Security+ Sample Questions

You are developing a secure web application. What sort of certificate should you request to show that you are the publisher of a program?

A code signing certificate. Certificates are issued for specific purposes. A certificate issued for one purpose should not be reused for other functions.

You are distributing a software application to clients and want to provide them with assurance that the executable file has not been modified. What type of security control is appropriate for this task?

A control that provides integrity, such as a secure hash function (MD5 or SHA) would be suitable.

What techniques does anti - virus software use to identify threats?

A database of known virus patterns, which needs to be regularly updated, and heuristic analysis of suspicious code.

The company you work for has suffered numerous intrusions due to poor password management by employees. Given a significant budget to mitigate the problem, what type of security control would you use?

A multifactor authentication product would mitigate this type of problem by requiring users to authenticate with a smart card or biometric information as well as a password.

What distinguishes a rootkit from other types of Trojan?

A rootkit typically replaces kernel - level files, making it harder to detect and remove.

What is the process of digitally signing a document?

A secure hash function is used to create a message digest. The digest is then signed using the sender's private key. The resulting signature can be decrypted using the sender's public key and cannot be modified by any other agency.

What can you use to mitigate ARP poisoning attacks?

A switch that supports port authentication.

What is a Fraggle attack?

A type of Distributed Reflection Denial of Service (DRDoS) attack. The attacker bombards a network with UDP diagnostic packets directed from the faked source IP address of the victim host.

How does accounting provide non - repudiation?

A user's actions are logged on the system. Each user is associated with a unique computer account. So long as the user's authentication is secure, they cannot deny having performed the action.

Apart from natural disaster, what type of events threaten physical damage to assets?

Accidental damage, vandalism, war / terrorism

Which symmetric cipher is being selected for use in many new products?

Advanced Encryption Standard (AES) based on Rijndael.

What is the difference between authorization and authentication?

Authorization means granting a user account configured on the computer system the right to make use of a resource (allocating the user privileges on the resource). Authentication protects the validity of the user account by testing that the person accessing that account is who he says he is.

How are cryptographic authentication systems protected against replay attacks?

By timestamping session tokens so that they cannot be reused outside of the validity period.

How are cryptographic systems protected against brute force attacks?

By using key sizes that make brute force attacks computationally impossible to achieve (within a reasonable time frame).

What mechanism informs users about suspended or revoked keys?

Certificate Revocation List (CRL).

What is the principal use of symmetric encryption?

Confidentiality - symmetric ciphers are generally fast and well suited to encrypting large amounts of data. The difficult of distributing keys securely makes them less useful for integrity and authentication.

What type of access control system is based on resource ownership?

Discretionary Access Control

What general precautions should you take before contracting someone to perform system scanning?

Establish ground rules, such as the extent of testing and disruption to the network.

True or false? All backdoors are created by malware such as rootkits.

False - a backdoor may be created by legitimate software or hardware that has not been configured securely.

True or false? A honeypot is designed to prevent network attacks by intercepting them and trapping them within a secure, decoy environment.

False - a honeypot is passive. It could act as a decoy but you cannot rely on it to deter attacks against the production network.

True or false? A "Need To Know" policy can only be enforced using discretionary or role-based access control.

False - a mandatory access control systems supports the idea of domains or compartments to supplement the basic hierarchical system.

True or false? In order to create a service ticket, Kerberos passes the user's password to the target application server for authentication.

False - only the KDC verifies the password. The Ticket Granting Service sends the user's account details (SID) to the target application for authorisation (allocation of permissions) not authentication.

Why should an ISP be informed before pentesting takes place?

ISPs monitor their networks for suspicious traffic and may block the test attempts. The pentest may also involve equipment owned and operated by the ISP.

What is a lunchtime attack?

If a user logs on then leaves a workstation unattended, the user's account can be compromised by anyone able to physically access the workstation. Users should always log off or lock the workstation before leaving it.

What technique might be used to detect the presence of a hidden message within a file?

If you have a copy of the original file you can compare it to the changed file. Otherwise statistical analysis with some knowledge of the way the steganographic application works.

You have implemented a web gateway that blocks access to a social networking site. How would you categorize this type of security control?

It is a technical type of control (implemented in software) and acts as a preventive measure.

What is the basis of computer security accounting?

Log files. It is also vital that users be properly authenticated.

You are implementing security controls to protect highly confidential information that must only be made available on a "Need to Know" basis. What class of security control should you investigate?

Mandatory Access Control systems are best - suited for applying non - discretionary, need - to - know access controls.

Why might forcing users to change their password every month be counterproductive?

More users would forget their password or try to select insecure ones.

Why are most DoS attacks distributed?

