1. What are two problems that can be caused by a large number of ARP request and reply messages? (Choose two.)
All ARP request messages must be processed by all nodes on the local network.
A large number of ARP request and reply messages may slow down the switching process, leading the switch to make many changes in its MAC table.
The network may become overloaded because ARP reply messages have a very large payload due to the 48-bit MAC address and 32-bit IP address that they contain.
The ARP request is sent as a broadcast, and will flood the entire subnet.
Switches become overloaded because they concentrate all the traffic from the attached subnets.
Solution: All ARP request messages must be processed by all nodes on the local network; A large number of ARP request and reply messages may slow down the switching process, leading the switch to make many changes in its MAC table.
2. Refer to the exhibit. Which field in the Sguil application window indicates the priority of an event or set of correlated events?
ST
AlertID
Pr
CNT
Solution: Pr.
3. Match the job titles to SOC personnel positions. (Not all options are used.)
Tier 1 Alert Analyst –> monitors incoming alerts and verifies that a true incident has occurred
Tier 2 Incident Responder –> involved in deep investigation of incidents
Tier 3 Subject Matter Expert –> involved in hunting for potential threats and implements threat detection tools
(not used) –> serves as the point of contact for the large organization
Solution: Tier 1 Alert Analyst and Tier 2 Incident Responder.
4. If the default gateway is configured incorrectly on the host, what is the impact on communications?
The host is unable to communicate on the local network.
The host can communicate with other hosts on the local network, but is unable to communicate with hosts on remote networks.
The host can communicate with other hosts on remote networks, but is unable to communicate with hosts on the local network.
There is no impact on communications.
Solution: The host can communicate with other hosts on remote networks, but is unable to communicate with hosts on the local network.
5. When a connectionless protocol is in use at a lower layer of the OSI model, how is missing data detected and retransmitted if necessary?
Connectionless acknowledgements are used to request retransmission.
Upper-layer connection-oriented protocols keep track of the data received and can request retransmission from the upper-level protocols on the sending host.
Network layer IP protocols manage the communication sessions if connection-oriented transport services are not available.
The best-effort delivery process guarantees that all packets that are sent are received.
Solution: Upper-layer connection-oriented protocols keep track of the data received and can request retransmission from the upper-level protocols on the sending host.
6. What is the prefix length notation for the subnet mask 255.255.255.224?
/25
/26
/27
/28
Solution: /27.
7. Which network monitoring tool saves captured network frames in PCAP files?
NetFlow
Wireshark
SNMP
SIEM
Solution: Wireshark.
8. What is the TCP mechanism used in congestion avoidance?
a) three-way handshake
b) socket pair
c) two-way handshake
d) sliding window
Solution: d) sliding window
Explanation: TCP uses windows to manage the rate of transmission, attempting to maximize flow while minimizing loss and retransmissions. Sliding windows are used for congestion avoidance.
9. What is the Internet?
a) It is a network based on Ethernet technology.
b) It provides network access for mobile devices.
c) It provides connections through interconnected global networks.
d) It is a private network for an organization with LAN and WAN connections.
Solution: c) It provides connections through interconnected global networks.
Explanation: The Internet provides global connections enabling communication between devices with different network technologies.
10. Which protocol is used by the traceroute command to send and receive echo-requests and echo-replies?
a) SNMP
b) ICMP
c) Telnet
d) TCP
Solution: b) ICMP
Explanation: Traceroute uses ICMP to send and receive echo-request and echo-reply messages.
11. What are two ICMPv6 messages that are not present in ICMP for IPv4? (Choose two.)
a) Neighbor Solicitation
b) Destination Unreachable
c) Host Confirmation
d) Time Exceeded
e) Router Advertisement
f) Route Redirection
Solution: a) Neighbor Solicitation, e) Router Advertisement
Explanation: ICMPv6 introduces new message types including Neighbor Solicitation and Router Advertisement.
12. Match the network security testing technique with how it is used to test network security. (Not all options are used.)
a) Network scanning tools - Probe network devices, servers, and hosts for open TCP or UDP ports.
b) Vulnerability scanning tools - Discover security weaknesses in a network or computer system.
c) Penetration testing tools - Determine the possible outcome of a successful attack on a network or computer system.
