Title of test:
CYBEROPS

Description:
CyberOps Practice Exam

Author:
Honey Badger

Creation Date:
12/12/2020

Category:
Computers

Number of questions: 208
Content:
Which event is user interaction? Gaining root access Executing remote code Reading and writing file permission Opening a malicious file.
Which security principle requires that more than one person perform a critical task? Least privilege Need to know Separation of duties Due diligence.
How is attacking a vulnerability categorized? Action on objectives Delivery Exploitation Installation.
What is the benefit of agent-based protection when compared to agentless protection? It lowers maintenance costs It provides a centralized platform It collects and detects all traffic locally It manages numerous devices simultaneously.
Which principle is being followed when an analyst gathers information relevant to a security incident to determine the appropriate course of action? Decision making Rapid response Data mining Due diligence.
One of the objectives of information security is to protect the CIA of information and systems. What does CIA mean in this context? confidentiality, identity, and authorization confidentiality, integrity, and authorization confidentiality, identity, and availability confidentiality, integrity, and availability.
What is rule-based detection when compared to statistical detection? proof of a user's identity proof of a user's action likelihood of user's action falsification of a user's identity.
A user received a malicious attachment but did not run it. Which category classifies the intrusion? weaponization reconnaissance installation delivery.
Which process is used when IPS events are removed to improve data integrity? data availability data normalization data signature data protection.
An analyst is investigating an incident in a SOC environment. Which method is used to identify a session from a group of logs? sequence numbers IP identifier 5-tuple timestamps.
What is a difference between SOAR and SIEM? SOAR platforms are used for threat and vulnerability management, but SIEM applications are not SIEM applications are used for threat and vulnerability management, but SOAR platforms are not SOAR receives information from a single platform and delivers it to a SIEM SIEM receives information from a single platform and delivers it to a SOAR.
What is the difference between mandatory access control (MAC) and discretionary access control (DAC)? MAC is controlled by the discretion of the owner and DAC is controlled by an administrator MAC is the strictest of all levels of control and DAC is object-based access DAC is controlled by the operating system and MAC is controlled by an administrator DAC is the strictest of all levels of control and MAC is object-based access.
What is the practice of giving employees only those permissions necessary to perform their specific role within an organization? least privilege need to know integrity validation due diligence.
What is the virtual address space for a Windows process? Physical location of an object in memory Set of pages that reside in the physical memory System-level memory protection feature built into the operating system Set of virtual memory addresses that can be used.
Which security principle is violated by running all processes as root or administrator? principle of least privilege role-based access control separation of duties trusted computing base.
What is the function of a command and control server? It enumerates open ports on a network device It drops secondary payload into malware It is used to regain control of the network after a compromise It sends an instruction to a compromised system.
What is the difference between deep packet inspection and stateful inspection? Deep packet inspection is more secure than stateful inspection on Layer 4 Stateful inspection verifies contents at Layer 4 and deep packet inspection verifies connection at Layer 7 Stateful inspection is more secure than deep packet inspection on Layer 7 Deep packet inspection allows visibility on Layer 7 and stateful inspection allows visibility on Layer 4.
Which evasion technique is a function of ransomware? extended sleep calls encryption resource exhaustion encoding.
Refer to the exhibit. Which two elements in the table are parts of the 5-tuple? (Choose two.) First Packet Initiator User Ingress Security Zone Source Port Initiator IP.
Drag and drop the security concept on the left onto the example of that concept on the right. Risk Assessment Vulnerability Exploit Threat.
What is the difference between statistical detection and rule-based detection models? Rule-based detection involves the collection of data in relation to the behavior of legitimate users over a period of time Statistical detection defines legitimate data of users over a period of time and rule-based detection defines it on an IF/THEN basis Statistical detection involves the evaluation of an object on its intended actions before it executes that behavior Rule-based detection defines legitimate data of users over a period of time and statistical detection defines it on an IF/THEN basis.
What is the difference between a threat and a risk? Threat represents a potential danger that could take advantage of a weakness in a system Risk represents the known and identified loss or danger in the system Risk represents the nonintentional interaction with uncertainty in the system Threat represents a state of being exposed to an attack or a compromise either physically or logically.
Which attack method intercepts traffic on a switched network? denial of service ARP cache poisoning DHCP snooping command and control.
What does an attacker use to determine which network ports are listening on a potential target device? man-in-the-middle port scanning SQL injection ping sweep.
What is a purpose of a vulnerability management framework? identifies, removes, and mitigates system vulnerabilities detects and removes vulnerabilities in source code conducts vulnerability scans on the network manages a list of reported vulnerabilities.
