CompTIA CS0-002 - CompTIA CySA+ Certification Exam (CS0-002)

An active scan is a type of system vulnerability scan that involves sending probes or packets to the target system, and analyzing the responses or behaviors of the system. An active scan can help obtain critical information about the system, such as open ports, running services, operating system, software versions, etc. An active scan can also use OVAL XML language to review and calculate the discovered risk. OVAL stands for Open Vulnerability and Assessment Language, and it is a standard for describing and exchanging information about system vulnerabilities and configurations.

The company is transferring the risk for the vulnerability to the software vendor. Risk transfer is a risk treatment strategy that involves shifting the potential loss or impact of a risk to a third party, such as an insurance company or a vendor. Risk transfer does not eliminate the risk, but it reduces the organization’s exposure or liability for the risk1. In this scenario, the company is transferring the risk for the vulnerability in the out-of-support database software to the software vendor by signing an extended support contract. The extended support contract means that the software vendor will continue to provide security patches and updates for the software until the company can complete the software update. This reduces the likelihood and impact of a potential exploit of the vulnerability.

This line from the output most likely indicates that attackers could quickly use brute force and determine the negotiated secret session key, as it represents a weak cipher suite that uses an outdated encryption algorithm, a small key size, and no forward secrecy. A cipher suite is a combination of cryptographic algorithms and parameters that are used to establish a secure communication channel between two parties. The cipher suite in this line consists of four components: TLS_RSA_WITH_DES_CBC_SHA 56.

TLS stands for Transport Layer Security, and it is a protocol that provides security and privacy for network communications.

RSA stands for Rivest-Shamir-Adleman, and it is an algorithm that uses public-key cryptography for key exchange and authentication.

DES stands for Data Encryption Standard, and it is an algorithm that uses symmetric-key cryptography for data encryption.

CBC stands for Cipher Block Chaining, and it is a mode of operation that encrypts each block of data by XORing it with the previous ciphertext block.

SHA stands for Secure Hash Algorithm, and it is an algorithm that produces a fixed-length hash value from any input data.

56 stands for the key size in bits, which indicates how strong or secure the encryption is.

The cipher suite in this line is weak because:

DES is an outdated encryption algorithm that has been broken by brute force attacks, as it has a small key size of 56 bits, which can be easily guessed by modern computers.

RSA does not provide forward secrecy, which means that if the RSA private key is compromised, all past and future communications encrypted with that key can be decrypted by an attacker.

SHA is also an outdated hash algorithm that has been replaced by newer versions such as SHA-2 or SHA-3, as it has some vulnerabilities and weaknesses.

A daemon is a program that runs in the background on a system and performs certain tasks or services without user intervention. A daemon’s binary is the executable file that contains the code and instructions for the daemon to run. The server log shows that the daemon’s binary was changed on Aug 1 2020 at 00:00:01 by an unknown user with UID 0 (root). This is the greatest security concern, because it could indicate that an attacker has gained root access to the system and modified the daemon’s binary with malicious code that could compromise the system’s security or functionality. Four consecutive days of monitoring being skipped in the log, the process identifiers for the running service changing, or the PIDs continuously changing are not security concerns, but rather normal events that could occur due to system maintenance, updates, restarts, or scheduling. Reference: https://www.linux.com/training-tutorials/what-are-linux-daemons/

Promiscuous mode is the mode that must be supported by the scanner’s NIC to assist with the company’s request of passive network monitoring. Promiscuous mode is a mode of operation for a network interface controller (NIC) that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is specifically programmed to receive. This mode is normally used for packet sniffing, the practice of collecting and logging packets that pass through the network for further analysis, such as the analysis of traffic or bandwidth usage1. Promiscuous mode makes sure all transmitted data packets are received and read by network adapters.

The Internet usage trend report shows that User 4 has an unusually high amount of data downloaded compared to other users. User 4 downloaded 2.5 GB of data in one day, while the average data downloaded by other users was around 0.2 GB. This could indicate that User 4 is engaged in some suspicious or malicious activity, such as downloading unauthorized or illegal content, exfiltrating sensitive data, or installing malware. Therefore, the security analyst should investigate User 4 further to determine the nature and source of the data downloaded.

Use data-at-rest scans to locate and identify sensitive data. This option is the best DLP consideration for addressing the sensitive data on the file servers. Data-at-rest scans are performed on data that is stored on a device or a network, such as file servers, and can help identify and classify sensitive data based on predefined policies or rules. The other options are not relevant for this scenario, as they either deal with data in transit (network DLP appliances), data in use (endpoint DLP agents), or cloud-based data (CASB device).

A directory traversal attack is a type of web application attack that exploits insufficient input validation or filtering to access files or directories that are outside of the web root folder. A directory traversal attack can allow an attacker to read, modify, or execute files on the target server that are not intended to be accessible via web requests. The URL in the alert contains an example of a directory traversal attack, as indicated by the use of “…/” sequences in the query string. These sequences are used to navigate up one level in the directory hierarchy, potentially reaching sensitive files or folders on the server. In this case, the attacker is trying to access /etc/passwd file, which contains user account information on Linux systems.

Deidentifying a data subject means removing or obscuring any data that can be used to identify, locate, or contact an individual, such as names, addresses, phone numbers, email addresses, social security numbers, etc. Deidentifying a data subject throughout the organization’s applications can help comply with the new regulation that requires only retaining the minimum amount of data on a person to perform the organization’s necessary activities.

Segmenting the network to include all legacy systems is a strategy that can prevent the propagation of the malware throughout the network, by isolating the systems that cannot be patched from the rest of the network. Segmenting the network can also reduce the exposure and impact of the malware, by limiting its access to other resources or systems.