CompTIA CySA+ Practice Tests - Mike Chapple - E-Book


Mike Chapple

Description

Efficiently prepare yourself for the demanding CompTIA CySA+ exam.

CompTIA CySA+ Practice Tests: Exam CS0-002, 2nd Edition offers readers the fastest and best way to prepare for the CompTIA Cybersecurity Analyst exam. With five unique chapter tests and two additional practice exams for a total of 1000 practice questions, this book covers topics including:

* Threat and Vulnerability Management
* Software and Systems Security
* Security Operations and Monitoring
* Incident Response
* Compliance and Assessment

The new edition of CompTIA CySA+ Practice Tests is designed to equip the reader to tackle the qualification test for one of the most sought-after and in-demand certifications in the information technology field today. The authors are seasoned cybersecurity professionals and leaders who guide readers through the broad spectrum of security concepts and technologies they will be required to master before they can achieve success on the CompTIA CySA+ exam. The book also tests and develops the critical thinking skills and judgment the reader will need to demonstrate on the exam.


Page count: 766

Year of publication: 2020




Table of Contents

Cover

Acknowledgments

About the Authors

About the Technical Editor

Introduction

CompTIA

Study and Exam Preparation Tips

Taking the Exam

Using This Book to Practice

Objectives Map for CompTIA CySA+ (Cybersecurity Analyst) Exam CS0-002

Chapter 1: Domain 1.0: Threat and Vulnerability Management

Chapter 2: Domain 2.0: Software and Systems Security

Chapter 3: Domain 3.0: Security Operations and Monitoring

Chapter 4: Domain 4.0: Incident Response

Chapter 5: Domain 5.0: Compliance and Assessment

Chapter 6: Practice Exam 1

Chapter 7: Practice Exam 2

Appendix: Answers to Review Questions

Answers to Chapter 1: Domain 1.0: Threat and Vulnerability Management

Answers to Chapter 2: Domain 2.0: Software and Systems Security

Answers to Chapter 3: Domain 3.0: Security Operations and Monitoring

Answers to Chapter 4: Domain 4.0: Incident Response

Answers to Chapter 5: Domain 5.0: Compliance and Assessment

Answers to Chapter 6: Practice Exam 1

Answers to Chapter 7: Practice Exam 2

Index

End User License Agreement


CompTIA® Cybersecurity Analyst (CySA+™) Practice Tests: Exam CS0-002

Second Edition

Mike Chapple

David Seidl

 

 

 

Copyright © 2020 by John Wiley & Sons, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-1-119-68379-7
ISBN: 978-1-119-68392-6 (ebk.)
ISBN: 978-1-119-68404-6 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2020938566

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CompTIA and CySA+ are trademarks or registered trademarks of Computing Technology Industry Association, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

For Renee, the most patient and caring person I know. Thank you for being the heart of our family.

—MJC

This book is dedicated to my longtime friend Amanda Hanover, who always combined unlimited curiosity with equally infinite numbers of questions about security topics. Amanda lost her fight with mental health struggles in 2019, but you, our reader, should know that there is support out there. Mental health challenges are a struggle that many in the security community face, and community support exists for those who need it. Visit www.mentalhealthhackers.org to find mental health activities at security conferences in your area, as well as resources and links to other resources. You are not alone.

And Amanda—here are a thousand more security questions for you. Your friend, David

—DAS

Acknowledgments

The authors would like to thank the many people who made this book possible. Kenyon Brown at Wiley has been a wonderful partner through many books over the years. Carole Jelen, our agent, worked on a myriad of logistic details and handled the business side of the book with her usual grace and commitment to excellence. Chris Crayton, our technical editor, pointed out many opportunities to improve our work and deliver a high-quality final product. Kezia Endsley served as developmental editor and managed the project smoothly. Thank you to Runzhi “Tom” Song, Mike's research assistant at Notre Dame, who spent hours proofreading our final copy. Many other people we'll never meet worked behind the scenes to make this book a success.

About the Authors

Mike Chapple, PhD, CISSP, is an author of the best-selling CySA+ Study Guide and CISSP (ISC)² Certified Information Systems Security Professional Official Study Guide, now in its eighth edition. He is an information security professional with two decades of experience in higher education, the private sector, and government.

Mike currently serves as teaching professor of IT, analytics, and operations at the University of Notre Dame, where he teaches courses focused on cybersecurity and business analytics.

Before returning to Notre Dame, Mike served as executive vice president and chief information officer of the Brand Institute, a Miami-based marketing consultancy. Mike also spent four years in the information security research group at the National Security Agency and served as an active duty intelligence officer in the U.S. Air Force.

Mike earned both his BS and PhD degrees from Notre Dame in computer science and engineering. He also holds an MS in computer science from the University of Idaho and an MBA from Auburn University.

David Seidl is the Vice President for Information Technology and CIO at Miami University. During his IT career, he has served in a variety of technical and information security roles, including serving as the Senior Director for Campus Technology Services at the University of Notre Dame, where he co-led Notre Dame's move to the cloud and oversaw cloud operations, ERP, databases, identity management, and a broad range of other technologies and services. He also served as Notre Dame's Director of Information Security and led Notre Dame's information security program. He has taught information security and networking undergraduate courses as an instructor for Notre Dame's Mendoza College of Business and has written books on security certification and cyberwarfare, including co-authoring CISSP (ISC)² Official Practice Tests (Sybex 2018) as well as the previous editions of both this book and the companion CompTIA CySA+ Practice Tests: Exam CS0-001.

David holds a bachelor's degree in communication technology and a master's degree in information security from Eastern Michigan University, as well as CISSP, CySA+, Pentest+, GPEN, and GCIH certifications.

About the Technical Editor

Chris Crayton, MCSE, CISSP, CASP, CySA+, A+, N+, S+, is a technical consultant, trainer, author, and industry-leading technical editor. He has worked as a computer technology and networking instructor, information security director, network administrator, network engineer, and PC specialist. Chris has served as technical editor and content contributor on numerous technical titles for several of the leading publishing companies. He has also been recognized with many professional and teaching awards.

Introduction

CompTIA CySA+ (Cybersecurity Analyst) Practice Tests, Second Edition is a companion volume to the CompTIA CySA+ Study Guide, Second Edition (Sybex, 2020, Chapple/Seidl). If you're looking to test your knowledge before you take the CySA+ exam, this book will help you by providing a combination of 1,000 questions that cover the CySA+ domains and easy-to-understand explanations of both right and wrong answers.

If you're just starting to prepare for the CySA+ exam, we highly recommend that you use the Cybersecurity Analyst+ (CySA+) Study Guide, Second Edition to help you learn about each of the domains covered by the CySA+ exam. Once you're ready to test your knowledge, use this book to help find places where you may need to study more or to practice for the exam itself.

Since this is a companion to the CySA+ Study Guide, this book is designed to be similar to taking the CySA+ exam. It contains multipart scenarios as well as standard multiple-choice questions similar to those you may encounter in the certification exam itself. The book itself is broken up into seven chapters: five domain-centric chapters with questions about each domain, and two chapters that contain 85-question practice tests to simulate taking the CySA+ exam itself.

CompTIA

CompTIA is a nonprofit trade organization that offers certification in a variety of IT areas, ranging from the skills that a PC support technician needs, which are covered in the A+ exam, to advanced certifications like the CompTIA Advanced Security Practitioner, or CASP certification. CompTIA recommends that practitioners follow a cybersecurity career path as shown here:

The Cybersecurity Analyst+ exam is a more advanced exam, intended for professionals with hands-on experience and who possess the knowledge covered by the prior exams.

CompTIA certifications are ISO and ANSI accredited, and they are used throughout multiple industries as a measure of technical skill and knowledge. In addition, CompTIA certifications, including the CySA+, the Security+ and the CASP certifications, have been approved by the U.S. government as Information Assurance baseline certifications and are included in the State Department's Skills Incentive Program.

The Cybersecurity Analyst+ Exam

The Cybersecurity Analyst+ exam, which CompTIA refers to as CySA+, is designed to be a vendor-neutral certification for cybersecurity, threat, and vulnerability analysts. The CySA+ certification is designed for security analysts and engineers as well as security operations center (SOC) staff, vulnerability analysts, and threat intelligence analysts. It focuses on security analytics and practical use of security tools in real-world scenarios. It covers five major domains: Threat and Vulnerability Management, Software and Systems Security, Security Operations and Monitoring, Incident Response, and Compliance and Assessment. These five areas include a range of topics, from reconnaissance to incident response and forensics, while focusing heavily on scenario-based learning.

The CySA+ exam fits between the entry-level Security+ exam and the CompTIA Advanced Security Practitioner (CASP) certification, providing a mid-career certification for those who are seeking the next step in their certification and career path.

The CySA+ exam is conducted in a format that CompTIA calls “performance-based assessment.” This means that the exam uses hands-on simulations using actual security tools and scenarios to perform tasks that match those found in the daily work of a security practitioner. Exam questions may include multiple types of questions such as multiple-choice, fill-in-the-blank, multiple-response, drag-and-drop, and image-based problems.

CompTIA recommends that test takers have four years of information security–related experience before taking this exam. The exam costs $359 in the United States, with roughly equivalent prices in other locations around the globe. More details about the CySA+ exam and how to take it can be found at certification.comptia.org/certifications/cybersecurity-analyst.

Study and Exam Preparation Tips

We recommend you use this book in conjunction with the Cybersecurity Analyst+ (CySA+) Study Guide, Second Edition. Read through chapters in the study guide and then try your hand at the practice questions associated with each domain in this book.

You should also keep in mind that the CySA+ certification is designed to test practical experience, so you should also make sure that you get some hands-on time with the security tools covered on the exam. CompTIA recommends the use of NetWars-style simulations, penetration testing and defensive cybersecurity simulations, and incident response training to prepare for the CySA+.

Additional resources for hands-on exercises include the following:

Exploit-Exercises.com provides virtual machines, documentation, and challenges covering a wide range of security issues at exploit-exercises.lains.space.

Hacking-Lab provides capture-the-flag (CTF) exercises in a variety of fields at www.hacking-lab.com/index.html.

PentesterLab provides subscription-based access to penetration testing exercises at www.pentesterlab.com/exercises/.

The InfoSec Institute provides online capture-the-flag activities with bounties for written explanations of successful hacks at ctf.infosecinstitute.com.

Since the exam uses scenario-based learning, expect the questions to involve analysis and thought, rather than relying on simple memorization. As you might expect, it is impossible to replicate that experience in a book, so the questions here are intended to help you be confident that you know the topic well enough to think through hands-on exercises.

Taking the Exam

Once you are fully prepared to take the exam, you can visit the CompTIA website to purchase your exam voucher:

www.comptiastore.com/Articles.asp?ID=265&category=vouchers

CompTIA partners with Pearson VUE's testing centers, so your next step will be to locate a testing center near you. In the United States, you can do this based on your address or your ZIP code, while non-U.S. test takers may find it easier to enter their city and country. You can search for a test center near you at the Pearson VUE website, where you will need to navigate to “Find a test center”:

www.pearsonvue.com/comptia/

Now that you know where you'd like to take the exam, simply set up a Pearson VUE testing account and schedule an exam:

www.comptia.org/testing/testing-options/take-in-person-exam

On the day of the test, bring two forms of identification, and make sure to show up with plenty of time before the exam starts. Remember that you will not be able to take your notes, electronic devices (including smartphones and watches), or other materials in with you.

After the Cybersecurity Analyst+ Exam

Once you have taken the exam, you will be notified of your score immediately, so you'll know if you passed the test right away. You should keep track of your score report with your exam registration records and the email address you used to register for the exam.

Maintaining Your Certification

CompTIA certifications must be renewed on a periodic basis. To renew your certification, you can either pass the most current version of the exam, earn a qualifying higher-level CompTIA or industry certification, or complete sufficient continuing education activities to earn enough continuing education units (CEUs) to renew it.

CompTIA provides information on renewals via their website at

www.comptia.org/continuing-education

When you sign up to renew your certification, you will be asked to agree to the CE program's Code of Ethics, to pay a renewal fee, and to submit the materials required for your chosen renewal method.

A full list of the industry certifications you can use to acquire CEUs toward renewing the CySA+ can be found at

www.comptia.org/continuing-education/choose/renew-with-a-single-activity/earn-a-higher-level-comptia-certification

Using This Book to Practice

This book is composed of seven chapters. Each of the first five chapters covers a domain, with a variety of questions that can help you test your knowledge of real-world, scenario, and best practices–based security knowledge. The final two chapters are complete practice exams that can serve as timed practice tests to help determine whether you're ready for the CySA+ exam.

We recommend taking the first practice exam to help identify where you may need to spend more study time and then using the domain-specific chapters to test your domain knowledge where it is weak. Once you're ready, take the second practice exam to make sure you've covered all the material and are ready to attempt the CySA+ exam.

As you work through questions in this book, you will encounter tools and technology that you may not be familiar with. If you find that you are facing a consistent gap or that a domain is particularly challenging, we recommend spending some time with books and materials that tackle that domain in depth. This can help you fill in gaps and help you be more prepared for the exam.

Objectives Map for CompTIA CySA+ (Cybersecurity Analyst) Exam CS0-002

The following objective map for the CompTIA CySA+ (Cybersecurity Analyst) certification exam will enable you to find where each objective is covered in the book.

Objectives Map

Objective (Chapter)

1.0 THREAT AND VULNERABILITY MANAGEMENT
1.1 Explain the importance of threat data and intelligence. (Chapter 1)
1.2 Given a scenario, utilize threat intelligence to support organizational security. (Chapter 1)
1.3 Given a scenario, perform vulnerability management activities. (Chapter 1)
1.4 Given a scenario, analyze the output from common vulnerability assessment tools. (Chapter 1)
1.5 Explain the threats and vulnerabilities associated with specialized technology. (Chapter 1)
1.6 Explain the threats and vulnerabilities associated with operating in the cloud. (Chapter 1)
1.7 Given a scenario, implement controls to mitigate attacks and software vulnerabilities. (Chapter 1)

2.0 SOFTWARE AND SYSTEMS SECURITY
2.1 Given a scenario, apply security solutions for infrastructure management. (Chapter 2)
2.2 Explain software assurance best practices. (Chapter 2)
2.3 Explain hardware assurance best practices. (Chapter 2)

3.0 SECURITY OPERATIONS AND MONITORING
3.1 Given a scenario, analyze data as part of security monitoring activities. (Chapter 3)
3.2 Given a scenario, implement configuration changes to existing controls to improve security. (Chapter 3)
3.3 Explain the importance of proactive threat hunting. (Chapter 3)
3.4 Compare and contrast automation concepts and technologies. (Chapter 3)

4.0 INCIDENT RESPONSE
4.1 Explain the importance of the incident response process. (Chapter 4)
4.2 Given a scenario, apply the appropriate incident response procedure. (Chapter 4)
4.3 Given an incident, analyze potential indicators of compromise. (Chapter 4)
4.4 Given a scenario, utilize basic digital forensic techniques. (Chapter 4)

5.0 COMPLIANCE AND ASSESSMENT
5.1 Understand the importance of data privacy and protection. (Chapter 5)
5.2 Given a scenario, apply security concepts in support of organizational risk mitigation. (Chapter 5)
5.3 Explain the importance of frameworks, policies, procedures, and controls. (Chapter 5)

Chapter 1: Domain 1.0: Threat and Vulnerability Management

EXAM OBJECTIVES COVERED IN THIS CHAPTER:

1.1 Explain the importance of threat data and intelligence.

Intelligence sources

Confidence levels

Indicator management

Threat classification

Threat actors

Intelligence cycle

Commodity malware

Information sharing and analysis communities

1.2 Given a scenario, utilize threat intelligence to support organizational security.

Attack frameworks

Threat research

Threat modeling methodologies

Threat intelligence sharing with supported functions

1.3 Given a scenario, perform vulnerability management activities.

Vulnerability identification

Validation

Remediation/mitigation

Scanning parameters and criteria

Inhibitors to remediation

1.4 Given a scenario, analyze the output from common vulnerability assessment tools.

Web application scanner

Infrastructure vulnerability scanner

Software assessment tools and techniques

Enumeration

Wireless assessment tools

Cloud infrastructure assessment tools

1.5 Explain the threats and vulnerabilities associated with specialized technology.

Mobile

Internet of Things (IoT)

Embedded

Real-time operating system (RTOS)

System-on-Chip (SoC)

Field programmable gate array (FPGA)

Physical access control

Building automation systems

Vehicles and drones

Workflow and process automation systems

Industrial control systems (ICS)

Supervisory control and data acquisition (SCADA)

1.6 Explain the threats and vulnerabilities associated with operating in the cloud.

Cloud service models

Cloud deployment models

Function as a service (FaaS)/serverless architecture

Infrastructure as code (IaC)

Insecure application programming interface (API)

Improper key management

Unprotected storage

Logging and monitoring

1.7 Given a scenario, implement controls to mitigate attacks and software vulnerabilities.

Attack types

Vulnerabilities

Olivia is considering potential sources for threat intelligence information that she might incorporate into her security program. Which one of the following sources is most likely to be available without a subscription fee?

Vulnerability feeds

Open source

Closed source

Proprietary

During the reconnaissance stage of a penetration test, Cynthia needs to gather information about the target organization's network infrastructure without causing an IPS to alert the target to her information gathering. Which of the following is her best option?

Perform a DNS brute-force attack.

Use an nmap ping sweep.

Perform a DNS zone transfer.

Use an nmap stealth scan.

Roger is evaluating threat intelligence information sources and finds that one source results in quite a few false positive alerts. This lowers his confidence level in the source. What criteria for intelligence is not being met by this source?

Timeliness

Expense

Relevance

Accuracy

What markup language provides a standard mechanism for describing attack patterns, malware, threat actors, and tools?

STIX

TAXII

XML

OpenIOC
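As an added worked example (not part of the book's question set): STIX 2.x describes attack patterns, indicators, threat actors and tools as JSON objects tied together by relationship objects, while TAXII is only the transport used to exchange them. The bundle below is constructed for illustration, with made-up ids, addresses and names. The two functions pull the comparison values out of each indicator's pattern into an IOC list keyed by STIX object path, and resolve which attack pattern each indicator points at, using only the standard library.

```python
import json
import re

# Constructed STIX 2.1 bundle (not from the book). All ids, the address and the
# domain names are made up for the example.
IND_IP = "indicator--0f2a1c3e-3333-4a1a-8a1a-000000000003"
IND_DOMAIN = "indicator--0f2a1c3e-4444-4a1a-8a1a-000000000004"
AP_PHISH = "attack-pattern--0f2a1c3e-2222-4a1a-8a1a-000000000002"
TS = "2020-07-11T00:00:00.000Z"

SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--0f2a1c3e-1111-4a1a-8a1a-000000000001",
    "objects": [
        {"type": "attack-pattern", "spec_version": "2.1", "id": AP_PHISH,
         "created": TS, "modified": TS, "name": "Spearphishing Link"},
        {"type": "indicator", "spec_version": "2.1", "id": IND_IP,
         "created": TS, "modified": TS, "indicator_types": ["malicious-activity"],
         "pattern_type": "stix", "valid_from": TS,
         "pattern": "[ipv4-addr:value = '203.0.113.50']"},
        {"type": "indicator", "spec_version": "2.1", "id": IND_DOMAIN,
         "created": TS, "modified": TS, "indicator_types": ["malicious-activity"],
         "pattern_type": "stix", "valid_from": TS,
         "pattern": "[domain-name:value = 'login.example.test' "
                    "OR domain-name:value = 'cdn.example.test']"},
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--0f2a1c3e-5555-4a1a-8a1a-000000000005",
         "created": TS, "modified": TS, "relationship_type": "indicates",
         "source_ref": IND_IP, "target_ref": AP_PHISH},
    ],
})

# Matches one equality comparison inside a STIX pattern, e.g.
# ipv4-addr:value = '203.0.113.50'. Other operators (!=, MATCHES, ...) are
# deliberately ignored: they do not yield a plain blocklist value.
COMPARISON = re.compile(r"([\w-]+:[\w.-]+)\s*=\s*'([^']*)'")


def extract_iocs(bundle_json):
    """Return {object path: set of values} for every STIX-pattern indicator."""
    bundle = json.loads(bundle_json)
    iocs = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # snort/yara/sigma patterns need their own parser
        for path, value in COMPARISON.findall(obj["pattern"]):
            iocs.setdefault(path, set()).add(value)
    return iocs


def indicated_patterns(bundle_json):
    """Map indicator id -> names of the attack patterns it 'indicates'."""
    bundle = json.loads(bundle_json)
    objects = bundle.get("objects", [])
    names = {o["id"]: o["name"] for o in objects if o["type"] == "attack-pattern"}
    out = {}
    for o in objects:
        if o["type"] == "relationship" and o.get("relationship_type") == "indicates":
            out.setdefault(o["source_ref"], []).append(
                names.get(o["target_ref"], o["target_ref"]))
    return out


if __name__ == "__main__":
    for path, values in sorted(extract_iocs(SAMPLE_BUNDLE).items()):
        print(f"{path}: {', '.join(sorted(values))}")
    for ind, patterns in indicated_patterns(SAMPLE_BUNDLE).items():
        print(f"{ind} indicates {patterns}")
```

The IOC extractor is intentionally narrow: it only harvests equality comparisons, because a pattern such as `[file:size > 1000]` is a detection rule, not a value you can drop into a blocklist. In production the same loop would also honour `valid_until` and `revoked` before feeding anything to a firewall or SIEM.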

A port scan of a remote system shows that port 3306 is open on a remote database server. What database is the server most likely running?

Oracle

Postgres

MySQL

Microsoft SQL

Brad is working on a threat classification exercise, analyzing known threats and assessing the possibility of unknown threats. Which one of the following threat actors is most likely to be associated with an advanced persistent threat (APT)?

Hacktivist

Nation-state

Insider

Organized crime

During a port scan of her network, Cynthia discovers a workstation that shows the following ports open. What should her next action be?

Determine the reason for the ports being open.

Investigate the potentially compromised workstation.

Run a vulnerability scan to identify vulnerable services.

Reenable the workstation's local host firewall.

Charles is working with leaders of his organization to determine the types of information that should be gathered in his new threat intelligence program. In what phase of the intelligence cycle is he participating?

Dissemination

Feedback

Analysis

Requirements

As Charles develops his threat intelligence program, he creates and shares threat reports with relevant technologists and leaders. What phase of the intelligence cycle is now occurring?

Dissemination

Feedback

Collection

Requirements

What term is used to describe the groups of related organizations who pool resources to share cybersecurity threat information and analyses?

SOC

ISAC

CERT

CIRT

Which one of the following threats is the most pervasive in modern computing environments?

Zero-day attacks

Advanced persistent threats

Commodity malware

Insider threats

Singh incorporated the Cisco Talos tool into his organization's threat intelligence program. He uses it to automatically look up information about the past activity of IP addresses sending email to his mail servers. What term best describes this intelligence source?

Open source

Behavioral

Reputational

Indicator of compromise

Consider the threat modeling analysis shown here. What attack framework was used to develop this analysis?

ATT&CK

Cyber Kill Chain

STRIDE

Diamond

Jamal is assessing the risk to his organization from their planned use of AWS Lambda, a serverless computing service that allows developers to write code and execute functions directly on the cloud platform. What cloud tier best describes this service?

SaaS

PaaS

IaaS

FaaS

Lauren's honeynet, shown here, is configured to use a segment of unused network space that has no legitimate servers in it. What type of threats is this design particularly useful for detecting?

Zero-day attacks

SQL injection

Network scans

DDoS attacks

Nara is concerned about the risk of attackers conducting a brute-force attack against her organization. Which one of the following factors is Nara most likely to be able to control?

Attack vector

Adversary capability

Likelihood

Total attack surface

Fred believes that the malware he is tracking uses a fast flux DNS network, which associates many IP addresses with a single fully qualified domain name as well as using multiple download hosts. How many distinct hosts should he review based on the NetFlow shown here?

Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows

2020-07-11 14:39:30.606 0.448 TCP 192.168.2.1:1451->10.2.3.1:443 10 1510 1

2020-07-11 14:39:30.826 0.448 TCP 10.2.3.1:443->192.168.2.1:1451 7 360 1

2020-07-11 14:45:32.495 18.492 TCP 10.6.2.4:443->192.168.2.1:1496 5 1107 1

2020-07-11 14:45:32.255 18.888 TCP 192.168.2.1:1496->10.6.2.4:443 11 1840 1

2020-07-11 14:46:54.983 0.000 TCP 192.168.2.1:1496->10.6.2.4:443 1 49 1

2020-07-11 16:45:34.764 0.362 TCP 10.6.2.4:443->192.168.2.1:4292 4 1392 1

2020-07-11 16:45:37.516 0.676 TCP 192.168.2.1:4292->10.6.2.4:443 4 462 1

2020-07-11 16:46:38.028 0.000 TCP 192.168.2.1:4292->10.6.2.4:443 2 89 1

2020-07-11 14:45:23.811 0.454 TCP 192.168.2.1:1515->10.6.2.5:443 4 263 1

2020-07-11 14:45:28.879 1.638 TCP 192.168.2.1:1505->10.6.2.5:443 18 2932 1

2020-07-11 14:45:29.087 2.288 TCP 10.6.2.5:443->192.168.2.1:1505 37 48125 1

2020-07-11 14:45:54.027 0.224 TCP 10.6.2.5:443->192.168.2.1:1515 2 1256 1

2020-07-11 14:45:58.551 4.328 TCP 192.168.2.1:1525->10.6.2.5:443 10 648 1

2020-07-11 14:45:58.759 0.920 TCP 10.6.2.5:443->192.168.2.1:1525 12 15792 1

2020-07-11 14:46:32.227 14.796 TCP 192.168.2.1:1525->10.8.2.5:443 31 1700 1

2020-07-11 14:46:52.983 0.000 TCP 192.168.2.1:1505->10.8.2.5:443 1 40 1

1

3

4

5
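The following added example (not from the book) is one way to answer the fast-flux question above programmatically, and it reuses the same parser for the honeynet question earlier in this chapter. It parses the nfdump-style listing from the question, collects every address outside the monitored host's own network regardless of flow direction, and then, on a second, constructed set of flows, flags sources that touch several addresses in an unused segment, which is the signature of a network scan and exactly what a honeynet on empty address space is good at surfacing. The 192.168.2.0/24 local network, the 10.99.0.0/24 darknet and the addresses 203.0.113.7 and 198.51.100.9 are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# NetFlow listing copied from the fast-flux question above (header line included).
NETFLOW = """\
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2020-07-11 14:39:30.606 0.448 TCP 192.168.2.1:1451->10.2.3.1:443 10 1510 1
2020-07-11 14:39:30.826 0.448 TCP 10.2.3.1:443->192.168.2.1:1451 7 360 1
2020-07-11 14:45:32.495 18.492 TCP 10.6.2.4:443->192.168.2.1:1496 5 1107 1
2020-07-11 14:45:32.255 18.888 TCP 192.168.2.1:1496->10.6.2.4:443 11 1840 1
2020-07-11 14:46:54.983 0.000 TCP 192.168.2.1:1496->10.6.2.4:443 1 49 1
2020-07-11 16:45:34.764 0.362 TCP 10.6.2.4:443->192.168.2.1:4292 4 1392 1
2020-07-11 16:45:37.516 0.676 TCP 192.168.2.1:4292->10.6.2.4:443 4 462 1
2020-07-11 16:46:38.028 0.000 TCP 192.168.2.1:4292->10.6.2.4:443 2 89 1
2020-07-11 14:45:23.811 0.454 TCP 192.168.2.1:1515->10.6.2.5:443 4 263 1
2020-07-11 14:45:28.879 1.638 TCP 192.168.2.1:1505->10.6.2.5:443 18 2932 1
2020-07-11 14:45:29.087 2.288 TCP 10.6.2.5:443->192.168.2.1:1505 37 48125 1
2020-07-11 14:45:54.027 0.224 TCP 10.6.2.5:443->192.168.2.1:1515 2 1256 1
2020-07-11 14:45:58.551 4.328 TCP 192.168.2.1:1525->10.6.2.5:443 10 648 1
2020-07-11 14:45:58.759 0.920 TCP 10.6.2.5:443->192.168.2.1:1525 12 15792 1
2020-07-11 14:46:32.227 14.796 TCP 192.168.2.1:1525->10.8.2.5:443 31 1700 1
2020-07-11 14:46:52.983 0.000 TCP 192.168.2.1:1505->10.8.2.5:443 1 40 1
"""

LOCAL = ip_network("192.168.2.0/24")  # assumed: the monitored host's own network

# Constructed flows for the honeynet case (not from the book). 10.99.0.0/24 is
# assumed to be an unused segment with no legitimate hosts, so any traffic to
# it is suspect. 203.0.113.7 sweeps it on port 22, 198.51.100.9 touches one
# address, and the last line is ordinary traffic that never enters the darknet.
DARKNET = ip_network("10.99.0.0/24")
DARKNET_FLOWS = """\
2020-07-11 15:01:02.000 0.000 TCP 203.0.113.7:51234->10.99.0.1:22 1 60 1
2020-07-11 15:01:02.010 0.000 TCP 203.0.113.7:51235->10.99.0.2:22 1 60 1
2020-07-11 15:01:02.020 0.000 TCP 203.0.113.7:51236->10.99.0.3:22 1 60 1
2020-07-11 15:01:02.030 0.000 TCP 203.0.113.7:51237->10.99.0.4:22 1 60 1
2020-07-11 15:01:02.040 0.000 TCP 203.0.113.7:51238->10.99.0.5:22 1 60 1
2020-07-11 15:01:09.000 0.000 TCP 198.51.100.9:40000->10.99.0.77:445 1 60 1
2020-07-11 15:02:00.000 0.100 TCP 192.168.2.1:1600->10.6.2.5:443 5 700 1
"""


def parse_flows(text):
    """Parse nfdump-style lines into dicts; the header and malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or "->" not in parts[4]:
            continue
        src, dst = parts[4].split("->", 1)
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.append({
            "start": f"{parts[0]} {parts[1]}",
            "duration": float(parts[2]),
            "proto": parts[3],
            "src": ip_address(src_ip), "sport": int(src_port),
            "dst": ip_address(dst_ip), "dport": int(dst_port),
            "packets": int(parts[5]), "bytes": int(parts[6]),
        })
    return flows


def remote_hosts(flows, local=LOCAL):
    """Distinct addresses outside the local network, whichever direction the flow went.
    A fast-flux name shows up here as one FQDN resolving to many such hosts."""
    hosts = {ip for f in flows for ip in (f["src"], f["dst"]) if ip not in local}
    return [str(h) for h in sorted(hosts)]


def scan_sources(flows, darknet, min_targets=3):
    """Sources that touched at least min_targets distinct darknet addresses.
    Returns {source: number of distinct darknet addresses touched}."""
    targets = {}
    for f in flows:
        if f["dst"] in darknet:
            targets.setdefault(f["src"], set()).add(f["dst"])
    return {str(src): len(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    hosts = remote_hosts(parse_flows(NETFLOW))
    print(f"{len(hosts)} distinct remote hosts to review: {', '.join(hosts)}")
    for src, n in scan_sources(parse_flows(DARKNET_FLOWS), DARKNET).items():
        print(f"probable scanner {src}: touched {n} addresses in {DARKNET}")
```

Run it directly to print both results. The host count treats each remote IP as a separate host; the next analytic step for a fast-flux hypothesis is to join these IPs against passive DNS to confirm that one FQDN really does resolve to all of them. The `min_targets` threshold is what separates a sweep from a single stray packet into the honeynet, and the constructed flows include both so the difference is visible.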

Which one of the following functions is not a common recipient of threat intelligence information?

Legal counsel

Risk management

Security engineering

Detection and monitoring

Alfonzo is an IT professional at a Portuguese university who is creating a cloud environment for use only by other Portuguese universities. What type of cloud deployment model is he using?

Public cloud

Private cloud

Hybrid cloud

Community cloud

During a network reconnaissance exercise, Chris gains access to a PC located in a secure network. If Chris wants to locate database and web servers that the company uses, what command-line tool can he use to gather information about other systems on the local network without installing additional tools or sending additional traffic?

ping

traceroute

nmap

netstat

Kaiden's organization uses the AWS public cloud environment. He uses the CloudFormation tool to write scripts that create the cloud resources used by his organization. What type of service is CloudFormation?

SaaS

IAC

FaaS

API

What is the default nmap scan type when nmap is not provided with a scan type flag?

A TCP FIN scan

A TCP connect scan

A TCP SYN scan

A UDP scan

Isaac wants to grab the banner from a remote web server using commonly available tools. Which of the following tools cannot be used to grab the banner from the remote host?

Netcat

Telnet

Wget

FTP

Lakshman wants to limit what potential attackers can gather during passive or semipassive reconnaissance activities. Which of the following actions will typically reduce his organization's footprint the most?

Limit information available via the organizational website without authentication.

Use a secure domain registration.

Limit technology references in job postings.

Purge all document metadata before posting.

Cassandra's nmap scan of an open wireless network (192.168.1.0/24) shows the following host at IP address 192.168.1.1. Which of the following is most likely to be the type of system at that IP address based on the scan results shown?

A virtual machine

A wireless router

A broadband router

A print server

Several organizations recently experienced security incidents when their AWS secret keys were published in public GitHub repositories. What is the most significant threat that could arise from this improper key management?

Total loss of confidentiality

Total loss of integrity

Total loss of availability

Total loss of confidentiality, integrity, and availability

Latisha has local access to a Windows workstation and wants to gather information about the organization that it belongs to. What type of information can she gain if she executes the command nbtstat -c?

MAC addresses and IP addresses of local systems

NetBIOS name-to-IP address mappings

A list of all NetBIOS systems that the host is connected to

NetBIOS MAC-to-IP address mappings

Tracy believes that a historic version of her target's website may contain data she needs for her reconnaissance. What tool can she use to review snapshots of the website from multiple points in time?

Time Machine

Morlock

Wayback Machine

Her target's web cache

After Kristen received a copy of an nmap scan run by a penetration tester that her company hired, she knows that the tester used the -O flag. What type of information should she expect to see included in the output other than open ports?

OCMP status

Other ports

Objective port assessment data in verbose mode

Operating system and Common Platform Enumeration (CPE) data

Andrea wants to conduct a passive footprinting exercise against a target company. Which of the following techniques is not suited to a passive footprinting process?

WHOIS lookups

Banner grabbing

BGP looking glass usage

Registrar checks

While gathering reconnaissance data for a penetration test, Charlene uses the MXToolbox MX Lookup tool. What can she determine from the response to her query shown here?

The mail servers are blacklisted.

The mail servers have failed an SMTP test.

The mail servers are clustered.

There are two MX hosts listed in DNS.

Alex wants to scan a protected network and has gained access to a system that can communicate to both his scanning system and the internal network, as shown in the image here. What type of nmap scan should Alex conduct to leverage this host if he cannot install nmap on system A?

A reflection scan

A proxy scan

A randomized host scan

A ping-through scan

As a member of a blue team, Lukas observed the following behavior during an external penetration test. What should he report to his managers at the conclusion of the test?

A significant increase in latency

A significant increase in packet loss

Latency and packet loss both increased.

No significant issues were observed.

As part of an organizationwide red team exercise, Frank is able to use a known vulnerability to compromise an Apache web server. Once he has gained access, what should his next step be if he wants to use the system to pivot to protected systems behind the DMZ that the web server resides in?

Vulnerability scanning

Privilege escalation

Patching

Installing additional tools

Maddox is conducting an inventory of access permissions on cloud-based object buckets, such as those provided by the AWS S3 service. What threat is he seeking to mitigate?

Insecure APIs

Improper key management

Unprotected storage

Insufficient logging and monitoring

Alex has been asked to assess the likelihood of reconnaissance activities against her organization (a small, regional business). Her first assignment is to determine the likelihood of port scans against systems in her organization's DMZ. How should she rate the likelihood of this occurring?

Low

Medium

High

There is not enough information for Alex to provide a rating.

Lucy recently detected a cross-site scripting vulnerability in her organization's web server. The organization operates a support forum where users can enter HTML tags and the resulting code is displayed to other site visitors. What type of cross-site scripting vulnerability did Lucy discover?

Persistent

Reflected

DOM-based

Blind

Which one of the following tools is capable of handcrafting TCP packets for use in an attack?

Arachni

Hping

Responder

Hashcat

Which one of the following IoT components contains hardware that can be dynamically reprogrammed by the end user?

RTOS

SoC

FPGA

MODBUS

Florian discovered a vulnerability in a proprietary application developed by his organization. The application performs memory management using the malloc() function, and one area of memory allocated in this manner has an overflow vulnerability. What term best describes this overflow?

Buffer overflow

Stack overflow

Integer overflow

Heap overflow

The company that Maria works for is making significant investments in infrastructure-as-a-service hosting to replace its traditional datacenter. Members of her organization's management share Maria's concerns about data remanence when her team moves from one virtual host to another in their cloud service provider's environment. What should she instruct her team to do to avoid this concern?

Zero-wipe drives before moving systems.

Use full-disk encryption.

Use data masking.

Span multiple virtual disks to fragment data.

Lucca wants to prevent workstations on his network from attacking each other. If Lucca's corporate network looks like the network shown here, what technology should he select to prevent laptop A from being able to attack workstation B?

An IPS

An IDS

An HIPS

An HIDS

Geoff is reviewing logs and sees a large number of attempts to authenticate to his VPN server using many different username and password combinations. The same usernames are attempted several hundred times before moving on to the next one. What type of attack is most likely taking place?

Credential stuffing

Password spraying

Brute-force

Rainbow table
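The three credential attacks in this question leave different shapes in an authentication log even though passwords are never recorded: brute-force retries one username many times in a row, spraying cycles the whole user list once per password, and stuffing tries each leaked username once. The following classifier is an added example and is not code from the book; the log format, the synthetic samples, and the thresholds are all assumptions chosen for illustration.

```python
"""Classify a burst of failed VPN logins by the ORDER in which usernames recur.

Added example; not from the book. Passwords are never logged, so the only
signal is how often, and how consecutively, each username is retried.
The log format below is a constructed one (assumption):
    <ISO-8601 timestamp> vpn auth-fail user=<name> src=<ip>
"""
import re
from collections import Counter
from datetime import datetime, timedelta
from itertools import groupby

LOG_RE = re.compile(r"^(\S+) vpn auth-fail user=(\S+) src=(\S+)$")


def synth_log(user_sequence, src="203.0.113.7", start="2020-07-21T02:18:00"):
    """Build constructed failed-auth lines, one per second, for a sequence of usernames."""
    t0 = datetime.fromisoformat(start)
    return [
        f"{(t0 + timedelta(seconds=i)).isoformat()} vpn auth-fail user={user} src={src}"
        for i, user in enumerate(user_sequence)
    ]


def parse_failures(lines):
    """Return (timestamp, user, src) tuples for every line that matches the format."""
    parsed = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            parsed.append(m.groups())
    return parsed


def classify(failures, run_threshold=20, user_threshold=10):
    """Heuristic verdict (thresholds are assumptions; tune them per environment).

    brute-force          one username retried many times in a row before the next
    password spraying    many usernames, each hit once per round, rounds repeat
    credential stuffing  many usernames, each tried only once (leaked user:pass pairs)
    """
    users = [user for _, user, _ in failures]
    if not users:
        return "no failures"
    # longest run of consecutive attempts against the same username
    longest_run = max(len(list(group)) for _, group in groupby(users))
    per_user = Counter(users)
    if longest_run >= run_threshold:
        return "brute-force"
    if len(per_user) >= user_threshold:
        return "password spraying" if max(per_user.values()) > 1 else "credential stuffing"
    return "undetermined"


# Constructed samples: 40 usernames, three attack shapes.
USERS = [f"user{i:02d}" for i in range(40)]
BRUTE_FORCE_LOG = synth_log([u for u in USERS[:3] for _ in range(300)])  # Geoff's pattern
SPRAY_LOG = synth_log(USERS * 3)   # whole list, three rounds (one password per round)
STUFFING_LOG = synth_log(USERS)    # each username exactly once

if __name__ == "__main__":
    for name, log in (("brute", BRUTE_FORCE_LOG), ("spray", SPRAY_LOG), ("stuffing", STUFFING_LOG)):
        print(name, "->", classify(parse_failures(log)))
```

Geoff's log, where the same username is attempted several hundred times before the attacker moves on, produces a long consecutive run and is classified as brute-force; the other two shapes are distinguished only by whether any username recurs across rounds.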

The company that Dan works for has recently migrated to a SaaS provider for its enterprise resource planning (ERP) software. In its traditional on-site ERP environment, Dan conducted regular port scans to help with security validation for the systems. What will Dan most likely have to do in this new environment?

Use a different scanning tool.

Rely on vendor testing and audits.

Engage a third-party tester.

Use a VPN to scan inside the vendor's security perimeter.

Lakshman uses Network Miner to review packet captures from his reconnaissance of a target organization. One system displayed the information shown here. What information has Network Miner used to determine that the PC is a Hewlett-Packard device?

The MAC address

The OS flags

The system's banner

The IP address

Kaiden is configuring a SIEM service in his IaaS cloud environment that will receive all of the log entries generated by other devices in that environment. Which one of the following risks is greatest with this approach in the event of a DoS attack or other outage?

Inability to access logs

Insufficient logging

Insufficient monitoring

Insecure API

Which one of the following languages is least susceptible to an injection attack?

HTML

SQL

STIX

XML

Which one of the following types of malware would be most useful in a privilege escalation attack?

Rootkit

Worm

Virus

RAT

Ricky discovered a vulnerability in an application where privileges are checked at the beginning of a series of steps, may be revoked during those steps, and then are not checked before new uses of them later in the sequence. What type of vulnerability did he discover?

Improper error handling

Race condition

Dereferencing

Sensitive data exposure

Matthew is analyzing some code written in the C programming language and discovers that it is using the functions listed here. Which of these functions poses the greatest security vulnerability?

strcpy()

main()

printf()

scanf()

Abdul is conducting a security audit of a multicloud computing environment that incorporates resources from AWS and Microsoft Azure. Which one of the following tools will be most useful to him?

ScoutSuite

Pacu

Prowler

CloudSploit

Jake is performing a vulnerability assessment and comes across a CAN bus specification. What type of environment is most likely to include a CAN bus?

Physical access control system

Building automation system

Vehicle control system

Workflow and process automation system

Darcy is conducting a test of a wireless network using the Reaver tool. What technology does Reaver specifically target?

WPA

WPA2

WPS

WEP

Azra believes that one of her users may be taking malicious action on the systems she has access to. When she walks past her user's desktop, she sees the following command on the screen:

user12@workstation:/home/user12# ./john -wordfile:/home/user12/mylist.txt -format:lm hash.txt

What is the user attempting to do?

They are attempting to hash a file.

They are attempting to crack hashed passwords.

They are attempting to crack encrypted passwords.

They are attempting a pass-the-hash attack.

nmap provides a standardized way to name hardware and software that it detects. What is this called?

CVE

HardwareEnum

CPE

GearScript

Lakshman wants to detect port scans using syslog so that he can collect and report on the information using his SIEM. If he is using a default CentOS system, what should he do?

Search for use of privileged ports in sequential order.

Search for connections to ports in the /var/syslog directory.

Log all kernel messages to detect scans.

Install additional tools that can detect scans and send the logs to syslog.

Greg is concerned about the use of DDoS attack tools against his organization, so he purchased a mitigation service from his ISP. What portion of the threat model did Greg reduce?

Likelihood

Total attack surface

Impact

Adversary capability

Lucas believes that an attacker has successfully compromised his web server. Using the following output of ps, identify the process ID he should focus on.

root 507 0.0 0.1 258268 3288 ? Ssl 15:52 0:00 /usr/sbin/rsyslogd -n

message+ 508 0.0 0.2 44176 5160 ? Ss 15:52 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activa

root 523 0.0 0.3 281092 6312 ? Ssl 15:52 0:00 /usr/lib/accountsservice/accounts-daemon

root 524 0.0 0.7 389760 15956 ? Ssl 15:52 0:00 /usr/sbin/NetworkManager --no-daemon

root 527 0.0 0.1 28432 2992 ? Ss 15:52 0:00 /lib/systemd/systemd-logind

apache 714 0.0 0.1 27416 2748 ? Ss 15:52 0:00 /www/temp/webmin

root 617 0.0 0.1 19312 2056 ? Ss 15:52 0:00 /usr/sbin/irqbalance --pid=/var/run/irqbalance.pid

root 644 0.0 0.1 245472 2444 ? Sl 15:52 0:01 /usr/sbin/VBoxService

root 653 0.0 0.0 12828 1848 tty1 Ss+ 15:52 0:00 /sbin/agetty --noclear tty1 linux

root 661 0.0 0.3 285428 8088 ? Ssl 15:52 0:00 /usr/lib/policykit-1/polkitd --no-debug

root 663 0.0 0.3 364752 7600 ? Ssl 15:52 0:00 /usr/sbin/gdm3

root 846 0.0 0.5 285816 10884 ? Ssl 15:53 0:00 /usr/lib/upower/upowerd

root 867 0.0 0.3 235180 7272 ? Sl 15:53 0:00 gdm-session-worker [pam/gdm-launch-environment]

Debian-+ 877 0.0 0.2 46892 4816 ? Ss 15:53 0:00 /lib/systemd/systemd --user

Debian-+ 878 0.0 0.0 62672 1596 ? S 15:53 0:00 (sd-pam)

508

617

846

714

Geoff is responsible for hardening systems on his network and discovers that a number of network appliances have exposed services, including telnet, FTP, and web servers. What is his best option to secure these systems?

Enable host firewalls.

Install patches for those services.

Turn off the services for each appliance.

Place a network firewall between the devices and the rest of the network.

While conducting reconnaissance of his own organization, Ian discovers that multiple certificates are self-signed. What issue should he report to his management?

Self-signed certificates do not provide secure encryption for site visitors.

Self-signed certificates can be revoked only by the original creator.

Self-signed certificates will cause warnings or error messages.

None of the above.

During the reconnaissance stage of a penetration test, Fred calls a number of staff at the target organization. Using a script he prepared, Fred introduces himself as part of the support team for their recently installed software and asks for information about the software and its configuration. What is this technique called?

Pretexting

OSINT

A tag-out

Profiling

Carrie needs to lock down a Windows workstation that has recently been scanned using nmap with the results shown here. She knows that the workstation needs to access websites and that the system is part of a Windows domain. What ports should she allow through the system's firewall for externally initiated connections?

80, 135, 139, and 445

80, 445, and 3389

135, 139, and 445

No ports should be open.

Adam's port scan returns results on six TCP ports: 22, 80, 443, 515, 631, and 9100. If Adam needs to guess what type of device this is based on these ports, what is his best guess?

A web server

An FTP server

A printer

A proxy server

In his role as the SOC operator, Manish regularly scans a variety of servers in his organization. After two months of reporting multiple vulnerabilities on a Windows file server, Manish recently escalated the issue to the server administrator's manager.

At the next weekly scan window, Manish noticed that all the vulnerabilities were no longer active; however, ports 137, 139, and 445 were still showing as open. What most likely happened?

The server administrator blocked the scanner with a firewall.

The server was patched.

The vulnerability plug-ins were updated and no longer report false positives.

The system was offline.

While conducting reconnaissance, Piper discovers what she believes is an SMTP service running on an alternate port. What technique should she use to manually validate her guess?

Send an email via the open port.

Send an SMTP probe.

Telnet to the port.

SSH to the port.

What two pieces of information does nmap need to estimate network path distance?

IP address and TTL

TTL and operating system

Operating system and BGP flags

TCP flags and IP address

Helen is using the Lockheed Martin Cyber Kill Chain to analyze an attack that took place against her organization. During the attack, the perpetrator attached a malicious tool to an email message that was sent to the victim. What phase of the Cyber Kill Chain includes this type of activity?

Weaponization

Delivery

Exploitation

Actions on objectives

During an on-site penetration test of a small business, Ramesh scans outward to a known host to determine the outbound network topology. What information can he gather from the results provided by Zenmap?

There are two nodes on the local network.

There is a firewall at IP address 96.120.24.121.

There is an IDS at IP address 96.120.24.121.

He should scan the 10.0.2.0/24 network.

Use the following network diagram and scenario to answer questions 69–71.

Marta is a security analyst who has been tasked with performing nmap scans of her organization's network. She is a new hire and has been given this logical diagram of the organization's network but has not been provided with any additional detail.

Marta wants to determine what IP addresses to scan from location A. How can she find this information?

Scan the organization's web server and then scan the other 255 IP addresses in its subnet.

Query DNS and WHOIS to find her organization's registered hosts.

Contact ICANN to request the data.

Use traceroute to identify the network that the organization's domain resides in.

If Marta runs a scan from location B that targets the servers on the datacenter network and then runs a scan from location C, what differences is she most likely to see between the scans?

The scans will match.

Scans from location C will show no open ports.

Scans from location C will show fewer open ports.

Scans from location C will show more open ports.

Marta wants to perform regular scans of the entire organizational network but only has a budget that supports buying hardware for a single scanner. Where should she place her scanner to have the most visibility and impact?

Location A

Location B

Location C

Location D

Andrea needs to add a firewall rule that will prevent external attackers from conducting topology gathering reconnaissance on her network. Where should she add a rule intended to block this type of traffic?

The firewall

The router

The distribution switch

The Windows server

Brandon wants to perform a WHOIS query for a system he believes is located in Europe. Which NIC should he select to have the greatest likelihood of success for his query?

AFRINIC

APNIC

RIPE

LACNIC

While reviewing Apache logs, Janet sees the following entries as well as hundreds of others from the same source IP. What should Janet report has occurred?

[ 21/Jul/2020:02:18:33 -0500] - - 10.0.1.1 "GET /scripts/sample.php" "-" 302 336 0

[ 21/Jul/2020:02:18:35 -0500] - - 10.0.1.1 "GET /scripts/test.php" "-" 302 336 0

[ 21/Jul/2020:02:18:37 -0500] - - 10.0.1.1 "GET /scripts/manage.php" "-" 302 336 0

[ 21/Jul/2020:02:18:38 -0500] - - 10.0.1.1 "GET /scripts/download.php" "-" 302 336 0

[ 21/Jul/2020:02:18:40 -0500] - - 10.0.1.1 "GET /scripts/update.php" "-" 302 336 0

[ 21/Jul/2020:02:18:42 -0500] - - 10.0.1.1 "GET /scripts/new.php" "-" 302 336 0

A denial-of-service attack

A vulnerability scan

A port scan

A directory traversal attack
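The tell in Janet's log is many distinct script paths from one source in a few seconds, all answered with the same redirect: the client is enumerating files, not using the site. The following detector runs that logic over the six lines in the question plus two constructed lines for an ordinary visitor. It is an added example, not code from the book; the window size and thresholds are assumptions.

```python
"""Separate a web vulnerability scan from ordinary browsing (or a DoS) in Apache logs.

Added example; not from the book. The parser matches the custom LogFormat in
the question:  [ time] - - client "METHOD path" "referer" status bytes extra
Window and thresholds are assumptions to tune for the site's normal traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ACCESS_RE = re.compile(
    r'^\[\s*(?P<ts>[^\]]+?)\s*\]\s+-\s+-\s+(?P<ip>\S+)\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<path>\S+)"\s+"(?P<referer>[^"]*)"\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<extra>\d+)$'
)

# Sample input: the six lines from the question plus two constructed lines
# for a normal visitor (10.0.1.2) to show the contrast.
SAMPLE_LOG = """
[ 21/Jul/2020:02:18:33 -0500] - - 10.0.1.1 "GET /scripts/sample.php" "-" 302 336 0
[ 21/Jul/2020:02:18:35 -0500] - - 10.0.1.1 "GET /scripts/test.php" "-" 302 336 0
[ 21/Jul/2020:02:18:37 -0500] - - 10.0.1.1 "GET /scripts/manage.php" "-" 302 336 0
[ 21/Jul/2020:02:18:38 -0500] - - 10.0.1.1 "GET /scripts/download.php" "-" 302 336 0
[ 21/Jul/2020:02:18:40 -0500] - - 10.0.1.1 "GET /scripts/update.php" "-" 302 336 0
[ 21/Jul/2020:02:18:42 -0500] - - 10.0.1.1 "GET /scripts/new.php" "-" 302 336 0
[ 21/Jul/2020:02:19:01 -0500] - - 10.0.1.2 "GET /index.php" "-" 200 5120 0
[ 21/Jul/2020:02:19:09 -0500] - - 10.0.1.2 "GET /about.php" "http://example.test/index.php" 200 2048 0
"""


def parse_access_log(text):
    """Return (timestamp, client_ip, path, status) for each line that matches."""
    events = []
    for line in text.strip().splitlines():
        m = ACCESS_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts, m["ip"], m["path"], int(m["status"])))
    return events


def classify_sources(events, window=timedelta(seconds=60), min_paths=5, min_hits=50):
    """Per client IP, look at the busiest sliding window and label the behaviour.

    Many distinct paths in one window -> scanner enumerating files.
    Many hits but few paths          -> volume, possibly DoS.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        most_paths = most_hits = 0
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # shrink window from the left
                start += 1
            span = evs[start:end + 1]
            most_paths = max(most_paths, len({e[2] for e in span}))
            most_hits = max(most_hits, len(span))
        if most_paths >= min_paths:
            verdicts[ip] = "vulnerability scan (many distinct paths in a short window)"
        elif most_hits >= min_hits:
            verdicts[ip] = "possible DoS (high volume, few paths)"
        else:
            verdicts[ip] = "normal"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(parse_access_log(SAMPLE_LOG)).items():
        print(ip, verdict)
```

Six distinct paths in nine seconds trips the scan rule for 10.0.1.1 while the two-page visit from 10.0.1.2 stays normal. Port scans never appear in Apache logs at all, and a directory traversal attempt would show ../ sequences in the requested path rather than a list of plausible filenames.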

Chris wants to gather as much information as he can about an organization using DNS harvesting techniques. Which of the following methods will most easily provide the most useful information if they are all possible to conduct on the network he is targeting?

DNS record enumeration

Zone transfer

Reverse lookup

Domain brute-forcing

Geoff wants to perform passive reconnaissance as part of an evaluation of his organization's security controls. Which of the following techniques is a valid technique to perform as part of a passive DNS assessment?

A DNS forward or reverse lookup

A zone transfer

A WHOIS query

Using maltego

Mike's penetration test requires him to use passive mapping techniques to discover network topology. Which of the following tools is best suited to that task?

Wireshark

nmap

netcat

Angry IP Scanner

While gathering DNS information about an organization, Ryan discovered multiple AAAA records. What type of reconnaissance does this mean Ryan may want to consider?

Second-level DNS queries

IPv6 scans

Cross-domain resolution

A CNAME verification

After Carlos completes a topology discovery scan of his local network, he sees the Zenmap topology shown here. What can Carlos determine from the Zenmap topology view?

There are five hosts with port security enabled.

DemoHost2 is running a firewall.

DemoHost4 is running a firewall.

There are four hosts with vulnerabilities and seven hosts that do not have vulnerabilities.

Scott is part of the white team who is overseeing his organization's internal red and blue teams during an exercise that requires each team to only perform actions appropriate to the penetration test phase they are in. During the reconnaissance phase, he notes the following behavior as part of a Wireshark capture. What should he report?

The blue team has succeeded.

The red team is violating the rules of engagement.

The red team has succeeded.

The blue team is violating the rules of engagement.

Jennifer analyzes a Wireshark packet capture from a network that she is unfamiliar with. She discovers that a host with IP address 10.11.140.13 is running services on TCP ports 636 and 443. What services is that system most likely running?

LDAPS and HTTPS

FTPS and HTTPS

RDP and HTTPS

HTTP and Secure DNS

Kai has identified a privilege escalation flaw on the system she targeted in the first phase of her penetration test and is now ready to take the next step. According to the NIST 800-115 standard, what is step C that Kai needs to take, as shown in this diagram?

System browsing

Scanning

Rooting

Consolidation

When Scott performs an nmap scan with the -T flag set to 5, what variable is he changing?

How fast the scan runs

The TCP timeout flag it will set

How many retries it will perform

How long the scan will take to start up

While conducting a port scan of a remote system, Henry discovers TCP port 1433 open. What service can he typically expect to run on this port?

Oracle

VNC

IRC

Microsoft SQL

While running an application vulnerability scan against one of her target organization's web servers, Andrea notices that the server's hostname is resolving to a cloudflare.com host. What does Andrea know about her scan?

It is being treated like a DDoS attack.

It is scanning a CDN-hosted copy of the site.

It will not return useful information.

She cannot determine anything about the site based on this information.

While tracking a potential APT on her network, Cynthia discovers a network flow for her company's central file server. What does this flow entry most likely show if 10.2.2.3 is not a system on her network?

Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows

2017-07-11 13:06:46.343 21601804 TCP 10.1.1.1:1151->10.2.2.3:443 9473640 9.1 G 1

2017-07-11 13:06:46.551 21601804 TCP 10.2.2.3:443->10.1.1.1:1151 8345101 514 M 1

A web browsing session

Data exfiltration

Data infiltration

A vulnerability scan
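Both flow questions on this page (Fred's fast-flux download hosts and Cynthia's file-server flow) reduce to the same two operations on NetFlow records: enumerate the remote peers of an internal host, and compare bytes sent with bytes received per peer. The script below parses the flow lines from both questions and answers each; it is an added example and not the book's code. The internal network ranges and the exfiltration thresholds are assumptions.

```python
"""Parse nfdump-style flow lines; count remote peers and spot lopsided transfers.

Added example; not from the book. Record layout as printed in the questions:
    <date> <time> <duration> <proto> <src>:<sport>-><dst>:<dport> <packets> <bytes> <flows>
Byte counts may be plain ("1510") or human-readable ("9.1 G").
Internal network ranges and thresholds are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

FLOW_RE = re.compile(
    r"^(?P<start>\d{4}-\d{2}-\d{2} [\d:.]+)\s+(?P<dur>[\d.]+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<pkts>\d+)\s+(?P<bytes>[\d.]+(?: [KMG])?)\s+(?P<flows>\d+)$"
)
UNIT = {"K": 1e3, "M": 1e6, "G": 1e9}


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    nbytes: int
    duration: float


def parse_size(text):
    """'1510' -> 1510, '9.1 G' -> 9100000000 (nfdump-style human units)."""
    parts = text.split()
    value = float(parts[0])
    return int(round(value * UNIT[parts[1]])) if len(parts) == 2 else int(value)


def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append(Flow(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"],
                              int(m["pkts"]), parse_size(m["bytes"]), float(m["dur"])))
    return flows


def remote_hosts(flows, internal_net):
    """Distinct peers outside internal_net seen in either direction (Fred's question)."""
    net = ipaddress.ip_network(internal_net)
    return {ip for f in flows for ip in (f.src, f.dst) if ipaddress.ip_address(ip) not in net}


def byte_balance(flows, internal_net):
    """{remote_ip: (bytes_sent_to_it, bytes_received_from_it)} from the inside's view."""
    net = ipaddress.ip_network(internal_net)
    balance = defaultdict(lambda: [0, 0])
    for f in flows:
        src_in, dst_in = ipaddress.ip_address(f.src) in net, ipaddress.ip_address(f.dst) in net
        if src_in and not dst_in:
            balance[f.dst][0] += f.nbytes
        elif dst_in and not src_in:
            balance[f.src][1] += f.nbytes
    return {ip: tuple(v) for ip, v in balance.items()}


def exfil_suspects(flows, internal_net, min_out=1_000_000_000, ratio=5.0):
    """Remote hosts that received >= min_out bytes and far more than they sent (Cynthia's case)."""
    return sorted(ip for ip, (sent, received) in byte_balance(flows, internal_net).items()
                  if sent >= min_out and sent > ratio * max(received, 1))


# Sample input: the NetFlow records from the two questions.
FAST_FLUX_FLOWS = """
2020-07-11 14:39:30.606 0.448 TCP 192.168.2.1:1451->10.2.3.1:443 10 1510 1
2020-07-11 14:39:30.826 0.448 TCP 10.2.3.1:443->192.168.2.1:1451 7 360 1
2020-07-11 14:45:32.495 18.492 TCP 10.6.2.4:443->192.168.2.1:1496 5 1107 1
2020-07-11 14:45:32.255 18.888 TCP 192.168.2.1:1496->10.6.2.4:443 11 1840 1
2020-07-11 14:46:54.983 0.000 TCP 192.168.2.1:1496->10.6.2.4:443 1 49 1
2020-07-11 16:45:34.764 0.362 TCP 10.6.2.4:443->192.168.2.1:4292 4 1392 1
2020-07-11 16:45:37.516 0.676 TCP 192.168.2.1:4292->10.6.2.4:443 4 462 1
2020-07-11 16:46:38.028 0.000 TCP 192.168.2.1:4292->10.6.2.4:443 2 89 1
2020-07-11 14:45:23.811 0.454 TCP 192.168.2.1:1515->10.6.2.5:443 4 263 1
2020-07-11 14:45:28.879 1.638 TCP 192.168.2.1:1505->10.6.2.5:443 18 2932 1
2020-07-11 14:45:29.087 2.288 TCP 10.6.2.5:443->192.168.2.1:1505 37 48125 1
2020-07-11 14:45:54.027 0.224 TCP 10.6.2.5:443->192.168.2.1:1515 2 1256 1
2020-07-11 14:45:58.551 4.328 TCP 192.168.2.1:1525->10.6.2.5:443 10 648 1
2020-07-11 14:45:58.759 0.920 TCP 10.6.2.5:443->192.168.2.1:1525 12 15792 1
2020-07-11 14:46:32.227 14.796 TCP 192.168.2.1:1525->10.8.2.5:443 31 1700 1
2020-07-11 14:46:52.983 0.000 TCP 192.168.2.1:1505->10.8.2.5:443 1 40 1
"""
EXFIL_FLOWS = """
2017-07-11 13:06:46.343 21601804 TCP 10.1.1.1:1151->10.2.2.3:443 9473640 9.1 G 1
2017-07-11 13:06:46.551 21601804 TCP 10.2.2.3:443->10.1.1.1:1151 8345101 514 M 1
"""

if __name__ == "__main__":
    print("download hosts:", sorted(remote_hosts(parse_flows(FAST_FLUX_FLOWS), "192.168.2.0/24")))
    print("exfil suspects:", exfil_suspects(parse_flows(EXFIL_FLOWS), "10.1.1.0/24"))
```

Fred's records show four distinct remote hosts (10.2.3.1, 10.6.2.4, 10.6.2.5, 10.8.2.5), so four hosts need review. Cynthia's single long-lived connection pushes 9.1 GB out of the file server against 514 MB coming back; a browsing session or a vulnerability scan would be dominated by inbound bytes, so the lopsided direction is what points at exfiltration.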

Part of Tracy's penetration testing assignment is to evaluate the WPA2 Enterprise protected wireless networks of her target organization. What major differences exist between reconnaissance of a wired network versus a wireless network?

Encryption and physical accessibility

Network access control and encryption

Port security and physical accessibility

Authentication and encryption

Ian's company has an internal policy requiring that they perform regular port scans of all of their servers. Ian has been part of a recent effort to move his organization's servers to an infrastructure as a service (IaaS) provider. What change will Ian most likely need to make to his scanning efforts?

Change scanning software

Follow the service provider's scan policies

Sign a security contract with the provider

Discontinue port scanning

During a regularly scheduled PCI compliance scan, Fred has discovered port 3389 open on one of the point-of-sale terminals that he is responsible for managing. What service should he expect to find enabled on the system?

MySQL

RDP

TOR

Jabber

Saanvi knows that the organization she is scanning runs services on alternate ports to attempt to reduce scans of default ports. As part of her intelligence-gathering process, she discovers services running on ports 8080 and 8443. What services are most likely running on these ports?

Botnet C&C

Nginx

Microsoft SQL Server instances

Web servers

Lauren wants to identify all the printers on the subnets she is scanning with nmap. Which of the following nmap commands will not provide her with a list of likely printers?

nmap -sS -p 9100,515,631 10.0.10.15/22 -oX printers.txt

nmap -O 10.0.10.15/22 -oG - | grep printer >> printers.txt

nmap -sU -p 9100,515,631 10.0.10.15/22 -oX printers.txt

nmap -sS -O 10.0.10.15/22 -oG | grep >> printers.txt

Chris knows that systems have connected to a remote host on TCP ports 1433 and 1434. If he has no other data, what should his best guess be about what the host is?

A print server

A Microsoft SQL server

A MySQL server

A secure web server running on an alternate port

What services will the following nmap scan test for?

nmap -sV -p 22,25,53,389 192.168.2.50/27

Telnet, SMTP, DHCP, MS-SQL

SSH, SMTP, DNS, LDAP

Telnet, SNMP, DNS, LDAP

SSH, SNMP, DNS, RDP

While conducting a topology scan of a remote web server, Susan notes that the IP addresses returned for the same DNS entry change over time. What has she likely encountered?

A route change

Fast-flux DNS

A load balancer

An IP mismatch

Kwame is reviewing his team's work as part of a reconnaissance effort and is checking Wireshark packet captures. His team reported no open ports on 10.0.2.15. What issue should he identify with their scan based on the capture shown here?

The host was not up.

Not all ports were scanned.

The scan scanned only UDP ports.

The scan was not run as root.

Allan's nmap scan includes a line that starts with cpe:/o. What type of information should he expect to gather from the entry?

Common privilege escalation

Operating system

Certificate performance evaluation

Hardware identification

While scanning a network, Frank discovers a host running a service on TCP ports 1812 and 1813. What type of server has Frank most likely discovered?

RADIUS

VNC

Kerberos

Postgres

Nihar wants to conduct an nmap scan of a firewalled subnet. Which of the following is not an nmap firewall evasion technique he could use?

Fragmenting packets

Changing packet header flags

Spoofing the source IP

Appending random data

Which of the following commands will provide Ben with the most information about a host?

dig -x [ip address]

host [ip address]

nslookup [ip address]

zonet [ip address]

Fred's reconnaissance of an organization includes a search of the Censys network search engine. There, he discovers multiple certificates with validity dates as shown here:

Validity

2018-07-07 00:00:00 to 2019-08-11 23:59:59 (400 days, 23:59:59)

2018-07-08 00:00:00 to 2019-08-12 23:59:59 (400 days, 23:59:59)

2018-07-11 00:00:00 to 2019-08-15 23:59:59 (400 days, 23:59:59)

What should Fred record in his reconnaissance notes?

The certificates expired as expected, showing proper business practice.

The certificates were expired by the CA, possibly due to nonpayment.

The system that hosts the certificates may have been compromised.

The CA may have been compromised, leading to certificate expiration.

When Casey scanned a network host, she received the results shown here. What does she know based on the scan results?

The device is a Cisco device.

The device is running CentOS.

The device was built by IBM.

None of the above.

Fred conducts an SNMP sweep of a target organization and receives no-response replies from multiple addresses that he believes belong to active hosts. What does this mean?

The machines are unreachable.

The machines are not running SNMP servers.

The community string he used is invalid.

Any or all of the above may be true.

Angela wants to gather detailed information about the hosts on a network passively. If she has access to a Wireshark PCAP file from the network, which of the following tools can she use to provide automated analysis of the file?

Ettercap

NetworkMiner

Sharkbait

Dradis

While performing reconnaissance of an organization's network, Angela discovers that web.organization.com, www.organization.com, and documents.organization.com all point to the same host. What type of DNS record allows this?

A CNAME

An MX record

An SPF record

An SOA record

Aidan operates the point-of-sale network for a company that accepts credit cards and is thus required to be compliant with PCI DSS. During his regular assessment of the point-of-sale terminals, he discovers that a recent Windows operating system vulnerability exists on all of them. Since they are all embedded systems that require a manufacturer update, he knows that he cannot install the available patch. What is Aidan's best option to stay compliant with PCI DSS and protect his vulnerable systems?

Replace the Windows embedded point-of-sale terminals with standard Windows systems.

Build a custom operating system image that includes the patch.

Identify, implement, and document compensating controls.

Remove the POS terminals from the network until the vendor releases a patch.

What occurs when Mia uses the following command to perform an nmap scan of a network?

nmap -sP 192.168.2.0/24

A secure port scan of all hosts in the 192.168.0.0 to 192.168.2.255 network range

A scan of all hosts that respond to ping in the 192.168.0.0 to 192.168.255.255 network range

A scan of all hosts that respond to ping in the 192.168.2.0 to 192.168.2.255 network range

A SYN-based port scan of all hosts in the 192.168.2.0 to 192.168.2.255 network range

Amir's remote scans of a target organization's class C network block using nmap (nmap -sS 10.0.10.1/24) show only a single web server. If Amir needs to gather additional reconnaissance information about the organization's network, which of the following scanning techniques is most likely to provide additional detail?

Use a UDP scan.

Perform a scan from on-site.

Scan using the -p 1-65535 flag.

Use nmap's IPS evasion techniques.

Damian wants to limit the ability of attackers to conduct passive fingerprinting exercises on his network. Which of the following practices will help to mitigate this risk?

Implement an IPS.

Implement a firewall.

Disable promiscuous mode for NICs.

Enable promiscuous mode for NICs.

Wang submits a suspected malware file to malwr.com and receives the following information about its behavior. What type of tool is malwr.com?

A reverse-engineering tool

A static analysis sandbox

A dynamic analysis sandbox

A decompiler sandbox

As part of his active reconnaissance activities, Frank is provided with a shell account accessible via SSH. If Frank wants to run a default nmap scan on the network behind the firewall shown here, how can he accomplish this?

ssh -t 192.168.34.11 nmap 192.168.34.0/24

ssh -R 8080:192.168.34.11:8080 [remote account:remote password]

ssh -proxy 192.168.11 [remote account:remote password]

Frank cannot scan multiple ports with a single ssh command.

Angela captured the following packets during a reconnaissance effort run by her organization's red team. What type of information are they looking for?

Vulnerable web applications

SQL injection

Directory traversal attacks

Passwords

Which sources are most commonly used to gather information about technologies a target organization uses during intelligence gathering?

OSINT searches of support forums and social engineering

Port scanning and social engineering

Social media review and document metadata

Social engineering and document metadata

Sarah has been asked to assess the technical impact of suspected reconnaissance performed against her organization. She is informed that a reliable source has discovered that a third party has been performing reconnaissance by querying WHOIS data. How should Sarah categorize the technical impact of this type of reconnaissance?

High

Medium

Low

She cannot determine this from the information given.

Rick is reviewing flows of a system on his network and discovers the following flow logs. What is the system doing?

ICMP "Echo request"

Date flow start Duration Proto Src IP Addr:Port->Dst IP Addr:Port Packets Bytes Flows

2019-07-11 04:58:59.518 10.000 ICMP 10.1.1.1:0->10.2.2.6:8.0 11 924 1

2019-07-11 04:58:59.518 10.000 ICMP 10.2.2.6:0->10.1.1.1:0.0 11 924 1

2019-07-11 04:58:59.518 10.000 ICMP 10.1.1.1:0->10.2.2.7:8.0 11 924 1

2019-07-11 04:58:59.518 10.000 ICMP 10.2.2.7:0->10.1.1.1:0.0 11 924 1

2019-07-11 04:58:59.518 10.000 ICMP 10.1.1.1:0->10.2.2.8:8.0 11 924 1