CySA+ Practice Test 1 with correct answers 2024
Which one of the following objectives is not one of the three main objectives that information security professionals must achieve to protect their organizations against cybersecurity threats? - correct answer nonrepudiation
Tommy is assessing the security of the database servers in his datacenter and realizes that one of them is missing a critical Oracle security patch. What type of situation has Tommy detected? - correct answer vulnerability
Ben is preparing to conduct a cybersecurity risk assessment for his organization. If he chooses to follow the standard process proposed by NIST, which one of the following steps would come first? - correct answer Identify threats
Cindy is conducting a cybersecurity risk assessment and is considering the impact that a failure of her city's power grid might have on the organization. What type of threat is she considering? - correct answer environmental
Which one of the following categories of threat requires that cybersecurity analysts consider the capability, intent, and targeting of the threat source? - correct answer adversarial
Vincent is responding to a security incident that compromised one of his organization's web servers. He does not believe that the attackers modified or stole any information, but they did disrupt access to the organization's website. What cybersecurity objective did this attack violate? - correct answer availability
Which one of the following is an example of an operational security control? - correct answer penetration tests
Encryption software, network firewalls, and antivirus software are all examples of _________________ security controls. - correct answer technical
Paul recently completed a risk assessment and determined that his network was vulnerable to hackers connecting to open ports on servers. He implemented a network firewall to reduce the likelihood of a successful attack. What risk management strategy did Paul choose to pursue? - correct answer risk mitigation
Robert's organization has a BYOD policy, and he would like to ensure that devices connected to the network under this policy have current antivirus software. What technology can best assist him with this goal? - correct answer network access control
When performing 802.1x authentication, what protocol does the authenticator use to communicate with the authentication server? - correct answer RADIUS
Juan is configuring a new device that will join his organization's wireless network. The wireless network uses 802.1x authentication. What type of agent must be running on the device for it to join this network? - correct answer 802.1x supplicant
Rick is preparing a firewall rule that will allow network traffic from external systems to a web server running the HTTPS protocol. What TCP port must he allow to pass through the firewall? - correct answer 443
What type of firewall provides the greatest degree of contextual information and can include information about users and applications in its decision-making process? - correct answer Next Generation Firewalls
Wayne is configuring a jump box server that system administrators will connect to from their laptops. Which port should definitely not be open on the jump box? - correct answer 23
Tom would like to deploy consistent security settings to all of his Windows systems simultaneously. What technology can he use to achieve this goal? - correct answer group policy object
During what phase of a penetration test should the testers obtain written authorization to conduct the test? - correct answer planning
Which step occurs first during the attack phase of a penetration test? - correct answer gaining access
Barry is participating in a cybersecurity wargame exercise. His role is to attempt to break into adversary systems. What team is he on? - correct answer red
Which one of the following techniques might be used to automatically detect and block malicious software that does not match known malware signatures? - correct answer sandboxing
Kevin would like to implement a specialized firewall that can protect against SQL injection, cross-site scripting, and similar attacks. What technology should he choose? - correct answer WAF
What method is used to replicate DNS information between DNS servers but is also a tempting exploit target for attackers? - correct answer zone transfers
____________ is a suite of DNS security specifications. - correct answer DNSSEC
What flag does nmap use to enable operating system identification? - correct answer -o
What command-line tool can be used to determine the path that traffic takes to a remote system? - correct answer traceroute
Traceroute is a command-line tool that uses __________ to trace the route that a packet takes to a host. - correct answer ICMP
What type of data can frequently be gathered from images taken on smartphones? - correct answer EXIF
EXIF (Exchangeable Image File Format) data often includes ________________, allowing the images to be mapped and identified to a specific device or type of camera. - correct answer location and camera data
Which Cisco log level is the most critical? - correct answer 0
Which Cisco log level is used for debugging information and is at the bottom of the scale? - correct answer 7
During passive intelligence gathering, you are able to run netstat on a workstation located at your target's headquarters. What information would you not be able to find using netstat on a Windows system? - correct answer Active IPX connections
Active TCP connections, the executables that are associated with them, and route table information are all available via ____________. - correct answer Netstat
Which type of Windows log is most likely to contain information about a file being deleted? - correct answer security logs
What organization manages the global IP address space? - correct answer IANA
Before Ben sends a Word document, he uses the built-in Document Inspector to verify that the file does not contain hidden content. What is this process called? - correct answer metadata purging
What type of analysis is best suited to identify a previously unknown malware package operating on a compromised system? - correct answer heuristic analysis
Which of the following is not a common DNS anti-harvesting technique? - correct answer registering manually
CAPTCHAs, rate limiting, and blacklisting systems or networks that are gathering data are all common ___________ techniques. - correct answer anti-DNS harvesting
The __________ flag indicates a zone transfer in both the dig and host utilities. - correct answer axfr
Which of the following is not a reason that penetration testers often perform packet capture while conducting port and vulnerability scanning? - correct answer plausible deniability
A ____________ is often used to document work, including the time that a given scan or process occurred, and it can also be used to provide additional data for further analysis. - correct answer packet capture
What process uses information such as the way that a system's TCP stack responds to queries, what TCP options it supports, and the initial window size it uses? - correct answer OS detection
What tool would you use to capture IP traffic information to provide flow and volume information about a network? - correct answer netflow
__________ provides information about local connections, which applications have made them, and other useful local system information. - correct answer netstat
What method used to replicate DNS information between DNS servers can also be used to gather large amounts of information about an organization's systems? - correct answer zone transfer
Selah believes that an organization she is penetration testing may have exposed information about their systems on their website in the past. What site might help her find an older copy of their website? - correct answer The Internet Archive
