Sec+ 2


An organization considers a new third-party vendor to provide critical technology solutions. It is nearing the final stages of the vendor selection process and wants to ensure a robust assessment of the vendor's security practices and risk management capabilities. Provided approval is granted, which method would be MOST suitable for the organization to gain an in-depth understanding of the vendor's security controls, identify potential vulnerabilities in its systems, and validate the effectiveness of its security measures?

Penetration testing is a proactive and in-depth method of testing a vendor's defenses. It helps organizations discover potential vulnerabilities in the vendor's systems, networks, and applications that attackers could exploit.

Incident response steps

-Preparation
-Detection and analysis
-Containment
-Eradication and recovery
-Post-incident activity (lessons learned)

Using Security Information and Event Management (SIEM) software, organizations can analyze data from different sources in one place, also known as a "single pane of glass."

SIEM allows for a comprehensive view of network devices and improves the ability to detect and respond to security incidents.

An organization stores its sensitive data on physical storage devices. It wants to bolster security measures due to a rise in industrial espionage and the risk of physical theft of these devices. Which of the following encryption strategies would be the MOST effective for the organization to choose?

Self-Encrypting Drives (SEDs) encrypt the entire contents of a storage device, making them ideal for when the physical theft of the storage device is a concern. Even if a threat actor steals a drive, the actor cannot access the data without unlocking the device with the correct credentials.

A cybersecurity analyst for a large organization is enhancing the company's security posture. The analyst notices increased alerts related to a particular known exploit in the company's server software. The company's intrusion detection system (IDS) uses a predefined set of rules, provided by security personnel, to identify events that are unacceptable. What type of detection method is the company using in this scenario?

Since the exploit is known and the IDS already has a rule set for signature-based detection of this specific exploit, enhancing or focusing on signature-based detection would be the most effective method.

credential harvesting

Social engineering techniques for gathering valid credentials to use to gain unauthorized access.

A newly appointed Information Security Officer at a startup company is improving IT security. The current IT environment lacks standardized security configurations, and various operating systems, applications, and network devices are in use. The officer decides to implement secure baseline configurations but also wants to ensure the chosen approach can adapt to evolving threats and handle the diversity in the company's IT environment. What is the MOST appropriate approach to achieve these goals?

The CIS Benchmarks offer best practice guidelines for various domains and are always up to date with evolving threats. A configuration management tool can help automate the deployment of these configurations, ensuring consistency across diverse systems.

reconnaissance

The actions taken to gather information about an individual or organization's computer systems and software. This typically involves collecting information such as the types of systems and software used, user account information, data types, and network configuration.

A tech company employs the Single Loss Expectancy (SLE) and Annualized Loss Expectancy (ALE) models for quantitative assessment and uses subjective judgment for qualitative analysis. They use a "heat map" or "traffic light" impact matrix to represent the severity of the risk, its likelihood, cost of controls, etc. What is the primary benefit of the company's approach of combining both quantitative and qualitative risk assessment methods?

The company's approach employs both numerical data for precision (quantitative) and subjective judgment for situations in which precise data is unavailable (qualitative). This mixed approach provides a comprehensive understanding of the risks, their potential impact, and the likelihood of their occurrence.

Users in a particular wireless network segment are complaining that websites are frequently slow to load or unavailable or filled with advertising. On investigation, each host in the segment is set to use an unauthorized DNS resolver. Which attack type is the likely cause for this?

The hosts are likely to be receiving their configuration from a malicious Dynamic Host Configuration Protocol (DHCP) server. This is likely to have been achieved via an on-path attack, such as a rogue access point or evil twin access point.

An organization is planning to secure its data in all its states: at rest, in transit, and in use. This includes large volumes of data that it continuously transfers over the network. Which of the following schemes is the BEST approach to achieve this while maintaining efficiency and security?

The optimal solution is to implement a combination of asymmetric and symmetric encryption. Symmetric encryption is for the bulk data, while asymmetric encryption is for securely distributing the symmetric keys. This scheme balances security with computational efficiency.

DNS Client Cache Poisoning

The presence of suspect entries in the HOSTS file is an indicator that the machine has been compromised.

lateral movement

The process by which an attacker is able to move from one part of a computing environment to another.

