Pretest 1

A bank sets up a public facing website for users to access their account. The company will host their own web services and consolidate their resources to host virtual machines on multiple virtual hosts. These virtual machines will include a web server, file server, SharePoint server, and domain name server. Which of the following ports can users access their bank accounts online? ANSWER 21 25 80 443

443

A Black Hat wants to make some easy money. The attacker infected multiple computers with Trojans and gathered farms of zombies to rent out to spammers. In this way, the spammers can use the zombies to put phishing Trojans in spam email. What did the Black Hat essentially create?

A botnet

During a security assessment, a security engineer suspects a misconfigured application and requests a user account with logon rights and certain permissions, to perform a test. What type of vulnerability scan is this, if the engineer had this level of access? An active scan A passive scan A non-credentialed scan A credentialed scan

A credentialed scan

1.0 Threats, Attacks and Vulnerabilities A user of a website entered bank account information into a form. However, the user did not know that an attacker monitored the activity and recorded the numbers the user entered. What type of spyware did the attacker use to collect this information? ANSWER An adware plug-in A rootkit A keylogger A ransomware Trojan

A keylogger

A user wants to use a custom theme for an Android smart phone. The theme requires root access to install custom firmware for its special features. An app in Google Play advertises the ability to root the phone, but is unable to. Which of the following options will provide a better chance to root the phone? Connect the phone to a laptop. Reset the phone to factory settings. Remotely access the phone. Moden phones use official apps from cellular carriers to gain root access.

Connect the phone to a laptop.

A NIDS or Network Intrusion Detection System, actively monitors the network. This appliance helps to provide real-time analysis of any malicious activity going on with the network. Management requests implementation of other security mechanisms to actively protect client computers, such as a NIDS. Which of the following will fulfill this requirement? HIPS Web firewall NIPS HIDS

HIPS

A contractor implements a secure system design for a large accounting firm. The contractor disables unnecessary services and deploys the system using only services and protocols necessary to the company. What principle does this employ? ANSWER SELECT ALL THAT APPLY Access Control List Hardening Least Privileged Least Functionality

Hardening Least Functionality WHAT YOU NEED TO KNOW In implementing a secure system, hardening is the practice of removing default values to ensure the system is more secure. One of the processes of hardening a system is that of Least Functionality. Least Functionality employs the principle of deploying systems with only the services and protocols required to perform the job.Least Privileged is a control management principle, in which individuals are only granted privileges and access to perform their tasks. Least privilege can reduce risk by limiting access to data otherwise not necessary to a user.An access control list is a set of rules that regulates what traffic is allowed or denied based on networks, ports and protocols.

A large company is about to make an industry announcement regarding a new technology. Word of the announcement has already been leaked online. As a result, the company is experiencing a rise in hacking attempts on public facing systems. Experts are now creating a risk register for the company using a variety of standard metrics. After examining the register, which two values would be used to create a scatterplot graph? (Select two). ANSWER SELECT ALL THAT APPLY Likelihood Response Impact Acceptance

Likelihood Impact

An IT security professional is required to provide risk assessment metrics for a new client during the onboarding process. The metrics for critical systems include Mean Time to Repair (MTTR), Meantime to Failure (MTTF), and Meantime Between Failures (MTBF). After reviewing systems information provided by the customer, what information will be crucial in providing results? (Select two). ANSWER SELECT ALL THAT APPLY Mission-essential functions Continuity of Operations (COOP) Identification of critical systems Impact of a potential threat

Mission-essential functions Identification of critical systems WHAT YOU NEED TO KNOW Identifying critical systems within an organization goes hand-in-hand with determining its essential functions. Critcal systems are those that the organization cannot operate without. In order to assess business risks, these systems must be identified.Identifying mission-essential functions goes hand-in-hand with identifying its critical systems. Mission-essential functions are those that are detremental to the business processes. These functions could be creating bids or proposals, invoicing, placing orders, and more. In order to assess business risks, these functions must be identified.The impact of a potential threat describes how operations of functions and systems may play out.Continuity of Operations (COOP) is a collection of processes that enable an organization to maintain normal business operations in the face of some adverse event.

