暗記メーカー
CNL_CH_5
  • Son Cagrı

  • Number of questions: 83 • 1/4/2024


    Question list

  • 1

    An administrator is experiencing issues when trying to upload a support file to a vendor. A pop-up message reveals that a payment card number was found in the file, and the file upload was blocked. Which of the following controls is most likely causing this issue and should be checked FIRST?

    DLP

  • 2

    A RAT that was used to compromise an organization’s banking credentials was found on a user’s computer. The RAT evaded antivirus detection. It was installed by a user who has local administrator rights to the system as part of a remote management tool set. Which of the following recommendations would BEST prevent this from reoccurring?

    Enforce application whitelisting.

  • 3

    A security analyst is reviewing a penetration-testing report from a third-party contractor. The penetration testers used the organization's new API to bypass a driver to perform privilege escalation on the organization's web servers. Upon looking at the API, the security analyst realizes the particular API call was to a legacy system running an outdated OS. Which of the following is the MOST likely attack type?

    Shimming

  • 4

    A security engineer is concerned the strategy for detection on endpoints is too heavily dependent on previously defined attacks. The engineer wants a tool that can monitor for changes to key files and network traffic for the device. Which of the following tools should the engineer select?

    HIDS

  • 5

    While investigating a data leakage incident, a security analyst reviews access control to cloud-hosted data. The following information was presented in a security posture report: policy to control external application integration: admin authorized only; 47 active integrations to third-party applications; 2 applications authorized by admin; 45 applications authorized by users; 32 OAuth apps authorized to access data. Based on the report, which of the following was the MOST likely attack vector used against the company?

    Supply chain

  • 6

    A systems administrator reports degraded performance on a virtual server. The administrator increases the virtual memory allocation, which improves conditions, but performance degrades again after a few days. The administrator runs an analysis tool and sees the following output:
    ==3214== timeAttend.exe analyzed
    ==3214== ERROR SUMMARY:
    ==3214== malloc/free: in use at exit: 4608 bytes in 18 blocks.
    ==3214== checked 82116 bytes
    ==3214== definitely lost: 4608 bytes in 18 blocks.
    The administrator terminates timeAttend.exe, observes system performance over the next few days, and notices that the system performance does not degrade. Which of the following issues is MOST likely occurring?

    Memory leak

  • 7

    A Chief Security Officer (CSO) was notified that a customer was able to access confidential internal company files on a commonly used file-sharing service. The file-sharing service is the same one used by company staff as one of its approved third-party applications. After further investigation, the security team determines the sharing of confidential files was accidental and not malicious. However, the CSO wants to implement changes to minimize this type of incident from reoccurring but does not want to impact existing business processes. Which of the following would BEST meet the CSO's objectives?

    DLP

  • 8

    A large financial services firm recently released information regarding a security breach within its corporate network that began several years before. During the time frame in which the breach occurred, indicators show an attacker gained administrative access to the network through a file downloaded from a social media site and subsequently installed without the user's knowledge. Since the compromise, the attacker was able to take command and control of the computer systems anonymously while obtaining sensitive corporate and personal employee information. Which of the following methods did the attacker MOST likely use to gain access?

    A RAT

  • 9

    A security analyst receives alerts about an internal system sending a large amount of unusual DNS queries to systems on the internet over short periods of time during non-business hours. Which of the following is most likely occurring?

    Data is being exfiltrated.

  • 10

    A security analyst has received an alert about being sent via email. The analyst’s Chief Information Security Officer (CISO) has made it clear that PII must be handled with extreme care. From which of the following did the alert MOST likely originate?

    DLP

  • 11

    A security engineer is concerned that the strategy for detection on endpoints is too heavily dependent on previously defined attacks. The engineer would like a tool to monitor for changes to key files and network traffic on the device. Which of the following tools BEST addresses both detection and prevention?

    HIPS

  • 12

    Which of the following tools can assist with detecting an employee who has accidentally emailed a file containing a customer's PII?

    DLP

  • 13

    A company wants to restrict emailing of PHI documents. The company is implementing a DLP solution. In order to restrict PHI documents, which of the following should be performed FIRST?

