Certification : CCNA Cyber Ops - SECOPS # 210-255

During which phase of the forensic process is data that is related to a specific event labeled and recorded to preserve its integrity?

Options are :

  • collection (Correct)
  • examination
  • reporting
  • investigation

Answer : collection

You see 100 HTTP GET and POST requests for various pages on one of your webservers. The user agent in the requests contains PHP code that, if executed, creates and writes to a new PHP file on the webserver. Which category does this event fall under as defined in the Cyber Kill Chain Model of Intrusion?

Options are :

  • delivery
  • reconnaissance
  • action on objectives
  • installation (Correct)
  • exploitation

Answer : installation

Which two options can be used by a threat actor to determine the role of a server? (Choose two.)

Options are :

  • PCAP
  • tracert
  • running processes (Correct)
  • hard drive configuration
  • applications (Correct)

Answer : running processes; applications

Which process is being utilized when IPS events are removed to improve data integrity?

Options are :

  • data normalization (Correct)
  • data availability
  • data protection
  • data signature

Answer : data normalization

In Microsoft Windows, as files are deleted the space they were allocated eventually is considered available for use by other files. This creates alternating used and unused areas of various sizes. What is this called?

Options are :

  • network file storing
  • free space fragmentation (Correct)
  • alternate data streaming
  • defragmentation

Answer : free space fragmentation

Which two components are included in a 5-tuple? (Choose two.)

Options are :

  • port number (Correct)
  • destination IP address (Correct)
  • data packet
  • user name
  • host logs

Answer : port number; destination IP address

Which CVSSv3 metric value increases when the attacker is able to modify all files protected by the vulnerable component?

Options are :

  • confidentiality
  • integrity (Correct)
  • availability
  • complexity

Answer : integrity

Which option is generated when a file is run through an algorithm and generates a string specific to the contents of that file?

Options are :

  • URL
  • hash (Correct)
  • IP address
  • destination port

Answer : hash

Which regular expression matches "color" and "colour"?

Options are :

  • col[0-9]+our
  • colo?ur
  • colou?r (Correct)
  • [a-z]{7}

Answer : colou?r

In VERIS, an incident is viewed as a series of events that adversely affects the information assets of an organization. Which option contains the elements that every event is comprised of according to VERIS incident model?

Options are :

  • victim demographics, incident description, incident details, discovery & response
  • victim demographics, incident details, indicators of compromise, impact assessment
  • actors, attributes, impact, remediation
  • actors, actions, assets, attributes (Correct)

Answer : actors, actions, assets, attributes

Which statement about threat actors is true?

Options are :

  • They are any company assets that are threatened.
  • They are any assets that are threatened.
  • They are perpetrators of attacks. (Correct)
  • They are victims of attacks.

Answer : They are perpetrators of attacks.

What is the opposite of the Confidentiality, Integrity, and Availability (CIA) triad pertinent to risk management?

Options are :

  • Misuse, Exposure, Unavailability
  • Authorization, Nonrepudiation, Integrity
  • Disclosure, Alteration, Destruction (Correct)
  • Nonconfidentiality, Disintegrity, Unavailability

Answer : Disclosure, Alteration, Destruction

Which of the following data might be most interesting for threat actors from a profitability point of view?

Options are :

  • Personally identifiable information (PII) such as HIPAA
  • An organization’s intellectual property (IP)
  • Personal credit card data
  • All of these answers are correct. (Correct)

Answer : All of these answers are correct.

Which of the following are valid examples of attack vectors? (Choose three)

Options are :

  • A malicious email attachment or a malicious link on an email (Correct)
  • Click bait leading to malicious web page content (Correct)
  • An exploited network service used maliciously (Correct)
  • A request to return stolen equipment

Answer : A malicious email attachment or a malicious link on an email; Click bait leading to malicious web page content; An exploited network service used maliciously

What are the basic tenets of information security pertinent to forensics and information management?

Options are :

  • Security, Integrity, and Availability
  • Confidentiality, Intimacy, and Availability
  • Confidentiality, Integrity, and Availability (Correct)
  • Secured Access, Network Connectivity, and Insights

Answer : Confidentiality, Integrity, and Availability

The concept that objects and subjects should have only the access needed is known as which of the following?

Options are :

  • Least access
  • Least privilege (Correct)
  • Least insights
  • Least needs

Answer : Least privilege

Which attack involves an attacker falsifying the source address, that is, the IP address or MAC address?

Options are :

  • A spoofing attack (Correct)
  • An investigation attack
  • A social engineering attack
  • A Distributed Denial-of-Service (DDoS) attack

Answer : A spoofing attack

Many organizations, for example, Microsoft, use the DREAD model for threat modeling. What does DREAD stand for?