Solution: AD
Explanation: Network scanning tools are used to probe network devices for open ports, vulnerability scanning tools discover security weaknesses, and penetration testing tools determine potential attack outcomes.
13. What are two monitoring tools that capture network traffic and forward it to network monitoring devices? (Choose two.)
a) SPAN
b) network tap
c) SNMP
d) SIEM
e) Wireshark
Solution: a) SPAN, b) network tap
Explanation: Network taps and SPAN are used to capture network traffic and forward it to monitoring devices for analysis.
14. Which network monitoring tool is in the category of network protocol analyzers?
a) SNMP
b) SPAN
c) Wireshark
d) SIEM
Solution: c) Wireshark
Explanation: Wireshark is a network protocol analyzer used to capture and analyze network traffic.
15. Based on the command output shown, which file permission or permissions have been assigned to the other user group for the data.txt file?
a) full access
b) read, write
c) read
d) read, write, execute
Solution: c) read
Explanation: The file permissions indicate that the other user group has read-only access to the data.txt file.
16. What are three benefits of using symbolic links over hard links in Linux? (Choose three.)
a) They can link to a directory.
b) They can be compressed.
c) Symbolic links can be exported.
d) They can be encrypted.
e) They can link to a file in a different file system.
f) They can show the location of the original file.
Solution: a) They can link to a directory, e) They can link to a file in a different file system, f) They can show the location of the original file
Explanation: Symbolic links in Linux offer flexibility by allowing linking to directories, files in different file systems, and showing the location of the original file.
17. A network security specialist is tasked to implement a security measure that monitors the status of critical files in the data center and sends an immediate alert if any file is modified. Which aspect of secure communications is addressed by this security measure?
a) origin authentication
b) data integrity
c) nonrepudiation
d) data confidentiality
Solution: b) data integrity
Explanation: This security measure ensures data integrity by monitoring file modifications and immediately alerting to any unauthorized changes.
18. A network administrator is configuring an AAA server to manage TACACS+ authentication. What are two attributes of TACACS+ authentication? (Choose two.)
a) TCP port 40
b) encryption for all communication
c) single process for authentication and authorization
d) UDP port 1645
e) encryption for only the password of a user
f) separate processes for authentication and authorization
Solution: b) encryption for all communication, f) separate processes for authentication and authorization
Explanation: TACACS+ authentication encrypts all communication and employs separate processes for authentication and authorization.
19. In an attempt to prevent network attacks, cyber analysts share unique identifiable attributes of known attacks with colleagues. What three types of attributes or indicators of compromise are helpful to share? (Choose three.)
a) IP addresses of attack servers
b) changes made to end system software
c) netbios names of compromised firewalls
d) features of malware files
e) BIOS of attacking systems
f) system ID of compromised systems
Solution: a) IP addresses of attack servers, b) changes made to end system software, d) features of malware files
Explanation: Sharing indicators of compromise such as IP addresses, changes in system software, and features of malware files can help in preventing network attacks.
20. Which two types of messages are used in place of ARP for address resolution in IPv6? (Choose two.)
a) anycast
b) broadcast
c) neighbor solicitation
d) echo reply
e) echo request
f) neighbor advertisement
Solution: c) neighbor solicitation, f) neighbor advertisement
Explanation: In IPv6, ARP is replaced by neighbor solicitation and neighbor advertisement messages for address resolution.
21. What is indicated by a true negative security alert classification?
a) An alert is verified to be an actual security incident.
b) An alert is incorrectly issued and does not indicate an actual security incident.
c) Normal traffic is correctly ignored and erroneous alerts are not being issued.
d) Exploits are not being detected by the security systems that are in place.
Solution: c) Normal traffic is correctly ignored and erroneous alerts are not being issued.
Explanation: True negative security alert classification indicates that normal traffic is correctly identified and no erroneous alerts are generated.
