Deck 37: Implementing Cisco Enterprise Network Core Technologies (ENCOR)

A) chmod 666
B) chmod 774
C) chmod 775
D) chmod 777

A) Initiate a triage meeting to acknowledge the vulnerability and its potential impact
B) Determine company usage of the affected products
C) Search for a patch to install from the vendor
D) Implement restrictions within the VoIP VLANS

A) Limit the number of API calls that a single client is allowed to make
B) Add restrictions on the edge router on how often a single client can access the API
C) Reduce the amount of data that can be fetched from the total pool of active clients that call the API
D) Increase the application cache of the total pool of active clients that call the API

A) The extension is not performing as intended because of restrictions since ports 80 and 443 should be accessible
B) The traffic is legitimate as the google chrome extension is reaching out to check for updates and fetches this information
C) There is a possible data leak because payloads should be encoded as UTF-8 text
D) There is a malware that is communicating via encrypted channels to the command and control server

A) Determine the systems involved and deploy available patches
B) Analyze event logs and restrict network access
C) Review access lists and require users to increase password complexity
D) Identify the attack vector and update the IDS signature list

A) The highest priority for handling depends on the type of institution deploying the devices
B) Vulnerability #2 is the highest priority for every type of institution
C) Vulnerability #1 and vulnerability #2 have the same priority
D) Vulnerability #1 is the highest priority for every type of institution

A) additional action must be taken by the client to complete the request
B) the server takes responsibility for error status codes
C) communication of transfer protocol-level information
D) successful acceptance of the client's request

A) Contain the malware
B) Install IPS software
C) Determine the escalation path
D) Perform vulnerability assessment

A) Determine the assets to which the attacker has access
B) Identify assets the attacker handled or acquired
C) Change access controls to high risk assets in the enterprise
D) Identify movement of the attacker in the enterprise

A) Assess the network for unexpected behavior
B) Isolate critical hosts from the network
C) Patch detected vulnerabilities from critical hosts
D) Perform analysis based on the established risk factors

A) exploitation
B) actions on objectives
C) delivery
D) reconnaissance

A) JSON
B) HTML
C) XML
D) CSV

A) Host a discovery meeting and define configuration and policy updates
B) Update the IDS/IPS signatures and reimage the affected hosts
C) Identify the systems that have been affected and tools used to detect the attack
D) Identify the traffic with data capture using Wireshark and review email filters

A) Threat scores are high, malicious ransomware has been detected, and files have been modified
B) Threat scores are low, malicious ransomware has been detected, and files have been modified
C) Threat scores are high, malicious activity is detected, but files have not been modified
D) Threat scores are low and no malicious file activity is detected

A) incident response playbooks
B) asset vulnerability assessment
C) report of staff members with asset relations
D) key assets and executives
E) malware analysis report

A) Seeds for existing domains are checked
B) A search is conducted for additional seeds
C) Domains are compared to seed rules
D) A list of domains as seeds is blocked

A) The prioritized behavioral indicators of compromise do not justify the execution of the "ransomware" because the scores do not indicate the likelihood of malicious ransomware.
B) The prioritized behavioral indicators of compromise do not justify the execution of the "ransomware" because the scores are high and do not indicate the likelihood of malicious ransomware.
C) The prioritized behavioral indicators of compromise justify the execution of the "ransomware" because the scores are high and indicate the likelihood that malicious ransomware has been detected.
D) The prioritized behavioral indicators of compromise justify the execution of the "ransomware" because the scores are low and indicate the likelihood that malicious ransomware has been detected.

