Title of test:
Cysa+02 cap 4

Description:
Sybex 0-100

Author:
Adrian B

Creation Date:
18/05/2023

Category:
Computers

Number of questions: 44
Content:
If Lucca wants to validate the application files he has downloaded from the vendor of his application, what information should he request from them? A. File size and file creation date B. MD5 hash C. Private key and cryptographic hash D. Public key and cryptographic hash.
Chris wants to run John the Ripper against a Linux system’s passwords. What does he need to attempt password recovery on the system? A. Both /etc/passwd and /etc/shadow B. /etc/shadow C. /etc/passwd D. Chris cannot recover passwords; only hashes are stored.
Mei is planning to deploy rogue access point detection capabilities for her network. If she wants to deploy the most effective detection capability she can, which of the following detection types should she deploy first? A. Authorized MAC B. Authorized SSID C. Authorized channel D. Authorized vendor.
The company that Brian works for processes credit cards and is required to be compliant with PCI DSS. If Brian’s company experiences a breach of card data, what type of disclosure will they be required to provide? A. Notification to local law enforcement B. Notification to their acquiring bank C. Notification to federal law enforcement D. Notification to Visa and MasterCard.
Lauren wants to create a backup of Linux permissions before making changes to the Linux workstation she is attempting to remediate. What Linux tool can she use to back up the permissions of an entire directory on the system? A. chbkup B. getfacl C. aclman D. There is not a common Linux permission backup tool.
Jessica wants to access a macOS FileVault 2–encrypted drive. Which of the following methods is not a possible means of unlocking the volume? A. Change the FileVault key using a trusted user account. B. Retrieve the key from memory while the volume is mounted. C. Acquire the recovery key. D. Extract the keys from iCloud.
Frank wants to log the creation of user accounts on a Windows workstation. What tool should he use to enable this logging? A. secpol.msc B. auditpol.msc C. regedit D. Frank does not need to make a change; this is a default setting.
If Suki wants to purge a drive, which of the following options will accomplish her goal? A. Cryptographic erase B. Reformat C. Overwrite D. Repartition.
Mika wants to analyze the contents of a drive without causing any changes to the drive. What method is best suited to ensuring this? A. Set the “read-only” jumper on the drive. B. Use a write blocker. C. Use a read blocker. D. Use a forensic software package.
Eric has access to a full suite of network monitoring tools and wants to use appropriate tools to monitor network bandwidth consumption. Which of the following is not a common method of monitoring network bandwidth usage? A. SNMP B. Portmon C. Packet sniffing D. NetFlow.
Fred is attempting to determine whether a user account is accessing other systems on his network and uses lsof to determine what files the user account has open. What information should he identify when faced with the following lsof output? A. The user account demo is connected from remote.host.com to a local system. B. The user demo has replaced the /bash executable with one they control. C. The user demo has an outbound connection to remote.host.com. D. The user demo has an inbound SSH connection and has replaced the Bash binary.
As Lauren prepares her organization’s security practices and policies, she wants to address as many threat vectors as she can using an awareness program. Which of the following threats can be most effectively dealt with via awareness? A. Attrition B. Impersonation C. Improper usage D. Web.
Scott wants to recover user passwords for systems as part of a forensic analysis effort. If he wants to test for the broadest range of passwords, which of the following modes should he run John the Ripper in? A. Single crack mode B. Wordlist mode C. Incremental mode D. External mode.
During a forensic investigation, Lukas discovers that he needs to capture a virtual machine that is part of the critical operations of his company’s website. If he cannot suspend or shut down the machine for business reasons, what imaging process should he follow? A. Perform a snapshot of the system, boot it, suspend the copied version, and copy the directory it resides in. B. Copy the virtual disk files and then use a memory capture tool. C. Escalate to management to get permission to suspend the system to allow a true forensic copy. D. Use a tool like the Volatility Framework to capture the live machine completely.
Mika, a computer forensic examiner, receives a PC and its peripherals that were seized as forensic evidence during an investigation. After she signs off on the chain of custody log and starts to prepare for her investigation, one of the first things she notes is that each cable and port was labeled with a color-coded sticker by the on-site team. Why are the items labeled like this? A. To ensure chain of custody B. To ensure correct reassembly C. To allow for easier documentation of acquisition D. To tamper-proof the system.
