
Master The SecOps Group CNSP Exam with Reliable Practice Questions

Last exam update: Mar 10, 2025
Question 1

If a hash begins with $2a$, what hashing algorithm has been used?


Correct: A

The prefix $2a$ identifies the bcrypt hashing algorithm, which is based on the Blowfish symmetric encryption cipher (developed by Bruce Schneier). Bcrypt is purpose-built for password hashing, incorporating:

Salt: A random string (e.g., 22 Base64 characters) to thwart rainbow table attacks.

Work Factor: A cost parameter (e.g., $2a$10$ means 2^10 iterations), making it computationally expensive to brute-force.

Format: $2a$[cost]$[salt][hash]

Example: $2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy

$2a$: Bcrypt variant (original is $2$; $2a$ fixes a minor bug).

$10$: 1024 iterations.

Next 22 characters: Salt.

Remaining: Hashed password.

Used in /etc/shadow on Linux, bcrypt's adaptive nature ensures it remains secure as hardware improves. CNSP likely includes it in cryptography modules for its strength over older algorithms like MD5.

Why other options are incorrect:

B. SHA256: Part of the SHA-2 family, outputs a 64-character hexadecimal string (e.g., e3b0c442...), no $ prefix. It's faster, less suited for passwords.

C. MD5: Produces a 32-character hex string (e.g., d41d8cd9...), no prefix. It's cryptographically broken (collisions found).

D. SHA512: SHA-2 variant, 128-character hex (e.g., cf83e135...), no $ prefix, not salted by default.
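
As an added example (not part of the original question bank), the Python sketch below splits a bcrypt string into the fields described above and labels bare hex digests by their length, as the option notes do. The function names `parse_bcrypt` and `identify` are hypothetical, and the sample value is the example hash shown on this page.

```python
import re

# bcrypt uses its own Base64 alphabet: "./" plus A-Z, a-z, 0-9.
_BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# Bare hex digest lengths mentioned on this page (no "$" prefix, no salt field).
_HEX_LENGTHS = {32: "MD5", 64: "SHA-256", 128: "SHA-512"}

# Example hash taken from the explanation above.
SAMPLE = "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"


def parse_bcrypt(value):
    """Split a bcrypt string into its fields, or return None if malformed."""
    m = _BCRYPT_RE.match(value)
    if m is None:
        return None
    variant, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:  # bcrypt only accepts costs in this range
        return None
    return {
        "variant": variant,
        "cost": cost,
        "iterations": 2 ** cost,
        "salt": salt,
        "digest": digest,
    }


def identify(value):
    """Best-effort label for a stored hash string."""
    value = value.strip()
    if parse_bcrypt(value) is not None:
        return "bcrypt"
    if value.startswith("$2"):
        return "malformed bcrypt"
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in _HEX_LENGTHS:
        # Length alone cannot prove the algorithm; other digests share these sizes.
        return _HEX_LENGTHS[len(value)] + " (by length)"
    return "unknown"
```

A bare hex string carries no algorithm identifier, which is why the classifier reports those results as length-based guesses, while the `$2a$` prefix is self-describing.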

Real-World Context: Bcrypt protects SSH keys and web app passwords (e.g., in PHP's password_hash()).


Question 2

Which of the following services use TCP protocol?


Correct: C

TCP (Transmission Control Protocol) ensures reliable, ordered data delivery via a connection-oriented handshake, contrasting with UDP's lightweight, connectionless approach. Analyzing each service:

C. HTTP (Hypertext Transfer Protocol): Uses TCP (port 80) for web traffic. TCP's reliability ensures HTML, images, etc., arrive intact. HTTPS (TCP 443) extends this with TLS. RFC 2616 mandates TCP.

A. SNMP (Simple Network Management Protocol): Defaults to UDP (port 161) for monitoring devices. UDP's speed suits its lightweight queries, though TCP variants exist (rarely used).

B. NTP (Network Time Protocol): Uses UDP (port 123) per RFC 5905. UDP minimizes latency for time sync, tolerating occasional packet loss.

D. IKE (Internet Key Exchange): Part of IPsec, uses UDP (port 500) per RFC 7296. UDP suits its negotiation phase; TCP isn't standard.

Security Implications: TCP services like HTTP are more prone to state-based attacks (e.g., SYN floods) than UDP counterparts. CNSP likely contrasts TCP vs. UDP in protocol analysis.

Why other options are incorrect:

A, B, D: All default to UDP for efficiency, not TCP's reliability.

Real-World Context: Firewalls prioritize TCP 80/443 rules for HTTP/HTTPS, while UDP 123 is opened for NTP servers.


Question 3

Where is the system registry file stored in a Microsoft Windows Operating System?


Correct: B

The Windows Registry is a hierarchical database storing configuration settings for the operating system, applications, and hardware. It's physically stored as hive files on disk, located in the directory C:\Windows\System32\Config. These files are loaded into memory at boot time and managed by the Windows kernel. Key hive files include:

SYSTEM: Contains hardware and system configuration (e.g., drivers, services).

SOFTWARE: Stores software settings.

SAM: Security Accounts Manager data (e.g., local user accounts, passwords).

SECURITY: Security policies and permissions.

DEFAULT: Default user profile settings.

USERDIFF and user-specific hives (e.g., NTUSER.DAT in C:\Users\<username>) for individual profiles, though these are linked to Config indirectly.

Technical Details:

Path: C:\Windows\System32\Config is the primary location for system-wide hives. Files lack extensions (e.g., 'SYSTEM' not 'SYSTEM.DAT') and are backed by transaction logs (e.g., SYSTEM.LOG) for recovery.

Access: Direct file access is restricted while Windows runs, as the kernel locks them. Tools like reg save or offline forensic utilities (e.g., RegRipper) can extract them.

Backup: Copies may exist in C:\Windows\System32\config\RegBack (pre-Windows 10 1803) or repair folders (e.g., C:\Windows\Repair).

Security Implications: The registry is a prime target for attackers (e.g., persistence via Run keys) and malware (e.g., WannaCry modified registry entries). CNSP likely emphasizes securing this directory (e.g., NTFS permissions) and auditing changes (e.g., via Event Viewer, Event ID 4657). Compromising these files offline (e.g., via physical access) can extract password hashes from SAM.

Why other options are incorrect:

A. C:\Windows\debug: Used for debug logs (e.g., memory.dmp) or tools like DebugView, not registry hives. It's unrelated to core configuration storage.

C. C:\Windows\security: Contains security-related files (e.g., audit logs, policy templates), but not the registry hives themselves.

D. All of the above: Only B is correct; including A and C dilutes accuracy.

Real-World Context: Forensic analysts target C:\Windows\System32\Config during investigations (e.g., parsing SAM with Mimikatz offline).


Question 4

How many octets are there in an IPv6 address?


Correct: A

An IPv6 address, defined in RFC 4291, is a 128-bit address designed to replace IPv4's 32-bit scheme, vastly expanding address space (2^128 vs. 2^32). An octet is 8 bits (1 byte). To calculate octets in IPv6:

128 bits ÷ 8 bits/octet = 16 octets.

Representation:

IPv6 is written as eight 16-bit hexadecimal blocks (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334), separated by colons.

Each block is 16 bits (2 bytes), so 8 blocks = 16 octets.

Contrast with IPv4 (e.g., 192.168.0.1), which has 4 octets (32 bits).

Technical Note: This question's phrasing can be read as misleading, since 'octets' is usually treated as an IPv4 term, while IPv6 uses '16-bit groups' or 'hextets.' While that objection is technically accurate (RFC 4291 uses '16-bit blocks'), 'octets' remains a common, if informal, term in security contexts for byte-wise analysis (e.g., packet crafting). CNSP might use 'octets' to test byte-level understanding, though 'groups' is more precise for IPv6. Here, 16 octets (128 bits) is correct either way.

Security Implications: IPv6's larger address space complicates scanning (e.g., Nmap struggles with 2^128 possibilities) but introduces risks like misconfigured Neighbor Discovery Protocol (NDP). Understanding its structure aids in firewall rules and IDS signatures.

Why other options are incorrect:

B. 32: Implies 256 bits (32 × 8), far exceeding IPv6's 128-bit design.

C. 64: Suggests 512 bits (64 × 8), unrelated to IPv6 or any IP standard.

D. 128: Misinterprets octets as bits; 128 bits = 16 octets, not 128 octets.

Real-World Context: IPv6 packet analysis (e.g., Wireshark) breaks addresses into 16 octets for raw data inspection.


Question 5

WannaCry, an attack, spread throughout the world in May 2017 using machines running on outdated Microsoft operating systems. What is WannaCry?


Correct: A

WannaCry is a ransomware attack that erupted in May 2017, infecting over 200,000 systems across 150 countries. It exploited the EternalBlue vulnerability (MS17-010) in Microsoft Windows SMBv1, targeting unpatched systems (e.g., Windows XP, Server 2003). Developed by the NSA and leaked by the Shadow Brokers, EternalBlue allowed remote code execution.

Ransomware Mechanics:

Encryption: WannaCry used RSA-2048 and AES-128 to encrypt files, appending extensions like .wcry.

Ransom Demand: Displayed a message demanding $300-$600 in Bitcoin, leveraging a hardcoded wallet.

Worm Propagation: Self-replicated via SMB, scanning internal and external networks, unlike typical ransomware requiring user interaction (e.g., phishing).

Malware Context: While WannaCry is malware (malicious software), 'ransomware' is the precise subcategory, distinguishing it from viruses, trojans, or spyware. Malware is a broad term encompassing any harmful code; ransomware specifically encrypts data for extortion. CNSP likely classifies WannaCry as ransomware to focus on its payload and mitigation (e.g., patching, backups).

Why other options are incorrect:

B. Malware: Correct but overly generic. WannaCry's defining trait is ransomware behavior, not just maliciousness. Specificity matters in security taxonomy for threat response (e.g., NIST IR 8019).

Real-World Context: WannaCry crippled NHS hospitals, highlighting patch management's criticality. A kill switch (a domain sinkhole) halted it, but variants persist.

