Jason Dion’s Practice Exam 4 of 5 correctly answered

Jason Dion’s Practice Exam 4 of 5 correctly answeredWhich of the following must be combined with a threat to create risk? A.Malicious actor B.Mitigation C.Vulnerability D.Exploit C.Vulnerability Explanation OBJ-1.4: A risk results from the combination of a threat and a vulnerability. A vulnerability is a weakness in a device, system, application, or process that might allow an attack to take place. A threat is an outside force that may exploit a vulnerability. Remember, a vulnerability is something internal to your organization's security goals. Therefore, you can control, mitigate, or remediate a vulnerability. A threat is external to your organization's security goals. A.A threat could be a malicious actor, a software exploit, a natural disaster, or other external factors. In the case of an insider threat, they are considered an external factor for the purposes of threats and vulnerabilities since their goals lie outside your organization's security goals. Which of the following commands would NOT provide domain name information and details about a host? A.dig -x [ip address] B. host [ip address] C. nslookup [ipaddress] D. sc [ip address] D. sc [ip address] Explanation OBJ-1: Service control (sc) is a Windows command that allows you to create, start, stop, query, or delete a Windows service. The dig command will give you information on when a query was performed, the details that were sent and what flags were sent as well. In most cases, host and nslookup will also provide similar information. David noticed that port 3389 was open on one of the POS terminals in a store during a scheduled PCI compliance scan. Based on the scan results, what service should he expect to find enabled on this terminal? A.MySQL B.RDP C.LDAP D.IMAP B.RDP Explanation OBJ-1: Port 3389 is an RDP port used for the Remote Desktop Protocol. If this port isn't supposed to be opened, then an incident response plan should be the next step since this can be used for remote access by an attacker. MySQL runs on port 3306. LDAP runs on port 389. IMAP over SSL runs on port 993. A penetration tester is conducting an assessment of a wireless network that is secure using WPA2 Enterprise encryption. Which of the following are major differences between conducting reconnaissance of a wireless network versus a wired network? (SELECT TWO) A.Encryption B.Network Access Control C.Port security D.Authentication E.Physical accessibility F.MAC filerting A.Encryption E.Physical accessibility Explanation OBJ-1: Most wireless networks utilize end-to-end encryption, whereas wired networks do not. Physical accessibility is another major difference between wireless and wired networks since wireless networks can be accessed from a distance using powerful antennas. Authentication, MAC filtering, and network access control (NAC) can be implemented equally on both wired and wireless networks. Port security is only applicable to wired networks. You have been asked to review the SIEM event logs for suspected APT activity. You have been given several indicators of compromise, such as a list of domain names and IP addresses. What is the BEST action to take in order to analyze the suspected APT activity? A.Use the IP addresses to search through the event logs B.Analyze the trends of the events while manually reviewing them to see if any indicators match C.Create an advanced query that includes all of the indicators and review any matches D.Scan for vulnerabilities with exploits known to previously have been used by an APT B.Analyze the trends of the events while manually reviewing them to see if any indicators match Explanation OBJ-1: You should begin by analyzing the trends of the events while manually reviewing each of them to determine if any of the indicators match. If you only searched through the event logs using the IP addresses, this would not be sufficient as many APTs hide their activity by compromising and using legitimate networks and their IP addresses. If you only use the IP addresses to search the event logs, you would miss any events that correlated only to the domain names. If you create an advanced query will all of the indicators, your search of the event logs will find nothing because no single event will include all of these IPs and domain names. Finally, while scanning for vulnerabilities known to have been used by the APTs is a good practice, it would only be effective in determining how to stop future attacks from occurring, not for determining whether or not an attack has already occurred. You are conducting a code review of a program and observe the following calculation of 0xffffffff + 1 was attempted, but the result was returned as 0x. Based on this, what type of exploit could be created against this program? A.SQL injection B.Impersonation C.Integer Overflow attack D.Password Spraying C.Integer Overflow attack Explanation OBJ-1.2: Integer overflows and other integer manipulation vulnerabilities frequently result in buffer overflows. An integer overflow occurs when an arithmetic operation results in a number that is too large to be stored in the space allocated for it. Integers are stored in 32 bits on the x86 architecture; therefore, if an integer operation results in a number greater than 0xffffffff, an integer overflow occurs, as was the case in this example. SQL injection is an attack that injects a database query into the input data directed at a server by accessing the client-side of the application. Password spraying is a type of brute force attack in which multiple user accounts are tested with a dictionary of common passwords. Impersonation is the act of pretending to be another person or system for the purpose of fraud. Which of the following programs was designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military? A.Trusted Foundry (RF) B.Supplies Assured (SA) C.Supply Secure (SS) D.Trusted Access Program (TAP A.Trusted Foundry (RF) Explanation OBJ-1.4: The Trusted Foundry program, also called the trusted suppliers program, is a United States Department of Defense program designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military. Trusted Foundry was created to provide a chain of custody for classified/unclassified integrated circuits, ensure there is no reasonable threat related to supply disruption, prevent intentional/unintentional modification of integrated circuits, and protect integrated circuits from reverse engineering and vulnerability testing. A salesperson's laptop has become unresponsive after attempting to open a PDF in their email. A cybersecurity analyst reviews the IDS and anti-virus software for any alerts or unusual behavior but finds nothing suspicious. Which of the following threats would BEST classify this scenario? A.Ping of death B.Zero-day malware C.PII exfiltration D.RAT B.Zero-day malware Explanation OBJ-1.2: Based on the scenario provided, it appears that the laptop has become the victim of a zero-day attack. A zero-day attack is an attack that exploits a potentially serious software security weakness that the vendor or developer may be unaware of. This means that there will not be a signature available in the IDS or anti-virus definition file. Therefore, it cannot be combatted with traditional signature-based detection methods. PII (personally identifiable information) exfiltration is the unauthorized copying, transfer or retrieval of PII data from a computer or server. A ping of death is a type of attack on a computer system that involves sending a malformed or otherwise malicious ping to a computer. A remote access Trojan (RAT) is a malware program that includes a back door for administrative control over the target computer. Based on the information provided in the scenario, we do not have any indications that a ping packet was sent, that PII has been exfiltrated, or that the attack now has remote control of the laptop. Since neither the IDS nor anti-virus alerted on the PDF, it is most likely a form of a zero-day attack. Which of the following techniques would allow an attacker to get a full listing of your internal DNS information if your DNS server is not properly secured? A.Zone transfers B.Split horizon C.FQDN resolution D.DNS Poisoning A.Zone transfers Explanation OBJ-1.2: A DNS zone transfer provides a full listing of DNS information. If your organization's internal DNS server is improperly secured, this can allow an attacker to gather this information by performing a zone transfer. Fully qualified domain name (FQDN) resolution is a normal function of DNS that converts a domain name like to its corresponding IP address. Split horizon is a method of preventing a routing loop in a network. DNS poisoning is a type of attack which uses security gaps in the Domain Name System (DNS) protocol to redirect internet traffic to malicious websites. During which phase of an attack would a penetration tester seek to gain complete control of a system? A.Planning B.Attack C.Reporting D.Discovery B.Attack Explanation OBJ-1.4: During the attack phase, the attacker seeks to gain access to a system, escalate that access to obtain complete control, and then conduct browsing to identify mechanisms to gain access to additional systems. The planning phase is where the scope for the assignment is defined and management approvals, documents, and agreements are signed. The discovery phase is where the actual testing starts; it can be regarded as an information-gathering phase. The attack phase is at the heart of any penetration test, it is the part of the process where a penetration test attempts to exploit a system, conduct privilege escalation, and then pivot or laterally move around the network. The reporting phase is focused on the development of the final report that will be presented to management at the conclusion of the penetration test.