CompTIA Security + Exam
What can PPTP be used to do? Validate Wep Create a vpn over a TCP/IP network Initiate SSH connections
( Point-to-Point Tunneling Protocol) Create a VPN over a TCP/IP network
Why is DES no longer considered effective?
(Data Encryption Standard) Its keyspace was too small. Its original 56 bit keyspace is too small and can be easily brute forced.
Which media is most susceptible to EMI?
(Electromagnetic interference) Unshielded twisted-pair
What is a popular use of ECC?
(Elliptic curve cryptography) cryptography on low-power mobile devices.It requires less power for a given key strength.
What would you sue to create a HMAC?
(Hash Message Authentication Code) You could use MD5 or SHA
What does LEAP do?
(Lightweight Extensible Authentication Protocol). Provides a lightweight mutual authentication protocol for clients and uses dynamic WEP keys.
Which of the following protocols CANNOT traverse NAT? SMTP NTP L2TP FTP
(Network address translation) L2TP
What elements should be included in a good SLA? Services provided Duration Web standards covered Level of performance
(Service level agreement) Services provided Level of performance
A wrapper can be used to do which of the following?
(provide authentication services for data) Provide integrity and authentication services for data streams, such as tunneling and VPNs
What is a common vulnerability associated with SNMP?
(simple network management protocol) Default passwords
Which are risks of employees bringing their own devices in? -Data loss due to hostile apps -Geo-tagging devices allows tracking of users -Mobile devices have small screens, limiting data visualization -Mobile devices lack security features
-Data loss due to hostile apps -Geo-tagging devices allows tracking of users
Which of the following is the best description of platform as a service?(PaaS) -The offering of a computing platform in the cloud -Cloud based systems that are delivered as a virtual platform for computing -The use of the cloud to avoid server costs -The offering of software to end users from within the cloud
-The offering of a computing platform in the cloud Infrastructure as a service -Cloud based systems that are delivered as a virtual platform for computing Software as a service -The offering of software to end users from within the cloud
What is an example of a MAC address? 127.0.0.1 255.255.255.0 2001:db8:85a3::8a2e:370:733 00:07:e9:7c:c8:aa
00:07:e9:7c:c8:aa
Regarding agreements between third-party organizations, _____ and ________ business procedures should be well documented to ensure ________ with legal requirements.
1. On-boarding 2. Off-boarding 3. Complaince
One of the challenges in working with _____________ networks and/or applications is their _________.
1. Social Media 2. Terms of Use
Your study partner asks, "What are the seven steps to establish a TACACS+ connection?" How would you answer?
1. User initiates PPP authentication to the NAS 2. The NAS prompts for either a username and password(if PAP) or a challenge (if CHAP) 3. The user replies with credentials ----- different after this------- 4. The TACACS+ client sends a START request to the TACACS+ server 5. The TACACS+ server responds with either authentication complete or the client sends CONTINUE until complete 6. The TACACS+ client and server exchange authorization requests 7. The TACACS+ client acts upon services requested by the user.
In preparation for taking the CompTia Security + certification exam, you and one of your buddies are asking each other questions. Your buddy asks "What are the six steps to establish a radius connection?" How would you answer?
1. User initiates PPP authentication to the NAS 2. The NAS prompts for either a username and password(if PAP) or a challenge (if CHAP) 3. The user replies with credentials 4. The radius client sends the username and encrypted password to the RADIUS server 5. The RADIUS server responds with Access-Accept, Access-Reject, or Access Challenge 6. The RADIUS client acts upon services requested by the user.
As a computer security professional, it is very important that you are able to describe to your superiors how Kerberos authentication works. List the 6 steps.
1. User presents his credentials and requests a ticket from the key distribution center (KDC) 2. The KDC verifies credentials and issues a ticket-granting ticket(TGT) 3. The user presents a TGT and request for service to the KDC 4. The KDC verifies authorization and issues a client-to-server ticket (service ticket) 5. The user presents a request and a client-to-server ticket to the desired service 6. If the client-to-server ticket is valid, service is granted to the client.
Which of the following password lengths gives the greatest password strength? 4 characters 8 characters 15 characters single-word passphrase
15 characters
Which TCP port needs to be opened for PPTP communications?
1723
Which of the following UDP ports does RADIUS use?
1812 and 1813
What does a network mast with /24 refer to?
24 bits for the network address, 8 bits for the host address
From a practical standpoint, how many times should password entry be allowed before locking the account?
3 times
Which of the following TCP ports does TACACS+ use?
49 and 65
Which port is associated with DNS?
53
What are the 7 OSI layers?
7- Application 6-Presentation 5-Session 4-Transport 3-Network 2-Data Link 1-Physical
Your boss is trying to find more information about port-based network access control. Which of the following IEEE standards should she be looking at?
802.1x
What is the recommended timeframe to change passwords that balances password security with user convenience?
90 days
Fill in the blanks. Availability is calculated using the formula Availability = A / (B + C)
A = MTTF B = MTTF C = MTTR
While performing a port scan of your organization, you discover an Ubuntu based system with TCP port 65123 open on it. When you connect to the port using Telnet, all you see is a prompt that looks like ##. You try typing a few commands and notice that you are able to do almost anything on the system. What did you just discover?
A backdoor.
Your site survey has discovered hidden in the ceiling a rouge access point resembling one of the fire detectors. What type of device is this likely to be?
A custom wireless evil twin that is attempting to gather user information
Which of the following correctly defines the Safe Harbor principle of Notice?
A firm must identify what information is being collected, how it will be used, and who it will be shared with (give notice to user)
What is a primary security issue associated with embedded systems?
A limited budget (cost)
The CIO of your company read about public key infrastructure in a trade magazine and now feels that a new PKI system can solve all of the company's security problems. He asks you to design and implement the PKI system to support all the encryption processes used by your company and to manage and secure all the keys used. When a PKI system is used in conjunction with file and folder encryption, what is a potential risk?
A lost or damaged key can lock data away permanently
Which of the following correctly defines exposure factor?
A measure of the magnitude of loss of an asset
Which network mask corresponds to the /31 prefix?
A network prefix size of /31 corresponds to a 255.255.255.254 network mask. (because 8.8.8.8)With a /31 prefix you have 128 available subnets and 2 useable hosts per subnet.
Which of the following describes a memorandum of understanding(MOU)?
A non-contractual agreement that indicates an intended approach between parties.
Which of the following describes a warm site?
A partially configured site designed to be operational within a few days.
Which of the following most accurately describes an acceptable use policy?
A policy that communicates to users what specific uses of computer resources are permitted
Which of the following can be a single point of failure?
A process
What is the primary difference between a proxy and a firewall?
A proxy makes application-level requests on behalf of internal users A firewall typically just passes through authorized traffic.
Which of the following correctly defines password policy?
A set of rules designed to enhance computer security by requiring users to employ and maintain strong passwords.
Your vulnerability scanning tool reports that your website is vulnerable to a SQL injection attack that manipulates the values of a hidden parameter. You've tested this thoroughly by hand but cannot validate the finding. Each time you try, you get a nonstandard error message indication the query has been terminated. Your vulnerability scanner is most likely reporting:
A user error
Match the port and the service A. 139 1. FTP B.80 2. DNS C.21 3. POP3 D.3389 4. NetBIOS E.110 5. HTTP F.53 6.RDP
A. 139 & 4. NetBIOS B. 80 & 5. HTTP C. 21 & 1. FTP D. 3389 & 6. RDP E. 110 & 3. POP3 F. 53 & 2. DNS
Which of the following represents the strongest password policy provisions? A. Construction, reuse, duration, protection, consequences B. Never communicate a password by email or write it down C. Length, expiration, complexity, account sharing, password sharing/recording D. Prohibition of dictionary words, inclusion of digits, never write a password down.
A. Construction, reuse, duration, protection, consequences
Match the password policy issue with the attack it mitigates A. Password length 1. Dictionary attack B. Password File Access 2. Birthday attack C. Password Complexity 3. Brute-force attacks
A. Password Length 3. Brute-force attacks B. Password File Access 2. Birthday attack C. Password complexity 1. Dictionary attack
Match the related terms, using a one-to-one mapping: A. 802.11i . . . . . . . . . . . 1. EAP B. Captive portal . . . . 2. LEAP C. TLS . . . . . . . . . . . . . 3. CCMP D. WPS . . . . . . . . . . . . 4. PEAP . . . . . . . . . . . . . . . . . 5. HTTP
A3. 802.11i can utilize CCMP B5. Captive portals can be utilized over HTTP C4. TLS can utilize PEAP D1. WPS can utilize EAP.
Match the items one to one to the corresponding Items: A. FTPS. . . . .1.Trunking B. SSH. . . . . .2. PBX C. NAT. . . . . 3. SSL/TLS D. VLAN. . . .4. SaaS . . . . . . . . . .. . 5. TCP 22 . . . . .. . . . .. . .6. PAT
A3. FTPS uses SSl/TLS to secure FTP B5. SSH uses TCP port 22 C6. A for of NAT is PAT D1. VLANs can involve trunking.
Your company has a policy to not allow any connection from overseas addresses to its network. Which security mechanism is best to employ to accomplish this goal?
ACL(access control lists) selected IP addresses can be blocked from access either at a router or at the firewall.
Which encryption algorithm can have key sizes of 128,192, and 256 bits with the key size affecting the number of rounds used in the algorithm?
AES
What is the primary enhancement WPA2 has over WEP?
AES and CCMP, they do away with the WEP implementation of the RC4 cipher and provide temporary keys.
The frequency with which an event is expected to occur on an annualized basis is the definition of: SLA SLO ALE ARO
ARO (annualized rate of occurrence)
Which of the following protocols is used to find the MAC address of another system? DHCP DNS ARP Telnet
ARP (address resolution protocol)
Place the following elements in order of volatility, from most to least volatile with respect to data during a forensic collecion: Network connections, Swap Space, ARP Cache, USB stick, Memory
ARP Cache, network connections, RAM, swap space, USB stick
What is the most volatile from a forensics point of view? ARP cache RAM memory Network connections Swap space
ARP cache
Your boss calls you into his office and asks you to outline a plan to implement security policies. Discuss the first two you'd implement and why.
Acceptable use policy, internet usage policy, and email usage policy.
List five elements that should be explicitly detailed in an acceptable use policy for mobile devices on a network.
Acceptance of company data and its restrictions on the device (remote wiping), responsibilities to have auto-lock engaged, physical protection of the device, use of only approved apps, duty to report stolen or lost devices
What is an ACL?
Access control list - it is a list of users and their permitted actions
What software controls should you review to make sure no data was compromised during the break-in?
Access controls encryption hashing
The transport layer protocol in SSH does NOT provide for which of the following? Compression Confidentiality Accounting Server authentication
Accounting
What redundancy scheme could provide instantaneous failover?
Active-Active
Your friend recommended a free software package that helps organize your playlists. You've tried it and it is great --- except for the fact that you have to wait 30 seconds every time it starts for a product video to finish before you can use it. This type of software is known as:
Adware
What does fail-safe mean when it is used to describe electronic access control systems?
All door strikes open so people may safely exit
Error and exception handling should be performed in what fashion?
All errors/exceptions should be trapped and handled in the generating routine.
Which of the following best describes the attack surface of an application?
All logins, user inputs, data fields, paths for data in/out of the application, and code that protects data paths
A lockdown drill dictates:
All occupants are to stay inside and lock all doors and windows
Which of the following can mandate information security training? PCI DSS HIPPA Best Practices All of the above
All of the above
Which of the following is a security label used by the US government to implement mandatory access control? Top Secret Secret Confidential Unclassified All of the above
All of the above
What is Unified Threat Management used for?
All-in-one network security device.
Which of the following correctly describes application whitelisting?
Allowing access only to specifically approved applications
An anomaly-based NIPS will alert in which case?
An ANOMALY-based NIPS will alert when network traffic deviates from a baseline of traffic established when the device is first installed.
What elements does an MDM solution offer a business with respect to mobile device security?
An MDM(mobile device management) police should require: Device locking with strong password Encryption of data on the device Device locking automatically after a certain period Remote locking if lost or stolen Automatic wiping after failed logins Remote wiping of device if lost or stolen
Your antivirus solution has detected malware on one of your computers. The AV program tells you the malware is located in a certain directory, but when you go to remove the malware, you discover that the directory does not exist. This is an example of:
An armored virus.
What is a zero-day exploit?
An attack that exploits a previously UNKNOWN vulnerability
Which of the following defines RAID 1?
An exact copy so that all data is mirrored on another drive
What are the two primary types of CCTV cameras?
Analog(Traditional) and IP(Ethernet)
On those laptops you're setting up for the Internet cafe, you want to make sure that no one downloads or installs anything to infect the systems. What type of protection should you install before allowing guests to use these laptops?
Antivirus software
A buffer overflow attack was launched against one of your Windows-based web servers. You'd like to know what process was affected on the server itself. Where might you look for clues as to what process was affected?
Application Log
The ____________ defines the proper configuration settings for an application.
Application configuration baseline
Application firewalls operate at what layer?
Application layer
You also want to lock down which programs can be run by the guests visiting your internet cafe. What's the best way to prevent users from running programs you don't want them to run?
Application whitelisting (only approved programs can run)
What change should you make to prevent session hijacking?
Apply SSL to the entire site, instead of just the login page
You have a mobile device that you use to access the corporate network. List 3 threats with respect to loss of sensitive data associated with the mobile device.
Apps that scrape contact lists malware that steals data physical loss of device
What is the formula for single loss expectancy? (SLE)
Asset value x EF (Exposure factor)
Diffie-Hellman is the representative of what branch of cryptography?
Asymmetric
Which algorithm is elliptic curve cryptography (ECC) a form of?
Asymmetric algorithm
When you get an SSL certificate from a web page, what kind of cipher is used?
Asymmetric, SSL certificates are part of a public key infrastructure(that uses asymmetric keys)
A unified threat management (UTM) appliance would most likely be placed:
At the edge of the corporate network where they can examine traffic entering and leaving the network (because it is a firewall, antivirus, load balancer, etc.. combined)
When building an access control list under an explicit deny approach, where would you place a "deny all" statement?
At the end of the ACL entries because ACL entries are evaluated top to bottom and anything after the "deny all" at the bottom will be dropped.
Which of the following correctly describes cross-site request forgery (XSRF)?
Attacking a system by sending malicious input and relying upon the parsers and execution elements to perform the requested actions
Kerberos is used to perform what function in a system?
Authentication
A coworker asks you to describe the principle of transitive trust. Write one sentence that describes transitive trust.
Authentication for each domain/platform trusts the authentication for all other trusted domains/platforms
You have been asked to develop software specs for a new cloud-based file sharing application that will primarily be used to store and share password information. What are the advantages to using an asymmetric cipher as part of the design?
Authentication of users Secure Key exchange Ability to add multiple users to the encryption
Your group recieves an email from your boss that instructs you to take the rest of the day off but leave your work papers where they are and your terminals unlocked when you leave. The email says the audit department needs to check everyone's machines for illegal software. You notice the email address has an extra letter in the spelling of the company name. What type of social engineering principle might be in use here?
Authority
Which of the following plans mainly emphasizes the OPERATION of the critical systems that an organization needs to function during periods of crisis? DRP IRP SLA BCP
BCP (Business continuity plan)
Your corporate firewall has the following rules applied to the incoming interface on the DMZ. If you need to block all web traffic from a malicious source IP address, where would you place an explicit deny statement for that malicious source IP address?
BEFORE the permit statement that allows any IP to reach port 80
Your boss calls you to his office and asks you to explain the advantages and disadvantages of BYOD. List two challenges BYOD presents.
BYOD blurs the lines of ownership and corporate data ownership. Another challenge is the shared location of company and personal data.
You've found a printout with a bunch of IP addresses and descriptions next to them such as "220 Microsoft ESMTP MAIL Service ready" and "220 Microsoft FTP Service" What type of activity might have generated this type of list?
Banner Grabbing
List four models that intrusion detection systems can use to detect suspect traffic. (what are they based on?)
Behavior based, signature based, anomaly based, and heuristic(algorithms).
Which of the following techniques is most likely to be employed by a credit card company looking for fraudulent transactions?
Big Data Analysis
You want to hire someone to test an application your company just developed. The app handles sensitive data, so you want to limit the amount of information you release about the application to people outside your company. Which of the following testing are you looking for?
Black-box testing
A web server in your DMS is being overwhelmed with ICMP packets from a large number of source addresses. Which of the following might be an appropriate mitigation step?
Block all ICMP packets at the firewall
What is one of the most fundamental security practices that should be followed regarding the use of Bluetooth devices?
Bluetooth should always have discover-able mode turned off unless the user is deliberately pairing a device.
For interior doors that provide access to the server room, what access control systems do you select? Bio-metrics Proximity access cards both?
Both
What is the difference between MITRE and OWASP?
Both give info about software errors OWASP is for web applications MITRE is for standard programs
Input validation is especially well suited for the following vulnerabilities:
Buffer overflow XSS XSRF Path Traversal
How do firewalls affect PPTP transmissions?
By blocking TCP port 1723, a firewall can block the establishment of PPTP
Which of the following acronyms is related to implementing wireless in a secure manner? CCMP DHCP DNSSEC SSH
CCMP (Counter Mode with Cipher Block Chaining Message Authentication Protocol) It is part of the 802.11i standard
Which of the following would you use to authenticate users in a confidential fashion? CHAP PAP
CHAP (Challenge Handshake Authentication Protocol) it protects authentication information via a handshake and key exchange
A key element in using PKI certificate based security is the use of which of the following? Digital signature web of trust RA CRL
CRL (Certificate Revocation List)
You've been asked to set up a temporary Internet cafe for a conference your company is hosting. You have ten laptops to use in your cafe and need to keep them from "wandering off" once you have them set up and running. What should you use to help physically secure these laptops?
Cable Locks
Which term refers to the conversion of a name to its simplest form?
Canonicalization
Which security practices will be best for the networks that are used for guests?
Captive Portal and LEAP. Captive portal will allow users who have never used the system before to successfully authenticate, and a site survey is always a good practice to ensure availability
Guests are able to connect to the wireless network but are unable to access any web pages. This is most likely a failure of the _______.
Captive portal
When a wireless network allows you to connect but only allows access to a single website, it is called an: (like login pages at hotels or public wifi spots)
Captive portal, it will allow wireless connections but will not allow any traffic through until the user has authenticated to the portal website.
A sniffer can be used to do which of the following?
Capture traffic on the local network segment ony
You have seen several users attempting to perform directory traversal attacks on your site. What action will you take?
Check web access control lists and validate all directory permissions
If you are trying to extinguish an electrical fire, what class of handheld fire extinguisher do you use?
Class C
Your newly instated control testing policy has identified a problem with escape routes, as shown by confused personnel during a drill. What is the best remediation?
Clearer signage and a modified escape plan
Which of the following is the least favorable location for security checks?
Client-side code
An application is being delayed after one of the testers discovered a major bug. Now developers are being tasked to examine each other's code line by line and find any remaining bugs. What are these developers doing?
Code review
Which of the following describes communications between a TACACS + client and server?
Communication between a TACACS+ client (typically a NAS) and a TACACS+ server is secure, But, the communication between a user (typically a pc) and the TACACS+ client is subject to compromise.
You are starting a sensitive application development project with another organization. Both organizations would like to share the same development platform, but neither organization wants to allow the other organization to access its internal networks. What is the most appropriate type of cloud service to use in this scenario?
Community cloud, shares resources but also reserves some resources. (not public)
Which of the following is not a social engineering principle? Scarcity Intimidation Condolence Trust
Condolence
Due to your good work on the website, the CISO has asked for your help with random behavior occurring on the Wi-Fi system. In some parts of the building the wireless signal is available but does not allow any traffic through. What measures could help with this issue?
Conduct a site survey Find rouge access points Search for sources of interference
A management VLAN allows administrators to do which of the following?
Connect to the switch remotely using Telnet, SSH, or web interface.
Which of the following correctly describes "authentication" in the authentication, authorization, and accounting (AAA) protocols?
Connects access to a previously approved user ID
You receive a facebook friend request form someone you dont know, but have a lot of friends in common so you accept. A few weeks later you receive a request from the same person asking you to click a link and take a survey. When you click the link, your antivirus program warns you that the site you are about to connect with is attempting to load malware to your system. What social engineering principle did you fall victim to?
Consensus/social proof
Your boss has asked you to prepare for the executive staff meeting a one-slide presentation that outlines the five components of a good password policy. List the five points you'd put on that slide.
Construction Reuse Restrictions Duration Protection of passwords Consequences
Your boss is considering outsourcing the network security tasks for your organization. There are several proposals to look at, many of which claim to "collect information from security controls and perform analysis based on pre-established metrics." What capability are these vendors referring to?
Continuous security monitoring
Privacy can be viewed as ____ over one's own data.
Control
What is the cause of false positives in bio-metric systems?
Conversion from an analog value to digital encoding
When electronic equipment is exposed to water, even if all the recommended cleanup procedures are followed, what can cause long-term damage?
Corrosion of the metal components
Your organization wants someone to examine your intranet portal to assess the threat from a malicious insider. What kind of testing is the most appropriate for this situation?
Credentialed testing
Explain to your coworker the key difference between cross-site request forgery (XSRF) and cross-site scripting (XSS)
Cross site request forgery (XSRF) exploits the trust a site has in the user's browser, while cross-site scripting (XSS) exploits the trust a user has for the site.
Which of the following is one of the common web attack methodologies?
Cross-site scripting (XSS)
The Smurf attack is an example of what kind of attack?
DDoS
You have been tasked with implementing a risk management strategy to limit the risk associated with data loss or theft. Which of the following would you include in your implementation plan (Choose all that apply). Change Management Perform Routine Audits Data Loss Prevention (DLP) controls Data Minimization Policies
DLP controls and Data Minimization Policies
Which of the following servers would you be likely to place in a DMZ?
DMZ is designed to allow your organization to expose public services to the internet. 3 most common types of servers in DMZ are Web Servers, DNS servers, and SMTP servers(email)
What runs on port 53?
DNS
You've noticed some strange behavior today on your organization's system. This mornings things were working fine, but now when you enter the URL for your main web page, you get a web page written in a foreign language. What is occurring?
DNS poisoning
One of your SANs is reaching capacity. During your investigations, you notice a very large number of transaction logs and backups from the customer service database. When you ask why there are so many logs, you're told that no one knows how long they're supposed to keep those logs and when it's okay to delete them. What should your organization develop to help prevent runaway accumulation of log files?
Data Retention Policy
When data is stored on a hard drive and is not currently being accessed this is referred to as:
Data at rest
Your organization is looking to redesign its network perimeter. Your boss wants to purchase a new "all in one" device and put everything behind that device on a flat network. Others in the meeting argue that it would be better to have a primary firewall, a DMZ for public services, a secondary firewall, and a firewall separating the server farm from the rest of the network. What security principle is your boss overlooking that the others in the meeting are not?
Defense in Depth (layered defense) which uses multiple security layers to provide more resistance to potential attacks.
Which of the following is a TYPE of control?
Detective, the 4 types of controls are preventive, detective, corrective, and compensation
Which protocol is designed to replace RADIUS?
Diameter
List 3 types of password attacks
Dictionary, brute-force, hybrid, and birthday attacks
What is the primary benefit of stenography over encryption?
Difficulty detecting it
Your colleague tells you that he has prepared a server for the production environment. He says that he has patched it, made sure all the accounts have strong passwords, and removed all the development code that was on it. When you scan the server, a large number of open ports respond. What did your colleague forget to do when securing this server?
Disable unnecessary services
What is best practice for secure router configuration?
Disabling echo, chargen, andother simple services Disabling IP source route Enabling logging
Why is it important to disable unused features on mobile devices?
Disabling unused features reduces the avenues of attack
Your organization has just recovered from a large system failure and the members of the incident response team are about to go back to their normal duties. What should you do with the entire group before the response team is officially disbanded?
Document any lessons learned during the recovery process
Which of the following describes an interconnection security agreement?
Documents the security requirements associated with interconnected IT systems.
In ACLs, an implicit deny will apply to network traffic that:
Does not match any entry in the ACL. Implicit deny is a "catch-all" at the end of the ALCs so anything that gets past the implicit deny is dropped.
Contactless cards are most often used where?
Door access control systems
Which is an example of fault tolerance in a computer system?
Dual power supplies RAID 5 configured disks Multiple network interface controllers
You see several people digging in trash bins behind your office, what might have they been doing?
Dumpster diving
Which of the following are methods to implement 802.1x? EAP-RC2 EAP-MD5 EAP-TTLS EAP-TLS
EAP-TTLS EAP-TLS
The CIO of your company read about public key infrastructure in a trade magazine and now feels that a new PKI system can solve all of the company's security problems. He asks you to design and implement the PKI system to support all the encryption processes used by your company and to manage and secure all the keys used. Which of the following is most likely to provide perfect forward secrecy? 3DEH, Blowfish, EDH, SHA3
EDH (Ephemeral Diffie-Hellman) - the key part is ephemeral, which refers to the use of a temporary (and not reused) key, this provides for perfect forward secrecy
Why is halon no longer used in fire suppression systems?
EPA regulations have banned halon systems
The twist in Category 5 or 6 network cabling is designed to prevent ________.
Electromagnetic Interference
Which of the following is not a step you'd perform when hardening a production system? Disable unnecessary services Disable unnecessary accounts Enable TCP services Configure auditing
Enable TCP services (these should actually be disabled)
Which of the following is NOT a best practice for secure router configuration? (because they will send traffic in cleartext)
Enabling Telnet access or SNMP . You should NOT enable telnet or SNMP because they send traffic in cleartext.
What is being compromised during an IV attack?
Encryption, IV (Initialization vector) attack seeks to attack the implementation of encryption around the way the cipher initializes. This is a known weakness in the WEP encryption standard for Wi-Fi networks.
Which of the following implements the strongest domain password policy?
Enforce password history, maximum password age, minimum password age, minimum password length.
Which of the following correctly identifies risk transference?
Engagement of a 3rd party organization that manages specific types of risks
Describe why a data classification system is important to an enterprise.
Ensures that company information is properly protected. It provides the foundation for a company disposal and destruction policy. It also is fundamental for defining access controls and role-based access controls.
Which of the following is a popular use of key escrow?
Enterprise environment, so they don't lose data if the primary passphrase is lost
You want to install some new software on a system that you only have regular user account, and the system won't allow you to load new software. Your friend gives you a USB key with a program called "runme.bat" on it. After you run the program the screen flashes and all the programs you had open close, but you are now able to install the new software. What did that program on the USB key do?
Executed privilege escalation
Which of the following correctly describes cross-site scripting?
Exploiting the trust a user has for the site
802.1x defines the encapsulation of EAP. What is EAP?
Extensible Authentication Protocol
What are unique characteristics of one-time pads?
Extremely difficult key sharing (the key length matches or exceeds the input length of the plaintext.) Unbreakable(It is very random)
TCP port 21 is associated with which protocol?
FTP
What runs on port 21?
FTP
Advances in technology allow a CCTV system to be paired with ________ for tracking individuals.
Facial recognition
List three important factors to mitigate account risks.
Factors used to mitigate risk associated with user accounts include password complexity, account lockout, account disablement, shared accounts, and generic account prohibitions.
Which of the following provides valuable information during investigations of intrusions?
Failed login attempts (among others)
List 3 significant issues associated with jailbroken or rooted mobile devices.
Failure to update Unknown state of internal protection Legal issues with respect to licensing
A very attractive woman is standing at the door to the building asking for someone to let her in because she has forgotten her ID. A young man stops and chats with the woman for a few minutes and then finally lets her into the building. What social engineering principle is the woman using to get access to the building?
Familiarity/Liking
To improve security against intrusions, what security controls should you immediately review for effectiveness?
Fencing, Control Testing, and Lighting
You have been asked to develop software specs for a new cloud-based file sharing application that will primarily be used to store and share password information. Where would you use a symmetric cipher as part of the design?
File transfers to and from the cloud (Symmetric ciphers are good at performing encryption quickly, allowing for good file transfer speeds)
Flood guard functionally might protect against which of the following attacks?
Flood guards protect from ping floods, port floods, and DoS attacks. A smurf attack is a DoS attack where attacker sends ICMP packets with victims spoofed IP address to a network broadcast address. The result is a flood of ICMP response packets targeted at the victim.
Flood guards are related to which elements of network security? Spanning tree IDS/IPS Routing Physical Security
Flooding-type attacks can be caught using an intrusion detection (or prevention) system
A 4KB cluster holding a 2KB portion of a deleted file consists of what elements?
Free space only.
The best process to use for determining unexpected input validation problems is _____.
Fuzzing
Why is it important to disable geo-tagging on your mobile device?
Geo-tagging can inadvertently expose the location where photos were taken.
You are setting up a web server that will use SSL/TLS for all pages. Which option is best for protecting the encryption keys from hackers? SAN TPM HSM AES
HSM (hardware security module) can store keys for applications and provide increased cryptographic capabilities for high-volume activities as SSL/TLS
What runs on port 80?
HTTP
What runs on port 443?
HTTPS
Why is hashing a unique form of cryptography?
Hashing is a one-way function, with no way to extract the plaintext from the ciphertext.
What do load balancers use to determine if a host is operational?
Health Checking
What does SSL depend on for authentication?
Hierarchy of trust established by the root CA
List five typical data classification categories.
High, medium, low, sensitive, unclassified, confidential, secret, top secret, public
Which of the following defines a security policy?
High-level statements created by management that lay out the organization positions on particular issues.
What is the primary benefit of hot and cold aisles?
Higher server density in the data center (more servers)
An email is circulating around your organization warning people of a new virus. The email instructs you to search your system for files named "mmsystem.dll" and delete them. What type of social engineering attack is this?
Hoax
Your boss just read an article about how companies are setting up fake websites to trick attackers into focusing on the fake websites instead of the actual production systems. Now he wants you to build something similar for your DMZ. He tells you to "make it inviting" to the attackers. What is your boss really asking you to set up?
Honeypot
Your manager is extremely worried about attacks occurring inside your network between systems. He's convinced that someone from Engineering is attacking his systems "just to mess with him". You don't currently have any good way to monitor the traffic between your manager's system and the rest of the network. Which of the following capabilities would you recommend to help him see if he is really being attacked?
Host based intrusion detection system
Your boss wants you to create a "golden image" for all corporate workstations. You are in charge of ensuring that all of the right software and drivers are installed and that the configuration of the system is correct before you create the image. This process is known as:
Host software baselining
The Internet cafe you are building will be directly connected to the Internet. You will need to protect each system from Internet-based scans, probes, and attacks. What kind of protective mechanism should you deploy to protect against Internet-based threats?
Host-based firewall
Which device does not segregate data link layer traffic? Switch Hub Bridge VLAN
Hub
Your organization has experienced a widescale, network-based compromise and customer records have been stolen. You've been asked to assemble an incident response team at your organization. Which of the following individuals are you LEAST likely to put on your response team? Public Relations Human Resources Network Operations Legal
Human Resources
What runs on port 143?
IMAP
Why should passwords not be written down?
If an attacker gains physical access to a work area, it is easier to find a password.
Your coworker tells you that he's devised a great way to remember his password, and now he just changes the last two characters each time a password change is required. What is the weakness of what your friend is doing?
If his account were compromised, it could be devised that he is just incrementally changing the password by only two characters.
A colleague asks you to look at his computer screen. He received an email from his bank asking him to log in and verify a recent withdrawal. The colleague did click the link but hasn't done anything else because the website looks a bit off to him. What attack technique might be used in this case?
Impersonation
You have been asked to develop software specs for a new cloud-based file sharing application that will primarily be used to store and share password information. What key exchange method would be optimal for an online solution?
In-band key exchange, because the delays caused by out-of-band key exchange would limit usability and slow adoption of the application
Challenges that are inherent in alternative environments, such as SCADA systems, include which of the following? Infrequent updates Reduced capabilities Single control purpose Trusted network connections
Infrequent updates Trusted network connections
Your boss wants you to come up with a "set starting point" for all windows 8 workstations in your organization. He wants you to build a golden image that's secure and can be used to load all the other desktops before any department-specific software is loaded. What has your boss asked you to create?
Initial baseline configuration
What factors are important to a digital signature?
Integrity and non-repudiation
A man is standing in your building with letters FBI on his back. He is asking everyone entering your building to show him their driver's license and employee ID. He then asks them a series of questions about where they work, what they do, how long they've been with the company. He threatens to throw them in jail for failing to cooperate. What type of social engineering principle might be in use here?
Intimidation
Your boss wants a network device that will detect malicious network traffic as it happens and stop it from reaching systems inside your network. She has asked you to come up with several options. You should start researching with which of the following?
Intrusion Prevention System (BOTH detects and stops traffic)
The CIO of your company read about public key infrastructure in a trade magazine and now feels that a new PKI system can solve all of the company's security problems. He asks you to design and implement the PKI system to support all the encryption processes used by your company and to manage and secure all the keys used. The CIO asks you to ensure that all emails have strict non-repudiation. How can a PKI system solve this issue?
Issuing a digital certificate to all users for signing emails
Why would an integer overflow be a security issue?
It can crash applications It can cause applications to corrupt data It can create buffer overflow opportunities
Why is the buffer overflow such a popular attack?
