Ty is reviewing the scan report for a Windows system joined to his organization's domain and finds the vulnerability shown here. What should be Ty's most significant concern related to this vulnerability?
The presence of this vulnerability indicates that an attacker may have compromised his network.
The presence of this vulnerability indicates a misconfiguration on the target server.
The presence of this vulnerability indicates that the domain security policy may be lacking appropriate controls.
The presence of this vulnerability indicates a critical flaw on the target server that must be addressed immediately.
Heidi runs a vulnerability scan of the management interface of her organization's virtualization platform and finds the severity 1 vulnerability shown here. What circumstance, if present, should increase the severity level of this vulnerability to Heidi?
Lack of encryption
Missing security patch
Exposure to external networks
Out-of-date antivirus signatures
Rowan ran a port scan against a network switch located on her organization's internal network and discovered the results shown here. She ran the scan from her workstation on the employee VLAN. Which one of the following results should be of greatest concern to her?
Port 22
Port 23
Port 80
Ports 8192 to 8194
Evan is troubleshooting a vulnerability scan issue on his network. He is conducting an external scan of a website located on the web server shown in the diagram. After checking the web server logs, he saw no sign of the scan requests. Which one of the following causes is the least likely issue for him to troubleshoot?
The scans are being blocked by an intrusion prevention system.
The scans are being blocked by a rule within the web server application.
The scans are being blocked by a network firewall.
The scans are being blocked by a host firewall.
Sam is looking for evidence of software that was installed on a Windows system. He believes that the programs were deleted and that the suspect used both registry and log cleaners to hide evidence. What Windows feature can't he use to find evidence of the use of these programs?
The MFT
Volume shadow copies
The shim (application compatibility) cache
Prefetch files
Mila is evaluating the security of an application developed within her organization. She would like to assess the application's security by supplying it with invalid inputs. What technique is Mila planning to use?
Fault injection
Stress testing
Mutation testing
Fuzz testing
A port scan conducted during a security assessment shows the following results. What type of device has most likely been scanned?
Nmap scan report for EXAMPLE (192.168.1.79)Host is up (1.00s latency).Not shown: 992 closed portsPORT STATE21/tcp open23/tcp open80/tcp open280/tcp open443/tcp open515/tcp open631/tcp open9100/tcp openNmap done: 1 IP address (1 host up) scanned in 124.20 seconds
A wireless access point
A server
A printer
A switch
Which of the following is not one of the major categories of security event indicators described by NIST 800-61?
Alerts from IDS, IPS, SIEM, AV, and other security systems
Logs generated by systems, services, and applications
Exploit developers
Internal and external sources
During an nmap scan of a network, Charles receives the following response from nmap:
Starting Nmap 7.80 ( https://nmap.org ) Nmap done: 256 IP addresses (0 hosts up) scanned in 29.74 seconds
What can Charles deduce about the network segment from these results?
There are no active hosts in the network segment.
All hosts on the network segment are firewalled.
The scan was misconfigured.
Charles cannot determine if there are hosts on the network segment from this scan.
Oskar is designing a vulnerability management program for his company, a hosted service provider. He would like to check all relevant documents for customer requirements that may affect his scanning. Which one of the following documents is least likely to contain this information?
BPA
SLA
MOU
BIA
During a port scan of a server, Gwen discovered that the following ports are open on the internal network:
TCP port 25.
TCP port 80.
TCP port 110.
TCP port 443.
TCP port 1521.
TCP port 3389.
Of the services listed here, for which one does the scan not provide evidence that it is likely running on the server?
Web
Database
SSH
Email
As part of her forensic analysis of a wiped thumb drive, Selah runs Scalpel to carve data from the image she created. After running Scalpel, she sees the following in the audit.log file created by the program. What should Selah do next?
Run a data recovery program on the drive to retrieve the files.
Run Scalpel in filename recovery mode to retrieve the actual filenames and directory structures of the files.
Review the contents of the scalpelout folder.
Use the identified filenames to process the file using a full forensic suite.
