When an IDS system looks for a pattern indicating a known worm, what type of detection method is it using?
- A . Signature-based
- B . Anomaly-based
- C . Statistical
- D . Monitored
Why would an incident handler acquire memory on a system being investigated?
- A . To determine whether a malicious DLL has been injected into an application
- B . To identify whether a program is set to auto-run through a registry hook
- C . To list which services are installed on they system
- D . To verify which user accounts have root or admin privileges on the system
Which could be described as a Threat Vector?
- A . A web server left6 unpatched and vulnerable to XSS
- B . A coding error allowing remote code execution
- C . A botnet that has infiltrated perimeter defenses
- D . A wireless network left open for anonymous use
A
Explanation:
A threat vector is the method (crafted packet) that would be used to exercise a vulnerability (fragmentation to bypass IDS signature). An unpatched web server that is susceptible to XSS simply describes a vulnerability (unpatched) paired with a specific threat (XSS) and does not touch on the method to activate the threat. Similarly, the coding error that allows remote code execution is simply describing the pairing of a vulnerability with a threat, respectively. The botnet is an unspecified threat; there is no indication of how the threat was activated (or it’s intention/capabilities; the threat).
A security device processes the first packet from 10.62.34.12 destined to 10.23.10.7 and recognizes a malicious anomaly. The first packet makes it to 10.23.10.7 before the security devices sends a TCP RST to 10.62.34.12.
What type of security device is this?
- A . Host IDS
- B . Active response
- C . Intrusion prevention
- D . Network access control
B
Explanation:
An active response device dynamically reconfigures or alters network or system access controls, session streams, or individual packets based on triggers from packet inspection and other detection devices. Active response happens after the event has occurred, thus a single packet attack will be successful on the first attempt and blocked in future attempts. Network intrusion prevention devices are typically inline devices on the network that inspect packets and make decisions before forwarding them on to the destination. This type of device has the capability to defend against single packet attacks on the first attempt by blocking or modifying the attack inline.
Which tool uses a Snort rules file for input and by design triggers Snort alerts?
- A . snot
- B . stick
- C . Nidsbench
- D . ftester
Network administrators are often hesitant to patch the operating systems on CISCO router and switch operating systems, due to the possibility of causing network instability, mainly because of which of the following?
- A . Having to rebuild all ACLs
- B . Having to replace the kernel
- C . Having to re-IP the device
- D . Having to rebuild ARP tables
- E . Having to rebuild the routing tables
B
Explanation:
Many administrators are hesitant to upgrade the IOS on routers based on past experience with the code introducing instability into the network. It is often difficult to completely test an IOS software upgrade in a production environment because the monolithic kernel requires that the IOS be replaced before the device can be tested. Because of these reasons, IOS upgrades to resolve security flaws are often left undone in many organizations.
A company estimates a loss of $2,374 per hour in sales if their website goes down. Their webserver hosting site’s documented downtime was 7 hours each quarter over the last two years. Using the information, what can the analyst determine?
- A . Annualized loss expectancy
- B . CVSS risk score
- C . Total cost of ownership
- D . Qualitative risk posture
A
Explanation:
The annualized loss expectancy (ALE) is deduced by multiplying the single loss expectancy (SLE) by the annual rate of occurrence (ARO); in this example $2, 374 × (7 × 4), respectively. This is a form of Quantitative risk analysis. Qualitative risk posture is deduced by measuring and contrasting the likelihood (probability of occurrence) with the level of impact and by definition does not address risk using monetary figures. Total cost of ownership (TCO) is the sum of all costs (technical, administrative, environmental, et al) that are involved for a specific system, service, etc. CVSS risk scoring is not based off of this type of loss data.
To detect worms and viruses buried deep within a network packet payload, Gigabytes worth of traffic content entering and exiting a network must be checked with which of the following technologies?
- A . Proxy matching
- B . Signature matching
- C . Packet matching
- D . Irregular expression matching
- E . Object matching
When identifying malware, what is a key difference between a Worm and a Bot?
- A . A Worm gets instructions from an external control channel like an IRC server.
- B . A Worm, unlike a Bot, is installed silently as an add-on to a legitimate program.
- C . A Bot, unlike a Worm, is frequently spread through email attachments.
- D . A Bot gets instructions from an external control channel like an IRC server.
