hassle but can be useful for high-security environments, or those in which limiting what programs can run is critical.
  106. C. This shows an attempted SQL injection attack. The query reads 1' UNION SELECT 0, and then looks for username, user_id, password, and email from the users table.
  107. B. A network packet and protocol analyzer like Wireshark can allow Jason to view the network activity that the worm takes, and thus to analyze its behavior. A disassembler will allow him to take apart the application binary to view the code behind it, whereas a debugger would allow him to manipulate the program as it is running. Finally, a PE viewer can help with things like dependency viewing for Windows binaries.
  108. D. The flags -n -i -v mean that the search will list the line numbers for each occurrence where the word mike does not appear. In fact, the -v flag reverses the usual search to make this search for places where the term does not show up. Using an * for the filename will match all files in the current directory.
  109. C. Remember that rights are read from left to right as user rights, group rights, then world rights. Here we have read, write, and execute (rwx) for chuck, rw for admingroup, and r for world.
  110. C. Attackers often use built-in editing tools that are inadvertently or purposefully exposed to edit files to inject malicious code. In this case, someone has attempted to modify the 404 file displayed by WordPress. Anybody who received a 404 error from this installation could have been exposed to malicious code inserted into the 404 page, or simply a defaced 404 page.
  111. B. A SOAR (Security Orchestration, Automation, and Response) tool is focused on exactly what Melissa needs to do. While SIEM provides similar functionality, the key differentiator is the breadth of the platforms that SOAR tools can acquire data from, as well as the process automation capabilities they bring. UEBA (user entity behavior analytics) tools focus on behaviors rather than on a broad set of organizational data, and MDR (managed detection response) systems are used to speed up detection, rather than for compliance and orchestration.
  112. C. Monica issued a command that only stops a running service. It will restart at reboot unless the scripts that start it are disabled. On modern Ubuntu systems, that is handled by upstart. Other services may use init.d scripts. In either case, when asked a question like this, you can quickly identify this as a problem that occurred at reboot, and remove the answer that isn't likely to be correct.
  113. B. Intrusion prevention systems are placed in-line between networks or systems so that they can interact with traffic, giving them the ability to block attacks that they detect. This can also be dangerous, since a misconfigured IPS, an IPS that experiences a hardware or software failure, or an IPS with a false positive detection can prevent legitimate traffic from flowing. Both IDSs and IPSs can detect the same attacks, and both can use heuristic as well as signature-based detection if they are capable of doing so.
  114. B. Encapsulating Security Payload (ESP) packets are part of the IPsec protocol suite and are typically associated with a tunnel or VPN. Ryan should check for a VPN application and determine what service or system the user may have connected to.
  115. A. Bohai can see that no invalid logins occurred and that someone logged in as the user after business hours. This means that the account has likely been compromised and that he should investigate how the password was lost. (In many cases, Bohai needs to ask the VP of Finance about bad password habits like writing it down or using a simple password.)
  116. C. Although some blacklists use entire IP ranges, changing IP addresses for SMTP servers is often a valid quick fix. Some organizations even discover that one server has been blacklisted and others in their cluster have not been. Migrating to a cloud provider or working with the blacklisting organizations can also help, and online validation tools can help Wang quickly check which lists her organization is on. Changing SMTP headers won't help.
  117. A. A desktop application that does not normally provide remote access opening a service port is an example of anomalous behavior. If a web server opened TCP/80 or TCP/443 it would be expected behavior and is likely to be known good behavior. Entity and heuristic behavior were both made up for this question.
  118. B. Large data flows leaving an organization's network may be a sign of data exfiltration by an advanced persistent threat (APT). Using HTTPS to protect the data while making it look less suspicious is a common technique.
  119. B. Data enrichment combines data from multiple sources like directories, geolocation information, and other data sources as well as threat feeds to provide deeper and broader security insights. It is not just a form of threat feed combination, and threat feed combination is a narrower technique than data enrichment is.
  120. D. DNS blackholing uses a list of known malicious domains or IP addresses and relies on listing the domains on an internal DNS server, which provides a fake reply. Route poisoning prevents networks from sending data to a destination that is invalid. Routers do not typically have an antimalware filter feature, and subdomain whitelisting was made up for this question.
  121. C. When endpoints are connected without a network control point between them, a host-based solution is required. In this case, Lucca's specific requirement is to prevent attacks, rather than simply detect them, meaning that a host intrusion prevention system (HIPS) is required to meet his needs. Many modern products combine HIPS capabilities with other features like data loss prevention (DLP) and system compliance profiling, so Lucca may end up with additional useful capabilities if he selects a product with those features.
  122. C. Best practice for most network devices is to put their administrative interfaces on a protected network. Many organizations then require administrators to connect via a jump box, adding another layer of protection. Preventing console access is typically not desirable in case changes need to be made and a GUI is not available. Login-block can help, but will only slow down attacks and will not prevent them.
  123. C. Random or deterministic sampling can help Sam's team capture usable flows despite not being able to handle the full throughput of their network. Random sampling will capture a random packet out of every n packets, with n set by the user. Deterministic sampling simply takes every nth packet that passes through. So Sam might sample the 1st, 11th, 21st, and so on. This means that small flows may be missed, but in this case, sampling half of all packets is still possible, meaning most flows will still be captured.
  124. B. Alice can use trend analysis to help her determine what attacks are most likely to target her organization, and then take action based on the trends that are identified.
  125. B. Security information and event management (SIEM) systems typically provide alerting, event and log correlation, compliance data gathering and reporting, data and log aggregation, and data retention capabilities. This also means that they can be used for forensic analysis since they should be designed to provide a secure copy of data. They do not typically provide performance management-specific capabilities.
  126. B. Tripwire and similar programs are designed to monitor files for changes and to report on changes that occur. They rely on file fingerprints (hashes) and are designed to be reliable and scalable. Kathleen's best bet is to use a tool designed for the job, rather than to try to write her own.
  127. B. Heuristic detection methods run the potential malware application and track what occurs. This can allow the antimalware tool to determine if the behaviors and actions of the program match those common to malware, even if the file does not match the fingerprint of known malware packages.
  128. A. In this case, if the user is logged in to administrative systems, privileged account usage would be the most useful additional detail that Alaina could have available. Time-based login information might also prove useful, but a traveling administrative user might simply be in another time zone. Mobile device profile changes and DNS request anomalies are less likely to be correlated with a remote exploit and more likely to be correlated with a compromise of a user device or malware respectively. Rank Software provides a great threat hunting playbook at cdn2.hubspot.net/hubfs/2539398/Rank%20Software_Threat%20Hunting%20Playbook.pdf that may prove useful to you as you consider these threats.
  129. B. Firewall logs typically contain information similar to that contained in NetFlow records. However, the firewall does not always have the same access to network traffic as the switches and routers that generate NetFlow information. Though not a complete substitute, firewall logs do offer a good compensating control for the lack of NetFlow records. Routers and switches do not typically record traffic records in their standard logs—this is the function of NetFlow, which is unavailable on this network. Intrusion prevention systems (IPSs) do not record routine traffic information.
  130. A. macOS has a built-in memory monitoring tool as part of the Activity Monitor. It will show you details, including how much memory the system has, what is used by applications and the operating system, how much space is taken up by cached files to improve system performance, how much space is used on your disk for swap space, and how efficiently your memory is being used in the form of a statistic called memory pressure.
  131. D. Endpoint security suites typically include host firewalls, host intrusion prevention systems (IPSs), and antimalware software. Virtual private network (VPN) technology is normally a core component of the operating system or uses software provided by the VPN vendor.
  132. B. Vulnerability scanning would not serve as a compensating control because it would only detect, rather than correct, security flaws. There is no indication that encryption is not in place on this server or that it would address a SQL injection vulnerability. Both an intrusion prevention system (IPS) and a web application firewall (WAF) have the ability to serve as a compensating control and block malicious requests. Of the two, a WAF would be the best solution in this case because it is purpose-built for protecting against the exploitation of web application vulnerabilities.
  133. C. The first entry in the log indicates that the user authenticated from the system 10.174.238.88.
  134. C. The second log entry indicates that the sshd daemon handled the connection. This daemon supports the Secure Shell (SSH) protocol.
  135. B. The first log entry indicates that the user made use of public key encryption (PKI) to authenticate the connection. The user, therefore, possessed the private key that corresponded to a public key stored on the server and associated with the user.
  136. B. The identity of the user making the connection appears in the first log entry: accepted publickey for ec2-user. The third log entry that contains the string USER=root is recording the fact that the user issued the sudo command to create an interactive bash shell with administrative privileges. This is not the account used to create the server connection. The pam_unix entry indicates that the session was authenticated using the pluggable authentication module (PAM) facility.
  137. B. Network flows can be used to identify traffic patterns between systems that are atypical or which connect to systems that are known malware or malicious sites. Using his SIEM, Lucca can look for top talkers, behavior or trend-based anomalies, or other correlations that point to an issue.
  138. C. This flow sample shows four distinct hosts being accessed from 192.168.2.1. They are 10.2.3.1, 10.6.2.4, 10.6.2.5, and 10.8.2.5.
  139. C. Forming a hypothesis should be Fiona's next step. Once she starts to consider a scenario, she needs to identify the target and likely adversary techniques, and determine how she would verify the hypothesis.
  140. B. In STIX, these are all attack resource levels ranging from individuals all the way to government-level resources. When you encounter a question like this, you should eliminate the answers that can be easily removed like certification level and threat name. After that, think about what the goals are for profiling threat actors. In this case, attack resource level makes sense as part of a capability description.
  141. B. Awareness campaigns are among the most effective ways to counter spear phishing. A well-resourced APT organization will send email from legitimate email addresses, thus bypassing most DKIM and SPF defenses. Blocking email from all unknown senders is not acceptable to most organizations.
  142. D. Artificial intelligence (AI) and machine learning (ML)-based approaches are ideal for large volumes of log and analytical data. Manual processes like hypothesis-driven investigations, or IOC- or IOA-driven investigations, can take significant amounts of time when dealing with large volumes of data.
  143. D. Dani needs to carefully consider what could occur while she is analyzing the malware. Once it is allowed to connect to one or more remote systems, she needs to be aware that it may result in behavior changes, probes, or attacks by the attacker, or it could attack other systems once it has a network connection and can receive commands.
  144. C. You may not remember every common TCP port, but you'll want to make sure you have a good command of a few of them, including things like the LPR (515), IPP (631), and RAW (9100) ports common to many printers. Since these ports need to be open for printing services, the best option would be to move them to a protected subnet or IP range. RFC 1918 nonroutable IP addresses are often used for this purpose, but James may want to look into why devices like this are exposed to the Internet. He may have a deeper problem!
  145. B. Bundling critical assets into groups allows similar assets to be assessed together, leveraging the similarity of their threat profiles. This makes analysis less complex, rather than more complex. Assets should be grouped by similar sensitivity levels, rather than mixed. Threats are assessed against other threats for comparison purposes, and bundling assets will not provide a baseline for them.
  146. C. There are many indicators of compromise, including the ones listed in this question, as well as things like anomalies in privileged account usage, abnormal database requests and traffic patterns, geographical and time-based anomalies in usage patterns, unexpected and abnormal traffic growth, and many others. SCAP is an automation protocol, and neither of the threat answers is a good fit for this list, although threat hunting and threat feeds may include details such as the type of traffic or attack information.
  147. B. Services, input fields, protocols, APIs, and other potential targets are all examples of attack vectors. Threats are possible dangers that might exploit a vulnerability, and risks are the exposure to loss or harm that results from breaches or attacks. Surface tension is a term from physics, not cybersecurity.
  148. C. STIX and TAXII together are key elements of many integrated intelligence platforms because they offer an open standard for describing and transferring threat intelligence data. The term that the CySA+ exam objectives use for this concept is integrated intelligence. Combining sources of threat intelligence into a single platform or model is an important concept, as different threat feeds may have different biases, access to information that others do not, or other advantages or disadvantages that you may want to leverage or work around. Thus, using integrated intelligence should be part of your threat intelligence process.
  149. B. Since Naomi is specifically concerned about an end-user driven threat in the form of insider threats, a UEBA (user entity behavior analytics) tool is her best option from the list. A UEBA system will monitor for behaviors that are atypical for users such as those that an insider threat may take. An intrusion detection system would detect anomalous network activity and attacks, whereas both SOAR and SIEM systems would be useful for centralizing data from tools like the UEBA and IDS tools.
  150. D. Ling can use her SOAR system to analyze all of the common indicators of phishing emails, including subject line content, sender addresses, attachments, and headers. From there, her SOAR system can assign a severity value to the email and take appropriate action, such as testing attachments in an isolated environment, or removing phishing emails from mailboxes across her organization.
  151. C. The only consistent indicator for this bot in the list is the IP address. Isaac should write his script to validate the IP addresses of systems to see if they should be blacklisted.
  152. B. SOAR systems offer many ways to ingest data, and syslog, APIs, email, STIX/TAXII feeds, and database connections are all common ways for data to be acquired.
  153. B. Automated malware signature creation is necessary because of the massive number of new malware packages, variants, and thus new signatures that are created daily. The BASS overview from 2017 when BASS was created noted that there were 9,500 new signatures daily, and this issue has only gotten worse.
  154. D. The CySA+ Exam Outline refers to this process as data enrichment. Data enrichment can take many forms, but the basic concept is that adding and correlating multiple data sources provides a richer, more useful data environment. As you might have guessed, the remainder of the options for this question were made up.
  155. C. Data in use is the term most commonly used to describe data that a user is currently using or interacting with. Data at rest describes data that is in storage or archived. Data in motion is data that is moving through a network to an endpoint. Data execution was made up for this question.
  156. B. The question's description includes details about the use of the startup Registry entry for Common Startup and lists a Registry key. This means that the Reaver malware as described maintains persistence by using a Registry key.
  157. C. Machine learning in systems like this relies on datasets to build profiles of behavior that it then uses to identify abnormal behavior. They also use behavioral data that is frequently associated with attacks and malware, and use that to compare to the user behavior patterns. Signature-based analysis uses hashing or other related techniques to verify if files match a known malware package. The Babbage machine is a mechanical computer, and artificial network analysis was made up for this question.
  158. C. Although SIEM and SOAR systems often have similar functionality, SOAR systems are typically designed to work with a broader range of internal and external systems, including threat intelligence feeds and other data sources, and then assist with automation of responses.
  159. C. The National Vulnerability Database uses the Security Content Automation Protocol (SCAP) to represent vulnerability management data. STIX is a structured language used to describe cyberthreat information. CVSS (Common Vulnerability Scoring System) and CPE (Common Platform Enumeration) are both used to help feed the SCAP data.
  160. C. Continuous integration helps developers integrate their code into the mainline code base frequently. Although automated testing isn't always a part of continuous integration, it is a useful part of a complete continuous integration (CI)/continuous delivery (CD) pipeline. Continuous delivery is aimed at making your code pipeline deployable at any time by using automated testing and automated configuration. Some organizations then automatically push the changes into production. Both repo-stuffing and time coding were made up for this question.
  161. B. A single analyst working alone is likely to be limited by their own knowledge, experience, and experiential biases. Thus, Fiona should review her hypotheses for her own natural biases and may want to involve other analysts or experts to help control for them.
  162. D. According to the STIX 2.0 taxonomy (docs.oasis-open.org/cti/stix/v2.0/csprd02/part1-stix-core/stix-v2.0-csprd02-part1-stix-core.html#_Toc482357275), state actors like those that are responsible for APT-level attacks are classified as strategic. Experts are skilled and may create their own tools but are not operating at the massive scale of an APT actor.
  163. C. STIX (Structured Threat Information Expression Language) was developed for exactly this purpose. It is intended to be shared by the TAXII (Trusted Automated Exchange of Intelligence Information) protocol, via a hub-and-spoke, source/subscriber, or peer-to-peer distribution model. OAuth is used for access delegation, and STONES was made up for this question.
  164. C. Alaina's best option is to delete emails with these URLs from all inbound email. Blocking or monitoring for the IP addresses can help, but mobile and off-site users will not be protected if they do not send their traffic through her firewall or IDSs.
  165. A. A DNS sinkhole exactly meets Rowan's needs. It can redirect traffic intended for malicious sites and botnet controllers to a landing page, which warns the end user that something went wrong.
  166. B. Domain generation algorithms (DGAs) automatically generate domains using an algorithm driven by the time of day, cryptographic keys, or other information that the algorithm can use to identify domain names it should connect to. DGAs will generate a large number of names, and malware authors then only need to use a small subset, making the control hosts hard to find, whereas defenders must identify or block all the generated hosts.
  167. D. TCP port 22 is commonly used for SSH traffic. If you haven't learned the common ports, you should review them before taking the CySA+ exam.
  168. A. Static code analysis requires access to the source code, meaning that the SAST tool will need to be compatible with all the languages that Michelle needs to have tested. Binary output language was made up for this question, while options C and D both refer to dynamic testing because the application would be run in both options.
  169. B. Signature-based detections must match the defined signature used by the IPS. Some IPSs can use heuristic (behavior)-based detection techniques; however, Nina has not used this in her setup, so new attacks with dangerous behaviors will not be detected.
  170. B. A NetFlow or sFlow implementation can provide Nathan with the data that he needs. Flows show the source, destination, type of traffic, and amount of traffic, and if he collects flow information from the correct locations on his network, he will have the ability to see which systems are sending the most traffic and will also have a general idea of what the traffic is. A sniffer requires more resources, whereas SDWAN is a software-defined wide area network, which might provide some visibility but does not necessarily meet his needs. Finally, a network tap is used to capture data, but a tap alone does not analyze or provide this information.
  171. B. It may be tempting to answer “no impact” but the better answer here is “no impact to services.” The system will still require remediation, which will consume staff time, so there will not be a total lack of impact.
  172. D. The service is noncritical because it can be used to conduct business as usual after it is restored without a meaningful business impact due to the outage. During the outage, however, this is a denial of a noncritical service.
  173. D. Discovering an APT in your administrative systems typically indicates that you have lost control of your environment.
  174. C. The Transport Layer Security entry shows 20.3 percent of the traffic was sent over TLS. Although this may not all be encrypted web traffic, the likely answer is that the majority of it is.
  175. B. A binary file is downloaded from 49.51.172.56, as shown by the GET command for nCvQOQHCBjZFfiJvyVGA/yrkbdmt.bin. Annie should mark this as an indicator of compromise (IOC) and look for other traffic to or from this host, as well as what the workstation or system it is downloaded to does next.
  176. A. Annie's best option is to conduct an antimalware scan with a tool capable of detecting the Dridex malware. Since most malware command and control systems have multiple control nodes, simply blocking traffic to or from the system might be helpful, but it is unlikely to stop the infection from carrying out the bank credential theft that Dridex is known for.
  177. B. Steve could use Wireshark to capture the download traffic and to observe what host the file was downloaded from. Antimalware tools typically remove the malware but do not provide detailed visibility into its actions. An IPS can detect attacks but would need specific rules to detect the actions taken. Network flows will show where the traffic went but will not provide detailed specifics like a packet capture tool would.
  178. B. A relatively common issue during log reviews is incorrect or mismatched time zone settings. Many organizations that operate in more than one time zone use UTC (Universal Time Coordinated) to avoid having to do time zone corrections when comparing logs. In this case, Abdul should check the server that is recording the events at 6 p.m. to see if it is set to the wrong time zone or otherwise is misconfigured to have the wrong system time.
  179. D. Anonymous and other politically motivated groups are typically classified as hacktivists because their attacks are motivated for political or other activist reasons.
  180. D. Human safety and human lives are always the most critical system or resource. Here, safety systems should receive the highest rating, and in the US-CERT NCISS demo, they receive 100/100 points on the scale.
  181. D. All of these are common validation targets for agent-based NAC systems. Systems that do not meet the required update levels will often be placed in a quarantine network or may not be allowed to connect to the network.
  182. C. Port security relies on MAC addresses to allow or reject systems that are plugged into network ports that it is used on.
  183. B. Data loss prevention (DLP) systems use business rules that define when and how data is allowed to move around an organization, as well as how it should be classified. Data at rest is data that is not moving, and the remaining options were made up for this question.
  184. C. Although some circumstances may require Jana to build a custom detection, commercial IPS vendors work hard to provide signatures for new threats. If she can, she should use the signature from her vendor. If she builds a detection based only on a proof of concept, she may only detect the POC. Blocking all traffic to the web servers is unlikely to be acceptable to the business, and researching and building a custom rule can take quite a while, especially if she does not have access to the exploit detail she needs to write it.
  185. B. Zhi should put her network flow collector at point B. This will prevent it from collecting information about traffic that the firewall would block but will show all flows that are headed out of or into the network. Both points C and D will capture information only from their respective network segments.
  186. B. Endpoint detection and response (EDR) tools are integrated security solutions that monitor endpoint systems and collect activity data, and then use threat intelligence and behavioral analysis to automatically respond by removing or quarantining potential threats. EDR tools can also be helpful for forensic analysis and incident response. An IPS would be useful for monitoring network traffic, a CRM is a customer relationship management tool, and a UEBA would capture user behavior but does not have the same threat intelligence and response capabilities that an EDR has.
  187. B. Using numeric rights syntax, a 7 stands for read+write+execute, 4 stands for read, 2 stands for write, and 1 stands for execute, with 0 standing for no permissions. Adding the numbers together can tell you what permission you are giving. Here, Benita has set it to retain her personal full access to the file and has given read to groups and all. She could have also simply set it to 704, but we didn't have that option listed.
  188. C. Although you can build an isolated sandbox or VM, the safest way to analyze malware is to analyze the source code rather than running it. Thus, static analysis is the safest answer, but it may not be as useful as dynamic analysis where you can capture what the malware does as it happens. Static analysis can also be significantly slower because of the effort required to disassemble the code and reverse-engineer what it is doing.
  189. B. A cloud access security broker (CASB) is the ideal tool to increase Tom's visibility into cloud services. CASB tools are specifically designed to monitor for cloud access patterns and to ensure that unwanted activity does not occur.
  190. C. A workflow orchestration tool is designed to automatically configure, manage, and otherwise oversee systems, applications, and services. Scripts can be used to do this but can be overly complex and failure prone. APIs are used to send and receive data from applications or programs. SCAP (Security Content Automation Protocol) isn't used for this type of task.
  191. D. TAXII's standardized format and built-in mechanisms for securing and protecting data mean that it can speed up data exchange while providing a standard format for data and thus easy interoperability.
  192. D. Continuous delivery (or continuous deployment) environments sometimes use a blue/green deployment model, where one side is live and the other side is nearly identical but receives the next set of code updates. Traffic is then switched over to the new code while leaving the functional previous version in place. If something goes wrong, a switchback is easy to perform.
  193. B. Heuristic analysis has been an important part of modern antimalware suites because it can identify polymorphic malware packages that change their signature. Since heuristic tools look for behaviors rather than fingerprints, they can continue to detect how the malware behaves. Fagan code analysis is a formal code review process. Machine learning and AI may be used by heuristic tools, but there is nothing in this question that specifies either.
  194. B. This is an ideal use of machine learning; in fact, VMware uses machine learning in their VMware Service Defined Firewall to analyze extremely large volumes of application data to build profiles for known-good behavior for applications. Once a baseline is generated, security policies are written that ensure that anomalous behavior is blocked. Trend analysis is not useful for specific application details, manual analysis would involve the staff member Isaac was trying to avoid, and endpoint analysis is vague and undefined in this context.
  195. D. Windows filesystem auditing does not provide the ability to detect if files were changed. Forensic artifacts can indicate that a file was opened and identify the program that opened it. However, unlike tools such as Tripwire that track file hashes and thus can identify modifications, Windows file auditing cannot provide this detail.
  196. A. URL analysis of domain generation algorithm–created uniform resource locators (URLs) relies on either testing URLs via WHOIS lookups and NXDOMAIN responses, or machine learning techniques, which recognize patterns common to DGA-generated URLs. Natural language processing focuses on understanding natural language data, but DGAs do not rely on natural language style URLs in most cases.
  197. A. During an event, incident responders often have to pay more attention to the immediate impact to triage and prioritize remediation. Once systems are back online and the business is operating, total impact can be assessed and should be included in the report and considered in new controls and practices from the lessons learned analysis of the event.
  198. C. The SIEM dashboard is the first thing you see when you log in to almost any SIEM product. Configuring dashboards to provide the most relevant and useful information is an important activity for most SIEM operations staff. The reporting engine is useful for more in-depth detail and also typically helps feed the dashboard. Email reports can be useful to ensure regular delivery to users who may not have an account on the SIEM or for other purposes where an event-driven or schedule-driven report is useful. A SIEM ruleset defines what a SIEM does and when, but it isn't useful for a quick view.
  199. C. In this scenario, the attacker may have been trying to find users who have typed credentials into a sudo command in a script. This will find all occurrences of the sudo command in all the /home/users subdirectories and will then feed that output to a search for bash.log, meaning that only occurrences of sudo inside of bash.log entries will be returned.
  200. A. Munju can use an antimalware tool to scan all of her organization's inbound and outbound email if she operates her own email service. If she uses a third-party service like Office 365 or Gmail, antimalware scanning is a built-in part of the service. A hashing algorithm doesn't scan for malware. An IPS might detect malware if email is sent between servers in an unencrypted form but is not an efficient implementation of this type of protection, and a UEBA tool is focused on user entity behavior, not email antimalware scanning.
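Answers 133 through 136 above read an SSH login out of a Linux auth log by hand: the source address, the daemon, the authentication method, and the later sudo escalation. The following is an added example, not code from the book, that does the same extraction programmatically over constructed sample lines (the hostname web01, the PIDs, the key fingerprint and the 203.0.113.7 failures are made up; only the ec2-user/10.174.238.88 pairing mirrors the answer), so the analyst can ask the same questions of thousands of lines at once.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in the style of a Linux auth log (hostname, PIDs,
# fingerprint and the failed-login source are made up; not the log from the question).
SAMPLE_AUTH_LOG = """\
Jan 12 10:14:02 web01 sshd[2101]: Accepted publickey for ec2-user from 10.174.238.88 port 51233 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Jan 12 10:14:02 web01 sshd[2101]: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)
Jan 12 10:15:41 web01 sudo: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/bash
Jan 12 10:15:41 web01 sudo: pam_unix(sudo:session): session opened for user root by ec2-user(uid=0)
Jan 12 10:20:09 web01 sshd[2190]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Jan 12 10:20:15 web01 sshd[2190]: Failed password for invalid user admin from 203.0.113.7 port 40023 ssh2
"""

ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<command>.+)$"
)


@dataclass
class AuthEvent:
    kind: str                   # "login", "failed_login" or "sudo"
    user: str                   # account that authenticated or invoked sudo
    source_ip: Optional[str]    # remote address for SSH events, None for sudo
    method: Optional[str]       # "publickey", "password", ... for SSH events
    target_user: Optional[str]  # account sudo switched to (the USER= field)
    command: Optional[str]      # command run via sudo


def parse_auth_log(text: str) -> List[AuthEvent]:
    """Turn raw auth-log lines into structured events; unrecognised lines are skipped."""
    events: List[AuthEvent] = []
    for line in text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            events.append(AuthEvent("login", m["user"], m["ip"], m["method"], None, None))
            continue
        m = FAILED_RE.search(line)
        if m:
            events.append(AuthEvent("failed_login", m["user"], m["ip"], m["method"], None, None))
            continue
        m = SUDO_RE.search(line)
        if m:
            events.append(AuthEvent("sudo", m["user"], None, None, m["target"], m["command"]))
    return events


def summarize(events: List[AuthEvent]) -> Dict[str, object]:
    """Answer the questions an analyst asks of an SSH log: who got in, from where,
    how they authenticated, who escalated privileges, and which sources keep failing."""
    logins = [(e.user, e.source_ip, e.method) for e in events if e.kind == "login"]
    escalations = [(e.user, e.target_user, e.command) for e in events if e.kind == "sudo"]
    failures: Dict[str, int] = {}
    for e in events:
        if e.kind == "failed_login":
            failures[e.source_ip] = failures.get(e.source_ip, 0) + 1
    # Tie the sudo record back to the SSH login that preceded it: the account that
    # connected is ec2-user, not root, even though USER=root appears in the sudo line.
    ssh_users = {u for u, _, _ in logins}
    root_escalation_by_ssh_user = [u for u, t, _ in escalations if t == "root" and u in ssh_users]
    return {
        "logins": logins,
        "escalations": escalations,
        "failed_logins_by_source": failures,
        "root_escalation_by_ssh_user": root_escalation_by_ssh_user,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{key}: {value}")
```

The pam_unix session lines are deliberately left unparsed: they confirm that PAM handled the session but add nothing the Accepted and sudo records do not already say.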
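Answers 137 and 138 above describe what an analyst pulls out of network flow data: the distinct hosts a source reached, the top talkers, and traffic toward known-bad destinations. As an added example that is not from the book, the code below parses constructed NetFlow-style records (the four destinations of 192.168.2.1 mirror answer 138; the ports, byte counts and the extra hosts 10.2.3.1 and 192.168.2.7 are made up) and computes each of those views, plus a per-source fan-out count that exposes scanning or beaconing hosts that never show up in byte totals.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed flow export (simplified NetFlow-style fields, comma separated).
# Destinations of 192.168.2.1 mirror answer 138; everything else is made up.
SAMPLE_FLOWS = """\
src_ip,src_port,dst_ip,dst_port,proto,bytes,packets
192.168.2.1,51022,10.2.3.1,443,tcp,18400,40
192.168.2.1,51023,10.6.2.4,445,tcp,2200,12
192.168.2.1,51024,10.6.2.5,445,tcp,2100,11
192.168.2.1,51025,10.8.2.5,22,tcp,900,9
192.168.2.1,51026,10.2.3.1,443,tcp,7700,20
10.2.3.1,443,192.168.2.1,51022,tcp,312000,250
192.168.2.7,40211,10.2.3.1,443,tcp,5600,15
"""


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    byte_count: int
    packets: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the header-first CSV export into Flow records."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(",")
    flows = []
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        flows.append(Flow(row["src_ip"], int(row["src_port"]), row["dst_ip"], int(row["dst_port"]),
                          row["proto"], int(row["bytes"]), int(row["packets"])))
    return flows


def destinations_from(flows: List[Flow], src_ip: str) -> List[str]:
    """Distinct hosts a given source talked to (the 'how many hosts' check of answer 138)."""
    return sorted({f.dst_ip for f in flows if f.src_ip == src_ip})


def top_talkers(flows: List[Flow], n: int = 5) -> List[Tuple[str, int]]:
    """Sources ranked by bytes sent; a newcomer near the top is worth a look."""
    sent: Dict[str, int] = defaultdict(int)
    for f in flows:
        sent[f.src_ip] += f.byte_count
    return sorted(sent.items(), key=lambda kv: kv[1], reverse=True)[:n]


def fan_out(flows: List[Flow]) -> Dict[str, int]:
    """Distinct destinations per source. High fan-out from one workstation suggests
    scanning or lateral movement, and it is visible even when the byte totals are tiny."""
    peers: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        peers[f.src_ip].add(f.dst_ip)
    return {src: len(dsts) for src, dsts in peers.items()}


def flows_to_watchlist(flows: List[Flow], watchlist: Set[str]) -> List[Flow]:
    """Flows whose destination is on a list of known-malicious addresses (supplied by a feed)."""
    return [f for f in flows if f.dst_ip in watchlist]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("hosts reached from 192.168.2.1:", destinations_from(flows, "192.168.2.1"))
    print("top talkers:", top_talkers(flows, 3))
    print("fan-out:", fan_out(flows))
```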
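Answer 178 above points at a common log-review trap: one source recording events in the wrong time zone so that correlated events appear hours apart. The following added example (not from the book) shows the two habits that catch it: refusing to interpret a naive timestamp without an explicit zone, and measuring the median gap between correlated events from two sources, where a gap that is a whole number of hours points to a zone misconfiguration rather than clock drift. The hosts app01 and siem, the session identifiers and the timestamps are all constructed.

```python
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import Dict, List, Optional, Tuple


def to_utc(timestamp: str, assumed_offset_hours: Optional[int] = None) -> datetime:
    """Parse an ISO-8601 timestamp and return it in UTC. If the string carries no
    offset, the caller must state the source's zone (assumed_offset_hours); refusing
    to guess is the point, since a silently wrong zone is exactly the problem."""
    dt = datetime.fromisoformat(timestamp)
    if dt.tzinfo is None:
        if assumed_offset_hours is None:
            raise ValueError(f"naive timestamp {timestamp!r}: source time zone unknown")
        dt = dt.replace(tzinfo=timezone(timedelta(hours=assumed_offset_hours)))
    return dt.astimezone(timezone.utc)


# Constructed records from two log sources that both saw the same three sessions.
# "app01" writes naive local timestamps; the collector "siem" writes UTC with an offset.
SAMPLE_EVENTS = [
    {"host": "app01", "session": "s1", "ts": "2024-03-05T18:00:12"},
    {"host": "siem",  "session": "s1", "ts": "2024-03-05T14:00:10+00:00"},
    {"host": "app01", "session": "s2", "ts": "2024-03-05T18:07:45"},
    {"host": "siem",  "session": "s2", "ts": "2024-03-05T14:07:50+00:00"},
    {"host": "app01", "session": "s3", "ts": "2024-03-05T18:21:03"},
    {"host": "siem",  "session": "s3", "ts": "2024-03-05T14:20:53+00:00"},
]


def systematic_offset(events: List[dict], host_a: str, host_b: str,
                      assumed_offsets: Dict[str, int]) -> Tuple[float, bool]:
    """Median (host_a - host_b) in seconds over correlated events, and whether that
    gap is a whole number of hours (within 5 minutes): the signature of a zone error
    rather than ordinary clock drift."""
    by_session: Dict[str, Dict[str, datetime]] = {}
    for e in events:
        utc = to_utc(e["ts"], assumed_offsets.get(e["host"]))
        by_session.setdefault(e["session"], {})[e["host"]] = utc
    deltas = [
        (pair[host_a] - pair[host_b]).total_seconds()
        for pair in by_session.values() if host_a in pair and host_b in pair
    ]
    if not deltas:
        raise ValueError("no correlated events between the two hosts")
    gap = median(deltas)
    hours = round(gap / 3600)
    whole_hour = hours != 0 and abs(gap - hours * 3600) <= 300
    return gap, whole_hour


if __name__ == "__main__":
    # Reading app01's naive timestamps as UTC (offset 0) exposes a 4-hour gap.
    gap, zone_error = systematic_offset(SAMPLE_EVENTS, "app01", "siem", {"app01": 0})
    print(f"app01 appears {gap / 3600:.2f} h ahead of siem; whole-hour gap: {zone_error}")
    # Re-reading app01 as UTC+4 (its real zone in this constructed case) closes the gap.
    gap, zone_error = systematic_offset(SAMPLE_EVENTS, "app01", "siem", {"app01": 4})
    print(f"after correction: {gap:.0f} s residual; whole-hour gap: {zone_error}")
```

Once the gap collapses to a few seconds the remaining difference is ordinary clock skew, which is what NTP is for; a four-hour residual is what Abdul should go and fix on the server.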
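Answers 166 and 196 above explain that domain generation algorithms produce large numbers of random-looking names, and that defenders spot them either through NXDOMAIN responses or through pattern recognition on the names themselves. The added example below (not from the book, and a rule-based heuristic rather than the machine-learning classifiers the answer mentions) scores a label on entropy, vowel ratio, digit ratio and consonant runs, then combines that with per-client NXDOMAIN rates from a constructed resolver log. The thresholds and every name and address in the sample are illustrative assumptions.

```python
import math
from collections import Counter
from typing import Dict, List, Tuple

VOWELS = set("aeiou")


def registrable_label(fqdn: str) -> str:
    """Crude second-level label extraction (no public-suffix list; 'x.co.uk' would be wrong)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def longest_consonant_run(s: str) -> int:
    run = best = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_features(fqdn: str) -> Dict[str, float]:
    label = registrable_label(fqdn)
    letters = [c for c in label if c.isalpha()]
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": (sum(c in VOWELS for c in letters) / len(letters)) if letters else 0.0,
        "digit_ratio": (sum(c.isdigit() for c in label) / len(label)) if label else 0.0,
        "consonant_run": longest_consonant_run(label),
    }


def dga_score(fqdn: str) -> int:
    """Count how many 'looks random' rules fire; thresholds are illustrative, not tuned."""
    f = dga_features(fqdn)
    rules = [
        f["entropy"] > 3.5,        # many distinct characters for the length
        f["vowel_ratio"] < 0.2,    # pronounceable words contain vowels
        f["digit_ratio"] > 0.2,    # digits sprinkled through the label
        f["consonant_run"] >= 5,   # unpronounceable consonant clusters
        f["length"] >= 15,         # long labels are rarer in human-chosen names
    ]
    return sum(rules)


def is_dga_like(fqdn: str, threshold: int = 2) -> bool:
    return dga_score(fqdn) >= threshold


# Constructed resolver log: (client_ip, queried_name, rcode). Names and clients are made up.
SAMPLE_DNS = [
    ("10.0.0.21", "google.com", "NOERROR"),
    ("10.0.0.21", "facebook.com", "NOERROR"),
    ("10.0.0.21", "amazonaws.com", "NOERROR"),
    ("10.0.0.33", "xk3jq9vzt2lmqr.net", "NXDOMAIN"),
    ("10.0.0.33", "bqwxznkplrtvsd.com", "NXDOMAIN"),
    ("10.0.0.33", "zrtplkmqvwxbns.org", "NXDOMAIN"),
    ("10.0.0.33", "google.com", "NOERROR"),
]


def suspicious_clients(records, min_queries: int = 3, nx_ratio: float = 0.5) -> List[Tuple[str, float, int]]:
    """Clients with a high NXDOMAIN rate whose failing names also look generated.
    A DGA-infected host tries many candidate domains that have not been registered yet,
    so most of its lookups fail; combining the two signals cuts down on false positives."""
    per_client: Dict[str, Dict[str, int]] = {}
    for client, name, rcode in records:
        stats = per_client.setdefault(client, {"total": 0, "nx": 0, "nx_dga": 0})
        stats["total"] += 1
        if rcode == "NXDOMAIN":
            stats["nx"] += 1
            if is_dga_like(name):
                stats["nx_dga"] += 1
    out = []
    for client, s in per_client.items():
        ratio = s["nx"] / s["total"]
        if s["total"] >= min_queries and ratio >= nx_ratio and s["nx_dga"] > 0:
            out.append((client, ratio, s["nx_dga"]))
    return out
```

Tuning matters: content-delivery and cloud hostnames are often long and entropic, which is why the rule count rather than any single feature decides, and why the NXDOMAIN rate is checked alongside it.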

Answers to Chapter 4: Domain 4.0: Incident Response

  1. B. Lucca only needs a verifiable MD5 hash to validate the files under most circumstances. This will let him verify that the file he downloaded matches the hash of the file that the vendor believes they are providing. There have been a number of compromises of vendor systems, such as open source projects that included distribution of malware that attackers inserted into the binaries or source code available for download, making this an important step when security is critical to an organization.
  2. C. The amount of metadata included in photos varies based on the device used to take them, but GPS location, GPS timestamp-based time (which is therefore correct, rather than the device's native time), and camera type can all potentially be found. Image files do not track how many times they have been copied!
  3. A. Chris needs both the /etc/passwd and the /etc/shadow files for John the Ripper to crack the passwords. Although only hashes are stored, John the Ripper includes built-in brute-force tools that will crack the passwords.
  4. B. The Sysinternals suite provides two tools for checking access, AccessEnum and AccessChk. AccessEnum is a GUI-based program that gives a full view of filesystem and registry settings and can display either files with permissions that are less restrictive than the parent or any files with permissions that differ from the parent. AccessChk is a command-line program that can check the rights a user or group has to resources.
  5. A. John is not responding to an incident, so this is an example of proactive network segmentation. If he discovered a system that was causing issues, he might create a dedicated quarantine network or could isolate or remove the system.
  6. C. NIST describes events like this as security incidents because they are a violation or imminent threat of violation of security policies and practices. An adverse event is any event with negative consequences, and an event is any observable occurrence on a system or network.
  7. B. In most cases, the first detection type Mei should deploy is a rogue SSID detection capability. This will help her reduce the risk of users connecting to untrusted SSIDs. She may still want to conduct scans of APs that are using channels they should not be, and of course her network should either use network access controls or scan for rogue MAC addresses to prevent direct connection of rogue APs and other devices.
  8. C. Dan's efforts are part of the preparation phase, which involves activities intended to limit the damage an attacker could cause.
  9. B. Organizations that process credit cards work with acquiring banks to handle their card processing, rather than directly with the card providers. Notification to the bank is part of this type of response effort. Requiring notification of law enforcement is unlikely, and the card provider listing specifies only two of the major card vendors, none of which are specified in the question.
  10. B. Linux provides a pair of useful ACL backup and restore commands: getfacl allows recursive backups of directories, including all permissions to a text file, and setfacl restores those permissions from the backup file. Both aclman and chbkup were made up for this question.
  11. B. In cases where an advanced persistent threat (APT) has been present for an unknown period of time, backups should be assumed to be compromised. Since APTs often have tools that cannot be detected by normal anti-malware techniques, the best option that Manish has is to carefully rebuild the systems from the ground up and then ensure that they are fully patched and secured before returning them to service.
  12. A. FileVault does allow trusted accounts to unlock the drive but not by changing the key. FileVault 2 keys can be recovered from memory for mounted volumes and much like BitLocker, it suggests that users record their recovery key, so Jessica may want to ask the user or search their office or materials if possible. Finally, FileVault keys can be recovered from iCloud, providing her with a third way to get access to the drive.
  13. C. The series of connection attempts shown is most likely associated with a port scan. A series of failed connections to various services within a few seconds (or even minutes) is common for a port scan attempt. A denial-of-service attack will typically be focused on a single service, whereas an application that cannot connect will only be configured to point at one database service, not many. A misconfigured log source either would send the wrong log information or would not send logs at all in most cases.
  14. D. Windows audits account creation by default. Frank can search for account creation events under event ID 4720 for modern Windows operating systems.
  15. A. Purging requires complete removal of data, and cryptographic erase is the only option that will fully destroy the contents of a drive from this list. Reformatting will leave the original data in place, overwriting leaves the potential for file remnants in slack space, and repartitioning will also leave data intact in the new partitions.
  16. B. Unless she already knows the protocol that a particular beacon uses, filtering out beacons by protocol may cause her to miss beaconing behavior. Attackers want to dodge common analytical tools and will use protocols that are less likely to attract attention. Filtering network traffic for beacons based on the intervals and frequency they are sent at, if the beacon persists over time, and removing known traffic are common means of filtering traffic to identify beacons.
  17. C. Local scans often provide more information than remote scans because of network or host firewalls that block access to services. The second most likely answer is that Scott or Joanna used different settings when they scanned.
  18. C. A general best practice when dealing with highly sensitive systems is to encrypt copies of the drives before they are sent to third parties. Adam should encrypt the drive image and provide both the hash of the image and the decryption key under separate cover (sent via a separate mechanism) to ensure that losing the drive itself does not expose the data. Once the image is in the third-party examiner's hands, they will be responsible for its security. Adam may want to check on what their agreement says about security.
  19. B. A hardware write blocker can ensure that connecting or mounting the drive does not cause any changes to occur on the drive. Mika should create one or more forensic images of the original drive and then work with the copy or copies as needed. She may then opt to use forensic software, possibly including a software write blocker.
  20. A. This form is a sample chain-of-custody form. It includes information about the case; copies of drives that were created; and who was in possession of drives, devices, and copies during the investigation.
  21. C. The chmod command is used to change the permissions on a file. The head and tail commands are used to display the beginning and end of a file, respectively. The cat command is used to display an entire file.
  22. B. SNMP, packet sniffing, and NetFlow are commonly used when monitoring bandwidth consumption. Portmon is an aging Windows tool used to monitor serial ports, not exactly the sort of tool you'd use to watch your network's bandwidth usage!
  23. B. James can temporarily create an untrusted network segment and use a span port or tap to allow him to see traffic leaving the infected workstation. Using Wireshark or tcpdump, he can build a profile of the traffic it sends, helping him build a fingerprint of the beaconing behavior. Once he has this information, he can then use it in his recovery efforts to ensure that other systems are not similarly infected.
  24. C. The output of lsof shows a connection from the local host (10.0.2.6) to remote.host.com via SSH. The listing for /bin/bash simply means that demo is using the bash shell. Fred hasn't found evidence of demo accessing other systems on his local network but might find the outbound SSH connection interesting.
  25. B. Conducting a lessons learned review after using an incident response plan can help to identify improvements and to ensure that the plan is up-to-date and ready to handle new events.
  26. B. If Kathleen's company uses a management system or inventory process to capture the MAC addresses of known organizationally owned systems, then a MAC address report from her routers and switches will show her devices that are connected that are not in inventory. She can then track down where the device is physically connected to the port on the router or switch to determine whether the device should be there.
  27. C. When /var fills up, it is typically due to log files filling up all available space. The /var partition should be reviewed for log files that have grown to extreme size or that are not properly set to rotate.
  28. D. Linux permissions are read numerically as “owner, group, other.” The numbers stand for read: 4, write: 2, and execute: 1. Thus, a 7 provides that person, group, or other with read, write, and execute. A 4 means read-only; a 5 means read and execute, without write; and so on. 777 provides the broadest set of permissions, and 000 provides the least.
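As an added example (not code from the book), the following Python decodes the numeric "owner, group, other" notation described in answer 28 and flags the modes a reviewer would question. The bit values and the rules in review_mode are the ones the answer states; the review rules are an illustration, not a standard.

```python
# Added example (not the book's code): decode a three-digit octal Linux mode
# into the familiar rwx string and flag modes that deserve a second look.
from typing import List

# Bit values from the answer above: read=4, write=2, execute=1.
PERM_BITS = ((4, "r"), (2, "w"), (1, "x"))


def decode_mode(mode: str) -> str:
    """'750' -> 'rwxr-x---'. Digits are read as owner, group, other."""
    if len(mode) != 3 or any(ch not in "01234567" for ch in mode):
        raise ValueError(f"expected a three-digit octal mode, got {mode!r}")
    triplets = []
    for digit in mode:
        value = int(digit)
        triplets.append("".join(sym if value & bit else "-" for bit, sym in PERM_BITS))
    return "".join(triplets)


def review_mode(mode: str) -> List[str]:
    """Reasons a reviewer would question this mode (empty list means none)."""
    decode_mode(mode)  # validates the input
    owner, group, other = (int(d) for d in mode)
    notes = []
    if other & 2:
        notes.append("world-writable: any local user can modify it")
    if group & 2:
        notes.append("group-writable: every group member can modify it")
    if mode == "777":
        notes.append("broadest possible permissions")
    if owner == 0:
        notes.append("owner has no access at all (likely a mistake)")
    return notes


if __name__ == "__main__":
    for m in ("777", "750", "644", "000"):
        print(m, decode_mode(m), review_mode(m))
```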
  29. C. Improper usage, which results from violations of an organization's acceptable use policies by authorized users, can be reduced by implementing a strong awareness program. This will help ensure users know what they are permitted to do and what is prohibited. Attrition attacks focus on brute-force methods of attacking services. Impersonation attacks include spoofing, man-in-the-middle attacks, and similar threats. Finally, web-based attacks focus on websites or web applications. Awareness may help with some specific web-based attacks like fake login sites, but many others would not be limited by Lauren's awareness efforts.
  30. C. Incremental mode is John the Ripper's most powerful mode, as it will try all possible character combinations as defined by the settings you enter at the start. Single crack mode tries to use login names with various modifications and is very useful for initial testing. Wordlist uses a dictionary file along with mangling rules to test for common passwords. External mode relies on functions that are custom-written to generate passwords. External mode can be useful if your organization has custom password policies that you want to tweak the tool to use.
  31. B. If business concerns override his ability to suspend the system, the best option that Lukas has is to copy the virtual disk files and then use a live memory imaging tool. This will give him the best forensic copy achievable under the circumstances. Snapshotting the system and booting it will result in a loss of live memory artifacts. Escalating may be possible in some circumstances, but the scenario specifies that the system must remain online. Finally, volatility can capture memory artifacts but is not designed to capture a full virtual machine.
  32. B. Reassembling the system to match its original configuration can be important in forensic investigations. Color-coding each cable and port as a system is disassembled before moving helps to ensure proper reassembly. Mika should also have photos taken by the on-site investigators to match her reassembly work to the on-site configuration.
  33. D. The Signal protocol is designed for secure end-to-end messaging, and using a distinct messaging tool for incident response can be helpful to ensure that staff separates incident communication from day-to-day operations. Text messaging is not secure. Email with TLS enabled is encrypted only between the workstation and email server and may be exposed in plain text at rest and between other servers. A Jabber server with TLS may be a reasonable solution but is less secure than a Signal-based application.
  34. B. Selah should check the error log to determine what web page or file access resulted in 404 “not found” errors. The errors may indicate that a page is mislinked, but it may also indicate a scan occurring against her web server.
  35. C. Since the drives are being returned at the end of a lease, you must assume that the contract does not allow them to be destroyed. This means that purging the drives, validating that the drives have been purged, and documenting the process to ensure that all drives are included are the appropriate actions. Clearing the drives leaves the possibility of data recovery, while purging, as defined by NIST SP 800-88, renders data recovery infeasible.
  36. C. The default macOS drive format is APFS and is the native macOS drive format. macOS does support FAT32 and can read NTFS but cannot write to NTFS drives without additional software. HFS+ was the default file system for earlier versions of macOS.
  37. B. Eraser is a tool used to securely wipe files and drives. If Eraser is not typically installed on his organization's machines, Tim should expect that the individual being investigated has engaged in some antiforensic activities including wiping files that may have been downloaded or used against company policy. This doesn't mean he shouldn't continue his investigation, but he may want to look at Eraser's log for additional evidence of what was removed.
  38. B. Data carving is the process of identifying files based on file signatures such as headers and footers and then pulling the information between those locations out as a file. Jessica can use common carving tools or could manually carve files if she knows common header and footer types that she can search for.
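As an added example (not the book's or any forensic tool's code), this Python carves files out of a byte blob by searching for header and footer signatures, the technique answer 38 describes. The JPEG and PNG signatures are real file-format magic values; the blob is constructed so the example runs offline, and the size cap and the handling of a header with no footer are my own design choices.

```python
# Added example (not the book's code): header/footer file carving over a
# byte blob. The blob below is constructed sample data.
from typing import List, Tuple

# (type, header, footer). JPEG starts FF D8 FF and ends FF D9; PNG starts with
# the 8-byte PNG signature and ends with the IEND chunk and its fixed CRC.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
]

SAMPLE_BLOB = (
    b"\x00" * 16                                # filler, offsets 0..15
    + b"\xff\xd8\xff\xe0JFIF-body\xff\xd9"      # a small JPEG at offset 16
    + b"\x11" * 8                               # filler
    + b"\x89PNG\r\n\x1a\npng-bodyIEND\xaeB`\x82"  # a small PNG at offset 39
    + b"\x00" * 4                               # filler
    + b"\xff\xd8\xfftruncated"                  # JPEG header with no footer
)


def carve(blob: bytes, max_size: int = 10 * 1024 * 1024) -> List[Tuple[str, int, bytes]]:
    """Return (type, offset, data) for each header..footer region found.
    A header with no matching footer within max_size bytes is skipped, which
    is how a truncated or partly overwritten file shows up in practice."""
    found = []
    for name, header, footer in SIGNATURES:
        pos = 0
        while True:
            start = blob.find(header, pos)
            if start == -1:
                break
            end = blob.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1       # no footer: move past this header
                continue
            end += len(footer)
            found.append((name, start, blob[start:end]))
            pos = end                 # resume after the carved file
    found.sort(key=lambda f: f[1])
    return found


if __name__ == "__main__":
    for kind, offset, data in carve(SAMPLE_BLOB):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```

Real carvers add per-format size fields (the PNG chunk lengths, the JPEG segment markers) so that a footer appearing inside another file's data does not end a carve early; the signature-only approach above is the starting point the answer describes.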
  39. D. A CSIRT leader must have authority to direct the incident response process and should be able to act as a liaison with organizational management. Although Latisha may not have deep incident response experience, she is in the right role to provide those connections and leadership. She should look at retaining third-party experts for incidents if she needs additional skills or expertise on her IR team.
  40. B. This system is not connected to a domain (default domain name has no value), and the default user is admin.
  41. A. The NX bit sets fine-grained permissions to mapped memory regions, while ASLR ensures that shared libraries are loaded at randomized locations, making it difficult for attackers to leverage known locations in memory via shared library attacks. DEP is a Windows tool for memory protection, and position-independent variables are a compiler-level protection that is used to secure programs when they are compiled.
  42. C. If the Security log has not rotated, Angela should be able to find the account creation under event ID 4720. The System log does not contain user creation events, and user profile information doesn't exist until the user's first login. The registry is also not a reliable source of account creation date information.
  43. A. The Linux file command shows a file's format, encoding, what libraries it is linked to, and its file type (binary, ASCII text, etc.). Since Alex suspects that the attacker used statically linked libraries, the file command is the best command to use for this scenario. stat provides the last time accessed, permissions, UID and GID bit settings, and other details. It is useful for checking when a file was last used or modified but won't provide details about linked libraries. strings and grep are both useful for analyzing the content of a file and may provide Alex with other hints but won't be as useful as the file command for this purpose.
  44. D. Lauren will get the most information by setting auditing to All but may receive a very large number of events if she audits commonly used folders. Auditing only success or failure would not show all actions, and full control is a permission, not an audit setting.
  45. A. The apt command is used to install and upgrade packages in Ubuntu Linux from the command line. The apt-get -u upgrade command will list needed upgrades and patches (and adding the -V flag will provide useful version information). The information about what patches were installed is retained in /var/log/apt, although log rotation may remove or compress older update information.
  46. C. Under most circumstances Ophcrack's rainbow table-based cracking will result in the fastest hash cracking. Hashcat's high-speed, GPU-driven cracking techniques are likely to come in second, with John the Ripper and Cain and Abel's traditional CPU-driven cracking methods remaining slower unless their mutation-based password cracks discover simple passwords very quickly.
  47. A. A logical acquisition focuses on specific files of interest, such as a specific type of file, or files from a specific location. In Eric's case, a logical acquisition meets his needs. A sparse acquisition also collects data from unallocated space. A bit-by-bit acquisition is typically performed for a full drive and will take longer.
  48. A. Resource Monitor provides average CPU utilization in addition to real-time CPU utilization. Since Kelly wants to see average usage over time, she is better off using Resource Monitor instead of Task Manager (which meets all of her other requirements). Performance Monitor is useful for collecting performance data, and iperf is a network performance measurement tool.
  49. D. The chain of custody for evidence is maintained by logging and labeling evidence. This ensures that the evidence is properly controlled and accessed.
  50. A. Roger has memory usage monitoring enabled with thresholds shown at the bottom of the chart that will generate an alarm if it continues. The chart shows months of stable memory utilization with very little deviation. Although a sudden increase could happen, this system appears to be functioning well.

    Memory usage is high; however, in a well-tuned system that does not have variable memory usage or sudden spikes, this is often an acceptable situation. Windows does not have an automated memory management tool that will curtail memory usage in this situation.

  51. B. The more effort Frank puts into staying up-to-date with information by collecting threat information (5), monitoring for indicators (1), and staying up-to-date on security alerts (3), the stronger his organization's security will be. Understanding specific threat actors may become relevant if they specifically target organizations like Frank's, but as a midsize organization Frank's employer is less likely to be specifically targeted directly.
  52. A. The Windows registry stores a list of wireless networks the system has connected to in the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles. This is not a user-specific setting and is stored for all users in LocalMachine.
  53. B. Although it may seem to be a simple answer, ensuring that all input is checked to make sure that it is not longer than the variable or buffer it will be placed into is an important part of protecting web applications. Canonicalization is useful against scripting attacks. Format string attacks occur when input is interpreted as a command by an application. Buffer overwriting typically occurs with a circular buffer as data is replaced and is not an attack or attack prevention method.
  54. A. Suspending a virtual machine will result in the RAM and disk contents being stored to the directory where it resides. Simply copying that folder is then sufficient to provide Susan with all the information she needs. She should not turn the virtual machine off, and creating a forensic copy of the drive is not necessary (but she should still validate hashes for the copied files or directory).
  55. A. Chrome stores a broad range of useful forensic information in its SQLite database, including cookies, favicons, history, logins, top sites, web form data, and other details. Knowing how to write SQL queries or having access to a forensic tool that makes these databases easy to access can provide a rich trove of information about the web browsing history of a Chrome user.
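As an added example of the SQL-based approach answer 55 mentions (my code, not the book's and not a forensic product), the Python below builds a Chrome-style History database in memory and queries it. The table uses a simplified copy of the column names from Chrome's urls table, which I am assuming here; real databases carry more columns and tables. The timestamp conversion is the real one: Chrome stores times as microseconds since 1601-01-01 UTC. The rows are constructed sample data.

```python
# Added example (not the book's code): query a Chrome-style History database
# with sqlite3 and convert its timestamps. Schema and rows are constructed.
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Chrome/WebKit time: microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    # Integer division keeps full precision (a float would lose microseconds).
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history() -> sqlite3.Connection:
    """In-memory database with a simplified 'urls' table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
        "visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, "
        "hidden INTEGER)"
    )
    utc = timezone.utc
    rows = [  # constructed sample visits
        (1, "https://example.com/login", "Login", 5, 2,
         datetime_to_webkit(datetime(2024, 3, 5, 9, 30, tzinfo=utc)), 0),
        (2, "https://example.net/download/tool.zip", "tool.zip", 1, 0,
         datetime_to_webkit(datetime(2024, 3, 6, 14, 2, tzinfo=utc)), 0),
        (3, "https://example.org/", "Example", 12, 4,
         datetime_to_webkit(datetime(2024, 2, 10, 8, 0, tzinfo=utc)), 0),
    ]
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def recent_visits(conn: sqlite3.Connection, since: datetime) -> List[Tuple[str, str, int, datetime]]:
    """URLs last visited at or after 'since', newest first."""
    cur = conn.execute(
        "SELECT url, title, visit_count, last_visit_time FROM urls "
        "WHERE last_visit_time >= ? ORDER BY last_visit_time DESC",
        (datetime_to_webkit(since),),
    )
    return [(url, title, count, webkit_to_datetime(ts)) for url, title, count, ts in cur]


if __name__ == "__main__":
    db = build_sample_history()
    for row in recent_visits(db, datetime(2024, 3, 1, tzinfo=timezone.utc)):
        print(row)
```

Against a real profile, open a copy of the History file (Chrome holds a lock on the live one) and keep the examiner's timezone out of the query: compare in WebKit microseconds and convert only for display, as above.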
  56. B. FTK Imager Light is shown configured to write a single large file that will fail on FAT32-formatted drives where the largest single file is 4 GB. If Chris needs to create a single file, he should format his destination drive as NTFS. In many cases, he should simply create a raw image to a blank disk instead!
  57. A. The simplest way to handle a configuration like this is to allow it to be reset when the condition is no longer true. If Christina adds the MAC address to her allowed devices list, this will automatically remove the alert. If she does not, the alert will remain for proper handling.
  58. B. Modern versions of Windows include the built-in certutil utility. Running certutil -hashfile [file location] md5 will calculate the MD5 hash of a file. certutil also supports SHA1 and SHA256 as well as other less frequently used hashes. md5sum and sha1sum are Linux utilities, and hashcheck is a shell extension for Windows.
  59. B. Disclosure based on regulatory or legislative requirements is commonly part of an incident response process; however, public feedback is typically a guiding element of information release. Limiting communication to trusted parties and ensuring that data and communications about the incident are properly secured are both critical to the security of the incident response process. This also means that responders should work to limit the potential for accidental release of incident-related information.
  60. D. A sudden resumption of traffic headed “in” after sitting at zero likely indicates a network link or route has been repaired. A link failure would show a drop to zero, rather than an increase. The complete lack of inbound traffic prior to the resumption at 9:30 makes it unlikely this is a DDoS, and the internal systems are not sending significant traffic outbound.
  61. D. ifconfig, netstat -i, and ip link show will all display a list of the network interfaces for a Linux system. The intf command is made up for this question.
  62. B. Address space layout randomization (ASLR) is a technique used to prevent buffer overflows and stack smashing attacks from being able to predict where executable code resides in the heap. DEP is data execution protection, and both StackProtect and MemShuffle were made up for this question.
  63. D. The Windows Quick Format option leaves data in unallocated space on the new volume, allowing the data to be carved and retrieved. This does not meet the requirements for any of the three levels of sanitization defined by NIST.
  64. C. Angela's best choice would be to implement IP reputation to monitor for connections to known bad hosts. Antivirus definitions, file reputation, and static file analysis are all useful for detecting malware, but command-and-control traffic like beaconing will typically not match definitions, won't send known files, and won't expose files for analysis.
  65. C. Restoring a system to normal function, including removing it from isolation, is part of the containment, eradication, and recovery stage. This may seem to be part of the postincident activity phase, but that phase includes activities such as reporting and process updates rather than system restoration.
  66. A. Flow logs would show Chris the outbound traffic flows based on remote IP addresses as well as the volume of traffic, and behavioral (heuristic) analysis will help him to alert on similar behaviors. Chris should build an alert that alarms when servers in his datacenter connect to domains that are not already whitelisted and should strongly consider whether servers should be allowed to initiate outbound connections at all.
  67. B. The NIST recoverability effort categories call a scenario in which time to recovery is predictable with additional resources “supplemented.” The key to the NIST levels is to remember that each level of additional unknowns and resources required increases the severity level from regular to supplemented and then to extended. A nonrecoverable situation exists when the event cannot be remediated, such as when data is exposed. At that point, an investigation is launched. In a nongovernment agency, this phase might involve escalating to law enforcement.
  68. C. Using a forensic SIM (which provides some but not all of the files necessary for the phone to work); using a dedicated forensic isolation appliance that blocks Wi-Fi, cellular, and Bluetooth signals; or even simply putting a device into airplane mode are all valid mobile forensic techniques for device isolation. Although manipulating the device to put it into airplane mode may seem strange to traditional forensic examiners, this is a useful technique that can be documented as part of the forensic exercise if allowed by the forensic protocols your organization follows.
  69. B. The audit package can provide this functionality. auditd runs as a service, and then auditctl is used to specifically call out the files or directories that will be monitored.
  70. D. A forensic investigator's best option is to seize, image, and analyze the drive that Janet downloaded the files to. Since she only deleted the files, it is likely that the investigator will be able to recover most of the content of the files, allowing them to be identified. Network flows do not provide file information, SMB does not log file downloads, browser caches will typically not contain a list of all downloaded files, and incognito mode is specifically designed to not retain session and cache information.
  71. B. Jose can choose to isolate the compromised system, either physically or logically, leaving the attacker with access to the system while isolating it from other systems on his network. If he makes a mistake, he could leave his own systems vulnerable, but this will allow him to observe the attacker.
  72. D. NIST SP 800-61 categorizes signs of an incident into two categories, precursors and indicators. Precursors are signs that an incident may occur in the future. Since there is not an indicator that an event is in progress, this can be categorized as a precursor. Now Abdul needs to figure out how he will monitor for a potential attack.
  73. D. Lessons learned reviews are typically conducted by independent facilitators who ask questions like “What happened, and at what time?” and “What information was needed, and when?” Lessons learned reviews are conducted as part of the postincident activity stage of incident response and provide an opportunity for organizations to improve their incident response process.
  74. B. Although patching is useful, it won't stop zero-day threats. If Allan is building a plan specifically to deal with zero-day threats, he should focus on designing his network and systems to limit the possibility and impact of an unknown vulnerability. That includes using threat intelligence, using segmentation, using whitelisting applications, implementing only necessary firewall rules, using behavior and baseline-based intrusion prevention rules and SIEM alerts, and building a plan in advance.
  75. C. NIST describes events with negative consequences as adverse events. It might be tempting to immediately call this a security incident; however, this wouldn't be classified that way until an investigation was conducted. If the user accidentally accessed the file, it would typically not change classification. Intentional or malicious access would cause the adverse event to become a security incident.
  76. D. Cell phones contain a treasure trove of location data, including both tower connection log data and GPS location logs in some instances. Photographs taken on mobile devices may also include location metadata. Microsoft Office files do not typically include location information.

    Other potential sources of data include car GPS systems if the individual has a car with built-in GPS, black-box data-gathering systems, social media posts, and fitness software, as well as any other devices that may have built-in GPS or location detection capabilities. In some cases, this can be as simple as determining whether the individual's devices were connected to a specific network at a specific time.

  77. C. Documentation is important when tracking drives to ensure that all drives that should be sanitized are being received. Documentation can also provide evidence of proper handling for audits and internal reviews.
  78. D. Outsourcing to a third-party incident response provider allows Mike to bring in experts when an incident occurs while avoiding the day-to-day expense of hiring a full-time staff member. This can make a lot of financial sense if incidents occur rarely, and even large organizations bring in third-party response providers when large incidents occur. A security operations center (SOC) would be appropriate if Mike needed day-to-day security monitoring and operations, and hiring an internal team does not match Mike's funding model limitations in this scenario.
  79. C. An air gap is a design model that removes connections between network segments or other systems. The only way to cross an air gap is to carry devices or data between systems or networks, making removable media the threat vector here.
  80. C. Dan can look up the manufacturer prefix that makes up the first part of the MAC address. In this case, Dan will discover that the system is likely a Dell, potentially making it easier for him to find the machine in the office. Network management and monitoring tools build in this identification capability, making it easier to see if unexpected devices show up on the network. Of course, if the local switch is a managed switch, he can also query it to determine what port the device is plugged into and follow the network cable to it.
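As an added example serving both answer 26 (comparing connected MAC addresses against inventory) and answer 80 (identifying the vendor from the MAC prefix), this Python (my code, not the book's) normalizes addresses from the formats switches commonly print, checks each against an inventory list, and tags the unknowns with a vendor guess from the first three octets. The OUI table, switch table and inventory are all constructed sample values; a real tool would load the IEEE OUI registry.

```python
# Added example (not the book's code): find switch-table MACs that are not in
# inventory and label them by OUI. All addresses and vendors are constructed.
from typing import Dict, List, NamedTuple

# Constructed vendor table keyed by OUI (first three octets); not real vendors.
OUI_SAMPLE: Dict[str, str] = {
    "02:11:22": "ExampleCo laptops",
    "02:33:44": "ExampleNet printers",
}


class SwitchEntry(NamedTuple):
    switch: str
    port: str
    mac: str


def normalize_mac(mac: str) -> str:
    """Accept 02:11:22:33:44:55, 02-11-22-33-44-55 or 0211.2233.4455 and
    return the colon-separated upper-case form so comparisons are exact."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def oui_vendor(mac: str) -> str:
    return OUI_SAMPLE.get(normalize_mac(mac)[:8], "unknown vendor")


def unknown_devices(table: List[SwitchEntry], inventory: List[str]) -> List[str]:
    """One line per connected MAC that inventory does not know about."""
    known = {normalize_mac(m) for m in inventory}
    findings = []
    for entry in table:
        mac = normalize_mac(entry.mac)
        if mac not in known:
            findings.append(f"{mac} ({oui_vendor(mac)}) on {entry.switch} port {entry.port}")
    return findings


# Constructed sample data: an inventory export and a MAC table from two switches.
INVENTORY = ["02:11:22:33:44:55", "02-11-22-33-44-56"]
SWITCH_TABLE = [
    SwitchEntry("sw-floor2", "Gi1/0/7", "0211.2233.4455"),
    SwitchEntry("sw-floor2", "Gi1/0/9", "02:33:44:AA:BB:CC"),
    SwitchEntry("sw-floor3", "Gi1/0/2", "02:11:22:33:44:56"),
    SwitchEntry("sw-floor3", "Gi1/0/3", "02:DE:AD:BE:EF:01"),
]

if __name__ == "__main__":
    for line in unknown_devices(SWITCH_TABLE, INVENTORY):
        print(line)
```

The port in each finding is the detail that matters operationally: it is what lets someone walk to the jack, as answer 80 describes.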
  81. C. NIST identifies three activities for media sanitization: clearing, which uses logical techniques to sanitize data in all user-addressable storage locations; purging, which applies physical or logical techniques to render data recovery infeasible using state-of-the-art laboratory techniques; and destruction, which involves physically destroying the media.
  82. B. Degaussing, which uses a powerful electromagnet to remove data from tape media, is a form of purging.
  83. A. As long as Brian is comfortable relying on another backup mechanism, he can safely disable volume shadow copies and remove the related files. For the drive he is looking at, this will result in approximately 26 GB of storage becoming available.
  84. C. Suki's best bet to track down the original source of the emails that are being sent is to acquire full headers from the spam email. This will allow her to determine whether the email is originating from a system on her network or whether the source of the email is being spoofed. Once she has headers or if she cannot acquire them, she may want to check one or more of the other options on this list for potential issues.
  85. C. Most portable consumer devices, especially those that generate large files, format their storage as FAT32. FAT16 is limited to 2 GB partitions, RAW is a photo file format, and APFS is the native macOS file format. Lauren can expect most devices to format media as FAT32 by default because of its broad compatibility across devices and operating systems.
  86. C. The traffic values captured by ifconfig reset at 4 GB of data, making it an unreliable means of assessing how much traffic a system has sent when dealing with large volumes of traffic. Bohai should use an alternate tool designed specifically to monitor traffic levels to assess the system's bandwidth usage.
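As an added example (my code, not the book's), the Python below shows the arithmetic a monitoring tool has to do when a byte counter is 32 bits wide and wraps at 4 GiB, the limitation answer 86 describes. It computes the bytes moved between two counter samples and a rate, allowing for one wrap between samples. The readings are constructed sample values.

```python
# Added example (not the book's code): correct byte deltas from a 32-bit
# interface counter that wraps at 4 GiB. Sample readings are constructed.
from typing import List

COUNTER_WIDTH = 2 ** 32   # a 32-bit counter runs from 0 to 2**32 - 1


def counter_delta(previous: int, current: int, width: int = COUNTER_WIDTH) -> int:
    """Bytes transferred between two samples of a wrapping counter.
    Assumes at most one wrap between samples, so the polling interval must be
    shorter than the time it takes to move 4 GiB on the link."""
    if not (0 <= previous < width and 0 <= current < width):
        raise ValueError("counter values must be within the counter's width")
    if current >= previous:
        return current - previous
    return (width - previous) + current   # the counter wrapped past zero


def bytes_per_second(previous: int, current: int, seconds: float) -> float:
    return counter_delta(previous, current) / seconds


def total_bytes(samples: List[int]) -> int:
    """Sum the deltas over a series of consecutive counter readings."""
    return sum(counter_delta(a, b) for a, b in zip(samples, samples[1:]))


# Constructed readings: the counter wraps between the second and third sample.
SAMPLE_READINGS = [0, 3_000_000_000, 1_000_000_000, 1_500_000_000]

if __name__ == "__main__":
    print("total bytes:", total_bytes(SAMPLE_READINGS))
    print("rate (B/s) over a 60 s interval:", bytes_per_second(4_294_000_000, 1_000_000, 60))
```

A naive subtraction across the wrap would yield a negative number (or, in a tool that clamps, zero), which is why the answer recommends a tool built for traffic monitoring rather than reading ifconfig counters by hand.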
  87. C. Brian should determine whether he needs live forensic information, but if he is not certain, the safest path for him is to collect live forensic information, take photos so that he knows how each system was set up and configured, and then power them down. He would then log each system as evidence and will likely create forensic copies of the drives once he reaches his forensic work area or may use a portable forensic system to make drive images on-site. Powering a running system down can result in the loss of significant forensic information, meaning that powering a system down before collecting some information is typically not recommended. Collecting a static image of a drive requires powering the system down first.
  88. B. When forensic evidence or information is produced for a civil case, it is called e-discovery. This type of discovery often involves massive amounts of data, including email, files, text messages, and any other electronic evidence that is relevant to the case.
  89. A. Personally identifiable information (PII) includes information that can be used to identify, contact, or locate a specific individual. At times, PII must be combined with other data to accomplish this but remains useful for directly identifying an individual. The data that Manish and Linda are classifying is an example of PII. PHI is personal health information. Intellectual property is the creation of human minds including copyrighted works, inventions, and other similar properties. PCI DSS is the Payment Card Industry Data Security Standards.
  90. C. A chain-of-custody form is used to record each person who works with or is in contact with evidence in an investigation. Typically, investigative work is also done in a way that fully records all actions taken and sometimes requires two people present to verify actions taken.
  91. A. Since Scott needs to know more about potential vulnerabilities, an authenticated scan from an internal network will provide him with the most information. He will not gain a real attacker's view, but in this case, having more detail is important.
  92. C. The primary role of management in an incident response effort is to provide the authority and resources required to respond appropriately to the incident. They may also be asked to make business decisions, communicate with external groups, or assess the impact on key stakeholders.
  93. D. Both auth.log and /etc/passwd may show evidence of the new user, but auth.log will provide details, while Chris would need to have knowledge of which users existed prior to this new user being added. Chris will get more useful detail by checking auth.log.
  94. C. Process Monitor provides detailed tracking of filesystem and registry changes as well as other details that can be useful when determining what changes an application makes to a system. System administrators and forensic and incident response professionals often use this, as it can help make tracking down intricate installer problems much easier.
  95. C. NIST does not include making backups of every system and device in its documentation. Instead, NIST suggests maintaining an organizationwide knowledge base with critical information about systems and applications. Backing up every device and system can be prohibitively expensive. Backups are typically done only for specific systems and devices, with configuration and restoration data stored for the rest.
  96. B. NIST identifies four major phases in the IR life cycle: preparation; detection and analysis; containment, eradication, and recovery; and postincident activity. Notification and communication may occur in multiple phases.
  97. D. The page file, like many system files, is locked while Windows is running. Charles simply needs to shut down the system and copy the page file. Some Windows systems may be set to purge the page file when the system is shut down, so he may need to pull the plug to get an intact page file.
  98. B. Checking the SSID won't help since an evil twin specifically clones the SSID of a legitimate AP. You can identify evil twins by checking their BSSID (the wireless MAC address). If the wireless MAC has been cloned, checking additional attributes such as the channel, cipher, or authentication method can help identify them. In many cases, they can also be identified using the organizational unique identifier (OUI) that is sent as a tagged parameter in beacon frames.
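As an added example of the checks answer 98 lists (my code, not the book's and not a WIDS product), the Python below compares observed beacons against the organization's own access points: a beacon carrying one of our SSIDs from a BSSID we do not own, or a beacon from an owned BSSID whose channel, cipher or authentication method differ from the known configuration, is reported. The known-AP list and the observations are constructed sample data; a real tool would read them from a wireless survey export.

```python
# Added example (not the book's code): flag evil-twin candidates from beacon
# observations. All BSSIDs, SSIDs and settings are constructed sample data.
from typing import List, NamedTuple


class Beacon(NamedTuple):
    ssid: str
    bssid: str      # the AP's wireless MAC address
    channel: int
    cipher: str     # e.g. "CCMP" or "TKIP"
    auth: str       # e.g. "WPA2-EAP" or "WPA2-PSK"


def evil_twin_candidates(observed: List[Beacon], known: List[Beacon]) -> List[str]:
    by_bssid = {ap.bssid.upper(): ap for ap in known}
    our_ssids = {ap.ssid for ap in known}
    findings = []
    for b in observed:
        ours = by_bssid.get(b.bssid.upper())
        if ours is None:
            # Not our hardware: only interesting if it advertises our network.
            if b.ssid in our_ssids:
                findings.append(f"{b.bssid}: unknown BSSID advertising {b.ssid!r} on channel {b.channel}")
            continue
        # Our BSSID: a clone shows up as attributes that differ from the real AP.
        mismatched = [f for f in ("ssid", "channel", "cipher", "auth")
                      if getattr(b, f) != getattr(ours, f)]
        if mismatched:
            findings.append(f"{b.bssid}: cloned BSSID, mismatched {', '.join(mismatched)}")
    return findings


# Constructed sample data.
KNOWN_APS = [
    Beacon("CorpWiFi", "02:11:22:33:44:01", 36, "CCMP", "WPA2-EAP"),
    Beacon("CorpWiFi", "02:11:22:33:44:02", 6, "CCMP", "WPA2-EAP"),
]
OBSERVED = [
    Beacon("CorpWiFi", "02:11:22:33:44:01", 36, "CCMP", "WPA2-EAP"),   # genuine
    Beacon("CorpWiFi", "02:AA:BB:CC:DD:EE", 6, "CCMP", "WPA2-PSK"),    # foreign BSSID
    Beacon("CorpWiFi", "02:11:22:33:44:02", 11, "TKIP", "WPA2-PSK"),   # cloned BSSID
    Beacon("CoffeeShop", "02:99:88:77:66:55", 1, "none", "open"),      # unrelated
]

if __name__ == "__main__":
    for line in evil_twin_candidates(OBSERVED, KNOWN_APS):
        print(line)
```

The second case in the sample (same BSSID, different settings) is the one SSID-based checks miss entirely, which is the point the answer makes.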
  99. C. Slack space is leftover storage that exists because files do not take up the entire space allocated for them. Since the Unallocated partition does not have a filesystem on it, space there should not be considered slack space. Both System Reserved and C: are formatted with NTFS and will have slack space between files.
  100. C. Luke should expect to find most of the settings he is looking for contained in plists, or property lists, which are XML files encoded in a binary format.
  101. C. Without other requirements in place, many organizations select a one- to two-year retention period. This allows enough time to use existing information for investigations but does not retain so much data that it cannot be managed. Regardless of the time period selected, organizations should set and consistently follow a retention policy.
  102. C. If Alice focuses on a quick restoration, she is unlikely to preserve all of the evidence she would be able to during a longer incident response process. Since she is focusing on quick restoration, the service should be available more quickly, and the service and system should not be damaged in any significant way by the restoration process. The time required to implement the strategy will typically be less if she does not conduct a full forensic investigation and instead focuses on service restoration.
  103. D. Criminal investigations can take very long periods of time to resolve. In most cases, Joe should ensure that he can continue to operate without the servers for the foreseeable future.
  104. C. A RAW image, like those created by dd, is Piper's best option for broad compatibility. Many forensic tools support multiple image formats, but RAW files are supported almost universally by forensic tools.
  105. D. Windows systems record new device connections in the security audit log if configured to do so. In addition, information is collected in both the setupapi log file and in the registry, including information on the device, its serial number, and often manufacturer and model details. The user's profile does not include device information.
  106. B. When a network share or mounted drive is captured from the system that mounts it, data like deleted files, unallocated space, and other information that requires direct drive access will not be captured. If Scott needs that information, he will need to create a forensic image of the drive from the host server.
  107. D. NIST identifies customers, constituents, media, other incident response teams, Internet service providers, incident reporters, law enforcement agencies, and software and support vendors as outside parties that an IR team will communicate with.
  108. B. Questions including what tools and resources are needed to detect, analyze, or mitigate future incidents, as well as topics such as how information sharing could be improved, what could be done better or differently, and how effective existing processes and policies are, can all be part of the lessons learned review.
  109. B. The order of volatility for common storage locations is as follows:
    1. CPU cache, registers, running processes, RAM
    2. Network traffic
    3. Disk drives
    4. Backups, printouts, optical media
  110. C. Removing a system from the network typically occurs as part of the containment phase of an incident response process. Systems are typically not returned to the network until the end of the recovery phase.
  111. D. MD5, SHA-1, and SHA-2 hashes are all considered forensically sound. Although MD5 hashes are no longer a secure means of hashing, they are still considered appropriate for validation of forensic images because it is unlikely that an attacker would intentionally create a hash collision to falsify the forensic integrity of a drive.
  112. D. NIST's Computer Security Incident Handling Guide notes that identifying an attacker can be “time-consuming and futile.” In general, spending time identifying attackers is not a valuable use of incident response time for most organizations.
  113. B. The ability to create a timeline of events that covers logs, file changes, and many other artifacts is known as a Super Timeline. SIFT includes this capability, allowing Rick to decide what event types and modules he wants to enable as part of his timeline-based view of events.
  114. B. It is unlikely that skilled attackers will create a new home directory for an account they want to hide. Checking /etc/passwd and /etc/shadow for new accounts is a quick way to detect unexpected accounts, and checking both the sudoers file and membership in wheel and other high-privilege groups can help Vlad detect unexpected accounts with increased privileges.
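The checks described in answer 114, written out as an added example (not code from the book): it parses passwd, shadow, group and sudoers data and reports accounts that are new relative to a baseline, that have UID 0, that sit in privileged groups or sudoers, or that lack a normal home directory. The sample files, the `BASELINE` set and the privileged-group list are constructed for the example.

```python
"""Audit Linux account files for unexpected or over-privileged accounts.
Added example; all sample file contents below are constructed."""
from collections import defaultdict

# Constructed sample files, not taken from a real host.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
vlad:x:1000:1000:Vlad:/home/vlad:/bin/bash
backup2:x:0:0::/var/tmp:/bin/bash
svc-sync:x:1001:1001::/nonexistent:/bin/sh
"""
SHADOW = """root:$6$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
vlad:$6$hash:19000:0:99999:7:::
backup2:$6$hash:19400:0:99999:7:::
svc-sync:!!:19400:0:99999:7:::
"""
GROUP = """root:x:0:
wheel:x:10:vlad,svc-sync
sudo:x:27:vlad
"""
SUDOERS = """root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
svc-sync ALL=(ALL) NOPASSWD: ALL
"""
# Accounts known to exist when the host was built (assumed baseline).
BASELINE = {"root", "daemon", "vlad"}
PRIV_GROUPS = {"root", "wheel", "sudo", "admin"}


def parse_passwd(text):
    """Map user name -> uid, gid, home, shell from passwd(5) lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_group(text):
    """Map user name -> set of groups listed as supplementary members."""
    members = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        gname, _pw, _gid, mem = line.split(":", 3)
        for m in filter(None, mem.split(",")):
            members[m].add(gname)
    return members


def parse_sudoers(text):
    """Map sudoers principal (user or %group) -> the rest of its rule."""
    grants = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        who, rest = line.split(None, 1)
        grants[who] = rest
    return grants


def audit_accounts(passwd, shadow, group, sudoers, baseline):
    """Return (account, reason) findings; root itself is treated as expected."""
    users = parse_passwd(passwd)
    groups = parse_group(group)
    grants = parse_sudoers(sudoers)
    shadow_names = {l.split(":", 1)[0] for l in shadow.splitlines() if l.strip()}
    findings = []
    for name, u in users.items():
        if name == "root":
            continue
        if u["uid"] == 0:
            findings.append((name, "uid 0 account other than root"))
        if name not in baseline:
            findings.append((name, "account not in baseline"))
        if name not in shadow_names:
            findings.append((name, "no shadow entry"))
        # Skilled attackers rarely bother creating a real home directory.
        if u["uid"] >= 1000 and not u["home"].startswith("/home/"):
            findings.append((name, "interactive uid without a /home directory"))
        priv = groups.get(name, set()) & PRIV_GROUPS
        if priv:
            findings.append((name, "member of privileged group " + ",".join(sorted(priv))))
        if name in grants:
            findings.append((name, "direct sudoers entry: " + grants[name]))
        elif any("%" + g in grants for g in groups.get(name, set())):
            findings.append((name, "sudo rights via group"))
    return findings


if __name__ == "__main__":
    for account, reason in audit_accounts(PASSWD, SHADOW, GROUP, SUDOERS, BASELINE):
        print(f"{account:10s} {reason}")
```

On a real host the same functions can be fed the contents of /etc/passwd, /etc/shadow, /etc/group and /etc/sudoers (plus /etc/sudoers.d), with the baseline taken from a known-good build image.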
  115. A. Information sharing and analysis centers (ISACs) are information sharing and community support organizations that work within vertical industries like energy, higher education, and other business domains. Ben may choose to have his organization join an ISAC to share and obtain information about threats and activities that are particularly relevant to what his organization does. A CSIRT is a computer security incident response team and tends to be hosted in a single organization, a VPAC is made up, and an IRT is an incident response team.
  116. C. Headers can be helpful when tracking down spam email, but spammers often use a number of methods to obfuscate the original sender's IP address, email, or other details. Unfortunately, email addresses are often spoofed, and the email address may be falsified. In this case, the only verifiable information in these headers is the IP address of the originating host, mf-smf-ucb011.ocn.ad.jp (mf-smf-ucb011.ocn.ad.jp) [153.149.228.228]. At times even this detail can be forged, but in most cases, this is simply a compromised host or one with an open email application that spammers can leverage to send bulk email.
  117. C. The keychain in macOS stores user credentials but does not store user account passwords. All the other options listed are possible solutions for Azra, but none of them will work if the system has FileVault turned on.
  118. C. iPhone backups to local systems can be full or differential, and in this scenario the most likely issue is that Cynthia has recovered a differential backup. She should look for additional backup files if she does not have access to the original phone. If the backup was encrypted, she would not be able to access it without a cracking tool, and if it was interrupted, she would be unlikely to have the backup file or have it be in usable condition. iCloud backups require access to the user's computer or account and are less likely to be part of a forensic investigation.
  119. A. A second forensic examiner who acts as a witness, countersigning all documentation and helping document all actions, provides both strong documentation and another potential witness in court. Independent forensic action, no matter how well documented, will not be as reliable as having a witness.
  120. B. Although it may seem obvious that the system should be isolated from the network when it is rebuilt, we have seen this exact scenario played out before. In one instance, the system was compromised twice before the system administrator learned their lesson!
  121. D. MBR-, UEFI-, and BIOS-resident malware packages can all survive a drive wipe, but hiding files in slack space will not survive a zero wipe. Although these techniques are uncommon, they do exist and have been seen in the wild.
  122. D. Patents, copyrights, trademarks, and trade secrets are all forms of intellectual property. Patents, copyrights, and trademarks are all legal creations to support creators, while trade secrets are proprietary business information and are not formally protected by governments.
  123. B. BYOD (Bring Your Own Device) is increasingly common, and administrators typically find that network utilization, support tickets, and security risk (because of misconfigured, unpatched, or improperly secured devices) increase. Most organizations do not experience additional device costs with BYOD, since users are providing their own devices.
  124. A. The space that Saria sees is the space between the end of the file and the space allocated per cluster or block. This space may contain remnants of previous files written to the cluster or block or may simply contain random data from when the disk was formatted or initialized.
  125. C. The U.S. National Archives General Records Schedule stipulates a three-year records retention period for incident-handling records.
  126. A. Trusted system binary kits like those provided by the National Software Reference Library include known good hashes of many operating systems and applications. Kathleen can validate the files on her system using references like the NSRL (www.nsrl.nist.gov/new.html).
  127. A. Pluggable authentication module (PAM)–aware applications have a file in the /etc/pam.d directory. These files list directives that define the module and what settings or controls are enabled. Sadiq should ensure that the multifactor authentication system he uses is configured as required in the PAM files for the services he is reviewing.
  128. B. NIST specifically recommends the hostname, MAC addresses, and IP addresses of the system. Capturing the full output of an ipconfig or ifconfig command may be useful, but forensic analysis may not permit interaction with a live machine. Additional detail like the domain (or domain membership) may or may not be available for any given machine, and NIC manufacturer and similar data is not necessary under most circumstances.
  129. D. Since most APTs (including this one, as specified in the question) send traffic in an encrypted form, performing network forensics or traffic analysis will only provide information about potentially infected hosts. If Ryan wants to find the actual tools that may exist on endpoint systems, he should conduct endpoint forensics. Along the way, he may use endpoint behavior analysis, network forensics, and network traffic analysis to help identify target systems.
  130. B. Each antivirus or antimalware vendor uses their own name for malware, resulting in a variety of names showing for a given malware package or family. In this case, the malware package is a ransomware package that is known by some vendors as GoldenEye or Petya.
  131. B. When a system is not a critical business asset that must remain online, the best response is typically to isolate it from other systems and networks that it could negatively impact. By disconnecting it from all networks, Ben can safely investigate the issue without causing undue risk.

    We have actually encountered this situation. After investigating, we found that the user's text-to-speech application was enabled, and the microphone had the gain turned all the way up. The system was automatically typing words based on how it interpreted background noise, resulting in strange text that terrified the unsuspecting user.

  132. C. When clusters are overwritten, original data is left in the unused space between the end of the new file and the end of the cluster. This means that copying new files over old files can leave remnant data that may help Kathleen prove that the files were on the system by examining slack space.
  133. C. The command line for snmpwalk provides the clues you need. The -c flag specifies a community string to use, and the -v flag specifies the SNMP version. Since the community string is known, you can presume that the contact ID is root rather than the community string.
  134. C. The built-in macOS utility for measuring memory, CPU, disk, network, and power usage is Activity Monitor. Windows uses Resource Monitor, Sysradar was made up for this question, and System Monitor is used to collect information from Microsoft's SQL Server via RPC.
  135. A. If the system that Angela is attempting to access had mounted the encrypted volume before going to sleep and there is a hibernation file, Angela can use hibernation file analysis tools to retrieve the BitLocker key. If the system did not hibernate or the volume was not mounted when the system went to sleep, she will not be able to retrieve the keys. Memory analysis won't work with a system that is off, the boot sector does not contain keys, and brute-force cracking is not a viable method of cracking BitLocker keys because of the time involved.
  136. C. The pseudocode tells you that Adam is trying to detect outbound packets that are part of short communications (fewer than 10 packets and fewer than 3,000 bytes) and that he believes the traffic may appear to be web traffic, be general TCP traffic, or not match known traffic types. This is consistent with the attributes of beaconing traffic. Adam is also making sure that general web traffic won't be captured by not matching on uripath and contentencoding.
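The filter described in answer 136, implemented as an added example over constructed session records (not Adam's pseudocode from the question). It goes one step beyond the pseudocode: after selecting short outbound sessions without uripath or contentencoding fields, it groups them by source/destination pair and flags pairs whose sessions recur at a steady interval, which is the periodicity that distinguishes a beacon from ordinary short connections. The record layout, the `INTERNAL` prefix and the jitter threshold are assumptions for the example.

```python
"""Beacon candidate detection over constructed session records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (seconds, src, dst, protocol, packets, bytes, http_fields).
SESSIONS = [
    (0,    "10.1.1.5", "203.0.113.9",  "http", 6, 820, {}),
    (300,  "10.1.1.5", "203.0.113.9",  "http", 6, 815, {}),
    (600,  "10.1.1.5", "203.0.113.9",  "http", 7, 830, {}),
    (902,  "10.1.1.5", "203.0.113.9",  "http", 6, 818, {}),
    # Normal browsing: HTTP fields present, or far more than 10 packets.
    (10,   "10.1.1.7", "198.51.100.4", "http", 8, 2100,
           {"uripath": "/index.html", "contentencoding": "gzip"}),
    (40,   "10.1.1.7", "198.51.100.4", "http", 120, 250000, {"uripath": "/video.mp4"}),
    # Two short TCP sessions: too few to establish a period.
    (50,   "10.1.1.9", "192.0.2.20",   "tcp", 4, 400, {}),
    (1300, "10.1.1.9", "192.0.2.20",   "tcp", 5, 410, {}),
]
INTERNAL = "10."  # assumed internal address prefix for "outbound"
MAX_PACKETS, MAX_BYTES = 10, 3000
CANDIDATE_PROTOCOLS = {"http", "tcp", "unknown"}


def is_outbound(src, dst):
    return src.startswith(INTERNAL) and not dst.startswith(INTERNAL)


def short_session(session):
    """Adam's selection rule: short outbound session, web/TCP/unknown, no HTTP body fields."""
    _ts, src, dst, proto, pkts, nbytes, http = session
    return (is_outbound(src, dst)
            and pkts < MAX_PACKETS and nbytes < MAX_BYTES
            and proto in CANDIDATE_PROTOCOLS
            and "uripath" not in http and "contentencoding" not in http)


def beacon_candidates(sessions, min_sessions=3, max_jitter=0.2):
    """Group matching sessions per src/dst pair and keep pairs with a steady interval.

    Jitter is the standard deviation of inter-session gaps divided by their mean;
    a low value means the sessions recur on a near-fixed schedule.
    """
    by_pair = defaultdict(list)
    for s in sessions:
        if short_session(s):
            by_pair[(s[1], s[2])].append(s[0])
    result = {}
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < min_sessions:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 1.0
        if jitter <= max_jitter:
            result[pair] = {"count": len(times), "period": avg, "jitter": jitter}
    return result


if __name__ == "__main__":
    for (src, dst), info in beacon_candidates(SESSIONS).items():
        print(f"{src} -> {dst}: {info['count']} sessions every ~{info['period']:.0f}s")
```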
  137. B. Services are often started by xinetd (although newer versions of some distributions now use systemctl). Both /etc/passwd and /etc/shadow are associated with user accounts, and $HOME/.ssh/ contains SSH keys and other details for SSH-based logins.
  138. B. NIST classifies changes or deletion of sensitive or proprietary information as an integrity loss. Proprietary breaches occur when unclassified proprietary information is accessed or exfiltrated, and privacy breaches involve personally identifiable information (PII) that is accessed or exfiltrated.
  139. C. Although responders are working to contain the incident, they should also reserve forensic and incident information for future analysis. Restoration of service is often prioritized over analysis during containment activities, but taking the time to create forensic images and to preserve log and other data is important for later investigation.
  140. C. The system Nara is reviewing only has login failure logging turned on and will not capture successful logins. She cannot rely on the logs to show her who logged in but may be able to find other forensic indicators of activity, including changes in the user profile directories and application caches.
  141. A. The only true statement based on the image is that there are two remote users connected to the system via SSH. Port 9898 is registered with IANA as Monkeycom but is often used for Tripwire, leading to incorrect identification of the service. The local system is part of the example.com domain, and the command that was run will not show any UDP services because of the -at flag, meaning that you cannot verify if any UDP services are running.
  142. A. Windows does not include a built-in secure erase tool in the GUI or at the command line. Using a third-party program like Eraser or a bootable tool like DBAN is a reasonable option, and encrypting the entire drive and then deleting the key will have the same effect.
  143. D. This data is obviously not personally identifiable information (PII), personal health information (PHI), or payment card information (PCI). Data about a merger would be considered corporate confidential information.
  144. C. Postmortem forensics can typically be done after shutting down systems to ensure that a complete forensic copy is made. Live forensics imaging can help to capture memory-resident malware. It can also aid in the capture of encrypted drives and filesystems when they are decrypted for live usage. Finally, unsupported filesystems can sometimes be imaged while the system is booted by copying data off the system to a supported filesystem type. This won't retain some filesystem-specific data but can allow key forensic activities to take place.
  145. D. There is no common standard for determining the age of a user account in Linux. Some organizations add a comment to user accounts using the -c flag for user creation to note when they are created. Using the ls command with the -ld flag will show the date of file creation, which may indicate when a user account was created if a home directory was created for the user at account creation, but this is not a requirement. The aureport command is useful if auditd is in use, but that is not consistent between Linux distros.
  146. B. Profiling networks and systems will provide a baseline behavior set. A SIEM or similar system can monitor for differences or anomalies that are recorded as events. Once correlated with other events, these can be investigated and may prove to be security incidents. Dynamic and static analyses are types of code analysis, whereas behavioral, or heuristic, analysis focuses on behaviors that are indicative of an attack or other undesirable behavior. Behavioral analysis does not require a baseline; instead, it requires knowing what behavior is not acceptable.
  147. C. A system restore should not be used to rebuild a system after an infection or compromise since it restores only Windows system files, some program files, registry settings, and hardware drivers. This means that personal files and most malware, as well as programs installed or modifications to programs after the restore point is created, will not be restored.
  148. B. Portable imaging tools like FTK Imager Lite can be run from removable media, allowing a live image to be captured. Kobe may still want to capture the system memory as well, but when systems are used for data gathering and egress, the contents of the disk will be important. Installing a tool or taking the system offline and mounting the drive are both undesirable in this type of scenario when the system must stay online and should not be modified.
  149. C. The File System audit subcategory includes the ability to monitor for both access to objects (event ID 4663) and permission changes (event ID 4670). Manish will probably be most interested in 4670 permission change events, as 4663 events include read, write, delete, and other occurrences and can be quite noisy!
  150. B. If Manish has good reason to believe he is the only person with root access to the system, he should look for a privilege escalation attack. A remote access trojan would not directly provide root access, and a hacked root account is less likely than a privilege escalation attack. A malware infection is possible, and privilege escalation would be required to take the actions shown.
  151. B. NIST describes brute-force methods used to degrade networks or services as a form of attrition in their threat classification scheme. It may be tempting to call this improper usage, and it is; however, once an employee has been terminated, it is no longer an insider attack, even if the employee retains access.
  152. C. The original creation date (as shown by the GPS date), the device type (an iPhone X), the GPS location, and the manufacturer of the device (Apple) can all provide useful forensic information. Here, you know when the photo was taken, where it was taken, and what type of device it was taken on. This can help narrow down who took the photo or may provide other useful clues when combined with other forensic information or theories.
  153. B. A jump kit is a common part of an incident response plan and provides responders with the tools they will need without having to worry about where key pieces of equipment are during a stressful time. Crash carts are often used in datacenters to connect a keyboard, mouse, and monitor to a server to work on it. First-responder kits are typically associated with medical responders, and a grab bag contains random items.
  154. B. Chrome uses the number of seconds since midnight on January 1, 1601, for its timestamps. This is similar to the file time used by Microsoft in some locations, although the file time records time in 100-nanosecond slices instead of seconds. Since the problem did not specify an operating system and Chrome is broadly available for multiple platforms, you'll likely have recognized that this is unlikely to be a Microsoft timestamp. ISO 8601 is written in a format like this: 2017-04-02T04:01:34+00:00.
  155. B. Although it may seem like an obvious answer, Microsoft's MBSA is now outdated and does not fully support Windows 10. Marsha should select one of the other options listed to ensure that she gets a complete report.
  156. D. Facebook, as well as many other social media sites, now strip image metadata to help protect user privacy. John would need to locate copies of the photos that have not had the metadata removed and may still find that they did not contain additional useful data.
  157. D. The U.S. Department of Health and Human Services defines PHI data elements to include all “individually identifiable health information,” including an individual's physical or mental health and their payment for healthcare in the past, present, or future; their identity or information that could be used to identify an individual; and the data about the provision of healthcare to individuals. It does not include educational records.
  158. A. FISMA requires that U.S. federal agencies report incidents to US-CERT. CERT/CC is the coordination center of the Software Engineering Institute and researches software and Internet security flaws as well as works to improve software and Internet security. The National Cyber Security Authority is Israel's CERT, whereas the National Cyber Security Centre is the UK's CERT.
  159. C. The order of volatility for media from least to most volatile is often listed as backups and printouts; then disk drives like hard drives and SSDs; then virtual memory; and finally CPU cache, registers, and RAM. Artifacts stored in each of these locations can be associated with the level of volatility of that storage mechanism. For example, routing tables will typically be stored in RAM, making them highly volatile. Data stored on rewritable media is always considered more volatile than data stored on write-only media.
  160. B. The SAM is stored in C:\Windows\System32\config but is not accessible while the system is booted. The hashed passwords are also stored in the registry at HKEY_LOCAL_MACHINE\SAM but are also protected while the system is booted. The best way to recover the SAM is by booting off of removable media or using a tool like fgdump.
  161. A. Modern Microsoft Office files are actually stored in a ZIP format. Alex will need to open them using a utility that can unzip them before he can manually review their contents. He may want to use a dedicated Microsoft Office forensics tool or a forensics suite with built-in support for Office documents.
  162. B. Memory pressure is a macOS-specific term used to describe the availability of memory resources. Yellow segments on a memory pressure chart indicate that memory resources are still available but are being tasked by memory management processes such as compression.
  163. D. Once a command prompt window has been closed on a Windows system, the command history is erased. If Lukas could catch the user with an open command prompt, he could press F7 and see the command history.
  164. C. Wireless evil twin attacks use a rogue AP configured to spoof the MAC address of a legitimate access point. The device is then configured to provide what looks like a legitimate login page to capture user credentials, allowing attackers to use those credentials to access other organizational resources.
  165. D. The program netcat is typically run using nc. The -k flag for netcat makes it listen continuously rather than terminating after a client disconnects, and -l determines the port that it is listening on. In this case, the netcat server is listening on TCP port 6667, which is typically associated with IRC.
  166. D. Economic impact is calculated on a relative scale, and Angela does not have all of the information she needs. A $500,000 loss may be catastrophic for a small organization and may have a far lower impact to a Fortune 500 company. Other factors like cybersecurity insurance may also limit the economic impact of a cybersecurity incident.
  167. D. Saanvi simply needs to generate a known event ID that he can uniquely verify. Once he does, he can log into the SIEM and search for that event at the time he generated it to validate that his system is sending syslogs.
  168. C. Windows includes a built-in memory protection scheme called Data Execution Prevention (DEP) that prevents code from being run in pages that are marked as nonexecutable. By default, DEP only protects “essential Windows programs and services,” but it can be enabled for all programs and services, enabled for all programs and services except those that are on an exception list, or entirely disabled.
  169. B. The NIST guidelines require validation after clearing, purging, or destroying media to ensure that the action that was taken is effective. This is an important step since improperly applying the sanitization process and leaving data partially or even fully intact can lead to a data breach.
  170. B. Tamper-proof seals are used when it is necessary to prove that devices, systems, or spaces were not accessed. They often include holographic logos that help to ensure that tampering is both visible and cannot be easily hidden by replacing the sticker. A chain-of-custody log works only if personnel actively use it, and system logs will not show physical access. If Latisha has strong concerns, she may also want to ensure that the room or space is physically secured and monitored using a camera system.
  171. C. Collecting and analyzing logs most often occurs in the detection phase, whereas connecting attacks back to attackers is typically handled in the containment, eradication, and recovery phase of the NIST incident response process.
  172. B. Maria has performed interactive behavior analysis. This process involves executing a file in a fully instrumented environment and then tracking what occurs. Maria's ability to interact with the file is part of the interactive element and allows her to simulate normal user interactions as needed or to provide the malware with an environment where it can interact like it would in the wild.
  173. C. If Raj has ensured that his destination media is large enough to contain the image, then a failure to copy is most likely because of bad media. Modification of the source data will result in a hash mismatch, encrypted drives can be imaged successfully despite being encrypted (the imager doesn't care!), and copying in RAW format is simply a bit-by-bit copy and will not cause a failure.
  174. A. Derek has created a malware analysis sandbox and may opt to use tools like Cuckoo, Truman, Minibis, or a commercial analysis tool. If he pulls apart the files to analyze how they work, he would be engaging in reverse engineering, and doing code-level analysis of executable malware would require disassembly. Darknets are used to identify malicious traffic and aren't used in this way.
  175. A. Failed SSH logins are common, either because of a user who has mistyped their password or because of scans and random connection attempts. Liam should review his SSH logs to see what may have occurred.
  176. B. By default, Run and RunOnce keys are ignored when Windows systems are booted into Safe Mode. Clever attackers may insert an asterisk to force the program to run in Safe Mode; however, this is not a common tactic.
  177. B. The setupapi file (C:\Windows\INF\setupapi.dev.log) records the first time a USB device is connected to a Windows system using the local system's time. Other device information is collected in the registry, and the system security log may contain connection information if USB device logging is specifically enabled.
  178. C. The only solution from Latisha's list that might work is to capture network flows, remove normal traffic, and then analyze what is left. Peer-to-peer botnets use rapidly changing control nodes and don't rely on a consistent, identifiable control infrastructure, which means that traditional methods of detecting beaconing will typically fail. They also use quickly changing infection packages, making signature-based detection unlikely to work. Finally, building a network traffic baseline after an infection will typically make the infection part of the baseline, resulting in failure to detect malicious traffic.
  179. B. Identifying the attacker is typically handled either during the identification stage or as part of the post-incident activities. The IR process typically focuses on capturing data and allowing later analysis to ensure that services are restored.
  180. D. Playbooks describe detailed procedures that help to ensure that organizations and individuals take the right actions during the stress of an incident. Operations guides typically cover normal operational procedures, while an incident response policy describes the high-level organizational direction and authority for incident response. An incident response program might generate a policy and a playbook but would not include the detailed instructions itself.
  181. C. This is a simple representation of a buffer overflow attack. The attacker overflows the buffer, causing the return address to be pointed to malicious code that the attacker placed in memory allocated to the process.
  182. A. Online tools like VirusTotal, MetaScan, and other online malware scanners use multiple antivirus and antimalware engines to scan files. This means they can quickly identify many malware packages. Static analysis of malware code is rarely quick and requires specialized knowledge to unpack or deobfuscate the files in many cases. Running strings can be helpful to quickly pick out text if the code is not encoded in a way that prevents it but is not a consistently useful technique. Running local antivirus or antimalware can be helpful but has a lower success rate than a multi-engine tool.
  183. D. DiskView provides a GUI-based view of the disk with each cluster marked by the files and directories it contains. du is a command-line disk usage reporting tool that can report on the size of directories and their subdirectories. df is the Linux command-line disk space usage tool, and GraphDisk was made up for this question.
  184. D. Passphrases associated with keys are not kept in the .ssh folder. It does contain the remote hosts that have been connected to, the public keys associated with those hosts, and private keys generated for use connecting to other systems.
  185. D. There are numerous reverse image search tools, including Google's reverse image search, Tineye, and Bing's Image Match. John may want to use each of these tools to check for matching images.
  186. C. This image represents an actual situation that involved a severed fiber link. Checking the secondary link would show that traffic failed over to the secondary link after a few minutes of failed connection attempts. This diagram is not sufficient to determine whether Brian has a caching server in place, but normal traffic for streaming services and videoconferences wouldn't work via a cache. If the link had failed and the card or device recovered on the same link, a resumption of normal traffic would appear. PRTG has continued to get small amounts of traffic, indicating that it is still receiving some information.
  187. C. BitLocker keys can be retrieved by analyzing hibernation files or memory dumps or via a FireWire attack for mounted drives. The BitLocker key is not stored in the MBR. After Carlos finishes this investigation, he may want to persuade his organization to require BitLocker key escrow to make his job easier in the future.
  188. A. Adam will quickly note that weekends see small drops, but Christmas vacation and summer break both see significant drops in overall traffic. He can use this as a baseline to identify unexpected traffic during those times or to understand what student and faculty behavior means for his organization's network usage.

    This detail is not sufficient to determine top talkers, and weekend drops in traffic should be expected, rather than requiring him to look into why having fewer people on campus results in lower usage!

  189. C. Slack space is the space left between the end of a file and the end of a cluster. This space is left open, but attackers can hide data there, and forensic analysts can recover data from this space if larger files were previously stored in the cluster and the space was not overwritten prior to reuse.
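Slack space as described in answers 124, 132 and 189, shown as an added example (not from the book) on a constructed disk image: a larger file once filled two clusters, a smaller file was then written over the start of the first cluster, and the remnant of the old file can be carved from the bytes between the new file's end and the cluster boundary. The 512-byte cluster size and the image layout are assumptions for the example.

```python
"""Compute and carve file slack from a constructed disk image (added example)."""

CLUSTER = 512  # bytes per cluster; assumed for the constructed image


def build_image():
    """Return (image_bytes, new_file_size) for a constructed four-cluster image.

    Cluster 0 and part of cluster 1 once held a 600-byte file. A 28-byte file is
    then written over the start of cluster 0, leaving the rest of the old data in
    the new file's slack space.
    """
    old = b"OLD CONFIDENTIAL MERGER NOTES " * 20  # 600 bytes, spans two clusters
    image = bytearray(old.ljust(4 * CLUSTER, b"\x00"))
    new = b"quarterly report placeholder"          # 28 bytes, constructed content
    image[0:len(new)] = new
    return bytes(image), len(new)


def slack_bytes(file_size, cluster=CLUSTER):
    """Bytes between the end of a file and the end of its last allocated cluster."""
    used = file_size % cluster
    return 0 if used == 0 else cluster - used


def carve_slack(image, start, file_size, cluster=CLUSTER):
    """Return the slack region for a file that begins at byte offset `start`."""
    end = start + file_size
    return image[end:end + slack_bytes(file_size, cluster)]


def printable_runs(data, min_len=8):
    """Extract runs of printable ASCII (a minimal strings-style pass over the slack)."""
    runs, current = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            current.append(b)
        else:
            if len(current) >= min_len:
                runs.append(current.decode("ascii"))
            current = bytearray()
    if len(current) >= min_len:
        runs.append(current.decode("ascii"))
    return runs


if __name__ == "__main__":
    img, size = build_image()
    slack = carve_slack(img, 0, size)
    print(f"file size {size}, slack {len(slack)} bytes")
    for run in printable_runs(slack):
        print("remnant:", run[:60])
```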
  190. C. The process details are provided using the -p flag, whereas the -e flag will show extended information that includes the username and inode of the process. The -t flag shows only TCP connections, -s shows summary information, -a shows all sockets, and the -n flag shows numeric IPs, which is faster than reverse DNS queries.
  191. B. If the system contains any shutdown scripts or if there are temporary files that would be deleted at shutdown, simply pulling the power cable will leave these files in place for forensic analysis. Pulling the cord will not create a memory or crash dump, and memory-resident malware will be lost at power-off.
  192. C. If a device is powered on, the SIM should not be removed until after logical collection has occurred. Once logical collection has occurred, the device should be turned off, and then the SIM card can be removed. If this were not an iPhone, Amanda might want to check to ensure that the device is not a dual or multi-SIM device.
  193. C. Of the tools listed, only OpenVAS is a full-system vulnerability scanner. Wapiti is a web application scanner, ZAP is an attack proxy used for testing web applications, and nmap is a port scanner.
  194. B. The containment stage of incident response is aimed at limiting damage and preventing any further damage from occurring. This may help stop data exfiltration, but the broader goal is to prevent all types of damage, including further exploits or compromises.
  195. B. Logical copies of data and volumes from an unlocked or decrypted device are the most likely mobile forensic scenario in many cases. Most forensic examiners do not have access to chip-level forensic capabilities that physically remove flash memory from the circuit board, and JTAG-level acquisition may involve invasive acquisition techniques like directly connecting to chips on a circuit board.
  196. D. Although the registry contains the account creation date and time as well as the last login date and time, it does not contain the time the user first logged in. Fortunately for Wang, the SAM also contains password expiration information, user account type, the username, full name, user's password hint, when the password must be reset and when it will fail, as well as whether a password is required. The SAM does not include the number of logins for a user, but some of this detail may be available in the system logs.
  197. B. Advanced persistent threats often leverage email, phishing, or a vulnerability to access systems and insert malware. Once they have gained a foothold, APT threats typically work to gain access to more systems with greater privileges. They gather data and information and then exfiltrate that information while working to hide their activities and maintain long-term access. DDoS attacks, worms, and encryption-based extortion are not typical APT behaviors.
  198. A. Alice is performing an information impact analysis. This involves determining what data was accessed, if it was exfiltrated, and what impact that loss might have. An economic impact analysis looks at the financial impact of an event, downtime analysis reviews the time that services and systems will be down, and recovery time analysis estimates the time to return to service.
  199. D. The process flow that Carol has discovered is typically used by an advanced persistent threat. Phishing would focus on gaining credentials, whaling is similar but focused on important individuals, and a zero-day exploit leverages a newly discovered vulnerability before there is a patch or general awareness of the issue.
  200. B. She is in the identification phase, which involves identifying systems and data before they are collected and preserved.
  201. C. Carol should notify counsel and provide information about the policy and schedule that resulted in the data being removed. This will allow counsel to choose what steps to take next.
  202. C. With most e-discovery cases, reviewing the large volumes of data to ensure that only needed data is presented and that all necessary data is made available takes up the most staff time. Many organizations with larger e-discovery needs either dedicate staff or outsource efforts like this.
  203. C. Cassandra should ensure that she has at least one USB multi-interface drive adapter that can connect to all common storage drive types. If she were performing forensic analysis, she would also want to use a hardware or software write blocker to ensure that she retains forensic integrity of the acquisition. A USB-C cable and a USB hard drive are commonly found in forensic and incident response toolkits, but neither will help Cassandra connect to bare drives.
  204. B. Crime scene tape isn't a typical part of a forensic kit if you aren't a law enforcement forensic analyst or officer. Some businesses may use seals or other indicators to discourage interference with investigations. Write blockers, label makers, and decryption tools are all commonly found in forensic kits used by both commercial and law enforcement staff.
  205. B. A call list provides a list of the personnel who should or can be contacted during an incident or response scenario. Sometimes called an escalation list, it typically includes the names of the staff members who should be called if there is no response. A rotation list or call rotation is used to distribute workload among a team, typically by placing a specific person on-call for a set timeframe. This may help decide who is on the call list at any given point in time. A triage triangle is made up for this question, and responsibility matrices are sometimes created to explain who is responsible for what system or application, but they aren't directly used for emergency contact lists.
  206. A. John the Ripper is a common Linux password cracker. Although it is possible that an attacker might choose to call a rootkit or a malicious program used for privilege escalation “john,” it is far less likely. Since user processes are identified by the binary name, not the user's identity for the process, a user named John won't result in a process named John unless they create a binary with the same name.
  207. A. Postincident communication often involves marketing and public relations staff who focus on consumer sentiment and improving the organization's image, whereas legal often reviews statements to limit liability or other issues. Developers are typically not directly involved in postincident communications and are instead working on ensuring the security of the applications or systems they are responsible for.
  208. A. Malicious sites may run scripts intended to mine cryptocurrency or to perform other actions when they are visited or ads execute code, resulting in high processor consumption. Charles should review the sites that were visited and check them against a trusted site list tool or a reputation tool. The scenario described does not indicate that checking the binary will help, and reinstalling a browser isn't typically part of the response for high CPU usage. Disabling TLS is a terrible idea, and modern CPUs shouldn't have an issue handling secure sites.
  209. B. Mika's organization should use a change management process to avoid unauthorized changes to their web server. Mika could then check the change process logs or audit trail to determine who made the change and when. If Java had been installed without proper authorization, then this would be unauthorized software. Unexpected input often occurs when web applications are attacked, and may result in a memory overflow.
  210. C. Overflowing a memory location by placing a string longer than the program expects into a variable is a form of buffer overflow attack. Attackers may choose to use a string of the same letters to make the overflow easier to spot when testing the exploit.
  211. B. Barb can configure a behavior-based analysis tool that can capture and analyze normal behavior for her application, and then alert her when unexpected behavior occurs. Although this requires initial setup, it requires less long-term work than constant manual monitoring, and unlike signature-based or log analysis-based tools, it will typically handle unexpected outputs appropriately.
  212. B. Although all of these functions are likely able to provide important advice on disciplinary policies, the human resources team has primary responsibility for employee relations and would be the best team to include for this purpose.
  213. B. Sensitive personal information includes data related to ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, and data concerning a person's health, sex life, and sexual orientation. The other data elements in this question are examples of personally identifiable information (PII), but they do not fall under the SPI category.
  214. C. This is an example of an emergency change because the change was made without any advance approval. It was necessary to meet urgent security requirements, and Joanna should follow up as soon as possible by filing an emergency change notice.
  215. D. Tabletop exercises allow testing of the incident response process without disrupting normal business activity. This is a good approach that gathers the team together to walk through an incident scenario. Full interruption tests are disruptive to the business and would not be appropriate in this case. Checklist reviews and management reviews do not provide the requested level of interaction with the team.
  216. B. SSH communications normally take place over TCP port 22. Attackers may try to run SSH servers over different ports to avoid detection.
  217. A. Attackers commonly use scheduled tasks to achieve persistence. If an analyst forgets to check for scheduled tasks, attackers may leave a task scheduled that opens up a vulnerability at a later date, achieving persistence on the system.
  218. B. Generally speaking, analysts may obtain more forensic information when their organization has greater control over the underlying cloud resources. Infrastructure as a service (IaaS) environments provide the greatest level of control and, therefore, typically provide access to the most detailed information.
  219. A. Any of these exercises may be used to help remind incident responders of their responsibilities. Checklist reviews have the least impact on the organization because they may be done asynchronously by individual employees. The other training/exercise types listed here would require a more substantial commitment of time.
  220. C. All of these are standard port/service pairings, with the exception of SSH, which normally runs on port 22. If this is discovered frequently during attacks, analysts may wish to generate a new IoC to better recognize future attacks.
  221. D. Vulnerability mitigation, restoration of permissions, and the verification of logging and communication to security monitoring are all activities that normally occur during the eradication and recovery phase of incident response. The analysis of drive capacity consumption is the assessment of an indicator of compromise, which occurs during the detection and analysis phase of incident response.
  222. A. All of these stakeholders should be included in the planning for an incident response program. However, Craig should be most careful about coordinating with external entities, such as regulatory bodies, because of their enforcement role. He should plan to coordinate more freely with internal entities, such as senior leadership, legal, and human resources.

Answers to Chapter 5: Domain 5.0: Compliance and Assessment

  1. B. Although many security controls may address this objective, the most directly related one is data classification. By classifying data, the organization will be able to clearly communicate protection requirements for different types of information.
  2. B. The advanced persistent threat (APT) group is an example of an external threat to the organization. If there is also some vulnerability in the organization's security defenses that might allow that APT to successfully attack the organization, then a risk exists.
  3. D. This approach is risk-based because it allows the organization to address the standard based on their business environment. A prescriptive standard, such as PCI DSS, does not offer this flexibility. HIPAA is still a law that contains security requirements, so it is not appropriate to describe it as optional or minimal.
  4. A. Network segmentation is a risk mitigation activity. Threat intelligence, vulnerability scanning, and systems assessments are all valuable tools in helping an organization identify risks.
  5. A. The two factors that determine the severity of a risk are its probability and magnitude. Impact is a synonym for magnitude. Likelihood is a synonym for probability. Controls are a risk mitigation technique that might be applied to reduce the magnitude and/or probability after determining the severity of a risk.
  6. B. This background screening is taking place prior to employment. Therefore, it is a preventive control, designed to prevent the organization from hiring someone who might pose a security risk.
  7. D. OAuth redirects are an authentication attack that allows an attacker to impersonate another user.
  8. C. This is an example of data masking, removing enough digits from sensitive information to render it non-sensitive. Tokenization would replace the existing number with an unrelated number. Purging would remove the data completely. The data is not deidentified because the customer's name appears on the receipt.
  9. C. All of these information sources may be useful during Renee's assessment, but the most useful item would be the results of an independent security assessment that evaluates the vendor's security controls.
  10. C. The HIPAA security rule specifically addresses the confidentiality, integrity, and availability of protected health information. The HIPAA privacy rule governs the privacy of that information. There is no specific rule addressing nonrepudiation.
  11. A. The use of a threat intelligence feed to block connections at the firewall reduces the likelihood of a successful attack and is, therefore, a risk mitigation activity.
  12. D. Gary is changing business practices to eliminate the risk entirely. This is, therefore, an example of risk avoidance.
  13. C. Purchasing insurance is the most common example of risk transference—it's shifting liability to a third party.
  14. B. Internal audit provides the ability to perform the investigation with internal resources, which typically reduces cost. External auditors would normally be quite expensive and bring a degree of independence that is unnecessary for an internal investigation. The IT manager would not be a good candidate for performing the assessment because they may be involved in the embezzlement or may have close relationships with the affected employees. There is no need to bring in law enforcement at this point, opening the company to unnecessary scrutiny and potential business disruption.
  15. B. The Gramm–Leach–Bliley Act (GLBA) includes regulations covering the cybersecurity programs at financial institutions, including banks. The Health Insurance Portability and Accountability Act (HIPAA) covers healthcare providers, insurers, and health information clearinghouses. The Family Educational Rights and Privacy Act (FERPA) applies to educational institutions. The Sarbanes–Oxley Act (SOX) applies to publicly traded companies.
  16. D. This is an example of purpose limitation: ensuring that information is used only for disclosed purposes. It is not data retention or disposal because Alfonso is not making any decisions to keep or discard data. Similarly, it is not data minimization because he is not choosing not to collect information or to discard unnecessary information.
  17. B. This is the type of engineering trade-off that security engineers must make on a regular basis. The level of encryption Florian is choosing meets the organization's standards, and there is no reason to believe that it introduces unnecessary security or compliance risk.
  18. B. The Information Technology Infrastructure Library (ITIL) framework places security management into the service design core activity. The other processes in service design are design coordination, service catalog management, service-level management, availability management, capacity management, IT service continuity management, and supplier management.
  19. B. A tabletop exercise gathers the team in one place to walk through the response to a hypothetical incident. A checklist review does not gather the team or utilize a scenario. Parallel tests and full interruption tests involve the activation of incident response procedures.
  20. B. Data sovereignty says that data is subject to the laws of the jurisdiction where it is stored, processed, or transmitted. This is the issue that concerns Oskar's organization. There is no discussion of minimizing the data collected or retained, or limiting the purposes for which information may be used.
  21. C. Changes in team members may cause someone to initiate a review, but it is more likely that a review would be initiated based on changes in the processes protected by the security program, control requirements (such as compliance obligations), or a control failure (such as a security incident).
  22. B. This is a tricky question because two options—risk avoidance and risk mitigation—can both limit the probability of a risk occurring. However, risk avoidance is more likely to do so because it eliminates the circumstances that created the risk, whereas risk mitigation simply introduces controls to reduce the likelihood or impact of a risk. Risk acceptance does not change the probability or magnitude of a risk. Risk transference limits the potential magnitude by transferring financial responsibility to another organization but does not impact probability.
  23. C. ISO 27001 is the current standard governing cybersecurity requirements. ISO 9000 is a series of quality management standards. ISO 17799 covered information security issues but is outdated and has been withdrawn. ISO 30170 covers the Ruby programming language.
  24. C. All of these controls would be effective ways to prevent the loss of information. However, only a background investigation is likely to uncover information that might make a potential employee susceptible to blackmail.
  25. B. All of the controls listed are network security controls. Of those listed, a data loss prevention (DLP) system is specifically designed for the purpose of identifying and blocking the exfiltration of sensitive information and would be the best control to meet Martin's goal. Intrusion prevention systems (IPSs) may be able to perform this function on a limited basis, but it is not their intent. Intrusion detection systems (IDSs) are even more limited in that they are detective controls only and would not prevent the exfiltration of information. Firewalls are not designed to serve this purpose.
  26. A. Full-disk encryption (FDE) prevents anyone who gains possession of a device from accessing the data it contains, making it an ideal control to meet Martin's goal. Strong passwords may be bypassed by directly accessing the disk. Cable locks are not effective for devices used by travelers. Intrusion prevention systems are technical controls that would not affect someone who gained physical access to a device.
  27. A. This question forces you to choose from several good options, as do many questions on the exam. We can rule out insurance because that does not alter the probability of a risk occurring. The remaining three options all do reduce the likelihood, but the best choice is minimizing the amount of data retained and the number of locations where it is stored, since this removes that data from the potential of a breach.
  28. A. Kwame should take action to communicate the risk factors to management and facilitate a risk-informed discussion about possible courses of action. He should do this prior to taking any more aggressive action.
  29. C. There is no explicit security domain in the COBIT standard. The four COBIT domains are Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.
  30. B. An organization's acceptable use policy (AUP) should contain information on what constitutes allowable and unallowable use of company resources. This policy should contain information to help guide Mia's next steps.
  31. C. The exposure factor (EF) is the percentage of the facility that risk managers expect will be damaged if the risk materializes. It is calculated by dividing the amount of damage by the asset value. In this case, that is $5 million in damage divided by the $10 million facility value, or 50%.
  32. B. The annualized rate of occurrence (ARO) is the number of times that risk analysts expect a risk to happen in any given year. In this case, the analysts expect an earthquake once every 200 years, or 0.005 times per year.
  33. A. The annualized loss expectancy (ALE) is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case, the SLE is $5,000,000 and the ARO is 0.005. Multiplying these numbers together gives you the ALE of $25,000.
  34. B. Moving the datacenter to a location where earthquakes are not a risk is an example of risk avoidance, because it is completely avoiding the risk. If the location simply had a lower risk of earthquake, then this strategy would be risk mitigation.
  35. D. Purchasing insurance is always an example of risk transference, as it transfers risk from the entity purchasing the policy to the insurance company.
  36. C. Risk acceptance is the deliberate decision to not take any other risk management action and simply to carry on with normal activity in spite of the risk.
  37. C. The classification levels under the U.S. government information classification scheme are, in ascending order, Confidential, Secret, and Top Secret. Private is not a government classification.
  38. B. The purpose of a DLP system is to detect and block unauthorized transfers of information outside of an organization. The sentence that best describes this purpose is that they can use labels to apply appropriate security policies.
  39. A. PCI DSS has a fairly short minimum password length requirement. Requirement 8.2.3 states that passwords must be a minimum of seven characters long and must include a mixture of alphabetic and numeric characters.
  40. D. Mandatory vacations are designed to force individuals to take time away from the office to allow fraudulent activity to come to light in their absence. The other controls listed here (separation of duties, least privilege, and dual control) are all designed to prevent, rather than detect, fraud.
  41. D. Transport Layer Security (TLS) is the current standard for encrypting data in transit. Secure Sockets Layer (SSL) previously filled this need, but it is no longer considered secure. Full-disk encryption (FDE) is used to protect data at rest, and data loss prevention (DLP) systems do not apply encryption to all web traffic.
  42. B. This situation violates the principle of separation of duties. The company appears to have designed the controls to separate the creation of vendors from the issuance of payments, which is a good fraud-reduction practice. However, the fact that they are cross-trained to back each other up means that they have the permissions assigned to violate this principle.
  43. D. After accepting a risk, the organization takes no action other than to document the risk as accepted. Implementing additional security controls or designing a remediation plan would not be risk acceptance but would instead fit into the category of risk mitigation. There is no need to repeat the business impact assessment.
  44. C. Robin would achieve the best results by combining elements of quantitative and qualitative risk assessment. Quantitative risk assessment excels at analyzing tangible, financial risks, whereas qualitative risk assessment is good for intangible risks. Combining the two techniques provides a well-rounded risk picture.
  45. A. In a security exercise, the red team is responsible for offensive operations, whereas the blue team is responsible for defensive operations. The white team serves as the neutral referees, whereas the purple team combines elements of the red team and blue team.
  46. A. Separation of duties is the most effective way to mitigate this risk. Administrators who have access to perform privileged activities on systems should not also have the ability to alter log files. Two-person control could work but would be very cumbersome. Job rotation and security awareness would not address this risk.
  47. A. Automated deprovisioning ties user account removal to human resources systems. Once a user is terminated in the human resources system, the identity and access management infrastructure automatically removes the account. Quarterly user access reviews may identify accounts that should have been disabled, but they would take a long time to do so and are therefore not the best solution to the problem. Separation of duties and two-person control are designed to limit the authority of a user account and would not remove access.
  48. C. Annual reviews of security policies are an industry standard and are sufficient unless there are special circumstances, such as a new policy or major changes in the environment. Monthly or quarterly reviews would occur too frequently, whereas waiting five years for the review is likely to miss important changes in the environment.
  49. A. The first step in performing a risk assessment is to undertake the risk identification process.
  50. C. The Advanced Encryption Standard (AES) is a secure, modern encryption algorithm that is appropriate for data at rest. It replaces the Data Encryption Standard (DES), which is no longer considered secure. SSL and TLS technologies are for use with data in transit.
  51. C. The GDPR applies to European Union (EU) residents. Although data sovereignty controls are important to excluding an organization from GDPR coverage, data sovereignty would not restrict certain customers from doing business with the organization. Geographic access requirements could block potential customers from accessing her organization's resources from within the European Union.
  52. C. Watermarking technology applies an invisible identifier to a document that is intended to survive copying and modification. Watermarking can be used to prove the origin of a file.
  53. D. The most relevant policy here is the organization's data retention policy, which should outline the standards for keeping records before destruction or disposal.
  54. B. Fences are preventive controls because a tall fence can prevent an intruder from gaining access to a secure facility. They are also deterrent controls because the presence of a fence may deter an intruder from attempting to gain access. They are physical security controls because they restrict physical access. They are not corrective controls because they do not play a role after a physical intrusion occurs.
  55. D. It is sometimes difficult to distinguish between cases of least privilege, separation of duties, and dual control. Least privilege means that an employee should only have the access rights necessary to perform their job. That is not the case in this scenario because accountants need to be able to approve payments. Separation of duties occurs when the same employee does not have permission to perform two different actions that, when combined, could undermine security. That is not the case here because both employees are performing the same action: approving the payment. Dual control occurs when two employees must jointly authorize the same action. That is the case in this scenario. Security through obscurity occurs when the security of a control depends on the secrecy of its mechanism.
  56. B. The Information Technology Infrastructure Library (ITIL) is specifically designed to offer a set of compatible IT processes.
  57. A. The rules of engagement for a penetration test outline the activities that are (and are not) permissible during a test. Carmen should include her requirement in the penetration test's rules of engagement.
  58. C. The Health Insurance Portability and Accountability Act (HIPAA) mandates the safeguarding of protected health information (PHI). Sensitive personal information (SPI) and personally identifiable information (PII) may fall under HIPAA but do not necessarily do so. Payment card information is covered by the Payment Card Industry Data Security Standard (PCI DSS).
  59. A. Data owners bear ultimate responsibility for safeguarding the information under their care, even if they do not personally implement or manage the security controls.
  60. D. This data appears to be tokenized, as the Social Security Numbers (SSN) have been replaced with a sequential field. This is a hallmark that the numbers are not randomly generated and are likely reversible using a lookup table.
  61. B. The characters in the Social Security Number (SSN) field appear to be nonsequential and arbitrary. It is most likely that this data has been encrypted and requires a decryption key to recover the contents of the SSN field.
  62. A. In this report, the first five digits of the Social Security Number (SSN) have been replaced with Xs. This is clearly an example of data masking.
  63. D. Any of these terms could reasonably be used to describe this engagement. However, the term audit best describes this effort because of the formal nature of the review and the fact that the board requested it.
  64. B. A procedure offers a step-by-step process for completing a cybersecurity activity. The VPN instructions that Gavin is creating are best described using this term.
  65. D. The five security functions described in the NIST Cybersecurity Framework are identify, protect, detect, respond, and recover.
  66. A. Succession planning is designed to create a pool of reserve candidates ready to step into positions when a vacancy occurs. This is an important continuity control. The other security controls may have the incidental side effect of exposing employees to other responsibilities, but they are not designed to meet this goal.
  67. B. Backups are used to recover operations in the wake of a security incident. Therefore, they are best described as corrective controls.
  68. D. Vendor due diligence is designed to identify vulnerabilities due to the supplier relationship. In an infrastructure-as-a-service (IaaS) environment, the customer is responsible for managing the security of data stored in the environment to prevent data exfiltration. The customer is also responsible for operating system and security group configuration. Vendor due diligence may uncover vendor viability issues, which may impact future vendor availability.
  69. C. An organization's code of conduct or ethics describes expected behavior of employees and affiliates and serves as a backstop for situations not specifically addressed in policy.
  70. C. Requests for an exception to a security policy would not normally include a proposed revision to the policy. Exceptions are documented variances from the policy because of specific technical and/or business requirements. They do not alter the original policy, which remains in force for systems not covered by the exception.
  71. D. Although all the COBIT components are useful to an organization seeking to implement the COBIT framework, only the maturity models offer an assessment tool that helps the organization assess its progress.
  72. D. Account management policies describe the account lifecycle from provisioning through active use and decommissioning, including removing access upon termination. Data ownership policies clearly state the ownership of information created or used by the organization. Data classification policies describe the classification structure used by the organization and the process used to properly assign classifications to data. Data retention policies outline what information the organization will maintain and the length of time different categories of information will be retained prior to destruction.
  73. A. The Health Insurance Portability and Accountability Act (HIPAA) covers the handling of protected health information (PHI) by healthcare providers, insurers, and health information clearinghouses. The Gramm–Leach–Bliley Act (GLBA) includes regulations covering the cybersecurity programs at financial institutions, including banks. The Family Educational Rights and Privacy Act (FERPA) applies to educational institutions. The Sarbanes–Oxley Act (SOX) applies to publicly traded companies.
  74. B. Separation of duties is a principle that prevents individuals from having two different privileges that, when combined, could be misused. Separating the ability to create vendors and authorize payments is an example of two-person control.
  75. D. Two-person control is a principle that requires the concurrence of two different employees to perform a single sensitive action. Requiring two signatures on a check is an example of a two-person control.
  76. B. Mandatory vacations and job rotation plans are able to detect malfeasance by requiring an employee's absence from his or her normal duties and exposing them to other employees. Privilege use reviews have a manager review the actions of an employee with privileged system access and would detect misuse of those privileges. Background investigations uncover past acts and would not be helpful in detecting active fraud. They are also typically performed only for new hires.
  77. A. All of the mechanisms listed here may be used to protect private information. However, acceptable use policies, privacy policies, and data ownership policies are internal policies that would not be binding on former employees. To manage this risk, Chris's organization should have all employees sign nondisclosure agreements (NDAs) that remain binding after the end of the employment relationship.
  78. A. The role of the white team is to control the exercise, serving as a neutral party to facilitate events and moderate disputes. The red team is responsible for offensive operations, whereas the blue team is responsible for defensive operations. The term “Swiss team” is not used in security exercises.
  79. C. The Gramm–Leach–Bliley Act (GLBA) regulates the handling of sensitive customer information by financial institutions in the United States. The Payment Card Industry Data Security Standard (PCI DSS) regulates credit card information and may apply to Dan's bank, but it is a contractual obligation and not a law. The Health Insurance Portability and Accountability Act (HIPAA) governs protected health information. The Sarbanes–Oxley (SOX) Act governs the financial reporting of publicly traded companies.
  80. A. This is an example of dual control (or two-person control) where performing a sensitive action (logging onto the payment system) requires the cooperation of two individuals. Separation of duties is related but would involve not allowing the same person to perform two actions that, when combined, could be harmful.
  81. C. The rules of engagement (RoE) for a penetration test outline the permissible and impermissible activities for testers. If there are any systems, techniques, or information that is off-limits, this should be clearly stated in the RoE.
  82. C. It is normal to find statements in an information security policy that declare the importance of cybersecurity to the organization, designate a specific individual as responsible for the cybersecurity function, and grant that individual authority over cybersecurity. Specific requirements, such as requiring multifactor authentication for financial systems would be more appropriately placed in a standard than a policy.
  83. B. In a risk-informed external participation effort, the organization understands its role in the larger ecosystem with respect to either its own dependencies or dependents, but not both. That describes the situation in Ben's scenario.
  84. B. Guidelines are optional advice, by definition. Policies and standards are always mandatory. Procedures may be mandatory or optional, depending on the organizational context.
  85. B. The white team is responsible for interpreting rules and arbitrating disputes during a security exercise. The white team leader would be the most appropriate person from this list to answer Kaitlyn's question.
  86. A. Documents that are not intended for public release, but would not cause significant damage if accidentally or intentionally released, should be classified as internal documents.
  87. B. The annualized rate of occurrence (ARO) is calculated as the number of times an attack should be expected in a given year. This may be expressed as a decimal or percentage. The scenario tells us that there is a 10% chance of an attack in a given year. This could be described as an ARO of 10%, or 0.1.
  88. D. The single loss expectancy (SLE) is the amount of damage expected to occur as the result of a single successful attack. In this case, the scenario provides this information as $75,000.
  89. C. The annualized loss expectancy (ALE) is the amount of damage expected in any given year. It is calculated by multiplying the SLE ($75,000) by the ARO (10%) to get the ALE ($7,500).
  90. C. Determining the single best category for a control is always tricky, as many controls can cross categories in terms of their purpose. In this case, we are told that the control exists to reduce the likelihood of an attack, making it a preventive control.
  91. D. A DDoS mitigation service takes action to reduce the load on the network by blocking unwanted traffic. This is a technical intervention and is best described as a technical control.
  92. A. PCI DSS includes many explicit requirements that apply regardless of the operating environment and is, therefore, best described as a prescriptive control.
  93. C. PCI DSS allows organizations that cannot meet a specific PCI DSS requirement to implement a compensating control that mitigates the risk. This is the process Piper is following in this scenario.
  94. D. The purpose of this control is to reduce the probability of an attack. Implementing controls designed to reduce the probability or magnitude of a risk is a risk mitigation activity.
  95. D. The proper ordering of the NIST Cybersecurity Framework tiers (from least mature to most mature) is: Partial; Risk Informed; Repeatable; Adaptive.
  96. D. Sharing data outside the organization normally requires the consent of the data owner. Ruth should consult the data ownership policy for assistance in determining the identities of the appropriate data owner(s) that she should consult.
  97. A. This activity is almost certainly a violation of the organization's acceptable use policy (AUP), which should contain provisions describing appropriate use of networks and computing resources belonging to the organization.
  98. B. Standards describe specific security controls that must be in place for an organization. Ryan would not include a list of algorithms in a high-level policy document, and this information is too general to be useful as a procedure. Guidelines are not mandatory, so they would not be applicable in this scenario.
  99. D. Framework Profiles describe how a specific organization might approach the security functions covered by the Framework Core. The Framework Core is a set of five security functions that apply across all industries and sectors: identify, protect, detect, respond, and recover. The Framework Implementation Tiers assess how an organization is positioned to meet cybersecurity objectives.
  100. D. ISO 27001 is a voluntary standard, and there is no law or regulation requiring that healthcare organizations, financial services firms, or educational institutions adopt it.
  101. B. It is sometimes difficult to distinguish between cases of least privilege, separation of duties, and dual control. Least privilege means that an employee should only have the access rights necessary to perform their job. While this may be true in this scenario, you do not have enough information to make that determination because you do not know whether access to the database would help the security team perform their duties. Separation of duties occurs when the same employee does not have permission to perform two different actions that, when combined, could undermine security. That is the case here because a team member who had the ability to both approve access and access the database may be able to grant themselves access to the database. Dual control occurs when two employees must jointly authorize the same action. Security through obscurity occurs when the security of a control depends on the secrecy of its mechanism.
  102. C. Succession planning and cross-training both serve to facilitate continuity of operations by creating a pool of candidates for job vacancies. Of these, only cross-training encompasses actively involving other people in operational processes, which may also help detect fraud. Dual control and separation of duties are both controls that deter fraud, but they do not facilitate the continuity of operations.
  103. C. Organizations may require all of these items as part of an approved exception request. However, the documentation of scope, duration of the exception, and business justification are designed to clearly describe and substantiate the exception request. The compensating control, on the other hand, is designed to ensure that the organization meets the intent and rigor of the original requirement.
  104. A. The continual service improvement (CSI) activity in ITIL is designed to increase the quality and effectiveness of IT services. It is the umbrella activity that surrounds all other ITIL activities.
  105. C. This is an example of separation of duties. Someone who has the ability to transfer funds into the account and issue payments could initiate a very large fund transfer, so Berta has separated these responsibilities into different roles. Separation of duties goes beyond least privilege by intentionally changing jobs to minimize the access that an individual has, rather than granting them the full permissions necessary to perform their job. This is not an example of dual control because a single individual can still perform each action.
  106. A. Data ownership policies clearly state the ownership of information created or used by the organization. Data classification policies describe the classification structure used by the organization and the process used to properly assign classifications to data. Data retention policies outline what information the organization will maintain and the length of time different categories of information will be retained prior to destruction. Account management policies describe the account life cycle from provisioning through active use and decommissioning.
  107. D. The automatic blocking of logins is a technical activity and this is, therefore, a technical control. Physical controls are security controls that impact the physical world. Operational controls include the processes that we put in place to manage technology in a secure manner. Managerial controls are procedural mechanisms that an organization follows to implement sound security management practices.
  108. D. Data retention policies describe what information the organization will maintain and the length of time different categories of information will be retained prior to destruction, including both minimum and maximum retention periods. Data classification would be covered by the data classification policy.
  109. A. Using information for a purpose other than the one that was disclosed to subjects violates the purpose limitation principle of privacy. The other issues in this scenario all represent violations of security but are not necessarily privacy issues.

Answers to Chapter 6: Practice Exam 1

  1. B. The sudden drop to zero is most likely to be an example of link failure. A denial-of-service attack could result in this type of drop but is less likely for most organizations. High bandwidth consumption and beaconing both show different traffic patterns than shown in this example.
  2. C. This is fundamentally a dispute about data ownership. Charlotte's coworker is asserting that her department owns the data in question, and Charlotte disagrees. Although the other policies mentioned may have some relevant information, Charlotte should first turn to the data ownership policy to see whether it reinforces or undermines her coworker's data ownership claim.
  3. B. During an incident recovery effort, patching priority should be placed on systems that were directly involved in the incident. This is one component of remediating known issues that were actively exploited.
  4. B. Signature-based attack detection methods rely on knowing what an attack or malware looks like. Zero-day attacks are unlikely to have an existing signature, making signature-based detection a poor choice for preventing them. Heuristic (behavior) detection methods can indicate compromises despite the lack of signatures for the specific exploit. Leveraging threat intelligence to understand new attacks and countermeasures is an important part of defense against zero-day attacks. Building a well-designed and segmented network can limit the impact of compromises or even prevent them.
  5. D. The Windows registry, Master File Tables, and INDX files all contain information about files, often including removed or deleted files. Event logs are far less likely to contain information about a specific file location.
  6. C. Since Emily's organization uses WPA2 Enterprise, users must authenticate to use the wireless network. Associating the scan with an authenticated user will help incident responders identify the device that conducted the scan.
  7. A. Normally, forensic images are collected from systems that are offline to ensure that a complete copy is made. In cases like this where keeping the system online is more important than the completeness of the forensic image, a live image to an external drive using a portable forensic tool such as FTK Imager Lite, dd, or similar is the correct choice.
  8. B. Accidental threats occur when individuals doing their routine work mistakenly perform an action that undermines security. In this case, Maria's actions were an example of an accident that caused an availability issue.
  9. A. When nmap returns a response of “filtered,” it indicates that nmap cannot tell whether the port is open or closed. Filtered results are often the result of a firewall or other network device, but a response of filtered does not indicate that a firewall or IPS was detected. When nmap returns a “closed” result, it means that there is no application listening at that moment.
  10. D. Although vulnerability scanning is an important security control, HIPAA does not offer specific requirements for scanning frequency. However, Darcy would be well advised to implement vulnerability scanning as a best practice, and daily or weekly scans are advisable.
  11. C. The likeliest issue is a problem with the NTP synchronization for both of the hosts, because of an improperly set time zone or another time issue. The ruleset only allows traffic initiated by host A, making it impossible for host B to be the source of a compromise of A. The other options are possible, but the most likely issue is an NTP problem.
  12. D. The most serious vulnerabilities shown in this report are medium-severity vulnerabilities. Server D has the highest number (8) of vulnerabilities at that severity level.
  13. C. When an event of the type that is being analyzed has occurred within the recent past (often defined as a year), assessments that review that event will normally classify the likelihood of occurrence as high since it has already occurred.
  14. C. The CEO's suggestion is a reasonable approach to vulnerability scanning that is used in some organizations, often under the term continuous scanning. He should consider the request and the impact on systems and networks to determine a reasonable course of action.
  15. B. This is an example of an availability issue. If data had been modified, it would have been an integrity issue, while exposure of data would have been a confidentiality issue. Accountability from the outsourced vendor isn't discussed in the question.
  16. D. The Technical Report will contain detailed information on a specific host and is designed for an engineer seeking to remediate the system. The PCI Technical Report would focus on credit card compliance issues, and there is no indication that this server is used for credit card processing. The Qualys Top 20 Report and Executive Report would contain summary information more appropriate for a management audience and would cover an entire network, rather than providing detailed information on a single system.
  17. D. Jiang needs to perform additional diagnostics to determine the cause of the latency. Unfortunately for Jiang, this chart does not provide enough information to determine why the maximum response time rises to high levels on a periodic basis. Since the events are not regularly timed, it is relatively unlikely that a scheduled task is causing the issue. Network cards do not have latency settings; latency is caused by network traffic, system response times, and similar factors. Increasing the speed of a network link may help with latency, but you do not have enough information to make that determination.
  18. C. This image shows a SYN-based port scan. The traffic is primarily made up of TCP SYN packets to a variety of common ports, which is typical of a SYN-based port scan.
  19. A. RADIUS sends passwords that are obfuscated by a shared secret and MD5 hash, meaning that its password security is not very strong. RADIUS traffic between the RADIUS network access server and the RADIUS server is typically encrypted using IPsec tunnels or other protections to protect the traffic. Kerberos and TACACS+ are alternative authentication protocols and are not required in addition to RADIUS. SSL is no longer considered secure and should not be used to secure the RADIUS tunnel.
  20. B. The most likely cause of this slowness is an incorrect block size. Block size is set using the bs flag and is defined in bytes. By default, dd uses a 512-byte block size, but this is far smaller than the block size of most modern disks. Using a larger block size will typically be much faster, and if you know the block size for the device you are copying, using its native block size can provide huge speed increases. This is set using a flag like bs=64k. The if and of flags adjust the input and output files, respectively, but there is no indication that these are erroneous. The count flag adjusts the number of blocks to copy and should not be changed if Jake wants to image the entire disk.
  21. B. A honeypot is used by security researchers and practitioners to gather information about techniques and tools used by attackers. A honeypot will not prevent attackers from targeting other systems, and unlike a tarpit, it is not designed to slow down attackers. Typically, honeypot data must be analyzed to provide useful information that can be used to build IDS and IPS rules.
  22. B. Advanced persistent threats (APTs) are highly skilled attackers with advanced capabilities who are typically focused on specific objectives. To accomplish those objectives, they often obtain and maintain long-term access to systems and networks using powerful tools that allow them to avoid detection and to stay ahead of responders who attempt to remove them.
  23. B. Of these choices, the most useful metric would be the time required to resolve critical vulnerabilities. This is a metric that is entirely within the control of the vulnerability remediation program and demonstrates the responsiveness of remediation efforts and the time that a vulnerability was present. The number of vulnerabilities resolved and the number of new vulnerabilities each month are not good measures of the program's effectiveness because they depend on the number of systems and services covered by the scan and the nature of those services.
  24. C. By default, nmap scans 1,000 of the most common TCP ports. Mike only knows that the system he scanned had no reachable (open, filtered, or closed) TCP ports in that list.
  25. D. Once they are connected via a write blocker, a checksum is created (often using MD5 or SHA1). If this hash matches the hash of forensic images, they exactly match, meaning that the drive's contents were not altered and that no files were added to or deleted from the drive.
  26. C. Although BIOS infections are relatively rare, some malware does become resident in the system's firmware or BIOS. Once there, analysis of the hard drive will not show the infection. If the desktop support team at Ben's company has fully patched the system and no other systems are similarly infected, Ben's next step should be to validate that elements of the system he did not check before, such as the BIOS, are intact.
  27. C. Wireshark includes the ability to export packets. In this case, Susan can select the GIF89a detail by clicking that packet and then export the actual image to a file that she can view.
  28. C. The Lockheed Martin Cyber Kill Chain traces the steps used to conduct an attack. The Diamond Model and the MITRE ATT&CK model are used to classify attacks. STIX is a standard format for describing threats.
  29. B. The Modbus protocol is used to interconnect SCADA systems. The CAN Bus standard is used in vehicle systems. RTOS is an acronym for real-time operating system and SoC is an acronym for System on a Chip. Neither RTOS nor SoC is a networking protocol.
  30. C. Scanning the full range of TCP ports can be done using a SYN scan (-sS) and declaring the full range of possible ports (1-65535). Service version identification is enabled with the -sV flag.
  31. A. The software-as-a-service (SaaS) model requires the cloud service provider to secure the entire service stack. Other models provide customers with greater degrees of control and responsibility over security.
  32. D. Dan does not need to take any action. This is a very low criticality vulnerability (1/5), and it is likely not exploitable from outside the datacenter. It is not necessary to remediate this vulnerability, and there is no indication that it is a false positive report. Overall, this is a very clean scan result for a VPN server.
  33. C. This rule base contains a shadowed rule. The rule designed to deny requests to access blocked sites will never trigger because it is positioned below the rule that allows access to all sites. Reversing the order of the first two rules would correct this error. There are no orphaned rules because every rule in the rule base is designed to meet a security requirement. There are no promiscuous rules because the rules do not allow greater access than intended, they are simply in the wrong order.
  34. C. All of the data sources listed in this question may provide Kwame with further information about the attack. However, firewall logs would be best positioned to answer his specific question about the source of the attack. Since the firewall is performing network address translation (NAT), it would likely have a log entry of the original (pre-NAT) source IP address of the traffic.
  35. D. These results show the network path between Jim's system and the CompTIA web server. It is not unusual to see unknown devices in the path, represented by * * * because those devices may be configured to ignore traceroute requests. These query results do indicate that the network path passes through Chicago, but this does not mean that the final destination is in Chicago. There is no indication that the website is down. 216.182.225.74 is the system closest to Jim in this result, whereas 216.55.11.62 is the closest system to the remote server.
  36. D. An uncredentialed scan provides far less information than a credentialed scan or an agent-based scan because both credentialed and agent-based scans are able to gather configuration information from the target systems. External scans also provide less information than internal scans because they are filtered by border firewalls and other security devices. Therefore, an uncredentialed external scan would provide the least information.
  37. B. NIST SP 800-88, along with many forensic manuals, requires a complete zero wipe of the drive but does not require multiple rounds of wiping. Degaussing is primarily used for magnetic media like tapes and may not completely wipe a hard drive (and may, in fact, damage it). The ATA Secure Erase command is commonly used for SSDs.
  38. B. NIST recommends that clock synchronization is performed for all devices to improve the ability of responders to conduct analysis, part of the detection and analysis phase of the NIST incident response process. Although this might occur in the preparation phase, it is intended to improve the analysis process.
  39. A. Latisha knows that Windows domain services can be blocked using a network firewall. As long as she builds the correct ruleset, she can prevent external systems from sending this type of traffic to her Windows workstations. She may still want to segment her network to protect the most important workstations, but her first move should be to use her firewalls to prevent the traffic from reaching the workstations.
  40. C. Luis's SNMP command requested the route table from the system called device1. This can be replicated on the local system using netstat -nr. The traceroute command provides information about the path between two systems. The route command could be used to get this information, but the command listed here adds a default gateway rather than querying current information. ping -r records the route taken to a site for a given number of tries (between 1 and 9).
  41. D. When the Internet Engineering Task Force (IETF) endorsed SNMP v3.0 as a standard, it designated all earlier versions of SNMP as obsolete. Shannon should upgrade this device to SNMP v3.0.
  42. B. The systems in the containment network are fully isolated from the rest of the network using logical controls that prevent any access. To work with the systems that he needs to access, Saanvi will need to either have firewall rules added to allow him remote access to the systems or physically work with them.
  43. B. On Linux systems that use the Bash shell, $home/.bash_history will contain a log of recently performed actions. Each of the others was made up for this question.
  44. D. Implementing firewall rules is an attempt to reduce the likelihood of a risk occurring. This is, therefore, an example of a risk mitigation strategy.
  45. C. Task 3 strikes the best balance between criticality and difficulty. It allows Crystal to remediate a medium criticality issue with an investment of only 6 hours of time. Task 2 is higher criticality but would take 12 weeks to resolve. Task 1 is the same criticality but would require a full day to fix. Task 4 is lower criticality but would require the same amount of time to resolve as Task 1.
  46. D. The use of a stolen cookie is the hallmark of a session hijacking attack. These attacks focus on taking over an already existing session, either by acquiring the session key or cookies used by the remote server to validate the session or by causing the session to pass through a system the attacker controls, allowing them to participate in the session.
  47. C. Pete's organization is using an agent-based, out-of-band NAC solution that relies on a locally installed agent to communicate to existing network infrastructure devices about the security state of his system. If Pete's organization used dedicated appliances, it would be an in-band solution, and of course not having an agent installed would make it agentless.
  48. B. The registry contains autorun keys that are used to make programs run at startup. In addition, scheduled tasks, individual user startup folders, and DLLs placed in locations that will be run by programs (typically malicious DLLs) are all locations where files will automatically run at startup or user login.
  49. B. The biggest issue in this scenario is that both factors are knowledge-based factors. A true multifactor system relies on more than one type of distinct factor including something you know, something you have, or something you are (and sometimes where you are). This system relies on two things you know, and attackers are likely to acquire both from the same location in a successful attack.
  50. A. The order of volatility of data measures how easy the data is to lose. The Volatility Framework is a forensic tool aimed at memory forensics, while data transience and data loss prediction are not common terms.
  51. C. Mika is using netcat to grab the default HTTP response from a remote server. Using netcat like this allows penetration testers to gather information quickly using scripts or manually when interaction may be required or tools are limited.
  52. B. Playbooks contain specific procedures used during a particular type of cybersecurity incident. In this case, the playbook entry addresses malware command and control traffic validation. Creating a CSIRT or IR plan occurs at a higher level, and IR-FAQs is not a common industry term.
  53. D. Kristen should upgrade the web server to the most current secure version of TLS: TLS 1.2. SSL 3.0 has vulnerabilities similar to those in TLS 1.0 and is not a suitable alternative. IPsec is not effective for web communications. Disabling the use of TLS would jeopardize the security of information sent to and from the server and would create additional risk, rather than remedying the situation.
  54. C. Relatively few organizations run honeypots because of the effort required to maintain and analyze the data they generate. DNS queries and other traffic logs, threat intelligence feeds, and notifications from staff are all common information sources for a variety of types of incident detection.
  55. D. Context-based authentication may leverage a wide variety of information. Potential attributes include time of day, location, device fingerprint, frequency of access, user roles, user group memberships, and IP address/reputation.
  56. B. Application or token-based multifactor authentication ensures that the exposure of a password because of a successful phishing email does not result in the compromise of the credential. Password complexity increases fail to add security since complex passwords can still be compromised by phishing attacks, biometric multifactor authentication is typically expensive to implement and requires enrollment, and OAuth-based single sign-on will not prevent phishing attacks; instead, it can make it easier for attackers to move between multiple services.
  57. D. In an open redirect attack, users may be sent to a genuine authentication server and then redirected to an untrusted server through the OAuth flow. This occurs when the authentication server does not validate OAuth server requests prior to redirection.
  58. B. Although packet capture can help Max document his penetration test and gather additional information about remote systems through packet analysis, as well as help troubleshoot connection and other network issues, sniffers aren't useful for scanning for vulnerabilities on their own.
  59. D. Rich should not attempt to solve this problem on his own or dictate a specific solution. Instead, he should work with the business intelligence team to find a way to both meet their business requirements and accomplish the security goals achieved by scanning.
  60. D. The Gramm–Leach–Bliley Act (GLBA) applies specifically to the security and privacy of information held by financial institutions. HIPAA applies to healthcare providers. PCI DSS applies to anyone involved in the processing of credit card transactions. This does include financial institutions but is not limited to those institutions as it also applies to merchants and service providers. Sarbanes–Oxley applies to all publicly traded corporations, which includes, but is not limited to, some financial institutions.
  61. C. Policies that allow employees to bring personally owned devices onto corporate networks are known as Bring Your Own Device (BYOD) policies. Corporate-owned personally enabled (COPE) strategies allow employees to use corporate devices for personal use. SAFE is not a mobile device strategy.
  62. B. Jamal knows that mounting forensic images in read-only mode is important. To prevent any issues with executable files, he has also set the mounted image to noexec. He has also taken advantage of the automatic filesystem type recognition built into the mount command and has set the device to be a loop device, allowing the files to be directly interacted with after mounting.
  63. D. Blind SQL injection vulnerabilities are difficult to detect and are a notorious source of false positive reports. Javier should verify the results of the tests performed by the developers but should be open to the possibility that this is a false positive report, as that is the most likely scenario.
  64. B. netcat is often used as a port scanner when a better port scanning tool is not available. The -z flag is the zero I/O mode and is used for scanning. Although -v is useful, it isn't required for scanning and won't provide a scan by itself. The -sS flag is used by nmap and not by netcat.
  65. C. eFuse technology from IBM allows developers to send commands to computer chips that allow them to be permanently reprogrammed by “blowing” an eFuse.
  66. A. During penetration tests, the red team members are the attackers, the blue team members are the defenders, and the white team establishes the rules of engagement and performance metrics for the test.
  67. C. Lauren knows that the file she downloaded and computed a checksum for does not match the MD5 checksum that was calculated by the providers of the software. She does not know whether the file is corrupted or whether attackers have modified the file, but she may want to contact the providers of the software to let them know about the issue, and she definitely shouldn't execute or trust the file!
  68. C. Microsoft announced the end of life for Internet Explorer and will no longer support it in the future. However, they still provide support for Internet Explorer 11, which is widely used. This is the only version of Internet Explorer currently considered secure.
  69. D. Although it may be tempting to assign blame based on an IP address, attackers frequently use compromised systems for attacks. Some may also use cloud services and hosting companies where they can purchase virtual machines or other resources using stolen credit cards. Thus, knowing the IP address from which an attack originated will typically not provide information about an attacker. In some cases, deeper research can identify where an attack originated, but even then knowing the identity of an attacker is rarely certain.
  70. B. auth.log will contain new user creations and group additions as well as other useful information with timestamps included. /etc/passwd does not include user creation dates or times. Checking file creation and modification times for user home directories and Bash sessions may be useful if the user has a home directory and auth.log has been wiped or is unavailable for some reason.
  71. B. Completely removing the systems involved in the compromise will ensure that they cannot impact the organization's other production systems. Although attackers may be able to detect this change, it provides the best protection possible for the organization's systems.
  72. C. Piper should deploy the patch in a sandbox environment and then thoroughly test it prior to releasing it in production. This reduces the risk that the patch will not work well in her environment. Simply asking the vendor or waiting 60 days may identify some issues, but it does not sufficiently reduce the risk because the patch will not have been tested in her company's environment.
  73. C. The most likely scenario is that Kent ran the scan from a network that does not have access to the CRM server. Even if the server requires strong authentication and/or encryption, this would not prevent ports from appearing as open on the vulnerability scan. The CRM server runs over the web, as indicated in the scenario. Therefore, it is most likely using ports 80 and/or 443, which are part of the default settings of any vulnerability scanner.
  74. D. nmap provides multiple scan modes, including a TCP SYN scan, denoted by the -sS flag. This is far stealthier than the full TCP connect scan, which uses the -sT flag. Turning off pings with the -P0 flag helps with stealth, and setting the scan speed using the -T flag to either a 0 for paranoid or a 1 for sneaky will help bypass many IDSs by falling below their detection threshold.
  75. C. Disabling unnecessary services reduces the attack surface by decreasing the number of possible attack vectors for gaining access to a server.
  76. C. Of the criteria listed, the operating system installed on the systems is the least likely to have a significant impact on the likelihood and criticality of discovered vulnerabilities. All operating systems are susceptible to security issues.
  77. A. In this case, the identity or network location of the server is not relevant. Donna is simply interested in the most critical vulnerability, so she should select the one with the highest severity. In vulnerability severity rating systems, severity 5 vulnerabilities are the most critical, and severity 1 are the least critical. Therefore, Donna should remediate the severity 5 vulnerability in the file server.
  78. A. Policies are the highest-level component of an organization's governance documentation. They are set at the executive level and provide strategy and direction for the cybersecurity program. Standards and procedures derive their authority from policies. Frameworks are not governance documents but rather provide a conceptual structure for organizing a program. Frameworks are usually developed by third-party organizations, such as ISACA or ITIL.
  79. A. Vulnerability scanning information is most effective in the hands of individuals who can correct the issues. The point of scans is not to “catch” people who made mistakes. Mateo should provide the administrators with access. The security team may always monitor the system for unremediated vulnerabilities, but they should not act as a gatekeeper to critical information.
  80. C. SNMP v3 is the current version of SNMP and provides message integrity, authentication, and encryption capabilities. Mateo may still need to address how his organization configures SNMP, including what community strings they use. SNMP versions 1 and 2 do not include this capability, and version 4 doesn't exist.
  81. A. All of these technologies promise to bring the benefits of automation to security work. However, only machine learning is capable of providing automated insight.
  82. B. This vulnerability results in an information disclosure issue. Paul can easily correct it by disabling the directory listing permission on the cgi-bin directory. This is unlikely to affect any other use of the server because he is not altering permissions on the CGI scripts themselves. Blocking access to the web server and removing CGI from the server would also resolve the vulnerability but would likely have an undesirable business impact.
  83. C. Observable occurrences are classified as events in NIST's scheme. Events with negative consequences are considered adverse events, while violations (or imminent threats of violations) are classified as security incidents.
  84. A. This is a valid DNS search result from dig. In this dig request, the DNS server located at 172.30.0.2 answered Mei's request and responded that the comptia.org server is located at 198.134.5.6.
  85. C. The most likely issue is that an intrusion prevention system is detecting the scan as an attack and blocking the scanner. If this were a host or network firewall issue, Fran would most likely not be able to access the server using a web browser. It is less likely that the scan is misconfigured given that Fran double-checked the configuration.

Answers to Chapter 7: Practice Exam 2

  1. C. The presence of this vulnerability does indicate a misconfiguration on the targeted server, but that is not the most significant concern that Ty should have. Rather, he should be alarmed that the domain security policy does not prevent this configuration and should know that many other systems on the network may be affected. This vulnerability is not an indicator of an active compromise and does not rise to the level of a critical flaw.
  2. B. SNMP v1 through v2c all transmit data in the clear. Instead, Chris should move his SNMP monitoring infrastructure to use SNMP v3. Adding complexity requirements helps to prevent brute-force attacks against community strings, whereas TLS protects against data capture. Using different community strings based on security levels helps to ensure that a single compromised string can't impact all of the devices on a network.
  3. C. This vulnerability has a low severity, but that could be dramatically increased if the management interface is exposed to external networks. If that were the case, it is possible that an attacker on a remote network would be able to eavesdrop on administrative connections and steal user credentials. Out-of-date antivirus definitions and missing security patches may also be severe vulnerabilities, but they do not increase the severity of this specific vulnerability. The lack of encryption is already known because of the nature of this vulnerability, so confirming that fact would not change the severity assessment.
  4. B. Both ports 22 and 23 should be of concern to Rowan because they indicate that the network switch is accepting administrative connections from a general-use network. Instead, the switch should only accept administrative connections from a network management VLAN. Of these two results, port 23 should be of the greatest concern because it indicates that the switch is allowing unencrypted telnet connections that may be subject to eavesdropping. The results from ports 80 and 8192 to 8194 are of lesser concern because they are being filtered by a firewall.
  5. B. All of the scenarios described here could result in failed vulnerability scans and are plausible on this network. However, the fact that the Apache logs do not show any denied requests indicates that the issue is not with an .htaccess file on the server. If this were the case, Evan would see evidence of it in the Apache logs.
  6. C. The shim cache is used by Windows to track scripts and programs that need specialized compatibility settings. It is stored in the registry at shutdown, which means that a thorough registry cleanup will remove program references from it. The master file table (MFT), volume shadow copies, and prefetch files can all contain evidence of deleted applications.
  7. D. Fuzz testing involves sending invalid or random data to an application to test its ability to handle unexpected data. Fault injection directly inserts faults into error-handling paths, particularly error-handling mechanisms that are rarely used or might otherwise be missed during normal testing. Mutation testing is related to fuzzing and fault injection, but rather than changing the inputs to the program or introducing faults to it, mutation testing makes small modifications to the program itself. Stress testing is a performance test that ensures applications and the systems that support them can stand up to the full production load.
  8. C. Although TCP ports 21, 23, 80, and 443 are all common ports, 515 and 9100 are commonly associated with printers.
  9. B. The netstat command is used to generate a list of open network connections on a system, such as the one shown here. traceroute is used to trace the network path between two hosts. ifconfig is used to display network configuration information on Linux and Mac systems. The sockets command does not exist.
  10. C. NIST identifies four major categories of security event indicators: alerts, logs, publicly available information, and people both inside and outside the organization. Exploit developers may provide some information but are not a primary source of security event information.
  11. D. A host that is not running any services or that has a firewall enabled that prevents responses can be invisible to nmap. Charles cannot determine whether there are hosts on this network segment and may want to use other means such as ARP queries, DHCP logs, and other network layer checks to determine whether there are systems on the network.
  12. D. The business impact assessment (BIA) is an internal document used to identify and assess risks. It is unlikely to contain customer requirements. Service level agreements (SLAs), business partner agreements (BPAs), and memorandums of understanding (MOUs) are much more likely to contain this information.
  13. C. Web servers commonly run on ports 80 (for HTTP) and 443 (for HTTPS). Database servers commonly run on ports 1433 (for Microsoft SQL Server), 1521 (for Oracle), or 3306 (for MySQL). Remote Desktop Protocol services commonly run on port 3389. Simple Mail Transfer Protocol (SMTP) runs on port 25. There is no evidence that SSH, which uses port 22, is running on this server.
  14. C. You may not be familiar with Scalpel or other programs you encounter on the exam. In many cases, the problem itself will provide clues that can help you narrow down your answer. Here, pay close attention to the command-line flags, and note the -o flag, a common way to denote an output file. In practice, Scalpel automatically creates directories for each of the file types that it finds. Selah simply needs to visit those directories to review the files that she has recovered. She does not need to use another program. The filenames and directory structures may not be recoverable when carving files.
  15. C. Trusted foundries are part of the Department of Defense's (DoD) program that ensures that hardware components are trustworthy and have not been compromised by malicious actors. A Trusted Platform Module (TPM) is a hardware security module; OEMs are original equipment manufacturers and do not necessarily source their hardware from trusted suppliers; and gray-market providers sell hardware outside of their normal or contractually allowed areas.
  16. D. Resource exhaustion is a type of structural failure as defined by the NIST threat categories. It might be tempting to categorize this as accidental because Adam did not notice the alarms; however, accidental threats are specifically caused by individuals doing routine work who undermine security through their actions. In this case, the structural nature of the problem is the more important category.
  17. B. Although all of these policies may contain information about data security, Pranab is specifically interested in grouping information into categories of similar sensitivity. This is the process of data classification. A data retention policy would contain information on the data life cycle. An encryption policy would describe what data must be encrypted and appropriate encryption techniques. A data disposal policy would contain information on properly destroying data at the end of its lifecycle.
  18. A. The Windows equivalent to the Linux ifconfig command is ipconfig. netstat displays information about open network connections rather than network interface configuration. The ifconfig and netcfg commands do not exist on Windows.
  19. B. The PHP language is used for the development of dynamic web applications. The presence of PHP on this server indicates that it is a web server. It may also be running database, time, or network management services, but the scan results provide no evidence of this.
  20. C. The Common Vulnerability Scoring System (CVSS) provides a standardized method for rating the severity of security vulnerabilities.
  21. B. The defining characteristic of threat hunting is that you are searching out compromises that have already occurred. Therefore, you are looking for indicators of compromise. Vulnerabilities, unpatched systems, and misconfigurations are all things that vulnerability management activities, rather than threat hunting activities, would seek to identify.
  22. A. An internal network vulnerability scan will provide an insider's perspective on the server's vulnerabilities. It may provide useful information, but it will not meet Taylor's goal of determining what an external attacker would see.
  23. A. FTP sends the username in a separate packet. Chris can determine that this was an FTP connection, that the password was gnome123, and that the FTP server was 137.30.120.40.
  24. B. The spike shown just before July appears to be out of the norm for this network since it is almost four times higher than normal. Cynthia may want to check to see what occurred during that time frame to verify whether it was normal traffic for her organization.
  25. A. Evidence production procedures describe how the organization will respond to subpoenas, court orders, and other legitimate requests to produce digital evidence. Monitoring procedures describe how the organization will perform security monitoring activities, including the possible use of continuous monitoring technology. Data classification procedures describe the processes to follow when implementing the organization's data classification policy. Patching procedures describe the frequency and process of applying patches to applications and systems under the organization's care.
  26. D. This Windows system is likely running an unencrypted (plain-text) web server, as well as both the Microsoft RPC and Microsoft DS services on TCP 135 and 335, respectively. SSH would typically be associated with port 22, while email via SMTP is on TCP port 25.
  27. B. The IT Infrastructure Library (ITIL) provides guidance on best practices for implementing IT service management, including help desk support. ISO provides high-level standards for a wide variety of business and manufacturing processes. COBIT provides control objectives for IT governance. PCI DSS provides security standards for handling credit card information.
  28. D. Adding new signatures (prior to an incident) is part of the preparation phase because it prepares an organization to detect attacks.
  29. D. For best results, Gloria should combine both internal and external vulnerability scans because this server has both public and private IP addresses. The external scan provides an “attacker's eye view” of the web server, while the internal scan may uncover vulnerabilities that would be exploitable only by an insider or an attacker who has gained access to another system on the network.
  30. B. NIST SP 800-88 recommends clearing media and then validating and documenting that it was cleared. Clearing uses logical techniques to sanitize data in user-addressable storage locations and protects against noninvasive data recovery techniques. This level of security is appropriate to moderately sensitive data contained on media that will remain in an organization.
  31. C. NIST recommends the usage of NTP to synchronize clocks throughout organizational infrastructure, thus allowing logs, alerts, and other data to be analyzed more easily during incident response. Manually setting clocks results in time skew, incorrect clocks, and other time-related problems.
  32. A. TCP 135, 139, and 445 are all common Windows ports. The addition of 3389, the remote desktop port for Windows, makes it most likely that this is a Windows server.
  33. D. Adam's Snort rule is looking for a specific behavior, in this case, web traffic to example.com's download script. Rules looking for anomalies typically require an understanding of “normal,” whereas trend-based rules need to track actions over time, and availability-based analysis monitors uptime.
  34. C. Identity providers (IDPs) provide identities, make assertions about those identities to relying parties, and release information to relying parties about identity holders. Relying parties (RP), also known as service providers (SP), provide services to members of the federation and should handle the data from both users and identity providers securely. The consumer is the end user of the federated services.
  35. B. Although all the techniques listed may be used to engage in credential theft, phishing is, by far, the most common way that user accounts become compromised in most organizations.
  36. C. In most organizations, Emily's first action should be to verify that the system is not one that belongs to the organization by checking it against her organization's asset inventory. If the system is a compromised system on the wrong network, she or her team will need to address it. In most jurisdictions, there is no requirement to notify third parties or law enforcement of outbound scans, and since the guest wireless is specifically noted as being unauthenticated, there will not be authentication logs to check.
  37. D. The strings command prints strings of printable characters in a file and does not show Linux permission information. The contents of the sudoers file, the output of the groups command, and the stat command can all provide useful information about user or file permissions.
  38. C. The scenario describes a dual-control (or two-person control) arrangement, where two individuals must collaborate to perform an action. This is distinct from separation of duties, where access controls are configured to prevent a single individual from accomplishing two different actions that, when combined, represent a security issue. There is no indication that the company is performing privileged account monitoring or enforcing least privilege given in this scenario.
  39. A. The PCI DSS compensating control procedures do not require that compensating controls have a clearly defined audit mechanism, although this is good security practice. They do require that the control meet the intent and rigor of the original requirement, provide a similar level of defense as the original requirement, and be above and beyond other requirements.
  40. B. This error indicates that the digital certificate presented by the server is not valid. Lou should replace the certificate with a certificate from a trusted CA to correct the issue.
  41. D. Data retention policies specify the appropriate lifecycle for different types of information. In this example, a data retention policy would likely have instructed the organization to dispose of the unneeded records, limiting the number that were compromised. A data ownership policy describes who bears responsibility for data and is less likely to have a direct impact on this incident. An acceptable use policy could limit the misuse of data by insiders, but there is no indication that this was an insider attack. An account management policy may be useful in pruning unused accounts and managing privileges, but there is no indicator that these issues contributed to the impact of this incident.
  42. A. Incident data should be retained as necessary regardless of media life span. Retention is often driven by the likelihood of civil or criminal action, as well as by organizational standards.
  43. D. An outage is an availability issue, data exposures are confidentiality issues, and the integrity of the email was compromised when it was changed.
  44. B. The best way to resolve this issue would be to upgrade to OpenSSH 6.4, as stated in the solution section of the report. Disabling the use of AES-GCM is an acceptable workaround, but upgrading to a more current version of OpenSSH is likely to address additional security issues not described in this particular vulnerability report. There is no indication that an operating system upgrade would correct the problem. The vulnerability report states that there is no malware associated with this vulnerability, so antivirus signature updates would not correct it.
  45. A. The firewall rules continue to allow access to the compromised systems, while preventing them from attacking other systems. This is an example of segmentation. Segmentation via VLANs, firewall rules, or other logical methods can help to protect other systems, while allowing continued live analysis.
  46. C. Jennifer can use this information to help build her baseline for response times for the AWS server. A 200 ms response time for a remotely hosted server is well within a reasonable range. There is nothing in this chart that indicates an issue.
  47. A. Scalpel is a carving tool designed to identify files in a partition or volume that is missing its index or file allocation table. DBAN is a wiping tool, parted is a partition editor, and dd is used for disk duplication. You may encounter questions about programs you are unfamiliar with on the exam. Here, you can eliminate tools that you are familiar with like DBAN, parted, or dd and take a reasonable guess based on that knowledge.
  48. A. Pranab's best option is to look for a hibernation file or core dump that may contain evidence of the memory-resident malware. Once a system has been shut down, a memory-resident malware package will be gone until the system is re-infected, making reviews of the registry, INDX files, and volume shadow copies unlikely to be useful. Since the system was shut down, he won't get useful memory forensics from a tool like the Volatility Framework unless the machine is re-infected.
  49. A. The <SCRIPT> tag is used to mark the beginning of a code element, and its use is indicative of a cross-site scripting attack. <XSS> is not a valid HTML tag. The <B> (for bold text) and <EM> (for italics) tags are commonly found in normal HTML input.
  50. C. An intrusion prevention system (or other device or software with similar capabilities) to block port scans based on behavior is the most effective method listed. Not registering systems in DNS won't stop IP-based scans, and port scans will still succeed on the ports that firewalls allow through. Port security is a network switch–based technology designed to limit which systems can use a physical network port.
  51. B. NIST's functional impact categories range from none to high, but this event fits the description for a medium event; the organization has lost the ability to provide a critical service to a subset of system users. If the entire network had gone down, Pranab would have rated the event as a high-impact event, whereas if a single switch or the network had a slowdown, he would have categorized it as low.
  52. B. Operating system fingerprinting relies on the differences between how each operating system (and sometimes OS versions) handles and sets various TCP/IP fields, including initial packet size, initial TTL, window size, maximum segment size, and the don't fragment, sackOK, and nop flags.
  53. C. Although any of these tools may provide some security automation capability, the purpose of a security orchestration, automation, and response (SOAR) platform is to perform this type of automation across other solutions.
  54. D. The order of volatility of common storage locations is as follows:
    1. CPU cache, registers, running processes, and RAM
    2. Network traffic
    3. Disk drives (both spinning and magnetic)
    4. Backups, printouts, and optical media (including DVD-ROMs and CDs)

    Thus, the least volatile storage listed is the DVD-ROM.

  55. A. This vulnerability states that there is a missing patch to the Windows operating system. In a bare-metal hypervisor, the only place that Windows could be running is as a guest operating system. Therefore, this is the location where Henry must apply a patch. The results also show the use of unsupported guest operating systems, which is also a guest operating system issue.
  56. C. The hallmark of a Tier 3 risk management program is that there is an organization-wide approach to managing cybersecurity risk. In a Tier 4 program, there is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events.
  57. D. The repeated SYN packets are likely a SYN flood that attempts to use up resources on the target system. A failed three-way handshake might initially appear similar but will typically not show this volume of attempts. A link failure would not show traffic from a remote system, and a DDoS would involve more than one system sending traffic.
  58. D. Oracle databases default to TCP port 1521. Traffic from the “outside” system is being denied when it attempts to access an internal system via that port.
  59. D. The ATA Secure Erase command wipes all of an SSD, including host-protected area partitions and remapped spare blocks. Degaussing is used for magnetic media such as tapes and is not effective on SSDs, whereas zero writing or using a pseudorandom number generator to fill the drive will not overwrite data in the host-protected area or spare blocks, which are used to wear-level most SSDs.
  60. D. Data classification is a set of labels applied to information based upon their degree of sensitivity and/or criticality. It would be the most appropriate choice in this scenario. Data retention requirements dictate the length of time that an organization should maintain copies of records. Data remanence is an issue where information thought to be deleted may still exist on systems. Data privacy may contribute to data classification but does not encompass the entire field of data sensitivity and criticality in the same manner as data classification. For example, a system may process proprietary business information that would be very highly classified and require frequent vulnerability scanning. Unless that system also processed personally identifiable information, it would not trigger scans under a system based solely upon data privacy.
  61. D. The output that Bob sees is from a password-cracking tool. He can tell this by reading the header and realizing that the file contains unhashed passwords. Of the tools listed, only Cain & Abel and John the Ripper are password-cracking utilities. Metasploit is an exploitation framework, whereas FTK is a forensics toolkit. Cain & Abel is a Windows-based tool, and this appears to be command-line output. Therefore, the output is from John the Ripper, a command-line password-cracking utility available for all major platforms.
  62. B. During a security exercise, the red team is responsible for offensive operations, while the blue team handles defensive operations. The white team serves as the referees. There is no black team.
  63. B. PCI DSS only requires scanning on at least a quarterly basis and after any significant changes. Weekly scanning is a best practice but is not required by the standard. Peter must hire an approved scanning vendor to perform the required quarterly external scans but may conduct the internal scans himself. All systems in the cardholder data environment, including both the website and point-of-sale terminals, must be scanned.
  64. A. The vulnerability description mentions that this is a cross-site scripting (XSS) vulnerability. Normally, XSS vulnerabilities are resolved by performing proper input validation in the web application code. However, in this particular case, the XSS vulnerability exists within Microsoft IIS server itself and not in a web application. Therefore, it requires a patch from Microsoft to correct it.
  65. C. Fast-flux DNS networks use many IP addresses behind one (or a few) fully qualified domain names. Logging DNS server queries and reviewing them for hosts that look up the DNS entries associated with the command-and-control network can quickly identify compromised systems.

    Unfortunately, antivirus software is typically not updated quickly enough to immediately detect new malware. Since the fast-flux DNS command-and-control relies on frequent changes to the C&C hosts, IP addresses change quickly, making them an unreliable detection method. Finally, reviewing email to see who received the malware-laden message is useful but won't indicate whether the malware was successful in infecting a system without additional data.
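The DNS-log review this answer recommends, as an added example that is not from the book: it runs over constructed BIND-style query log lines to list internal hosts that looked up names under a watchlisted command-and-control zone, and it goes one step further than the answer by flagging names whose resolution history (constructed passive-DNS observations) shows the many-addresses, short-TTL pattern of fast-flux. The zone names, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed BIND-style query log lines (not real traffic). Domains use the reserved
# .test TLD; client addresses are RFC 1918 placeholders.
SAMPLE_QUERY_LOG = """\
17-Mar-2023 10:15:02.123 client 10.20.30.40#51234 (cdn.badflux.test): query: cdn.badflux.test IN A + (10.20.30.1)
17-Mar-2023 10:15:07.001 client 10.20.30.41#40011 (www.example.test): query: www.example.test IN A + (10.20.30.1)
17-Mar-2023 10:20:02.500 client 10.20.30.40#51240 (cdn.badflux.test): query: cdn.badflux.test IN A + (10.20.30.1)
17-Mar-2023 10:25:02.900 client 10.20.30.40#51250 (cdn.badflux.test): query: cdn.badflux.test IN A + (10.20.30.1)
17-Mar-2023 10:26:11.000 client 10.20.30.77#33333 (update.badflux.test): query: update.badflux.test IN A + (10.20.30.1)
17-Mar-2023 10:30:00.000 client 10.20.30.41#40020 (mail.example.test): query: mail.example.test IN MX + (10.20.30.1)
"""

# Watchlist of C&C zones as it would arrive from threat intelligence (constructed).
C2_ZONES = {"badflux.test"}

# Constructed passive-DNS style observations: (queried name, answer IP, TTL in seconds).
SAMPLE_ANSWERS = [
    ("cdn.badflux.test", "203.0.113.10", 300),
    ("cdn.badflux.test", "203.0.113.87", 300),
    ("cdn.badflux.test", "198.51.100.5", 180),
    ("cdn.badflux.test", "198.51.100.61", 300),
    ("cdn.badflux.test", "192.0.2.200", 240),
    ("www.example.test", "192.0.2.10", 86400),
    ("www.example.test", "192.0.2.11", 86400),
]

QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+ .*?query: (?P<name>\S+) IN (?P<type>\S+)"
)


def in_zone(name, zones):
    """True if name is a watchlisted zone or a subdomain of one (label-aligned match)."""
    n = name.rstrip(".").lower()
    return any(n == z or n.endswith("." + z) for z in zones)


def hosts_querying_c2(log_text, zones=C2_ZONES):
    """Map each client IP that queried a watchlisted zone to its count, names, first and last seen."""
    hits = {}
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m or not in_zone(m["name"], zones):
            continue
        rec = hits.setdefault(m["client"],
                              {"count": 0, "names": set(), "first": m["ts"], "last": m["ts"]})
        rec["count"] += 1
        rec["names"].add(m["name"].rstrip(".").lower())
        rec["last"] = m["ts"]
    return hits


def fast_flux_candidates(observations, min_ips=5, max_ttl=600):
    """Names that resolved to at least min_ips distinct addresses, all with TTL <= max_ttl.

    A legitimate CDN can also look like this, so treat the result as a lead for
    analyst review rather than a verdict. Thresholds are assumptions.
    """
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for name, ip, ttl in observations:
        ips[name].add(ip)
        ttls[name].append(ttl)
    return sorted(n for n in ips if len(ips[n]) >= min_ips and max(ttls[n]) <= max_ttl)


if __name__ == "__main__":
    for client, rec in hosts_querying_c2(SAMPLE_QUERY_LOG).items():
        print(client, rec["count"], sorted(rec["names"]), rec["first"], "->", rec["last"])
    print("fast-flux candidates:", fast_flux_candidates(SAMPLE_ANSWERS))
```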

  66. A. The -O flag enables operating system detection for nmap.
  67. A. Mika is using both a knowledge-based factor in the form of her password and something she has in the form of the token. Possession of the token is the “something she has.”
  68. B. The most appropriate step for Jose to take is to discuss his opinion with his manager and see whether the manager is willing to change the guidelines. As a security professional, it is Jose's ethical responsibility to share his opinion with his manager. It would not be appropriate for Jose to act against his manager's wishes. Jose should also not ask to speak with his manager's supervisor until he has had an opportunity to discuss the issue thoroughly with his manager.
  69. A. Susan's best option is to use an automated testing sandbox that analyzes the applications for malicious or questionable behavior. While this may not catch every instance of malicious software, the only other viable option is decompiling the applications and analyzing the code, which would be incredibly time-consuming. Since she doesn't have the source code, Fagan inspection won't work (and would take a long time too), and running a honeypot is used to understand hacker techniques, not to directly analyze application code.
  70. B. The single loss expectancy (SLE) is the amount of damage expected from a single occurrence of an incident. The annualized loss expectancy (ALE) is the amount of loss expected from a risk during a given year. The exposure factor (EF) is the percentage of an asset that is expected to be damaged during an incident, and the asset value (AV) is the total value of the asset in question.
  71. C. A data loss prevention (DLP) system may be able to intercept and block unencrypted sensitive information leaving the web server, but it does not apply cryptography to web communications. Transport Layer Security (TLS) is the most direct approach to meeting Chris' requirement, because it encrypts all communication to and from the web server. Virtual private networks (VPNs) may also be used to encrypt network traffic, adding a layer of security. Full-disk encryption (FDE) may also be used to protect information stored on the server in the event the disk is stolen.
  72. C. Network Access Control (NAC) can combine user or system authentication with client-based or clientless configuration and profiling capabilities to ensure that systems are properly patched and configured and are in a desired security state. Whitelisting is used to allow specific systems or applications to work, port security is a MAC address filtering capability, and EAP is an authentication protocol.
  73. D. The best option presented is for Chris to remove the drive and purge the data from it. Destroying the drive, unless specified as allowable in the lease, is likely to cause contractual issues. Reformatting a drive that contains highly sensitive data will not remove the data, so neither reformatting option is useful here. In a best-case scenario, Chris will work to ensure that future devices either have built-in encryption that allows an easy secure wipe mode or a dedicated secure wipe mode, or he will work to ensure that the next lease includes a drive destruction clause.
  74. A. The most reasonable response is for Rhonda to adjust the scanning parameters to avoid conflicts with peak business periods. She could ask for additional network bandwidth, but this is likely an unnecessary expense. Adjusting the business requirements is not a reasonable response, as security objectives should be designed to add security in a way that allows the business to operate efficiently, not the other way around. Ignoring the request would be very harmful to the business relationship.
  75. B. When restoring from a backup after a compromise, it is important to ensure that the flaw that allowed attackers in is patched or otherwise remediated. In many environments, backups can be restored to a protected location where they can be patched, validated, and tested before they are restored to service.
  76. D. Recurring beaconing behavior with a changing set of systems is a common characteristic of more advanced malware packages. It is most likely that this system was compromised with malware that deleted itself when its ability to check in with a command-and-control system was removed, thus preventing the malware from being captured and analyzed by incident responders.
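The recurring, low-jitter check-in pattern that answer 76 describes is something a responder can look for in outbound connection logs. The following is an added example, not part of the book's answer key: it parses a constructed log (timestamp, source, destination, port; the hosts and the 600-second period are invented for illustration) and flags a source as beaconing when its connections recur at a steady interval to a rotating set of destinations. The thresholds are assumptions to tune per environment.

```python
"""Flag hosts whose outbound connections recur at a steady interval to a
rotating set of destinations (added example; log lines are constructed)."""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log: "<ISO timestamp> <src> <dst> <dst_port>".
# 10.0.0.5 checks in every ~600 s to four rotating hosts; 10.0.0.9 is ordinary
# bursty browsing to a single host. Addresses are documentation ranges.
SAMPLE_LOG = """\
2023-03-01T08:00:00 10.0.0.5 203.0.113.10 443
2023-03-01T08:10:02 10.0.0.5 203.0.113.11 443
2023-03-01T08:19:58 10.0.0.5 198.51.100.7 443
2023-03-01T08:30:01 10.0.0.5 203.0.113.10 443
2023-03-01T08:39:59 10.0.0.5 198.51.100.8 443
2023-03-01T08:50:03 10.0.0.5 203.0.113.11 443
2023-03-01T08:59:57 10.0.0.5 198.51.100.7 443
2023-03-01T09:10:00 10.0.0.5 198.51.100.8 443
2023-03-01T08:00:00 10.0.0.9 198.51.100.20 443
2023-03-01T08:00:30 10.0.0.9 198.51.100.20 443
2023-03-01T08:00:45 10.0.0.9 198.51.100.20 443
2023-03-01T08:15:00 10.0.0.9 198.51.100.20 443
2023-03-01T08:15:20 10.0.0.9 198.51.100.20 443
2023-03-01T08:25:00 10.0.0.9 198.51.100.20 443
2023-03-01T09:23:20 10.0.0.9 198.51.100.20 443
"""


def parse_log(lines: List[str]) -> Dict[str, List[Tuple[datetime, str]]]:
    """Group (timestamp, destination) pairs by source host; skip malformed lines."""
    events: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        events[parts[1]].append((datetime.fromisoformat(parts[0]), parts[2]))
    return events


def detect_beacons(lines: List[str], min_events: int = 6,
                   max_jitter_ratio: float = 0.1,
                   min_distinct_dst: int = 3) -> Dict[str, dict]:
    """Per source: interval statistics and a beacon verdict.

    jitter_ratio is the population standard deviation of the gaps between
    consecutive connections divided by their mean (coefficient of variation);
    a small value means a near-constant period, which human traffic rarely has.
    """
    results: Dict[str, dict] = {}
    for src, evs in parse_log(lines).items():
        evs.sort()
        times = [ts for ts, _ in evs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        distinct = len({dst for _, dst in evs})
        if len(gaps) < 2:
            mean, jitter = 0.0, float("inf")
        else:
            mean = statistics.mean(gaps)
            jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        results[src] = {
            "events": len(evs),
            "distinct_destinations": distinct,
            "mean_interval_s": round(mean, 1),
            "jitter_ratio": round(jitter, 4),
            "beacon": (len(evs) >= min_events
                       and jitter <= max_jitter_ratio
                       and distinct >= min_distinct_dst),
        }
    return results


if __name__ == "__main__":
    for host, summary in detect_beacons(SAMPLE_LOG.splitlines()).items():
        print(host, summary)
```

Real implants usually add deliberate jitter, so in practice the `max_jitter_ratio` threshold is loosened and combined with other signals (destination reputation, byte counts, time-of-day); the point of the example is that regularity plus destination rotation is the signature to look for, and that the evidence lives in network logs even after the malware has removed itself from the host.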
  77. A. ISO 27001 provides guidance on information security management systems. ISO 9000 applies to quality management. ISO 11120 applies to gas cylinders. ISO 23270 applies to programming languages.
  78. B. /etc/shadow contains password hashes but does not provide information about privileges. Unlike /etc/passwd, it does not contain user ID or group ID information and instead contains only the username and hashed password.

    /etc/passwd, /etc/sudoers, and /etc/group may all contain evidence of the www user receiving additional privileges.
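To make the distinction in answer 78 concrete, here is an added example (not from the book) that parses constructed copies of the four files and reports, for one account, where evidence of extra privileges can appear. The `www` account, its entries and the hashes are invented; the privileged-group list is an assumption that would be adjusted for a given distribution.

```python
"""Which Unix account files carry evidence of elevated privileges?
Added example with constructed file contents (no real host data)."""
from typing import Dict, List, Set

# --- constructed sample files ---
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www:x:0:33:www-data:/var/www:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash1:19000:0:99999:7:::
www:$6$constructedsalt$constructedhash2:19000:0:99999:7:::
alice:$6$constructedsalt$constructedhash3:19000:0:99999:7:::
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,www
www-data:x:33:
"""
SAMPLE_SUDOERS = """\
# constructed sudoers file
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
www     ALL=(ALL) NOPASSWD: /bin/bash
"""

# Groups whose membership usually implies administrative rights (assumed list).
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "admin"}


def passwd_findings(text: str, user: str) -> List[str]:
    """/etc/passwd carries UID and primary GID; 0 in either means root rights."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or fields[0] != user:
            continue
        uid, gid = int(fields[2]), int(fields[3])
        if uid == 0:
            findings.append(f"/etc/passwd: {user} has UID 0 (root)")
        if gid == 0:
            findings.append(f"/etc/passwd: {user} has primary GID 0 (root group)")
    return findings


def shadow_record(text: str, user: str) -> Dict[str, str]:
    """/etc/shadow fields: hash and password-aging data only; no UID, GID or groups."""
    names = ["user", "hash", "last_change", "min_age", "max_age",
             "warn", "inactive", "expire", "reserved"]
    for line in text.splitlines():
        fields = line.split(":")
        if fields and fields[0] == user:
            return dict(zip(names, fields))
    return {}


def shadow_findings(text: str, user: str) -> List[str]:
    """Always empty: none of the shadow fields encodes privilege."""
    privilege_fields = {"uid", "gid", "groups"}
    return [f for f in shadow_record(text, user) if f in privilege_fields]


def user_groups(text: str, user: str) -> Set[str]:
    """Supplementary groups that list the user as a member in /etc/group."""
    groups = set()
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and user in [m for m in fields[3].split(",") if m]:
            groups.add(fields[0])
    return groups


def group_findings(text: str, user: str) -> List[str]:
    return [f"/etc/group: {user} is a member of privileged group {g}"
            for g in sorted(user_groups(text, user) & PRIVILEGED_GROUPS)]


def sudoers_findings(text: str, user: str, groups: Set[str]) -> List[str]:
    """Rules granting sudo to the user directly or through a %group alias."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        who = line.split()[0]
        if who == user or (who.startswith("%") and who[1:] in groups):
            findings.append(f"/etc/sudoers: {line}")
    return findings


def collect_evidence(user: str = "www") -> Dict[str, List[str]]:
    """Evidence of extra privileges for `user`, keyed by the file it came from."""
    groups = user_groups(SAMPLE_GROUP, user)
    return {
        "/etc/passwd": passwd_findings(SAMPLE_PASSWD, user),
        "/etc/shadow": shadow_findings(SAMPLE_SHADOW, user),
        "/etc/group": group_findings(SAMPLE_GROUP, user),
        "/etc/sudoers": sudoers_findings(SAMPLE_SUDOERS, user, groups),
    }


if __name__ == "__main__":
    for path, items in collect_evidence("www").items():
        print(path, items or "(no privilege information)")
```

Running it shows three files each contributing a finding for `www` (UID 0 in passwd, sudo group membership in group, and two matching sudoers rules) while shadow contributes nothing, which is exactly why it is the file that does not help answer the question. On a live system the same checks apply to the real files, read with appropriate permissions, rather than to the constructed strings.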

  79. A. Logging of application and server activity may provide valuable evidence during a forensic investigation. The other three controls listed are proactive controls designed to reduce the risk of an incident occurring and are less likely to directly provide information during a forensic investigation.
  80. A. This is an appropriate case for an exception to the scanning policy. The server appears to be secure, and the scanning itself is causing a production issue. Jamal should continue to monitor the situation and consider alternative forms of scanning, but it would not be appropriate to continue the scanning or set an artificial deadline that is highly unlikely to be met. Decommissioning the server is an excessive action as there is no indication that it is insecure, and the issue may, in fact, be a problem with the scanner itself.
  81. A. The best defense against a man-in-the-middle attack is to use HTTPS with a digital certificate. Users should be trained to pay attention to certificate errors to avoid accepting a false certificate. Input validation and patching would not be an effective defense against man-in-the-middle attacks because man-in-the-middle attacks are network-based attacks. A firewall would be able to block access to the web application but cannot stop a man-in-the-middle attack.
  82. B. Although nmap provides service version identification, it relies heavily on the information that the services provide. In some cases, fully patched services may provide banner information that does not show the minor version or may not change banners after a patch, leading to incorrect version identification.
  83. B. Tyler should initiate his organization's change management process to begin the patching process. This is a medium severity vulnerability, so there is no need to apply the patch in an emergency fashion that would bypass change management. Similarly, shutting down the server would cause a serious disruption and the level of severity does not justify that. Finally, there is no need to rerun the scan because there is no indication that it is a false positive result.
  84. A. Carla is looking for a tool from a category known as interception proxies. They run on the tester's system and intercept requests being sent from the web browser to the web server before they are released onto the network. This allows the tester to manually manipulate the request to attempt the injection of an attack. Burp, ZAP, and Tamper Data are all examples of interception proxies. Nessus is a vulnerability scanner and, while useful in penetration testing, does not serve as an interception proxy.
  85. C. Alex needs to quickly move into containment mode by limiting the impact of the compromise. He can then gather the evidence and data needed to support the incident response effort, allowing him to work with his organization's desktop and IT support teams to return the organization to normal function.