It can provide arbitrary code execution
How does a block cipher handle plaintext input?
It divides the input into predefined lengths, and pads the remainder to maintain a set length.
How is near field communication like Ethernet?
It does not enforce security itself, but relies on higher-level protocols such as SSL
How is TKIP a security benefit?
It enforces security using a single WEP key for a short amount of time.
Why is cross-site scripting(XSS) successful?
It folds malicious code in with verified content from a compromised site.
What is the most important thing to remember regarding performing forensics on a mobile device?
It is best to rely on specifically trained personnel
Why is MAC address filtering rarely used?
It is cumbersome to implement Attackers can clone a working MAC address The use of 802.1x for network authentication has replaced it.
Which of the following is a limitation of a memorandum of understand?
It is more formal than a handshake but lacks the binding powers of a contract.
What is a key advantage of palisade steel fencing?
It is nearly impossible to climb
Why is it important to terminate employee access upon employee termination?
It is well-known that mobile devices/users often still have access months after termination
What is the purpose of mobile device management?(MDM)
It provides the capability to secure, monitor, and support mobile devices
The company has used the same locks for several years. What are the justifications you would use to request a card-based access system?
It provides time based access controls It makes it easier to remove access to parties no longer authorized It is a fail-safe in an emergency situation, improving evacuation.
INCIDENT RESPONSE SCENARIO: How would an intrusion detection system help you respond to this incident?
It would provide an earlier warning that the attack was happening. They are designed to recognize an attack immediately
Which of the following technologies is used to help secure access to "big data"?
Kerberos-based authentication
When comparing two different implementations of the same algorithms for cryptographic strength, what is the best guide?
Key length in bits
What are the advantages of non-water based fire suppression?
Less damage to electrical systems
List three items that are important for determining risk:
Likelihood of threat, discoverability of vulnerability, and value of impact to asset.
Your boss calls you into his office and asks you to outline a plan to implement a security awareness program. Outline a training program with at least two areas of training you think all personnel should receive.
List of policies Train employees, track completion, and define the period of recurring training.
What type of testing should be performed to ensure your network/systems can support mobile device connections?
Load testing
A building escape route is usually required by:
Local building codes
The CISO has come to you seeking advice on fostering good user habits. Outline at least 7 important principles that could be incorporated into an annual employee training program.
Lock door to office keep clean desk shred paper containing info do not discuss work with family be aware of who is around when discussing info Good password policies Do not leave important things in your car unprotected.
You boot your computer on April 1st and a large pop-up appears that reads "Ha Ha Ha" with the Joker's face underneath it. When the pop-up disappears, all the icons are missing from your desktop. What type of malware was your computer infected with?
Logic Bomb (took place at a certain time)
Your boss asks you to reconfigure the network to also support a bring your own device (BYOD) initiative. Which security measure on the corporate network would not be compatible?
MAC address filter
Name five methods through which network segregation can be accomplished:
MAC address filtering IP address routing VLANs Access control management Application Layer filtering
When enabling port security on a switch interface, traffic is usually restricted based on:
MAC addresses. Port security allows you to restrict traffic based on MAC addresses.
Which of these can accomplish network segregation? Whitelisting MAC filtering VLANsf Blacklisting
MAC filtering VLANS
Your organization has a computer in an open lobby a the front of the building. The system is secured in a locked cabinet at night, but someone has been unplugging the PC from the wall and using the network jack behind the desk to surf the Internet with another computer. What type of mitigation technique could you use to stop unauthorized use of that network jack?
MAC filtering, this way you can lock down the network jack to the MAC address of the PC in the locked cabinet.
Which of the following can be used to assist in hardening a network? MAC limiting Rogue user detection Disable unused ports
MAC limiting and disabling unused ports
Your boss has asked you to identify two of the most dangerous software errors that your company should address as soon as possible. State where you can find the latest top 25 list of the most dangerous software errors.
MITRE
If an attacker is able to insert himself into an encrypted conversation between you and a secure web server, he has successfully executed what type of attack?
Man-in-the-Middle attack
Which of the following is a CLASS of control?
Management, the 3 classes of controls are management, technical, and operational
What is a means of governing access control that is under full control of the operating system without any user intervention?
Mandatory access control
In which of the following areas is evidence MOST likely to be lost if a compromised system is shut down before evidence collection is complete? Raw Disk Blocks Memory Contents File system information USB drives
Memory Contents
Why is a site survey important to wireless security?
Minimizing the strength of the signal sent outside of the physical walls of the building can reduce the risk of attacks.
ECC is particularly suited for use in securing what?
Mobile devices, because ECC requires less power (Elliptic Curve Cryptography)
What does MAC stand for when discussing MAC times in file analysis?
Modified, accessed, and created
Which of the following correctly defines SQL injection?
Modifying a database query statement through false input to a function
Regular evacuation drills have shown that employees are taking too much time getting out of the building because they are bringing their laptops with them. When questioned, they state that critical data only exists on their machines. What is the security control to correct the issue?
More data redundancy
Place the following collection items in order of volatility: ARP cache, USB drives, RAM, Temporary file system/swap space, CPU register contents, live network connections, data on hard disk.
Most volatile CPU Register contents, ARP cache, live network connections, memory(RAM), temporary file system, date on hard disk, USB drives. Least
What runs on port 139?
NetBIOS
During your investigation of a security breach, you discover the corporate fileserver is connected to a VLAN that is accessible to systems in the development environment. This violates which security principle?
Network Separation Having production and development assets interconnected is a violation of the network separation principle. You have to physically or logically separate networks used for development and production.
What are 3 critical static environment security methods?
Network segmentation manual updates firmware control control redundancy
You have been asked to develop software specs for a new cloud-based file sharing application that will primarily be used to store and share password information. When would non-repudiation be important to your application?
Non-repudiation is important in a collaborative environment so that changes to documents can be securely tracked and the person who made the changes cannot deny having made the changes.
You've been working in the security business for a few years now. You've just hired a new intern. You have about 15 minutes before your next meeting and would like to share some of your security experience with your new intern. List five aspects of Safe Harbor principles that you could discuss with your employee.
Notice, Choice, Onward Transfer, Security, Data Integrity, Access, and Enforcement.
A chain of custody form records the handling of how many items?
ONLY 1 per form
Where should input validation be performed in an application
On the server after submission
Which of the following accurately describes IT contingency planning?
One of the most important aspects of business continuity planning.
What is meant by the word "stateful" with respect to firewalls?
Only packets matching an active connection(public ips) are allowed through. it looks at the connection NOT JUST A SINGLE PACKET
Which of the following defines differential backup?
Only the files and software that have changed since the last full backup are backed up.
Your colleague is in the process of securing a Windows Server 2012 computer. He's removed all unnecessary software, turned off unnecessary services, turned on the firewall, patched it, and so on. What process is your colleague performing?
Operating system hardening
Which of the following correctly defines acceptable use policy?
Outlines what the organization considers to be appropriate use of company resources
Cleartext passwords are a weakness associated with which protocol? CHAP PAP certificate-based authentication Kerberos
PAP
Which of the following is NOT a function supported by Point-to-Point Protocol(PPP)? Password Authentication Protocol (PAP) Establish, configure, and test links using link control protocols (LCP) Establish and configure different network protocols using network control protocols (NCP) Encapsulate datagrams across serial links
PAP is not supported, because it is a totally different protocol.
In multifactor authentication which of the following is not a possession factor (something a user has)? One-time pad Magnetic card stripe PIN USB token
PIN, it is a knowledge factor, (something you know)
What runs on port 110?
POP3
A VPN connection over a WAN CANNOT be established using what protocol? Ipsec PPTP L2TP PPP
PPP, (Point to point protocol) it is a plaintext protocol that does not provide security
Which of the following is NOT a type of backup? Incremental Partial Differential Delta
Partial
You want to place a tool on the network that will continuously look for vulnerabilities on your network. Your network admin refuses to allow anything that might interfere with network traffic. What type of tool could use that would be a compromise between the two positions?
Passive network vulnerability scanner
List five protections that should be considered before allowing mobile devices to access critical data on the network
Passwords Security of key store device encryption locking of device remote wiping of device failed login protections antivirus/anti-malware protections
Your colleague who is helping you set up the Internet cafe just asked you if the laptops you're setting up are protected against a recently discovered vulnerability. You are quite sure they are protected because you employ which of the following to ensure security updates are installed on a regular basis?
Patch management system
Why is it important for web application firewall to perform SSL inspection?
