EXAM # 4 | | 暗記メーカー

The R.S.S.H Delivery Company · 90問 · 6ヶ月前

通報

問題一覧

Why is 'Alert Volume' a significant metric in the context of incident response?

- It can indicate the scale of an incident and help assess the performance and capacity of detection systems

Which of the following elements is LEAST likely to be included in an organization's data retention policy?

- Classification of information

You are a security analyst at Dion Training Labs and have noticed an employee logging into the company's secure system from Tokyo, then again from Paris just 30 minutes later. What security alert does this scenario best represent?

- Impossible Travel

How does timely and effective communication and reporting of vulnerabilities assist an organization in meeting the GDPR's requirement of reporting data breaches within 72 hours of detection?

- It facilitates quicker identification of vulnerabilities enabling prompt reporting to the supervisory authority

Dion Training conducts weekly vulnerability scanning of their network and patches any identified issues within 24 hours. Which of the following best describes the company's risk response strategy?

- Mitigation

Consider the following snippet from a log file collected on the host with the IP address of 10.10.3.6: /// What type of activity occurred based on the output above?

- Port scan targeting 10.10.3.6

Dion Training Solutions is conducting a penetration test of its facilities. The penetration testing team has been augmented by an employee of the company who has general user privileges. The security staff is unaware of the testing. According to NIST, which of the following types of penetration tests is being conducted?

- A covert internal test

After issuing the command "telnet diontraining.com 80" and connecting to the server, what command conducts the banner grab?

- HEAD / HTTP/1.1

Which tool should a malware analyst utilize to track the registry's changes and the file system while running a suspicious executable on a Windows system?

- Process Monitor

Which of the following classifications would apply to patents, copyrights, and trademarks?

- Intellectual property

Which of the following sets of Linux permissions would have the least permissive to most permissive?

- 111, 734, 747

David noticed that port 3389 was open on one of the POS terminals in a store during a scheduled PCI compliance scan. Based on the scan results, what service should he expect to find enabled on this terminal?

- RDP

In 2013, retail giant Target Corporation experienced a massive data breach, exposing the credit and debit card information of 40 million customers. Following this security incident, a special team was tasked with investigating the fundamental cause of the breach, uncovering the sequence of events that led to it, and providing insights to prevent such occurrences in the future. What term best describes this deep-dive investigative process?

- Root cause analysis

Which type of threat will patches NOT effectively combat as a security control?

- Zero-day attacks

Which of the following is not normally part of an endpoint security suite?

- VPN

You've been tasked to improve the operational efficiency of your security team. One of the solutions you've proposed is to incorporate the use of plugins. How could plugins enhance your team's operations?

- By extending the capabilities of existing tools

Which of the following vulnerabilities was a zero-day exploit, meaning it was exploited before a patch became available?

- Operation Aurora

Which of the following vulnerabilities was a zero-day exploit, meaning it was exploited before a patch was available?

- Stuxnet

Which role validates the user’s identity when using SAML for authentication?

- IdP

You are conducting static analysis of an application's source code and see the following: /// If an attacker wanted to get a complete copy of the courses table and was able to substitute arbitrary strings for "id" and "certification", which of the following strings allow this to occur?

- id = "1' OR '1'=='1" and certification = "cysa' OR '1'=='1"

What term is used to describe the phase of the Cyber Kill Chain where the threat actor creates a malicious payload to exploit the vulnerabilities discovered during reconnaissance?

- Weaponization

Which tool would allow you to identify the target's operating system by analyzing the TCP/IP stack responses?

- nmap

During a simulated attack on your organization's network, the red team identified several vulnerabilities and successfully exfiltrated data. The red team then used these vulnerabilities and the steps they took to create an example of a possible real-world attack. Which framework does this attack sequence BEST represent?

- Cyber Kill Chain

When reviewing vulnerability management data trends over multiple quarters, it becomes evident that newly discovered vulnerabilities are increasing each quarter. What might this sustained trend suggest?

- Potential deficiency in current security controls

You are conducting an incident response and want to determine if any account-based indicators of compromise (IoC) exist on a compromised server. Which of the following would you NOT search for on the server?

- Malicious processes

You have been investigating how a malicious actor could exfiltrate confidential data from a web server to a remote host. After an in-depth forensic review, you determine that a rootkit's installation had modified the web server’s BIOS. After removing the rootkit and reflash the BIOS to a known good image, what should you do to prevent the malicious actor from affecting the BIOS again?

- Utilize secure boot

According to Lockheed Martin's white paper "Intel Driven Defense," which of the following technologies could disrupt an adversary's effort during the C2 phase of the kill chain?

- NIPS

Upper management at DionTech Innovations has noticed that its employees frequently download potentially harmful attachments from phishing emails. What should the company do to mitigate this risk?

