CNL_CH_11

118問 • 2年前

問題一覧

After installing a Windows server, a cybersecurity administrator needs to harden it, following security best practices. Which of the following will achieve the administrator's goal? (Select TWO)

Disabling guest accounts, Disabling NetBIOS over TCP/IP

A new security engineer has started hardening systems. One of the hardening techniques the engineer is using involves disabling remote logins to the NAS. Users are now reporting the inability to use SCP to transfer files to the NAS, even though the data is still viewable from the user's PCs. Which of the following is the MOST likely cause of this issue?

SSH was turned off instead of modifying the configuration file

A company’s bank has reported that multiple corporate credit cards have been stolen over the past several weeks. The bank has provided the names of the affected cardholders to the company’s forensics team to assist in the cyber-incident investigation. An incident responder learns the following information: ● The timeline of stolen card numbers corresponds closely with affected users making Internet-based purchases from diverse websites via enterprise desktop PCs. ● All purchase connections were encrypted, and the company uses an SSL inspection proxy for the inspection of encrypted traffic of the hardwired network. ● Purchases made with corporate cards over the corporate guest WiFi network, where no SSL inspection occurs, were unaffected. Which of the following is the MOST likely root cause?

HTTPS sessions are being downgraded to insecure cipher suites

During a CISO conference to discuss security awareness, the attendees are provided with a network connection to use as a resource. As the conference progresses, one of the attendees starts to notice delays in the connection, and the HTTPS site requests are reverting to HTTP. Which of the following best describes what is happening?

A SSL/TLS downgrade

A security administrator receives alerts from the perimeter UTM. Upon checking the logs, the administrator finds the following output: Time: 12/25 0300 - From Zone: Untrust - To Zone: DMZ - Attacker: externalip.com - Victim: 172.16.0.20 - To Port: 80 - Action: Alert - Severity: Critical - When examining the PCAP associated with the event, the security administrator finds the following information: <script> alert ("Click here for important information regarding your account! http://externalip.com/account.php"); </ script> Which of the following actions should the security administrator take?

Submit a change request to modify the XSS vulnerability signature to TCP reset on future attempts.

A dynamic application vulnerability scan identified code injection could be performed using a web form. Which of the following will be BEST remediation to prevent this vulnerability?

Implement input validations

A company's help desk received several AV alerts indicating Mimikatz attempted to run on the remote systems. Several users also reported that the new company flash drives they picked up in the break room only have 512KB of storage. Which of the following is MOST likely the cause?

The GPO blocking the flash drives is being bypassed by a malicious flash drive that is attempting to harvest plaintext credentials from memory.

An analyst is reviewing logs associated with an attack. The logs indicate an attacker downloaded a malicious file that was quarantined by the AV solution. The attacker utilized a local non-administrative account to restore the malicious file to a new location. The file was then used by another process to execute a payload. Which of the following attacks did the analyst observe?

Injection

A penetration tester was able to compromise a host using previously captured network traffic. Which of the following is the result of this action?

Replay attack

A security analyst reviews web server logs and notices the following line: 104.35. 45.53 - [22/May/2020:07 : 00:58 +0100] "GET . UNION ALL SELECT user login, user _ pass, user email from wp users—— HTTP/I.I" 200 1072 http://www.example.com/wordpress/wp—admin/ Which of the following vulnerabilities is the attacker trying to exploit?

SQLi

A security engineer is investigating a penetration test report that states the company website is vulnerable to a web application attack. While checking the web logs from the time of the test, the engineer notices several invalid web form submissions using an unusual address: "SELECT * FROM customername”. Which of the following is most likely being attempted?

SQL injection

A network-connected magnetic resonance imaging (MRI) scanner at a hospital is controlled and operated by an outdated and unsupported specialized Windows OS. Which of the following is most likely preventing the IT manager at the hospital from upgrading the specialized OS?

The MRI vendor does not support newer versions of the OS.

After a recent security breach, a security analyst reports that several administrative usernames and passwords are being sent via cleartext across the network to access network devices over port 23. Which of the following should be implemented so all credentials sent over the network are encrypted when remotely accessing and configuring network devices?

SSH

A company was compromised, and a security analyst discovered the attacker was able to get access to a service account. The following logs were discovered during the investigation: Which of the following MOST likely would have prevented the attacker from learning the service account name?

Proper error handling

An attacker is attempting to harvest user credentials on a client's website. A security analyst notices multiple attempts of random usernames and passwords. When the analyst types in a random username and password, the logon screen displays the following message: Which of the following should the analyst recommend be enabled?

