Dragonfly Industries requires firewall rules to go through a change management system before they are configured. Review the change management log.
Which of the following lines in your firewall ruleset has expired and should be removed from the configuration?
- A . access-list outbound permit tcp host 10.1.1.7 any eq smtp
- B . access-list outbound deny tcp any host 74.125.228.2 eq www
- C . access-list inbound permit tcp 8.8.0.0 0.0.0.255 10.10.12.252 eq 8080
- D . access-list inbound permit tcp host 8.8.207.97 host 10.10.12.100 eq ssh
Which of the following actions produced the output seen below?
- A . An access rule was removed from firewallrules.txt
- B . An access rule was added to firewallrules2.txt
- C . An access rule was added to firewallrules.txt
- D . An access rule was removed from firewallrules2.txt
An organization has implemented a policy to detect and remove malicious software from its network.
Which of the following actions is focused on correcting rather than preventing attack?
- A . Configuring a firewall to only allow communication to whitelisted hosts and ports
- B . Using Network access control to disable communication by hosts with viruses
- C . Disabling autorun features on all workstations on the network
- D . Training users to recognize potential phishing attempts
An Internet retailer’s database was recently exploited by a foreign criminal organization via a remote attack. The initial exploit resulted in immediate root-level access.
What could have been done to prevent this level of access being given to the intruder upon successful exploitation?
- A . Configure the DMZ firewall to block unnecessary service
- B . Install host integrity monitoring software
- C . Install updated anti-virus software
- D . Configure the database to run with lower privileges
As part of an effort to implement a control on E-mail and Web Protections, an organization is monitoring their webserver traffic.
Which event should they receive an alert on?
- A . The number of website hits is higher that the daily average
- B . The logfiles of the webserver are rotated and archived
- C . The website does not respond to a SYN packet for 30 minutes
- D . The website issues a RST to a client after the connection is idle
Implementing which of the following will decrease spoofed e-mail messages?
- A . Finger Protocol
- B . Sender Policy Framework
- C . Network Address Translation
- D . Internet Message Access Protocol
After installing a software package on several workstations, an administrator discovered the software opened network port TCP 23456 on each workstation. The port is part of a software management function that is not needed on corporate workstations.
Which actions would best protect the computers with the software package installed?
- A . Document the port number and request approval from a change control group
- B . Redirect traffic to and from the software management port to a non-default port
- C . Block TCP 23456 at the network perimeter firewall
- D . Determine which service controls the software management function and opens the port, and disable it
Given the audit finding below, which CIS Control was being measured?
- A . Controlled Access Based on the Need to Know
- B . Controlled Use of Administrative Privilege
- C . Limitation and Control of Network Ports, Protocols and Services
- D . Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
- E . Inventory and Control of Hardware Assets
According to attack lifecycle models, what is the attacker’s first step in compromising an organization?
- A . Privilege Escalation
- B . Exploitation
- C . Initial Compromise
- D . Reconnaissance
Which of the following items would be used reactively for incident response?
- A . A schedule for creating and storing backup
- B . A phone tree used to contact necessary personnel
- C . A script used to verify patches are installed on systems
- D . An IPS rule that prevents web access from international locations
A security incident investigation identified the following modified version of a legitimate system file on a compromised client:
C:WindowsSystem32winxml.dll Addition Jan. 16, 2014 4:53:11 PM
The infection vector was determined to be a vulnerable browser plug-in installed by the user.
Which of the organization’s CIS Controls failed?
- A . Application Software Security
- B . Inventory and Control of Software Assets
- C . Maintenance, Monitoring, and Analysis of Audit Logs
- D . Inventory and Control of Hardware Assets
What type of Unified Modelling Language (UML) diagram is used to show dependencies between logical groupings in a system?
- A . Package diagram
- B . Deployment diagram
- C . Class diagram
- D . Use case diagram
An organization is implementing a control within the Application Software Security CIS Control.
How can they best protect against injection attacks against their custom web application and database applications?
- A . Ensure the web application server logs are going to a central log host
- B . Filter input to only allow safe characters and strings
- C . Configure the web server to use Unicode characters only
- D . Check user input against a list of reserved database terms
What is a recommended defense for the CIS Control for Application Software Security?
- A . Keep debugging code in production web applications for quick troubleshooting
- B . Limit access to the web application production environment to just the developers
- C . Run a dedicated vulnerability scanner against backend databases
- D . Display system error messages for only non-kernel related events
A need has been identified to organize and control access to different classifications of
information stored on a fileserver.
Which of the following approaches will meet this need?