- Conduct regular training sessions to teach employees how to recognize and avoid phishing emails

Which type of personnel control is being implemented if Kirsten must receive and inventory any items that her coworker, Bob, orders?

- Separation of duties

Vulnerability scans must be conducted continuously to meet regulatory compliance requirements for the storage of PHI. During the last vulnerability scan, a cybersecurity analyst received a report of 2,592 possible vulnerabilities and was asked by the Chief Information Security Officer (CISO) for a plan to remediate all the known issues. Which of the following should the analyst do next?

- Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first

Which of the following actions should you perform during the post-incident activities of an incident response?

- Perform evidence retention in accordance with the timescale defined by the regulatory or legal impact of the incident

Your organization is transitioning to a cloud environment and wants to ensure its new infrastructure is secure. What tool could you utilize to assess the security of your cloud infrastructure?

- Pacu

Matt is creating a scoping worksheet for an upcoming penetration test for his organization. Which of the following techniques is NOT usually included in a penetration test?

- Denial-of-service attacks

Your organization has just migrated to provisioning its corporate desktops as virtual machines and accessing them using thin clients. The organization believes this will enhance security since the desktop can be rewritten with a new baseline image every time the user logs into it. Based on this scenario, which of the following technologies has the organization adopted?

- VDI

You are developing a containment and remediation strategy to prevent the spread of an APT within your network. Your plan suggests creating a mirror of the company’s databases, routing all externally sourced network traffic to it, and gradually updating with pseudo-realistic data to confuse and deceive the APT as they attempt to exfiltrate the data. Once the attacker has downloaded the corrupted database, your company would then conduct remediation actions on the network and restore the correct database information to the production system. Which of the following types of containment strategies does the plan utilize?

- Segmentation-based containment that deceives the attack into believing their attack was successful

James, a network security professional, discovers a compromised device in his organization's network that is sending regular signals to a remote server. What is James observing?

- Beaconing

After an employee complains that her computer is running abnormally slow, so you conduct an analysis of the NetFlow data from her workstation. Based on the NetFlow data, you identify a significant amount of traffic from her computer to an IP address in a foreign country over port 6667 (IRC). Which of the following is the most likely explanation for this?

- Malware has been installed on her computer and is using the IRC protocol to communicate

What is the significance of root cause analysis in the aftermath of a security incident?

- It aids in understanding the factors that led to the incident, helping to prevent occurrences in the future

You are conducting threat hunting for an online retailer. Upon analyzing their web server, you identified that a single HTML response returned as 45 MB in size, but an average response is normally only 275 KB. Which of the following categories of potential indicators of compromise would you classify this as?

- Data exfiltration

A vulnerability scan has returned the following results: /// What best describes the meaning of this output?

- Connecting to the host using a null session allows enumeration of the share names on the host

Which of the following actions should be done FIRST after forensically imaging a hard drive for evidence in an investigation?

- Create a hash digest of the source drive and the image file to ensure they match

Which of the following is a common attack model of an APT attack?

- Quietly gathers information from compromised systems

Dion Training's security team recently discovered a bug in their software’s code. The development team released a software patch to remove the vulnerability caused by the bug. What type of test should a software tester perform on the application to ensure that it is still functioning properly after the patch is installed?

- Regression testing

Taylor needs to sanitize hard drives from some leased workstations before returning them to a supplier at the end of the lease period. The workstations' hard drives contained sensitive corporate data. Which is the most appropriate choice to ensure that data exposure doesn’t occur during this process?

- Purge, validate, and document the sanitization of the drives

Natalie wants to create a backup of the permissions before making changes to the Linux workstation she will remediate. What Linux tool can she use to back up the permissions of the system's complete directory structure?

- getfacl

Which of the following vulnerabilities involves leveraging access from a single virtual machine to other machines on a hypervisor?

- VM escape

An analyst reviews the logs from the network and notices that there have been multiple attempts from the open wireless network to access the networked HVAC control system. The open wireless network must remain openly available so that visitors can access the internet. Which of the following options should the analyst recommend to best prevent these types of attacks from occurring in the future?

- Implement a VLAN to separate the HVAC control system from the open wireless network

What role does an executive summary play in incident response reporting?

- It provides a concise overview of the incident, its impact, and the response actions

Why is regulatory reporting a significant component of incident response communication?

- It ensures compliance with relevant laws and regulations that mandate reporting of certain types of incidents

You have just begun an investigation by reviewing the security logs. During the log review, you notice the following lines of code: /// What BEST describes what is occurring and what action do you recommend to stop it?

- The host is using the Windows Task Scheduler at 10:42 to run nc.exe from the temp directory to create a remote connection to 123.12.34.12; you should recommend removing the host from the network

What document typically contains high-level statements of management intent?

- Policy

Which of the following categories of controls are firewalls, intrusion detection systems, and a RADIUS server classified as?