If a user account on a Windows host has authenticated to an Active Directory domain network, the Local Security Authority Subsystem Service (LSASS) caches various secrets in memory and in the Security Account Manager (SAM) registry database to facilitate single sign-on. These secrets include the following:

-Kerberos Ticket Granting Ticket (TGT) and session key. This allows the host to request service tickets to access applications.
-Service tickets for applications where the user has started a session.
-NT hash of local and domain user and service accounts that are currently signed in, whether interactively or remotely over the network. Early Windows business networks used NT LAN Manager (NTLM) challenge and response authentication. While the NTLM protocol is deprecated for most uses, the NT hash is still used as the credential storage format. The NT hash is used where legacy NTLM authentication is still allowed, and can be involved in signing Kerberos requests and responses.

DNS attack indicators

A DNS server may log an event each time it handles a request to convert between a domain name and an IP address. DNS event logs can hold a variety of information that may supply useful security intelligence and attack indicators, such as the following:
-The types of queries a host has made to DNS.
-Hosts that are in communication with suspicious IP address ranges or domains.
-Statistical anomalies such as spikes or consistently large numbers of DNS lookup failures, which may point to computers that are infected with malware, misconfigured, or running obsolete or faulty applications.

syn flood attack

A DoS attack where the attacker sends numerous SYN requests to a target server, hoping to consume enough resources to prevent the transfer of legitimate traffic.

password spraying

A brute force attack in which multiple user accounts are tested with a dictionary of common passwords.

downgrade attack

A cryptographic attack where the attacker exploits the need for backward compatibility to force a computer system to abandon the use of encrypted messages in favor of plaintext messages.

An employee at a company is having difficulty remembering a complex password and is looking for a more secure and memorable alternative. What type of credential would be the BEST recommendation?

A device-specific PIN with any characters and length

arp poisoning

A network-based attack where an attacker with access to the target local network segment redirects an IP address to the MAC address of a computer that is not the intended recipient. This can be used to perform a variety of attacks, including DoS, spoofing, and on-path (previously known as man-in-the-middle).

environmental attack

A physical threat directed against power, cooling, or fire suppression systems.

birthday attack

A type of password attack that exploits weaknesses in the mathematical algorithms used to encrypt passwords, in order to take advantage of the probability of different password inputs producing the same encrypted output.

network attack

An attack directed against cabled and/or wireless network infrastructure, including reconnaissance, denial of service, credential harvesting, on-path, privilege escalation, and data exfiltration.

credential replay

An attack that uses a captured authentication token to start an unauthorized session without having to discover the plaintext password for an account.

hybrid password attack

An attack that uses multiple attack methods, including dictionary, rainbow table, and brute force attacks when trying to crack a password.

DNS poisoning

An attack where a threat actor injects false resource records into a client or server cache to redirect a domain name to an IP address of the attacker's choosing.

password attack

Any attack where the attacker tries to gain unauthorized access to and use of passwords.

In an IT environment, automation and scripting play a critical role in managing services and access. How does automation assist security analysts in their daily tasks?

Automation and scripting are essential tools for managing services and access within an IT environment. This includes enabling or disabling services, modifying access rights, and maintaining the lifecycle of IT resources, which directly aligns with the tasks of security analysts.

A company has implemented a zone-based security topology with different levels of trust and access control requirements for hosts within its network perimeter. The company has various zones, including a low-privilege zone for printers, an enterprise local area network (LAN) for client devices, a guest zone, and a zone for public-facing servers. Which of the following statements about the inter-zone traffic is correct?

Client devices on the enterprise LAN can typically make authorized requests to different zones, but they cannot accept new connection requests. This is to ensure control over the communication flow and to prevent potential unauthorized connections.

A multinational organization is planning to expand its services to various locations across the globe. The organization requires a flexible IT infrastructure that can easily adapt to rapid business growth but also maintain data security and meet different legal and regulatory requirements. Which of the following architecture models would be MOST suitable for this organization?

Cloud

An organization wants to ensure the security of its sensitive data stored on the company's physical drives, with varying levels of access for different users. Which of the following encryption methods would BEST suit this requirement?

Combining volume encryption with file encryption would solve the organization's needs. It allows encryption of the storage resource and individual files, granting granular control for different users' access levels.

A technology company identifies a potential risk in the form of data breaches due to vulnerabilities in its e-commerce application. The company has assessed that the likelihood of occurrence is high, and the impact could be significant, leading to loss of customer trust and potential legal liabilities. The company has assigned a team to manage this risk and to implement necessary security measures to mitigate it. Which of the following is the BEST description of the role this team is performing?

The risk owner is responsible for managing a particular risk, which includes identifying and assessing the risk, implementing measures to mitigate it, monitoring the effectiveness of the measures, and taking corrective actions as necessary.