Lonnie ran a vulnerability scan of a server that he recently detected in his organization that is not listed in the organization's configuration management database. One of the vulnerabilities detected is shown here. What type of service is most likely running on this server?
Database
Web
Time
Network management
Jorge would like to use a standardized system for evaluating the severity of security vulnerabilities. What SCAP component offers this capability?
CPE
CVE
CVSS
CCE
When performing threat-hunting activities, what are cybersecurity analysts most directly seeking?
Vulnerabilities
Indicators of compromise
Misconfigurations
Unpatched systems
Taylor is preparing to run vulnerability scans of a web application server that his organization recently deployed for public access. He would like to understand what information is available to a potential external attacker about the system as well as what damage an attacker might be able to cause on the system. Which one of the following scan types would be least likely to provide this type of information?
Internal network vulnerability scan
Port scan
Web application vulnerability scan
External network vulnerability scan
While analyzing a packet capture in Wireshark, Chris finds the packet shown here. Which of the following is he unable to determine from this packet?
That the username used was gnome
That the protocol used was FTP
That the password was gnome123
That the remote system was 137.30.120.40
Cynthia's review of her network traffic focuses on the graph shown here. What occurred in late June?
Beaconing
High network bandwidth consumption
A denial-of-service attack
A link failure
Carlos arrived at the office this morning to find a subpoena on his desk requesting electronic records in his control. What type of procedure should he consult to determine appropriate next steps, including the people he should consult and the technical process he should follow?
Evidence production procedure
Monitoring procedure
Data classification procedure
Patching procedure
Which stage of the incident response process includes activities such as adding IPS signatures to detect new attacks?
Detection and analysis
Containment, eradication, and recovery
Postincident activity
Preparation
Gloria is configuring vulnerability scans for a new web server in her organization. The server is located on the screened subnet (DMZ) network, as shown here. What type of scans should Gloria configure for best results?
Gloria should not scan servers located in the screened subnet (DMZ).
Gloria should perform only internal scans of the server.
Gloria should perform only external scans of the server.
Gloria should perform both internal and external scans of the server.
Pranab is preparing to reuse media that contained data that his organization classifies as having “moderate” value. If he wants to follow NIST SP 800-88's guidelines, what should he do to the media if the media will not leave his organization's control?
Reformat it
Clear it
Purge it
Destroy it
Susan is building an incident response program and intends to implement NIST's recommended actions to improve the effectiveness of incident analysis. Which of the following items is not an NIST-recommended incident analysis improvement?
Perform behavioral baselining.
Create and implement a logging policy.
Set system BIOS/UEFI clocks regularly.
Maintain an organizationwide system configuration database.
Jim's nmap port scan of a remote system showed the following list of ports:
PORT STATE SERVICE80/tcp open http135/tcp open msrpc139/tcp open netbios-ssn445/tcp open microsoft-ds902/tcp open iss-realsecure912/tcp open apex-mesh3389/tcp open ms-wbt-server
What operating system is the remote system most likely running?
Windows
Linux
An embedded OS
macOS
Helen is seeking to protect her organization against attacks that involve the theft of user credentials. In most organizations, which one of the following threats poses the greatest risk of credential theft?
DNS poisoning
Phishing
Telephone-based social engineering
Shoulder surfing
As part of her duties as a security operations center (SOC) analyst, Emily is tasked with monitoring intrusion detection sensors that cover her employer's corporate headquarters network. During her shift, Emily's IDS reports that a network scan has occurred from a system with IP address 10.1. 1.19 on the organization's unauthenticated guest wireless network aimed at systems on an external network. What should Emily's first step be?
Report the event to the impacted third parties.
Report the event to law enforcement.
Check the system's MAC address against known assets.
Check authentication logs to identify the logged-in user.
Sai works in an environment that is subject to the Payment Card Industry Data Security Standard (PCI DSS). He realizes that technical constraints prevent the organization from meeting a specific PCI DSS requirement and wants to implement a compensating control. Which one of the following statements is not true about proper compensating controls?