During an information gathering exercise, Chris is asked to find out detailed personal information about his target's employees. What is frequently the best place to find this information? - correct answer social media
Which lookup tool provides information about a domain's registrar and physical location? - correct answer Whois
____________ will provide IP address or hostname information. - correct answer nslookup
__________ will provide IPv4 and IPv6 information as well as email service information. - correct answer host
___________ attempts to identify the path to a remote host as well as the systems along the route. - correct answer traceroute
What federal law requires the use of vulnerability scanning on information systems operated by federal government agencies? - correct answer FISMA
Gary is the system administrator for a federal agency and is responsible for a variety of information systems. Which systems must be covered by vulnerability scanning programs? - correct answer high-, moderate-, and low-impact systems
What tool can administrators use to help identify the systems present on a network prior to conducting vulnerability scans? - correct answer asset inventory
The asset inventory supplements automated tools with other information to detect systems present on a network. The asset inventory provides critical information for __________________. - correct answer vulnerability scans
Tonya is configuring vulnerability scans for a system that is subject to the PCI DSS compliance standard. What is the minimum frequency with which she must conduct scans? - correct answer quarterly
Which is not an example of a vulnerability scanning tool? - correct answer snort
QualysGuard, Nessus, and OpenVAS are all examples of ___________________. - correct answer vulnerability scanning tools
Bethany is the vulnerability management specialist for a large retail organization. She completed her last PCI DSS compliance scan in March. In April, the organization upgraded their point-of-sale system, and Bethany is preparing to conduct new scans. When must she complete the new scan? - correct answer immediately
Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanners? - correct answer read only
Jason is writing a report about a potential security vulnerability in a software product and wishes to use standardized product names to ensure that other security analysts understand the report. Which SCAP component can Jason turn to for assistance? - correct answer common product enumeration
Common Product Enumeration (CPE) is a ________________ component that provides standardized nomenclature for product names and versions. - correct answer SCAP
Bill would like to run an internal vulnerability scan on a system for PCI DSS compliance purposes. Who is authorized to complete one of these scans? - correct answer any qualified individual
Which type of organization is the most likely to face a regulatory requirement to conduct vulnerability scans? - correct answer government agency
What minimum level of impact must a system have under FISMA before the organization is required to determine what information about the system is discoverable by adversaries? - correct answer high
What term describes an organization's willingness to tolerate risk in their computing environment? - correct answer risk appetite
If an organization is extremely ____________, it may choose to conduct scans more frequently to minimize the amount of time between when a vulnerability comes into existence and when it is detected by a scan. - correct answer risk averse
Which one of the following factors is least likely to impact vulnerability scanning schedules? - correct answer staff availability
Barry placed all of his organization's credit card processing systems on an isolated network dedicated to card processing. He has implemented appropriate segmentation controls to limit the scope of PCI DSS to those systems through the use of VLANs and firewalls. When Barry goes to conduct vulnerability scans for PCI DSS compliance purposes, what systems must he scan? - correct answer systems on the isolated network
Ryan is planning to conduct a vulnerability scan of a business-critical system using dangerous plug-ins. What would be the best approach for the critical scan? - correct answer run the scan in a test environment
Which one of the following activities is not part of the vulnerability management life cycle? - correct answer reporting
Detection, remediation, and testing are the three life-cycle phases for ____________. - correct answer vulnerability management
What approach to vulnerability scanning incorporates information from agents running on the target servers? - correct answer continuous monitoring
Continuous monitoring incorporates data from agent-based approaches to vulnerability detection and reports security-related configuration changes to the _______________ platform as soon as they occur, providing the ability to analyze those changes for potential vulnerabilities. - correct answer vulnerability management
Brian is seeking to determine the appropriate impact categorization for a federal information system as he plans the vulnerability scanning controls for that system. After consulting management, he discovers that the system contains information that, if disclosed improperly, would have a serious adverse impact on the organization. How should this system be categorized? - correct answer moderate impact
Jessica is reading reports from vulnerability scans run by a different part of her organization using different products. She is responsible for assigning remediation resources and is having difficulty prioritizing issues from different sources. What SCAP component can help Jessica with this task? - correct answer CVSS
The Common Vulnerability Scoring System (CVSS) provides a standardized approach for measuring and describing the severity of ___________. - correct answer security vulnerabilities
Sarah would like to run an external vulnerability scan on a system for PCI DSS compliance purposes. Who is authorized to complete one of these scans? - correct answer an approved scanning vendor
Tom is reviewing a vulnerability scan report and finds that one of the servers on his network suffers from an internal IP address disclosure vulnerability. What protocol is likely in use on this network that resulted in this vulnerability? - correct answer Network Access Translation (NAT)
A network uses Network Access Translation (NAT) to map public and private IP addresses, but a ______________ inadvertently discloses its private IP address to remote systems. - correct answer server
Which one of the CVSS metrics would contain information about the number of times that an attacker must successfully authenticate to execute an attack? - correct answer Authentication (Au)
The Authentication metric describes the authentication hurdles an attacker would need to clear to ___________ a vulnerability. - correct answer exploit
Which one of the following values for the CVSS access complexity metric would indicate that the specified attack is simplest to exploit? - correct answer low
A _____________ access complexity of "low" indicates that exploiting the vulnerability does not require any specialized conditions. - correct answer CVSS
Which one of the following values for the confidentiality, integrity, or availability CVSS metric would indicate the potential for total compromise of a system? - correct answer complete (C)
What is the most recent version of CVSS that is currently available? - correct answer 3.0
Which one of the following metrics is not included in the calculation of the CVSS exploitability score? - correct answer vulnerability age
The __________________ is computed using the access vector, access complexity, and authentication metrics. - correct answer CVSS exploitability score
