Mock Exam 1

  1. Which function in the Linux shell allows for collection of regex groups?
    1. pcregrep
    2. ls
    3. grep
    4. man grep
  2. Under which framework are auditable backups mandated?
    1. SOX
    2. HIPAA
    3. PCI DSS
    4. FOI
  3. Why is DNS an important service for cybersecurity operators to monitor?
    1. It is commonly used by threat actors.
    2. It is commonly used in many legitimate applications.
    3. It is commonly used by threat actors because it is also used in common legitimate applications.
    4. It can be used to identify a targeted system.
  4. An administrator suspects that a vulnerability exists on one of the host computers. It is communicating with the command and control host using HTTP messages. The hosts are all running Windows and Mozilla Firefox. Which user-agent string might be suspicious?
    1. Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
    2. Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
    3. Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/29.0
    4. Mozilla/5.0 (X11; x86_64; rv:21.0) Gecko/20100101 Firefox/21.0
  5. Which of the following is a description of deterministic analysis?
    1. Analysis based on potential vulnerabilities
    2. Analysis based on likely causes
    3. Analysis based on log files only
    4. Analysis resulting in conclusive results
  6. Which of the following is true about tcpdump compared with Wireshark?
    1. tcpdump uses relative timestamps, whereas Wireshark's packet list pane uses UTC time.
    2. tcpdump uses UTC time, whereas Wireshark's packet list pane uses relative timestamps.
    3. Wireshark's packet details pane displays only layers 3-7, whereas tcpdump can show all details in hex and ASCII using the (-X) option.
    4. Wireshark is able to open PCAP files made in tcpdump, whereas tcpdump is not able to open PCAP files made in Wireshark.
  7. Which of the following correlation rules should be investigated first?
    1. A rule with priority 3 in a policy with priority 2
    2. A rule with default priority in a policy with priority 5
    3. A rule with priority 1 in a policy with priority 4
    4. A rule with priority 2 in a policy with priority 1
  8. Which of the following correctly lists the four elements under the VERIS schema?
    1. Actors, Actions, Assets, Attributes
    2. Action, Blame, Countermeasures, Device
    3. Threat, Target, Technique, Tactics
    4. Preparation, Detection, Containment, Post-Incident
  9. Which of the following is the most likely reason that a threat actor might try to capture corporate email addresses using the reconnaissance phase of the Cyber Kill Chain?
    1. To determine the format for emails within the organization in order to generate whale phishing targets from the publicly accessible directors list
    2. To make contact with potential insider threats
    3. To reveal the email hosting provider used by the corporation
    4. To determine the location of an SMTP or POP server
  10. Which of the following is a general principle for a standard data format?
    1. As generic as possible
    2. As tailored to local settings as possible
    3. As readable as possible
    4. As few formatting marks as possible
  11. Which method of allocating virtual memory allocates full pages to applications, which is faster but sometimes results in higher memory usage?
    1. HeapAlloc
    2. LocalAlloc
    3. CoTaskMemAlloc
    4. VirtualAlloc
  12. Which of the following statements is true?
    1. At the network layer, the address is maintained from the sending computer to the destination computer
    2. At the transport layer, the address is changed at every device
    3. At the application layer, the address is the application's physical ID
    4. At the physical layer, the address is the logical address of the next hop device
  13. A vulnerability allows an attacker to insert fraudulent invoices into the list that is sent to a company's finance department to be processed. Which score might this vulnerability be given?
    1. Privileges Required: High
    2. Availability: High
    3. Confidentiality: Low
    4. User Interaction: Required
  14. Which of the following are impact metrics?
    1. Attack Vector | Availability | Privileges Required
    2. Attack Vector | Attack Complexity | Privileges Required
    3. Confidentiality | Integrity | Availability
    4. Attack Complexity | User Interaction | Scope
  15. Which of the following might occur in the weaponization phase of the Cyber Kill Chain?
    1. Potential vulnerabilities are identified.
    2. Exploits are sent to users.
    3. Exploits are linked to observed vulnerabilities in the system.
    4. Privileges are escalated.
  16. Which of the following pieces of data should be kept with a hard drive removed for evidential purposes? (Select all that apply):