DNS-Based On-Path Attacks

If the threat actor has access to the same local network as the victim, the attacker can use ARP poisoning to respond to DNS queries from the victim with spoofed replies. This might be combined with a denial of service attack on the victim's legitimate DNS server. A rogue DHCP could be used to configure clients with the address of a DNS resolver controlled by the threat actor.

Which of the following descriptions is true about fail-open and fail-closed configurations for security devices in the event of a failure?

In a fail-open configuration, the system maintains network or host access, if possible, in the event of a failure. In a fail-closed configuration, the system blocks access or enters the most secure state available in the event of a failure.

A company is considering moving its applications and data to the cloud. The company handles sensitive data and wants to maintain control over the security of its applications and data. It is considering using an infrastructure-as-a-service (IaaS) model. Which of the following is a key responsibility the company will need to manage in an IaaS model?

In an IaaS model, the customer is responsible for protecting the operating systems it deploys on the cloud infrastructure. This includes tasks like applying security updates and patches, managing access controls, and implementing intrusion detection systems.

A multinational corporation is sending sensitive data to various regional offices securely. What is an optimal cryptographic method to employ in this situation?

In this case, symmetric encryption encrypts the data due to its efficiency, while asymmetric encryption securely exchanges the symmetric keys between offices. This approach, known as hybrid encryption, combines the strengths of both methods.

In the context of information security, an organization discovers a zero-day vulnerability in its database software. At the same time, a known hacking group has expressed intentions to target entities using this specific software. Which of the following BEST describes this situation's relation to vulnerability, threat, and risk?

This option illustrates a scenario in which an external group (threat) threatens a vulnerability (the software weakness), raising the possibility of a security breach (risk).

What is an amplification attack?

Where the attacker spoofs the victim's IP in requests to several reflecting servers (often DNS or NTP servers). The attacker crafts the request so that the reflecting servers respond to the victim's IP with a large message, overwhelming the victim's bandwidth.

Wireless Replay and Key Recovery

Wireless authentication is vulnerable to various types of replay attacks that aim to capture the hashes used when a wireless station associates with an access point. Once the hash is captured, it can be subjected to offline brute force and dictionary cracking. A KRACK attack uses a replay mechanism that targets the WPA and WPA2 4-way handshake. KRACK is effective regardless of whether the authentication mechanism is personal or enterprise. It is important to ensure both clients and access points are fully patched against such attacks.

A major software vendor becomes aware of a new zero-day vulnerability in one of its products due to an anonymous tip. The vulnerability could potentially allow unauthorized access to sensitive data stored in the software. The vendor is currently creating a patch to address the issue. Which of the following BEST describes the current risk to the software users and the appropriate response from the software vendor?

Zero-day vulnerabilities represent significant risk, and the vendor should prioritize creating a patch. Disclosing the vulnerability to the public before a patch is ready could increase the risk.

In a network with a defense-in-depth strategy

a firewall is usually at the network border and serves as a preventive control. Its main function is to enforce access rules for traffic entering (ingress) and leaving (egress) the network.

Partition encryption

allows for the encryption of different disk areas with different keys, but it may not offer enough granularity for controlling multiple users' access to individual files.

Port control software

allows the company to restrict which devices can connect via USB, preventing the use of unauthorized USB storage devices. This would directly address the problem without unduly limiting other uses of the laptop's physical ports.

Volume encryption

allows the encryption of a storage resource with a single file system. Without combining it with file encryption, it may not offer the required granularity for multiple-user access.

The ISO/IEC 27018 standard

also pertains to information security, protecting personally identifiable information (PII) in public clouds. Although it may also be useful, it is less comprehensive than ISO/IEC 27001 for general information security management.

Which tool assesses different facets of cloud services, such as network bandwidth, virtual machine status, and program health in a network environment?

application monitor

Proper stakeholder management and a comprehensive communication plan

are crucial elements of an Incident Response Plan. They can prevent information leakage and provide guidelines for responding to a crisis, reducing the damage to the organization's reputation. This is likely the main missing element in the incident response plan.

Key Risk Indicators (KRI)

are metrics used to predict potential risks, not a role that manages and mitigates risks.

Computer worms

are self-replicating malware that can spread across networks without user intervention. The continuous network requests to random IP ranges and increased memory usage indicate a worm's behavior.

It is essential to have de-duplication in e-discovery software tools

as it removes duplicate files and copies often found in computer systems. This process reduces the amount of data to analyze, making the investigation more efficient. De-duplication is a process that aims to eliminate duplicate and unnecessary files.

Public-facing servers

can accept requests from the internet but are generally unable to initiate requests to the enterprise LAN.

