CySA Practice Exam #6 questions correctly answered 2022
Question: Which of the following will an adversary do during the final phase of the Lockheed Martin kill chain? (SELECT FOUR)
A. Exfiltrate data
B. Privilege escalation
C. Lateral movement through the environment
D. Release of malicious email
E. Wait for a user to click on a malicious link
F. Modify data
Answer: A, B, C, F. The last phase is the actions on objectives phase. During this phase, the attacker adequately controls the targeted network. If the system or network owner does not detect the attacker, the adversary may persist for months while gaining progressively deeper footholds into the network through privilege escalation and lateral movement. The attacker can also exfiltrate data from the network or modify data that will remain in the network.

Question: A cybersecurity analyst is working at a college that wants to increase its network's security by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements?
A. Passive scanning engine located at the core of the network infrastructure
B. Combination of cloud-based and server-based scanning engines
C. Combination of server-based and agent-based scanning engines
D. Active scanning engine installed on the enterprise console
Answer: D. Since the college wants a centrally managed enterprise console, an active scanning engine installed on the enterprise console best meets these requirements. The college's cybersecurity analysts could then scan any devices connected to the network with the active scanning engine at the desired intervals.

Question: Ryan needs to verify the installation of a critical Windows patch on his organization's workstations. Which method would be the most efficient to validate the current patch status for all of the organization's Windows 10 workstations?
A. Check the Update History manually
B. Conduct a registry scan of each workstation to validate the patch was installed
C. Create and run a PowerShell script to search for the specific patch in question
D. Use SCCM to validate patch status for each machine on the domain
Answer: D. Microsoft System Center Configuration Manager (SCCM) provides remote control, patch management, software distribution, operating system deployment, network access protection, and hardware and software inventory.

Question: You are developing your vulnerability scanning plan and attempting to scope your scans properly. You have decided to focus on the criticality of a system to the organization's operations when prioritizing the system in the scope of your scans. Which of the following would be the best place to gather the criticality of a system?
A. Ask the CEO for a list of the critical systems
B. Conduct a nmap scan of the network to determine the OS of each system
C. Scope the scan based on IP subnets
D. Review the asset inventory and BCP
Answer: D. To best understand a system's criticality, review the asset inventory and the BCP. Most organizations classify each asset in their inventory by its criticality to the organization's operations; this determines how many spare parts to keep, warranty requirements, service agreements, and other factors that keep these assets online and running at all times. You can also review the business continuity plan (BCP), since it documents the organization's plan for continuing business operations in the event of a disaster or other outage. Generally, the systems or operations listed in a BCP are the most critical ones for supporting business operations.

Question: Which analysis framework is essentially a repository of known IOCs with ties to known specific threats?
A. MITRE ATT&CK framework
B. Diamond Model of Intrusion Analysis
C. Lockheed Martin cyber kill chain
D. OpenIOC
Answer: D. OpenIOC is essentially just a flat database of known indicators of compromise.

Question: Which of the following tools would you use to audit a multi-cloud environment?
A. OpenVAS
B. ScoutSuite
C. Prowler
D. Pacu
Answer: B. ScoutSuite is used to audit instances and policies created on multi-cloud platforms. Prowler is a cloud auditing tool, but it can only be used on AWS. Pacu is an exploitation framework used to test the security configurations of an AWS account. OpenVAS is a general-purpose vulnerability scanner that does not deal with cloud-specific issues.

Question: In which phase of the security intelligence cycle is information from several different sources aggregated into useful repositories?
A. Feedback
B. Analysis
C. Dissemination
D. Collection
Answer: D. The collection phase is usually implemented by administrators using software suites such as security information and event management (SIEM). This software must be configured with connectors or agents that can retrieve data from sources such as firewalls, routers, IDS sensors, and servers.

Question: A popular game allows for in-app purchases to acquire extra lives in the game. When a player purchases the extra lives, the number of lives is written to a configuration file on the gamer's phone. A hacker loves the game but hates having to buy lives all the time, so they developed an exploit that allows a player to purchase 1 life for $0.99 and then modifies the content of the configuration file to claim 100 lives were purchased before the application reads the number of lives purchased from the file. Which of the following types of vulnerabilities did the hacker exploit?
A. Sensitive data exposure
B. Dereferencing
C. Broken authentication
D. Race condition
Answer: D. Race conditions occur when the outcome of execution processes depends directly on the order and timing of certain events, and those events fail to execute in the order and timing the developer intended. In this scenario, the hacker's exploit is racing to modify the configuration file before the application reads the number of lives from it.