Which open-source packet capture tool runs on Linux and Mac OS X operating systems? NetScout tcpdump SolarWinds netsh.
Refer to the exhibit. Which kind of attack method is depicted in this string? cross-site scripting man-in-the-middle SQL injection denial of service.
Which two components reduce the attack surface on an endpoint? (Choose two.) secure boot load balancing increased audit log levels restricting USB ports full packet captures at the endpoint.
What is an attack surface as compared to a vulnerability? any potential danger to an asset the sum of all paths for data into and out of the application an exploitable weakness in a system or its design the individuals who perform an attack.
An intruder attempted malicious activity and exchanged emails with a user and received corporate information, including email distribution lists. The intruder asked the user to engage with a link in an email. When the link launched, it infected machines and the intruder was able to access the corporate network. Which testing method did the intruder use? social engineering eavesdropping piggybacking tailgating.
What are two social engineering techniques? (Choose two.) privilege escalation DDoS attack phishing man-in-the-middle pharming.
Refer to the exhibit. What does the output indicate about the server with the IP address 172.18.104.139? open ports of a web server open port of an FTP server open ports of an email server running processes of the server.
How does certificate authority impact a security system? It authenticates client identity when requesting SSL certificate It validates domain identity of a SSL certificate It authenticates domain identity when requesting SSL certificate It validates client identity when communicating with the server.
When communicating via TLS, the client initiates the handshake to the server and the server responds back with its certificate for identification. Which information is available on the server certificate? server name, trusted subordinate CA, and private key trusted subordinate CA, public key, and cipher suites trusted CA name, cipher suites, and private key server name, trusted CA, and public key.
How does an SSL certificate impact security between the client and the server? by enabling an authenticated channel between the client and the server by creating an integrated channel between the client and the server by enabling an authorized channel between the client and the server by creating an encrypted channel between the client and the server.
Which attack is the network vulnerable to when a stream cipher like RC4 is used twice with the same key? forgery attack plaintext-only attack ciphertext-only attack meet-in-the-middle attack.
Which list identifies the information that the client sends to the server in the negotiation phase of the TLS handshake? ClientStart, ClientKeyExchange, cipher-suites it supports, and suggested compression methods ClientStart, TLS versions it supports, cipher-suites it supports, and suggested compression methods ClientHello, TLS versions it supports, cipher-suites it supports, and suggested compression methods ClientHello, ClientKeyExchange, cipher-suites it supports, and suggested compression methods.
Refer to the exhibit. Which type of log is displayed? IDS proxy NetFlow sys.
Refer to the exhibit. What information is depicted? IIS data NetFlow data network discovery event IPS event data.
What is the difference between the ACK flag and the RST flag in the NetFlow log session? The RST flag confirms the beginning of the TCP connection, and the ACK flag responds when the data for the payload is complete The ACK flag confirms the beginning of the TCP connection, and the RST flag responds when the data for the payload is complete The RST flag confirms the receipt of the prior segment, and the ACK flag allows for the spontaneous termination of a connection The ACK flag confirms the receipt of the prior segment, and the RST flag allows for the spontaneous termination of a connection.
Refer to the exhibit. Which type of log is displayed? proxy NetFlow IDS sys.
How is NetFlow different than traffic mirroring? NetFlow collects metadata and traffic mirroring clones data Traffic mirroring impacts switch performance and NetFlow does not Traffic mirroring costs less to operate than NetFlow NetFlow generates more data than traffic mirroring.
What makes HTTPS traffic difficult to monitor? SSL interception packet header size signature detection time encryption.
How does an attacker observe network traffic exchanged between two users? port scanning man-in-the-middle command injection denial of service.
Which type of data consists of connection level, application-specific records generated from network traffic? transaction data location data statistical data alert data.
An engineer receives a security alert that traffic with a known TOR exit node has occurred on the network. What is the impact of this traffic? ransomware communicating after infection users downloading copyrighted content data exfiltration user circumvention of the firewall.
An analyst is investigating a host in the network that appears to be communicating to a command and control server on the Internet. After collecting this packet capture, the analyst cannot determine the technique and payload used for the communication. Which obfuscation technique is the attacker using? Base64 encoding transport layer security encryption SHA-256 hashing ROT13 encryption.
What are two differences in how tampered and untampered disk images affect a security incident? (Choose two.) Untampered images are used in the security investigation process Tampered images are used in the security investigation process The image is tampered if the stored hash and the computed hash match Tampered images are used in the incident recovery process The image is untampered if the stored hash and the computed hash match.
During which phase of the forensic process is data that is related to a specific event labeled and recorded to preserve its integrity? examination investigation collection reporting.