A) Perform a vulnerability assessment
B) Conduct a data protection impact assessment
C) Conduct penetration testing
D) Perform awareness testing

A) Classify the criticality of the information, research the attacker's motives, and identify missing patches
B) Determine the damage to the business, extract reports, and save evidence according to a chain of custody
C) Classify the attack vector, understand the scope of the event, and identify the vulnerabilities being exploited
D) Determine the attack surface, evaluate the risks involved, and communicate the incident according to the escalation plan

A) assessment scope
B) event severity and likelihood
C) incident response playbook
D) risk model framework

A) use of the Nmap tool to identify the vulnerability when the new code was deployed
B) implementation of a firewall and intrusion detection system
C) implementation of an endpoint protection system
D) use of SecDevOps to detect the vulnerability during development

A) DLP for data in motion
B) DLP for removable data
C) DLP for data in use
D) DLP for data at rest

A) ExecutedMalware.ioc
B) Crossrider.ioc
C) ConnectToSuspiciousDomain.ioc
D) W32.AccesschkUtility.ioc

A) Meet with privileged users to increase awareness and modify the rules for threat tags and anomalous behavior alerts
B) Change the SOAR configuration flow to remove the automatic remediation that is increasing the false positives and triggering threats
C) Add a confirmation step through which SOAR informs the affected user and asks them to confirm whether they made the attempts
D) Increase incorrect login tries and tune anomalous user behavior not to affect privileged accounts

A) To collect security data from authentication failures and cyber attacks and forward it for analysis
B) To search and compare security data against acceptance standards and generate reports for analysis
C) To compare security alerts against configured scenarios and trigger system responses
D) To collect and analyze security data from network devices and servers and produce alerts

A) 401
B) 402
C) 403
D) 404
E) 405

A) x-frame-options
B) x-content-type-options
C) x-xss-protection
D) x-test-debug

A) Isolate the server and perform forensic analysis of the file to determine the type and vector of a possible attack
B) Identify the server owner through the CMDB and contact the owner to determine if these were planned and identifiable activities
C) Review the server backup and identify server content and data criticality to assess the intrusion risk
D) Perform behavioral analysis of the processes on an isolated workstation and perform cleaning procedures if the file is malicious

A) website redirecting traffic to ransomware server
B) website hosting malware to download files
C) web server vulnerability exploited by malware
D) cross-site scripting vulnerability to backdoor server

A) SNMPv2
B) TCP small services
C) port UDP 161 and 162
D) UDP small services

A) Analyze environmental threats and causes
B) Inform the product security incident response team to investigate further
C) Analyze the precursors and indicators
D) Inform the computer security incident response team to investigate further

A) The malware is performing comprehensive fingerprinting of the host, including a processor, motherboard manufacturer, and connected removable storage.
B) The malware is a ransomware querying for installed anti-virus products and operating systems to encrypt and render unreadable until payment is made for file decryption.
C) The malware has moved to harvesting cookies and stored account information from major browsers and configuring a reverse proxy for intercepting network activity.
D) The malware contains an encryption and decryption routine to hide URLs/IP addresses and is storing the output of loggers and webcam captures in locally encrypted files for retrieval.

A) modify code to return error on restrictions def return false_user(username, minlen)
B) automate the restrictions def automate_user(username, minlen)
C) validate the restrictions, def validate_user(username, minlen)
D) modify code to force the restrictions, def force_user(username, minlen)

A) Move the IPS to after the firewall facing the internal network
B) Move the IPS to before the firewall facing the outside network
C) Configure the proxy service on the IPS
D) Configure reverse port forwarding on the IPS

A) a DOS MZ executable format
B) a MS-DOS executable archive
C) an archived malware
D) a Windows executable file

A) Restrict the number of requests based on a calculation of daily averages. If the limit is exceeded, temporarily block access from the IP address and return a 402 HTTP error code.
B) Implement REST API Security Essentials solution to automatically mitigate limit exhaustion. If the limit is exceeded, temporarily block access from the service and return a 409 HTTP error code.
C) Increase a limit of replies in a given interval for each API. If the limit is exceeded, block access from the API key permanently and return a 450 HTTP error code.
D) Apply a limit to the number of requests in a given time interval for each API. If the rate is exceeded, block access from the API key temporarily and return a 429 HTTP error code.