The control must include a clear audit mechanism.
The control must meet the intent and rigor of the original requirement.
The control must provide a similar level of defense as the original requirement provides.
The control must be above and beyond other requirements.
Lou recently scanned a web server in his environment and received the vulnerability report shown here. What action can Lou take to address this vulnerability?
Configure TLS.
Replace the certificate.
Unblock port 443.
Block port 80.
Which of the following factors is not typically considered when determining whether evidence should be retained?
Media life span
Likelihood of civil litigation
Organizational retention policies
Likelihood of criminal prosecution
Match each of the following with the appropriate element of the CIA triad:
A hard drive failure resulting in a service outage
A termination letter that is left on a printer and read by others in the department
Modification of an email's content by a third party
Niesha discovered the vulnerability shown here on a server running in her organization. What would be the best way for Niesha to resolve this issue?
Disable the use of AES-GCM.
Upgrade OpenSSH.
Upgrade the operating system.
Update antivirus signatures.
As part of her postincident recovery process, Alicia creates a separate virtual network as shown here to contain compromised systems she needs to investigate. What containment technique is she using?
Segmentation
Isolation
Removal
Reverse engineering
Jennifer is reviewing her network monitoring configurations and sees the following chart for a system she runs remotely in Amazon's Web Services (AWS) environment more than 400 miles away. What can she use this data for?
Incident response; she needs to determine the issue causing the spikes in response time.
The high packet loss must be investigated, since it may indicate a denial-of-service attack.
She can use this data to determine a reasonable response time baseline.
The high response time must be investigated, since it may indicate a denial-of-service attack.
The Windows system that Abdul is conducting live forensics on shows a partition map, as shown here. If Abdul believes that a hidden partition was deleted resulting in the unallocated space, which of the following type of tool is best suited to identifying the data found in the unallocated space?
File carving
Wiping
Partitioning
Disk duplication
During a postmortem forensic analysis of a Windows system that was shut down after its user saw strange behavior, Pranab concludes that the system he is reviewing was likely infected with a memory-resident malware package. What is his best means of finding the malware?
Search for a core dump or hibernation file to analyze.
Review the INDX files and Windows registry for signs of infection.
Boot the system and then use a tool like the Volatility Framework to capture live memory.
Check volume shadow copies for historic information prior to the reboot.
Juliette's organization recently suffered a cross-site scripting attack, and she plans to implement input validation to protect against the recurrence of such attacks in the future. Which one of the following HTML tags should be most carefully scrutinized when it appears in user input?
<SCRIPT>
<XSS>
<B>
<EM>
Jessie needs to prevent port scans like the scan shown here. Which of the following is a valid method for preventing port scans?
Not registering systems in DNS
Using a firewall to restrict traffic to only ports required for business purposes
Using a heuristic detection rule on an IPS
Implementing port security
What information can be gathered by observing the distinct default values of the following TCP/IP fields during reconnaissance activities: initial packet size, initial TTL, window size, maximum segment size, and flags?
The target system's TCP version.
The target system's operating system.
The target system's MAC address.
These fields are useful only for packet analysis.
Brooke would like to find a technology platform that automates workflows across a variety of security tools, including the automated response to security incidents. What category of tool best meets this need?
SIEM
NIPS
SOAR
DLP
Miray needs to identify the device or storage type that has the lowest order of volatility. Which of the following is the least volatile?
Network traffic
A solid-state drive
A spinning hard drive
A DVD-ROM
After receiving complaints about a system on Anastasia's network not performing correctly, she decides to investigate the issue by capturing traffic with Wireshark. The captured traffic is shown here. What type of issue is Anastasia most likely seeing?
A link failure
A failed three-way handshake
A DDoS
A SYN flood
After finishing a forensic case, Lucas needs to wipe the media that he is using to prepare it for the next case. Which of the following methods is best suited to preparing the SSD that he will use?
Degauss the drive.
Zero-write the drive.
Use a PRNG.
Use the ATA Secure Erase command.