Monitoring the transmission of data across the network using a man-in-the-middle attack presents a threat against which type of data?
- A . At-rest
- B . In-transit
- C . Public
- D . Encrypted
Which type of media should the IR team be handling as they seek to understand the root cause of an incident?
- A . Restored media from full backup of the infected host
- B . Media from the infected host, copied to the dedicated IR host
- C . Original media from the infected host
- D . Bit-for-bit image from the infected host
A
Explanation:
By imaging the media with tools such as dd or Ghost and analyzing the copy, you preserve the original media for later analysis so that the results can be recreated by another competent examiner if necessary.
An incident response team is handling a worm infection among their user workstations. They created an IPS signature to detect and block worm activity on the border IPS, then removed the worm’s artifacts or workstations triggering the rule. Despite this action, worm activity continued for days after. Where did the incident response team fail?
- A . The team did not adequately apply lessons learned from the incident
- B . The custom rule did not detect all infected workstations
- C . They did not receive timely notification of the security event
- D . The team did not understand the worm’s propagation method
B
Explanation:
Identifying and scoping an incident during triage is important to successfully handling a security incident. The detection methods used by the team didn’t detect all the infected workstations.
A legacy server on the network was breached through an OS vulnerability with no patch available. The server is used only rarely by employees across several business units. The theft of information from the server goes unnoticed until the company is notified by a third party that sensitive information has been posted on the Internet.
Which control was the first to fail?
- A . Security awareness
- B . Access control
- C . Data classification
- D . Incident response
C
Explanation:
The legacy system was not properly classified or assigned an owner. It is critical that an organization identifies and classifies information so proper controls and measures should be put in place. The ultimate goal of data classification is to make sure that all information is properly protected at the correct level.
This was not a failure of incident response, access control or security awareness training.
Analyze the screenshot below.
Which of the following attacks can be mitigated by these configuration settings?
- A . A Denial-of-Service attack using network broadcasts
- B . A Replay attack
- C . An IP masquerading attack
- D . A MAC Flood attack
D
Explanation:
Both BPDU Guard and Root Guard are used to prevent a new switch from becoming the Root Bridge. They are very similar but use different mechanisms.
Rootguard allows devices to use STP, but if they send superior BDPUs (i.e. they attempt to become the Root Bridge), Root Guard disables the port until the offending BPDUs cease. Recovery is automatic. If Portfast is enabled on a port, BPDU Guard will disable the port if a BPDU is received. The port stays disabled until it is manually re-enabled. Devices behind such ports cannot use STP, as the port would be disabled as soon as they send BPDUs (which is the default behavior of switches).
Of the following pieces of digital evidence, which would be collected FIRST from a live system involved in an incident?
- A . Event logs from a central repository
- B . Directory listing of system files
- C . Media in the CDrom drive
- D . Swap space and page files
D
Explanation:
Best practices suggest that live response should follow the order of volatility, which means that you want to collect data which is changing the most rapidly.
The order of volatility is:
Memory
Swap or page file
Network status and current / recent network connections
Running processes
Open files
Which of the following attacks would use “..” notation as part of a web request to access restricted files and directories, and possibly execute code on the web server?
- A . URL directory
- B . HTTP header attack
- C . SQL injection
- D . IDS evasion
- E . Cross site scripting
At the start of an investigation on a Windows system, the lead handler executes the following commands after inserting a USB drive.
What is the purpose of this command?
C: >dir / s / a dhsra d: > a: IRCD.txt
- A . To create a file on the USB drive that contains a listing of the C: drive
- B . To show hidden and archived files on the C: drive and copy them to the USB drive
- C . To copy a forensic image of the local C: drive onto the USB drive
- D . To compare a list of known good hashes on the USB drive to files on the local C: drive
C
Explanation:
This command will create a text file on the collection media (in this case you would probably be using a USB flash drive) named IRCD.txt that should contain a recursive directory listing of all files on the desk.
Why might an administrator not be able to delete a file using the Windows del command without specifying additional command line switches?
- A . Because it has the read-only attribute set
- B . Because it is encrypted
- C . Because it has the nodel attribute set
- D . Because it is an executable file
Why would the pass action be used in a Snort configuration file?
- A . The pass action simplifies some filtering by specifying what to ignore.
