Exam (elaborations)

CySA Practice Exam #2 question with complete solution

Pages
26
Grade
A+
Uploaded on
07-12-2022
Written in
2022/2023

Question: You were interpreting a Nessus vulnerability scan report and identified a vulnerability in the system with a CVSS attack vector rating of A. Based on this information, which of the following statements would be true?
A. The attacker must have physical or logical access to the affected system
B. Exploiting the vulnerability requires the existence of specialized conditions
C. The attacker must have access to the local network that the system is connected to
D. Exploiting the vulnerability does not require any specialized conditions
Answer: C. The attack vector describes what type of access the attacker must have to a system or network; it does not refer to the specialized conditions that must exist. In this case, the A rating refers to Adjacent, where the attacker must launch the attack from the same shared physical network (such as Bluetooth or Wi-Fi), logical network (such as a local subnet), or limited administrative domain (such as a VPN or MPLS). An attack vector of Network (N) would allow the attack to extend beyond these options and permit remote exploitation of the vulnerability. An attack vector of Local (L) would require the attacker to exploit the workstation locally via the keyboard or over an SSH connection. An attack vector of Physical (P) would require the attacker to physically touch or manipulate the vulnerable component themselves, such as conducting a cold boot attack.

Question: You are analyzing the SIEM for your company's e-commerce server when you notice the following URL in the logs of your SIEM:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
A. SQL injection
B. Buffer overflow
C. XML injection
D. Session hijacking
Answer: C. This is an example of an XML injection. XML injection manipulates or compromises the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter an application's intended logic, and XML injection can cause the insertion of malicious content into the resulting messages or documents.

Question: Your company is making a significant investment in infrastructure-as-a-service (IaaS) hosting to replace its data centers. Which of the following techniques should be used to mitigate the risk of data remanence when moving virtual hosts from one server to another in the cloud?
A. Zero-wipe drives before moving systems
B. Use full-disk encryption
C. Use data masking
D. Span multiple virtual disks to fragment data
Answer: B. To mitigate the risk of data remanence, you should implement full disk encryption. This method ensures that all data is encrypted and cannot be exposed to other organizations or to the underlying IaaS provider.

Question: A vulnerability scan has returned the following results:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Detailed Results
10.56.17.21 (APACHE-2.4)
Windows Shares
Category: Windows
CVE ID: -
Vendor Ref: -
Bugtraq ID: -
Service Modified - 8.30.2017
Enumeration Results:
print$ c:\windows\system32\spool\drivers
files c:\FileShare\Accounting
Temp c:\temp
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What best describes the meaning of this output?
A. There is an unknown bug in an Apache server with no Bugtraq ID
B. Connecting to the host using a null session allows enumeration of the share names on the host
C. Windows Defender has a known exploit that must be resolved or patched
D. There is no CVE present, so this is a false positive caused by Apache running on a Windows server
Answer: B. These results from the vulnerability scan show an enumeration of open Windows shares on an Apache server. The enumeration results show that three share names (print$, files, Temp) were found using a null session connection. There is no CVE associated with this vulnerability, but it is not a false positive. Not all vulnerabilities have a CVE associated with them.

Question: In which phase of the security intelligence cycle is published information relevant to security issues provided to those who need to act on that information?
A. Feedback
B. Analysis
C. Dissemination
D. Collection
Answer: C. The dissemination phase refers to publishing the information produced by analysis to the consumers who need it to develop insights.

Question: Which of the following techniques listed below are not appropriate to use during a passive reconnaissance exercise against a specific target company?
A. WHOIS lookups
B. Banner grabbing
C. BGP looking glass usage
D. Registrar checks
Answer: B. Banner grabbing requires a connection to the host to grab the banner successfully. This is an active reconnaissance activity.

Question: A cybersecurity analyst is reviewing the logs of a Citrix NetScaler Gateway running on a FreeBSD 8.4 server and saw the following output:
-=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=-
10.1.1.1 - - [10/Jan/2020:13:23:51 +0000] "POST /vpn/../vpns/portal/scripts/ HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT"
10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] "GET /vpn/../vpns/portal/ HTTP/1.1" 200 941 "-" "USERAGENT"
10.1.1.1 - - [10/Jan/2020:16:12:31 +0000] "POST /vpns/portal/scripts/ HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT"
-=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=-
What type of attack was most likely being attempted by the attacker?
A. SQL injection
B. Directory traversal
C. XML injection
D. Password spraying
Answer: B. A directory traversal attack aims to access files and directories stored outside the web root folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration files, and critical system files. The example output provided comes from a remote code execution vulnerability being exploited, in which a directory traversal is used to access the files.

Question: What is a reverse proxy commonly used for?
A. Allowing access to a virtual private cloud
B. To prevent the unauthorized use of cloud services from the local network
C. Directing traffic to internal services if the contents of the traffic comply with policy
D. To obfuscate the origin of a user within a network
Answer: C. A reverse proxy is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with the policy. This does not require the configuration of the users' devices. This approach is only possible if the cloud application has proxy support. You can deploy a reverse proxy and configure it to listen for client requests from a public network, like the internet. The proxy then creates the appropriate request to the internal server on the corporate network and passes the server's response back to the external client.

Question: Which of the following types of attackers are sophisticated and highly organized people or teams typically sponsored by a nation-state?
A. Script kiddies
B. Hacktivists
C. Advanced Persistent Threat
D. Ethical hacker
Answer: C. Advanced Persistent Threat (APT) attackers are sophisticated and have access to financial and technical resources typically provided by a government. An APT is an attacker with the ability to obtain, maintain, and diversify access to network systems using exploits and malware.