Error handling

A user recently entered a username and password into a recruiting application website that had been forged to look like the legitimate site. Upon investigation, a security analyst the identifies the following: ● The legitimate websites IP address is 10.1.1.20 and eRecruit local resolves to this IP ● The forged website's IP address appears to be 10.2.12.99, based on NetFlow records ● All three of the organization's DNS servers show the website correctly resolves to the legitimate IP ● DNS query logs show one of the three DNS servers returned a result of 10.2.12.99 (cached) at the approximate time of the suspected compromise. Which of the following MOST likely occurred?

An attacker temporarily poisoned a name server

A security analyst was asked to evaluate a potential attack that occurred on a publicly accessible section of the company's website The malicious actor posted an entry in an attempt to trick users into clicking the following: Which of the following was MOST likely observed?

XSS

A security analyst is reviewing application logs to determine the source of a breach and locates the following log: Which Of the following has been observed?

SQLI

During an incident response, a security analyst observes the following log entry on the web server. Which of the following BEST describes the type of attack the analyst is experience?

Directory traversal

A junior security analyst is conducting an analysis after passwords were changed on multiple accounts without users' interaction. The SIEM have multiple login entries with the following text: Which of Ihe following is the MOST likely attack conducted on the environment?

Malicious script

A company is upgrading its wireless infrastructure to WPA2-Enterprise using EAP-TLS. Which of the following must be part of the security architecture to achieve AAA? (Select TWO)

PKI., RADIUS

A security engineer is building a file transfer solution to send files to a business partner. The users would like to drop off the files in a specific directory and have the server send it to the business partner. The connection to the business partner is over the internet and needs to be secure. Which of the following can be used?

SSH

During an internal penetration test, a security analyst identified a network device that had accepted cleartext authentication and was configured with a default credential. Which of the following recommendations should the security analyst make to secure this device?

Configure SNMPv3.

A security analyst is evaluating solutions to deploy an additional layer of protection for a web application. The goal is to allow only encrypted communications without relying on network devices. Which of the following can be implemented?

HTTP security header

Which of the following are the MOST likely vectors for the unauthorized inclusion of vulnerable code in a software company’s final software releases? (Select TWO.)

Included third-party libraries, Vendors/supply chain

A security engineer updated an application on company workstations. The application was running before the update, but it is no longer launching successfully. Which of the following most likely needs to be updated?

Approved first

An air traffic controller receives a change in flight plan for an morning aircraft over the phone. The air traffic controller compares the change to what appears on radar and determines the information to be false. As a result, the air traffic controller is able to prevent an incident from occurring. Which of the following is this scenario an example of?

Vishing

A manager for the development team is concerned about reports showing a common set of vulnerabilities. The set of vulnerabilities is present on almost all of the applications developed by the team. Which of the following approaches would be most effective for the manager to use to address this issue?

Invest in secure coding training and application security guidelines.

During a recent cybersecurity audit, the auditors pointed out various types of vulnerabilities in the production area. The production area hardware runs applications that are critical to production. Which of the following describes what the company should do first to lower the risk to the production hardware?

Apply patches.

A security administrator would like to ensure all cloud servers will have software preinstalled for facilitating vulnerability scanning and continuous monitoring. Which of the following concepts should the administrator utilize?

Provisioning

Which of the following security design features can a development team analyze the deletion or editing of data sets without affecting the copy?

Version control

While performing a threat-hunting exercise, a security analyst sees some unusual behavior occurring in an application when a user changes the display name. The security analyst decides to perform a static code analysis and receives the following pseudocode: function change.display.name set variable $displayname [8] print "Enter a new display name:" getstring ($displayname) goto function exit.display.name.string Which of the following attack types best describes the root cause of the unusual behavior?

Buffer overflow

Which of the following can reduce vulnerabilities by avoiding code reuse?

Code obfuscation

A candidate attempts to go to http://comptia.org but accidentally visits http://comptiia.org. The malicious website looks exactly like the legitimate website. Which of the following best describes this type of attack?

Typosquatting

After installing a patch on a security appliance an organization realized a massive data exfiltration occurred. Which Of the following describes the incident?

Supply chain attack

A security engineer needs to recommend a solution to defend against malicious actors misusing protocols and being allowed through network defenses. Which of the following will the engineer MOST likely recommend?

A next-generation firewall

A penetration tester is fuzzing an application to identify where the EIP of the stack is located on memory. Which of the following attacks is the penetration tester planning to execute?