Options are :

  • Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability (Correct)
  • Damage potential, Republic Voting, Exploitability, Affected users, and Discoverability
  • Damage potential, Reproducibility, Exportability, Affected sentiments, and Discoverability
  • Dangerous option, Reproducibility, Exploitability, Amenability, and Discoverability

Answer : Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability

Which of the following is an acceptable way to dispose of evidence?

Options are :

  • Throw the evidence into recycling or garbage bin.
  • Securely store the evidence inside a vault.
  • Store it and use it as and when necessary.
  • Destroy it or return to chain of custody. (Correct)

Answer : Destroy it or return to chain of custody.

What is an attack vector as defined by NIST?

Options are :

  • An attack vector is a tool that can be leveraged by the attacker to infiltrate a network.
  • An attack vector is a segment of the entire pathway that an attack uses to access a vulnerability. (Correct)
  • An attack vector is the path from attack initiation to attack conclusion and may leverage existing vulnerabilities.
  • An attack vector involves exploiting known risks and escalating the privileges of the target network device or computer.

Answer : An attack vector is a segment of the entire pathway that an attack uses to access a vulnerability.

What are the three foundation principles of Information Security?

Options are :

  • Confidentiality, Integrity, and Availability (Correct)
  • Confidentiality, Backup, and Availability
  • Secure Access, Integrity, and Availability
  • Covert Operations, Intimacy, and Attack

Answer : Confidentiality, Integrity, and Availability

Arachni, Skipfish, and w3af are examples of what?

Options are :

  • Web proxies
  • Web application scanners (Correct)
  • Password crackers
  • Security assessment tools

Answer : Web application scanners

Which of the following terms refers to a construct that restricts an application’s or a program’s access privileges to a part of the system?

Options are :

  • Static analysis
  • Dynamic analysis
  • Sandboxing (Correct)
  • Virtualization

Answer : Sandboxing

Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a query. Which of the following injection flaws involves the injection of malicious code through a web application?

Options are :

  • SQL injection (Correct)
  • Web form manipulation
  • Malforming the GET and POST requests
  • Footprinting

Answer : SQL injection

The threat modeling technique STRIDE was created by Loren Kohnfelder and Praerit Garg. What does STRIDE stand for?

Options are :

  • Sparring, Tampering, Replay, Information disclosure, Denial of service, and Elevation of privilege
  • Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege (Correct)
  • Spoofing, Tampering, Replay, Incidence management, Denial of service, and Elevation of privilege
  • Spoofing, Tampering, Repudiation, Information disclosure, Distributed Denial of service, and Privilege Escalation

Answer : Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege

Many security and vulnerability assessment tools are available. These can be used by security researchers for finding evidence and recovering data. John the Ripper is an example of one such tool used for what?

Options are :

  • Password cracking (Correct)
  • Security scanning
  • Eavesdropping
  • Packet analysis

Answer : Password cracking

What is the first sector (or sector zero) of a hard disk known as?

Options are :

  • Master boot record (Correct)
  • System boot record
  • Primary boot record
  • Boot record

Answer : Master boot record

Which of the following is an intrusion detection system?

Options are :

  • Wireshark
  • Metasploit
  • Nessus
  • NetFlow
  • Snort (Correct)

Answer : Snort

Which two of the following options are penetration-testing tools? (Choose two.)

Options are :

  • Wireshark
  • Metasploit (Correct)
  • Nessus (Correct)
  • Snort
  • Netwitness
  • NetFlow

Answer : Metasploit; Nessus

In NSM data types, which three statements are true about session data and transaction data? (Choose three.)

Options are :

  • Session data is summary data that is associated with network conversations. (Correct)
  • Transaction data is summary data that is associated with network conversations.
  • A SOC analyst examining transaction data is analogous to a detective examining a phone bill.
  • A SOC analyst examining session data is analogous to a detective examining a phone bill. (Correct)
  • Session data captures the details that are associated with requests and responses.
  • Transaction data generally lies between session data and full packet capture. (Correct)
  • Transaction data is based on the IP 5-tuple: source IP address, source port, destination IP address, destination port, and transport layer protocol.

Answer : Session data is summary data that is associated with network conversations; A SOC analyst examining session data is analogous to a detective examining a phone bill; Transaction data generally lies between session data and full packet capture.

What is the last action of the attacker when following the classic kill chain model?

Options are :

  • exploitation
  • reconnaissance
  • installation
  • delivery
  • actions on objectives (Correct)

Answer : actions on objectives

Which two statements are true regarding the reconnaissance phase in the cyber kill chain model? (Choose two.)