Question: If you want to conduct operating system identification during an nmap scan, which syntax should you utilize?
A. nmap -os
B. nmap -O
C. nmap -id
D. nmap -osscan
Answer: B. The -O flag tells nmap to attempt to identify the target's operating system during the scanning process. It does this by evaluating the responses it received during the scan against its signature database for each operating system.

Question: Which of the following security controls provides Windows system administrators with an efficient way to deploy system configuration settings across many devices?
A. Patch management
B. GPO
C. HIPS
D. Anti-malware
Answer: B. Microsoft's Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system will look like and how it will behave for a defined group of users. It allows an administrator to create a policy and deploy it across many devices in the domain or network.

Question: Which term defines the collection of all points from which an adversary could interact with a system and cause it to function in a way other than how it was designed?
A. Attack surface
B. Attack vector
C. Threat model
D. Adversary capability set
Answer: A.

Question: You are analyzing the logs of a web server and see the following entry:
-=-=-=-=-=--=-=-=-=-=--=-=-=-=-=-
192.168.1.25 - - [05/Aug/2020:15:16:42 -0400] "GET /%27%27;!-%22%3CDION%3E=&{()} HTTP/1.1" 404 310 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.12) Gecko/2 Ubuntu/19.04 (disco dingo) Firefox/3.0.12"
-=-=-=-=-=--=-=-=-=-=--=-=-=-=-=-
Based on this entry, which of the following attacks was attempted?
A. XML injection
B. Buffer overflow
C. XSS
D. SQL injection
Answer: C. This is an example of an XSS attack as recorded by a web server's log. In this example, the attacker obfuscated the XSS attack using HTML encoding. The encoding %27%27 translates to two single quote marks (''). While you don't need to be able to decode the exact string used in the logs, when you see HTML encoding on the exam, it is usually going to be an XSS attack unless you see SQL or XML statements in the string, and in this case there are neither.

Question: Which of the following vulnerability scans would provide the best results if you want to determine if the target's configuration settings are correct?
A. Non-credentialed scan
B. Credentialed scan
C. External scan
D. Internal scan
Answer: B. Credentialed scans log into a system and retrieve its configuration information. Therefore, they should provide you with the best results.

Question: Which of the following is the default nmap scan type when you do not provide a flag when issuing the command?
A. A TCP FIN scan
B. A TCP connect scan
C. A TCP SYN scan
D. A UDP scan
Answer: C.

Question: Which of the following is the most difficult to confirm with an external vulnerability scan?
A. Cross-site scripting (XSS)
B. Cross-site request forgery (XSRF/CSRF)
C. Blind SQL injection
D. Unpatched web server
Answer: C. Vulnerability scanners typically cannot confirm that a blind SQL injection with the execution of code has previously occurred.

Question: You identified a critical vulnerability in one of your organization's databases. You researched a solution, but it will require the server to be taken offline during the patch installation. You have received permission from the Change Advisory Board to implement this emergency change at 11 pm once everyone has left the office. It is now 3 pm; what action(s) should you take now to best prepare for implementing this evening's change? (SELECT ALL THAT APPLY)
A. Ensure all stakeholders are informed of the planned outage
B. Document the change in the change management system
C. Take the server offline at 10 pm in preparation for the change
D. Identify any potential risks associated with installing the patch
E. Take the opportunity to install a new feature pack that has been requested
F. Validate the installation of the patch in a staging environment
Answer: A, B, D, F.

Question: Dion Consulting Group has recently received a contract to develop a networked control system for a self-driving car. The company's CIO is concerned about the liability of a security vulnerability being exploited that may result in the death of a passenger or an innocent bystander. Which of the following methodologies would provide the single greatest mitigation if successfully implemented?
A. Rigorous user acceptance testing
B. Formal methods of verification
C. DevSecOps
D. Peer review of source code
Answer: B. Formal verification methods use a mathematical model of the inputs and outputs of a system to prove that the system works as specified in all cases. Given the level of certainty achieved through formal verification methods, this approach provides the single greatest mitigation against this threat. Formal methods are designed for use in critical software in which corner cases must be eliminated.

Question: What method might a system administrator use to replicate the DNS information from one DNS server to another, but could also be used maliciously by an attacker?
A. Zone transfers
B. DNS registration
C. CNAME
D. DNSSEC
Answer: A. Zone transfers provide an easy way to send all the DNS information from one DNS server to another, but an attacker could also use them for reconnaissance against your organization. For this reason, most administrators disable zone transfers from untrusted servers.

Question: Nicole's organization does not have the budget or staff to conduct 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. Which of the following services or providers would be best suited for this role?
A. MSSP
B. IaaS
C. PaaS
D. SaaS
Answer: A. A managed security service provider (MSSP) provides security as a service (SECaaS). IaaS, PaaS, and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part of their core service offerings. Security as a service or a managed service provider (MSP) would be better suited for this role.

Question: James is working with the software development team to integrate real-time security reviews into some of their SDLC processes. Which of the following would best meet this requirement?
A. Pair Programming
B. Pass-around code review
C. Tool-assisted review
D. Formal code review
Answer: A. Pair programming is a real-time process that would meet this requirement. It uses two developers working on one workstation, where one developer reviews the code being written in real time by the other developer.

Question: What control provides the best protection against both SQL injection and cross-site scripting attacks?
A. Hypervisors
B. Network layer firewalls
C. CSRF
D. Input validation
Answer: D. Input validation prevents the attacker from sending invalid data to an application and is a strong control against both SQL injection and cross-site scripting attacks.

Institution
CySA
Course
CySA