Performing an SSL inspection is important because otherwise an attacker could use the SSL channel to get threats past the firewall.
Which of the following correctly describes data that can be used to identify a specific individual or from which contact information of an individual can be derived?
Personally Identifiable Information (PII)
What is the correct description of a Computer Incident Response Team (CIRT)?
Personnel, processes, and plans to handle business interruptions.
When you're connecting a router what connections should you avoid?
Plain text connections like Telnet.
Your organization is infected with a piece of malware that you just can't seem to get rid of. It seems like every time a system is cleaned and you update all the antivirus definitions within your organization, another system shows signs of the infection. What type of malware might you be facing in this example?
Polymorphic malware (changing)
What makes a website vulnerable to SQL injection?
Poorly filtered input fields
If you need multiple internal hosts to single external IP address, you might use:
Port Address Translation, it allows multiple internal hosts to share a single external IP address.
While examining network logs, you notice a large amount of TCP traffic coming from an external IP address directed at the web server in your DMZ. The destination port seems to be different for each packet you examine. What type of traffic are you likely seeing in your logs?
Port Scan
Your boss promised to help out the audit department and has enlisted you. They're looking for a list of every system in the server farm and what servers are responding on each of those systems. What kind of tool might you use to create this type of list?
Port scanner, it can detect the systems and probe any active ports on those systems.
Your boss is in a meeting and sends you an IM asking you to help him remember the four different TYPES of controls. What do you send to him in your response?
Preventive, Detective, Corrective, and Compensating
What are the three types of auditing?
Privilege Usage Escalation
The probability of a backup being needed is 20%. The cost to restore with no backup is $100,000. The cost of implementing your backup strategy is $10,000. Assume these are annual costs. What is the cost of not having backups?
Probability x cost of restoring with no backup .20% x $100,000 = $20,000
Which of the following correctly defines change management?
Procedures followed when modifying software or IT infrastructure.
Which of the following describes what a business partnership agreement typically includes?
Profit sharing and the addition or removal of partners.
Why does a network protocol analyzer need to be in promiscuous mode?
Promiscuous mode tells the network adapter to process ALL packets that it receives not just the packets for its MAC address and broadcast packets.
You need something that will help you more effectively analyze the traffic on your network, something that will record traffic at the packet level so you can look for problems like ARP storms, duplicate MAC addresses, and so on. What type of tool should you be shopping for?
Protocol analyzer
Which of the following correctly defines the principle of least privilege?
Providing a user with the minimum set of rights and privileges that he or she needs to perform required functions.
A message digest provides integrity by:
Providing a value that can be independently verified to show if the message changed
What is the purpose of high availability?
Providing the ability to maintain availability of data and operational processing despite a disrupting event.
For exterior building doors, what access control systems do you select? Bio-metrics Proximity access cards both?
Proximity access cards, quicker for outside entrance.
What is the benefit of quantitative risk assessment?
Quantitative risk assessment relies on expert judgment and experience
To achieve reliability and speed improvements through the use of RAID which form would you use?
RAID 5 offers both
Which of the following algorithms is a stream cipher? RC4 RC2 MD4 MD5
RC4
What runs on port 3389?
RDP
Which cipher depends on the difficulty in factoring primes?
RSA -- the public key is the product of two very large prime numbers. RSA is an asymmetric cipher with a public and private key.
The CIO of your company read about public key infrastructure in a trade magazine and now feels that a new PKI system can solve all of the company's security problems. He asks you to design and implement the PKI system to support all the encryption processes used by your company and to manage and secure all the keys used. What algorithms are you likely to need to support all of the goals the CIO has laid out for you? SSL, SHA, AES, DES, RSA, CHAP
RSA would be the public key cipher, AES would be the symmetric cipher SHA as the hashing algorithm
Your friend's computer is showing a pop-up that reads "WARNING! Your computer has been used in illegal activities and has been locked by the authorities. To access your computer you must pay a fine to..." Nothing your friend does will get rid of the pop-up and they can't use their computer. What is your friend's computer infected with?
Ransomware
When collecting evidence for a computer forensics investigation, which of the following is last in the order of volatility? file system information memory contents swap files raw disk blocks
Raw disk blocks, evidence will survive much longer here
While working on an investigation, a colleague hands you a list of file creation and access times taken from a compromised workstation. In order to match the times with file access and creation times from other systems, what do you need to account for?
Record time offsets
What is the process of automatically switching from a failed system to a replacement system?
Redundant systems
You suspect a user's workstation is infected with malware and are about to begin an investigation. If you want to reduce the likelihood that this workstation will infect other systems on your network, but you still want to preserve as much evidence as possible, which of the following should you do?
Remove the network cable from the workstation
The two elements of application hardening are _________ and _____.
Removing unneeded services Securing remaining configuration
What type of network attack uses repetition or delay of valid data transmissions?
Replay attack
Which of the following describes the elements of interoperability agreements?
Responsibilities/expectations of the parties, business objectives, and environment.
What is the process used to identify potential hazards and evaluate their impact called?
Risk Assessment
The CEO places in his office a Wireless access point (WAP) what type of attack vector has he unwittingly enabled?
Rogue AP
Your organization is having a serious problem with people bringing in laptops and tablets from home and connecting them to the corporate network. The organization already has a policy against this, but it doesn't seem to help. Which of the following mitigation techniques might help with this situation?
Rogue machine detection
Which of the following devices is most capable of providing infrastructure security? Router Switch Bridge VLAN
Router
INCIDENT RESPONSE SCENARIO: Which logs should be examined to determine if an intruder breached internal systems?
Router, Firewall, and IDS are the primary logs that should be checked to determine what the attacker's path and target were.
INCIDENT RESPONSE SCENARIO: From analyzing the network traffic, you have determined that the attack has compromised a desktop in the sales department and is now sending outbound spam emails. Which devices can be used to eliminate this traffic?
Router, Firewall, and Spam filter. Routers and firewalls are both designed to effectively filter any email connections from that desktop. A spam filter can filter the outbound email stream which can be helpful in case of malware infection.
List five examples of alternative environments
SCADA and automation systems Mobile devices game consoles embedded systems mainframes
You have been asked to review a service level agreement (SLA) that has been provided to your company by a third-party service provider. List the three elements you should ensure are included in the SLA:
SLA should: define specific services to be performed specify the level of performance specify methods used to manage and resolve issues
Annualized loss expectancy can best be defined by which of the following equations?
SLE(Single Loss Expectancy) x ARO(Annualized rate of occurrence)
What runs on port 25?
SMTP
Which protocol is used to manage network devices?
SNMP (Simple Network Management Protocol)
Which protocol can create a security vulnerability in switches, firewalls, and routers because it authenticates using a cleartext password?
SNMP (Simple Network Management Protocol) SNMPv1 and SNMPv2 authenticate with a cleartext password. Anyone monitoring packets can capture password.
What threats could you attempt to eliminate through input sanitization? (web server)
SQL and LDAP injections so that no raw commands are passed to supporting applications
Which is the greatest attack/threat vector for web apps?
SQL injection
What runs on port 22?
SSH
Which protocol is a countermeasure for network sniffing?
SSH
You've been asked to help configure a router that is used to connect to a remote branch office to your corporate headquarters. The router will need to be managed remotely from the corporate headquarters. Which of the following protocols would you recommend be used to manage the remote router?
SSH is the most secure choice for remote management of a router. It allows remote command line login, remote command execution, etc.. all in an encrypted session.
What would be a better option than Telnet?
SSL
Your colleague tells you about this great new technique for testing new applications and software that he downloads from the internet. He uses a virtual machine to test the software and see if it does anything malicious. If it does, then he simply deletes the affected virtual machine. Your colleague is describing what security practice?
Sandboxing
What is the process of identifying the elements and configuration of your network?
Scanning
Your coworker has just run to the printer to retrieve a piece of paper and is now getting ready to run out the door. When you ask where she is going, she says "I have to go now-- there's only a few left" You look at the piece of paper in her hand and its a TV sale. What type of social engineering principle is in use in this example?
Scarcity
Quantum cryptography is best used for what? Secure key distribution Mobile Devices Message integrity Authentication
Secure key distribution
Which of the following are common logs associated with a system?(Choose all that apply) Security Failure System Data Integrity
Security and System are both common system logs
A user is having issues with her domain account locking multiple times throughout the day. She suspects someone is trying to brute force her account or lock her out on purpose. Which of the logs would show the source of the other login attempts?