Kevin recently identified a new security vulnerability and computed its CVSS base score as 6.5. Which risk category would this vulnerability fall into? - correct answer high
__________________ with a CVSS score higher than 6.0 but less than 10.0 fall into the high risk category. - correct answer Vulnerabilities
Tara recently analyzed the results of a vulnerability scan report and found that a vulnerability reported by the scanner did not exist because the system was actually patched as specified. What type of error occurred? - correct answer false positive
Which one of the following is not a common source of information that may be correlated with vulnerability scan results? - correct answer database tables
Logs, SIEM reports, and configuration management systems are likely to contain information relevant to assessing a __________________. - correct answer vulnerability scan report
Which one of the following operating systems' support has been discontinued and should be avoided on production networks? - correct answer Windows Server 2003
In what type of attack does the attacker place more information in a memory location than is allocated for that use? - correct answer buffer overflow
The Dirty COW attack is an example of what type of vulnerability? - correct answer privilege escalation
In October 2016, security researchers announced the discovery of a Linux kernel vulnerability dubbed Dirty COW. This vulnerability, present in the Linux kernel for nine years, was extremely easy to exploit and provided successful attackers with __________________ of affected systems. - correct answer administrative control
Which protocol should never be used on a public network? - correct answer Telnet
Betty is selecting a transport encryption protocol for use in a new public website she is creating. What protocol would be the best choice? - correct answer TLS 1.1
Which one of the following conditions would not result in a certificate warning during a vulnerability scan of a web server? - correct answer inclusion of a public encryption key
__________________ are intended to provide public key encryption and would not cause an error during a vulnerability scan of a web server; using an untrusted CA, certificate expiration, and a mismatched certificate name would cause an error. - correct answer Digital certificates
What software component is responsible for enforcing the separation of guest systems in a virtualized infrastructure? - correct answer hypervisor
The __________________ runs a special operating system known as a hypervisor that mediates access to the underlying hardware resources. - correct answer virtualized data center
In what type of attack does the attacker seek to gain access to resources assigned to a different virtual machine? - correct answer VM escape
__________________ are the most serious issue that can exist in a virtualized environment, particularly when a virtual host runs systems of differing security levels. In an escape attack, the attacker has access to a single virtual host and then manages to leverage that access to intrude on the resources assigned to a different virtual machine. - correct answer VM escape vulnerabilities
Which one of the following terms is not typically used to describe the connection of physical devices to a network? - correct answer Intrusion detection systems (IDS)
Intrusion detection systems (IDS) are a __________________ used to detect network or host attacks. - correct answer security control
The Internet of Things (IoT), supervisory control and data acquisition (SCADA) systems, and industrial control systems (ICS) are all associated with connecting __________________ to a network. - correct answer physical world objects
Monica discovers that an attacker posted a message in a web forum that she manages that is attacking users who visit the site. Which one of the following attack types is most likely to have occurred? - correct answer cross-site scripting (XSS)
In a __________________, an attacker embeds scripting commands on a website that will later be executed by an unsuspecting visitor accessing the site. The idea is to trick a user visiting a trusted site into executing malicious code placed there by an untrusted third party. - correct answer cross-site scripting (XSS) attack
Alan is reviewing web server logs after an attack and finds many records that contain semicolons and apostrophes in queries from end users. What type of attack should he suspect? - correct answer SQL injection
In an __________________, the attacker seeks to use a web application to gain access to an underlying database. Semicolons and apostrophes are characteristic of this attack. - correct answer SQL injection attack
Which one of the following is an example of a computer security incident? - correct answer former employee crashes a server
A user accessing a secure file and an administrator changing a file's permission settings are examples of __________________, not security incidents. - correct answer security events
During what phase of the incident response process would an organization implement defenses designed to reduce the likelihood of a security event? - correct answer Preparation
Organizations should build solid, defense-in-depth approaches to cybersecurity during the preparation phase of the __________________. The controls built during this phase serve to reduce the likelihood and impact of future incidents. - correct answer incident response process
Alan is responsible for developing his organization's detection and analysis capabilities. He would like to purchase a system that can combine log records from multiple sources to detect potential security incidents. What type of system is best suited to meet Alan's security objective? - correct answer SIEM
A security information and event management (SIEM) system correlates log entries from multiple sources and attempts to identify potential __________________. - correct answer security incidents
Ben is working to classify the functional impact of an incident. The incident has disabled email service for approximately 30 percent of his organization's staff. How should Ben classify the functional impact of this incident according to the NIST scale? - correct answer medium
According to the NIST scale, the definition of medium functional impact is that the organization has lost the ability to provide a __________________ to a subset of system users. - correct answer critical service
According to the NIST scale, assigning a __________________ functional impact is only done when the organization can provide all critical services to all users at diminished efficiency. - correct answer low
According to the NIST scale, assigning a __________________ functional impact is only done if a critical service is not available to all users. - correct answer high
What phase of the incident response process would include measures designed to limit the damage caused by an ongoing breach? - correct answer containment, eradication, and recovery
The __________________ contained in the containment, eradication, and recovery phase are designed to limit the damage caused by an ongoing security incident. - correct answer containment protocols
Grace is the CSIRT team leader for a business unit within NASA, a federal agency. What is the minimum amount of time that Grace must retain incident handling records? - correct answer three years
Karen is responding to a security incident that resulted from an intruder stealing files from a government agency. Those files contained unencrypted information about protected critical infrastructure. How should Karen rate the information impact of this loss? - correct answer proprietary breach
In a proprietary breach, __________________ proprietary information is accessed or exfiltrated. - correct answer unclassified