    Classification

  • 14

    A university with remote campuses, which all use different service providers, loses Internet connectivity across all locations. After a few minutes, Internet and VoIP services are restored, only to go offline again at random intervals, typically within four minutes of services being restored. Outages continue throughout the day, impacting all inbound and outbound connections and services. Services that are limited to the local LAN or WiFi network are not impacted, but all WAN and VoIP services are affected. Later that day, the edge-router manufacturer releases a CVE outlining the ability of an attacker to exploit the SIP protocol handling on devices, leading to resource exhaustion and system reloads. Which of the following BEST describes this type of attack? (Choose two)

    DoS, Memory leak

  • 15

    A security administrator has noticed unusual activity occurring between different global instances and workloads and needs to identify the source of the unusual traffic. Which of the following log sources would be BEST to show the source of the unusual traffic?

    HIDS (Host-based intrusion detection system)

  • 16

    The alert indicates an attacker entered thousands of characters into the text box of a web form. The web form was intended for legitimate customers to enter their phone numbers. Which of the attacks has most likely occurred?

    Buffer overflow

  • 17

    A security administrator installed a new web server. The administrator did this to increase the capacity for an application due to resource exhaustion on another server. Which of the following algorithms should the administrator use to split the number of connections on each server in half?

    Round-robin

  • 18

    An auditor is performing an assessment of a security appliance with an embedded OS that was vulnerable during the last two assessments. Which of the following BEST explains the appliance’s vulnerable state?

    The vendor has not supplied a patch for the appliance.

  • 19

    A security analyst is reviewing packet capture data from a compromised host on the network. In the packet capture, the analyst locates packets that contain large amounts of text. Which of the following is most likely installed on the compromised host?

    Keylogger

  • 20

    An attacker was easily able to log in to a company's security camera by performing a basic online search for a setup guide for that particular camera brand and model. Which of the following BEST describes the configurations the attacker exploited?

    Default settings

  • 21

    A security analyst is assisting a team of developers with best practices for coding. The security analyst would like to defend against the use of SQL injection attacks. Which of the following should the security analyst recommend first?

    Input validation

  • 22

    Which of the following conditions impacts data sovereignty?

    International operations

  • 23

    An employee received a word processing file that was delivered as an email attachment. The subject line and email content enticed the employee to open the attachment. Which of the following attack vectors BEST matches this malware?

    Macro-enabled file

  • 24

    Given the following snippet of Python code: Which of the following types of malware MOST likely contains this snippet?

    Keylogger

  • 25

    The Chief Information Security Officer wants to prevent exfiltration of sensitive information from employee cell phones when using public USB power charging stations. Which of the following would be

    USB data blocker

  • 26

    The exploitation of a buffer-overrun vulnerability in an application will MOST likely lead to:

    arbitrary code execution.

  • 27

    Which of the following is an effective tool to stop or prevent the exfiltration of data from a network?

    DLP

  • 28

    While checking logs, a security engineer notices a number of end users suddenly downloading files with the .tar.gz extension. Closer examination of the files reveals they are PE32 files. The end users state they did not initiate any of the downloads. Further investigation reveals the end users all clicked on an external email containing an infected MHT file with an href link a week prior. Which of the following is MOST likely occurring?

    A RAT was installed and is transferring additional exploit tools.

  • 29

    Which of the following would BEST identify and remediate a data-loss event in an enterprise using third-party, web-based services and file-sharing platforms?

    CASB

  • 30

    Which Of the following vulnerabilities is exploited by an attacker overwriting a register with a malicious address that changes the execution path?

    Buffer overflow

  • 31

    A company is experiencing an increasing number of systems that are locking up on Windows startup. The security analyst clones a machine, enters into safe mode, and discovers a file in the startup process that runs Wstart.bat:
    @echo off
    :asdhbawdhbasdhbawdhb
    start notepad.exe
    start notepad.exe
    start calculator.exe
    start calculator.exe
    goto asdhbawdhbasdhbawdhb
    Given the file contents and the system's issues, which of the following types of malware is present?

    Logic bomb

  • 32

    An organization discovered files with proprietary financial data have been deleted. The files have been recovered from backup but every time the Chief Financial Officer logs in to the file server, the same files are deleted again. No other users are experiencing this issue. Which of the following types of malware is MOST likely causing this behavior?

