While reviewing network flow logs, John sees that network flow on a particular segment suddenly dropped to zero. What is the most likely cause of this?
Charlotte is having a dispute with a co-worker over access to information contained in a database maintained by her co-worker’s department. Charlotte insists that she needs the information to carry out her job responsibilities, while the co-worker insists that nobody outside the department is allowed to access the information. Charlotte does not agree that the other department should be able to make this decision, and Charlotte’s supervisor agrees with her. What type of policy could Charlotte turn to for the most applicable guidance?
Frank is conducting the recovery process after his organization experienced a security incident. During that process, he plans to apply patches to all of the systems in his environment. Which one of the following should be his highest priority for patching?
Susan’s organization suffered from a major breach that was attributed to an advanced persistent threat (APT) that used exploits of zero-day vulnerabilities to gain control of systems on her company’s network. Which of the following is the least appropriate solution for Susan to recommend to help prevent future attacks of this type?
During his investigation of a Windows system, Eric discovered that files were deleted and wants to determine whether a specific file previously existed on the computer. Which of the following is the least likely to be a potential location to discover evidence supporting that theory?
As part of her duties as an SOC analyst, Emily is tasked with monitoring intrusion detection sensors that cover her employer’s corporate headquarters network. During her shift, Emily’s IDS alarms report that a network scan has occurred from a system with IP address 10.0.11.19 on the organization’s WPA2 enterprise wireless network aimed at systems in the finance division. What data source should she check first?
Casey’s incident response process leads her to a production server that must stay online for her company’s business to remain operational. What method should she use to capture the data she needs?
During a routine upgrade, Maria inadvertently changes the permissions to a critical directory, causing an outage of her organization’s RADIUS infrastructure. How should this threat be categorized using NIST’s threat categories?
What does the nmap response “filtered” mean in port scan results?
Darcy is the security administrator for a hospital that operates in the United States and is subject to the Health Insurance Portability and Accountability Act (HIPAA). She is designing a vulnerability scanning program for the hospital’s data center that stores and processes electronic protected health information (ePHI). What is the minimum scanning frequency for this environment, assuming that the scan shows no critical vulnerabilities?
During her review of incident logs, Laura discovers the initial entry via SSH on a front-facing bastion host (A) at 8:02 a.m. If the network that Laura is responsible for is designed as shown here, what is the most likely diagnosis if the second intrusion shows up on host B at 7:15 a.m.?
Matt recently ran a vulnerability scan of his organization’s network and received the results shown here. He would like to remediate the server with the highest number of the most serious vulnerabilities first. Which one of the following servers should be on his highest priority list?
Frank has been tasked with conducting a risk assessment for the midsize bank that he works at because of a recent compromise of their online banking web application. Frank has chosen to use the NIST 800-30 risk assessment framework shown here. What likelihood of occurrence should he assign to breaches of the web application?
Hank’s boss recently came back from a CEO summit event where he learned about the importance of cybersecurity and the role of vulnerability scanning. He asked Hank about the vulnerability scans conducted by the organization and suggested that instead of running weekly scans that they simply configure the scanner to start a new scan immediately after the prior scan completes. How should Hank react to this request?
Selah’s organization suffers an outage of its point-to-point encrypted VPN because of a system compromise at its ISP. What type of issue is this?
Garrett is working with a database administrator to correct security issues on several servers managed by the database team. He would like to extract a report for the DBA that will provide useful information to assist in the remediation effort. Of the report templates shown here, which would be most useful to the DBA team?
Bob’s Solarwinds network monitoring tools provide data about a system hosted in Amazon’s AWS environment. When Bob checks his server’s average response time, he sees the results shown here.
What action should Bob take based on this information?
Alex notices the traffic shown here during a Wireshark packet capture. What is the host with IP address 10.0.2.11 most likely doing?
Jenny is evaluating the security of her organization’s network management practices. She discovers that the organization is using RADIUS for administrator authentication to network devices. What additional security control should also be in place to ensure secure operation?