22. Which statement describes the anomaly-based intrusion detection approach?
a) It compares the antivirus definition file to a cloud-based repository for latest updates.
b) It compares the behavior of a host to an established baseline to identify potential intrusions.
c) It compares the signatures of incoming traffic to a known intrusion database.
d) It compares the operations of a host against a well-defined security policy.
Solution: b) It compares the behavior of a host to an established baseline to identify potential intrusions.
Explanation: The anomaly-based intrusion detection approach identifies potential intrusions by comparing host behavior to a baseline.
23. Match the description to the antimalware approach. (Not all options are used.)
a) signature-based – by recognizing various characteristics of known malware files
b) heuristics-based – by recognizing general features shared by various types of malware
c) behavior-based – through analysis of suspicious activities
Solution: AD
Explanation: Antimalware programs employ signature-based, heuristics-based, and behavior-based approaches to detect and prevent malware.
24. Which two protocols are associated with the transport layer? (Choose two.)
a) ICMP
b) IP
c) UDP
d) PPP
e) TCP
Solution: c) UDP, e) TCP
Explanation: UDP and TCP are protocols associated with the transport layer in both the OSI and TCP/IP models.
25. A network administrator is creating a network profile to generate a network baseline. What is included in the critical asset address space element?
a) the time between the establishment of a data flow and its termination
b) the TCP and UDP daemons and ports that are allowed to be open on the server
c) the IP addresses or the logical location of essential systems or data
d) the list of TCP or UDP processes that are available to accept data
Solution: c) the IP addresses or the logical location of essential systems or data
Explanation: The critical asset address space element in a network profile includes the IP addresses or logical locations of essential systems or data.
26. What are the three impact metrics contained in the CVSS 3.0 Base Metric Group? (Choose three.)
a) confidentiality
b) remediation level
c) integrity
d) attack vector
e) exploit
f) availability
Solution: a) confidentiality, c) integrity, f) availability
Explanation: The three impact metrics contained in the CVSS 3.0 Base Metric Group are confidentiality, integrity, and availability.
27. What is a characteristic of DNS?
a) DNS servers can cache recent queries to reduce DNS query traffic.
b) All DNS servers must maintain mappings for the entire DNS structure.
c) DNS servers are programmed to drop requests for name translations that are not within their zone.
d) DNS relies on a hub-and-spoke topology with centralized servers.
Solution: a) DNS servers can cache recent queries to reduce DNS query traffic.
Explanation: DNS servers can cache recent queries to reduce DNS query traffic and improve efficiency.
28. What are two differences between HTTP and HTTP/2? (Choose two.)
a) HTTP/2 uses a compressed header to reduce bandwidth requirements.
b) HTTP/2 uses multiplexing to support multiple streams and enhance efficiency.
c) HTTP/2 uses different status codes than HTTP does to improve performance.
d) HTTP/2 issues requests using a text format whereas HTTP uses binary commands.
e) HTTP has a different header format than HTTP/2 has.
Solution: a) HTTP/2 uses a compressed header to reduce bandwidth requirements, b) HTTP/2 uses multiplexing to support multiple streams and enhance efficiency
Explanation: HTTP/2 introduces several improvements over HTTP, including compressed headers and multiplexing to enhance performance.
29. Match the steps with the actions that are involved when an internal host with IP address 192.168.10.10 attempts to send a packet to an external server at the IP address 209.165.200.254 across a router R1 that is running dynamic NAT. (Not all options are used.)
AD
Explanation: The translation of the IP addresses from 209.165.200.254 to 192.168.10.10 will take place when the reply comes back from the server.
30. A router has received a packet destined for a network that is in the routing table. What steps does the router perform to send this packet on its way? Match the step to the task performed by the router.
AD
31. What are two shared characteristics of the IDS and the IPS? (Choose two.)
a) Both have minimal impact on network performance.
b) Both are deployed as sensors.
c) Both analyze copies of network traffic.
d) Both use signatures to detect malicious traffic.
e) Both rely on an additional network device to respond to malicious traffic.
Solution: b) Both are deployed as sensors, d) Both use signatures to detect malicious traffic
Explanation: IDS and IPS both act as sensors and use signatures to detect and respond to malicious traffic.