__________________ is an example of unclassified proprietary information. - correct answer protected critical infrastructure information (PCII)
Matt is concerned about the fact that log records from his organization contain conflicting timestamps due to unsynchronized clocks. What protocol can he use to synchronize clocks throughout the enterprise? - correct answer network time protocol (NTP)
Which one of the following document types would outline the authority of a CSIRT responding to a security incident? - correct answer policy
An organization's __________________ should contain a clear description of the authority assigned to the CSIRT while responding to an active security incident. - correct answer incident response policy
A cross-site scripting attack is an example of what type of threat vector? - correct answer web
A __________________ is an attack executed from a website or web-based application. - correct answer web attack
A cross-site scripting (XSS) attack is used to steal credentials or redirect to a site that exploits a browser vulnerability and installs __________________. - correct answer malware
Which one of the following parties is not commonly the target of external communications during an incident? - correct answer the perpetrator
__________________ members do not normally communicate directly with the perpetrator of a cybersecurity incident. - correct answer CSIRT
Robert is finishing a draft of a proposed incident response policy for his organization. Who would be the most appropriate person to sign the policy? - correct answer CEO
The __________________ provides the CSIRT with the authority needed to do their job. Therefore, it should be approved by the highest possible level of authority within the organization, preferably the CEO. - correct answer incident response policy
Which one of the following is not an objective of the containment, eradication, and recovery phase of incident response? - correct answer detect an incident in progress
Implementing a containment strategy, identifying the attackers, and eradicating the effects of an incident are all objectives of the __________________ of incident response. - correct answer containment, eradication and recovery phase
Renee is responding to a security incident that resulted in the unavailability of a website critical to her company's operations. She is unsure of the amount of time and effort that it will take to recover the website. How should Renee classify the recoverability effort? - correct answer extended
__________________ effort occurs when the time to recovery is unpredictable. In those cases, additional resources and outside help are typically needed. - correct answer extended recoverability
Which one of the following is an example of an attrition attack? - correct answer brute-force password attack
An __________________ attack employs brute-force methods to compromise, degrade, or destroy systems, networks, or services - for example, a DDoS attack intended to impair or deny access to a service or application, or a brute-force attack against an authentication mechanism. - correct answer attrition attack
Who is the best facilitator for a post-incident lessons-learned session? - correct answer independent facilitator
__________________ sessions are most effective when facilitated by an independent party who was not involved in the incident response effort. - correct answer Lessons-learned
Which one of the following elements is not normally found in an incident response policy? - correct answer procedures for rebuilding systems
Procedures for rebuilding systems are highly technical and would normally be included in a playbook or procedure document rather than an __________________. - correct answer incident response policy
A man-in-the-middle attack is an example of what type of threat vector? - correct answer impersonation
An __________________ involves the replacement of something benign with something malicious - for example, spoofing, man-in-the-middle attacks, rogue wireless access points, and SQL injection attacks. - correct answer impersonation attack
Tommy is the CSIRT team leader for his organization and is responding to a newly discovered security incident. What document is most likely to contain step-by-step instructions that he might follow in the early hours of the response effort? - correct answer playbook
__________________ playbooks contain detailed step-by-step instructions that guide the early response to a cybersecurity incident. - correct answer incident response
Organizations typically have __________________ for high-severity and frequently occurring incident types. - correct answer playbooks
Hank is responding to a security event where the CEO of his company had her laptop stolen. The laptop was encrypted but contained sensitive information about the company's employees. How should Hank classify the information impact of this security event? - correct answer none
An encrypted laptop containing sensitive information about the company's employees would not qualify as a __________________ with measurable information impact, because encryption was used to protect the contents of the laptop. - correct answer security incident
A __________________ determines which clients may access a wired or wireless network. - correct answer NAC
A __________________ creates a unique fingerprint of a file. - correct answer hash
A __________________ filters network connections based upon source, destination, and port. - correct answer firewall
A __________________ is a system intentionally created to appear vulnerable. - correct answer honeypot
A __________________ attempts to recover source code from binary code. - correct answer decompiler
An __________________ scans a system for malicious software. - correct answer antivirus
A __________________ protects against SQL injection attacks. - correct answer WAF
A __________________ deploys configuration settings to multiple Windows systems. - correct answer GPO
__________________ traces the route to a system. - correct answer Traceroute
__________________ identifies open services on a network. - correct answer Nmap
__________________ monitors IP traffic flow and volume. - correct answer Netflow
__________________ provides organizational contact information associated with domain registration. - correct answer Whois
__________________ identifies connections listed by protocol. - correct answer Netstat
__________________ is used for zone transfers. - correct answer Dig
__________________ is used for packet capture. - correct answer Wireshark
__________________ is used for social media geotagging. - correct answer Creepy
In CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N, __________________ indicates that an attacker may exploit the vulnerability remotely over a network. This is the most serious value for this metric. - correct answer AV:N
In CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N, __________________ indicates that exploiting the vulnerability does not require any specialized conditions. This is the most serious value for this metric. - correct answer AC:L
In CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N, __________________ indicates that attackers do not need to authenticate to exploit the vulnerability. This is the most serious value for this metric. - correct answer Au:N
In CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N, __________________ indicates that a successful exploitation of this vulnerability would yield partial access to information. This is the middle value for this metric. - correct answer C:P
In CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N, __________________ indicates that a successful exploitation of this vulnerability would have no integrity impact. This is the least serious value for this metric. - correct answer I:N
In CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N, __________________ indicates that a successful exploitation of this vulnerability would have no availability impact. This is the least serious value for this metric. - correct answer A:N