Jake is building a forensic image of a compromised drive using the dd command with its default settings. He finds that the imaging is going very slowly. What parameter should he adjust first?
What purpose does a honeypot system serve when placed on a network as shown here?
Danielle’s security team has found consistent evidence of system compromise over a period of weeks, with additional evidence pointing to the systems they are investigating being compromised for years. Despite her team’s best efforts, Danielle has found that her team cannot seem to track down and completely remove the compromise. What type of attack is Danielle likely dealing with?
Which one of the following metrics would be most useful in determining the effectiveness of a vulnerability remediation program?
Mike’s nmap scan of a system using the command nmap 192.168.1.100 does not return any results. What does Mike know about the system if he is sure of its IP address, and why?
What is the purpose of creating an MD5 hash for a drive during the forensic imaging process?
After completing his unsuccessful forensic analysis of the hard drive from a workstation that was compromised by malware, Ben sends it to be re-imaged and patched by his company’s desktop support team. Shortly after the system returns to service, the device once again connects to the same botnet. What action should Ben take as part of his next forensic review if this is the only system showing symptoms like this?
Part of the forensic data that Susan was provided for her investigation was a Wireshark packet capture. The investigation is aimed at determining what type of media an employee was consuming during work. What is the more detailed analysis that Susan can do if she is provided with the data shown here?
Which one of the following is not a characteristic of an information systems security audit?
Mark is a cybersecurity analyst for a large company but is helping a nonprofit organization in his free time. He would like to begin a vulnerability scanning program for that company but does not have any funds available to purchase a tool. What open source tool can he use?
Mika wants to run an nmap scan that includes all TCP ports and uses service detection. Which of the following nmap commands should she execute?
Which of the following is not classified as an eradication by CompTIA?
Dan is a cybersecurity analyst for a healthcare organization. He ran a vulnerability scan of the VPN server used by his organization. His scan ran from inside the data center against a VPN server also located in the data center. The complete vulnerability report is shown here. What action should Dan take next?
Gina is testing a firewall ruleset for use on her organization’s new CheckPoint firewall. She would like the firewall to allow unrestricted web browsing for users on the internal network, with the exception of sites listed on a Blocked Hosts list that the cybersecurity team maintains. She designed the ruleset shown here. What, if any, error does it contain?
Jay received an alert from his organization’s SIEM that it detected a potential attack against a web server on his network. However, he is unsure whether the traffic generating the alert actually entered the network from an external source or whether it came from inside the network. The NAT policy at the network perimeter firewall rewrites public IP addresses, making it difficult to assess this information based upon IP addresses. Jay would like to perform a manual log review to locate the source of the traffic. Where should he turn for the best information?
Jim ran a traceroute command to discover the network path between his system and the CompTIA website. He received the results shown here. What can he conclude from these results?
Which one of the following types of vulnerability scans would provide the least information about the security configuration of a system?
After finishing a forensic case, Sam needs to wipe the media that he is using to prepare it for the next case. Which of the following methods is best suited to preparing the hard drive that he will use if he wants to be in compliance with NIST SP 800-88?
After reading the NIST standards for incident response, Chris spends time configuring the NTP service on each of his servers, workstations, and appliances throughout his network. What phase of the incident response process is he working to improve?
Susan is the ISO for her company and is notified that a zero-day exploit has been released that can result in remote code execution on all Windows 10 workstations on her network because of an attack against Windows domain services. She wants to limit her exposure to this exploit but needs the systems to continue to be able to access the Internet. Which of the following approaches is best for her response?
Fred has configured SNMP to gather information from his network devices and issues the following command:
$ snmpgetnext -v 1 -c public device1
He receives a response that includes the following data:
ip.ipRouteTable.ipRouteEntry.ipRouteDest
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop
ip.ipRouteTable.ipRouteEntry.ipRouteDest.0.0.0.0 = IpAddress: 0.0.0.0
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.0.0.0.0 = IpAddress: 10.0.11.1
What local command could he have executed to gather the same information?