Security logs
Network separation is used primarily to:
Separate networks for security reasons
The CFO has come to you seeking advice on important principles she should consider to prevent financial improprieties in the accounts payable department. Which of the following are elements that can help implement the principle of least privilege.
Separation of Duties Job rotation Implicit deny Layered security
What is an SLA?
Service level agreement
Which of the following represents two simple rules an SLA should satisfy?
Services provided and level of performance.
SSH uses public keys for what purpose?
Session key exchange and Client Authentication
The level of risk associated with an attack is measured by which of the following? Severity Exploit-ability Vulnerability Likelihood
Severity Likelihood
Firmware updates in static systems:
Should be done manually and in a tightly controlled process.
On the bus you notice a woman peering over the seat infront of her at a laptop being used. The women appears to be taking notes, what is she doing?
Shoulder surfing
You are about to enter your PIN in at an ATM when you notice a flash behind you. They are frantically tapping buttons on the screen and avoiding eye contact with you. What type of attack might this person be attempting?
Shoulder surfing
INCIDENT RESPONSE SCENARIO: You find that the attack has come through the router and firewall to an unidentified desktop machine. You have the IP addresses but not the traffic content. What is likely your next step?
Since you are not sure if the attack is still ongoing, use a protocol analyzer to examine traffic.
How do you calculate Annualized Loss Expectancy?
Single Loss Expectancy x annualized rate of occurrence (1 time/100 days)
The CIO of your company read about public key infrastructure in a trade magazine and now feels that a new PKI system can solve all of the company's security problems. He asks you to design and implement the PKI system to support all the encryption processes used by your company and to manage and secure all the keys used. The desktop support team wants to add another authentication factor. What would be your recommendation?
Smart cards with digital signatures, they could leverage the new PKI implementation and provide an in-house solution for two-factor authentication.
A developer wants you to set up a system she can run multiple tests on with the ability to return the system to its starting configuration over and over again as she tests out different versions of code. She thinks virtualization might be the way to go. What virtualization capability will help satisfy her testing and rollback requirement?
Snapshots
Your organization is considering migrating from quickbooks 2009 to Quickbooks online (a web-based solution). QuickBooks Online is an example of:
Software as a Service
Which of the following is not a remote-access method? A. Remote desktop software B. Terminal emulation C. SaaS D. Secure Shell
Software as a Service is a cloud model, not a remote-access model.
Which of the following is an example of the principle of separation of duties?
Software developers should not have access to production data AND source code files
A fingerprint is an example of:
Something you are
List five different factors that can be used to establish identity, and give an example of each.
Something you know (password) Something you have (token) Something you are(biometric) Something you do(walk/gait or typing pattern) Somewhere you are(current location)
Why is delay-based filtering effective against spam?
Spam generators do not wait for the SMTP banner and can be identified as a spammer because of this bad behavior.
Which of the following protocols is used in loop protection efforts?
Spanning Trees! Multiple Spanning Tree Rapid Spanning Tree Spanning Tree
What is Trunking?
Spanning single VLAN across multiple switches.
Everyone in your organization's sales department received an email stating they were going to receive an award as the salesperson of the year. At the end of the email was a link that would allow them to enter the name they wanted to be placed on the award they would receive. The email turned out to be fake and clicking the link infected the user's computer with Malware. What type of activity is this?
Spear Phishing
When discussing virtualization, a snapshot is:
State of a virtual machine at an exact point in time.
You need to set up a DMZ but want to keep the servers inside the DMZ on a private address space. You have plenty of public IP address space and just want to map each server's private address to a unique public address. What type of NAT would be most appropriate?
Static NAT, often called one-to-one NAT
What is SCADA?
Supervisory control and data acquisition controls automated systems in cyber-physical environments like traffic lights, energy plants, water plants
Loop protection involves which of the following? Switches VPNs Physical security remote access
Switches. Loops can be formed at layer 2 (data link) and the Spanning Tree Protocol(STP) is typically used to prevent loops
Who is responsible for access control on objects in the mandatory access control (MAC) model?
System administrator
Which of the following types of log entries will you NOT find in Windows Security Logs? Account logon events Object access events Policy change events System shutdown events
System shutdown events, they're in the system event log
Which of the following describes fuzzing?
Systematic application of malformed inputs
What port does SSH use?
TCP 22
Which port should be opened on a firewall to permit email traffic to pass?
TCP 25
What port does HTTPS use?
TCP 443
What ports are used with SSH? TCP port 22 only UDP port 22 only TCP port 22 and a high-order port
TCP port 22 and a high-order port(used to transfer data)
Which port does Telnet use?
TCP port 23
What port does HTTP use?
TCP port 80
Which of the following is not commonly used file-hashing algorithm? MD5 SHA-1 SHA-2 TLS
TLS
Your boss wants you to order her a new laptop, one with a special chip that will allow her to store encryption keys using BitLocker to protect her drive. What special chip is your boss talking about?
TPM (Trusted Platform Module)
What is part of many new system boards that provides a hardware-based cryptographic module used by many applications on a system?
TPM (Trusted platform module)
At the main door of your office building you see a man standing by the card swipe talking on his phone. He waits until someone swipes their card and walks through the door. Then, just before the door closes, he grabs it and walks through without swiping. He just gained access to your building by:
Tailgating
What is the difference between a IDS and a IPS?
The IPS Intrusion prevention system (also has HIPS and NIPS) can block things as well as alert. An IDS can only alert.
Why doesn't turning off SSID broadcast improve security?
The SSID is in the header of packets being sent wirelessly
You've been asked to perform some testing on a new web application your organization has developed. The CEO wants you to perform gray-box testing. What will you need in order to perform this type of testing?
The URL of the application and documentation of the data structures and algorithms used.
When examining a packet capture from your network, you notice a large number of packets with the URG, PUSH, and FIN flags set. What type of traffic are you seeing in that packet capture?
The XMAS attack
Which of the following best defines social engineering?
The art of deceiving another person to reveal confidential information
The probability of a backup being needed is 20%. The cost to restore with no backup is $100,000. The cost of implementing your backup strategy is $10,000. Assume these are annual costs. Explain why you would choose to use backups or choose not to use backups.
The cost of backups $10,000 is less than the annualized cost of restoring without a backup, so backups should be utilized.
You are in the midst of presenting a proposal to your client on risk management. Just as you start your presentation, the CEO stops you and asks, "Tell me in two sentences the differences between business continuity planning and disaster recovery planning" Give a one-sentence description of business continuity planning and a one-sentence description of disaster recovery planning that distinguishes between the two terms.
The focus of business continuity planning is on continued operation of a business, albeit at a reduced level or through different means during some period of time. Disaster recovery planning is focused specifically on recovering from a disaster.
What is the password dilemma?
The more difficult we make it for attackers to guess our passwords and the more frequently we force password changes, the more difficult the passwords are for users to remember and the more likely they are to write them down.
What is the best policy to use when administrating a firewall?
The principle of LEAST ACCESS is best to use, you want to block as much as possible while allowing authorized traffic through.
When a CSR is generated, what is actually sent to the CA?
The public key of the applicant and some identifying information.
What is the definition of privacy?
The right to control information about you and what others can do with that information.
What issues should a security policy for alternative environments address?
The same issues that are addressed in regular IT environments. 1. Assess what needs to be accomplished. 2. Systems should be protected according the risk of failure.
Which of the following describes system integration?
The set of processes designed to produce synergy from the linkage of all the components.
What is one reason that mobile devices can complicate support?
The sheer variety of available devices can severely complicate the support training required.
You are enabling port security on a switch that handles connections for your company's customer help desk. Company policy prohibits employees from connecting personal devices to the corporate network. To help ensure that only corporate computer systems are connected, what type of port security would you select?
The static method. It would enable you to specifically define the MAC addresses that are allowed to connect to each port of the switch.
What is a false positive in terms of bio-metrics?
The system allows access to an unauthorized user
Which of the following is a challenge when using social networks for business purposes?
The terms of use typically can't be negotiated.
Which of the following correctly defines phishing?
The use of social engineering to trick a user into responding to an email to initiate a malware-based attack
What is a threat to VPN over open wireless?
The user must connect to the open wireless BEFORE starting VPN, allowing an attacker a potential window of time to compromise the machine.
What makes steganography so hard to detect?
There are many images on the internet It involves changes in the image that are too subtle to detect. Data can be encrypted and encoded in a proprietary manner.
Which of the following best defines static systems?
They are configured for specific functions and designed to run unaltered. (so they don't get updates) Ex: embedded systems in cars, SCADA
Which of the following describes a characteristic of alternative systems?