A) HIPAA
B) FISMA
C) COBIT
D) PCI DSS

A) System maintenance is delegated to software systems
B) Comprehensive initial designs support robust systems
C) Scripts and manual configurations work together to ensure repeatable routines
D) System downtime is grouped and scheduled across the infrastructure

A) customer data
B) internal database
C) internal cloud
D) Internet

A) The token is obtained by providing a password. The REST client requests access to a resource using the access token. The REST API validates the access token and gives access to the resource.
B) The token is obtained by providing a password. The REST API requests access to a resource using the access token, validates the access token, and gives access to the resource.
C) The token is obtained before providing a password. The REST API provides resource access, refreshes tokens, and returns them to the REST client. The REST client requests access to a resource using the access token.
D) The token is obtained before providing a password. The REST client provides access to a resource using the access token. The REST API encrypts the access token and gives access to the resource.

A) DDoS attack
B) phishing attack
C) virus outbreak
D) malware outbreak

A) Remove the shortcut files
B) Check the audit logs
C) Identify affected systems
D) Investigate the malicious URLs

A) Run and analyze the DLP Incident Summary Report from the Email Security Appliance
B) Ask the company to execute the payload for real time analysis
C) Investigate further in open source repositories using YARA to find matches
D) Obtain a copy of the file for detonation in a sandbox

A) Run the sudo sysdiagnose command Run the sudo sysdiagnose command
B) Run the sh command sh
C) Run the w command w
D) Run the who command who

A) chmod +x ex.sh
B) source ex.sh
C) chroot ex.sh
D) sh ex.sh

A) to securely configure machines to limit the attack surface
B) to create the logic that triggers alerts when anomalies occur
C) to identify vulnerabilities within an operating system
D) to analyze attacks to identify threat actors and points of entry

A) web security solution
B) email security solution
C) endpoint security solution
D) network security solution

A) continuous delivery
B) continuous integration
C) continuous deployment
D) continuous monitoring

A) aligning access control policies
B) exfiltration during data transfer
C) attack using default accounts
D) data exposure from backups

A) TCP port scan
B) TCP flood
C) DNS flood
D) DNS tunneling

A) Top Peers
B) Top Hosts
C) Top Conversations
D) Top Ports

A) Evaluate service disruption and associated risk before prioritizing patches.
B) Perform root cause analysis for all detected vulnerabilities.
C) Remediate all vulnerabilities with descending CVSS score order.
D) Temporarily shut down unnecessary services until patch deployment ends.

A) blocked by a configured access policy rule
B) allowed by a configured access policy rule
C) blocked by an intrusion policy rule
D) allowed in the default action

A) Verify hash integrity.
B) Remove all personally identifiable information.
C) Ensure the online sandbox is GDPR compliant.
D) Lock the file to prevent unauthorized access.

A) Mask PAN numbers
B) Encrypt personal data
C) Encrypt access
D) Mask sales details

A) servers
B) website
C) payment process
D) secretary workstation

A) It does not cover the costs to restore stolen identities as a result of a cyber attack
B) It does not cover the costs to hire forensics experts to analyze the cyber attack
C) It does not cover the costs of damage done by third parties as a result of a cyber attack
D) It does not cover the costs to hire a public relations company to help deal with a cyber attack

A) x-test-debug
B) strict-transport-security
C) x-xss-protection
D) x-content-type-options

A) phishing
B) dumpster diving
C) social engineering
D) privilege escalation

A) the assurance of system uniformity throughout the whole delivery process
B) the ability to recover from failures while keeping critical services running
C) the necessity of setting maintenance of individual deployment environments
D) the ability to set the target environment configuration regardless of the starting state

A) reduces the attack surface
B) increases the speed of patch deployment
C) reduces the steps needed to mitigate threats
D) increases the availability of threat alerts

A) Run and evaluate a full packet capture on the workloads, review SIEM logs, and define a root cause.
B) Run and evaluate a full packet capture on the workloads, review SIEM logs, and plan mitigation steps.
C) Check SOAR to learn what the security systems are reporting about the overnight events, research the attacks, and plan mitigation step.
D) Check SOAR to know what the security systems are reporting about the overnight events, review the threat vectors, and define a root cause.