Laura needs to create a secure messaging capability for her incident response team. Which of the following methods will provide her with a secure messaging tool? A. Text messaging B. A Jabber server with TLS enabled C. Email with TLS enabled D. A messaging application that uses the Signal protocol.
Lakshman needs to sanitize hard drives that will be leaving his organization after a lease is over. The drives contained information that his organization classifies as sensitive data that competitors would find valuable if they could obtain it. Which choice is the most appropriate to ensure that data exposure does not occur during this process? A. Clear, validate, and document B. Purge the drives. C. Purge, validate, and document. D. The drives must be destroyed to ensure no data loss.
Latisha is the IT manager for a small company and occasionally serves as the organization’s information security officer. Which of the following roles should she include as the leader of her organization’s CSIRT? A. Her lead IT support staff technician B. Her organization’s legal counsel C. A third-party IR team lead D. She should select herself.
Latisha wants to ensure that the two most commonly used methods for preventing Linux buffer overflow attacks are enabled for the operating system she is installing on her servers. What two related technologies should she investigate to help protect her systems? A. The NX bit and ASLR B. StackAntismash and DEP C. Position-independent variables and ASLR D. DEP and the position-independent variables.
Angela is attempting to determine when a user account was created on a Windows 10 workstation. What method is her best option if she believes the account was created recently? A. Check the System log. B. Check the user profile creation date. C. Check the Security log. D. Query the registry for the user ID creation date.
Lauren wants to detect administrative account abuse on a Windows server that she is responsible for. What type of auditing permissions should she enable to determine whether users with administrative rights are making changes? A. Success B. Fail C. Full control D. All.
Because of external factors, Eric has only a limited time period to collect an image from a workstation. If he collects only specific files of interest, what type of acquisition has he performed? A. Logical B. Bit-by-bit C. Sparse D. None of the above.
Kelly sees high CPU utilization in the Windows Task Manager, as shown here, while reviewing a system’s performance issues. If she wants to get a detailed view of the CPU usage by application, with PIDs and average CPU usage, what native Windows tool can she use to gather that detail? A. Resource Monitor B. Task Manager C. iperf D. Perfmon.
A. The memory usage is stable and can be left as it is. B. The memory usage is high and must be addressed. C. Roger should enable automatic memory management. D. There is not enough information to make a decision.
NIST defines five major types of threat information types in NIST SP 800-150, “Guide to Cyber Threat Information Sharing.”
1. Indicators, which are technical artifacts or observables that suggest an attack is imminent, currently underway, or compromise may have already occurred
2. Tactics, techniques, and procedures that describe the behavior of an actor
3. Security alerts like advisories and bulletins
4. Threat intelligence reports that describe actors, systems, and information being targeted and the methods being used
5. Tool configurations that support collection, exchange, analysis, and use of threat information
Which of these should Frank seek out to help him best protect the midsize organization he works for against unknown threats? A. 1, 2, and 5 B. 1, 3, and 5 C. 2, 4, and 5 D. 1, 2, and 4.
Vlad wants to determine whether the user of a company-owned laptop accessed a malicious wireless access point. Where can he find the list of wireless networks that the system knows about? A. The registry B. The user profile directory C. The wireless adapter cache D. Wireless network lists are not stored after use.
Susan needs to perform forensics on a virtual machine. What process should she use to ensure she gets all of the forensic data she may need? A. Suspend the machine and copy the contents of the directory it resides in. B. Perform a live image of the machine. C. Suspend the machine and make a forensic copy of the drive it resides on. D. Turn the virtual machine off and make a forensic copy of it.
A. The files need to be compressed. B. The destination drive is formatted FAT32. C. The destination drive is formatted NTFS. D. The files are encrypted.
Christina’s organization recently suffered an incident where an attacker connected to their wireless network. In response, she is configuring ongoing monitoring for rogue devices on her monitoring system and wants to select an appropriate reset condition for rogue MAC address alerts. Which of the options shown here is best suited to handling rogue devices if she wants to avoid creating additional work for her team? A. Reset when no longer true. B. Reset after a time period. C. No reset condition; trigger each time the condition is met. D. No reset action; manually remove the alert from the active alerts list.
Which of the following is not an important part of the incident response communication process? A. Limiting communication to trusted parties B. Disclosure based on public feedback C. Using a secure method of communication D. Preventing accidental release of incident-related information.