Which step in the incident response process researches an attacking host through logs in a SIEM? detection and analysis preparation eradication containment.
A malicious file has been identified in a sandbox analysis tool. Which piece of information is needed to search for additional downloads of this file by other hosts? file type file size file name file hash value.
Refer to the exhibit. What is the potential threat identified in this Stealthwatch dashboard? Host 10.201.3.149 is sending data to 152.46.6.91 using TCP/443. Host 152.46.6.91 is being identified as a watchlist country for data transfer. Traffic to 152.46.6.149 is being denied by an Advanced Network Control policy. Host 10.201.3.149 is receiving almost 19 times more data than is being sent to host 152.46.6.91.
Refer to the exhibit. What is the potential threat identified in this Stealthwatch dashboard? A policy violation is active for host 10.10.101.24 A host on the network is sending a DDoS attack to another inside host There are two active data exfiltration alerts. A policy violation is active for host 10.201.3.149.
Which security technology allows only a set of pre-approved applications to run on a system? application-level blacklisting host-based IPS application-level whitelisting antivirus.
An investigator is examining a copy of an ISO file that is stored in CDFS format. What type of evidence is this file? data from a CD copied using Mac-based system data from a CD copied using Linux system data from a DVD copied using Windows system data from a CD copied using Windows.
Which piece of information is needed for attribution in an investigation? proxy logs showing the source RFC 1918 IP addresses RDP allowed from the Internet known threat actor behavior 802.1x RADIUS authentication pass and fail logs.
What does cyber attribution identify in an investigation? cause of an attack exploit of an attack vulnerabilities exploited threat actors of an attack.
A security engineer has a video of a suspect entering a data center that was captured on the same day that files in the same data center were transferred to a competitor. Which type of evidence is this? best evidence prima facie evidence indirect evidence physical evidence.
Refer to the exhibit. Which event is occurring? A binary named "submit" is running on VM cuckoo1 A binary is being submitted to run on VM cuckoo1 A binary on VM cuckoo1 is being submitted for evaluation A URL is being evaluated to see if it has a malicious binary.
Refer to the exhibit. In which Linux log file is this output found? /var/log/authorization.log /var/log/dmesg var/log/var.log /var/log/auth.log.
An engineer runs a suspicious file in a sandbox analysis tool to see the outcome. The analysis report shows that outbound callouts were made post infection. Which two pieces of information from the analysis report are needed to investigate the callouts? (Choose two.) signatures host IP addresses file size dropped files domain names.
An analyst is exploring the functionality of different operating systems. What is a feature of Windows Management Instrumentation that must be considered when deciding on an operating system? queries Linux devices that have Microsoft Services for Linux installed deploys Windows Operating Systems in an automated fashion is an efficient tool for working with Active Directory has a Common Information Model, which describes installed hardware and software.
What causes events on a Windows system to show Event Code 4625 in the log messages? The system detected an XSS attack Someone is trying a brute force attack on the network Another device is gaining root access to the system A privileged user successfully logged into the system.
Refer to the exhibit. What does the message indicate? an access attempt was made from the Mosaic web browser a successful access attempt was made to retrieve the password file a successful access attempt was made to retrieve the root of the website a denied access attempt was made to retrieve the password file.
Refer to the exhibit. This request was sent to a web application server driven by a database. Which type of web server attack is represented? parameter manipulation heap memory corruption command injection blind SQL injection.
A SOC analyst is investigating an incident that involves a Linux system that is identifying specific sessions. Which identifier tracks an active program? application identification number active process identification number runtime identification number process identification number.
An offline audit log contains the source IP address of a session suspected to have exploited a vulnerability resulting in system compromise. Which kind of evidence is this IP address? best evidence corroborative evidence indirect evidence forensic evidence.
While viewing packet capture data, an analyst sees that one IP is sending and receiving traffic for multiple devices by modifying the IP header. Which technology makes this behavior possible? encapsulation TOR tunneling NAT.
Which tool is commonly used by threat actors on a webpage to take advantage of the software vulnerabilities of a system to spread malware? exploit kit rootkit vulnerability kit script kiddie kit.
A security engineer has a video of a suspect entering a data center that was captured on the same day that files in the same data center were transferred to a competitor. Which type of evidence is this? best evidence prima facie evidence indirect evidence physical evidence.
Which type of evidence supports a theory or an assumption that results from initial evidence? probabilistic indirect best corroborative.
Which two elements are assets in the role of attribution in an investigation? (Choose two.) context session laptop firewall logs threat actor.
What are three key components of a threat-centric SOC? (Choose three.) people compliances processes regulations technologies.