After scanning a network device located in her organization’s data center, Shannon noted the vulnerability shown here. What is the minimum version level of SNMP that Shannon should be running?
When Frank was called in to help with an incident recovery effort, he discovered that the network administrator had configured the network as shown here. What type of incident response action best describes what Frank has encountered?
As part of the forensic investigation of a Linux workstation, Alex needs to determine what commands may have been issued on the system. If no anti-forensic activities have taken place, what is the best location for Alex to check for a history of commands issued on the system?
Ben is preparing to reuse media that contained data that his organization classifies as “moderate” value. If he wants to follow NIST SP-800-88’s guidelines, what should he do to the media if the media will not leave his organization’s control?
Crystal is attempting to determine the next task that she should take on from a list of security priorities. Her boss told her that she should focus on activities that have the most “bang for the buck.” Of the tasks shown here, which should she tackle first?
During the analysis of an incident that took place on her network, Tammy discovered that the attacker used a stolen cookie to access a web application. Which one of the following attack types most likely occurred?
When Pete connects to his organization’s network, his PC runs the NAC software his systems administrator installed. The software communicates to the edge switch he is plugged into, which validates his login and system security state. What type of NAC solution is Pete using?
Curt is conducting a forensic analysis of a Windows system and needs to determine whether a program was set to automatically run. Which of the following locations should he check for this information?
During a security assessment, Scott discovers that his organization has implemented a multifactor authentication requirement for systems that store and handle highly sensitive data. The system requires that users provide both a password and a four-digit PIN. What should Scott note in his findings about this system?
What concept measures how easy data is to lose?
During a reconnaissance exercise, Mika uses the following command:
root@demo:~# nc -v 10.0.2.9 8080
www.example.com [10.0.2.9] 8080 (http-alt) open
GET / HTTP/1.0
What is she doing?
Steps like those listed here are an example of what type of incident response preparation?
While analyzing the vulnerability scan from her web server, Kristen discovers the issue shown here. Which one of the following solutions would best remedy the situation?
Charles is building an incident response playbook for his organization that will address command and control client-server traffic detection and response. Which of the following information sources is least likely to be part of his playbook?
Which one of the following mechanisms may be used to enhance security in a context-based authentication system?
Susan’s organization has faced a significant increase in successful phishing attacks, resulting in compromised accounts. She knows that she needs to implement additional technical controls to prevent successful attacks. Which of the following controls will be the most effective while remaining relatively simple and inexpensive to deploy?
Carol recently fell victim to a phishing attack. When she clicked the link in an email message that she received, she was sent to her organization’s central authentication service and logged in successfully. She did verify the URL and certificate to validate that the authentication server was genuine. After authenticating, she was sent to a form that collected sensitive personal information that was sent to an attacker. What type of vulnerability did the attacker most likely exploit?
As a penetration tester, Max uses Wireshark to capture all of his testing traffic. Which of the following is not a reason that Max would capture packets during penetration tests?
Rich recently configured new vulnerability scans for his organization’s business intelligence systems. The scans run late at night when users are not present. Rich received complaints from the business intelligence team that the performance burden imposed by the scanning is causing their overnight ETL jobs to run too slowly and they are not completing before business hours. How should Rich handle this situation?
Which one of the following regulations imposes compliance obligations specifically only upon financial institutions?
Bryce ran a vulnerability scan on his organization’s wireless network and discovered that many employees are bringing their personally owned devices onto the corporate network (with permission) and those devices sometimes contain serious vulnerabilities. What mobile strategy is Bryce’s organization using?
Richard uses the following command to mount a forensic image. What has he specified in his command?
sansforensics@siftworkstation:~/Case1$ sudo mount RHINOUSB.dd /mnt/usb -t auto -o loop, noexec,ro
Javier ran a vulnerability scan of a new web application created by developers on his team and received the report shown here. The developers inspected their code carefully and do not believe that the issue exists. They do have a strong understanding of SQL injection issues and have corrected similar vulnerabilities in other applications. What is the most likely scenario in this case?