A CVSS vector rating of __________________ indicates that exploiting the vulnerability requires somewhat specialized conditions. This is the middle value for this metric. - correct answer AC:M
In the CVSS vector rating, AV stands for: - correct answer access vector
In the CVSS vector rating, AC stands for: - correct answer access complexity
In the CVSS vector rating, Au stands for: - correct answer authentication
In the CVSS vector rating, C stands for: - correct answer confidentiality
In the CVSS vector rating, I stands for: - correct answer integrity
In the CVSS vector rating, A stands for: - correct answer availability
Conducting a lessons-learned review session would occur in the __________________ incident response phase. - correct answer post-incident activity
Receiving a report from a staff member about a malware infection would occur in the __________________ incident response phase. - correct answer detection and analysis
Upgrading the organization's firewall to block a new type of attack would occur in the __________________ incident response phase. - correct answer preparation
Recovering normal operations after eradicating an incident would occur in the __________________ incident response phase. - correct answer containment, eradication, and recovery
Identifying the attacker(s) and attacking system(s) would occur in the __________________ incident response phase. - correct answer containment, eradication, and recovery
Interpreting log entries using a SIEM to identify a potential incident would occur in the __________________ incident response phase. - correct answer detection and analysis
Assembling the hardware and software required to conduct an incident investigation would occur in the __________________ incident response phase. - correct answer preparation
__________________ are a set of packets passing from a source system to a destination system in a given time interval. - correct answer flows
__________________ is a Windows tool that monitors memory, CPU, and disk usage. - correct answer Resmon
__________________ is a tool for testing the maximum available bandwidth for a network. - correct answer iPerf
__________________ is a network management and monitoring tool that provides central visibility into flows and SNMP data for an entire network. - correct answer PRTG
__________________ is traffic sent to a command and control system by a PC that is part of a botnet. - correct answer beaconing
__________________ is a protocol for collecting information like status and performance about devices on a network. - correct answer SNMP
__________________ is a Linux command that displays processes, memory utilization, and other details about running programs. - correct answer top
__________________ is a Windows tool that monitors a wide range of devices and services, including energy, USB, and disk usage. - correct answer Perfmon
__________________ is a Linux tool used to create disk images. - correct answer dd
__________________ is used to determine whether a drive is forensically sound. - correct answer md5sum
__________________ is a memory forensics and analysis suite. - correct answer Volatility Framework
__________________ is a full-featured forensic suite. - correct answer FTK
__________________ is a drive and file wiping utility sometimes used for anti-forensic purposes. - correct answer eraser
__________________ is a device used to prevent forensic software from modifying a drive while accessing it. - correct answer write blocker
__________________ is a tool used to review Windows memory dumps. - correct answer WinDBG
__________________ is a device used to create a complete forensic image and validate it without a PC. - correct answer forensic drive duplicator
In Incident Response, which CompTIA category would you assign patching? - correct answer validation
In Incident Response, which CompTIA category would you assign sanitization? - correct answer eradication
In Incident Response, which CompTIA category would you assign lessons learned? - correct answer post-incident activities
In Incident Response, which CompTIA category would you assign reimaging? - correct answer eradication
In Incident Response, which CompTIA category would you assign secure disposal? - correct answer eradication
In Incident Response, which CompTIA category would you assign isolation? - correct answer containment
In Incident Response, which CompTIA category would you assign scanning? - correct answer validation
In Incident Response, which CompTIA category would you assign removal? - correct answer containment
In Incident Response, which CompTIA category would you assign reconstruction? - correct answer eradication
In Incident Response, which CompTIA category would you assign permission verification? - correct answer validation
In Incident Response, which CompTIA category would you assign user account review? - correct answer validation
In Incident Response, which CompTIA category would you assign segmentation? - correct answer containment
In Policy, what outlines a step-by-step process for carrying out a cybersecurity activity? - correct answer procedure
In Policy, what includes advice based on best practices for achieving security goals that are not mandatory? - correct answer guidelines
In Policy, what provides high-level requirements for a cybersecurity program? - correct answer policy
In Policy, what offers detailed requirements for achieving security control objectives? - correct answer standard
In Security Architecture, _____________ is a security design that protects all elements of the environment at the same level using the same tools and techniques. - correct answer uniform protection
In Security Architecture, _____________ is the portion of an organization, system, or network that can be attacked. - correct answer attack surface
In Security Architecture, _____________ are controls that include processes and policies.
- correct answer administrative controls In Security Architecture, _____________ are a protected network or location separated from other security zones by protective controls. - correct answer protected enclaves In Security Architecture, _____________ is a security control that prevents individuals from performing sensitive actions without a trusted peer reviewing and approving their actions. - correct answer dual control In Security Architecture, _____________ is a part of a system that, if it fails, will cause the failure of the entire system. - correct answer single point of failure In Security Architecture, _____________ is a personnel security control that can help to identify individuals who are exploiting the rights they have as part of their job. - correct answer mandatory vacation In Security Architecture, _____________ is a control that remediates a gap or flaw in another control. - correct answer compensating control In Identity and Access Management, __________ is a Cisco-designed authentication protocol. - correct answer TACACs+ In Identity and Access Management, __________ is the set of claims made about an account holder. - correct answer identity In Identity and Access Management, __________ is Microsoft's identity federation system. - correct answer ADFS In Identity and Access Management, __________ is an issue that occurs when accounts gain more rights over time due to role changes. - correct answer privilege creep In Identity and Access Management, __________ is where LDAP is deployed in this role. - correct answer directory service In Identity and Access Management, __________ is an open standard for authorization used for websites and applications. - correct answer OAuth 2.0 In Identity and Access Management, __________ is an XML-based protocol used to exchange authentication and authorization data. - correct answer SAML In Identity and Access Management, __________ is a common AAA system for network devices. 