Which term represents a potential danger that could take advantage of a weakness in a system? vulnerability risk threat exploit.
Which type of exploit normally requires the culprit to have prior access to the target system? local exploit denial of service system vulnerability remote exploit.
At which layer is deep packet inspection investigated on a firewall? internet transport application data link.
Which NIST IR category stakeholder is responsible for coordinating incident response among various business units, minimizing damage, and reporting to regulatory agencies? CSIRT PSIRT public affairs management.
Which of the following access control models use security labels to make access decisions? Mandatory Access Control (MAC) Role-based Access Control (RBAC) Identity-based Access Control (IBAC) Discretionary Access Control (DAC).
How is attacking a vulnerability categorized? action on objectives delivery exploitation installation.
Which two are examples of UDP-based attacks? (Choose two.) SYN flood SQL slammer UDP flooding MAC address flooding.
Which two elements are used for profiling a network? (Choose two.) session duration total throughput running processes listening ports OS fingerprint.
A security engineer deploys an enterprise-wide host/endpoint technology for all of the company’s corporate PCs. Management requests the engineer to block a selected set of applications on all PCs. Which technology should be used to accomplish this task? application whitelisting/blacklisting network NGFW host-based IDS antivirus/antispyware software.
Which two elements of the incident response process are stated in NIST Special Publication 800-61 r2? (Choose two.) detection and analysis post-incident activity vulnerability management risk assessment vulnerability scoring.
Which utility blocks a host portscan? HIDS sandboxing host-based firewall antimalware.
Which type of algorithm encrypts data bit by bit? block asymmetric stream symmetric.
Which of the following is deployed on an endpoint as an agent or standalone application? NIPS NGFW HIDS NIDS.
Which of the following represents an exploitable, unpatched, and unmitigated weakness in software? vulnerability exploit threat breach.
Which of the following describes a TCP injection attack? Many TCP SYN packets are captured with the same sequence number, source, and destination IP address, but different payloads. There is an abnormally high volume of scanning from numerous sources. Many TCP SYN packets are captured with the same sequence number, but different source and destination IP addresses and different payloads. An attacker performs actions slower than normal.
How are attributes of ownership and control of an object managed in Linux? permissions rights iptables processes.
Which tool is included with Security Onion that is used by Snort to automatically download new rules? PulledPork ELK Wireshark Sguil.
Which tool included in Security Onion is an interactive dashboard interface to Elasticsearch data? Zeek Wireshark Kibana Sguil.
A NIDS/NIPS has identified a threat. Which type of security data will be generated and sent to a logging device? alert session statistical transaction.
Which statement describes an operational characteristic of NetFlow? NetFlow captures the entire contents of a packet. NetFlow can provide services for user access control. NetFlow collects basic information about the packet flow, not the flow data itself. NetFlow flow records can be viewed by the tcpdump tool.
Which regular expression would match any string that contains 4 consecutive zeros? {0-4} [0-4] 0{4} ^0000.
Refer to the exhibit. Which technology generated the event log? Wireshark Netflow web proxy syslog.
Refer to the exhibit. A security specialist is using Wireshark to review a PCAP file generated by tcpdump. When the client initiated a file download request, which source socket pair was used? 209.165.202.133:48598 209.165.202.133:6666 209.165.200.235:6666 209.165.200.235:48598.
Match the security service with the description. ACL SNMP NetFlow Port mirroring.
Using Tcpdump and Wireshark, a security analyst extracts a downloaded file from a pcap file. The analyst suspects that the file is a virus and wants to know the file type for further examination. Which Linux command can be used to determine the file type? file tail nano ls -l.
Match the IPS alarm with the description. false positive false negative true positive true negative.
What is a feature of an IPS? It can stop malicious packets. It is deployed in offline mode. It has no impact on latency. It is primarily focused on identifying possible incidents.
Which three fields are found in both the TCP and UDP headers? (Choose three.) window checksum options sequence number destination port source port.
What are two motivating factors for nation-state sponsored threat actors? (Choose two.) industrial espionage showing off their hacking skill disruption of trade or infrastructure social or personal causes financial gain.
Which type of data is used by Cisco Cognitive Intelligence to find malicious activity that has bypassed security controls, or entered through unmonitored channels, and is operating inside an enterprise network? statistical session alert transaction.
Which type of evasion technique splits malicious payloads into smaller packets in order to bypass security sensors that do not reassemble the payloads before scanning them? pivoting traffic fragmentation protocol-level misinterpretation traffic insertion.
Which type of cyber attack is a form of MiTM in which the perpetrator copies IP packets off the network without modifying them? compromised key eavesdropping denial-of-service IP spoofing.
