CompTIA CS0-002 - CompTIA CySA+ Certification Exam (CS0-002)

Port triggering is a technique that allows inbound traffic to access certain ports on a device only after an outbound traffic request has been made from those ports. It can enhance the security and performance of a device by opening ports only when needed and closing them when not in use. The output from the network enumeration activities shows that port 21 (FTP) and port 22 (SSH) are open only after port 80 (HTTP) has been accessed, which indicates that port triggering is most likely being used. A web application firewall, an intrusion prevention system, port isolation, or port address translation are other techniques that can affect network traffic, but they do not match the description of the output from the network enumeration activities. Reference: https://www.techopedia.com/definition/3846/port-triggering

 The analyst should check for change tickets as the next step, given that the firewall is reporting different firmware versions on scans than were reported in previous scans. Change tickets are records of any authorized changes made to a system or a network, such as updating firmware, installing patches, or modifying configurations. Checking for change tickets can help verify if the firmware change was intentional and approved, or if it was unauthorized or malicious.

A tabletop exercise is a simulation of a security incident or scenario that involves the participation of key stakeholders and decision-makers. It can be used to test and validate the effectiveness of the organization’s plans, policies, and procedures, such as the risk management plan, incident response plan, and system security plan. A tabletop exercise can also help identify gaps or weaknesses in the plans and improve the communication and coordination among the participants. An internal management review, a control assessment, a peer review, or a scripting are other possible methods to evaluate and validate a new product’s security capabilities, but they are not as comprehensive or interactive as a tabletop exercise. Reference: https://www.csoonline.com/article/3444488/what-is-a-tabletop-exercise-how-to-run-a-security-scenario-in-6-steps.html

Static analysis of the code is a technique that scans the source code or the compiled code of an application without executing it, to identify potential vulnerabilities, errors, or bugs. Static analysis can help uncover all the software vulnerabilities, safeguard the interest of the software’s end users, reduce the likelihood that a defective program will enter production, and preserve the interests of the software producer by improving the quality and security of the code before it is deployed or run1

This is the best method to operationalize these loCs to detect future attacks because it allows the company to collect, correlate, analyze, and alert on the indicators of compromise (loCs) from various sources and systems. A SIEM stands for security information and event management, which is a software or service that provides centralized visibility and management of security events and data.

Three common types of file carving methods are as follows: Header- and footer-based carving, which focuses on headers like those found in JPEG files. For example, JPEGs can be found by looking for \xFF\xD8 in the header and \xFF\xD9 in the footer. Content-based carving techniques look for information about the content of a file such as character counts and text recognition. File structure-based carving techniques that use information about the structure of files.

File carving is a technique for recovering files from raw data bytes by scanning and rebuilding them based on their file headers and footers. File headers and footers are sequences of bytes that indicate the beginning and end of a file format, such as JPEG, PDF, ZIP, etc. File carving can be used to reconstruct files that are deleted, corrupted, fragmented, or encrypted by bypassing the file system structure and looking for recognizable patterns in the data3 The analyst used file carving to reconstruct files from a hard disk by scanning the raw data bytes and rebuilding them based on their file headers and footers.

A compensating control, also called an alternative control, is a mechanism that is put in place to satisfy the requirement for a security measure that is deemed too difficult or impractical to implement at the present time.

"Compensating controls are additional security measures that you take to address a vulnerability without remediating the underlying issue."

A compensating control is a control that reduces the risk of an existing or potential control weakness2 In this case, the lack of segregation of duties in the accounting department is a control weakness that increases the risk of fraud or error. The quarterly reviews by a different officer are a compensating control that reduces this risk by providing an independent verification of the transactions recorded by the controller.

A hash is a mathematical function that produces a unique value for a given input. A hash can be used to verify that a bit-level image copy of a hard drive is an exact clone of the original hard drive by comparing the hash values of both drives. If the hash values match, then the drives are identical. If the hash values differ, then there is some discrepancy between the drives. Inserting the hard drive on a test computer and booting the computer, recording the serial numbers of both hard drives, or comparing the file-directory listing of both hard drives are not reliable methods to verify that a bit-level image copy of a hard drive is an exact clone of the original hard drive. Reference: https://www.forensicswiki.org/wiki/Hashing

 UEFI, or Unified Extensible Firmware Interface, is a specification that defines the software interface between an operating system and platform firmware. UEFI replaces the legacy BIOS (Basic Input/Output System) interface that was used to boot and configure computers. UEFI provides several advantages over BIOS, such as faster boot times, better security features, larger disk support, graphical user interface, etc. One of the security features that UEFI supports is Secure Boot, which is a mechanism that ensures that only authorized software can run during the boot process. Secure Boot prevents unauthorized or malicious code from loading or executing before the operating system starts. Secure Boot works by verifying the digital signature of each piece of boot software against a database of trusted keys stored in UEFI firmware. If the signature is valid, the software is allowed to run; otherwise, it is blocked or rejected.

Investing in a failover and redundant system, as necessary, is the best solution to improve the availability of the organization’s systems based on past incidents. A failover system is a backup system that automatically takes over the operation of a primary system in case of a failure or outage. A redundant system is a duplicate system that runs simultaneously with the primary system and provides backup functionality if needed. Investing in a failover and redundant system can help to ensure that the organization’s systems are always available and can handle the workload without interruption or degradation .