Comparing Kerberos to Public Key Infrasrtucture (PKI), what is the main advantage of Kerberos over PKI? ANSWER PKI uses asymmetric encryption, while Kerberos uses asymmetric encryption with timestamps PKI uses asymmetric encryption, while Kerberos uses symmetric encryption with timestamps PKI uses symmetric encryption, while Kerberos uses symmetric encryption without timestamps PKI uses symmetric encryption, while Kerberos uses asymmetric encryption with timestamps

PKI uses asymmetric encryption, while Kerberos uses symmetric encryption with timestamps WHAT YOU NEED TO KNOW The main advantage Kerberos adds to encryption over PKI is the use of symmetric encryption with timestamps, allowing mutual authentication while mitigating the risk of replay attacks with a timestamp. The key difference between PKI and Kerberos is how the data is encrypted, symmetrically (with Kerberos) or asymmetrically (with PKI).PKI uses asymmetric encryption, while Kerberos uses symmetric encryption. Timestamping the tickets/tokens for single-sign on in Kerberos gives it proof against replay attacks.The key difference between PKI and Kerberos is how the data is encrypted, symmetrically (with Kerberos) or asymmetrically (with PKI).PKI encryption is asymmetric, as it uses a private key it does not share with the network, and a public key it shares for exchanging information.Kerberos uses symmetric encryption with timestamps.

A video game developer incorporates user input in the software design to make the game unpredictable for players. Which of the following algorithms is the developer applying in the software design? ANSWER PRNG TRNG Deprecated algorithm Secret Algorithm

PRNG WHAT YOU NEED TO KNOW A Pseudo random number generator (PRNG) uses software routines to simulate randomness. The algorithm usually uses data, such as mouse and keyboard input timing, process IDs, and hard drive samples, as a seed.A true random number generator (TRNG) is a method of generating random values by sampling physical phenomena, such as atmospheric noise, that has a high rate of entropy. It is not an algorithm.A deprecated algorithm is one with known weaknesses, but is still allowed to be used.A secret algorithm is one where details of the cipher are hidden and unavailable for review by third-party researchers. This is a type of "security by obscurity".

A recent security situation at a local medium-sized business has resulted in a need for IT security expertise. All business procedures, workflows, and productivity as they relate to IT will need to be reviewed. From the review, the determined Maximum Tolerable Downtime (MTD) that the business can endure will need to be identified. When combined, which two metrics cannot exceed the MTD? Recovery Point Objective (RPO) Recovery Time Objective (RTO) Work Recovery Time (WRT) Mission Essential Function (MEF)

Recovery Time Objective (RTO) Work Recovery Time (WRT)

How does forcing a system application to run in sandbox mode overcome the weakness of Discretionary Access Control (DAC)? ANSWER Sandbox mode enacts a Rule-Based Access Control (RBAC) and restricts logged-in users from circumventing the security system. Sandbox mode enacts Role-Based Access Control (RBAC), fixing misconfigurations created by DAC during the allocation of access. Sandbox mode adds an extra layer to DAC, requiring all access requests to first go through the system administrator's discretionary control before being forwarded. Sandbox mode enforces the Access Control List (ACL) by sifting through all of the available users and passwords to ensure malicious scripts do not slip through the security system.

Sandbox mode enacts a Rule-Based Access Control (RBAC) and restricts logged-in users from circumventing the security system. WHAT YOU NEED TO KNOW Sandbox mode is an example of a rule-based access control measure, designed to protect computer and network systems founded on discretionary access from misconfigurations that can result from DAC. Running in "sandbox" mode prevents malicious scripts on a website from circumventing the security system by using the privileges of a logged-on user. The key is to restrict access based on a rule for privileges, rather than allocating permissions based on the user's identity.Sandbox mode doesn't actively enforce the access control list or sift through names of users; remember, it is based on rule, not user identity.While enacting rule-based access controls can improve upon systems built with DAC, it is not done by further tasking the system administrator.Rule-based control will help overcome DAC's weakness, as DAC is already a role-based control.

A new WAP (wireless access point), connected to the network, provides wireless access to employees with company iPads. The iPads can connect to the WAP with a password, but without Internet access. The IT (Information Technology) Manager informed the network admin about 802.1x on the network. Using this information, what should the network admin evaluate to resolve the Internet access issue? (Select two). Set up MAC filtering. Set up the WPA2-Enterprise option. Cache websites require a proxy server. The RADIUS server requires authentication with WAP.

Set up the WPA2-Enterprise option. The RADIUS server requires authentication with WAP.