    Logic bomb

  • 33

    Which of the following is the GREATEST security concern when outsourcing code development to third-party contractors for an internet-facing application?

    Unknown backdoor

  • 34

    A DBA reports that several production server hard drives were wiped over the weekend. The DBA also reports that several Linux servers were unavailable due to system files being deleted unexpectedly. A security analyst verified that software was configured to delete data deliberately from those servers. No backdoors to any servers were found. Which of the following attacks was MOST likely used to cause the data loss?

    Logic bomb

  • 35

    A news article states that a popular web browser deployed on all corporate PCs is vulnerable to a zero-day attack. Which of the following MOST concerns the Chief Information Security Officer about the information in the news article?

    No patches are available for the web browser

  • 36

    A user reports trouble using a corporate laptop. The laptop freezes and responds slowly when writing documents, and the mouse pointer occasionally disappears. The task list shows the following results: Which of the following is MOST likely the issue?

    Keylogger

  • 37

    A Chief Information Officer is concerned about employees using company-issued laptops to steal data when accessing network shares. Which of the following should the company implement?

    DLP

  • 38

    A company recently implemented a new security system. In the course of configuration, the security administrator adds the following entry: #Whitelist USB\VID_13FE&PID_4127&REV_0100 – Which of the following security technologies is MOST likely being configured?

    Removable media control

  • 39

    Which of the following technologies is used to actively monitor for specific file types being transmitted on the network?

    Data loss prevention

  • 40

    Which of the following is constantly scanned by internet bots and has the highest risk of attack in the case of the default configurations?

    Surveillance systems

  • 41

    Which of the following would MOST likely be a result of improperly configured user accounts?

    Privilege escalation - account

  • 42

    A security administrator needs to inspect in-transit files on the enterprise network to search for PII (Personally Identifiable Information), credit card data, and classification words. Which of the following would be the BEST to use?

    Network DLP solution

  • 43

    An organization wants to enable built-in FDE on all laptops. Which of the following should the organization ensure is installed on all laptops?

    TPM

  • 44

    After returning from a conference, a user's laptop has been operating slower than normal and overheating, and the fans have been running constantly. During the diagnosis process, an unknown piece of hardware is found connected to the laptop's motherboard. Which of the following attack vectors was exploited to install the hardware?

    Removable media

  • 45

    An end user reports a computer has been acting slower than normal for a few weeks. During an investigation, an analyst determines the system is sending the user's email address and a ten-digit number to an IP address once a day. The only recent log entry regarding the user's computer is the following: Which of the following is the MOST likely cause of the issue?

    The end user purchased and installed a PUP (potentially unwanted program) from a web browser

  • 46

    After a phishing scam for a user's credentials, the red team was able to craft a payload to deploy on a server. The attack allowed the installation of malicious software that initiates a new remote session. Which of the following types of attacks has occurred?

    Privilege escalation

  • 47

    A company recently experienced a significant data loss when proprietary information was leaked to a competitor. The company took special precautions by using proper labels; however, email filter logs do not have any record of the incident. An investigation confirmed the corporate network was not breached, but documents were downloaded from an employee's COPE tablet and passed to the competitor via cloud storage. Which of the following is the BEST remediation for this data leak?

    DLP

  • 48

    The Chief Information Security Officer came across a news article outlining a mechanism that allows certain OS passwords to be bypassed. The security team was then tasked with determining which method could be used to prevent data loss in the corporate environment in case an attacker bypasses authentication. Which of the following will accomplish this objective?

    FDE

  • 49

    A financial organization has adopted a new secure, encrypted document-sharing application to help with its customer loan process. Some important PII needs to be shared across this new platform, but it is getting blocked by the DLP systems. Which of the following actions will BEST allow the PII to be shared with the secure application without compromising the organization’s security posture?

    Configure the DLP policies to whitelist this application with the specific PII

  • 50

    A retail store has a business requirement to deploy a kiosk computer in an open area. The kiosk computer's operating system has been hardened and tested. A security engineer is concerned that someone could use removable media to install a rootkit. Which of the following should the security engineer configure to BEST protect the kiosk computer?