They are designed without typical security functionality as part of their structure.
What is unique about mainframes with respect to security?
They are highly flexible and can host many different VM operating systems
Which of the following describes a pitfall of new or proprietary algorithms?
They could have unknown weaknesses
What makes rouge access points a threat?
They could potentially allow any person access to the corporate network
What is an important factor to remember regarding policies and procedures?
They may be mandated by outside regulation.
Why can't smoke detectors tell the difference between cooking smoke and furnishings being on fire?
They measure ions in the air, and any smoke inhibits ions.
How do many types of high-security locks accomplish bump resistance?
They use patented keyways and control blank distribution
What is the difference between NIDS and HIDS?
They're both IDS(intrusion detection systems). A HIDS is a Host Intrusion Detection system and a NIDS is a Network intrusion Detection system.
Which of the following is not a type of IDS? Hybrid Network based Threat based Host based
Threat based
What is another way of describing Challenge Handshake Authentication Protocol (CHAP)?
Three-way handshake
Your organization is setting up three new buildings on a local campus, all connecting to the same core router. You have only one available address space, 10.10.10.0, to handle the routing between those three new buildings. What subnet mask will you need to use to create separate subnets for each of those three buildings.
To create 3 subnetworks you will need a 255.255.255.192 subnet mask. This will give you four separate networks with 62 host addresses each.
Why should most organizations use a content filtering proxy? (what policy?)
To enforce a network acceptable use policy.
Why are session keys utilized?
To get the benefits of both types of encryption ciphers
Your organization experienced a physical break-in that was captured by a security camera system. When handling the drive containing the video of the break-in over to the police, you're asked to fill out a form that documents the description of the drive, serial number, condition, and so on. Why would you be asked to fill out that kind of form?
To maintain chain of custody for evidence.
Which of the following is a way to defend against buffer overflow errors?
Treat all input from the outside a function as hostile
Your entire office is passing around a PowerPoint presentation of dancing and singing hamsters. Everyone thinks it's great until the next morning when everyone's hard drives appear to have been erased. The dancing hamster file is an example of a:
Trojan
If an operating system is certified for use in multilevel security environments, it might also be called which of the following?
Trusted operating system
How can you prevent bluesnarfing?
Turn off pairing when not actively adding a device
How is TwoFish superior to its predecessor, Blowfish?
TwoFish has LESS of a vulnerability against certain classes of WEAK KEYS
You are the IT director for a medium-sized grocery store chain. The company has outgrown the data center that was part of its primary distribution warehouse and is going to be implementing a brand-new data center in a newly leased building. The data center build-out has not yet been done, and the CEO has asked you to make recommendations. What fire suppression systems would you recommend?
Type ABC handheld extinguishers(works for most situations) Inergen-based system(safe chemical system)
www.whitehouse.com is a famous example of
Typo squatting
Which ports are associated with NetBIOS?
UDP 137 UDP 138 TCP 139
The program TFTP uses which port for data transfer?
UDP 69
Why is free Wi-Fi, such as in coffee shops, a popular target for session hijacking?
Unsecured Wi-Fi allows the attacker to sniff the wireless session for a user's session cookie
An email appears in your inbox, it asks you to click the link for a special offer. When you click it, it takes you to a webpage that describes a fantastic offer on a new car. All you have to do is click the link, complete a survey before the big red timer at the top of the page counts down from 30 to 0. What type of social engineering principle is at work in this case?
Urgency
What are four examples of technical controls?
User authentication(passwords), Logical access controls, antivirus/malware software, firewalls, intrusion systems, etc....
You have been asked to develop software specs for a new cloud-based file sharing application that will primarily be used to store and share password information. In what situation would this application benefit from key escrow?
User forgets their private key passphrase Government legal action
Is a VLAN or a VPN more secure?
VPN
What is an issue associated with the jailbreaking of a mobile device?
Vendor updates to the OS may no longer be properly applied
What is a VLAN?
Virtual local area networks- info is carried in broadcast mode only to devices within a VLAN. It allows segregation of different domains/groups on the network.
What is a piece of code that relies upon another file for replication on a system?
Virus
Your office phone rings and the person at the other end tells you she is from HR and is conducting a random audit of employee records. She requests your full name, email address, date of birth, Social security number, and bank account number to validate the information stored in HR's records. This could be what type of attack?
Vishing
You are working on a penetration test and discover a web server that appears to be vulnerable to SQL injection attacks in the login field. Your team lead clears you to see if you can get into the system using the SQL injection attack. It works. What penetration testing step have you just performed?
Vulnerability exploitation (find a vulnerability and then use tools or techniques that exercise that vulnerability to gain access)
Which of the following tools or methods is most likely to show you which servers in your server farm allow anonymous access to shares, have TCP port 80 open, and are running an old version of PHP?
Vulnerability scanner can show all 3
What two modes does WPA2 operate in, and what is the key difference between them?
WPA2 can either operate in Enterprise mode or Personal mode. Enterprise mode requires an external 802.1x authentication. Personal mode utilizing a pre-shared key for authentication.
Which security practice(s) will be best for the networks that are used for employees?
WPA2, Site Survey, Disable SSID broadcast. WPA2 should be used to encrypt communications with the corporate network A site survey will ensure good coverage for all the locations from which the employees need access. Disabling SSID broadcast will not affect corporate-owned devices configured to only attach to a single wireless network, and eliminates guest confustion
A list of Wi-Fi access points in an area is most likely generated by? (someone documented all of the access points in the area)
War driving
Which of the following is NOT a common use of cross-site scripting attacks? Information theft Deploying malware Website defacement Session Hijacking
Website Defacement
The CEO of your organization calls you in to ask about an email. It instructs him to click a link and verify his user id, password, date of birth, and social security number. What type of attack is this?
Whaling
A password policy should address the following questions: _________________ and _____________________ .
What is an acceptable level of risk? How secure does the system need to be? How often should users change their passwords? What account lockout policy should be used? What password composition rules should be enforced?
When would disabling SSID broadcasting make the most sense?
When providing guest wireless outside of the firewall that is not intended to be public.
List three issues that should be addressed when sharing personally identifiable information with a third party:
When sharing PII with third party: Clearly designate elements that are being collected State what the PII will be used for Designate Security Provisions
When would out-of-band key exchange be used?
When using varying length keys, such as a one-time pad.
When would you use a directional-type antenna?
When you want to communicate with a single remote client
You are a risk management consultant. You find yourself on the elevator with the VP of your client. She has asked you to give her the "elevator pitch" on developing a business impact analysis(BIA). List six key questions that should be addressed during a BIA.
Who is responsible for the operation of this function? What do these individuals need to perform that function? When should this function be accomplished relative to other functions? Where will this function be performed? How is this function performed(what is the process)? Why is this function so important or critical to the organization?
When capturing a system image from a computer system, what type of device should you use when connecting the evidence drive?
Write Blocker
To sniff all network traffic connected to your computer, what is necessary?
Your NIC card must be in promiscuous mode
An organization wanting to create a restricted-access, Internet-accessible resource for processing sensitive data might consider using:
a private cloud
How do you calculate Single Loss Expectancy?
asset value ($$$) x exposure factor
The major configurations of IPsec include all except which of the following? Host to host single tunnel Tunnel inside a tunnel concatenated tunnels
concatenated tunnels
You enter the elevator to find CEO standing next to you. She asks you to describe the key elements that should be considered in BYOD devices. List 5 essential elements of BYOD strategy.
device locking with strong password data encryption automatic device locking automatic wiping remote locking
Network access control (NAC) is implemented when:
devices initially attempt to access the network
What is an SMTP server used for?
Which of the following is an example of the unique risks associated with an alternative environment device?
it allows total control of a physical system (HVAC, elevators, alarms, etc..)
The attribute that prevents someone from later denying their actions:
nonrepudiation
A company adopting an Infrastructure as a Service (IaaS) model would typically pay on a per ____ basis
on a per-use basis
What is another term for protocol analyzers?
packet sniffer
What type of firewall works primarily on port and IP addresses?
packet-filtering firewall
Application delivery-only Platform as a Service (PaaS) offerings generally focus on:
security and scalability
An intrusion detection system is most like which of the following physical security measures?
security camera, it detects the problem but doesn't react to it or solve the problem.
List the following backup methods in order of size from smallest to largest: Full, delta, incremental
smallest - Delta med- Incremental largest-Full
What is a wrapper?
something that encloses or contains some other system Example:Trojan horse, tunneling, VPN solutions