Fundamentals of Information Security [State Exam | Part 2 + 23 new questions]

The following message was encrypted using a Caesar cipher with a key of 2:

fghgpf vjg ecuvng

What is the plaintext message?

What is the purpose of a digital certificate?

A company is developing a security policy for secure communication. In the exchange of critical messages between a headquarters office and a branch office, a hash value should only be recalculated with a predetermined code, thus ensuring the validity of data source. Which aspect of secure communications is addressed?

In most host-based security suites, which function provides robust logging of security-related events and sends logs to a central location?

On a Windows host, which tool can be used to create and maintain blacklists and whitelists?

Which statement describes agentless antivirus protection?

The IT security personnel of an organization notice that the web server deployed in the DMZ is frequently targeted by threat actors. The decision is made to implement a patch management system to manage the server. Which risk management strategy method is being used to respond to the identified risk?

In addressing a risk that has low potential impact and relatively high cost of mitigation or reduction, which strategy will accept the risk and its consequences?

What is a host-based intrusion detection system (HIDS)?

What type of antimalware program is able to detect viruses by recognizing various characteristics of a known malware file?

Which device in a LAN infrastructure is susceptible to MAC address-table overflow and spoofing attacks?

Which criterion in the Base Metric Group Exploitability metrics reflects the proximity of the threat actor to the vulnerable component?

In addressing an identified risk, which strategy aims to stop performing the activities that create risk?

Which statement describes the term iptables?

For network systems, which management system addresses the inventory and control of hardware and software configurations?

Which statement describes the anomaly-based intrusion detection approach?

What is the first step taken in risk assessment?

Which statement describes the threat-vulnerability (T-V) pairing?

Which security procedure would be used on a Windows workstation to prevent access to a specific set of websites?

Which statement describes the use of a Network Admission Control (NAC) solution?

Which type of antimalware software detects and mitigates malware by analyzing suspicious activities?

Which regulatory compliance regulation sets requirements for all U.S. public company boards, management and public accounting firms regarding the way in which corporations control and disclose financial information?

Which statement describes the term attack surface?

Which step in the Vulnerability Management Life Cycle determines a baseline risk profile to eliminate risks based on asset criticality, vulnerability threat, and asset classification?

When a network baseline is being established for an organization, which network profile element indicates the time between the establishment of a data flow and its termination?

In network security assessments, which type of test employs software to scan internal networks and Internet facing servers for various types of vulnerabilities?

Which statement describes the Cisco Threat Grid Glovebox?

How does using HTTPS complicate network security monitoring?

Which protocol is used to send e-mail messages between two servers that are in different e-mail domains?

Which function is provided by the Sguil application?

A system administrator has recommended to the CIO a move of some applications from a Windows server to a Linux server. The proposed server will use ext4 partitions and serve as a web server, file server, and print server. The CIO is considering the recommendation, but has some questions regarding security.
What is a daemon?

A system administrator has recommended to the CIO a move of some applications from a Windows server to a Linux server. The proposed server will use ext4 partitions and serve as a web server, file server, and print server. The CIO is considering the recommendation, but has some questions regarding security.
Because the company uses discretionary access control (DAC) for user file management, what feature would need to be supported on the server?

How can IMAP be a security threat to a company?

A system administrator runs a file scan utility on a Windows PC and notices a file lsass.exe in the Program Files directory. What should the administrator do?

How does a web proxy device provide data loss prevention (DLP) for an enterprise?

A system analyst is reviewing syslog messages and notices that the PRI value of a message is 26. What is the severity value of the message?

Which statement describes session data in security logs?

In a Cisco AVC system, in which module is NetFlow deployed?

What port number would be used if a threat actor was using NTP to direct DDoS attacks?

Which information can be provided by the Cisco NetFlow utility?

What is Tor?

Which statement describes statistical data in network security monitoring processes?

How might corporate IT professionals deal with DNS-based cyber threats?