An employee extracts proprietary information from the company and sells it to other companies. An investigation began, to include an extensive search of the employee's desk, computer, and email. There are no signs of using an external hard drive to extract information. However, large amounts of emails sent to different companies over the course of two months, included harmless texts, pictures, and a description of where he would like to go on vacation. What did the employee use to extract information from the company's computers? ANSWER Steganography Wireshark BitLocker RAT

Steganography

Fingerprint scanning is one of the most straightforward methods of biometric identification. Which of these concerns are most pertinent to the use of this technology? (Select two). ANSWER SELECT ALL THAT APPLY Surfaces must be clean and dry Revocability of credentials High expense of installation Ease of spoofing

Surfaces must be clean and dry Ease of spoofing WHAT YOU NEED TO KNOW Ease of spoofing is a concern- it's relatively easy to obtain a copy of a person's fingerprint and make a model. Fingerprinting is also associated with criminality, so there's a stigma attached to fingerprint identification.Revocability is an issue with all biometric factors, but because fingerprint scanning technology is cheaper in comparison to other technologies, accessing and revoking certificates is also easier to do.Cleanliness of reader and of fingerprints are issues in getting a "good read" of a fingerprint. Body temperature can also affect the readability of fingerprint scans on devices such as smart phones (cold hands may not activate the scanner).While expense is a concern for all biometrics, fingerprint scanning is cost-effective when compared to most other biometric scanning technologies.

The company wants to test out a new feature called a "flood guard" on their circuit-level firewall to prevent attacks, such as ARP (address resolution protocol) poisoning. While further testing continues on the new feature, what is another method to secure the network from the attack, without compromising the dynamic re-use of switch ports where necessary? ANSWER Enable SSH on the switches Enable SNMP traps Disable unused ports Configure MAC Filters on the switches

THE CORRECT ANSWER Configure MAC Filters on the switches WHAT YOU NEED TO KNOW MAC (media access control) filters specify which device MAC addresses are allowed to connect to switch ports. This is a manual, but effective way to prevent MAC floods. Disabling unused ports will prevent the dynamic reusing of ports on switches. A hacker with physical access to a switch can connect to an active port and gain access, if MAC filtering is not implemented. SSH or secure shell is a secure way of gaining administrative access to a switch or router. This does not prevent MAC floods. SNMP (simple network management protocol) is beneficial for device monitoring and automated alerts.

The local body shop offers free Wi-Fi to customers while they are in the waiting area. When customers want to join the shop's network, they are directed to a page that requires an agreement to terms and offers them a coupon for an oil change. Analyze the scenario to determine what event occured. ANSWER The customer authenticated to a captive portal The shop's hotspot implements Extensible Authentication Protocol Tunneled Transport Layer Security (EAP-TLS) The shop's network is configured for open authentication Wi-Fi Protected Setup (WPS) is offered by the shop

The customer authenticated to a captive portal

An administrator enables the (Internet Protocol) IPv4 ICMP (Internet Control Message Protocol) rule in the Windows Firewall to ensure the remote server is pingable on the network. The administrator begins a remote desktop session with the remote server from a workstation and fails to connect. Which of the following is most likely the cause of this issue? ANSWER The in-bound remote desktop rule got disabled. The administrator does not have the right permissions. The out-bound remote desktop rule got disabled. The server's network cable got disconnected.

The in-bound remote desktop rule got disabled. WHAT YOU NEED TO KNOW Many hardened images with basic security settings will have the remote desktop rule for in-bound connections disabled. Enabling this rule will allow RDP (Remote Desktop Protocol) sessions to enter into the system.The out-bound rule will affect attempts at the source server when an admins attempts a remote desktop session. However, this is most commonly left enabled by Windows Firewall.If the server's network cable was disconnected, then configuring the ICMP (Internet Control Message Protocol) rule would not be possible.The administrator has permissions to make changes to Windows Firewall rules, so admin most likely has rights to log in remotely using remote desktop.

During a vulnerability scan, the auditor performs Open Source Intelligence (OSINT) gathering on the network presence of a company. What type of technique did the auditor perform? ANSWER Initial exploitation YOU WERE CORRECT Passive reconnaissance A pivot point Active reconnaissance

YOU WERE CORRECT Passive reconnaissance

A systems administrator recently hardened two servers (Linux and Windows), disabling unused ports and setting up a software firewall to specific port connections and protocols. These servers support employees at an external branch that operate on wireless network connections and laptops. Which of the following tools will help audit the server's security settings with the least amount of effort? ANSWER SELECT ALL THAT APPLY tshark Wireless scanner AirPcap tcpdump

tshark tcpdump WHAT YOU NEED TO KNOW tcpdump is a command-line packet capture utility built-in to most Linux distributions that output a description of the contents of each packet received on a network interface. tshark is a terminal version of Wireshark that also captures and displays packet information from any network interface. This can run on a Windows computer. A wireless scanner scans for SSIDs (security set identifiers), frequency band, channel usage, and things of that nature. It is not applicable to this situation. AirPcap is a wireless adapter designed specifically for packet capture. It is not applicable to this situation.