A. The network link has failed. B. A DDoS is in progress. C. An internal system is transferring a large volume of data. D. The network link has been restored.
Mei’s team has completed the initial phases of their incident response process and is assessing the time required to recover from the incident. Using the NIST recoverability effort categories, the team has determined that they can predict the time to recover but will require additional resources. How should she categorize this using the NIST model? A. Regular B. Supplemented C. Extended D. Not recoverable.
When Abdul arrived at work this morning, he found an email in his inbox that read, “Your systems are weak; we will own your network by the end of the week.” How would he categorize this sign of a potential incident if he was using the NIST SP 800-61 descriptions of incident signs? A. An indicator B. A threat C. A risk D. A precursor.
As the CISO of her organization, Mei is working on an incident classification scheme and wants to base her design on NIST’s definitions. Which of the following options should she use to best describe a user accessing a file that they are not authorized to view? A. An incident B. An event C. An adverse event D. A security incident.
In his role as a small company’s information security manager, Mike has a limited budget for hiring permanent staff. Although his team can handle simple virus infections, he does not currently have a way to handle significant information security incidents. Which of the following options should Mike investigate to ensure that his company is prepared for security incidents? A. Outsource to a third-party SOC B. Create an internal SOC C. Hire an internal incident response team D. Outsource to an incident response provider.
Degaussing is an example of what form of media sanitization? A. Clearing B. Purging C. Destruction D. It is not a form of media sanitization.
While reviewing storage usage on a Windows system, Brian checks the volume shadow copy storage as shown here:
C:\WINDOWS\system32>vssadmin list Shadowstorage
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.
Shadow Copy Storage association
For volume: (C:)\\?\Volume{c3b53dae-0e54-13e3-97ab-806e6f6e69633}\
Shadow Copy Storage volume: (C:)\\?\Volume{c3b53dae-0e54-13e3-97ab-806e6f6e6963}\
Used Shadow Copy Storage space: 25.6 GB (2%)
Allocated Shadow Copy Storage space: 26.0 GB (2%)
Maximum Shadow Copy Storage space: 89.4 GB (10%)
What purpose does this storage serve, and can he safely delete it? A. It provides a block-level snapshot and can be safely deleted. B. It provides secure hidden storage and can be safely deleted. C. It provides secure hidden storage and cannot be safely deleted. D. It provides a block-level snapshot and cannot be safely deleted.
Near the end of a typical business day, Suki is notified that her organization’s email servers have been blacklisted because of email that appears to originate from her domain. What information does she need to start investigating the source of the spam emails? A. Firewall logs showing SMTP connections B. The SMTP audit log from her email server C. The full headers of one of the spam messages D. Network flows for her network.
While checking for bandwidth consumption issues, Bohai uses the ifconfig command on the Linux box that he is reviewing. He sees that the device has sent less than 4 GB of data, but his network flow logs show that the system has sent over 20 GB. What problem has Bohai encountered? A. A rootkit is concealing traffic from the Linux kernel. B. Flow logs show traffic that does not reach the system. C. ifconfig resets traffic counters at 4 GB. D. ifconfig only samples outbound traffic and will not provide accurate information.
Max wants to improve the effectiveness of the incident analysis process he is responsible for as the leader of his organization’s CSIRT. Which of the following is not a commonly recommended best practice based on NIST’s guidelines? A. Profile networks and systems to measure the characteristics of expected activity. B. Perform event correlation to combine information from multiple sources. C. Maintain backups of every system and device. D. Capture network traffic as soon as an incident is suspected.
A. Run Windows Explorer as an administrator and repeat the copy. B. Open the file using fmem. C. Run cmd.exe as an administrator and repeat the copy. D. Shut the system down, remove the drive, and copy it from another system.
Stefan wants to prevent evil twin attacks from working on his wireless network. Which of the following is not a useful method for detecting evil twins? A. Check for BSSID. B. Check the SSID. C. Check the attributes (channel, cipher, authentication method). D. Check for tagged parameters like the organizational unique identifier.
A. The System Reserved partition B. The System Reserved and Unallocated partitions C. The System Reserved and C: partitions D. The C: and unallocated partitions.
Luke needs to verify settings on a macOS computer to ensure that the configuration items he expects are set properly. What type of file is commonly used to store configuration settings for macOS systems? A. The registry B. .profile files C. Plists D. .config files.