Luis is creating a vulnerability management program for his company. He only has the resources to conduct daily scans of approximately 10 percent of his systems, and the rest will be scheduled for weekly scans. He would like to ensure that the systems containing the most sensitive information receive scans on a more frequent basis. What criterion is Luis using?
Data privacy
Data remanence
Data retention
Data classification
Peter is designing a vulnerability scanning program for the large chain of retail stores where he works. The store operates point-of-sale terminals in its retail stores as well as an e-commerce website. Which one of the following statements about PCI DSS compliance is not true?
Peter's company must hire an approved scanning vendor to perform vulnerability scans.
The scanning program must include, at a minimum, weekly scans of the internal network.
The point-of-sale terminals and website both require vulnerability scans.
Peter may perform some required vulnerability scans on his own.
Rachel discovered the vulnerability shown here when scanning a web server in her organization. Which one of the following approaches would best resolve this issue?
Patching the server
Performing input validation
Adjusting firewall rules
Rewriting the application code
What nmap feature is enabled with the -O flag?
OS detection
Online/offline detection
Origami attack detection
Origination port validation
Jose is working with his manager to implement a vulnerability management program for his company. His manager tells him that he should focus on remediating critical and high-severity risks to externally accessible systems. He also tells Jose that the organization does not want to address risks on systems without any external exposure or risks rated medium or lower. Jose disagrees with this approach and believes that he should also address critical and high-severity risks on internal systems. How should he handle the situation?
Jose should recognize that his manager has made a decision based upon the organization's risk appetite and should accept it and carry out his manager's request.
Jose should discuss his opinion with his manager and request that the remediation criteria be changed.
Jose should ask his manager's supervisor for a meeting to discuss his concerns about the manager's approach.
Jose should carry out the remediation program in the manner that he feels is appropriate because it will address all of the risks identified by the manager as well as additional risks.
Susan needs to test thousands of submitted binaries. She needs to ensure that the applications do not contain malicious code. What technique is best suited to this need?
Sandboxing
Implementing a honeypot
Decompiling and analyzing the application code
Fagan testing
When conducting a quantitative risk assessment, what term describes the total amount of damage expected to occur as a result of one incident?
EF
SLE
AV
ALE
Rhonda recently configured new vulnerability scans for her organization's datacenter. Completing the scans according to current specifications requires that they run all day, every day. After the first day of scanning, Rhonda received complaints from administrators of network congestion during peak business hours. How should Rhonda handle this situation?
Adjust the scanning frequency to avoid scanning during peak times.
Request that network administrators increase available bandwidth to accommodate scanning.
Inform the administrators of the importance of scanning and ask them to adjust the business requirements.
Ignore the request because it does not meet security objectives.
After restoring a system from 30-day-old backups after a compromise, administrators at Piper's company return the system to service. Shortly after that, Piper detects similar signs of compromise again. Why is restoring a system from a backup problematic in many cases?
Backups cannot be tested for security issues.
Restoring from backup may reintroduce the original vulnerability.
Backups are performed with the firewall off and are insecure after restoration.
Backups cannot be properly secured.
Captured network traffic from a compromised system shows it reaching out to a series of five remote IP addresses that change on a regular basis. Since the system is believed to be compromised, the system's Internet access is blocked, and the system is isolated to a quarantine VLAN.
When forensic investigators review the system, no evidence of malware is found. Which of the following scenarios is most likely?
The system was not infected, and the detection was a false positive.
The beaconing behavior was part of a web bug.
The beaconing behavior was due to a misconfigured application.
The malware removed itself after losing network connectivity.
Which one of the following ISO standards provides guidance on the development and implementation of information security management systems?
ISO 27001
ISO 9000
ISO 11120
ISO 23270
Mika's forensic examination of a compromised Linux system is focused on determining what level of access attackers may have achieved using a compromised www account. Which of the following is not useful if she wants to check for elevated privileges associated with the www user?