Question: Which tool would allow you to identify the target's operating system by analyzing the TCP/IP stack responses?
A. nmap
B. dd
C. scanf
D. msconfig
Answer: A. The nmap tool can identify the target's operating system by analyzing the TCP/IP stack responses. Identification of the operating system relies on differences in how operating systems and operating system versions respond to a query, which TCP options they support, the order in which they send packets, and other details that, when combined, provide a unique fingerprint for a given TCP stack.

Question: A cybersecurity analyst is reviewing the logs of an authentication server and saw the following output:
-=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-
[443] [https-get-form] host: login: admin password: P@$$w0rd!
[443] [https-get-form] host: login: admin password: C0mpT1@P@$$w0rd
[443] [https-get-form] host: login: root password: P@$$w0rd!
[443] [https-get-form] host: login: root password: C0mpT1@P@$$w0rd
[443] [https-get-form] host: login: dion password: P@$$w0rd!
[443] [https-get-form] host: login: dion password: C0mpT1@P@$$w0rd
[443] [https-get-form] host: login: jason password: P@$$w0rd!
[443] [https-get-form] host: login: jason password: C0mpT1@P@$$w0rd
-=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-
What type of attack was most likely being attempted by the attacker?
A. Session hijacking
B. Password spraying
C. Impersonation
D. Credential stuffing
Answer: B. Password spraying is an attack method that takes many usernames and loops through them with a single password. Multiple iterations with different passwords may be used, but the number of passwords attempted is usually low compared to the number of users attempted. This method avoids password lockouts, and it is often more effective at uncovering weak passwords than targeting specific users. In the scenario provided, only one or two attempts are made against each username listed, which is indicative of a password spraying attack rather than a brute force attempt against a single user.

Question: Which of the following should a domain administrator utilize to BEST protect their Windows workstations from buffer overflow attacks?
A. Install an anti-malware tool
B. Install an anti-spyware tool
C. Enable DEP in Windows
D. Conduct bound checking before executing a program
Answer: C. Windows comes with DEP, a built-in memory protection feature that prevents code from being run in pages marked as non-executable. By default, DEP protects only Windows programs and services classified as essential, but it can be enabled for all programs and services, or for all programs and services except those on an exception list.

Question: Which of the following is exploited by an SQL injection to give the attacker access to a database?
A. Operating system
B. Web application
C. Database server
D. Firewall
Answer: B. SQL injections target the data stored in enterprise databases by exploiting flaws in client-facing applications. The vulnerabilities being exploited are most often found in web applications.

Question: Which of the following will an adversary do during the reconnaissance phase of the Lockheed Martin kill chain? (SELECT THREE)
A. Harvest email addresses
B. Identify employees on Social Media networks
C. Release of malware on USB drives
D. Acquire or develop zero-day exploits
E. Select backdoor implants and appropriate command and control mechanisms
F. Discover servers facing the public Internet
Answer: A, B, F. Passively harvesting information from a target is the main purpose of the reconnaissance phase. Harvesting email addresses from the public internet, identifying employees on social media (particularly LinkedIn profiles), discovering public-facing servers, and gathering other publicly available information allow an attacker to develop a more thorough understanding of a targeted organization.

Question: Which of the following scan types are useful for probing firewall rules?
A. TCP SYN
B. TCP ACK
C. TCP RST
D. XMAS TREE
Answer: B. TCP ACK scans can be used to determine what services are allowed through a firewall. An ACK scan sends TCP packets with only the ACK bit set. Whether ports are open or closed, the target is required to respond with an RST packet. Firewalls that block the probe usually make no response or send back an ICMP destination unreachable error. This distinction allows Nmap to report whether the ACK packets are being filtered.

Question: A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL,
A. SQL injection
B. Buffer overflow
C. Directory traversal
D. XML injection
Answer: C. This is an example of a directory traversal. A directory traversal attack aims to access files and directories stored outside the webroot folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration files, and critical system files.