Buffer overflow

A company is receiving emails with links to phishing sites that look very similar to the company's own website address and content. Which of the following is the BEST way for the company to mitigate this attack?

Generate a list of domains similar to the company's own and implement a DNS sinkhole for each.

A security analyst is investigating some users who are being redirected to a fake website that resembles www.comptia.org. The following output was found on the naming server of the organization: Which of the following attacks has taken place?

DNS poisoning

A security engineer is reviewing log files after a third party discovered usernames and passwords for the organization’s accounts. The engineer sees there was a change in the IP address for a vendor website one earlier. This change lasted eight hours. Which of the following attacks was MOST likely used?

DNS poisoning

A user is attempting to navigate to a website from inside the company network using a desktop. When the user types in the URL. https://www.site.com, the user is presented with a certificate mismatch warning from the browser. The user does not receive a warning when visiting http://www.anothersite.com. Which of the following describes this attack?

DNS poisoning

A company is setting up a web server on the Internet that will utilize both encrypted and unencrypted web-browsing protocols. A security engineer runs a port scan against the server from the Internet and sees the following output: Which of the following steps would be best for the security engineer to take NEXT?

Block SSH access from the Internet.

A SOC operator is analyzing a log file that contains the following entries: Which of the following explains these log entries?

Command injection and directory traversal attempts

During a recent incident an external attacker was able to exploit an SMB vulnerability over the internet. Which of the following action items should a security analyst perform FIRST to prevent this from occurring again?

Block unneeded TCP 445 connections

An organization has activated an incident response plan due to a malware outbreak on its network. The organization has brought in a forensics team that has identified an internet-facing Windows server as the likely point of initial compromise. The malware family that was detected is known to be distributed by manually logging on to servers and running the malicious code. Which of the following actions would be BEST to prevent reinfection from the initial infection vector?

Block port 3389 inbound from untrusted networks

Which of the following statements BEST describes zero-day exploits?

A zero-day exploit is initially undetectable and no patch for it exists

During a recent security assessment, a vulnerability was found in a common OS. The OS vendor was unaware of the issue and promised to release a patch within next quarter. Which of the following BEST describes this type of vulnerability?

Zero day

A research company discovered that an unauthorized piece of software has been detected on a small number of machines in its lab. The researchers collaborate with other machines using port 445 and on the Internet using port 443. The unauthorized software is starting to be seen on additional machines outside of the lab and is making outbound communications using HTTPS and SMB. The security team has been instructed to resolve the problem as quickly as possible causing minimal disruption to the researchers. Which of the following contains the BEST course of action in this scenario?

Place the machines with the unapproved software in containment.

Which of the following will MOST likely adversely impact the operations of unpatched traditional programmable-logic controllers, running a back-end LAMP server and OT (operational technology) systems with human-management interfaces that are accessible over the Internet via a web interface? (Choose two)

Cross-site scripting, SQLinjection

A cybersecurity analyst reviews the log files from a web server and sees a series of files that indicates a directory-traversal attack has occurred. Which of the following is the analyst MOST likely seeing?

http://sample.url.com/someotherpageonsite/../../../etc/shadow

A security analyst is investigating suspicious traffic on the web server located at IP address 10.10.1.1. A search of the WAF logs reveals the following output: Which of the following is MOST likely occurring?

SQLi attack

A Chief Information Security Officer wants to ensure the organization is validating and checking the Integrity of zone transfers. Which of the following solutions should be implemented?

DNSSEC

Which of the following is the FIRST environment in which proper, secure coding should be practiced?

Development

Which of the following is an example of risk avoidance?

Not installing new software to prevent compatibility errors

A software company adopted the following processes before releasing software to production; ● Peer review ● Static code scanning ● Signing A considerable number of vulnerabilities are still being detected when code is executed on production. Which of the following security tools can improve vulnerability detection in this environment?

Dynamic code analysis tool

An organization maintains several environments in which patches are developed and tested before deployed to an operation status. Which of the following is the environment in which patches will be deployed just prior to being put into an operational status?

Staging

An organization has developed an application that needs a patch to fix a critical vulnerability. In which of the following environments should the patch be deployed LAST?

Production

Which of the following describes the continuous delivery software development methodology?

Agile

Which of the following is the MOST relevant security check to be performed before embedding third-party libraries in developed code?

Assess existing vulnerabilities affecting the third-party code and the remediation efficiency of the libraries' developers.