32. Which statement describes a typical security policy for a DMZ firewall configuration?
AD
Explanation: A typical security policy for a DMZ firewall configuration involves selective permitting of traffic and inspection of traffic originating from internal networks.
33. After complaints from users, a technician identifies that the college web server is running very slowly. A check of the server reveals that there are an unusually large number of TCP requests coming from multiple locations on the Internet. What is the source of the problem?
AD
Explanation: The symptoms suggest that the server is under a distributed denial of service (DDoS) attack, indicated by a large number of TCP requests from multiple locations.
34. Which two statements describe access attacks? (Choose two.)
a) Password attacks can be implemented by the use of brute-force attack methods, Trojan horses, or packet sniffers.
b) To detect listening services, port scanning attacks scan a range of TCP or UDP port numbers on a host.
c) Port redirection attacks use a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN.
d) Trust exploitation attacks often involve the use of a laptop to act as a rogue access point to capture and copy all network traffic in a public location, such as a wireless hotspot.
e) Buffer overflow attacks write data beyond the allocated buffer memory to overwrite valid data or to exploit systems to execute malicious code.
Solution: a) Password attacks can be implemented by the use of brute-force attack methods, Trojan horses, or packet sniffers; b) To detect listening services, port scanning attacks scan a range of TCP or UDP port numbers on a host.
Explanation: An access attack tries to gain access to a resource using a hijacked account or other means.
35. Which two actions can be taken when configuring Windows Firewall? (Choose two.)
a) Turn on port screening.
b) Manually open ports that are required for specific applications.
c) Allow a different software firewall to control access.
d) Enable MAC address authentication.
e) Perform a rollback.
Solution: b) Manually open ports that are required for specific applications, c) Allow a different software firewall to control access
Explanation: Windows Firewall can be configured to manually open specific ports and allow other software firewalls to control access.
36. Which statement describes the state of the administrator and guest accounts after a user installs a Windows desktop version on a new computer?
a) By default, the guest account is enabled but the administrator account is disabled.
b) By default, both the administrator and guest accounts are enabled.
c) By default, both the administrator and guest accounts are disabled.
d) By default, the administrator account is enabled but the guest account is disabled.
Solution: c) By default, both the administrator and guest accounts are disabled.
Explanation: When a user installs a Windows desktop version, both the administrator and guest accounts are created automatically, but they are disabled by default.
37. What is a purpose of entering the nslookup cisco.com command on a Windows PC?
a) to check if the DNS service is running
b) to connect to the Cisco server
c) to test if the Cisco server is reachable
d) to discover the transmission time needed to reach the Cisco server
Solution: c) to test if the Cisco server is reachable
Explanation: The nslookup command queries DNS servers to find out the IP address or addresses associated with the domain name cisco.com, helping to determine if the Cisco server is reachable.
38. How is the event ID assigned in Sguil?
a) All events in the series of correlated events are assigned the same event ID.
b) Only the first event in the series of correlated events is assigned a unique ID.
c) All events in the series of correlated events are assigned the same event group ID.
d) Each event in the series of correlated events is assigned a unique ID.
Solution: d) Each event in the series of correlated events is assigned a unique ID.
Explanation: In Sguil, each event receives a unique event ID, allowing for individual identification and tracking.
39. Which two types of network traffic are from protocols that generate a lot of routine traffic? (Choose two.)
a) routing updates traffic
b) Windows security auditing alert traffic
c) IPsec traffic
d) STP traffic
e) SSL traffic
Solution: a) routing updates traffic, d) STP traffic
Explanation: Network management protocols such as routing updates and STP generate a lot of routine traffic, which is usually less relevant for cybersecurity analysis.
40. What are two elements that form the PRI value in a syslog message? (Choose two.)
a) facility
b) timestamp
c) severity
d) header
e) hostname
Solution: a) facility, c) severity
Explanation: The PRI in a syslog message consists of two elements, the facility and severity of the message.
