THE P.T: 2 CHRONICLE: ( ex.10 )

88問 • 6ヶ月前

問題一覧

What sanitization technique uses only logical techniques to remove data, such as overwriting a hard drive with a random series of ones and zeroes?

- Clear

This data is meant to eliminate information from being feasibly recovered even in a laboratory environment.

- Purge

This requires physical destruction of the media, such as pulverization, melting, incineration, and disintegration.

- Destroy

This is the process of decreasing or eliminating a remnant magnetic field. This is an effective method of sanitization for magnetic media, such as hard drives and floppy disks.

- Degauss

What sanitization technique uses only logical techniques to remove data, such as overwriting a hard drive with a random series of ones and zeroes?

- Clear

This data is meant to eliminate information from being feasibly recovered even in a laboratory environment.

- Purge

This requires physical destruction of the media, such as pulverization, melting, incineration, and disintegration.

- Destroy

This is the process of decreasing or eliminating a remnant magnetic field. This is an effective method of sanitization for magnetic media, such as hard drives and floppy disks.

- Degauss

When using tcpdump, which option or flag would you use to record the ethernet frames during a packet capture?

-e

This option will capture the packet's payload in hex and ASCII formats

-X

This shows I.P addresses and ports in numeric format.

-nn

This flag will show the I.P. addresses in numeric form.

-n

During the Stuxnet attack, a sophisticated worm was delivered to the victim, Iran's nuclear facilities, via an infected USB stick. Which phase of the Cyber Kill Chain does this represent?

- Delivery

What is about maintaining communication with the compromised system, not delivering a payload.

- Command and Control

This is the phase where the payload establishes a foothold on the system.

- Installation

This is about gathering information about the target system, not delivering a payload.

- Reconnaissance

Which of the following frameworks is best suited for performing a structured approach to security testing across different areas such as applications, networks, and systems?

- Open Source Security Testing Methodology Manual (OSS TMM)

This primarily focuses on understanding the relationship between four elements of an attack: the adversary, the victim, the infrastructure, and the capability. It's not geared towards security testing.

- Diamond Model of Intrusion Analysis

This framework provides a matrix of tactics, techniques, and procedures ( T.T.Ps ) used by cyber adversaries. It doesn't focus on providing a structured approach to security testing.

- MITRE ATT&CK

This Guide provides a methodology for testing the security of web applications specifically, not a comprehensive approach to security testing across different areas.

- OWASP Testing Guide

What regulation protects the privacy of student educational records?

- FERPA

This institutes requirements that help protect the privacy of an individual's financial information held by financial institutions and others, such as tax preparation companies. The privacy standards and rules created as part of GLBA safeguard private information and set penalties in the event of a violation.

- GLBA

This dictates requirements for storing and retaining documents relating to an organization's financial and business operations, including the type of documents to be stored and their retention periods. It is relevant for any publicly-traded company with a market value of at least $75 million.

- SOX

This establishes several rules and regulations regarding healthcare in the United States. With the rise of electronic medical records, HIPAA standards have been implemented to protect patient medical information privacy through restricted access to medical records and regulations for sharing medical records.

- HIPAA

What describes the infrastructure needed to support the other architectural domains in the T.O.G.A.F. framework?

- Technical architecture

This provides the organization’s approach to storing and managing information assets. This question may seem beyond the scope of the exam.

- Data architecture

This defines governance and organization and explains the interaction between enterprise architecture and business strategy.

- Business architecture

This includes the applications and systems an organization deploys, the interactions between those systems, and their relation to the business processes.

- Applications architecture

This references ( I.D.O.R. ) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks.

- Insecure direct object reference

These are commonly a result of incomplete or ad-hoc configurations, open cloud storage, misconfigured H.T.T.P. headers, unnecessary H.T.T.P. methods, permissive Cross-Origin resource sharing ( C.O.R.S ), and verbose error messages containing sensitive information.

- Weak or default configurations

This can reveal implementation details that should never be revealed, such as detailed information that can provide hackers important clues on the system's potential flaws.

- Improper error handling

This is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events.

- Race condition

Which of the following scan types are useful for probing firewall rules?

- TCP ACK

This scan can sometimes be used to determine what ports are filtered. Still, if the firewall is configured to drop packets for disallowed ports instead of sending an R.S.T packet, then a T.C.P S.Y.N. scan will not be able to determine if a firewall was there or if the port was simply unavailable. A target sends a T.C.P R.S.T packet in response to a T.C.P. ACK scan, but a T.C.P. R.S.T. is not a valid type of scan itself.

- TCP SYN

A target sends a this packet in response to a T.C.P ACK scan, but a T.C.P R.S.T. is not a valid type of scan itself.

- TCP RST

This scan will set the FIN, PSH, and U.R.G flags in the T.C.P. packet. This is a noisy type of scan and not useful for probing firewall rules.

- XMAS TREE

Referencing the infamous WannaCry ransomware attack, where the attackers exploited a vulnerability in Microsoft’s SMB protocol using an NSA tool known as EternalBlue, which phase of the Cyber Kill Chain involves the creation and preparation of this exploit for use in the attack?

- Weaponization

This phase would be when the attackers actually encrypted the files and demanded the ransom.

- Actions and Objectives

This phase involves the transmission of the malicious payload to the victim, not the creation of it.

- Delivery

This refers to the phase where the attacker establishes a channel to control the compromised system.

- Command and Control

After a major ransomware attack on your organization, a comprehensive review process is initiated. This review involves dissecting the incident to identify what went wrong, what went well, and what steps can be taken to prevent such an event from happening again in the future. What is the term used for this critical part of the post-incident phase?