A hybrid cloud model

can present security challenges, including the complexity of managing multiple cloud environments and enforcing consistent security policies across all environments.

A credentialed scan

comes with a user account that has login rights to various hosts, enabling it to conduct a more in-depth analysis, which is particularly useful in detecting misconfigured applications or security settings.

The controller

determines the purposes and means of processing personal data. In this case, the startup decides how the data is processed and manages its collection, making it the controller.

A non-credentialed scan

does not have login rights, and its view only includes what the host exposes to an unprivileged user on the network.

Fundamental security concepts like the confidentiality, integrity, and availability (CIA) triad, access control, and frameworks

form the foundation of understanding for cybersecurity professionals.

System logs

from routers focus on the operation and status of the router itself, not specifically on recording events related to wireless network attacks.

A heartbeat message

indicates availability and does not directly analyze or interpret network traffic.

A boot sector virus

infects the boot sector of a hard disk or a floppy disk. The suspicious file came through an email, which does not suggest a boot sector virus.

Simple Network Management Protocol (SNMP) traps

inform a management system of notable events, such as port failures or excessive CPU utilization, primarily dealing with hardware issues rather than traffic pattern analysis.

External compliance reporting

involves preparing and sending compliance-related information, such as data access logs, to external regulatory authorities.

Retrospective network analysis (RNA)

involves recording the totality of network events at a packet header or payload level. It allows detailed analysis of captured traffic to identify attack tools, data exfiltration attempts, and suspicious domains.

The NIST Special Publication 800-63 standard

is a U.S. government standard for digital identity guidelines. While it may offer useful guidelines for parts of the company's security needs, it is less comprehensive than ISO/IEC 27001.

A governance committee

is a specialized group comprised of subject matter experts, stakeholders, and representatives from relevant departments and focuses on specific issues such as security, risk management, audit, or compliance.

Symmetric encryption

is efficient for bulk data encryption, but distributing symmetric keys is challenging and can present security risks.

Internal compliance reporting

is for internal review and refinement of processes. It is not concerned with preparing logs for regulatory authorities.

The data custodian

is responsible for maintaining and protecting the data. While the startup does handle the data, its primary role is not merely safeguarding it but deciding how to use and process it.

The data subject

is the individual who provides personal data to an organization. In this scenario, the users giving feedback are the data subjects.

Active/Active Clustering

is the most suitable for a 24/7 e-commerce business. Both nodes in this setup process the connections concurrently, maximizing the utilization of available resources.

online password attack

is where the threat actor interacts with the authentication service directly—a web login form or VPN gateway, for instance. An online password attack can show up in audit logs as repeatedly failed logins and then a successful login, or as successful login attempts at unusual times or locations. Apart from ensuring the use of strong passwords by users, online password attacks can be mitigated by restricting the number or rate of login attempts, and by shunning login attempts from known bad IP addresses.

Viruses usually require user intervention

like opening an infected file or attachment. They also typically write themselves to the disk.

HIDS

mainly focuses on detection and alerting but may not have the comprehensive response capabilities necessary to deal with advanced persistent threats.

offline attack

means that the attacker has managed to obtain a database of password hashes, such as %SystemRoot%\System32\config\SAM, %SystemRoot%\NTDS\NTDS.DIT (the Active Directory credential store), or /etc/shadow.

Fail-open means

preservation of network or host access, if possible, while fail-closed means blocked access or the system entering the most secure state available.

Fail-open

prioritizes availability over confidentiality and integrity, while fail-closed prioritizes confidentiality and integrity over availability.

The data processor

processes personal data on behalf of the data controller and acts under the authority and instructions of the data controller. The data processor is not allowed to make decisions alone regarding the processing of the data.

Digital certificates managed by a Certificate Authority (CA)

provide an effective way to verify the identity of entities involved in communication. A CA is a trusted third party that issues digital certificates, which contain the public key of the entity and some identity information.

ISO/IEC 27001

provides a comprehensive framework for an information security management system (ISMS), ensuring adequate and proportionate security controls. It is suitable for international use and ideal for a multinational company.

Access point logs

record network behavior related to wireless access. In this scenario, disassociation events recorded in access point logs can indicate a threat actor attempting to attack the wireless network.

Command and control (C2 or C&C), beaconing, and persistence

refer to techniques and malicious code that allow a threat actor to operate a compromised host remotely, and maintain access to it over a period of time. The threat actor has to disguise the incoming command and outgoing beaconing activity as part of the network's regular traffic, such as by using encrypted HTTPS connections. Detection of this type of activity usually depends on identifying anomalous connection endpoints, such as connections to IP addresses in countries that do not respect copyright or privacy laws. There can also be indicators on the compromised host, such as the malware itself and unauthorized startup items.