/etc/passwd
/etc/shadow
/etc/sudoers
/etc/group
Tracy is validating the web application security controls used by her organization. She wants to ensure that the organization is prepared to conduct forensic investigations of future security incidents. Which one of the following OWASP control categories is most likely to contribute to this effort?
Implement logging.
Validate all inputs.
Parameterize queries.
Error and exception handling.
Jamal is using agent-based scanning to assess the security of his environment. Every time that Jamal runs a vulnerability scan against a particular system, it causes the system to hang. He spoke with the system administrator, who provided him with a report showing that the system is current with patches and has a properly configured firewall that allows access from only a small set of trusted internal servers. Jamal and the server administrator both consulted the vendor, and they are unable to determine the cause of the crashes and suspect that it may be a side effect of the agent. What would be Jamal's most appropriate course of action?
Approve an exception for this server.
Continue scanning the server each day.
Require that the issue be corrected in 14 days and then resume scanning.
Decommission the server.
During an nmap port scan using the -sV flag to determine service versions, Ling discovers that the version of SSH on the Linux system she is scanning is not up-to-date. When she asks the system administrators, they inform her that the system is fully patched and that the SSH version is current. What issue is Ling most likely experiencing?
The system administrators are incorrect.
The nmap version identification is using the banner to determine the service version.
nmap does not provide service version information, so Ling cannot determine version levels in this way.
The systems have not been rebooted since they were patched.
Tyler scans his organization's mail server for vulnerabilities and finds the result shown here. What should be his next step?
Shut down the server immediately.
Initiate the change management process.
Apply the patch.
Rerun the scan.
Carla is performing a penetration test of a web application and would like to use a software package that allows her to modify requests being sent from her system to a remote web server. Which one of the following tools would not meet Carla's needs?
Nessus
Burp Suite
Zed Attack Proxy (ZAP)
Tamper Data
Alex learns that a recent Microsoft patch covers a zero-day exploit in Microsoft Office that occurs because of incorrect memory handling. The flaw is described as potentially resulting in memory corruption and arbitrary code execution in the context of the current privilege level. Exploitation of the flaws can occur if victims open a specifically crafted Office document in a vulnerable version of Microsoft Office.
If Alex finds out that approximately 15 of the workstations in his organization have been compromised by this malware, including one workstation belonging to a domain administrator, what phase of the incident response process should he enter next?
Preparation
Detection and analysis
Containment, eradication, and recovery
Postincident activity
Maria wants to use a security benchmark that is widely used throughout the industry to baseline her systems as part of a hardening process. Which of the following organizations provides a set of freely available benchmarks for operating systems?
The Center for Internet Security
CompTIA
PCI SSC
OWASP
Sally's organization wants to prioritize their vulnerability remediation efforts. Which of the following items is not typically critical to prioritization of remediation efforts?
A list of affected hosts
The risk score of the vulnerability
The vulnerability's name or CVE
The organization or individual that discovered the vulnerability
Chris is reviewing network flow data from systems in his organization and notices that a number of the systems are contacting a remote IP address periodically through the day. He suspects the systems may be compromised. What type of behavior is he most likely seeing?
Data exfiltration
Port scans
Beaconing
Rogue devices
What concern may drive organizations to communicate with customers impacted by a breach within a specific timeline?
Regulatory compliance
Media awareness
Social media interaction
Police involvement
Yuri wants to check if an IP address is known to be malicious. Which of the following options is the most useful way for him to manually check current information about an IP address or hostname?
The SANS Top 20
AbuseIPDB
WHOIS
Cuckoo Sandbox
Carla's organization is a managed security provider that uses the ITIL, and Carla wants to determine if her team is meeting the service level agreements her organization has agreed to meet for their customers for vulnerability management notifications happening within 24 hours. What is Carla attempting to assess?
A VMO
A SLO
An NDA
A VMS
Joanna's organization has been performing a forensic investigation of a compromised system. Her team's analysis indicates that a number of commonly available tools were used by the attacker and that the attacker was using basic, rather than advanced skills and techniques. What type of threat actor is Joanna most likely dealing with?