Refer to the exhibit. A junior network engineer is handed a print-out of the network information shown. Which protocol or service originated the information shown in the graphic?

Which technology is used in Cisco Next-Generation IPS devices to consolidate multiple security layers into a single platform?

Which Windows log contains information about installations of software, including Windows updates?

Which Windows log records events related to login attempts and operations related to file or object access?

What does it indicate if the timestamp in the HEADER section of a syslog message is preceded by a period or asterisk symbol?

Which protocol is a name resolution protocol often used by malware to communicate with command-and-control (CnC) servers?

How is the hash value of files useful in network security investigations?

Which tool is a Security Onion integrated host-based intrusion detection system?

Which type of evidence supports an assertion based on previously obtained evidence?

Which tool is developed by Cisco and provides an interactive dashboard that allows investigation of the threat landscape?

Which term is used to describe the process of converting log entries into a common format?

According to NIST, which step in the digital forensics process involves extracting relevant information from data?

A law office uses a Linux host as the firewall device for the network. The IT administrator is adding a rule to the firewall iptables to block internal hosts from connecting to a remote device that has the IP address 209.165.202.133. Which command should the administrator use?

What procedure should be avoided in a digital forensics investigation?

Which statement describes a feature of timestamps in Linux?

Which tool is included with Security Onion that is used by Snort to automatically download new rules?

Which tool would an analyst use to start a workflow investigation?

What is indicated by a Snort signature ID that is below 3464?

How does an application program interact with the operating system?

A threat actor has successfully breached the network firewall without being detected by the IDS system. What condition describes the lack of alert?

Use the following scenario to answer the questions. a company has just had a cybersecurity incident. The threat actor or actors appeared to have a goal of network disruption and appeared to use a common security hack tool that overwhelmed a particular server with a large amount of traffic, which rendered the server inoperable.
How would a certified cybersecurity analyst classify this type of threat actor?

Use the following scenario to answer the questions. a company has just had a cybersecurity incident. The threat actor or actors appeared to have a goal of network disruption and appeared to use a common security hack tool that overwhelmed a particular server with a large amount of traffic, which rendered the server inoperable.
The security team at this company has removed the compromised server and preserved it with the security hack still embedded. What type of evidence is this?

Use the following scenario to answer the questions. a company has just had a cybersecurity incident. The threat actor or actors appeared to have a goal of network disruption and appeared to use a common security hack tool that overwhelmed a particular server with a large amount of traffic, which rendered the server inoperable.
Which type of attack was achieved?

Use the following scenario to answer the questions. a company has just had a cybersecurity incident. the threat actor or actors appeared to have a goal of network disruption and appeared to use a common security hack tool that overwhelmed a particular server with a large amount of traffic, which rendered the server inoperable.
What would be the threat attribution in this case?

Which statement describes the status after the Security Onion VM is started?

Refer to the exhibit. A network security analyst is using the Follow TCP Stream feature in Wireshark to rebuild the TCP transaction. However, the transaction data seems indecipherable. What is the explanation for this?

What is the tool that has alert records linked directly to the search functionality of the Enterprise Log Search and Archive (ELSA)?

Which action should be included in a plan element that is part of a computer security incident response capability (CSIRC)?

What is the objective the threat actor in establishing a two-way communication channel between the target system and a CnC infrastructure?

After containment, what is the first step of eradicating an attack?

What is defined in the SOP of a computer security incident response capability (CSIRC)?

A school has a web server mainly used for parents to view school events, access student performance indicators, and communicate with teachers. The network administrator suspects a security-related event has occurred and is reviewing what steps should be taken.

The threat actor has already placed malware on the server causing its performance to slow. The network administrator has found and removed the malware as well as patched the security hole where the threat actor gained access. The network administrator can find no other security issue. What stage of the Cyber Kill Chain did the threat actor achieve?

A school has a web server mainly used for parents to view school events, access student performance indicators, and communicate with teachers. The network administrator suspects a security-related event has occurred and is reviewing what steps should be taken.