Which is an example of social engineering? an anonymous programmer directing a DDoS attack on a data center an unidentified person claiming to be a technician collecting user information from employees a computer displaying unauthorized pop-ups and adware the infection of a computer by a virus carried by a Trojan.
Which type of analysis relies on different methods to establish the likelihood that a security event has happened or will happen? deterministic statistical log probabilistic.
Which access control model allows users to control access to data as an owner of that data? mandatory access control nondiscretionary access control discretionary access control attribute-based access control.
What are the three impact metrics contained in the CVSS 3.0 Base Metric Group? (Choose three.) confidentiality remediation level integrity attack vector exploit availability.
Which access control model applies the strictest access control and is often used in military and mission critical applications? discretionary mandatory nondiscretionary attribute-based.
What is the principle behind the nondiscretionary access control model? It applies the strictest access control possible. It allows access decisions to be based on roles and responsibilities of a user within the organization. It allows users to control access to their data as owners of that data. It allows access based on attributes of the object to be accessed.
Which attack is integrated with the lowest levels of the operating system of a host and attempts to completely hide the activities of the threat actor on the local system? rootkit traffic insertion traffic substitution encryption and tunneling.
Which tool captures full data packets with a command-line interface only? nfdump NBAR2 tcpdump Wireshark.
To which category of security attacks does man-in-the-middle belong? DoS access reconnaissance social engineering.
What is an example of a local exploit? Port scanning is used to determine if the Telnet service is running on a remote server. A threat actor performs a brute force attack on an enterprise edge router to gain illegal access. A buffer overflow attack is launched against an online shopping website and causes the server to crash. A threat actor tries to gain the user password of a remote host by using keyboard capture software installed on it by a Trojan.
Which Cisco appliance can be used to filter network traffic contents to report and deny traffic based on the web server reputation? Cisco Web Security Appliance (WSA) Cisco Application Visibility and Control (AVC) Cisco ASA is a firewall appliance. Cisco Email Security Appliance (ESA).
Which evasion method describes the situation that after gaining access to the administrator password on a compromised host, a threat actor is attempting to login to another host using the same credentials? pivoting traffic substitution resource exhaustion protocol-level misinterpretation.
What are two examples of DoS attacks? (Choose two.) port scanning SQL injection ping of death phishing buffer overflow.
Which type of attack is carried out by threat actors against a network to determine which IP addresses, protocols, and ports are allowed by ACLs? Social engineering denial of service phishing reconnaissance.
Refer to the exhibit. A security analyst is reviewing an alert message generated by Snort. What does the number 2100498 in the message indicate? the id of the user that triggers the alert the message length in bits the Snort rule that is triggered the session number of the message.
Which two attacks target web servers through exploiting possible vulnerabilities of input functions used by an application? (Choose two.) SQL injection port scanning port redirection trust exploitation cross-site scripting.
Which security function is provided by encryption algorithms? key management authorization integrity confidentiality.
Which security endpoint setting would be used by a security analyst to determine if a computer has been configured to prevent a particular application from running? baselining blacklisting services whitelisting.
Refer to the exhibit. Which technology would contain information similar to the data shown for infrastructure devices within a company? Apache server firewall HIDS syslog server.
At the request of investors, a company is proceeding with cyber attribution for a particular attack that was conducted from an external source. Which security term is used to describe the person or device responsible for the attack? threat actor fragmenter tunneler skeleton.
Which Windows application is commonly used by a cybersecurity analyst to view Microsoft IIS access logs? Event Viewer Notepad SIEM Word.
Which two algorithms use a hashing function to ensure message integrity? (Choose two.) SEAL AES 3DES MD5 SHA.
Which type of evidence cannot prove an IT security fact on its own? best corroborative indirect hearsay.
What is an example of a privilege escalation attack? A DDoS attack is launched against a government server and causes the server to crash. A port scanning attack finds that the FTP service is running on a server that allows anonymous access. A threat actor performs an access attack and gains the administrator password. A threat actor sends an email to an IT manager to request root access.
A threat hunter is concerned about a significant increase in TCP traffic sourced from port 53. It is suspected that malicious file transfer traffic is being tunneled out using the TCP DNS port. Which deep packet inspection tool can detect the type of application originating the suspicious traffic? syslog analyzer NBAR2 NetFlow IDS/IPS Wireshark.
Which type of evaluation includes the assessment of the likelihood of an attack, the type of threat actor likely to perpetrate such an attack, and what the consequences could be to the organization if the exploit is successful? penetration testing risk analysis vulnerability identification server profiling.