41. Which three pieces of information are found in session data? (Choose three.)
a) default gateway IP address
b) source and destination port numbers
c) Layer 4 transport protocol
d) source and destination MAC addresses
e) user name
f) source and destination IP addresses
Solution: b) source and destination port numbers, c) Layer 4 transport protocol, f) source and destination IP addresses
Explanation: Session data typically includes information such as source and destination IP addresses, port numbers, and the Layer 4 protocol in use.
42. What kind of ICMP message can be used by threat actors to perform network reconnaissance and scanning attacks?
a) ICMP mask reply
b) ICMP router discovery
c) ICMP unreachable
d) ICMP redirects
Solution: c) ICMP unreachable
Explanation: ICMP unreachable messages can be used by threat actors to perform network reconnaissance and scanning attacks.
43. A flood of packets with invalid source IP addresses requests a connection on the network. The server busily tries to respond, resulting in valid requests being ignored. What type of attack has occurred?
a) TCP session hijacking
b) TCP SYN flood
c) TCP reset
d) UDP flood
Solution: b) TCP SYN flood
Explanation: A TCP SYN flood attack involves overwhelming a server with TCP SYN packets, causing it to consume resources and become unresponsive to legitimate traffic.
44. An attacker is redirecting traffic to a false default gateway in an attempt to intercept the data traffic of a switched network. What type of attack could achieve this?
a) DNS tunneling
b) TCP SYN flood
c) DHCP spoofing
d) ARP cache poisoning
Solution: d) ARP cache poisoning
Explanation: ARP cache poisoning involves manipulating the ARP cache of devices on a network to redirect traffic to a false default gateway, allowing an attacker to intercept data traffic.
45. What is the most common goal of search engine optimization (SEO) poisoning?
a) to increase web traffic to malicious sites
b) to build a botnet of zombies
c) to trick someone into installing malware or divulging personal information
d) to overwhelm a network device with maliciously formed packets
Solution: a) to increase web traffic to malicious sites
Explanation: SEO poisoning aims to manipulate search engine results to increase traffic to malicious websites, often to distribute malware or conduct phishing attacks.
46. Users report that a database file on the main server cannot be accessed. A database administrator verifies the issue and notices that the database file is now encrypted. The organization receives a threatening email demanding payment for the decryption of the database file. What type of attack has the organization experienced?
a) man-in-the-middle attack
b) DoS attack
c) ransomware
d) Trojan horse
Solution: c) ransomware
Explanation: In a ransomware attack, the attacker compromises the victim computer and encrypts the hard drive so that data can no longer be accessed by the user. The attacker then demands payment from the user to decrypt the drive.
47. What two kinds of personal information can be sold on the dark web by cybercriminals? (Choose two.)
a) city of residence
b) Facebook photos
c) name of a bank
d) name of a pet
e) street address
Solution: c) name of a bank, e) street address
Explanation: Personally identifiable information (PII) is any information that can be used to positively identify an individual. Examples of PII include the name of a bank and street address.
48. What three services are offered by FireEye? (Choose three.)
a) blocks attacks across the web
b) creates firewall rules dynamically
c) identifies and stops latent malware on files
d) subjects all traffic to deep packet inspection analysis
e) deploys incident detection rule sets to network security tools
f) identifies and stops email threat vectors
Solution: c) identifies and stops latent malware on files, d) subjects all traffic to deep packet inspection analysis, f) identifies and stops email threat vectors
Explanation: FireEye is a security company that offers services such as identifying and stopping latent malware on files, subjecting all traffic to deep packet inspection analysis, and identifying and stopping email threat vectors.
49. After containment, what is the first step of eradicating an attack?
a) Change all passwords.
b) Patch all vulnerabilities.
c) Hold meetings on lessons learned.
d) Identify all hosts that need remediation.
Solution: d) Identify all hosts that need remediation.
Explanation: Once an attack is contained, the next step is to identify all hosts that will need remediation so that the effects of the attack can be eliminated.
50. Which activity is typically performed by a threat actor in the installation phase of the Cyber Kill Chain?
a) Install a web shell on the target web server for persistent access.
b) Harvest email addresses of user accounts.
c) Open a two-way communication channel to the CnC infrastructure.
d) Obtain an automated tool to deliver the malware payload.