    Measured boot

  • 51

    An organization with a low tolerance for user inconvenience wants to protect laptop hard drives against loss or data theft. Which of the following would be the MOST acceptable?

    SED (Self Encrypting Drive)

  • 52

    A company has drafted an insider-threat policy that prohibits the use of external storage devices. Which of the following would BEST protect the company from data exfiltration via removable media?

    Blocking removable-media devices and write capabilities using a host-based security tool

  • 53

    A user downloaded an extension for a browser, and the device later became infected. The analyst who is investigating the incident saw various logs where the attacker was hiding activity by deleting data. The following was observed running:

    PowerShell

  • 54

    A company has numerous employees who store PHI data locally on devices. The Chief Information Officer wants to implement a solution to reduce external exposure of PHI but not affect the business. The first step the IT team should perform is to deploy a DLP solution

    in monitoring mode.

  • 55

    Which of the following tools is effective in preventing a user from accessing unauthorized removable media?

    USB data blocker

  • 56

    A company recently experienced a data breach and the source was determined to be an executive who was charging a phone in a public area. Which of the following would MOST likely have prevented this breach?

    A USB data blocker

  • 57

    During an incident response, an analyst applied rules to all inbound traffic on the border firewall and implemented ACLs on each critical server. Following an investigation, the company realizes it is still vulnerable because outbound traffic is not restricted, and the adversary is able to maintain a presence in the network. In which of the following stages of the Cyber Kill Chain is the adversary currently operating?

    Command and control

  • 58

    A user is trying to upload a tax document, which the corporate finance department requested, but a security program is prohibiting the upload. A security analyst determines the file contains PII. Which of the following steps can the analyst take to correct this issue?

    Modify the exception list on the DLP to allow the upload

  • 59

    A security analyst is investigating multiple hosts that are communicating to external IP addresses during the hours of 2:00 a.m. - 4:00 a.m. The malware has evaded detection by traditional (signature-based) antivirus software. Which of the following types of malware is MOST likely infecting the hosts?

    Logic bomb

  • 60

    Several users have opened tickets with the help desk. The help desk has reassigned the tickets to a security analyst for further review. The security analyst reviews the following metrics: Which of the following is MOST likely the result of the security analyst's review?

    Corporate PCs have been turned into a botnet

  • 61

    A security administrator examines the ARP table of an access switch and sees the following output: Which of the following is a potential threat that is occurring on this access switch?

    MAC flooding on Fa0/2 port

  • 62

    A user's PC was recently infected by malware. The user has a legacy printer without vendor support, and the user's OS is fully patched. The user downloaded a driver package from the internet. No threats were found on the downloaded file, but during file installation, a malicious runtime threat was detected. Which of the following is the MOST likely cause of the infection?

    The driver has malware installed and was refactored upon download to avoid detection.

  • 63

    An organization discovered a disgruntled employee exfiltrated a large amount of PII data by uploading files. Which of the following controls should the organization consider to mitigate this risk?

    DLP

  • 64

    An organization blocks user access to command-line interpreters but hackers still managed to invoke the interpreters using native administrative tools. Which of the following should the security team do to prevent this from happening in the future?

    Disable the built-in OS utilities as long as they are not needed for functionality.

  • 65

    A systems analyst determines the source of a high number of connections to a web server that were initiated by ten different IP addresses that belong to a network block in a specific country. Which of the following techniques will the systems analyst MOST likely implement to address this issue?

    Firewall rules

  • 66

    A company recently experienced an inside attack using a corporate machine that resulted in data compromise. Analysis indicated an unauthorized change to the software circumvented technological protection measures. The analyst was tasked with determining the best method to ensure the integrity of the systems remains intact and local and remote boot attestation can take place. Which of the following would provide the BEST solution?

    TPM

  • 67

    A company acquired several other small companies. The company that acquired the others is transitioning network services to the cloud. The company wants to make sure that performance and security remain intact. Which of the following BEST meets both requirements?

    Integration and auditing

  • 68

    Certain users are reporting their accounts are being used to send unauthorized emails and conduct suspicious activities. After further investigation, a security analyst notices the following:
    ● All users share workstations throughout the day
    ● Endpoint protection was disabled on several workstations throughout the network
    ● Travel times on logins from the affected users are impossible
    ● Sensitive data is being uploaded to external sites
    ● All user account passwords were forced to be reset and the issue continued
    Which of the following attacks is being used to compromise the user accounts?