- Technical controls

Which term refers to the process of determining which vulnerabilities to address first based on their risk scores, impact, and other factors?

- Prioritization

When applying patches as part of vulnerability management, why is it crucial to communicate the patching schedule and potential impacts to relevant stakeholders?

- To help management make effective risk base decisions on system disruptions due to patching

The Security Operations Center Director for Dion Training received a pop-up message on his workstation that said, “You will regret firing me; just wait until Christmas!” He suspects the message came from a disgruntled former employee who may have set up a piece of software to create this pop-up on his machine. The director is now concerned that other code might be lurking within the network that could negatively affect Christmas. He directs his team of cybersecurity analysts to begin searching the network for this suspicious code. What type of malware should they be searching for?

- Logic bomb

Nicole's organization does not have the budget or staff to conduct 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. Which of the following services or providers would be best suited for this role?

- MSSP

You are a security investigator at a high-security installation which houses significant amounts of valuable intellectual property. You are investigating the utilization of George's credentials and are trying to determine if his credentials were compromised or if he is an insider threat. In the break room, you overhear George telling a coworker that he believes he is the target of an ongoing investigation. Which of the following step in the preparation phase of the incident response was likely missed?

- Development of a communication plan

After a security incident has been handled, what post-incident activity involves the detailed examination of the incident to identify the primary cause or causes, often using tools to analyze logs, network traffic, and other data?

- Root cause analysis

You have just finished running an nmap scan on a server are see the following output: /// Based on the output above, which of the following ports listed as open represents the most significant security vulnerability to your network?

- 23

You just finished conducting a remote scan of a class C network block using the following command "nmap -sS 202.15.73.0/24". The results only showed a single web server. Which of the following techniques would allow you to gather additional information about the network?

- Perform a scan from on-site

Your organization's server is hit with a ransomware attack, encrypting critical business data. You've been asked to communicate with a third-party vendor who provides data backup services for your company. In this scenario, which stakeholder role do you MOST align with?

- Incident response communication

An attacker has compromised a virtualized server. You are conducting forensic analysis as part of the recovery effort but found that the attacker deleted a virtual machine image as part of their malicious activity. Which of the following challenges do you now have to overcome as part of the recovery and remediation efforts?

- The attack widely fragmented the image across the host file system

Stephane was asked to assess the technical impact of a reconnaissance performed against his organization. He has discovered that a third party has been performing reconnaissance by querying the organization's WHOIS data. Which category of technical impact should he classify this as?

- Low

A security analyst is conducting a log review of the company's web server and found two suspicious entries: /// The analyst contacts the web developer and asks for a copy of the source code to the logon.php script. The script is as follows: /// Based on source code analysis, which type of vulnerability is this web server vulnerable to?

- SQL injection

Nick is participating in a security exercise as part of the network defense team for his organization. Which team is Nick playing on?

- Blue team

Your organization has noticed an increase in the number of security incidents being detected. To better understand the situation and measure the effectiveness of your incident response process, what key performance indicator (KPI) could you use?

- Alert volume

You have run a vulnerability scan and received the following output: /// Which of the following categories should this be classified as?

- Web application cryptography vulnerability

You are conducting an incident response and have traced the attack source to some compromised user credentials. After performing log analysis, you discover that the attack was successfully authenticated from an unauthorized foreign country. Your management is now asking for you to implement a solution to help mitigate this type of attack from occurring again. Which of the following should you implement?

- Context-based authentication

Which element of the preparation phase of the incident management life cycle primarily involves the creation of detailed strategies and procedures to effectively detect, respond to, and recover from network security incidents?

- Incident response plan

You have been given access to a Windows system located on an Active Directory domain as part of a white box penetration test. Which of the following commands would provide information about other systems on this network?

- net use

Which of the following roles should coordinate communications with the media during an incident response?

- Public relations

A forensic analyst needs to access a macOS encrypted drive that uses FileVault 2. Which of the following methods is NOT a means of unlocking the volume?

- Conduct a brute-force attack against the FileVault 2 encryption

You've been asked to create a script to automate your organization's vulnerability scanning process and report any detected vulnerabilities. The tool you're integrating with has an API that can be utilized for this purpose. What language, often used in cybersecurity for scripting, could you use to write this script?

- Python

The IT department of a company has noticed inconsistencies in the settings of its various servers. This has been causing errors and potential security risks. What strategy should the company adopt to ensure consistency?

- Implementing a standardized set of rules for system settings

Aymen is creating a procedure for the remediation of vulnerabilities discovered within his organization. He wants to ensure that any vendor patches are tested before deploying them into the production environment. What type of environment should his organization establish?

- Staging

During a port scan, you discover a service running on a registered port. Based on this, what do you know about this service?

- The service is running on a port between 1024 and 49151

Which of the following tools is considered a web application scanner?