Solution: a) Install a web shell on the target web server for persistent access.
Explanation: In the installation phase of the Cyber Kill Chain, the threat actor establishes a back door into the system to allow for continued access to the target.
51. When dealing with a security threat and using the Cyber Kill Chain model, which two approaches can an organization use to help block potential exploitations on a system? (Choose two.)
a) Collect email and web logs for forensic reconstruction.
b) Conduct full malware analysis.
c) Train web developers for securing code.
d) Build detections for the behavior of known weaponizers.
e) Perform regular vulnerability scanning and penetration testing.
Solution: c) Train web developers for securing code, e) Perform regular vulnerability scanning and penetration testing.
Explanation: Among other measures, training web developers in securing code and performing regular vulnerability scanning and penetration testing can help block potential exploitations on systems.
52. How might corporate IT professionals deal with DNS-based cyber threats?
a) Limit the number of simultaneously opened browsers or browser tabs.
b) Monitor DNS proxy server logs and look for unusual DNS queries.
c) Use IPS/IDS devices to scan internal corporate traffic.
d) Limit the number of DNS queries permitted within the organization.
Solution: b) Monitor DNS proxy server logs and look for unusual DNS queries.
Explanation: Corporate IT professionals can deal with DNS-based cyber threats by monitoring DNS proxy server logs and looking for unusual DNS queries, which could indicate potential threats.
53. How does using HTTPS complicate network security monitoring?
a) HTTPS adds complexity to captured packets.
b) HTTPS cannot protect visitors to a company-provided web site.
c) Web browser traffic is directed to infected servers.
d) HTTPS can be used to infiltrate DNS queries.
Solution: a) HTTPS adds complexity to captured packets.
Explanation: HTTPS adds extra overhead to the HTTP packet. HTTPS encrypts using Secure Sockets Layer (SSL), which adds complexity to packet captures because of the additional messages involved in establishing an encrypted data connection.
55. What are the two important components of a public key infrastructure (PKI) used in network security? (Choose two.)
a) intrusion prevention system
b) digital certificates
c) symmetric encryption algorithms
d) certificate authority
e) pre-shared key generation
Solution: b) digital certificates, d) certificate authority
Explanation: A public key infrastructure uses digital certificates and certificate authorities to manage asymmetric key distribution.
56. Which three algorithms are designed to generate and verify digital signatures? (Choose three.)
a) 3DES
b) IKE
c) DSA
d) AES
e) ECDSA
f) RSA
Solution: c) DSA, e) ECDSA, f) RSA
Explanation: There are three Digital Signature Standard (DSS) algorithms that are used for generating and verifying digital signatures: Digital Signature Algorithm (DSA), Elliptic Curve Digital Signature Algorithm (ECDSA), and the Rivest-Shamir-Adleman algorithm (RSA).
57. Which section of a security policy is used to specify that only authorized individuals should have access to enterprise data?
a) statement of authority
b) identification and authentication policy
c) campus access policy
d) Internet access policy
e) statement of scope
f) acceptable use policy
Solution: b) identification and authentication policy
Explanation: The identification and authentication policy section of the security policy typically specifies authorized persons that can have access to network resources and identity verification procedures.
58. Refer to the exhibit. A cybersecurity analyst is viewing captured packets forwarded on switch S1. Which device has the MAC address d8:cb:8a:5c:d5:8a?
a) PC-A
b) DNS server
c) web server
d) router DG
e) router ISP
Solution: d) router DG
Explanation: The Wireshark capture is a DNS response from the DNS server to PC-A. Because the packet was captured on the LAN that the PC is on, router DG would have encapsulated the response packet from the ISP router into an Ethernet frame addressed to PC-A and forwarded the frame with the MAC address of PC-A as the destination.