A root cause analysis reveals that a web application outage was caused by one of the company’s developers uploading a newer version of the third-party libraries that were shared among several applications. Which of the following implementations would be BEST to prevent the issue from reoccurring?

Containerization

Which of the following concepts BEST describes tracking and documenting changes to software and managing access to files and systems?

Version control

A new vulnerability in the SMB protocol on the Windows systems was recently discovered, but no patches are currently available to resolve the issue. The security administrator is concerned the servers in the company's DMZ will be vulnerable to external attack; however, the administrator cannot disable the service on the servers, as SMB is used by a number of internal systems and applications on the LAN. Which of the following TCP ports should be blocked for all external inbound connections to the DMZ as a work around to protect the servers? (Select TWO)

139, 445

The website http://companywebsite.com requires users to provide personal information, including security question responses, for registration. Which of the following would MOST likely cause a data breach?

Unsecure protocol (http)

A company is concerned about its security after a red-team exercise. The report shows the team was able to reach the critical servers due to the SMB being exposed to the Internet and running NTLMv1. Which of the following BEST explains the findings?

Open ports and services

An analyst has determined that a server was not patched and an external actor exfiltrated data on port 139. Which of the following sources should the analyst review to BEST ascertain how the incident could have been prevented?

The vulnerability scan output

Which two features are available only in next-generation firewalls (NGFW)? (Choose two )

deep packet inspection, application awareness

The security team received a report of copyright infringement from the IP space of a live corporate network. The report provided a precise time stamp for the incident as well as the name of the copyrighted file. The analyst has been tasked with determining the infringing source machine and instructed to implement measures to prevent such incidents from occurring again. Which of the following is MOST capable of accomplishing both tasks?

NGFW

A systems administrator is looking for a solution that will help prevent OAuth applications from being leveraged by hackers to trick users into authorizing the use of their corporate credentials. Which of the following BEST describes this solution?

WAF

A company recently suffered a breach in which an attacker was able to access the internal mail servers and directly access several user inboxes. A large number of email messages were later posted online. Which of the following would BEST prevent email contents from being released should another breach occur?

Implement S/MIME to encrypt the emails at rest

A recent security audit revealed that a popular website with IP address 172.16.1.5 also has an FTP service that employees were using to store sensitive corporate data. The organization's outbound firewall processes rules top-down. Which of the following would permit HTTP and HTTPS, while denying all other services for this host?

access-rule permit tcp destination 172.16.1.5 port 80 access-rule permit tcp destination 172.16.1.5 port 443 access-rule deny tcp destination 172.16.1.5 port 21

Name: Wikipedia.org Address: 208.80.154.224 Which of the following attacks MOST likely occurred on the user’s internal network?

DNS poisoning

A Chief Security Officer (CSO) has asked a technician to devise a solution that can detect unauthorized execution privileges from the OS in both executable and data files, and can work in conjunction with proxies or UTM. Which of the following would BEST meet the CSO's requirements?

Sandboxing

The new Chief Executive Officer (CEO) of a large company has announced a partnership with a vendor that will provide multiple collaboration applications to make remote work easier. The company has a geographically dispersed staff located in numerous remote offices in different countries. The company's IT administrators are concerned about network traffic and load if all users simultaneously download the application. Which of the following would work BEST to allow each geographic region to download the software without negatively impacting the corporate network?

Modify the corporate firewall rules.

An attacker is attempting to exploit users by creating a fake website with the URL www.validwebsite.com. The attacker's intent is to imitate the look and feel of a legitimate website to obtain personal information from unsuspecting users. Which of the following social-engineering attacks does this describe?

Typosquatting

A user received an SMS on a mobile phone that asked for bank details. Which of the following social-engineering techniques was used in this case?

Smishing

An analyst is generating a security report for the management team. Security guidelines recommend disabling all listening unencrypted services. Given this output from Nmap: Which of the following should the analyst recommend to disable?

23/tcp

A Chief Security Office's (CSO's) key priorities are to improve preparation, response, and recovery practices to minimize system downtime and enhance organizational resilience to ransomware attacks. Which of the following would BEST meet the CSO's objectives? (Best practices)

Implement application whitelisting and centralized event-log management, and perform regular testing and validation of full backups.

A transitive trust:

is automatically established between a parent and a child

An analyst visits an internet forum looking for information about a tool. The analyst finds a thread that appears to contain relevant information. One of the posts says the following: Which of the following BEST describes the attack that was attempted against the forum readers?