When establishing a network profile for an organization, which element describes the time between the establishment of a data flow and its termination? session duration total throughput routing protocol convergence bandwidth of the Internet connection.
Which term describes a threat actor who has advanced skills and pursues a social agenda? organized crime script kiddie corporate/industrial spies hacktivist.
Refer to the exhibit. A security specialist is checking if files in the directory contain ADS data. Which switch should be used to show that a file has ADS attached? /a /r /d /s.
The SOC manager is reviewing the metrics for the previous calendar quarter and discovers that the MTTD for a breach of password security perpetrated through the Internet was forty days. What does the MTTD metric represent within the SOC? Window of time required to stop the spread of malware in the network the average time that it takes to identify valid security incidents that have occurred the time required to stop the incident from causing further damage to systems or data the average time that it takes to stop and remediate a security incident.
A cybersecurity analyst is performing a CVSS assessment on an attack where a web link was sent to several employees. Once clicked, an internal attack was launched. Which CVSS Base Metric Group Exploitability metric is used to document that the user had to click on the link in order for the attack to occur? scope integrity requirement availability requirement user interaction.
When a server profile for an organization is being established, which element describes the TCP and UDP daemons and ports that are allowed to be open on the server? critical asset address space service accounts software environment listening ports.
Which two actions should be taken during the preparation phase of the incident response life cycle defined by NIST? (Choose two.) Fully analyze the incident. Meet with all involved parties to discuss the incident that took place. Detect all the incidents that occurred. Acquire and deploy the tools that are needed to investigate incidents. Create and train the CSIRT.
Which component is a pillar of the zero-trust security approach that focuses on the secure access of devices, such as servers, printers, and other endpoints, including devices attached to IoT? workflows workloads workplace workforce.
A security analyst is reviewing the information contained in a Wireshark capture created during an attempted intrusion. The analyst wants to correlate the Wireshark information with the log files from two servers that may have been compromised. What type of information can be used to correlate the events found in these multiple data sets? ISP geolocation data IP five-tuples logged-in user account ownership metadata.
A security analyst is investigating a cyber attack that began by compromising one file system through a vulnerability in a custom software application. The attack now appears to be affecting additional file systems under the control of another security authority. Which CVSS v3.0 base exploitability metric score is increased by this attack characteristic? privileges required scope attack complexity user interaction.
What will match the regular expression ^83? any string that includes 83 any string that begins with 83 any string with values greater than 83 any string that ends with 83.
What is a key difference between the data captured by NetFlow and data captured by Wireshark? NetFlow provides transaction data whereas Wireshark provides session data. NetFlow data is analyzed by tcpdump whereas Wireshark data is analyzed by nfdump. NetFlow collects metadata from a network flow whereas Wireshark captures full data packets. NetFlow data shows network flow contents whereas Wireshark data shows network flow statistics.
Which three IPv4 header fields have no equivalent in an IPv6 header? (Choose three.) flag identification TTL fragment offset version protocol.
What classification is used for an alert that correctly identifies that an exploit has occurred? false negative false positive true positive true negative.
During the detection and analysis phase of the NIST incident response process life cycle, which sign category is used to describe that an incident might occur in the future? attrition impersonation precursor indicator.
According to the Cyber Kill Chain model, after a weapon is delivered to a targeted system, what is the next step that a threat actor would take? action on objectives exploitation weaponization installation.
A company is applying the NIST.SP800-61 r2 incident handling process to security events. What are two examples of incidents that are in the category of precursor? (Choose two.) multiple failed logins from an unknown source log entries that show a response to a port scan an IDS alert message being sent a newly-discovered vulnerability in Apache web servers a host that has been verified as infected with malware.
A network administrator is creating a network profile to generate a network baseline. What is included in the critical asset address space element? the time between the establishment of a data flow and its termination the TCP and UDP daemons and ports that are allowed to be open on the server the IP addresses or the logical location of essential systems or data the list of TCP or UDP processes that are available to accept data.
Which NIST-defined incident response stakeholder is responsible for coordinating incident response with other stakeholders and minimizing the damage of an incident? human resources IT support the legal department management.
What is defined in the policy element of the NIST incident response plan? how to handle incidents based on the mission and functions of an organization a roadmap for updating the incident response capability the metrics used for measuring incident response capability in an organization how the incident response team of an organization will communicate with organization stakeholders.
What is the responsibility of the human resources department when handling a security incident as defined by NIST? Review the incident policies, plans, and procedures for local or federal guideline violations. Perform disciplinary actions if an incident is caused by an employee. Coordinate the incident response with other stakeholders and minimize the damage of an incident. Perform actions to minimize the effectiveness of the attack and preserve evidence.