59. What kind of message is sent by a DHCPv4 client requesting an IP address?
a) DHCPDISCOVER broadcast message
b) DHCPDISCOVER unicast message
c) DHCPOFFER unicast message
d) DHCPACK unicast message
Solution: a) DHCPDISCOVER broadcast message
Explanation: When the DHCPv4 client requests an IP address, it sends a DHCPDISCOVER broadcast message seeking a DHCPv4 server on the network.
62. How does a security information and event management system (SIEM) in a SOC help the personnel fight against security threats?
a) by integrating all security devices and appliances in an organization
b) by analyzing logging data in real time
c) by combining data from multiple technologies
d) by dynamically implementing firewall rules
Solution: c) by combining data from multiple technologies
Explanation: A security information and event management system (SIEM) combines data from multiple sources to help SOC personnel collect and filter data, detect and classify threats, analyze and investigate threats, and manage resources to implement preventive measures.
63. At which OSI layer is a source IP address added to a PDU during the encapsulation process?
a) network layer
b) transport layer
c) data link layer
d) application layer
Solution: a) network layer
Explanation: The source IP address is added to a PDU (Protocol Data Unit) during the encapsulation process at the network layer of the OSI model.
65. Why is DHCP preferred for use on large networks?
a) Hosts on large networks require more IP addressing configuration settings than hosts on small networks.
b) It prevents sharing of files that are copyrighted.
c) It is a more efficient way to manage IP addresses than static address assignment.
d) Large networks send more requests for domain to IP address resolution than do smaller networks.
e) DHCP uses a reliable transport layer protocol.
Solution: c) It is a more efficient way to manage IP addresses than static address assignment.
Explanation: Static IP address assignment requires personnel to configure each network host with addresses manually. DHCP provides a much more efficient means of configuring and managing IP addresses on large networks than does static address assignment.
66. Which NIST incident response life cycle phase includes continuous monitoring by the CSIRT to quickly identify and validate an incident?
a) postincident activities
b) detection and analysis
c) containment, eradication, and recovery
d) preparation
Solution: b) detection and analysis
Explanation: It is in the detection and analysis phase of the NIST incident response life cycle that the CSIRT identifies and validates incidents through continuous monitoring. NIST defines four stages of the incident response life cycle.
67. What will a threat actor do to create a back door on a compromised target according to the Cyber Kill Chain model?
a) Add services and autorun keys.
b) Collect and exfiltrate data.
c) Obtain an automated tool to deliver the malware payload.
d) Open a two-way communications channel to the CnC infrastructure.
Solution: a) Add services and autorun keys.
Explanation: Once a target system is compromised, the threat actor will establish a back door into the system to allow for continued access to the target. Adding services and autorun keys is a way to create a point of persistent access.
68. Which type of evidence supports an assertion based on previously obtained evidence?
a) direct evidence
b) corroborating evidence
c) best evidence
d) indirect evidence
Solution: b) corroborating evidence
Explanation: Corroborating evidence is evidence that supports a proposition already supported by initial evidence, therefore confirming the original proposition. Circumstantial evidence is evidence other than first-hand accounts of events provided by witnesses.
69. A technician is configuring email on a mobile device. The user wants to be able to keep the original email on the server, organize it into folders, and synchronize the folders between the mobile device and the server. Which email protocol should the technician use?
a) POP3
b) MIME
c) IMAP
d) SMTP
Solution: c) IMAP
Explanation: The IMAP protocol allows email data to be synchronized between a client and server. Changes made in one location, such as marking an email as read, are automatically applied to the other location. POP3 is also an email protocol. However, the data is not synchronized between the client and the server. SMTP is used for sending email, and is typically used in conjunction with the POP3 protocol. MIME is an email standard that is used to define attachment types, and allows extra content like pictures and documents to be attached to email messages.
70. What is the goal of an attack in the installation phase of the Cyber Kill Chain?
a) Break the vulnerability and gain control of the target.
b) Establish command and control (CnC) with the target system.
c) Create a back door in the target system to allow for future access.
d) Use the information from the reconnaissance phase to develop a weapon against the target.
Solution: c) Create a back door in the target system to allow for future access.
Explanation: In the installation phase of the Cyber Kill Chain, the threat actor establishes a back door into the system to allow for continued access to the target.