Most attacks depend on overwhelming the victim. This typically requires a large number of hosts.

When considering non - accidental threats, what important distinctions can be made to identify different threat sources?

Motive - whether the threat is structured or unstructured; whether the threat is internal or external to the organization.

What type of tool(s) would be used in a footprinting attack?

Network mapper / port scanner and packet sniffer - the idea is to understand how the network is configured, what hosts are present, and what services they run.

Is it possible to eavesdrop on the traffic passing over a company's internal network from the internet?

No - to eavesdrop the sniffer has to be attached to the same local network segment

A user maintains a list of commonly used passwords in a file located deep within the computer's directory structure. Is this secure password management?

No. This is security by obscurity. The file could probably be easily discovered using Search tools.

What term is used to describe a property of a secure network where a sender cannot deny having sent a message?

Non - repudiation

In what scenario would PAP be an appropriate cryptographic method?

None - the Password Authentication Protocol uses plaintext ASCII passwords with no cryptographic protection. This could only be used securely if the endpoints established a secure tunnel (using IPsec for instance).

What is shoulder surfing?

Observing someone entering their password or PIN

What does it mean if key recovery agent is subject to "M of N" control?

Of "N" agents configured to perform key recovery, "M" must be present to authorize a recovery operation.

What steps should be taken to enroll a new user?

Perform identity proofing to confirm the user's identity, issue authentication credentials securely, and assign appropriate permissions / privileges to the account

Which offers better security - MD5 or SHA?

SHA

What are the disadvantages of performing penetration testing against a simulated test environment?

Setting up a replica of a production environment is costly and complex. It may be very difficult to create a true replica, so potential vulnerabilities may be missed.

What key features are provided by Kerberos?

Single sign-on and support for mutual authentication.

What options exist for creating a key repository?

Software-based storage means that keys are stored in a CA application running on a standard operating system. Hardware-based storage means that a key is stored on a dedicated device, such as a smart card.

What techniques to viruses use to avoid detection by anti - virus software?

Stealth (infecting files slowly or moving from file to file) disguise the virus code (metamorphic or polymorphic virus), or disabling the A-V software (retrovirus)

What does it mean if a certificate extension is marked as critical?

That the application processing the certificate must be able to interpret the extension correctly, otherwise it should reject the certificate.

How does a replay attack work?

The attacker captures some data used to log on or start a session legitimately. The attacker then disrupts the legitimate session and resends the captured data to re - enable the connection.

Why might an ARP poisoning tool be of use to an eavesdropper?

The attacker could trick computers into sending traffic through the attacker's computer and therefore examine traffic that would not normally be accessible to him (on a switched network).

What should be done before a certificate expires?

The certificate should be renewed.

What cryptographic information is stored in a digital certificate?

The owner's public key and the algorithms used for encryption. The certificate also stores a digital signature from the issuing CA.

What features of a one-time pad make the system cryptographically secure?

The pad must be generated randomly and must not be re-used.

What does it mean if a cryptographic module is FIPS?

The product has been tested under the US government's Federal Information Processing Standard.

What are the weaknesses of a hierarchical trust model?

The structure depends heavily on the integrity of the root CA and trust relationships are limited to one organization only.

What is meant by a black box pentest?

The tester will attempt to penetrate the security system without having any privileged knowledge about its configuration.

How do social engineering attacks succeed?

They generally depend on lack of security awareness in users. An attacker can either be intimidating (exploiting users' ignorance of technical subjects or fear of authority) or persuasive (exploiting the "customer service" mindset to be helpful developed in most organizations).

Is the goal social engineering to gain access to premises or a computer system?

This is usually the end goal but may not be the immediate goal of the social engineering attack. Information gathering can be just as useful (for instance, discovering what operating systems and applications the company runs or obtaining user information).

Your company creates software that requires a database of stored encrypted passwords. What security control could you use to make the password database more resistant to brute force attacks?

Using a key stretching password storage library (such as brcypt or PBKDF2) would improve resistance to brute force cracking methods.

What trust model enables users to sign one another's certificates, rather than using Cas?

Web of Trust

Why might a standalone installation of Windows XP be more vulnerable to password cracking than in Windows 7?

Windows XP uses weak LM responses by default.

Is it possible to discover what ports are open on a web server from another computer on the internet?

Yes (providing the web server is not protected against port scanning).

Your company issues vouchers by email for various products and events. What security control could you use to prove the authenticity of the vouchers?

You could use steganography to embed an authenticity code in the voucher file.

You want to ensure that data stored on backup media cannot be read by third-parties. What type of security control should you choose?

You require a security control that delivers confidentiality, such as encryption.