- ZAP

Which of the following techniques would best mitigate malware that utilizes a fast flux network for its command and control infrastructure?

- Utilize a secure recursive DNS resolver to a third-party secure DNS resolver

What is the purpose of conducting a 'lessons learned' exercise after a security incident?

- It identifies strengths and weaknesses in the incident response process

Joseph is interpreting a vulnerability that has a CVSS (v3.1) base score of 8.3. In what risk category would this vulnerability fit?

- High

Which party in a federation provides services to members of the federation?

- RP

A web developer wants to protect their new web application from a man-in-the-middle attack. Which of the following controls would best prevent an attacker from stealing tokens stored in cookies?

- Setting the secure attribute on the cookie

In order to improve efficiency in your security operations, you want to minimize human engagement. Which of the following actions would be most effective in achieving this goal?

- Implementing automation for routine tasks

A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in the format of a social security number (xxx-xx-xxxx). Which of the following concepts within DLP is being utilized?

- Exact data match

In 2014, Sony Pictures Entertainment suffered a major cyberattack that led to the theft and leak of confidential data. In response to the incident, a pre-established set of procedures were invoked. These procedures contained detailed guidelines for handling such scenarios, from initial detection to post-incident recovery. What term is typically used to refer to these detailed procedural guidelines?

- Playbooks

A supplier needs to connect several laptops to an organization’s network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could contain some vulnerabilities that could weaken the network's security posture. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier’s laptops?

- Implement a jumpbox system

A cybersecurity analyst is reviewing the logs of an authentication server and saw the following output: /// What type of attack was most likely being attempted by the attacker?

- Password spraying

You walked up behind a penetration tester in your organization and saw the following output on their Kali Linux terminal:- /// What type of test is the penetration tester currently conducting?

- Conducting a brute force login attempt of a remote service on 192.168.1.142

Which phase of the Secure Software Development Life Cycle (SDLC) focuses on identifying potential security issues?

- Testing

A cybersecurity analyst is working for a university that is conducting a big data medical research project. The analyst is concerned about the possibility of an inadvertent release of PHI data. Which of the following strategies should be used to prevent this?

- Conduct tokenization of the PHI data before ingesting it into the big data application

THE P.T: 1 CHRONICLE: ( ex.9 )

THE P.T: 1 CHRONICLE: ( ex.9 )

90問 • 6ヶ月前

The R.S.S.H Delivery Company · 88問 · 6ヶ月前

THE P.T: 2 CHRONICLE: ( ex.10 )

THE P.T: 2 CHRONICLE: ( ex.10 )

88問 • 6ヶ月前

The R.S.S.H Delivery Company · 89問 · 6ヶ月前

THE P.T. 3: CHRONICLE: ( ex.12 )

THE P.T. 3: CHRONICLE: ( ex.12 )

89問 • 6ヶ月前

The R.S.S.H Delivery Company · 52問 · 6ヶ月前

THE P.T. 4: CHRONICLE: ( ex.11 )

THE P.T. 4: CHRONICLE: ( ex.11 )

52問 • 6ヶ月前

The R.S.S.H Delivery Company · 92問 · 6ヶ月前

THE P.T. 5: CHRONICLE: ( ex.13 )

THE P.T. 5: CHRONICLE: ( ex.13 )

92問 • 6ヶ月前

The R.S.S.H Delivery Company · 90問 · 6ヶ月前

THE P.T. 6: CHRONICLE: ( ex.14 )

THE P.T. 6: CHRONICLE: ( ex.14 )

90問 • 6ヶ月前

The R.S.S.H Delivery Company · 48問 · 6ヶ月前

THE P.T. 7: ( ex.15 )

THE P.T. 7: ( ex.15 )

48問 • 6ヶ月前

EXAM #1 |

EXAM #1 |

The R.S.S.H Delivery Company · 5問 · 9ヶ月前

1 ) Identify Security Control Types

1 ) Identify Security Control Types

5問 • 9ヶ月前

The R.S.S.H Delivery Company · 8問 · 9ヶ月前

2 ) Threat Intelligence

2 ) Threat Intelligence

8問 • 9ヶ月前

EXAM #2 |

EXAM #2 |

The R.S.S.H Delivery Company · 17問 · 9ヶ月前

3 ) Classifying Threats

3 ) Classifying Threats

17問 • 9ヶ月前

EXAM # 3 |

EXAM # 3 |

The R.S.S.H Delivery Company · 16問 · 9ヶ月前

4 ) Threat Hunting

4 ) Threat Hunting

16問 • 9ヶ月前

The R.S.S.H Delivery Company · 9問 · 9ヶ月前

5 ) Network Forensics

5 ) Network Forensics

9問 • 9ヶ月前

EXAM # 5 |

EXAM # 5 |