- Lessons learned

This is a detailed investigation of an incident to understand its origin, extent, and impact. While it can inform lessons learned, it does not itself represent the comprehensive review process aimed at improving future responses.

- Forensic analysis

This analysis seeks to identify the origin of an incident, but does not involve a broad review of the incident response process with the aim of improving future responses.

- Root cause analysis

These exercises are a part of the preparation phase of the incident management lifecycle and are used to test the effectiveness of an organization's incident response plan. They do not involve reviewing past incidents to improve future responses.

- Tabletop exercise

A penetration tester has been hired to conduct an assessment, but the company wants to exclude social engineering from the list of authorized activities. Which of the following documents would include this limitation?

- Rules of engagement

This is a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve monetary exchange.

- Memorandum of understanding

This policy is a policy that governs employees' use of company equipment and internet services.

- Acceptable use policy

A service level agreement contains the operating procedures and standards for a service contract.

- Service Level Agreement ( S.L.A. )

Which of the following protocols could be used inside a virtual system to manage and monitor the network?

- SNMP

Is used for email.

- SMTP

are used for routing network data.

- BGP

are used for routing network data.

- EIGRP

If an attacker can compromise an Active Directory domain by utilizing an attack to grant administrative access to the domain controllers for all domain members, which type of attack is being used?

- Golden ticket

This is an umbrella term for a variety of attack types. Attackers can extend their lateral movement by a great deal if they can compromise host credentials

- Lateral movement

This is the process of harvesting an account's cached credentials when the user logs in to a single sign-on ( S.S.O. ) system. This would then allow the attacker to use the credentials on other systems, as well.

- Pass the hash

This is a process similar to lateral movement. When attackers pivot, they compromise one central host (the pivot) that allows them to spread out to other hosts that would otherwise be inaccessible.

- Pivoting

Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services?

- TACACS+

This is a networking protocol that operates on port 1812 and provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service, but Cisco did not develop it.

- RADIUS

This is used to authenticate a user or network host to an authenticating entity. This is an authentication protocol but does not provide authorization or accounting services.

- CHAP

This is a network authentication protocol designed to provide strong mutual authentication for client/server applications using secret-key cryptography developed by M.I.T.

- Kerberos

Which of the following automatically combines multiple disparate sources of information to form a complete picture of events for analysts to use during an incident response or when conducting proactive threat hunting?

- Data enrichment

This is a software development method in which code updates are tested and committed to development or build server/code repositories rapidly, and is unrelated to this question.

- Continuous integration

These are forms of artificial intelligence that may be used to conduct data enrichment activities, but individually they are not sufficient to answer this question.

- Machine learning

These are forms of artificial intelligence that may be used to conduct data enrichment activities, but individually they are not sufficient to answer this question.

- Deep learning

You are conducting a quick nmap scan of a target network. You want to conduct an SYN scan, but you don't have raw socket privileges on your workstation. Which of the following commands should you use to conduct the SYN scan from your workstation?

- nmap -sT

This flag would conduct a Xmas scan where the FIN, PSH, and URG flags are used in the scan.

- nmap -sX

This flag would conduct an operating system detection scan of the target system.

- nmap -O

This flag is more often conducted, but it requires raw socket access on the scanning workstation.

- nmap -sS

In the Mirai botnet attack, thousands of IoT devices, such as cameras and routers, were infected and used to launch large-scale DDoS attacks. In the Diamond Model of Intrusion Analysis, what do these IoT devices represent?

- Infrastructure

This refers to the tools and techniques used in the attack, not the resources used in the attack.

- Capability

The Victim is the target of the attack, not the resources used in the attack.

- Victim

This is the entity conducting the attack, not the resources used in the attack.

- Adversary

A vulnerability scanner has reported that a vulnerability exists in the system. Upon validating the report, the analyst determines that this reported vulnerability does not exist on the system. What is the proper term for this situation?

- False positive

This occurs when a scanner does not detect a vulnerability, but the vulnerability actually exists on the scanned system.

- False negative

This occurs when a scanner detects a vulnerability, and the vulnerability exists on the scanned system.

- True positive

This occurs when a scanner does not detect a vulnerability because the vulnerability does not exist on the scanned system.

- True negative

Which protective feature is used to prevent a buffer overflow attack from specific applications by randomizing where a program's components are run from in memory?

- ASLR

This feature protects processes against exploits that try to execute code from a writable memory area (stack/heap). This also prevents code from being run from a non-executable memory region

- DEP

This is a library that contains code and data that can be used by more than one program at the same time.

- DLL

A dynamic link library (DLL) is a library that contains code and data that can be used by more than one program at the same time.

- DLP

Which phase of the Cyber Kill Chain involves the attacker maintaining communication with the compromised system to facilitate data exfiltration or further exploitation?

- Command and Control

This involves transmitting the weaponized payload to the victim, not maintaining communication with the compromised system.

- Delivery

This involves taking advantage of a vulnerability in the system or application to execute the payload, not maintaining communication with the compromised system.

- Exploitation

This involves creating a malicious payload, not maintaining communication with the compromised system.

- Weaponization

Which of the following tools is useful for capturing Windows memory data for forensic analysis?

- Memdump

This tool is used to conduct forensic disk images.

- dd

This is used for packet capture and analysis.

- Wireshark

This is a commonly used vulnerability scanner.

- Nessus

THE P.T: 1 CHRONICLE: ( ex.9 )

The R.S.S.H Delivery Company · 90問 · 6ヶ月前

THE P.T: 1 CHRONICLE: ( ex.9 )