Regulated data

refers to specific categories of information subject to legal or regulatory requirements regarding their handling, storage, and protection, which typically includes sensitive or personally identifiable information (PII), such as healthcare records and social security numbers.

Data retention policy enforcement

refers to the rules guiding how long an organization holds onto different data types. While essential, this does not directly relate to preparing logs for submission to regulatory authorities.

Trade secret data

refers to valuable, confidential information that gives a business a competitive advantage.

GDPR

requires companies to protect the personal data and privacy of EU citizens for transactions that occur within the EU. At the same time, CCPA provides California residents with specific rights regarding their personal information.

Involving procedures that enable patients to request the deletion of their data, complying with the right to be forgotten

requires the healthcare provider to evaluate whether these requests align with the current legal framework.

Pivoting/lateral movement/insider attack

the general procedure is to use the foothold to execute a process remotely, using a tool such as PsExec or PowerShell. The attacker might be seeking data assets or may try to widen access by changing the system security configuration, such as opening a firewall port or creating an account. If the attacker has compromised an account, these commands can blend in with ordinary network operations, though they could be anomalous behavior for that account.

credential dumping

the malware might try to access the credentials file (SAM on a local Windows workstation) or sniff credentials held in memory by the lsass.exe system process. Additionally, a DCSync attack attempts to trick a domain controller into replicating its user list, along with their credentials, to a rogue host.

While network monitors can provide valuable information on the state of network appliances

they primarily focus on aspects like CPU/memory load status, disk capacity, network link utilization, and similar data.

persistence

this is a mechanism that allows the threat actor's backdoor to restart if the host reboots or the user logs off. Typical methods are using AutoRun keys in the registry, adding a scheduled task, or using Windows Management Instrumentation (WMI) event subscriptions.

shellcode

this is a minimal program designed to exploit a vulnerability in the OS or in a legitimate app to gain privileges, or to drop a backdoor on the host if run as a Trojan. Having gained a foothold, this type of attack will be followed by some type of network connection to download additional tools.

Non-resident viruses or file infectors

typically latch onto executable files and programs. Although the attachment is executable (.jar), the main indicator is the file's double extension, which suggests a script virus.

A script virus

uses the programming features available in local scripting engines for the OS and/or browser, such as JavaScript. The scenario mentions an attached file with a .jar extension that is executable.

Asymmetric encryption

while secure, is not efficient for encrypting large amounts of data due to its high computational overhead.

Advanced Endpoint Protection (AEP) solution with Endpoint Detection and Response (EDR) capability

would be the most effective. This approach doesn't just attempt to prevent initial execution of threats, but provides real-time and historical visibility into potential compromises and aids in the remediation process.

Given the complexities and benefits of secure protocols, which statement BEST guides the chief information security officer's (CISO) approach to implementing them?

Adopting a holistic approach that balances various factors ensures the optimal security posture, addressing the company's protection needs and operational demands. This is the best approach to ensure the selected approach meets the operational requirements without excessive costs.

arp

Broadcast mechanism by which the hardware MAC address of an interface is matched to an IP address on a local network segment.

A company's IT department has noticed irregularities in network usage and resource allocation. Which tool would be MOST beneficial in collecting the metadata and statistics from the network traffic?

Flow collectors record metadata and statistics about network traffic, thereby identifying trends and patterns, detecting anomalies, and providing visualization tools that simplify the interpretation of traffic data.

DDoS indicators

DDoS attacks can be diagnosed by traffic spikes that have no legitimate explanation, but they can usually only be mitigated by providing high availability services, such as load balancing and cluster services. In some cases, a stateful firewall can detect a DDoS attack and automatically block the source. However, for many of the techniques used in DDoS attacks, the source addresses will be randomly spoofed or launched by bots, making it difficult to stop the attack at the source.

DNS Server Cache Poisoning

DNS server cache poisoning aims to corrupt the records held by the DNS server itself. This can be accomplished by performing DoS against the server that holds the authorized records for the domain, and then spoofing replies to requests from other name servers. Another attack involves getting the victim name server to respond to a recursive query from the attacking host. A recursive query compels the DNS server to query the authoritative server for the answer on behalf of the client. The attacker's DNS, masquerading as the authoritative name server, responds with the answer to the query, but also includes a lot of false domain:IP mappings for other domains that the victim DNS accepts as genuine. The nslookup or dig tool can be used to query the name records and cached records held by a server to discover whether any false records have been inserted.