- A . Organize files according to the user that created them and allow the user to determine permissions
- B . Divide the documents into confidential, internal, and public folders, and ser permissions on each folder
- C . Set user roles by job or position, and create permission by role for each file
- D . Divide the documents by department and set permissions on each departmental folder
Below is a screenshot from a deployed next-generation firewall.
These configuration settings would be a defensive measure for which CIS Control?
- A . Controlled Access Based on the Need to Know
- B . Limitation and Control of Network Ports, Protocols and Services
- C . Email and Web Browser Protections
- D . Secure Configuration for Network Devices, such as Firewalls, Routers and Switches.
Based on the data shown below.
Which wireless access point has the manufacturer default settings still in place?
- A . Starbucks
- B . Linksys
- C . Hhonors
- D . Interwebz
Which of the following should be used to test antivirus software?
- A . FIPS 140-2
- B . Code Red
- C . Heartbleed
- D . EICAR
Which of the following best describes the CIS Controls?
- A . Technical, administrative, and policy controls based on research provided by the SANS Institute
- B . Technical controls designed to provide protection from the most damaging attacks based on current threat data
- C . Technical controls designed to augment the NIST 800 series
- D . Technical, administrative, and policy controls based on current regulations and security best practices
An attacker is able to successfully access a web application as root using ‘ or 1 = 1 . as the password. The successful access indicates a failure of what process?
- A . Input Validation
- B . Output Sanitization
- C . URL Encoding
- D . Account Management
An organization has implemented a control for Controlled Use of Administrative Privileges. They are collecting audit data for each login, logout, and location for the root account of their MySQL server, but they are unable to attribute each of these logins to a specific user.
What action can they take to rectify this?
- A . Force the root account to only be accessible from the system console.
- B . Turn on SELinux and user process accounting for the MySQL server.
- C . Force user accounts to use ‘sudo’ f or privileged use.
- D . Blacklist client applications from being run in privileged mode.
Beta corporation is doing a core evaluation of its centralized logging capabilities. The security staff suspects that the central server has several log files over the past few weeks that have had their contents changed.
Given this concern, and the need to keep archived logs for log correction applications, what is the most appropriate next steps?
- A . Keep the files in the log archives synchronized with another location.
- B . Store the files read-only and keep hashes of the logs separately.
- C . Install a tier one timeserver on the network to keep log devices synchronized.
- D . Encrypt the log files with an asymmetric key and remove the cleartext version.
Which of the following is a benefit of stress-testing a network?
- A . To determine device behavior in a DoS condition.
- B . To determine bandwidth needs for the network.
- C . To determine the connectivity of the network
- D . To determine the security configurations of the network
Which of the following is a reliable way to test backed up data?
- A . Verify the file size of the backup
- B . Confirm the backup service is running at the proper time
- C . Compare data hashes of backed up data to original systems
- D . Restore the data to a system
John a network administrator at Northeast High School. Faculty have been complaining that although they can detect and authenticate to the faculty wireless network, they are unable to connect. While troubleshooting, John discovers that the wireless network server is out of DHCP addresses due to a large number of unauthorized student devices connecting to the network.
Which course of action would be an effective temporary stopgap to secure the network until a permanent solution can be found?
- A . Limit access to allowed MAC addresses
- B . Increase the size of the DHCP pool
- C . Change the password immediately
- D . Shorten the DHCP lease time
An organization is implementing a control for the Limitation and Control of Network Ports, Protocols, and Services CIS Control.
Which action should they take when they discover that an application running on a web server is no longer needed?
- A . Uninstall the application providing the service
- B . Turn the service off in the host configuration files
- C . Block the protocol for the unneeded service at the firewall
- D . Create an access list on the router to filter traffic to the host
What is the first step suggested before implementing any single CIS Control?
- A . Develop an effectiveness test
- B . Perform a gap analysis
- C . Perform a vulnerability scan
- D . Develop a roll-out schedule
Which of the following assigns a number indicating the severity of a discovered software vulnerability?
- A . CPE
- B . CVE
- C . CCE
- D . CVSS
What could a security team use the command line tool Nmap for when implementing the Inventory and Control of Hardware Assets Control?
- A . Control which devices can connect to the network
- B . Passively identify new devices
- C . Inventory offline databases
- D . Actively identify new servers
An organization wants to test its procedure for data recovery.
Which of the following will be most effective?
- A . Verifying a file can be recovered from backup media
- B . Verifying that backup process is running when it should
- C . Verifying that network backups can’t be read in transit
- D . Verifying there are no errors in the backup server logs