440 Appendix ■ Answers
76. A. 201.19.7.45 is a public IP address. RFC 1918 addresses are in the ranges 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255. APIPA addresses are assigned between 169.254.0.0 and 169.254.255.254, and 127.0.0.1 is a loopback address (although technically the entire 127.x.x.x network is reserved for loopback).
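As an added illustration of the address classification in the answer above (example code written for this page, not from the book): the ranges the answer lists are encoded as networks, each address is tested against them in the order loopback, APIPA, RFC 1918, and the classifier is then run over a few constructed firewall log lines to pull out the connections that arrived from public address space, which is the practical use of the distinction when reviewing logs. The log format and the `classify_ipv4` and `external_sources` names are assumptions.

```python
import ipaddress
import re

# Address ranges exactly as the answer states them (assumed constants, not
# taken from any library): RFC 1918 private space, APIPA link-local, loopback.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),      # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),  # 192.168.0.0 - 192.168.255.255
]
# The answer gives APIPA as 169.254.0.0 - 169.254.255.254; the whole /16 is
# reserved, so a /16 membership test is used here.
APIPA_NETWORK = ipaddress.ip_network("169.254.0.0/16")
LOOPBACK_NETWORK = ipaddress.ip_network("127.0.0.0/8")  # the entire 127.x.x.x block


def classify_ipv4(addr: str) -> str:
    """Return 'loopback', 'apipa', 'rfc1918' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError(f"IPv4 address expected, got {addr!r}")
    if ip in LOOPBACK_NETWORK:
        return "loopback"
    if ip in APIPA_NETWORK:
        return "apipa"
    if any(ip in net for net in RFC1918_NETWORKS):
        return "rfc1918"
    return "public"


# Constructed sample firewall log lines (not real traffic) in a key=value form.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z src=10.1.2.3 dst=10.1.2.10 action=allow
2024-01-01T10:00:01Z src=201.19.7.45 dst=10.1.2.10 action=allow
2024-01-01T10:00:02Z src=169.254.3.4 dst=10.1.2.10 action=deny
2024-01-01T10:00:03Z src=172.16.9.9 dst=10.1.2.10 action=allow
2024-01-01T10:00:04Z src=198.51.100.7 dst=10.1.2.10 action=deny
"""

_SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def external_sources(log_text: str) -> list:
    """Return the sorted, de-duplicated public source addresses seen in the log."""
    found = set()
    for line in log_text.splitlines():
        match = _SRC_RE.search(line)
        if match and classify_ipv4(match.group(1)) == "public":
            found.add(match.group(1))
    return sorted(found, key=ipaddress.ip_address)


if __name__ == "__main__":
    for a in ("201.19.7.45", "10.0.0.1", "172.31.255.255", "169.254.1.1", "127.0.0.1"):
        print(a, "->", classify_ipv4(a))
    print("external sources:", external_sources(SAMPLE_LOG))
```

Note that the classifier only knows the ranges the answer lists, so documentation addresses such as 198.51.100.7 (TEST-NET-2) come back as public; a production version would add the other IANA special-purpose blocks.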
77. A. Risks are the combination of a threat and a vulnerability. Threats are the external forces seeking to undermine security, such as the hacker in this case. Vulnerabilities are the internal weaknesses that might allow a threat to succeed. In this case the missing patch is the vulnerability. In this scenario, if the hacker attempts a SQL injection attack (threat) against the unpatched server (vulnerability), the result is website defacement.
78. C. The three categories of data destruction are clear (overwriting with nonsensitive data), purge (removing all data), and destroy (physical destruction of the media). Degaussing is an example of a purging technique.
79. A. Hot sites contain all of the hardware and data necessary to restore operations and may be activated very quickly.
80. B. Syslog uses UDP port 514. TCP-based implementations of syslog typically use port 6514. The other ports may look familiar because they are commonly used TCP ports: 443 is HTTPS, 515 is the LPD print service, and 445 is used for Windows SMB.
81. B. PSH is a TCP flag used to clear the buffer, resulting in immediately sending data, and URG is the TCP urgent flag. These flags are not present in UDP headers.
82. B. Fagan inspection is a highly formalized review and testing process that uses planning, overview, preparation, inspection, rework, and follow-up steps. Static inspection looks at code without running it, dynamic inspection uses live programs, and interface testing tests where code modules interact.
83. D. The system is set to overwrite the logs and will replace the oldest log entries with new log entries when the file reaches 20 MB. The system is not purging archived logs because it is not archiving logs. Since there can only be 20 MB of logs, this system will not have stored too much log data, and the question does not provide enough information to know if there will be an issue with not having the information needed.
84. D. The image shown is from a network-connected web camera. This is likely an Internet of Things (IoT) botnet, much like the Mirai botnet that had a major impact on world Internet traffic in 2016.
85. A. Alejandro is in the first stage of the incident response process, detection. During this stage, the intrusion detection system provides the initial alert, and Alejandro performs preliminary triaging to determine if an intrusion is actually taking place and whether the scenario fits the criteria for activating further steps of the incident response process (which include response, mitigation, reporting, recovery, remediation, and lessons learned).
86. C. After detection of a security incident, the next step in the process is response, which should follow the organization's formal incident response procedure. The first step of this procedure is activating the appropriate teams, including the organization's computer security incident response team (CSIRT).
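The TCP flag answer above states that PSH and URG live in the TCP header and have no counterpart in UDP. The following is an added example, not from the book, that makes this concrete with Python's `struct` module: it packs a minimal 20-byte TCP header, decodes the flags byte (byte 13 of the header) back into flag names, and parses an 8-byte UDP header, which carries only ports, length and checksum. The flag bit positions follow RFC 793 and RFC 3168; the helper names and the sample port numbers are assumptions.

```python
import struct

# TCP flag bits in the header's flags byte (assumed constants following the
# RFC 793 / RFC 3168 bit positions).
TCP_FLAG_BITS = {
    "CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
    "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01,
}
TCP_HEADER_FMT = "!HHIIBBHHH"  # 20-byte fixed TCP header, network byte order
UDP_HEADER_FMT = "!HHHH"       # 8-byte UDP header: src port, dst port, length, checksum


def build_tcp_header(src_port: int, dst_port: int, flags: int,
                     seq: int = 0, ack: int = 0) -> bytes:
    """Build a minimal 20-byte TCP header (data offset 5, no options) as test input."""
    data_offset_byte = 5 << 4  # header length in 32-bit words; reserved bits zero
    return struct.pack(TCP_HEADER_FMT, src_port, dst_port, seq, ack,
                       data_offset_byte, flags, 65535, 0, 0)


def tcp_flags(header: bytes) -> set:
    """Return the set of flag names that are set in a TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    fields = struct.unpack(TCP_HEADER_FMT, header[:20])
    flags_byte = fields[5]  # sixth field in the format string is the flags byte
    return {name for name, bit in TCP_FLAG_BITS.items() if flags_byte & bit}


def build_udp_header(src_port: int, dst_port: int, payload_len: int) -> bytes:
    """Build an 8-byte UDP header; the length field covers header plus payload."""
    return struct.pack(UDP_HEADER_FMT, src_port, dst_port, 8 + payload_len, 0)


def udp_fields(header: bytes) -> dict:
    """Parse a UDP header. There is no flags field, so none is returned."""
    if len(header) < 8:
        raise ValueError("UDP header must be 8 bytes")
    src, dst, length, checksum = struct.unpack(UDP_HEADER_FMT, header[:8])
    return {"src_port": src, "dst_port": dst, "length": length, "checksum": checksum}


if __name__ == "__main__":
    push = build_tcp_header(40000, 443, TCP_FLAG_BITS["PSH"] | TCP_FLAG_BITS["ACK"])
    print("TCP flags:", sorted(tcp_flags(push)))
    # Constructed syslog-sized UDP datagram header (UDP port 514, 12-byte payload).
    print("UDP fields:", udp_fields(build_udp_header(5353, 514, 12)))
```

The point for detection work is that any rule keyed on PSH or URG only has something to match in TCP segments; a UDP-based service such as syslog on port 514 exposes no such flags.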