- B . The pass action passes the packet onto further rules for immediate analysis.
- C . The pass action serves as a placeholder in the snort configuration file for future rule updates.
- D . Using the pass action allows a packet to be passed to an external process.
- E . The pass action increases the number of false positives, better testing the rules.
A
Explanation:
The pass action is defined because it is sometimes easier to specify the class of data to ignore rather than the data you want to see. This can cut down the number of false positives and help keep down the size of log data. False positives occur because rules failed and indicated a threat that is really not one. They should be minimized whenever possible. The pass action causes the packet to be ignored, not passed on further. It is an active command, not a placeholder.
On which layer of the OSI Reference Model does the FWSnort utility function?
- A . Physical Layer
- B . Data Link Layer
- C . Transport Layer
- D . Session Layer
- E . Application Layer
C
Explanation:
The FWSnort utility functions as a transport layer inline IPS.
Which command tool can be used to change the read-only or hidden setting of the file in the screenshot?
- A . attrib
- B . type
- C . tasklist
- D . dir
A
Explanation:
attrib Cr or +r will remove or add the read only attribute from a file.
Which Unix administration tool is designed to monitor configuration changes to Cisco, Extreme and Foundry infrastructure devices?
- A . SNMP
- B . Netflow
- C . RANCID
- D . RMON
C
Explanation:
RANCID is a Unix tool which can be used to monitor changes to the following networked devices and more: IOS, CatOS, PIX, Juniper, Foundry, HP ProCurve, Extreme.
If a Cisco router is configured with the “service config” configuration statement, which of the following tools could be used by an attacker to apply a new router configuration?
- A . TFTPD
- B . Hydra
- C . Ettercap
- D . Yersinia
Who is ultimately responsible for approving methods and controls that will reduce any potential risk to an organization?
- A . Senior Management
- B . Data Owner
- C . Data Custodian
- D . Security Auditor
An internal host at IP address 10.10.50.100 is suspected to be communicating with a command and control whenever a user launches browser window.
What features and settings of Wireshark should be used to isolate and analyze this network traffic?
- A . Filter traffic using ip.src = = 10.10.50.100 and tcp.srcport = = 80, and use Expert Info
- B . Filter traffic using ip.src = = 10.10.50.100 and tcp.dstport = = 53, and use Expert Info
- C . Filter traffic using ip.src = = 10.10.50.100 and tcp.dstport = = 80, and use Follow TCP stream
- D . Filter traffic using ip.src = = 10.10.50.100, and use Follow TCP stream
Michael, a software engineer, added a module to a banking customer’s code. The new module deposits small amounts of money into his personal bank account. Michael has access to edit the code, but only code reviewers have the ability to commit modules to production. The code reviewers have a backlog of work, and are often willing to trust the software developers’ testing and confidence in the code.
Which technique is Michael most likely to engage to implement the malicious code?
- A . Denial of Service
- B . Race Condition
- C . Phishing
- D . Social Engineering
A company wants to allow only company-issued devices to attach to the wired and wireless networks. Additionally, devices that are not up-to-date with OS patches need to be isolated from the rest of the network until they are updated.
Which technology standards or protocols would meet these requirements?
- A . 802.1x and Network Access Control
- B . Kerberos and Network Access Control
- C . LDAP and Authentication, Authorization and Accounting (AAA)
- D . 802.11i and Authentication, Authorization and Accounting (AAA)
When attempting to collect data from a suspected system compromise, which of the following should generally be collected first?
- A . The network connections and open ports
- B . The contents of physical memory
- C . The current routing table
- D . A list of the running services
Before re-assigning a computer to a new employee, what data security technique does the IT department use to make sure no data is left behind by the previous user?
- A . Fingerprinting
- B . Digital watermarking
- C . Baselining
- D . Wiping
What feature of Wireshark allows the analysis of one HTTP conversation?
- A . Follow UDP Stream
- B . Follow TCP Stream
- C . Conversation list > IPV4
- D . Setting a display filter to ‘tcp’
B
Explanation:
Follow TCP Stream is a feature of Wireshark that allows the analysis of a single TCP conversation between two hosts over multiple packets. Filtering packets using tcp in the filter box will return all TCP packets, not grouping by a single TCP conversation. HTTP is TCP not UDP, so you cannot follow a HTTP stream over UDP.