Chris is able to break into a host in a secured segment of a network during a penetration test. Unfortunately, the rules of engagement state that he is not allowed to install additional software on systems he manages to compromise. How can he use netcat to perform a port scan of other systems in the secured network segment?
Catherine is working with the architect on the design of a new data center for her organization. She is concerned about the intrusion alarms that will notify security personnel of an attempted break-in to the facility. What type of control is Catherine designing?
In his role as a security manager, Fred and a small team of experts have prepared a scenario for his security and system administration teams to use during their annual security testing. His scenario includes the rules that both the defenders and attackers must follow, as well as a scoring rubric that he will use to determine which team wins the exercise. What term should Fred use to describe his team’s role in the exercise?
Lauren downloads a new security tool and checks its MD5. What does she know about the software she downloaded if she receives the following message:
Martha ran a vulnerability scan against a series of endpoints on her network and received the vulnerability report shown here. She investigated further and found that several endpoints are running Internet Explorer 7. What is the minimum version level of IE that is considered secure?
During an incident investigation, Chris is able to identify the IP address of the system that was used to compromise multiple systems belonging to his company. What can Chris determine from this information?
Nick believes that an attacker has compromised a Linux workstation on his network and has added a new user. Unfortunately, most logging was not enabled on the system. Which of the following is most likely to provide useful information about which user was created most recently?
After a major compromise involving what appears to be an APT, Jaime needs to conduct a forensic examination of the compromised systems. Which containment method should he recommend to ensure that he can fully investigate the systems that were involved while minimizing the risk to his organization’s other production systems?
Michelle is attempting to remediate a security vulnerability and must apply a patch to a production database server. The database administration team is concerned that the patch will disrupt business operations. How should Michelle proceed?
Kent ran a vulnerability scan of an internal CRM server that is routinely used by employees, and the scan reported that no services were accessible on the server. Employees continued to use the CRM application over the web without difficulty during the scan. What is the most likely source of Kent’s result?
Steve needs to perform an nmap scan of a remote network and wants to be as stealthy as possible. Which of the following nmap commands will provide the stealthiest approach to his scan?
Which element of the COBIT framework contains the high-level requirements that an organization should implement to manage its information technology functions?
Jenna is configuring the scanning frequency for her organization’s vulnerability scanning program. Which one of the following is the least important criteria for Jenna to consider?
Donna is interpreting a vulnerability scan from her organization’s network, shown here. She would like to determine which vulnerability to remediate first. Donna would like to focus on the most critical vulnerability according to the potential impact if exploited. Assuming the firewall is properly configured, which one of the following vulnerabilities should Donna give the highest priority?
Which one of the following document categories provides the highest-level authority for an organization’s cybersecurity program?
Chris is planning a vulnerability scanning program for his organization and is scheduling weekly scans of all the servers in his environment. He was approached by a group of system administrators who asked that they be given direct access to the scan reports without going through the security team. How should Chris respond?
During an incident investigation, Chris discovers that attackers were able to query information about his routers and switches using SNMP. In addition, he discovers that the SNMP traffic was sent in plain text through his organization’s network management backend network. Which version of SNMP would provide encryption and authentication features to help him prevent this in the future?
Which one of the following statements is true about virtualized operating systems?
While reviewing a report from a vulnerability scan of a web server, Paul encountered the vulnerability shown here. What is the easiest way for Paul to correct this vulnerability with minimal impact on the business?
A log showing a successful user authentication is classified as what type of occurrence in NIST’s definitions?
Sally used the dig command to attempt to look up the IP address for CompTIA’s website and received the results shown here. What can Sally conclude from these results?
Fran is trying to run a vulnerability scan of a web server from an external network, and the scanner is reporting that there are no services running on the web server. She verified the scan configuration and attempted to access the website running on that server using a web browser on a computer located on the same external network and experienced no difficulty. What is the most likely issue with the scan?