What is the benefit of a defense-in-depth approach? All network vulnerabilities are mitigated. The need for firewalls is eliminated. Only a single layer of security at the network core is required. The effectiveness of other security measures is not impacted when a security mechanism fails.
Which type of analysis relies on predefined conditions and can analyze applications that only use well-known fixed ports? statistical deterministic log probabilistic.
Refer to the exhibit. Approximately what percentage of the physical memory is still available on this Windows system? 32% 53% 68% 90%.
Which Windows tool can be used by a cybersecurity administrator to secure stand-alone computers that are not part of an active directory domain? PowerShell Windows Defender Local Security Policy Windows Firewall.
What are three benefits of using symbolic links over hard links in Linux? (Choose three.) They can show the location of the original file. Symbolic links can be exported. They can be compressed. They can be encrypted. They can link to a directory. They can link to a file in a different file system.
When attempting to improve system performance for Linux computers with a limited amount of memory, why is increasing the size of the swap file system not considered the best solution? A swap file system uses hard disk space to store inactive RAM content. A swap file system cannot be mounted on an MBR partition. A swap file system only supports the ext2 file system. A swap file system does not have a specific file system.
Refer to the exhibit. A security analyst is reviewing the logs of an Apache web server. Which action should the analyst take based on the output shown? Notify the appropriate security administration for the country. Restart the server. Notify the server administrator. Ignore the message.
Which technique could be used by security personnel to analyze a suspicious file in a safe environment? whitelisting baselining sandboxing blacklisting.
A security professional is making recommendations to a company for enhancing endpoint security. Which security endpoint technology would be recommended as an agent-based system to protect hosts against malware? IPS HIDS baselining blacklisting.
A cybersecurity analyst has been called to a crime scene that contains several technology items including a computer. Which technique will be used so that the information found on the computer can be used in court? rootkit log collection Tor unaltered disk image.
Which SOC technology automates security responses by using predefined playbooks which require a minimum amount of human intervention? SOAR Wireshark NetFlow SIEM syslog.
What is the first line of defense when an organization is using a defense-in-depth approach to network security? proxy server firewall IPS edge router.
Which access control model assigns security privileges based on the position, responsibilities, or job classification of an individual or group within an organization? rule-based role-based discretionary mandatory.
Which metric in the CVSS Base Metric Group is used with an attack vector? the presence or absence of the requirement for user interaction in order for an exploit to be successful the number of components, software, hardware, or networks, that are beyond the control of the attacker and that must be present in order for a vulnerability to be successfully exploited the determination whether the initial authority changes to a second authority during the exploit the proximity of the threat actor to the vulnerability.
Which field in the IPv6 header points to optional network layer information that is carried in the IPv6 packet? traffic class flow label next header version.
Which data security component is provided by hashing algorithms? integrity confidentiality key exchange authentication.
Which attack surface, defined by the SANS Institute, is delivered through the exploitation of vulnerabilities in web, cloud, or host-based applications? human network host software.
What is the main goal of using different evasion techniques by threat actors? to launch DDoS attacks on targets to identify vulnerabilities of target systems to prevent detection by network and host defenses to gain the trust of a corporate employee in an effort to obtain credentials.
How can NAT/PAT complicate network security monitoring if NetFlow is being used? It disguises the application initiated by a user by manipulating port numbers. It changes the source and destination MAC addresses. It conceals the contents of a packet by encrypting the data payload. It hides internal IP addresses by allowing them to share one or a few outside IP addresses.
Which statement describes the function provided by the Tor network? It conceals packet contents by establishing end-to-end tunnels It distributes user packets through load balancing. It allows users to browse the Internet anonymously. It manipulates packets by mapping IP addresses between two networks.
When establishing a server profile for an organization, which element describes the type of service that an application is allowed to run on the server? user account listening port service account software environment.
What will a threat actor do to create a back door on a compromised target according to the Cyber Kill Chain model? Add services and autorun keys. Collect and exfiltrate data. Open a two-way communications channel to the CnC infrastructure. Obtain an automated tool to deliver the malware payload.
Which three things will a threat actor do to prepare a DDoS attack against a target system on the Internet? (Choose three.) Install a back door on the target system. Obtain an automated tool to deliver the malware payload. Establish two-way communications channels to the CnC infrastructure with zombies. Collect and exfiltrate data. Compromise many hosts on the Internet. Install attack software on zombies.
What is specified in the plan element of the NIST incident response plan? organizational structure and the definition of roles, responsibilities, and levels of authority metrics for measuring the incident response capability and effectiveness priority and severity ratings of incidents incident handling based on the mission of the organization.