    1. Name of the investigator
    2. Date of collection
    3. Tools used for hard drive removal
    4. Suspect Name
  17. Which of the following statements on integrity of evidence during data normalization is untrue?
    1. Some data is removed during the normalization process.
    2. The format of data is changed during the normalization process.
    3. Only a copy of the original data should be changed during the normalization process.
    4. Changing the data does not affect integrity if the process is documented.
  18. Which of the following is not one of the 18 identifiable features according to HIPAA?
    1. Last name and initial
    2. Cell phone number
    3. Year of birth
    4. Email address
  19. Which of the following is an example of probabilistic analysis?
    1. An HTTP communication with a known command and control server is identified as a potential threat.
    2. Analysis of a suspicious piece of software in a sandbox shows the same behaviors as a piece of known malware.
    3. A flow involving a connection via the corporate VPN is labeled as safe.
    4. A flow involving a Tor exit node is identified as a potential threat.
  20. Looking at the following screenshot, what is suspicious about the NetFlow records?
    [screenshot of the NetFlow records not reproduced]
    1. An external host is port scanning the internal server.
    2. An internal host is sending large amounts of data out of the network.
    3. An internal host has established a very long session with another internal host.
    4. Several similar external addresses have established sessions with internal hosts.
  21. Which character on the Linux command line allows the results of one function to be passed to another?
    1. The pipe character (|)
    2. The greater than sign (>)
    3. The caret sign (^)
    4. The ampersand character (&)
  22. Which attributes would be scored under VERIS if an encrypted USB pen drive was stolen?
    1. All attributes have to be given a score under VERIS.
    2. Confidentiality is affected as for all lost items.
    3. Availability is affected as the device is not available for use by the legitimate user.
    4. Confidentiality and Availability are both affected, so both should be scored.
  23. Which of the following statements is true?
    1. The layer 2 address is assigned by the system administrator.
    2. The layer 3 address cannot be changed.
    3. The layer 3 address is hierarchical.
    4. The layer 2 address is assigned by the IANA.
  24. Which of the following entities must comply with SOX?
    1. Any company that processes Visa Electron card payments
    2. A privately held corporation in America
    3. A Canadian charity with US branch offices
    4. A European company that has over 300 US shareholders
  25. Which of the following is true about a telnet session?
    1. NetFlow would record two flows.
    2. Telnet would show flows to port 22.
    3. Telnet will encrypt the flow.
    4. Telnet does not require a password.
  26. A user in finance follows a link sent to them from HACME bank, their company's business banking supplier. The user accessed it through Mozilla Firefox on Windows 10. Which log is suspicious?
    1. GET HACME.com/login.php HTTP/1.1 in the proxy log
    2. Records to [hacme.com]:443 in NetFlow, where [hacme.com] is the correct IP address for the bank's web server
    3. user-agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 in the proxy log
    4. Records to [hacme.com]:80 in NetFlow, where [hacme.com] is the correct IP address for the bank's web server
  27. Which of the following VERIS entries would describe loss of data caused by a wildfire affecting a data center?
    1. Asset: P - Maintenance | Action: Physical: .Variety: Unknown
    2. Actor: External | Action: Physical: .Variety: Tampering
    3. Asset: U - Other | Action: Environmental
    4. Actor: External | Action: Environmental
  28. Which is the best description of a logical copy of a disk?
    1. Best evidence
    2. A copy of every sector on a disk
    3. A copy of the files on a disk
    4. Unaltered disk image
  29. A network administrator is investigating 10 user service desk tickets saying they are unable to connect to the wireless network. The network has not been compromised. Which of the following might be the cause of this?