Question: David noticed that port 3389 was open on one of the POS terminals in a store during a scheduled PCI compliance scan. Based on the scan results, what service should he expect to find enabled on this terminal?
A. MySQL
B. RDP
C. LDAP
D. IMAP
Answer: B. Port 3389 is the port used by the Remote Desktop Protocol (RDP). If this port isn't supposed to be open, an incident response plan should be the next step, since RDP can be used for remote access by an attacker.

Question: You have just completed identifying, analyzing, and containing an incident. You have verified that the company uses self-encrypting drives as part of its default configuration. As you begin the eradication and recovery phase, you must sanitize the storage devices' data before restoring the data from known-good backups. Which of the following methods would be the most efficient to use to sanitize the affected hard drives?
A. Incinerate and replace the storage devices
B. Conduct zero-fill on the storage devices
C. Use a secure erase (SE) utility on the storage devices
D. Perform a cryptographic erase (CE) on the storage devices
Answer: D. Sanitizing a hard drive can be done using cryptographic erase (CE), secure erase (SE), zero-fill, or physical destruction. In this case, the hard drives are self-encrypting and already encrypt data at rest, so the most efficient method is CE. The cryptographic erase (CE) method sanitizes a self-encrypting drive by erasing the media encryption key and then reimaging the drive.

Question: You work as a cybersecurity analyst at a software development firm. The software developers have begun implementing commercial and open source libraries into their codebase to minimize the time it takes to develop and release a new application. Which of the following should be your biggest concern as a cybersecurity analyst?
A. There are no concerns with using commercial or open-source libraries to speed up development
B. Open-source libraries are inherently insecure because you do not know who wrote them
C. Whether or not the libraries being used in the projects are the most up-to-date versions
D. Any security flaws present in the library will also be present in the developed application
Answer: D. Any security flaws present in a commercial or open-source library will also be present in the developed application. A library is vulnerable just as any other application or code might be, and the libraries being integrated into the project contain both known (discovered) and unknown vulnerabilities. The software development team therefore needs to monitor the applicable libraries for additional CVEs that may be uncovered later.

Question: You have been asked to scan your company's website using the OWASP ZAP tool. When you perform the scan, you received the following warning: "The AUTOCOMPLETE output is not disabled in HTML FORM/INPUT containing password type input. Passwords may be stored in browsers and retrieved." You begin to investigate further by reviewing a portion of the HTML code from the website that is listed below:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
<form action="">
Enter your username: <BR>
<input type="text" name="user" value="" autofocus><BR>
Enter your Password: <BR>
<input type="password" name="pass" value="" maxlength="32"><BR>
<input type="submit" value="submit">
</form>
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on your analysis, which of the following actions should you take?
A. This is a false positive and you should implement a scanner exception to ensure you don't receive this again during your next scan
B. You recommend that the system administrator disables SSL on the server and implements TLS instead
C. You tell the developer to review their code and implement a bug/code fix
D. You recommend that the system administrator pushes out a GPO update to reconfigure the web browsers' security settings
Answer: C. Since your company owns the website, you can require the developer to implement a bug/code fix to prevent the form from allowing the AUTOCOMPLETE function on this website. The code change is simple: add autocomplete="off" to the first line of the code, so the resulting code would be <form action="" autocomplete="off">.

Question: Susan is worried about the security of the master account associated with a cloud service and the access to it. This service is used to manage payment transactions. She has decided to implement a new multifactor authentication process where one individual has the password to the account, while another user in the accounting department has a physical token to the account. To log in to the cloud service with this master account, both users would need to come together. What principle is Susan implementing by using this approach?
Answer: A. This approach is an example of dual control authentication. Dual control authentication is used when performing a sensitive action; it requires the participation of two different users to log in (in this case, one with the password and one with the token). Transitive trust is a technique by which a user or entity that has already been authenticated by one communication network can access resources in another communication network without having to authenticate a second time.
Written for
- Institution
- CySA
- Course
- CySA
Document information
- Uploaded on
- 7 December 2022
- Number of pages
- 29
- Written in
- 2022/2023
- Type
- Exam (worked answers)
- Contains
- Questions and answers