- correct answer RADIUS In Security Tools, __________ is a source control management tool. - correct answer subversion In Security Tools, __________ is an SDLC model that relies on sprints to accomplish tasks based on user stories. - correct answer Agile In Security Tools, __________ is a code analysis that is done using a running application. - correct answer dynamic code analysis In Security Tools, __________ is a code analysis done using a running application that relies on sending unexpected data to see if the application fails. - correct answer fuzzing In Security Tools, __________ is a formal code review process that relies on specified entry and exit criteria for each phase. - correct answer Fagan inspection In Security Tools, __________ is a code review process that requires one developer to explain their code to another developer. - correct answer over the shoulder In Security Tools, __________ is the first SDLC model, replaced in many organizations but still used for very complex systems. - correct answer waterfall In Security Tools, __________ is an Agile term that describes the list of features needed to complete a project. - correct answer backlog Which format does dd produce files in? - correct answer RAW Files remnants found in clusters that have been only partially rewritten by new files are found in what type of space? - correct answer slack Mike is looking for information about files that were changed on a Windows system. Which of the following is least likely to contain useful information for his investigation? - correct answer event logs The __________ contain specific information about files. - correct answer Master File Table (MFT) and file indexes (INDX files) __________ help show differences between files and locations at a point in time. - correct answer Volume shadow copies Alice wants to copy a drive without any chance of it being modified by the copying process. What type of device should she use to ensure that this does not happen? 
- correct answer a write blocker __________ ensure that no changes are made to a source drive when creating a forensic copy. - correct answer write blockers Frederick wants to determine if a thumb drive was ever plugged into a Windows system. How can he test for this? - correct answer use the USB Historian A __________ provides a list of devices that logged in the Windows Registry. - correct answer USB Historian What two files may contain encryption keys normally stored only in memory on a Window system? - correct answer core dumps and hibernation files Core dumps and hibernation files both contain an image of the live memory of a system, potentially allowing __________ to be retrieved from the stored file. - correct answer encryption keys The __________ provides information about file layout. - correct answer Master File Table (MFT) The __________ contains system information. - correct answer Registry Jeff is investigating a system compromise and knows that the first event was reported on October 5th. What forensic tool capability should he use to map other events found in logs and files to this date? - correct answer a timeline Timelines are one of the most useful tools when conducting an investigation of a compromise or other event. __________ provide built-in timeline capabilities to allow this type of analysis. - correct answer Forensic tools To verify that the original disk has not changed, run __________ prior to and after the cloning process. - correct answer MD5sum Jennifer wants to perform memory analysis and forensics for Windows, macOS , and Linux systems. Which of the following best suits her needs? - correct answer The Volatility Framework LiME and fmem are __________ used to perform memory analysis and forensics. - correct answer Linux tools __________ is a Windows-only tool, used to perform memory analysis and forensics. 
- correct answer DumpIt Alex is conducting a forensic examination of a Windows system and wants to determine if an application was installed. Where can he find the Windows installer log files for a user named Jim? - correct answer C:WindowsJimAppDataLocalTemp __________ are typically kept in the user's temporary app data folder. - correct answer Windows Installer logs Kathleen needs to find data contained in memory but only has an image of an offline Windows system. Where does she have the best chance of recovering the information she needs? - correct answer %SystemRoot%MEMORY.DMP __________ are stored in %SystemRoot%MEMORY.DMP and contain the memory state of the system when the system crash occurred. - correct answer Windows crash dumps __________ is a Windows debugger. - correct answer WinDbg Carl does not have the ability to capture data from a cell phone using forensic or imaging software, and the phone does not have removeable storage. Fortunately, the phone was not set up with a PIN or screen lock. What is his best option to ensure he can see email and other data stored there? - correct answer manual access Manual access is used when phones cannot be __________ or accessed as a volume or filesystem. Manual access requires that the phone be reviewed by hand, with pictures and notes preserved to document the contents of the phone. - correct answer forensically imaged What forensic issue might the presence of a program like CCleaner indicate? - correct answer anti-forensic activities __________ is a PC cleanup utility that wipes Internet history, destroys cookies and other cashed data, and can impeded forensic investigations. - correct answer CCleaner Which of the following is not a potential issue with live imaging of a system? - correct answer unallocated space will be captured Unallocated space is typically not captured during a __________, potentially resulting in data being missed. 
- correct answer live image Remnant data from the tool, memory and drive contents changing while the image is occurring, and malware detecting the tool are all possible issues that may occur when __________ a system. - correct answer live imaging During his investigation, Jeff, a certified forensic examiner, is provided with a drive image created by an IT staff member and is asked to add it to his forensic case. What is the most important issue Jeff could encounter if the case goes to court? - correct answer inability to certify chain of custody Susan has been asked to identify the applications that start when a Windows system does. Where should she look first? - correct answer the Registry Windows stores information about programs that run when Windows starts in the Registry as __________ Registry keys, which run each time a user logs in. - correct answer Run and RunOnce During a forensic investigation Ben asks Chris to sit with him and to sign off on the actions he has taken. What is he doing? - correct answer maintaining chain of custody While maintaining chain of custody, one person acts as a __________ to the process for the actions another person is taking. - correct answer validator and witness Which tool is not commonly used to generate the hash of a forensic copy? AES - correct answer MD5, SHA1, and built-in hashing tools in FTK and other commercial tools are commonly used for creating __________. - correct answer forensic hashes Which of the following Linux command-line tools will show you how much disk space is in use? - correct answer df In Linux command-line tools, __________ tools will show you information about processes, CPU, and memory utilization. - correct answer top and ps In Linux command-line tools, __________ is a multifunction tool for listing open files. - correct answer lsof Which one of the phases of incident response involves primarily active undertakings designed to limit the damage that an attacker might cause? 