If the web server runs Microsoft IIS, which Windows tool would the network administrator use to view the access logs?

A school has a web server mainly used for parents to view school events, access student performance indicators, and communicate with teachers. The network administrator suspects a security-related event has occurred and is reviewing what steps should be taken.

Reports of network slowness lead the network administrator to review server alerts. The administrator confirms that an alert was an actual security incident. Which type of security alert classification would this be?

A school has a web server mainly used for parents to view school events, access student performance indicators, and communicate with teachers. The network administrator suspects a security-related event has occurred and is reviewing what steps should be taken.

The network administrator believes that the threat actor used a commonly available tool to slow the server down. The administrator concludes that based on the source IP address identified in the alert, the threat actor was probably one of the students. What type of hacker would the student be classified as?

What is the goal of an attack in the installation phase of the Cyber Kill Chain?

Which meta-feature element in the Diamond Model describes information gained by the adversary?

What is a benefit of using the VERIS community database?

A threat actor has identified the potential vulnerability of the web server of an organization and is building an attack. What will the threat actor possibly do to build an attack weapon?

Which action is taken in the postincident phase of the NIST incident response life cycle?

Which top-level element of the VERIS schema would allow a company to log who the actors were, what actions affected the asset, which assets were affected, and how the asset was affected?

What is the role of vendor teams as they relate to CSIRT?

Which schema or model was created to anonymously share quality information about security events to the security community?

What is the purpose of the policy element in a computer security incident response capability of an organization, as recommended by NIST?

What information is gathered by the CSIRT when determining the scope of a security incident?

What is the main purpose of exploitations by a threat actor through the weapon delivered to a target during the Cyber Kill Chain exploitation phase?

Which term is used in the Diamond Model of intrusion to describe a tool that a threat actor uses toward a target system?

What is the role of a Computer Emergency Response Team?

A threat actor collects information from web servers of an organization and searches for employee contact information. The information collected is further used to search personal information on the Internet. To which attack phase do these activities belong according to the Cyber Kill Chain model?

In which phase of the NIST incident response life cycle is evidence gathered that can assist subsequent investigations by authorities?

The entrepreneur is concerned about company employees having uninterrupted access to important resources and data. Which of the CIA triad components would address the concern?

What is the Stream Ciphers?

“Vulnerability Broker” Threat Actors ...

Definition of the attack " Sniffer "…

Which type of security threat can be described as software that attaches itself to another program to execute a specific unwanted function?

What is the significant characteristic of worm malware?

Hint:
Virus requires a host program to run, worms can run by themselves. Automatically replicates itself and spreads across the network from system to system

What is the purpose of a reconnaissance attack on a computer network?

Type of access attack that attempts to manipulate individuals into performing actions or divulging confidential information needed to access a network.

What kind of DDOS term are malware designed to infect a host and communicate with a handler system and can also log keystrokes, gather passwords, capture and analyze packets, and more?

What term DDoS attack refers to a group of zombies infected using self-propagating malware (i.e., bots) and are controlled by handlers?

What term DDoS attack refers to a master command-and-control server controlling groups of zombies?

What term DDoS attack refers to a group of compromised hosts (i.e. agents) that run malicious code referred to as robots (i.e. bots) ?

What term DDoS attack refers to the malware designed to infect a host and communicate with a handler system. It can also log keystrokes, gather passwords, capture and analyze packets, and more...

What term DDoS attack refers to a group of zombies infected using self-propogating malware (i.e. bots) and are controlled by handlers.

What DDOS attack term refers to the threat actor in control of the botnet handlers?

Which tool is used to provide a list of open ports on network devices?

The security policy of an organization allows employees to connect to the office intranet from their homes. Which type of security policy is this?

What is IPS?

What is the ACL?

________ is an usually part of a router firewall, which permits or denies traffic based on Layer 3 and Layer 4 information.

This type firewalls filters IP traffic between a pair of bridged interfaces

What systems provide real time reporting and long-term analysis of security events?