XSS attack

A security engineer obtained the following output from a threat intelligence source that recently performed an attack on the company's server: * php----🡪 website * 2f----🡪 hexadecimal (/) Which of the following BEST describes this kind of attack?

Directory traversal

Which of the following would be the BEST resource for a software developer who is looking to improve secure coding practices for web applications?

OWASP (Open Web Application Security Project)

A software company is analyzing a process that detects software vulnerabilities at the earliest stage possible. The goal is to scan the source looking for unsecure practices and weaknesses before the application is deployed in a runtime environment. Which of the following would BEST assist the company with this objective?

Use static code analysis

When used at the design stage, which of the following improves the efficiency, accuracy, and speed of a database?

Normalization

A bank detects fraudulent activity on a user's account. The user confirms transactions completed yesterday on the bank's website at https://www.company.com. A security analyst then examines the user's Internet usage logs and observes the following output: Which of the following has MOST likely occurred?

SSL stripping

A security analyst sees the following log output while reviewing web logs: Which of the following mitigation strategies would be BEST to prevent this attack from being successful?

Input validation

A development team employs a practice of bringing all the code changes from multiple team members into the same development project through automation. A tool is utilized to validate the code and track source code through version control. Which of the following BEST describes this process?

Continuous integration

During an incident response, a security analyst observes the following log entry on the web server. Which of the following BEST describes the type of attack the analyst is experiencing?

Directory traversal

A security analyst is reviewing the output of a web server log and notices a particular account is attempting to transfer large amounts of money. Which of the following types of attack is MOST likely being conducted?

CSRF

Several large orders of merchandise were recently purchased on an e-commerce company's website. The totals for each of the transactions were negative values, resulting in credits on the customers' accounts. Which of the following should be implemented to prevent similar situations in the future?

Ensure input validation is in place to prevent the use of invalid characters and values.

A security analyst is reviewing a new website that will soon be made publicly available. The analyst sees the following in the URL: http://dev-site.comptia.org/home/show.php?sessionID=77276554&loc=us The analyst then sends an internal user a link to the new website for testing purposes, and when the user clicks the link, the analyst is able to browse the website with the following URL: http://dev-site.comptia.org/home/show.php?sessionID=98988475&loc=us Which of the following application attacks is being tested?

Session replay?

A security administrator is trying to determine whether a server is vulnerable to a range of attacks. After using a tool, the administrator obtains the following output: Which of the following attacks was successfully implemented based on the output?

Directory traversal

A company just developed a new web application for a government agency. The application must be assessed and authorized prior to being deployed. Which of the following is required to assess the vulnerabilities resident in the application?

Static code analysis

A security analyst is investigating a phishing email that contains a malicious document directed to the company's Chief Executive Officer (CEO). Which of the following should the analyst perform to understand the threat and retrieve possible IoCs?

Install a sandbox to run the malicious payload in a safe environment

Users reported several suspicious activities within the last two weeks that resulted in several unauthorized transactions. Upon investigation, the security analyst found the following: ● Multiple reports of breached credentials within that time period ● Traffic being redirected in certain parts of the network ● Fraudulent emails being sent by various internal users without their consent Which of the following types of attacks was MOST likely used?

Cross site scripting

A security analyst was deploying a new website and found a connection attempting to authenticate on the site's portal. While investigating the incident, the analyst identified the following Input in the username field: Which of the following BEST explains this type of attack?

SQL injection on the field to bypass authentication

Developers are writing code and merging it into shared repositories several times a day, where it is tested automatically. Which of the following concepts does this BEST represent?

Continuous integration

Developers are about to release a financial application, but the number of fields on the forms that could be abused by an attacker is troubling. Which of the following techniques should be used to address this vulnerability?

Implement input validation

A user's login credentials were recently compromised During the investigation, the security analyst determined the user input credentials into a pop-up window when prompted to confirm the username and password. However the trusted website does not use a pop-up for entering user credentials. Which of the following attacks occurred?

Cross-site scripting

A junior security analyst is reviewing web server logs and identifies the following pattern in the log file: Which of the following types of attacks is being attempted and how can it be mitigated?

Directory traversal: implement a WAF

100

A customer has reported that an organization's website displayed an image of a smiley face rather than the expected web page for a short time two days earlier. A security analyst reviews log tries and sees the following around the time of the incident: Which of the following is MOST likely occurring?

DNS poisoning

CNL_CH_1

Son Cagrı · 3回閲覧 · 185問 · 2年前

CNL_CH_1