A) Measure confidentiality level of downloaded documents.
B) Report to the incident response team.
C) Escalate to contractor's manager.
D) Communicate with the contractor to identify the motives.

A) post-authorization by non-issuing entities if there is a documented business justification
B) by entities that issue the payment cards or that perform support issuing services
C) post-authorization by non-issuing entities if the data is encrypted and securely stored
D) by issuers and issuer processors if there is a legitimate reason

A) IEC62446
B) IEC62443
C) IEC62439-3
D) IEC62439-2

A) grep -i "yellow" colors.txt
B) locate "yellow" colors.txt
C) locate -i "Yellow" colors.txt
D) grep "Yellow" colors.txt

A) Implement a patch management process.
B) Scan the company server files for known viruses.
C) Apply existing patches to the company servers.
D) Automate antivirus scans of the company servers.
E) Define roles and responsibilities in the incident response playbook.

A) Disable memory limit.
B) Disable CPU threshold trap toward the SNMP server.
C) Enable memory tracing notifications.
D) Enable memory threshold notifications.

A) Allow list only authorized hosts to contact the application's IP at a specific port.
B) Allow list HTTP traffic through the corporate VLANS.
C) Allow list traffic to application's IP from the internal network at a specific port.
D) Allow list only authorized hosts to contact the application's VLAN.

A) Assign the issue to the incident handling provider because no suspicious activity has been observed during business hours.
B) Review the SIEM and FirePower logs, block all traffic, and document the results of calling the call center.
C) Define the access points using StealthWatch or SIEM logs, understand services being offered during the hours in question, and cross-correlate other source events.
D) Treat it as a false positive, and accept the SIEM issue as valid to avoid alerts from triggering on weekends.

A) Block local to remote HTTP/HTTPS requests on the firewall for users who triggered the rule.
B) Inform the user by enabling an automated email response when the rule is triggered.
C) Inform the incident response team by enabling an automated email response when the rule is triggered.
D) Create an automation script for blocking URLs on the firewall when the rule is triggered.

A) {1}, {2}
B) {1}, {3}
C) console_ip, api_token
D) console_ip, reference_set_name

A) Update the cached header metadata.
B) Confirm the resource's location.
C) Increase the allowed user limit.
D) Modify the session timeout setting.

A) IaaS
B) PaaS
C) DaaS
D) SaaS

A) Determine the type of data stored on the affected asset, document the access logs, and engage the incident response team.
B) Identify who installed the application by reviewing the logs and gather a user access log from the HR department.
C) Verify user credentials on the affected asset, modify passwords, and confirm available patches and updates are installed.
D) Initiate a triage meeting with department leads to determine if the application is owned internally or used by any business unit and document the asset owner.

A) Address Resolution Protocol poisoning
B) session hijacking attack
C) teardrop attack
D) Domain Name System poisoning

A) Determine if there is internal knowledge of this incident.
B) Check incoming and outgoing communications to identify spoofed emails.
C) Disconnect the network from Internet access to stop the phishing threats and regain control.
D) Engage the legal department to explore action against the competitor that posted the spreadsheet.

A) Disconnect the affected server from the network.
B) Analyze the source.
C) Access the affected server to confirm compromised files are encrypted.
D) Determine the attack surface.

A) Orchestration combines a set of automated tools, while automation is focused on the tools to automate process flows.
B) Orchestration arranges the tasks, while automation arranges processes.
C) Orchestration minimizes redundancies, while automation decreases the time to recover from redundancies.
D) Automation optimizes the individual tasks to execute the process, while orchestration optimizes frequent and repeatable processes.