Professor Messer C part 4


A company would like to install an IPS that can observe normal network activity and block any traffic that deviates from this baseline. Which of these IPS types would be the BEST fit for this requirement?
❍ A. Heuristic
❍ B. Anomaly-based
❍ C. Behavior-based
❍ D. Signature-based

The Answer: B. Anomaly-based
Anomaly-based detection will build a baseline of what it considers to be normal. Once the baseline is established, the IPS (Intrusion Prevention System) will then block any traffic that deviates from the baseline.
The incorrect answers:
A. Heuristic
Heuristic IPS technology uses artificial intelligence to identify attacks that have no prior signature.
C. Behavior-based
Behavior-based IPS technology will alert if a particular type of bad behavior occurs. For example, a URL with an apostrophe and SQL command would indicate a SQL injection, and someone trying to view /etc/shadow would indicate an attempt to gain access to a protected part of the file system. This is universally considered to be bad behavior, and it would be flagged by a behavior-based IPS.
D. Signature-based
A signature-based IPS is looking for a specific traffic flow pattern, and once that traffic matches the signature the traffic can be blocked.

A system administrator has identified an unexpected username on a database server, and can see that the user has been transferring database files to an external server over the company's Internet connection. The administrator then performed these tasks:
• Physically disconnected the Ethernet cable on the database server
• Disabled the unknown account
• Configured a firewall rule to prevent file transfers from the server
Which of the following would BEST describe this part of the incident response process?
❍ A. Eradication
❍ B. Containment
❍ C. Lessons learned
❍ D. Preparation

The Answer: B. Containment
The containment phase isolates events that can quickly spread and get out of hand. A file transfer from a database server can quickly be contained by disabling any ability to continue the file transfer.
The incorrect answers:
A. Eradication
Eradication focuses on removing the cause of the event and restoring the systems back to their non-compromised state.
C. Lessons learned
After the event is over, the lessons learned phase helps everyone learn and improve the process for the next event.
D. Preparation
Before an event occurs, it's important to have the contact numbers, tools, and processes ready to go.

Which of these cloud deployment models would BEST describe a company that would build a cloud for their own use and would use systems and storage platforms in their data center?
❍ A. Private
❍ B. Community
❍ C. Hybrid
❍ D. Public

The Answer: A. Private
A private model requires that the end user purchase, install, and maintain their own application hardware and software. This model also provides a high level of security.
The incorrect answers:
B. Community
A community cloud model allows multiple organizations to share the same cloud resources. A cloud built in a company data center for personal use would not provide any community cloud features.
C. Hybrid
A hybrid cloud model combines both private and public cloud infrastructures. The description provided in the question does not include any public resources.
D. Public
A public cloud is built on an infrastructure that would be open to all users on the Internet.

A technology startup has hired sales teams that will travel to different cities for product demonstrations. Each salesperson will receive a laptop with applications and data to support their sales efforts. The IT manager would like to prevent third-parties from gaining access to this information if the laptop is stolen. Which of the following would be the BEST way to protect this data?
❍ A. Remote wipe
❍ B. Full disk encryption
❍ C. Biometrics
❍ D. BIOS user password

The Answer: B. Full disk encryption
With full disk encryption, everything written to the laptop's local drive is stored as encrypted data. If the laptop was stolen, the thief would not have the credentials to decrypt the drive data.
The incorrect answers:
A. Remote wipe
Although a remote wipe function is useful, it's a reactive response that does not provide any data protection prior to the wipe.
C. Biometrics
Biometric authentication can limit access to the operating system, but the laptop's storage drive can still be removed and read from another computer.
D. BIOS user password
Adding a power-on BIOS password would help prevent any unauthorized access to the operating system, but the password doesn't provide any protection for the data on the laptop's storage drive.

A company has recently moved from one accounting system to another, and the new system includes integration with many other divisions of the organization. Which of the following would ensure that the correct access has been provided to the proper employees in each division?
❍ A. Location-based policies
❍ B. On-boarding process
❍ C. Account deprovisioning
❍ D. Permission and usage audit

The Answer: D. Permission and usage audit
A permission and usage audit will verify that all users have the correct permissions and that all users meet the practice of least privilege.
The incorrect answers:
A. Location-based policies
Location-based policies would assign rights and permissions based on physical location. For example, a location-based policy might allow users to log in from local IP address ranges but not from locations outside of the corporate offices.
B. On-boarding process
The on-boarding process is used when a new person is hired or transferred into the organization. In this example, none of the users were identified as new employees.
C. Account deprovisioning
Account deprovisioning is the disabling of an account and archiving of user information. This process usually occurs when an employee has left the organization.

A server administrator would like to enable an encryption mechanism on a web site that would also ensure non-repudiation. Which of the following should be implemented on the web server?
❍ A. 3DES
❍ B. MD5
❍ C. ECB
❍ D. RSA

The Answer: D. RSA
RSA (Rivest, Shamir, and Adleman) asymmetric encryption includes the ability to encrypt, decrypt, and digitally sign data to ensure non-repudiation. Non-repudiation would ensure that the information received by a client can be verified as sent by the server.
The incorrect answers:
A. 3DES
3DES (Triple DES) is a symmetric encryption algorithm that encrypts, decrypts, and encrypts again with different symmetric keys. 3DES does not provide any method of non-repudiation.
B. MD5
MD5 (Message Digest version 5) is a hashing algorithm and not a method of non-repudiation.
C. ECB
ECB (Electronic Codebook) is a block cipher used for simple encryption tasks. ECB does not include a method for non-repudiation.

An attacker has circumvented a web-based application to send commands directly to a database. Which of the following would describe this attack type?
❍ A. Session hijack
❍ B. SQL injection
❍ C. Cross-site scripting
❍ D. Man-in-the-middle

The Answer: B. SQL injection
A SQL (Structured Query Language) injection takes advantage of poorly written web applications. These web applications do not properly restrict the user input, and the resulting attack bypasses the application and "injects" SQL commands directly into the database itself.
The incorrect answers:
A. Session hijack
If a third-party obtained the session ID of an already-authenticated user, they could effectively communicate directly to the application without a username and password. A session hijack by itself would not allow for direct database communication.
C. Cross-site scripting
A cross-site scripting attack commonly uses scripts at one web site to execute commands on other sites. These types of attacks take advantage of the trust of a local browser, but they don't commonly have direct access to a database.
D. Man-in-the-middle
A man-in-the-middle attack is often used to capture, monitor, or inject information into an existing data flow. A man-in-the-middle attack is not commonly used for SQL injection attacks.

Which of these are used to force the preservation of data for later use in court?
❍ A. Chain of custody
❍ B. Data loss prevention
❍ C. Legal hold
❍ D. Order of volatility

The Answer: C. Legal hold
A legal hold is a legal technique to preserve relevant information. This process will ensure the data remains accessible for any legal preparation that occurs prior to litigation.
The incorrect answers:
A. Chain of custody
Chain of custody ensures that the integrity of evidence is maintained. The contents of the evidence are documented, and each person who contacts the evidence is required to document their activity.
B. Data loss prevention
Data loss prevention (DLP) is a technique for identifying sensitive information transmitted across the network, such as Social Security numbers, credit card numbers, and other PII (Personally Identifiable Information). DLP is not a legal technique.
D. Order of volatility
The order of volatility is a list of how long data will remain available before it is unrecoverable. For example, information stored in a router table is more volatile than data stored on a backup tape.

Which of the following would be the MOST significant security concern when protecting against organized crime?
❍ A. Prevent users from posting passwords near their workstations
❍ B. Require identification cards for all employees and guests
❍ C. Maintain reliable backup data
❍ D. Use mantraps at all data center locations

The Answer: C. Maintain reliable backup data
Organized crime is often after data, and can sometimes encrypt or delete data on a service. A good set of backups can often resolve these issues quickly and without any ransomware payments to an organized crime entity.
The incorrect answers:
A. Prevent users from posting passwords near their workstations
Organized crime members usually access systems remotely. Although it's important that users don't write down their passwords, the organized crime members aren't generally in a position to see them.
B. Require identification cards for all employees and guests
Since the organized crime members rarely visit a site, having identification for employees and visitors isn't the largest concern associated with this threat actor.
D. Use mantraps at all data center locations
Mantraps control the flow of people through an area, and organized crime members aren't usually visiting a data center.

Which of the following would be the BEST way for application developers to test their code without affecting production systems?
❍ A. Use a firewall to separate the development network
❍ B. Configure the developer accounts for least functionality
❍ C. Run the applications in a sandbox
❍ D. Disable unnecessary services

The Answer: C. Run the applications in a sandbox
A sandbox ensures that code will run in its own private environment without any interaction with outside devices or services.
The incorrect answers:
A. Use a firewall to separate the development network
Although a firewall is a good best practice for separating networks, some traffic may be able to traverse the firewall and could potentially impact the production environment.
B. Configure the developer accounts for least functionality
All user accounts should be configured for least functionality, but running and testing code is certainly part of an application developer's primary responsibilities. Configuring for least functionality would not limit or restrict access to the production network.
D. Disable unnecessary services
Unnecessary services should always be disabled, but disabling those services would not generally provide any protection to the production network.

Walter, a security administrator, is evaluating a new application that uses HTTPS to transfer information between a database and a web server. Walter wants to ensure that this traffic flow will not be vulnerable to a man-in-the-middle attack. Which of the following should Walter examine while the application is executing to check for this type of vulnerability?
❍ A. The FQDN of the web server
❍ B. The IP address of the database server
❍ C. The digital signature on the web server certificate
❍ D. The session ID associated with the authenticated session

The Answer: C. The digital signature on the web server certificate
The digital signature on the certificate is signed by a trusted certificate authority (CA). If the certificate viewed in the browser is not signed by the expected CA, then a man-in-the-middle attack may be in progress.
The incorrect answers:
A. The FQDN of the web server
The FQDN (Fully Qualified Domain Name) of the web server will show the server name used by the application, but it won't provide any notification that a man-in-the-middle attack has occurred.
B. The IP address of the database server
The name and IP address of the end devices do not have to change for a man-in-the-middle attack to occur. In some cases, there's no obvious difference between a normal traffic flow and a traffic flow that has been subject to a man-in-the-middle attack.
D. The session ID associated with the authenticated session
A common client hijacking attack involves the use of valid session IDs. This would allow a third-party to connect to a device without requiring any additional authentication, but simply viewing the session ID would not indicate a man-in-the-middle attack.

A company often invites vendors for meetings in the corporate conference room. During these meetings, the vendors often require an Internet connection for demonstrations. Which of the following should the company implement to maintain the security of the internal network resources?
❍ A. NAT
❍ B. Ad hoc wireless workstations
❍ C. Intranet
❍ D. Guest network with captive portal

The Answer: D. Guest network with captive portal
A guest network would allow access to the Internet but prevent any access to the internal network. The captive portal would prompt each guest for authentication or to agree to terms of use before granting access to the network.
The incorrect answers:
A. NAT
NAT (Network Address Translation) is a method of modifying IP addresses when traversing the network, but NAT itself does not provide any additional security mechanisms.
B. Ad hoc wireless workstations
Ad hoc wireless devices are able to communicate with each other without the use of an access point. There are no additional security features included with an ad hoc connection.
C. Intranet
The intranet is a private internal network used by company employees. It's common to provide the highest protection to the intranet resources, so a company would not commonly connect the intranet to a public conference room.

A recent audit has found that an internal company server is using unencrypted FTP to transfer files from a building HVAC system. Which of the following should be configured to provide secure data transfers?
❍ A. Require secure LDAP
❍ B. Install web services with HTTPS
❍ C. Create a DNSSEC record
❍ D. Install an SSL certificate for the FTP service

The Answer: D. Install an SSL certificate for the FTP service
FTP (File Transfer Protocol) over SSL (Secure Sockets Layer) is the FTPS (FTP over SSL) protocol. To enable SSL, the server will need to have an SSL certificate that can be used by the FTP service.
The incorrect answers:
A. Require secure LDAP
LDAP is commonly used for authentication and directory services, so securing LDAP would not provide any data confidentiality for FTP data transfers.
B. Install web services with HTTPS
HTTPS would provide encrypted data transfers for web services, but it would not provide any additional encryption capabilities for the FTP protocol.
C. Create a DNSSEC record
DNSSEC (Domain Name Server Security Extensions) can be used to validate DNS responses, but it does not provide any additional encryption or confidentiality for FTP.

During a regional power outage, a company was unable to process credit card transactions through the point of sale terminal. To work around this issue, the cashiers manually recorded the card information and called the credit card clearinghouse for approval. Which of these would BEST describe this recovery process?
❍ A. Alternate business practice
❍ B. Tabletop exercise
❍ C. Failover
❍ D. Differential recovery

The Answer: A. Alternate business practice
Modifying the normal business process for another working option is an alternate business practice. This alternate can be less efficient, but it can provide a useful option while the original business practice is unavailable.
The incorrect answers:
B. Tabletop exercise
Performing a full-scale disaster drill can be costly and time-consuming. Most of the logistics associated with the disaster recovery process can instead be discussed in a conference room using a tabletop exercise. This simulated disaster process is often used to work through logistics without physically performing an actual drill.
C. Failover
A failover process allows for the normal recovery of a business process without any significant change to normal operations. In this example, the business process itself was significantly affected by the power issues and a failover did not appear to be in operation.
D. Differential recovery
A differential backup creates a copy of every file that has changed since the last full backup. A differential recovery uses a full backup and each differential backup to complete the recovery process.

Which of the following malware types would cause a workstation to participate in a DDoS?
❍ A. Bot
❍ B. Logic bomb
❍ C. Ransomware
❍ D. Keylogger

The Answer: A. Bot
A bot (robot) is malware that installs itself on a system and then waits for instructions. It's common for botnets to use thousands of bots to perform DDoS (Distributed Denial of Service) attacks.
The incorrect answers:
B. Logic bomb
A logic bomb waits for a predefined event to occur. The scope of devices infected with a logic bomb is relatively small and localized as compared to a botnet.
C. Ransomware
Ransomware locks a system and prevents it from operating. The locked device does not commonly participate in a DDoS.
D. Keylogger
A keylogger will silently capture keystrokes and transmit an archive of those keystrokes to a third-party. A keylogger does not commonly participate in a DDoS.

A system administrator has configured MAC filtering on the corporate access point, but access logs show that unauthorized users are accessing the network. The administrator has confirmed that the address filter includes only authorized MAC addresses. Which of the following should the administrator configure to prevent this unauthorized use?
❍ A. Enable WPA2 encryption
❍ B. Remove unauthorized MAC addresses from the filter
❍ C. Modify the SSID name
❍ D. Modify the channel

The Answer: A. Enable WPA2 encryption
A MAC (Media Access Control) address can be spoofed on a remote device, which means anyone within the vicinity of the access point can view legitimate MAC addresses and spoof them to avoid the MAC filter. To ensure proper authentication, the system administrator can enable WPA2 (Wi-Fi Protected Access version 2) and use a shared password or configure 802.1X to integrate with an existing name service.
The incorrect answers:
B. Remove unauthorized MAC addresses from the filter
Since MAC addresses are visible when capturing packets, any unauthorized users affected by the removal of a MAC address would simply obtain the remaining MAC addresses in use and spoof those addresses to gain access.
C. Modify the SSID name
The SSID (Service Set Identifier) is the name associated with the wireless network. The name of the access point is not a security feature, so changing the name would not provide any additional access control.
D. Modify the channel
The frequencies used by the access point are chosen to minimize interference with nearby wireless devices. These wireless channels are not security features and changing the frequency would not limit unauthorized access.

A security administrator would like to use employee-owned mobile phones to unlock the door of the data center using a sensor on the wall. The users would authenticate on their phones with a fingerprint before the door would unlock. Which of the following features should the administrator use? (Select TWO)
❍ A. NFC
❍ B. Remote wipe
❍ C. Containerization
❍ D. Biometrics
❍ E. Push notification

The Answer: A. NFC and D. Biometrics
The wall sensor will be activated with the phone's NFC (Near-field Communication) electronics and would authenticate using the biometric fingerprint reader on the phone.
The incorrect answers:
B. Remote wipe
Although remote wipe can be a useful management tool for a mobile device, there's no need to include remote wipe capabilities with this particular application. The door unlocking process would still require authentication using the user's fingerprint if the phone was lost or stolen.
C. Containerization
This application doesn't appear to store any confidential local data, so keeping the enterprise data separate from the personal data isn't a significant concern.
E. Push notification
A push notification will cause alerts to appear on the phone without any user intervention. In this app, all of the actions are initiated by the user.

A company has identified a web server data breach that resulted in the theft of 150 million customer account records containing financial information. A study of the events leading up to the breach shows that a security update to the company's web server software was available for two months prior to the breach. Which of the following would have prevented this breach from occurring?
❍ A. Patch management
❍ B. Full disk encryption
❍ C. Disable unnecessary services
❍ D. Application whitelisting

The Answer: A. Patch management
This question describes an actual breach that occurred in 2017 to web servers at a large credit bureau. This breach resulted in the release of almost 150 million customer names, Social Security numbers, addresses, and birth dates. A web server vulnerability announced in March of 2017 was left unpatched, and attackers exploited the vulnerability two months later in May. The attackers were in the credit bureau network for 76 days before they were discovered. A formal patch management process would have clearly identified this vulnerability and would have given the credit bureau the opportunity to mitigate or patch the vulnerability well before it would have been exploited.
The incorrect answers:
B. Full disk encryption
Full disk encryption (FDE) would prevent unauthenticated access to the data, but the web server would be an authorized user and would have normal access to the areas of the operating system that are necessary for normal operation. Enabling FDE would not provide any additional security against a data breach.
C. Disable unnecessary services
It's always a good best practice to disable unnecessary services, but this breach attacked a very necessary web service.
D. Application whitelisting
Whitelisting applications would prevent unauthorized applications from running, but it would not prevent an attack to the whitelisted web service application.

A receptionist at a manufacturing company recently received an email from the CEO that asked for a copy of the internal corporate employee directory. The receptionist replied to the email and attached a copy of the directory. It was later determined that the email was not sent from the CEO and the domain associated with the email address was not a corporate domain name. What type of training could help prevent this type of situation in the future?
❍ A. Recognizing social engineering
❍ B. Using emails for personal use
❍ C. Proper use of social media
❍ D. Understanding insider threats

The Answer: A. Recognizing social engineering
Impersonating the CEO is a common social engineering technique. There are many ways to recognize a social engineering attack, and it's important to train everyone to spot these situations when they are occurring.
The incorrect answers:
B. Using emails for personal use
It's important that everyone understands the proper use of email and avoids personal use of the corporate email service. In this instance, however, the receptionist was not using email for personal use.
C. Proper use of social media
The attack vector used in this situation was email. Social media sites were not used in this particular example.
D. Understanding insider threats
Although the attacker wasn't identified, we could assume that an employee would already have access to the internal corporate employee directory.

A manufacturing company is working with a third-party to perform a vulnerability scan of their application services. The company would like a list of vulnerabilities that employees could possibly exploit on the company's internal networks. Which of the following would be the BEST way for the third-party to meet this requirement?
❍ A. Run a credentialed vulnerability scan
❍ B. Capture packets of the application traffic flows from the internal network
❍ C. Identify an exploit and perform a privilege escalation
❍ D. Scan the network during normal working hours

The Answer: A. Run a credentialed vulnerability scan
A credentialed scan would provide login access and allow the scan to run as a standard user on the network.
The incorrect answers:
B. Capture packets of the application traffic flows from the internal network
A non-intrusive packet capture would not provide any significant vulnerability information, and it would not be possible to test for additional vulnerabilities with just the packets.
C. Identify an exploit and perform a privilege escalation
There's no guarantee that any of the systems will be vulnerable to an exploit, and there's also no guarantee that such an exploit would provide any user access.
D. Scan the network during normal working hours
Scanning a network from the outside or without credentials would not provide a list of vulnerabilities from the user's perspective, regardless of the time of day.

Two companies have merged, but they will be maintaining separate network infrastructures. However, the security administrators of both companies would like to share information between the two companies. If a user is properly authenticated on either network, they should automatically gain access to resources on the other network without any additional authentication. Which of the following would provide this functionality?
❍ A. Two-way trust
❍ B. Multi-factor authentication
❍ C. Non-transitive trust
❍ D. Single-factor authentication

The Answer: A. Two-way trust
A two-way trust creates a trust relationship between two domains that act as peers. The two domains trust each other equally.
The incorrect answers:
B. Multi-factor authentication
A multi-factor authentication uses more than one factor to authenticate a single user. The trust relationship described in the question describes the access that is provided once the authentication is complete.
C. Non-transitive trust
Non-transitive trusts are specifically created and apply only to a single domain.
D. Single-factor authentication
Single-factor authentication uses one factor during the authentication process. The trust relationship in the question describes the access once the authentication is complete.

A security engineer is capturing packets on an internal company network and is documenting the IP addresses and MAC addresses associated with the local network devices. Which of these commands would provide the MAC address of the default gateway at 10.11.1.1?
❍ A. ping 10.11.1.1
       arp -a
❍ B. tracert 10.11.1.1
❍ C. dig 10.11.1.1
❍ D. ipconfig /all

The Answer: A. ping 10.11.1.1 followed by arp -a
The arp (Address Resolution Protocol) command can be used to view the local ARP cache. The cache contains a lookup table containing IP addresses and their associated MAC (Media Access Control) address. If an engineer pings a device on the local network and then views the ARP cache, they will see the MAC address that was resolved during the ARP process.
The incorrect answers:
B. tracert 10.11.1.1
The tracert (traceroute) command will display the IP addresses of routers between two devices. MAC addresses are not displayed in the traceroute output.
C. dig 10.11.1.1
The dig (Domain Information Groper) command is used to gather information from DNS (Domain Name System) servers. MAC address information is not viewable with the dig command.
D. ipconfig /all
The ipconfig command will display IP address and MAC address information for the local Windows computer, but it does not show the MAC address information of the default gateway.

The clients in a small office authenticate to a secure wireless access point using WPA2-Enterprise. Which of the following would be MOST commonly associated with this connection?
❍ A. RC4
❍ B. AES
❍ C. IPsec
❍ D. 3DES

The Answer: B. AES
WPA2 (Wi-Fi Protected Access II) is a wireless encryption protocol, and WPA2-Enterprise indicates that the authentication to the WPA2-protected wireless network uses a centralized authentication database using a protocol such as RADIUS (Remote Authentication Dial-In User Service). In this question, however, the answers focus on different encryption protocols and their use, regardless of the authentication method used. CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) and AES (Advanced Encryption Standard) are the primary protocols used in WPA2.
The incorrect answers:
A. RC4
RC4 (Rivest Cipher 4) is a stream cipher commonly associated with the older WEP (Wired Equivalent Privacy) encryption standard. RC4 is not used with WPA2.
C. IPsec
IPsec (Internet Protocol Security) is a common protocol for connecting host and site VPNs (Virtual Private Networks). IPsec is not part of WPA2 encryption.
D. 3DES
3DES (Triple Data Encryption Standard) is a symmetric encryption protocol that is commonly used on IPsec and other VPN technologies. 3DES is not part of WPA2 encryption.

During an initial network connection, a supplicant communicates to an authenticator, which then sends an authentication request to an Active Directory database. Which of the following would BEST describe this authentication technology?
❍ A. RADIUS Federation
❍ B. AES
❍ C. 802.1X
❍ D. PKI

The Answer: C. 802.1X
IEEE 802.1X is a standard for port-based network access control (NAC). When 802.1X is enabled, devices connecting to the network do not gain access until they provide the correct authentication credentials. This 802.1X standard refers to the client as the supplicant, the switch is commonly configured as the authenticator, and the back-end authentication server is a centralized user database such as Active Directory.
The incorrect answers:
A. RADIUS Federation
RADIUS (Remote Authentication Dial-In User Service) Federation is a method of combining federation with the RADIUS protocol. This would allow members of one organization to authenticate to the network of another organization using their normal credentials.
B. AES
AES (Advanced Encryption Standard) is a common encryption protocol, and it does not describe a supplicant, authenticator, or authentication server.
D. PKI
PKI (Public Key Infrastructure) is a method of describing the public-key encryption technologies and its supporting policies and procedures. PKI does not require the use of supplicants, authenticators, or authentication servers.

A set of corporate security policies is what kind of security control?
❍ A. Compensating
❍ B. Detective
❍ C. Administrative
❍ D. Physical

The Answer: C. Administrative
An administrative control is a guideline that would control how people act, such as security policies and standard operating procedures.
The incorrect answers:
A. Compensating
A compensating security control doesn't prevent an attack, but it does restore from an attack using other means. A security policy does not provide a way to restore from an attack.
B. Detective
A detective control may not prevent access, but it can identify and record any intrusion attempts. Security policies do not provide any identification or recording of intrusions.
D. Physical
A physical control would block access. For example, a door lock or security guard would be a physical control.

A company runs two separate applications out of their data center. The security administrator has been tasked with preventing all communication between these applications. Which of the following would be the BEST way to implement this security requirement? ❍ A. Firewall ❍ B. Protected distribution ❍ C. Air gap ❍ D. VLANs

The Answer: C. Air gap An air gap is a physical separation between networks: no cable, switch, or wireless link connects them, so there is no path for a misconfiguration to expose. Air-gapped networks are commonly used to separate systems that must never communicate with each other. The incorrect answers: A. Firewall A firewall filters traffic between networks, but a firewall can be misconfigured and inadvertently allow some traffic to pass. Although this is one option, it's not the best option given the alternative of an air gap. B. Protected distribution A protected distribution system is a physically secured cabled network, usually a sealed metal conduit that protects against taps and cable cuts. It does not restrict traffic between networks. D. VLANs A VLAN (Virtual Local Area Network) is a logical method of segmenting traffic within network switches. Although this segmentation is effective, it still depends on the switch configuration and is not as secure as an air gap.

A company's security engineer is working on a project to simplify the employee onboarding and offboarding process. One of the project goals is to allow individuals to use their personal phones for work purposes. If the user leaves the company, the company data will be removed but the user's data would remain intact. Which of these technologies would meet this requirement? ❍ A. Policy management ❍ B. Geofencing ❍ C. Containerization ❍ D. Storage encryption

The Answer: C. Containerization The storage segmentation of containerization keeps the enterprise apps and data separated from the user's apps and data. During the offboarding process, only the company information is deleted and the user's personal data is retained. The incorrect answers: A. Policy management Policies can often be managed through a mobile device manager, allowing the security administrator to limit the use of certain apps, camera functions, or data storage. These management functions are important, but they don't necessarily affect the separation of storage or removal of data inside of the mobile device. B. Geofencing Geofencing restricts or allows features when a mobile device is in a particular location. Geofencing will not have any effect on the separation of data inside of a mobile device. D. Storage encryption If a mobile device is lost or stolen, storage encryption ensures that the data will remain confidential. The encryption process itself does not provide any separation between enterprise data and user data.

An application team has been provided with a hardened version of Linux to use for a new application rollout, and they are installing a web service and the application code on the server. Which of the following should the application team implement to BEST protect the application from attacks? ❍ A. Build a backup server for the application ❍ B. Run the application in a cloud-based environment ❍ C. Implement a secure configuration of the web service ❍ D. Send application logs to the SIEM via syslog

The Answer: C. Implement a secure configuration of the web service The support pages for many services will include a list of hardening recommendations. This hardening may include account restrictions, file permission settings, internal service configuration options, and other settings to ensure that the service is as secure as possible. The incorrect answers: A. Build a backup server for the application Of course, you should always have a backup. Although the backup may help recover quickly from an attack, the backup itself won't protect the application from attacks. B. Run the application in a cloud-based environment The location of the application service won't provide any significant protection against attacks. Some cloud-based services may include some additional security features, but many do not. Given the options available, running the application in the cloud would not be the best option available. D. Send application logs to the SIEM via syslog It's always useful to have a consolidated set of logs, but the logs on the SIEM (Security Information and Event Management) server won't protect the application from attacks.
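A secure configuration is easier to verify than to describe, so here is an added example (not from the page or from Professor Messer's course): a small Python audit that parses two constructed nginx-style configurations, one weak and one hardened, and reports the settings a typical hardening guide flags. The configurations, the minimal parser and the set of checks are assumptions for illustration; they are not nginx's own tooling.

```python
from __future__ import annotations

import re

# Constructed sample configurations (not from the page) in nginx syntax.
WEAK_NGINX_CONF = """
user root;                      # worker processes as root
http {
    server_tokens on;           # nginx default: version in Server header and error pages
    server {
        listen 443 ssl;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        location /files/ {
            autoindex on;       # directory listing
        }
    }
}
"""

HARDENED_NGINX_CONF = """
user www-data;
http {
    server_tokens off;
    server {
        listen 443 ssl;
        ssl_protocols TLSv1.2 TLSv1.3;
        add_header X-Content-Type-Options nosniff;
        location /files/ {
            autoindex off;
        }
    }
}
"""

WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(conf: str) -> list[tuple[str, str, list[str]]]:
    """Minimal nginx-style parser: returns (context path, directive, args) tuples.
    Comments are stripped; quoted strings containing ';' or braces are not handled."""
    text = re.sub(r"#.*", "", conf)
    directives, context, buf = [], [], []
    for ch in text:
        if ch == "{":                       # open a block, e.g. 'server {' or 'location /files/ {'
            parts = "".join(buf).split()
            context.append(parts[0] if parts else "?")
            buf = []
        elif ch == "}":
            context.pop()
            buf = []
        elif ch == ";":                     # end of a simple directive
            parts = "".join(buf).split()
            if parts:
                directives.append(("/".join(context), parts[0], parts[1:]))
            buf = []
        else:
            buf.append(ch)
    return directives


def audit_nginx(conf: str) -> list[str]:
    """Return human-readable findings for the hardening items checked below."""
    by_name: dict[str, list[tuple[str, list[str]]]] = {}
    for ctx, name, args in parse_directives(conf):
        by_name.setdefault(name, []).append((ctx, args))
    findings = []
    for _, args in by_name.get("user", []):
        if args[:1] == ["root"]:
            findings.append("worker processes run as root ('user root')")
    tokens = by_name.get("server_tokens", [])
    if not tokens or any(args[:1] == ["on"] for _, args in tokens):
        findings.append("server_tokens is on (the default): version disclosed in headers and error pages")
    for ctx, args in by_name.get("ssl_protocols", []):
        weak = sorted(WEAK_TLS & set(args))
        if weak:
            findings.append(f"ssl_protocols in {ctx} permits {', '.join(weak)}")
    for ctx, args in by_name.get("autoindex", []):
        if args[:1] == ["on"]:
            findings.append(f"directory listing enabled in {ctx} ('autoindex on')")
    headers = {args[0] for _, args in by_name.get("add_header", []) if args}
    if "X-Content-Type-Options" not in headers:
        findings.append("no 'add_header X-Content-Type-Options nosniff'")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_NGINX_CONF), ("hardened", HARDENED_NGINX_CONF)):
        print(label, audit_nginx(conf) or ["no findings"])
```

Two caveats when applying this to a real server: `server_tokens off` removes the version number but still sends a `Server: nginx` header, and nginx's `add_header` is inherited from the parent block only when the current block defines no `add_header` of its own, so a single `add_header` inside a `location` silently drops every header set at the `server` level. A file-level audit like this one catches the first class of mistake; the second needs a check against the running server's responses.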

Daniel, a penetration tester, would like to gather some reconnaissance information before the formal penetration test begins. To provide a more focused test, Daniel would like to compile a list of open ports for each server participating in the test. Which of these would be the BEST way to gather this information? ❍ A. Capture network traffic with a protocol analyzer ❍ B. Send a phishing email with an application survey ❍ C. Use social engineering on the main switchboard operator ❍ D. Run a network scanner on each server's IP address

The Answer: D. Run a network scanner on each server's IP address A network scanner, or port scanner, queries every port of interest on an IP address and logs any that appear to be open. This can be time consuming, so collecting the information before the penetration test begins shortens the time required for the pentest itself. The incorrect answers: A. Capture network traffic with a protocol analyzer If a packet capture were possible, it would certainly reveal a subset of the open ports on a server. Unfortunately, it would only show the ports that were in use during the capture, and it would not provide a comprehensive list of all open ports across all servers of interest. B. Send a phishing email with an application survey Asking users for application information might provide some insight into possible open ports, but it wouldn't associate those applications with any particular IP address. The survey would also not provide a comprehensive list of all open ports across all servers. C. Use social engineering on the main switchboard operator Social engineering is useful for gathering information about people or company processes, but it doesn't help gather information about open ports on an IP address.
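As an added example, not from the page or from Professor Messer's course: a TCP connect scan in Python that records each port as open, closed or filtered, the same three states a tool such as nmap reports. To run offline it scans loopback listeners it creates itself; the host, the ports and the demo() helper are constructed for the illustration.

```python
from __future__ import annotations

import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """TCP connect probe. 'open' = handshake completed, 'closed' = refused with RST,
    'filtered' = no answer before the timeout (a firewall dropping packets, or an unreachable host)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:            # includes socket.timeout / TimeoutError and host-unreachable errors
        return "filtered"


def scan_ports(host: str, ports, timeout: float = 0.5, workers: int = 64) -> dict[int, str]:
    """Probe the given ports concurrently; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def open_ports(states: dict[int, str]) -> list[int]:
    return sorted(p for p, s in states.items() if s == "open")


def demo() -> dict:
    """Constructed offline demo: two loopback listeners plus one port that is bound but never
    listen()ed (so the kernel refuses connections), then a scan of the ports around them."""
    listeners = []
    for _ in range(2):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
        s.listen(5)
        listeners.append(s)
    refused = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    refused.bind(("127.0.0.1", 0))      # bound, not listening: connects get RST -> 'closed'
    expected_open = sorted(s.getsockname()[1] for s in listeners)
    closed_port = refused.getsockname()[1]
    candidates = set(expected_open) | {closed_port}
    candidates |= set(range(max(1, expected_open[0] - 3), min(65535, expected_open[-1] + 3) + 1))
    try:
        states = scan_ports("127.0.0.1", sorted(candidates))
    finally:
        for s in listeners + [refused]:
            s.close()
    return {"expected_open": expected_open, "closed": closed_port,
            "states": states, "found": open_ports(states)}


if __name__ == "__main__":
    result = demo()
    print("open:", result["found"], "expected:", result["expected_open"])
    print("bound-but-not-listening port", result["closed"], "reported as", result["states"][result["closed"]])
```

A full connect scan completes the three-way handshake on every open port, so it is reliable but noisy: each probe shows up in the target's application logs and in any IDS watching for connection bursts. Note also that "filtered" only means no reply arrived in time; a slow host and a silently dropping firewall look identical, which is why rescanning filtered ports with a longer timeout is standard practice before reporting them.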

A development team has instituted a life-cycle that relies on a sequential design process. Each step of the process must be completed before the next step can begin. Which of the following life-cycle models is being used by the developers? ❍ A. Agile ❍ B. Rapid ❍ C. Anamorphic ❍ D. Waterfall

The Answer: D. Waterfall The waterfall life-cycle of software development separates the process into sequential phases where one phase occurs at a time, and the output of that phase provides the deliverable for the next phase. For example, the requirements process might occur first, and only after the requirements are complete can the process continue to the analysis phase. The incorrect answers: A. Agile The agile development model relies on the quick creation of code, ongoing collaboration with the customer, and a quick response to change and update the software as the project proceeds. B. Rapid The rapid, or rapid prototyping model, creates a working model of an application that can then be examined and evaluated before any final code is written. C. Anamorphic An anamorphic development model focuses on the scope of a project to build multiple iterations of an application before a final version is created.