    Keylogger

  • 69

    A network architect wants a server to have the ability to retain network availability even if one of the network switches it is connected to goes down. Which of the following should the architect implement on the server to achieve this goal?

    NIC teaming

  • 70

    Several employees return to work the day after attending an industry trade show. That same day, the security manager notices several malware alerts coming from each of the employees' workstations. The security manager investigates but finds no signs of an attack on the perimeter firewall or the NIDS. Which of the following is MOST likely causing the malware alerts?

    A fileless virus that is contained on a vCard that is attempting to execute an attack

  • 71

    A company is implementing a DLP solution on the file server. The file server has PII, financial information, and health information stored on it. Depending on the type of data hosted on the file server, the company wants different DLP rules assigned to the data. Which of the following should the company do to help accomplish this goal?

    Classify the data

  • 72

    Which of the following is a solution that can be used to stop a disgruntled employee from copying confidential data to a USB drive?

    DLP

  • 73

    A major clothing company recently lost a large amount of proprietary information. The security officer must find a solution to ensure this never happens again. Which of the following is the BEST technical implementation to prevent this from happening again?

    Configure DLP solutions

  • 74

    An administrator is experiencing issues when trying to upload a support file to a vendor. A pop-up message reveals that a payment card number was found in the file, and the file upload was blocked. Which of the following controls is most likely causing this issue and should be checked FIRST?

    DLP

  • 75

    A technician needs to prevent data loss in a laboratory. The laboratory is not connected to any external networks. Which of the following methods would BEST prevent the exfiltration of data? (Select TWO)

    Drive encryption, USB blocker

  • 76

    Which of the following is the BEST example of a cost-effective physical control to enforce a USB removable media restriction policy?

    Implementing a GPO that will restrict access to authorized USB removable media and regularly verifying that it is enforced

  • 77

    A security analyst reviews web server logs and finds the following string: galleries?file=../../../../../../../etc/passwd Which of the following attacks was performed against the web server?

    Directory traversal

  • 78

    A company has just experienced a malware attack affecting a large number of desktop users. The antivirus solution was not able to block the malware, but the HIDS alerted to C2 calls as 'Troj.Generic'. Once the security team found a solution to remove the malware, they were able to remove the malware files successfully, and the HIDS stopped alerting. The next morning, however, the HIDS once again started alerting on the same desktops, and the security team discovered the files were back. Which of the following BEST describes the type of malware infecting this company's network?

    Rootkit

  • 79

    A security analyst is investigating network issues between a workstation and a company server. The workstation and server occasionally experience service disruptions, and employees are forced to reconnect to the server. In addition, some reports indicate sensitive information is being leaked from the server to the public. The workstation IP address is 192.168.1.103, and the server IP address is 192.168.1.101. The analyst runs arp -a on a separate workstation and obtains the following results: Which of the following is most likely occurring?

    On-path attack

  • 80

    Remote workers in an organization use company-provided laptops with locally installed applications and locally stored data. Users can store data on a remote server using an encrypted connection. The organization discovered data stored on a laptop had been made available to the public. Which of the following security solutions would mitigate the risk of future data disclosures?

    FDE

  • 81

    A network administrator has been alerted that web pages are experiencing long load times. After determining it is not a routing or DNS issue, the administrator logs in to the router, runs a command, and receives the following output: Which of the following is the router experiencing? (CPU overused)

    Resource exhaustion

  • 82

    The lessons-learned analysis from a recent incident reveals that an administrative office worker received a call from someone claiming to be from technical support. The caller convinced the office worker to visit a website, and then download and install a program masquerading as an antivirus package. The program was actually a backdoor that an attacker could later use to remotely control the worker's PC. Which of the following would be BEST to help prevent this type of attack in the future?

    Application whitelisting

  • 83

    A security audit has revealed that a process control terminal is vulnerable to malicious users installing and executing software on the system. The terminal is beyond end-of-life support and cannot be upgraded, so it is placed on a protected network segment. Which of the following would be MOST effective to implement to further mitigate the reported vulnerability?

    Application whitelisting