Options are :

  • External to the network, threat actors review available information and resources about your organization and public-facing network assets. (Correct)
  • Potential targets are selected when they are considered to be relatively protected and guarded.
  • Company websites, news articles, and social media can be used to develop a list of potential targets of network infiltration vectors. (Correct)
  • During the reconnaissance phase, threat actors will randomly select the target network.

Answer : External to the network, threat actors review available information and resources about your organization and public-facing network assets; Company websites, news articles, and social media can be used to develop a list of potential targets of network infiltration vectors.

Which two statements are true regarding the weaponization phase in the cyber kill chain model? (Choose two.)

Options are :

  • The designers of the weapon would not need to worry about the vulnerabilities of the targets that are discovered during reconnaissance.
  • The weaponization phase’s goal is that of the development of cyber weapons that could be used to degrade some aspect of the operation of the targeted system or the network as a whole, or to gain initial access into the target system or network for follow-on actions. (Correct)
  • Choosing the appropriate weapon is not very easy because there are no existing pre-developed or tested attacks.
  • Examples of cyber weapons include viruses, code injection, exploits for system vulnerabilities, etc. (Correct)
  • The attacker cannot develop their own weapon to breach the target network.

Answer : The weaponization phase’s goal is that of the development of cyber weapons that could be used to degrade some aspect of the operation of the targeted system or the network as a whole, or to gain initial access into the target system or network for follow-on actions; Examples of cyber weapons include viruses, code injection, exploits for system vulnerabilities, etc.

Which capability is available only when the SOC operates at the highest level of the hunting maturity model (HM4)?

Options are :

  • detecting IDS or IPS malicious behaviors
  • automating of the analysis procedures (Correct)
  • incorporating hunt techniques from external sources
  • using machine learning to assist with the analysis

Answer : automating of the analysis procedures

Logs from a DHCP server can be leveraged to accomplish which of the following?

Options are :

  • attributing a unique username to an IP address
  • mapping an IP address to a hostname
  • identifying the web browser version that is used by a client
  • attributing a unique device to an IP address (Correct)

Answer : attributing a unique device to an IP address

Which vulnerability is required to make SQL injection attacks possible?

Options are :

  • improper user input validation by the web application (Correct)
  • improper SQL database schema
  • improper trust relationship between the web application and the SQL database
  • improper SQL syntax validation by the SQL database

Answer : improper user input validation by the web application

Identify the network corporate asset that should receive the highest priority when investigating a potential threat within an organization.

Options are :

  • remote employee PC connected to a DMZ network segment over a VPN connection
  • employee’s iPhone attached to a public wi-fi hotspot with no connectivity to the network
  • research and development server residing within the data center (Correct)
  • laptop of an employee that recently attended a security conference

Answer : research and development server residing within the data center

When is the best time to obtain a baseline about the network?

Options are :

  • as soon as the network is set up, without any user traffic on the network
  • before the network is set up
  • as soon as the network is set up and operating under normal use (Correct)
  • as soon as we find any anomalies in the network

Answer : as soon as the network is set up and operating under normal use

Which statement is true about conducting a Security Incident Investigation?

Options are :

  • The Tier 1 SOC analyst should perform an in-depth malware file analysis, using tools such as VirusTotal and Malwr.com
  • Slowly and methodically investigate and document every alert, including false positives, until the next alert arrives in the queue
  • Spend more time in investigating the false positive events to help prevent future attacks
  • Approach every investigation with an open-mind, reserving judgment until discovering definitive evidence of the presence of either a false or true positive event. (Correct)
  • Quickly disregard the true positive events, as these will require more time for the analysts to investigate

Answer : Approach every investigation with an open-mind, reserving judgment until discovering definitive evidence of the presence of either a false or true positive event.

In an organization, who typically develops the plays in the playbook?

Options are :

  • a team of SOC security analysts (Correct)
  • a team of SOC managers
  • a team of incident response handlers
  • a team of IT analysts

Answer : a team of SOC security analysts

Which two items affect the success of deploying a SIEM project? (Choose two.)

Options are :

  • form factor of a SIEM appliance
  • engineering specifications of the SIEM (Correct)
  • business requirements (Correct)
  • SIEM vendor

Answer : engineering specifications of the SIEM; business requirements

When implementing a SIEM solution, why is it important to have a good estimate of the rate of events per second that are coming into the SIEM and the historical events storage requirements?

Options are :

  • determine the form factor of the SIEM
  • determine the API requirements between the SIEM and the other security devices that are feeding events into the SIEM
  • establish the analyst workflow requirements
  • estimate the disk size of the back-end events storage (Correct)

Answer : estimate the disk size of the back-end events storage

Which industry term describes security WMS vendors?

Options are :

  • SOAR (Correct)
  • SWMS
  • SIEM
  • CTI

Answer : SOAR