    1. DHCP pool depletion caused by too many users
    2. DHCP pool depletion caused by excessively long lease time
    3. MAC address filtering on the access point
    4. Disruption of the network between the Access Point and the DHCP server
  30. Which of the following is a reason to attempt threat actor attribution?
    1. To deter future attacks
    2. To prevent poor publicity
    3. To help detect future attacks
    4. To allow the SOC to demonstrate its abilities
  31. The following data is extracted from a data stream. Which application layer protocol is most likely?
    Source: 10.10.10.10.52357
    Destination: 10.10.10.128.443
    1. DNS
    2. SSL
    3. SSH
    4. DHCP
  32. Which system components are not in the scope of PCI DSS security requirements?
    1. Technologies that store, process, or transmit cardholder data
    2. Applications that share data with applications in the CDE
    3. Systems in the same subnet or VLAN as the CDE
    4. Systems on the transmission path for cardholder data that are on public infrastructure (for example, the internet)
  33. What feature of the IP 5-tuple makes it suitable for correlation of network events?
    1. The 5-tuple identifies the application layer protocols involved.
    2. The 5-tuple identifies the specific physical address of the source and destination.
    3. The 5-tuple is unchanged throughout the journey from host to host.
    4. The 5-tuple includes details of the route taken from start to finish.
  34. Which organization draws data from a number of sources in order to provide insights into future actions or trends?
    1. Coordination centers
    2. Analysis centers
    3. Managed security service providers
    4. Distributed Internal CSIRTs
  35. Which actions are carried out in the detection and analysis phase of an incident response?
    1. Profiling networks and servers to establish new baselines for activity
    2. Updating IPS/IDS/Firewalls
    3. Placing infected hosts in quarantine
    4. Verification of suspected incident
  36. Which of the following is not a reason to use retrospective analysis?
    1. Detecting polymorphic malware through behavioral analysis is slow.
    2. Long dwell times between breach and detection.
    3. Not all threats have existing signatures.
    4. To detect future threat.
  37. Which of the 4 As relates to the impact of the incident on the affected organization?
    1. Assets
    2. Actors
    3. Attributes
    4. Actions
  38. Which command could be issued in Command Prompt on a user device to determine who was logged into it?
    1. last | grep "logged in"
    2. query user
    3. w
    4. whoami
  39. A legitimate file enters the system, but the IDS incorrectly flags it as malicious. What does the administrator have to do?
    1. Nothing. The IDS has taken no action, so the file reached its intended target.
    2. Find, contain, and remove the malicious file. The IDS was correct, but has taken no preventative action.
    3. Advise the intended user, and remove the file from quarantine.
    4. Run a virus scan.
  40. Where would you find a log of non-critical system messages?
    1. ~/log
    2. /var/log/messages
    3. /etc/log/info
    4. /bin/info
  41. In which phase of the Cyber Kill Chain might an exploited device signal the attacker using a bespoke HTTP message?
    1. Exploration
    2. Communication
    3. Actions on objectives
    4. Command and control
  42. What is the defining characteristic of an attack that has completed the installation phase in the Cyber Kill Chain?
    1. An attacker has hands-on-keyboard access.
    2. An attacker has persistent access.
    3. An attacker has achieved their objective.
    4. An attacker has executed the exploit.
  43. Which of the following regex statements could be used to match the terms beginning in SS (for example, SSH and SSL) but not SSD?
    1. (SSH | SSL)
    2. [SSHL^D]
    3. SS[^D]
    4. SS(H|L)
  44. Which of these questions might be asked to test the planning for containment, eradication, and recovery within the organization?
    1. What precursors of the incident, if any, might the organization detect
    2. What could be done to prevent similar incidents
    3. To which people would the team report the incident
    4. Which sources of evidence, if any, should be acquired
  45. In which phase of the Cyber Kill Chain might an attacker attempt to take services offline?
    1. Reconnaissance
    2. Exploitation
    3. Actions on objectives
    4. Command and control
  46. What is the most significant benefit of using a SIEM over the systems individually?
    1. Cybersecurity operators need only review a single log
    2. Understanding of the context of each entry
    3. Alerts all come from a single source
    4. Automated normalization
  47. How does NetFlow use the IP 5-tuple?
    1. As a primary key
    2. To determine whether a new connection is being established
    3. To identify the appropriate flow
    4. To apply the ACL
  48. What Cisco technology can be used to reveal layer-7 information?
    1. CDP
    2. LLDP
    3. NetFlow
    4. NBAR
  49. Which of the following questions does not relate to the lesson-based hardening phase in incident handling?
    1. How could communication with the public be improved?
    2. How should employees be trained differently?
    3. What changes need to be made to the security audit and compliance policies?
    4. Have all the customer effects from the incident been reset?
  50. How does NTP help log collation?
    1. By maintaining a unified time across all the devices in the network
    2. By maintaining a unified time format across all the devices in the network
    3. By providing time with a greater precision than would otherwise be available
    4. By coordinating when each service submits its logs to the collator