- correct answer containment, eradication, and recovery The containment, eradication, and recovery phase of __________ includes active undertakings designed to minimize the damage caused by the incident and restore normal operations as quickly as possible. - correct answer incident response Which one of the following criteria is not normally used when evaluating the appropriateness of a cybersecurity incident containment strategy? - correct answer log records generated by the strategy NIST recommends using six criteria to __________ a containment strategy: the potential damage to resources, the need for evidence preservation, service availability, time and resources required (including cost), effectiveness of the strategy, and duration of the solution. - correct answer evaluate Which choice is one of the six criteria NIST recommends to evaluate a containment strategy? - correct answer the potential damage to resources Which choice is one of the six criteria NIST recommends to evaluate a containment strategy? - correct answer the need for evidence preservation Which choice is one of the six criteria NIST recommends to evaluate a containment strategy? - correct answer service availability Which choice is one of the six criteria NIST recommends to evaluate a containment strategy? - correct answer time and resources required (including cost) Which choice is one of the six criteria NIST recommends to evaluate a containment strategy? - correct answer effectiveness of the strategy Which choice is one of the six criteria NIST recommends to evaluate a containment strategy? - correct answer duration of the solution Alice is responding to a cybersecurity incident and notices a system that she suspects is compromised. She places this system on a quarantine VLAN with limited access to other networked systems. What containment strategy is Alice pursuing? 
- correct answer segmentation Alice confers with other team members and decides that even allowing limited access to other systems is an unacceptable risk and decides instead to prevent the quarantine VLAN from accessing any other systems by putting firewall rules in place that limit access to other enterprise systems. The attacker can still control the system to allow Alice to continue monitoring the incident. What strategy is she pursuing? - correct answer isolation After observing the attacker, Alice decides to remove the Internet connection entirely, leaving the systems running but inaccessible from outside the quarantine VLAN. What strategy is she pursuing? - correct answer removal What tool may be used to isolate an attacker so that they may not cause damage to production systems but may still be observed by cybersecurity analysts? - correct answer sandbox Tamara is a cybersecurity analyst for a private business that is suffering a security breach. She believes the attackers have compromised a database containing sensitive information. Which one of the following activities should be Tamara's first priority? - correct answer containment Which one of the following activities does CompTIA classify as part of the recovery validation effort? - correct answer scanning CompTIA includes ____________________ in the set of validation activities that cybersecurity analysts should undertake in the aftermath of a security incident. - correct answer patching CompTIA includes ____________________ in the set of validation activities that cybersecurity analysts should undertake in the aftermath of a security incident. - correct answer permissions CompTIA includes ____________________ in the set of validation activities that cybersecurity analysts should undertake in the aftermath of a security incident. 
- correct answer security scanning CompTIA includes ____________________ in the set of validation activities that cybersecurity analysts should undertake in the aftermath of a security incident. - correct answer verifying logging/communication to monitoring Which one of the following pieces of information is most critical to conducting a solid incident recovery effort? - correct answer root cause of the attack Understanding the root cause of an attack is critical to the ____________________. Analysts should examine all available information to help reconstruct the attackers' actions. This information is crucial to remediating security controls and preventing future similar attacks. - correct answer incident recovery effort Lynda is disposing of a drive containing sensitive information that was collected during the response to a cybersecurity incident. The information is categorized as a high security risk and she wishes to reuse the media during a future incident. What is the appropriate disposition for this information? - correct answer purge In the NIST Guidelines for Media Sanitation, ____________________ applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques. - correct answer clear In the NIST Guidelines for Media Sanitation, ____________________ applies physical or logical techniques that render target data recovery infeasible using state-of-the-art laboratory techniques. - correct answer purge In the NIST Guidelines for Media Sanitation, ____________________ renders data recover infeasible using state-of-the-art laboratory techniques and results in the subsequent inability to use the media for storage of data. - correct answer destroy In the NIST Guidelines for Media Sanitation, an example of clearing is typically applied through: ______________. 
- correct answer rewriting with a new value or using a menu option to reset the device to the factory state In the NIST Guidelines for Media Sanitation, an example of purging includes: __________________. - correct answer Degaussing, overwriting, block erase, and cryptographic erase activities when performed through the use of dedicated, standardized device commands In the NIST Guidelines for Media Sanitation, an example of destroying includes____________________. - correct answer disintegration, pulverization, melting, and incinerating In the NIST Guidelines for Media Sanitation, if the security categorization is low and it is not leaving the organization's control, it can be ____________________. - correct answer cleared then validated In the NIST Guidelines for Media Sanitation, if the security categorization is low and it is leaving the organization's control, it should be ____________________. - correct answer purged then validated In the NIST Guidelines for Media Sanitation, if the security categorization is moderate and the media will not be reused, it should be ____________________. - correct answer destroyed then validated In the NIST Guidelines for Media Sanitation, if the security categorization is moderate and the media will be reused AND is not leaving the organization's control, it should be ____________________. - correct answer cleared then validated In the NIST Guidelines for Media Sanitation, if the security categorization is moderate and the media will be reused AND is leaving the organization's control, it should be ____________________. - correct answer purged then validated In the NIST Guidelines for Media Sanitation, if the security categorization is high and the media will not be reused, it should be ____________________. 
- correct answer destroyed then validated In the NIST Guidelines for Media Sanitation, if the security categorization is high and the media will be reused AND is not leaving the organization's control, it should be ____________________. - correct answer purged then validated In the NIST Guidelines for Media Sanitation, if the security categorization is high and the media will be reused AND is leaving the organization's control, it should be ____________________. - correct answer destroyed then validated Which one of the following activities is not normally conducted during the recovery validation phase? - correct answer implement new firewall rules New firewall rules, if required, would be implemented during the ______________. - correct answer eradication and recovery phase The ______________ includes verifying accounts and permissions, verifying the logging is working properly, and conducting vulnerability scans. - correct answer validation phase What incident response activity focuses on removing any artifacts of the incident that may remain on the organization's network? - correct answer eradication Eradication, during an incident response activity, may include: ______________. - correct answer removal of any malicious code from the network, sanitization of compromised media, and securing of compromised user accounts Which one of the following is not a common use of formal incident reports? - correct answer sharing with other organizations Formal incident reports should be classified and not disclosed to external parties. Formal incident reports: ______________. - correct answer create an institutional memory of the incident that is useful when developing new security controls and training new security team members, serve as an important record of the incident if there is ever legal action that results from an incident. Which one of the following data elements would not normally be included in an evidence log? 