What is the responsibility of the IT support group when handling an incident as defined by NIST? coordinates the incident response with other stakeholders and minimizes the damage of an incident performs disciplinary measures if an incident is caused by an employee performs actions to minimize the effectiveness of the attack and preserve evidence reviews the incident policies, plans, and procedures for local or federal guideline violations.
Match the definition to the Microsoft Windows term. (Not all options are used.) database of hardware, software, users, and settings used to manage remote computers provides access needed by the userspace process.
Match the definition to the Microsoft Windows term. (Not all options are used.) runs in the background to support the operating system and applications instructions executed by the processor a currently executing program.
Match the description to the Linux term. (Not all options are used.) a running instance of a computer program creates a copy of a process due to multitasking determines user rights to a file.
Match the antimalware approach to the description. signature-based heuristic-based behavior-based.
Match the security concept to the description. threat vulnerability exploit risk.
Match the information security component with the description. availability confidentiality integrity.
Match the Windows term to the description. alternate data streams EFI FAT32 MACE NTFS.
Match the NIST incident response stakeholder with the role. information assurance legal department IT support management Human resources.
Match the NIST incident response life cycle phase with the description. post-incident activities containment, eradication, and recovery detection and analysis preparation.
Place the seven steps defined in the Cyber Kill Chain in the correct order. Delivery Installation Exploitation Weaponization Reconnaissance Action on objectives Command and Control.
Which category relates to improper use or disclosure of PII data? legal compliance regulated contractual.
Which regex matches only on all lowercase letters? [a-z]+ [^a-z]+ a-z+ a*z+.
In a SOC environment, what is a vulnerability management metric? code signing enforcement full assets scan internet exposed devices single factor authentication.
Which two pieces of information are collected from the IPv4 protocol header? UDP port to which the traffic is destined TCP port from which the traffic was sourced source IP address of the packet destination IP address of the packet UDP port from which the traffic is sourced.
Which HTTP header field is used in forensics to identify the type of browser used? referrer host user-agent accept-language.
Which type of data collection requires the largest amount of storage space? alert data transaction data session data full packet capture.
Which evasion technique is indicated when an intrusion detection system begins receiving an abnormally high volume of scanning from numerous sources? resource exhaustion tunneling traffic fragmentation timing attack.
Which signature impacts network traffic by causing legitimate traffic to be blocked? false negative true positive true negative false positive.
What is the difference between inline traffic interrogation and traffic mirroring? Inline inspection acts on the original traffic data flow Traffic mirroring passes live traffic to a tool for blocking Traffic mirroring inspects live traffic for analysis and mitigation Inline traffic copies packets for analysis and security.
What is the expected result when the "Allow subdissector to reassemble TCP streams" feature is enabled? insert TCP subdissectors extract a file from a packet capture disable TCP streams unfragment TCP.
Which application protocol is in this PCAP file? SSH TCP TLS HTTP.
What is an attack surface as compared to vulnerability? any potential danger to an asset the sum of all paths for data into and out of the application an exploitable weakness in a system or its design the individuals who perform an attack.
What is personally identifiable information that must be safeguarded from unauthorized access? date of birth driver's license number gender zip code.
Which artifact is used to uniquely identify a detected file? file timestamp file extension file size file hash.
Which event artifact is used to identify HTTP GET requests for a specific file? destination IP address TCP ACK HTTP status code URL (Uniform Resource Locator).
What should a security analyst consider when comparing inline traffic interrogation with traffic tapping to determine which approach to use in the network? Tapping interrogation replicates signals to a separate port for analyzing traffic Tapping interrogations detect and block malicious traffic Inline interrogation enables viewing a copy of traffic to ensure traffic is in compliance with security policies Inline interrogation detects malicious traffic but does not block the traffic.
An analyst discovers that a legitimate security alert has been dismissed. Which signature caused this impact on network traffic? true negative false negative false positive true positive.
Which regular expression matches "color" and "colour"? colo?ur col[0-8]+our colou?r col[0-9]+our.
A system administrator is ensuring that specific registry information is accurate. Which type of configuration information does the HKEY_LOCAL_MACHINE hive contain? file extension associations hardware, software, and security settings for the system currently logged in users, including folders and control panel settings all users on the system, including visual settings.
Which of the following describes a TCP injection attack? Many TCP SYN packets are captured with the same sequence number, source, and destination IP address, but different payloads. There is an abnormally high volume of scanning from numerous sources. Many TCP SYN packets are captured with the same sequence number, but different source and destination IP addresses and different payloads. An attacker performs actions slower than normal.
Match the file system term used in Linux to the function. ext4 journaling swap file system MBR.