A hacktivist
A nation-state actor
A script kiddie
Organized crime
Michelle wants to provide metrics for her security team's incident response capabilities. Which of the following is not a common measure for teams like hers?
Mean time to detect
Mean time to respond
Mean time to remediate
Mean time to compromise
Tony is working with information from a closed-source threat feed and combines the feed information with his own organization's vulnerability management data and asset databases. What activity is Tony performing?
IoC analysis
Geolocation
Active defense
Data enrichment
Which of the following is not a common inhibitor to remediation of vulnerabilities?
Legacy systems
Organizational policies
The potential to degrade functionality
Organizational governance processes
Greg wants to assess the confidence levels for his threat intelligence data. What three common items are most frequently used to determine confidence in threat intelligence?
Timeliness, source quality, and cost
Accuracy, threat actor, and likelihood
Timeliness, relevance, and accuracy
Accuracy, source quality, and cost
Valerie's incident response process includes moving a compromise system to a separate VLAN that retains access to the Internet but does not allow contact with other systems on her network. What containment process has she implemented?
Segmentation
IoC-based response
Isolation
Sanitization
Isaac wants to view network traffic from a potentially compromised Linux machine. What tool can he use from the command line to view and analyze his network traffic?
Wireshark
tcpdump
Ettercap
cat /dev/eth0
Beena wants to ensure that her vulnerability management program is performing as expected. What technique should she use to look at its performance over time so she can see if she has problematic behaviors or practices?
A regularly created list of the top 10 most common vulnerabilities
A report showing remediation and patching trends
A list of zero-day vulnerabilities and the time to remediate them
A list of service level objectives
Valentine is reviewing network flow logs and sees a 30 GB data transfer between a database server and a system outside of her organization. For reviews, how should she flag the event?
Potential data exfiltration
Potential use of unauthorized privileges
A potential malicious process
Potential high drive capacity consumption
Selah wants to use appropriate metrics to determine how well her incident response process is working. Which of the following metrics is not commonly used to assess incident response processes?
Mean time to remediate
Meant time to detect
Mean time to respond
Mean time to defend
Gary wants to use NTP to help with his log analysis efforts. What is Gary doing?
Setting appropriate logging levels
Removing unnecessary logs using a trust process
Time synchronization
Validating log entries against the originals
Nathan's organization has been notified that there is a vulnerability in a legacy system that does not have vendor support. Nathan needs to ensure that the system is not compromised due to the vulnerability. What should Nathan implement to address this issue?
A patching plan
A compensating control
A remediation plan
An alternate patch
The endpoint detection and response (EDR) system that Li's organization uses has detected Windows workstations communicating between each other on the network on port 8944. What should Li flag this traffic as?
Beaconing
A port scan
Unexpected bandwidth consumption
Irregular peer-to-peer communication
What phase of incident response needs to happen before customer communications can occur?
Perform stakeholder identification.
Document lessons learned.
Prepare a timeline.
Conduct a root-cause analysis.
Jake wants to ensure that only authorized IP addresses can send email on behalf of his organization but doesn't want to require certificates and signatures for the validation. What should he implement?
DKIM
DMARC
S/MIME
SPF
Katie has been reviewing her organization's vulnerability management reports and notices that systems that are part of a cloud-hosted cluster continue to show a recurring issue where vulnerabilities re-appear when the cluster is scaled up to handle higher loads. What is the most likely issue that Katie should ask the system administrators about?
Reinstallation of the same software package instead of a patched version
A lack of update to the original cluster image
Patches failing to install
A compromise restoring the system to a vulnerable state
What open source intelligence source is accessible only using a TOR enabled browser or system?
Social media
The Dark Web
Blogs
Government bulletins
Bob's organization wants to adopt passwordless authentication. What will they need to provide to users to adopt this solution?
PINs
Biometric identifiers
Hardware tokens
New passwords
Hillary is working on improving her organization's security response processes and wants to integrate security tools from multiple vendors together. What type of integration should she look for to optimize the ability for systems to work together and exchange data?