- correct answer malware signatures Sondra determines that an attacker has gained access to a server containing critical business files and wishes to ensure that the attacker cannot delete those files. What strategy would meet Sondra's goal? - correct answer none, even removing a system from the network doesn't guarantee that the attack will not continue. An attacker can run a script on a server that detects when it has been removed from the network and then proceeds to destroy data stored on the server. Joe would like to determine the appropriate disposition of a flash drive used to gather highly sensitive evidence during an incident response effort. He does not need to reuse the drive but wants to return it to its owner, an outside contractor. What is the appropriate disposition? - correct answer destroy Which one of the following is not typically found in a cybersecurity incident report? - correct answer identity of the attacker ______________ should include a chronology of events, estimates of the impact, and documentation of lessons learned, in addition to other information. - correct answer Incident Reports What NIST publication contains guidance on cybersecurity incident handling? - correct answer SP 800-61 NIST SP 800-61 is the ______________. - correct answer Computer Security Incident Handling Guide NIST SP 800-53 is the ______________. - correct answer Security and Privacy Controls for Federal Information Systems and Organizations NIST SP 800-88 is the ______________. - correct answer Guidelines for Media Sanitization NIST SP 800-18 is the ______________. 
- correct answer Guide for Developing Security Plans for Federal Information Systems Computer Security Incident Handling Guide - correct answer NIST SP 800-61 Security and Privacy Controls for Federal Information Systems and Organizations - correct answer NIST SP 800-53 Guidelines for Media Sanitization - correct answer NIST SP 800-88 Guide for Developing Security Plans for Federal Information Systems - correct answer NIST SP 800-18 Which one of the following is not a purging activity? - correct answer resetting to factory state Resetting a device to factory state is an example of ______________. - correct answer data clearing Ben is responding to a security incident and determines that the attacker is using systems on Ben's network to attack a third party. Which one of the following containment approaches will prevent Ben's systems from being used in this manner? - correct answer removal from the system Joe is authoring a document that explains to system administrators one way that they might comply with the organization's requirement to encrypt all laptops. What type of document is Joe writing? - correct answer guideline If someone is authoring a guideline, it indicates that ______________ with the document is not mandatory. - correct answer compliance Which one of the following statements is not true about compensating controls under PCI DSS? - correct answer controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement In ______________, controls must meet the intent and rigor of the original requirement and must provide a similar level of defense as the original requirement. - correct answer compensating controls under PCI DSS What law creates cybersecurity obligations for healthcare providers and others in the health industry? - correct answer HIPAA Which one of the following is not one of the five core security functions defined by the NIST Cybersecurity Framework? 
- correct answer contain The five core security functions, as defined by the NIST Cybersecurity Framework are: - correct answer identify, protect, detect, respond, and recover What International Organization for Standardization (ISO) standard applies to information security management controls? - correct answer ISO 27001 ISO 27001, is published by the International Organization for Standardization (ISO) and is titled ______________. - correct answer Information technology - Security techniques - Information security management systems - Requirements Which document must normally be approved by the CEO or similarly high-level executive? - correct answer policy What SABSA architecture layer corresponds to the designer's view of security architecture? - correct answer Logical Security Architecture What SABSA architecture layer corresponds to the Architect's view of security architecture? - correct answer Conceptual Security Architecture What SABSA architecture layer corresponds to the Business view of security architecture? - correct answer Contextual Security Architecture What SABSA architecture layer corresponds to the Builder's view of security architecture? - correct answer Physical Security Architecture What SABSA architecture layer corresponds to the Tradesman's view of security architecture? - correct answer Component Security Architecture What SABSA architecture layer corresponds to the Service Manager's view? - correct answer Security Service Management Architecture What law governs the financial records of publicly traded companies? - correct answer Sarbanes-Oxley (SOX) Act What TOGAF domain provides the organization's approach to storing and managing information assets? - correct answer data architecture In the TOGAF domain, __________________ defines governance and organization and explains the interaction between enterprise architecture and business strategy. 
- correct answer Business architecture In the TOGAF domain, __________________ includes the applications and systems that an organization deploys, the interactions between those systems, and their relation to business processes. - correct answer Applications architecture In the TOGAF domain, __________________ provides the organization's approach to storing and managing information assets. - correct answer Data architecture In the TOGAF domain, __________________ describes the infrastructure needed to support the other architectural domains. - correct answer Technical architecture The TOGAF domain also includes the __________________ which describes how an organization might move through the cyclical process of developing its own enterprise architecture. - correct answer Architecture Development Method (ADM) __________________ is a framework that offers a comprehensive approach to IT service management within the modern enterprise. - correct answer The Information Technology Infrastructure Library (ITIL) The Information Technology Infrastructure Library (ITIL) covers five core activities. __________________ is one of these activities and is central in the life cycle. - correct answer Service Strategy The Information Technology Infrastructure Library (ITIL) covers five core activities. __________________ is one of three connected to the Service Strategy in the life cycle. - correct answer Service Design The Information Technology Infrastructure Library (ITIL) covers five core activities. __________________ is one of three connected to the Service Strategy in the life cycle. - correct answer Service Operation The Information Technology Infrastructure Library (ITIL) covers five core activities. __________________ is one of three connected to the Service Strategy in the life cycle. - correct answer Service Transition The Information Technology Infrastructure Library (ITIL) covers five core activities. __________________ is considered continuous in the life cycle. 
- correct answer Continual Service Improvement __________________ are security controls that impact the physical world: fences, perimeter lighting, locks, fire suppression systems, and burglar alarms.
Document information
- Uploaded on
- April 27, 2024
- Number of pages
- 203
- Written in
- 2023/2024
- Type
- Exam (elaborations)
- Contains
- Questions & answers