
CYSA Practice Exam 2

Business Nov 4, 2025

CYSA+ Practice Exam 2

Ty is reviewing the scan report for a Windows system joined to his organization's domain and finds the vulnerability shown here. What should be Ty's most significant concern related to this vulnerability?

Window shows sections for 3 administrator account's password does not expire and threat, and options for first detected, last detected, vendor reference, user modified, et cetera.

A. The presence of this vulnerability indicates that an attacker may have compromised his network.
B. The presence of this vulnerability indicates a misconfiguration on the target server.
C. The presence of this vulnerability indicates that the domain security policy may be lacking appropriate controls.
D. The presence of this vulnerability indicates a critical flaw on the target server that must be addressed immediately.

Answer: C. The presence of this vulnerability does indicate a misconfiguration on the targeted server, but that is not the most significant concern that Ty should have. Rather, he should be alarmed that the domain security policy does not prevent this configuration and should know that many other systems on the network may be affected. This vulnerability is not an indicator of an active compromise and does not rise to the level of a critical flaw.

During an incident investigation, Chris discovers that attackers were able to query information about his routers and switches using SNMP. Chris finds that his routers used "public" and "private" as their community strings. Which of the following is not an appropriate action to take to help secure SNMP in Chris's organization?

A. Add complexity requirements to the SNMP community string.
B. Enable and configure SNMP v2c.
C. Enable and require TLS setting for SNMP.
D. Apply different SNMP community strings to devices with different security levels.

Answer: B. SNMP v1 through v2c all transmit data in the clear. Instead, Chris should move his SNMP monitoring infrastructure to use SNMP v3. Adding complexity requirements helps to prevent brute-force attacks against community strings, while TLS protects against data capture. Using different community strings based on security levels helps to ensure that a single compromised string can't impact all of the devices on a network.

Heidi runs a vulnerability scan of the management interface of her organization's virtualization platform and finds the severity 1 vulnerability shown here. What circumstance, if present, should increase the severity level of this vulnerability to Heidi?

Window shows section for 1 remote management service accepting unencrypted credentials detected and options for first detected, last detected, vendor reference, user modified, et cetera.

A. Lack of encryption
B. Missing security patch
C. Exposure to external networks
D. Out-of-date antivirus signatures

Answer: C. This vulnerability has a low severity, but that could be dramatically increased if the management interface is exposed to external networks. If that were the case, it is possible that an attacker on a remote network would be able to eavesdrop on administrative connections and steal user credentials.

Out-of-date antivirus definitions and missing security patches may also be severe vulnerabilities, but they do not increase the severity of this specific vulnerability.

The lack of encryption is already known because of the nature of this vulnerability, so confirming that fact would not change the severity assessment.

Nancy ran a port scan against a network switch located on her organization's internal network and discovered the results shown here. She ran the scan from her workstation on the employee VLAN. Which one of the following results should be of greatest concern to her?

Image shows programming codes which read Nmap scan report for 10.1.0.121), host is up (0.049 latency), et cetera, and table shows columns for PORT and STATE.

A. Port 22
B. Port 23
C. Port 80
D. Ports 8192 to 8194

Answer: B. Both ports 22 and 23 should be of concern to Nancy because they indicate that the network switch is accepting administrative connections from a general-use network. Instead, the switch should only accept administrative connections from a network management VLAN.

Of these two results, port 23 should be of the greatest concern because it indicates that the switch is allowing unencrypted telnet connections that may be subject to eavesdropping.

The results from ports 80 and 8192 to 8194 are of lesser concern because they are being filtered by a firewall.

Evan is troubleshooting a vulnerability scan issue on his network. He is conducting an external scan of a website located on the web server shown in the diagram. After checking the Apache httpd logs on the web server, he saw no sign of the scan requests. Which one of the following causes is the least likely issue for him to troubleshoot?

Diagram shows Internet connected to firewall (via IDS), which is connected to internal network and DMZ (via IPS), where internal network is connected to workstation and file server and DMZ is connected to email server and web server.

A. The scans are being blocked by an intrusion prevention system.
B. The scans are being blocked by an Apache .htaccess file.
C. The scans are being blocked by a network firewall.
D. The scans are being blocked by a host firewall.

Answer: B. All of the scenarios described here could result in failed vulnerability scans and are plausible on this network. However, the fact that the Apache logs do not show any denied requests indicates that the issue is not with an .htaccess file on the server. If this were the case, Evan would see evidence of it in the Apache logs.

Sam is looking for evidence of software that was installed on a Windows 10 system. He believes that the programs were deleted and that the suspect used both registry and log cleaners to hide evidence. What Windows feature can't he use to find evidence of the use of these programs?

A. The MFT
B. Volume shadow copies
C. The shim (application compatibility) cache
D. Prefetch files

Answer: C. The shim cache is used by Windows to track scripts and programs that need specialized compatibility settings. It is stored in the registry at shutdown, which means that a thorough registry cleanup will remove program references from it. The master file table (MFT), volume shadow copies, and prefetch files can all contain evidence of deleted applications.

Patricia is evaluating the security of an application developed within her organization. She would like to assess the application's security by supplying it with invalid inputs. What technique is Patricia planning to use?

A. Fault injection
B. Stress testing
C. Mutation testing
D. Fuzz testing

Answer: D. Fuzz testing involves sending invalid or random data to an application to test its ability to handle unexpected data. Fault injection directly inserts faults into error-handling paths, particularly error-handling mechanisms that are rarely used or might otherwise be missed during normal testing. Mutation testing is related to fuzzing and fault injection, but rather than changing the inputs to the program or introducing faults to it, mutation testing makes small modifications to the program itself. Stress testing is a performance test that ensures applications and the systems that support them can stand up to the full production load.

A port scan conducted during a security assessment shows the following results. What type of device has most likely been scanned?

Nmap scan report for EXAMPLE (192.168.1.79)
Host is up (1.00s latency).
Not shown: 992 closed ports
PORT     STATE
21/tcp   open
23/tcp   open
80/tcp   open
280/tcp  open
443/tcp  open
515/tcp  open
631/tcp  open
9100/tcp open
Nmap done: 1 IP address (1 host up) scanned in 124.20 seconds

A. A wireless access point
B. A server
C. A printer
D. A switch

Answer: C. While TCP ports 21, 23, 80, and 443 are all common ports, 515 and 9100 are commonly associated with printers.

Kim is reviewing the data gathered by the first responder to a security incident and comes across a text file containing the output shown here. What command generated this output?

Image shows table with columns for proto, recv-Q, send-Q, local address, foreign address, and state.

A. traceroute
B. netstat
C. ifconfig
D. sockets

Answer: B. The netstat command is used to generate a list of open network connections on a system, such as the one shown here. traceroute is used to trace the network path between two hosts. ifconfig is used to display network configuration information on Linux and Mac systems. The sockets command does not exist.

Which of the following is not one of the major categories of security event indicators described by NIST 800-61?

A. Alerts from IDS, IPS, SIEM, AV, and other security systems
B. Logs generated by systems, services, and applications
C. Exploit developers
D. Internal and external sources

Answer: C. NIST identifies four major categories of security event indicators: alerts, logs, publicly available information, and people both inside and outside the organization. Exploit developers may provide some information but are not a primary source of security event information.

During an nmap scan of a network, Charles receives the following response from nmap:
