Security+ SY0-601
What are rainbow tables?
-- provides precomputed values for cryptographic hashes. -- commonly used for cracking passwords stored on a system in hashed form.
Transmission Control Protocol (TCP)
-A connection-oriented protocol -Uses a three way handshake
public certificate in P7B format with what extension
.cer
private certificate in P12 format with what extension
.pfx
What is the difference bw RAID5 and RAID6
5 has a single parity and can lose one disk, 6 has double parity and can lose 2 disks
Describe how a managed switch with 802.1x works
802.1x authenticates users and devices connecting to a switch. Normally, the user or device has a server to authenticate them without the need to disable ports on the switch. An unauthorized user is prevented from using the port as they have no certificate
If i dont have NIDS on my network, which device can passively monitor network traffic
A NIPS can passively monitor on the network as it can fulfill the functionality of a NIDS if there is no NIDS on your network
What type of attack is a man in the middle attack using an SSL3.0 browser that uses a CBC
A POODLE attack is a MITM attack and uses Cipher Block Chaining
What is an RAT
A Remote Access Trojan is a trojan that sends out the users username and password to an external source so that a remote session can be created
What type of device can be used to automate the collection of log files across many different devices
A SIEM server can correlate log files from many devices and notify you of potential attacks
Three different groups of workers are in an open plan office and they are all connected to the same physical switch. What can be done to isolate them from each other
A VLAN can be used for departmental isolation on the same switch
Type 1 hypervisor
A bare metal hypervisor in which you install directly on the server's hardware.
What is the fastest attack that can crack any password
A brute force attack
What needs to be installed on the endpoint if you are using EAP-TLS for wireless authentication
A certificate on the endpoint as TLS needs x509 certificate
Security as a Service (SECaaS)
A cloud model in which all security services are delivered from the cloud to the enterprise. It provides identity management
SMTP (Simple Mail Transfer Protocol)
A communications protocol that enables sending email from a client to a server or between servers.
What are the two reasons why a computer might not receive an ip address from a DHCP server
A computer might not receive an IP address from a DHCP server due to resource exhaustion or network connectivity
DNS Cache
A database on a computer that stores information about IP addresses and their associated host names. It can exist on clients as well as on name servers.
What network device should you use to manage a high volume of web traffic
A load balancer because it sends the requests to the least utilized node that is healthy
Explain Man-in-the-Middle attacks.
A man-in-the-middle attack is an active interception of data on a network. The attacker can inject code in either direction. This can be facilitated by ARP poisoning, spoofing, etc.
How do 802.1x and port security differ? which one gives me more functionality
A managed switch uses 802.1x which authenticates the device but does not disable the port when port security merely disables the port. 802.1x provides more functionality
Why would I make a risk assessment for one of my main suppliers?
A manufacturer company would carry out a supply chain risk assessment because they need a reputable supplier of raw materials so that they can manufacture goods
What is the difference bw an MOU and an MOA
A memorandum of understanding is a formal agreement bw two parties, but it is not legally binding, whereas a memorandum of agreement is similar, but is legally binding
If a network admin wants to set up a VPN, what is the most secure protocol that they can use
A network admin could use AES as the strongest protocol for an L2TP/IPSec VPN as it can use 256 bit
If an network admin wanted to collect the statuses and reports of network devices, what secure protocol could they use
A network admin could use SMTP v3 to securely collect the status and reports from network devices
How does spear phishing differ from a phishing attack?
A phishing attack that has been sent to a group of users
Post Office Protocol (POP)
A protocol that resides on an incoming mail server. The current version is POP3.
Internet Message Access Protocol (IMAP)
A protocol used to retrieve email messages. IMAP is similar to POP3, but with some advanced features. The main difference between the two is that IMAP generally leaves the email on the mail server.
What is inherent risk?
A raw risk before it has been mitigated
How does a reply attack differ from a man-in-the-middle attack?
A reply attack is similar to a MITM attack, except the intercepted packet is replayed at a later date
What type of virus attacks the Windows/System32 folder on Windows, or the Bash shell on Linux
A rootkit virus
Which network device connects two network together
A router and it works at Layer 3 of the OSI reference model
What is the difference between a signature and an anomaly based NIDS
A signature based NIDS works off a known database of variants An anomaly based one starts with the database and can learn about new patterns or threats
host-based intrusion detection system (HIDS)
A software-based application that runs on a local host computer that can detect an attack as it occurs.
Privileged Access Management (PAM)
A solution that stores the privileged account in a bastion domain to help protect them from an attack
What type of internal device connects users on the same network
A switch, normally in a star topology
What type of virus inserts .dll into either the SysWOW64 or System32 folder
A trojan inserts a .dll into either the SysWOW64 or System 32 folder
What is a vulnerability in relation to risk management
A weakness that an attacker can exploit
I am trying to use the internet but my wireless session keeps crashing—what type of attack is this?
A wireless disassociation attack is where the attacker prevents the victim from connection to the WAP
What type of virus replicates itself and uses either ports 4444 or 5000
A worm
Microsoft RADIUS
AAA server using UDP port 1812 - non proprietary
Accounting
AAA server where they log the details of when someone logs in and out; used for billing purposes. logged into SQL database. uses UDP port 1813
What type of attack is a local attack and how can I prevent that attack
ARP attack by using IPSec
If a user installs pirate software on their corporate laptop, which policy have they violated
Acceptable Use Policy (AUP)
What type of HTTP status code lets you know you have made a successful connection to a web server
An HTTP status code of 200 ok lets you know that a successful connection has been made
What is the purpose of an ISA
An Interconnection Security Agreement (ISA) states how connections should be made between two business partners. They decide on what type of connection and how to secure it; for example, they may use a VPN to communicate.
What type of firewall can act as an intrusion prevention device, a statefull firewall, and can inspect encrypted SSL and HTTPS packets
An NGFW by carrying out deep packet filtering
Someone at work has suffered a cardiac arrest and the first aid delegate takes out a defibrillator that gives instructions of the steps to take. What had been built into the device to give these instructions?
An SoC gives instruction on the steps to take when using a defibrillator; however if it detects a pulse, it will not send a charge
Security Assertion Markup Language (SAML)
An XML-based standard used to exchange authentication and authorization information. (used with federated services)
What is the only way to prevent a brute force attack
An account locked with a low value
What is a watering hole attack?
An attack infects a website that a certain group of people visit regularly.
VM Escape
An attack that allows an attacker to access the host system from within a virtual machine. The primary protection is to keep hosts and guests up to date with current patches.
How does an attacker carry out password spraying
An attacker works out what standard naming convention a company is using and then they obtain the names of employees from the internet. then they try common passwords against those accounts
What is the purpose of an exit interview
An exit interview is to find out the reason why the employee has decided to leave; it may be the management style or other factors in the company. The information from an exit interview may help the employer improve terms and conditions and therefore have a higher retention rate.
Pass the Hash Attack
An exploit in which an attacker steals a hashed user credential and, without cracking it, reuses it to trick an authentication system into creating a new authenticated session on the same network.
What is the purpose of an incident response plan
An incident response plan is written for a particular incident and lays out how it should be tackled and the key personnel required.
OpenID Connect
An open source standard used for identification on the Internet. It is typically used with OAuth and it allows clients to verify the identity of end users without managing their credentials.
How can we calculate the ALE
Annual Loss Expectancy is calculated by multiplying the SLE by the ARO (# of losses per year). If I lose six laptops a year worth 1000 each. ALE would be 6000
Why would a company run an annual security awareness training program
Annual Security awareness training advises employees of the risk of using email the internet and posting info on social media websites. It also informs employees of any new risks posed since the last training
What is a gray box pen tester given?
At least one piece of information; normally they get limited information
Who uses AIS and what is its distribution
Automated Indicator Sharing was invented by the US federal government to exchange info about cyber attacks from the state down to the local level
a PEM certificate is in what format
Base64
What type of server would both an SIEM server and a Microsoft domain controller benefit from having installed on a network
Both a SIEM server and a microsoft domain controller using Kerberos authentication are dependent on a NTP server to keep the clock times on the hosts up to date. Otherwise, the SIEM server cannot put events into chronological order and Kerberos clients cannot log in
What is the downside to using two load balancers in an active/active mode
Both of the load balancers are working close to capacity and if one of these load balancers fail, then the users would find that the traffic is slower
For what type of attack would I use the strcpy tool
Buffer overflow attack
What is the driving force of a BIA
Business Impact Analysis is just money; It looks at the financial impact following an event. The loss of earnings, the cost of purchasing new equipment, and regulatory fines are calculated
What are the three portions of a distinguished name and the order that they come in
CN, OU, DC
If BitLocker is checking upon boot up that the software has not been tampered with, what is this known as
Checking the integrity of the software as it is being loaded is known as attestation
What are the three components of CIA
Confidentiality, Integrity, Availability
What is the purpose of code signing
Confirms the application's source of origin Validates the application's integrity
What type of threat actor would demand payment from you or threaten to publish customer information that you hold on social media
Criminal Syndicates would threaten you and demand payment as they are financially driven
What type of attack is a multiple SYN flood attack on a well known website that takes it down
DDoS
Which protocol can i use to prevent DNS poisoning
DNSSEC, which produces RRSIG records
What happens when a users private key becomes corrupt
DRA recovers the data by obtaining a copy of the private key from the key escrow
What type of system is susceptible to a birthday attack
Digital Signatures
Why would a company use two different vendors for their broadband
Diversity, so that if one vendor had a disaster, the other would keep providing the broadband
What type of attack would I use shimming or refactoring for
Driver manipulation attack
What is an embedded electronic system? Give 2 examples
Embedded electronic systems have software embedded into the hardware; some use SoC. Examples are microwave ovens, gaming console, etc.
How can I prevent a pass-the-hash attack?
Enabling Kerberos or disabling NTLM
When I go to a restaurant, how can I protect myself against card cloning
Ensure that the server does not disappear with your card; make sure it is always visible to you
NTP
Ensures that the clock times of all computers/ servers are synced
A company has a leak in the roof, and before it can be repaired, theres heavy rain, resulting in 6 laptops being water damaged. What type of disaster is this
Environmental threat
At what stage of incident response procedures would you reduce the services running on a computer on a domain controller that is infected with malware
Eradication where we remove viruses and reduce the services being used, it should be isolated
What is the difference bw fat, and thin wireless controllers
FAT wireless controller is standalone and it has its own setting and DHCP addresses configured locally Thin wireless controller pushes out the setting to multiple WAPs
What protocol is used to transfer large files remotely
FTPS because it uses two ports: 989/990
Type II in biometric authentication
Failure Acceptance Rate, people that are not permitted to access your network are given access
What type of attack is distributing fake software
Fake software that will not install is a hoax. An email alert telling you to delete a system file as it is a virus is also a hoax.
User Datagram Protocol (UDP)
Faster but less reliable because it is connectionless
FTP
File Transfer Protocol
The Hosts File
Flat file where entries are manually inserted and read from top to bottom
when would you use a private CA
For internal use only
What is the purpose of GDPR
GDPR was developed by the EU to protect an individuals right to privacy
What is tailgating
Gaining unauthorized access to restricted areas by following another person
why would an engineer carry out a site survey prior to installing a wireless network
He would ensure that the WAPs are place where there is no interference.
HVAC
Heating, Ventilation and Air Conditioning
Network Address Translation (NAT)
Hides the internal network from those on the external network
What is home automation?
Home automation is where you can control temperature, lighting, entertainment systems, alarm systems, and many appliances.
What type of IPS protects VMs from attack
Host Based IPS (HIPS)
HTTP
HyperText Transfer Protocol - the protocol used for transmitting web pages over the Internet
What modes would you use a L2TP/IPSec tunnel over the internet and then internally?
IPSec in tunnel mode is used across the internet or external networks, and IPSec in transport mode is used bw hosts internally
Describe how IPSec tunnel mode works
IPSec in tunnel mode is used with an L2TP/IPSec VPN session where both the AH and ESP are encrypted
What can we do to slow down a brute force attack
If account lockout is not available, the best way to slow down a brute-force attack is to make the password length longer or to salt passwords.
If I wanted to back up data to a backup device but at the same time prevent someone from deleting the data, what device do I need to use?
If data is backed up to a Write Once Read Many (WORM) drive, the data cannot be deleted or altered
If i receive an alert that server1 has a virus and i inspect the server and there are no viruses what is this known as
If one of the monitoring systems reports a virus and you manually check and find no virus, this is known as a false positive
If the CRL is going slow, what should I implement?
If the CRL is going slow, an OCSP is used as it provides faster validation.
What would be the benefit to first line support if the company were to adopt CYOD instead of BYOD
If they adopt BYOD, they might have to support hundreds of different devices, but if they adopt CYOD, there would be a limited number of devices to make support easier
What would happen if the last process of the incident response process was not carried out
If we do not carry out lessons learned, the incident may reoccur. Lessons learned is a detective control where we try to identify and address any weaknesses
Name two methods for preventing the replay attack
Input validation and stored procedures (best one)
What category of device are my smart TV and wearable tech
IoT devices
ACK Packet
It acknowledges both kinds of packets and then the data is sent
DHCP
It allocates IP addresses dynamically to computers
Why would I use the scanless tool
It allows anonymous port scanning so that it cannot be traced back to you
What is the benefit of using the Docker tool to protect your registry
It allows you to isolate applications into separate space called containers. The registry can now be isolated in a separate containers, making it more secure
What is the purpose of SSAE
It assists CPA in carrying out the auditing of SOC reports
What is the purpose of a captive portal for a wireless network
It can ask you to agree to an AUP and provide additional validation, such as your email address or facebook or google account details
What is the benefit of network card teaming
It can help load balance the network traffic and provide redundancy if one card fails
Explain the port mirror process and name another device that could be used for the same process
It can make a copy of the data going to the port and divert it to another device for analysis. A tap is another device that can be used for the same purpose. However, a tap is more expensive
SNMP (Simple Network Management Protocol)
It can monitor the status of network devices and provide reports if required
What two things can a wifi Analyzer perform
It can troubleshoot wireless connectivity and discover the SSID inside a packet going to the WAP
what is the purpose of a router
It connects external networks and routes IP packets
Cloud region
It consists of multiple physical location called zones; data can be spread across multiple zones for redundancy
What are the two main reasons why I would receive an APIPA address of 169.254.1.1
It could be resource exhaustion where the DHCP server has run out of IP addresses or it could be network connectivity bw the client and the DHCP server
What is a SOC type 2 report and what is its distribution
It deals with the effectiveness of the control and has limited access as it provides a detailed report about a company
What is the purpose of a network access control? Name the two agents that it uses
It ensures that devices connecting to your network are fully patched. There are two agents: one that is permanent and another that is dissolvable that is for single use
What is the purpose of job rotation
It ensures that employees work in all departments so that if someone leaves at short notice or is ill, cover can be provided. It also ensures that any fraud or theft can be detected.
What is the benefit of introducing a separation of duties in the finance department
It ensures that nobody in the department carried out both parts of a transaction
What is the purpose of using HSTS
It ensures that the web browser only accepts secure connections and prevents XSS
What is the purpose of a privacy notice
It gives consent for data only to be collected and used for one specific purpose
What does the linux permission 764 do
It gives owner read, write, and execute access, the group read and write access, and other users access
What is the purpose of SFlow
It gives you clear visibility of network traffic patterns and can identify malicious traffic
What is the benefit of an HTML 5 VPN
It has no infrastructure to be set up as it uses certificates for encryption
What are the two portions of an IPSec packet
It has the authenticated header that uses either SHA1 or MD5 and an Encapsulated Payload (ESP) that uses DES, 3DES, or AES.
What is the purpose of IOCs
It informs members of their It security community of IP addresses, hashes, or URLs where they have discovered newly released malware
What is an integer overflow attack
It inserts a number larger than what is allowed.
What type of attack is a man in the middle attack
It is a Tojan that intercepts your session bw your browser and the internet; it obtains financial transactions
What is the purpose of a screened subnet and what type of web server is located there
It is a boundary layer that hosts an extranet server; it is sometimes known as the extranet zone. It used to be called the DMZ
What is the purpose of an endpoint protection and response solution
It is a centralized console that continuously monitors the computer and makes automatic alerting when a threat has been detected. It uses machine learning
What is a botnet
It is a group of computers that have been infected so that they can be used to carry out malicious acts without the real attacker being identified; Used for DDoS attack
What is the purpose of SoC
It is a low-power integrated chip that integrates all of the components of a computer or electronic system. An example would be the controller for a defibrillator. Think of it as an operating system stored on a small chip.
What is the purpose of a keylogger
It is a piece of software that could run from a USB flash drive plugged into the back of a computer, which then records all the keystrokes being used. It can capture sensitive data that is typed in, such as bank account details and passwords.
Why would a cybersecurity team change the SSD hard drives in the company's laptop to an Opal drive
It is a self encrypting drive where the encryption keys are stored on the hard drive controller and are therefore immune to a cold boot attack and are compatible with all operating systems. They do not have vulnerabilities of software based encryption. As a hardware solution, they outperform software solutions
What is the MITRE ATT&CK framework used for
It is a spreadsheet that shows groups of adversaries, which can be drilled down to see the attack methods and tools used by them
What type of service is spotify
It is a subcription service where the user pays a monthly fee; it is a pay per use model
Why would someone use Angry IP
It is an IP scanner that would scan an IP range to determine hosts that are active or inactive
What type of IP address 2001:123A:0000:ABC0:00AB:0DCS:0023 and how can we simplify it
It is an IP version 6 address and you can simplify it by changing the leading zeros to 2001:123A::ABC0:AB:DCS:23
What is an on-path attack?
It is an interception attack, for example, a replay or a man in the middle attack
what is the purpose of a switch
It is an internal device connecting computers being used in the same location
What is the purpose of a UPS
It is basically a battery that is a standby device that that when the computer power fails, it kicks in.
As part of application development, when would you apply quality assurance
It is completed during the staging environment where users test the new application with real data
How does an attacker carry out credential harvesting
It is done by a phishing attack where you are warned that you have been hacked, and it gives you a link to the website to resolve it; that way, when they try to login, they collect your details
What is the purpose of an incident response exercise
It is for carrying out the incident response plan and planning for any shortfalls
What is bluejacking
It is hijacking someones bluetooth phone so that you can take control of it and send text messages
What is dead code and how should it be treated
It is never used, but could introduce errors into the program life cycle; it should be removed.
What is the purpose of a web app firewall and where it is normally placed
It is normally installed on a web server as its job is to protect web applications from attack
What is the first stage in risk assessment
It is risk assessment is identifying and classifying an asset. How the asset is treated, accessed, or scored is based on the classification.
What is the purpose of obfuscation
It is taking code and making it obscure so that, if it is stolen, it will not be understood. XOE and ROT13 could be used for this
What is the WAP master password, and how would you protect it
It is the admin password, and it should be encrypted to protect it
Why do we use fingerprinting
It is the deep analysis of a host
What is the purpose of a jump server
It is to allow a remote SSH session to a device or a VM in a screened subnet or the cloud
what is the purpose of a vpn
It is to create a tunnel across unsafe networks from home or a hotel to the workplace.
Why would a company introduce a clean desk policy
It is to ensure that no document containing company data is left unattended overnight.
How does a logic bomb virus work
It is triggered off by an event; for example, a Fourth of July logic bomb would activate when the date on the computer was July 4.
What is implicit deny and which 2 devices does it affect
It is used by both the firewall and the router. If there is no allow rule they get the last rule which is deny all.
What is the purpose of BPA
It is used by companies in a joint venture and it lays out each party's contribution, their rights and responsibilities, how decisions are made, and who makes them.
When would someone use the Harvester tool
It is used to collect the email addresses of a particular domain from search engines such as Google
Explain a phishing attack
It is when a user receives an email asking them to fill in a form requesting their bank details.
What is multiparty risk
It is when someone wins a contract and subcontracts to a third party who could sabotage your systems
What is bluesnarfing?
It is when steal someones contracts from their bluetooth phone
What is the main problem with a race condition when using an application
It is when two threads of an application access the same data
Explain how port security works
It is where a port on a switch is disabled to prevent someone from using a particular wall jack
How is pretexting used in an attack
It is where an attacker manufactures a scenario such as saying there is suspicious activity on their account, and they ask you to confirm your account details so they can steal them
What is tokenization and why is it stronger than encryption
It is where data is replaced by a stateless token and the actual data is held in a vault by a payment provider
Explain input validation and name three types of attacks that this could prevent
It is where data that is in the correct format is validated prior to being inserted into the system. SQL injection, buffer overflow, and integrity overflow are prevented using this
What is a zero-trust network and where is it likely to be used
It is where nothing is trusted., and every user or device must prove their identity before accessing the network. This would be used in the cloud
What is domain hijacking
It is where someone tries to register your domain, access your hosted control panel, and set up a website that is similar to yours
What is an inline NIPS
It is where the incoming traffic passes through and is screened by the NIPS.
What is the purpose of risk transference
It is where the risk is medium to high and you wish to offload the risk to a third party, for example, insuring your car.
Why is operational tech vulnerable to attack
It is where we have removed CCTV standalone systems that were airgapped and we now use a fully integrated solution that is fully connected, leaving them vulnerable
What is an impact assessment
It is where you evaluate the risk of collecting big data and and what tools can be used to mitigate the risk of holding so much data
What is a pivot
It is where you gain access to a network, so that you can launch an attack on a secondary system
What type of attack is session hijacking
It is where your cookies are stolen so that someone can pretend to be you.
Which is the purpose of web caching on a proxy server
It keeps copies of the web pages locally, ensuring faster access to the web pages and preventing the need to open a session to the internet
What is the purpose of a risk register
It lays out all of the risks that a company faces; each risk will have a risk owner who specializes in that area as well as the risk treatment.
What is the purpose of a measured boot
It logs information about the firmware and application and stores this log in the TPM chips. This can be used to check the health status of the host and antimalware can check during the boot process that the software is trustworthy
How does East-West traffic operate
It moves laterally between servers within a data center
Describe how a fileless virus operates
It piggybacks itself onto a legitimate application, and they both launch together. Using malwarebytes would alert you of both launching at the same time
LRS
It replicates 3 copies of your data to a single physical location; this is the cheapest option
SYN/ACK packet
It says what the next packet will be
Which VPN session type would you use on a site-to-site VPN?
It should be used in always-on mode as opposed to dial-on-demand
Type 2 hypervisor
It sits on top of an operating system
Why is tokenization deemed more secure than encryption
It takes sensitive data, such as credit card number, and replaces it with random data, so that it cannot be reversed. Encryption can be reversed
What is a whaling attack
It targets a CEO or a high-level executive in a company.
How does AI tainting help attackers
It uses ML to teach the machine to think like a human and detect attacks. If it is tainted, it will ignore attacks by the attackers
Secrets management
It uses a vault to store keys, passwords, tokens, and SSH keys used for privilege accounts. It uses RSA 2048 bit-key to protect access keys
What is the purpose of the ISO standard 27701
It was developed as a standard as an extension of 27001/27002 to be used for privacy information management
How does the shadow IT threat actor operate and what type of attack could benefit from their actions
It would connect their own computers to your network without your consent and could lead to pivoting
How can I prevent a replay attack in a microsoft environment
Kerberos authentication uses USN and timestamps and can prevent a replay attack, as the USN packets and the timestamps need to be successful
Which secure protocol can be used to prevent a pass-the-hash attack
Kerberos prevents this attack and Kerberos uses AD which stores the passwords in an encrypted database
Most secure tunneling protocol
L2TP/IPSec
What is the most secure VPN tunneling protocol
L2TP/IPSec because it uses AES encryption for the ESP
A system admin is managing a directory service using a protocol that uses TCP port 389. What protocol are they using and which protocol can be used to carry out the same task securely
LDAP uses TCP port 389 and is used to manage directory services. It can be replaced by LDAPS TCP port 636, which is more secure
What is the purpose of MTBF
Mean Time Between Failure (MTBF) is the measurement of the reliability of a system.
What information can be established from an MTTR
Mean Time to Repair is the average time to takes to repair the system, but in the exam, it could be seen as the time to repair a system and not the average time
What is the passive device that sits on your internal network
NIDS
What is a wireless shortrange payment type
Near field communication
What type of device hides the internal network from hackers on the internet
Network Address Translator (NAT)
Which type of IPS is placed behind the firewall as an additional layer of security?
Network based IPS (NIPS)
Would you go to your online banking if you are in a hotel that uses Open Authentication
No because it is not secure
how to identify a certificate
OID
What is data masking
Obscuring data such that it cannot identify a specific person, but remains practically useful.
What type of threat intelligence does the Malware Information Sharing Project provide
Open Source Intelligence (OSINT)
What is the purpose of a SOAR system playbook
Playbooks contain a set of rules to enable the SOAR to take preventative action as an event occurs
Why would a cybersecurity team use the MITRE ATT&CK Framework
Prepare your business against different adversaries. Can see which tactics and techniques they use. take mitigation steps to avoid attacks
What is the purpose of DHCP snooping
Prevent rogue DHCP servers from operating openly on your network
What RAID model has a minimum of three disks? How many disks can it afford to lose?
RAID 5; one
What RAID models has a minimum of four disks
RAID 6
What types of records are created by DNSSEC
RRSIG records for each DNS host and a DNSKEY record used to sign the KSK or ZSK
What is crypto-malware?
Ransomware where the victims hard drive is encrypted and held to ransom; it could also have popups
What is the relationship bw the RPO and the RTO
Recovery Point Object is the acceptable downtime that a company can suffer without causing damage to the company, whereas the Recovery Time Object is the time it takes for the company to return to an operational state - this should be within the RPO
What are the rules of behavior
Rules of behavior are how people should conduct themselves at work to prevent discrimination or bullying.
Telnet
Runs remote commands on devices such as routers but it is in plain text
Which protocol can be used to digitally sign an email between 2 people
S/MIME
What is the purpose of a SCADA system
SCADA systems are industrial control systems used in the refining of uranium, oil, or gas.
What type of network is used by a virtual network so that the route requests are forwarded to a controller
SDN is used in a virtual environment when the routing requests are forwarded to a controller
Which protocol allows a user to put a Skype session on hold, speak to another person, and then come back to the first caller
SIP
What type of attack uses the phase 1=1
SQL injection attack
Which protocol can be used to secure video conferencing
SRTP
If an IT admin uses Telnet to run remote commands on a router, which secure protocol can it be replaced with
SSH
How can I store passwords to prevent a dictionary attack?
Salting password inserts a random value dictionary does not contain random characters
What would happen if i tried to sell my car and sent an email about it to everyone who worked in my company using my Gmail account
Sending an email out to everyone who works in your company using your gmail account is a violation of the AUP and could lead to disciplinary action
During a disaster recovery exercise, the IRP team is given a scenario to respond to. What type of exercise are they likely to carry out
Simulation
When using WPA3-Personal, what replaces the preshared key
Simultaneous Authentication of Equals (SAE) as it is more secure as the password is never transmitted and it is immune to offline attacks
What is the purpose of SLE and how it is calculated
Single Loss Expectancy is the cost of the loss of one item; if I lose a tablet worth 1000, the SLE is 1000
What type of attack is it if I receive an email from my comp CEO, telling me to complete the form attacked by clicking on a link in the email
Social Engineering Authority Attack
One of my bosses asks me to give them information that one of my peers gave them last week. I am not too sure, but I give them the information. What type of attack is this?
Social engineering consensus attack, where the person being attacked wants to be accepted by their peers
One of the junior members of the IT team installs more copies of a piece of software than are allowed by the licenses that the company has purchased. What have they just carried out
Software licensing compliance violation
If I install a freeware program that analyzes my computer and then finds 40,000 exploits and asks me to purchase the full version, what type of attack is this
Subtle form of ransomeware
What type of attack is it if I am in a ATM queue and someone has their phone to one side so that they can film the transaction
Subtle shoulder surfing attack
Cisco TACACS+
TCP Port 49
DNS (Domain Name System)
The Internet's system for converting alphabetic names into numeric IP addresses.
TFTP (Trivial File Transfer Protocol)
The UDP version of a file transfer; not as secure as the files are transferred
if two companies rented offices on the same floor of a building, what could the building admin implement to isolate them from each other
The building admin would normally have companies located in the same physical location connected to the switches. They could provide departmental isolation by using VLANs
What type of file is created when your computer suffers a blue screen of death
The contents of memory are saved in a dump file and this can be used to investigate the event
Say I use the nbtstat -an command and the output shows me the following: IAN <00> IAN <20> What naming convention is used and what format is being shown
The format is NETBIOS, where the name is up to 15 characters long with a service identifier. In this example, the host is called Ian; <00> indicates the workstation service and <20> indicates the server service
If a process does not suffer buffer overflow, but fails within a specified period of time and this causes the process to fail, what method am i using
The real time operating system (RTOS) process data as it comes in without any buffer delays. The process will fail if it is not carried out within a certain period of time
SYN Packet
The sending host informs the receiving host of the number of its next packet
what is the purpose of STP
The spanning tree protocol prevents switches from looping, which slows the switch down
What is the perfect way to set up error handling in an IT system
The user to get generic information but for the log files to include a full description of the error
Why would an auditor look for single items that could cause the failure of whole computer systems
They are measuring BIA as the most important factor to avoid is a single point of failure
If a company suffered a data breach, what would be the impact if one of their customers suffered identity fraud
They are most likely going to be sued by the customer
What should the help desk do when an incident has just been reported?
They identify the incident response plan required and the key personnel that need to be notified
How does an attacker use a malicious USB drive
They leave it inside a company where it can be found. There is only one shortcut, so when the finder puts it into a computer to try and find the owner, they click on the only visible file and get infected. The attacker can now control the computer
How does an invoice attack work
They obtain a legitimate invoice and sends the company reminders that it needs to be paid, but they substitute the bank details with their own
What is the motivation of script kiddie
They want to be on national news and TV as they seek fame
When a developer wants to analyze code when it is running, what type of code analyzer will they use
They will use dynamic code analysis so they can use fuzzing to test the code
Why would you use STIX/TAXII
They work together so that Cyber Threat Intelligence can be distributed over HTTP
What do hackers that use tools from the dark web use to remain anonymous
They would use Tor software, The Onion Router, which has thousands of relays to prevent detection
What is the most secure version of wireless
This is WAP3 as it has AES encryption up to 256 bit, whereas WPA2 only uses 128 bit encryption
Why would someone use the website www.virustotal.com
This is a code repository that holds info about malware signatures and code
Your company has carried out a tabletop exercise followed by a walk through. What type of plan has just been carried out
This is an example of a functional recovery plan
If someone brought their own laptop to be used at work, apart from an on-boarding policy, what other policy should be introduced?
This is called BYOD and this is covered by two policies: the onboarding policy and the Acceptable Use Policy. The AUP lays out how the laptop can be used
open source intelligence
This is legal intelligence that is obtained from the public domain
What is the purpose of Capture the Flag exercises
This is training for both red and blue teams where they capture a flag when they achieve each level of training. When they have completed all levels they are fit to become full blown red or blue team members.
What is load balancing persistence or affinity
This is where the host is sent to the same server for the session
What happens during the containment phase of the disaster recovery process
This is where we isolate or quarantine an infected machine
What happens during the recovery phase of the disaster recovery phase
This is where we put infected machines back online, restore data or reimage desktops
What happens during the eradication phase of the disaster recovery process
This is where we remove malware and turn off services that we do not need
What is IP theft?
This is where your intellectual property has been stolen, like copyright
What mode is an L2TP/IPSec VPN if it encrypts both the header and the payload
This would be IPSec in tunnel mode and would be used externally
What type of hacker might participate in a bug bounty program
This would be a gray hat hacker as he is provided with limited info
What is the purpose of mandatory vacations
To ensure that an employee takes at least five days of holiday and someone provides cover for them; this also ensures that fraud or theft can be detected.
What is certificate pinning used for
To prevent a CA from being compromised and fraudulent certificates being issued
Why should you place your first WAP on channel 1, your second WAP on channel 11 and your third on channel 6
To prevent interference by overlapping the wireless channels
What is the purpose of using SE Android
To segment business data and prevent application outside of the Knox container from accessing resources inside the container
Which protocol protects data in transit
Transport Layer Security (TLS)
What can be installed on a node of a SAN to provide redundancy
Two Host Bus Adaptors on each node will give two separate paths to them
If i misspell a website but I still get there, what type of attack is this
Typosquatting
What is needed for a secure boot - UEFI or BIOS
UEFI is a modern version of BIOS and is needed for secure boot
COPOA
UK law to seek data stored overseas and give their law enforcement faster access to evidence held by providers
The CLOUD Act
US law so that they could obtain evidence from other countries for the purpose of FBI
Name three different categories of incident
Unauthorized access, loss of computers or data, loss of availability, malware attack, DDoS attack, power failure, Natural Disasters, Cybersecurity incidents
What is the firewall that does content filtering, URL filtering, and malware inspection
Unified Threat Management provides value for money
What is a UAV? Give two examples.
Unmanned aerial vehicles are drones or small model aircraft that can be sent to areas where manned aircraft cannot go. They can be fitted with a camera to record events or take aerial phots; ex. determine the spread of forest fire
What three things should I do to protect the data stored on my smartphone
Use screen logs, strong passwords, and use FDE to protect the data at rest
If I am an Android developer, what can I obtain from the internet to help me make an application and get it to market quickly?
Using a third party library will help a developer obtain code from the internet to help make an application and get it to market quickly. There are many for Android and Javascript
How can I prevent an attack by a rogue WAP
Using an 802.1x authentication switch can prevent an attack by a rogue WAP, as the device needs to authenticate itself to attach to the switch.
What type of authentication is the most prone to errors
Using passwords for authentication is more prone to errors as certs and smart cards dont tend to have many errors
How can I prevent a SQL injection attack other than input validation
Using stored procedures
Give an example of embedded systems that can be used with vehicles
Vehicles that are either self parking or self driving
What two groups of ppl might use a guest wireless network
Visitors and employees on their lunch breaks
What is the weakest version of wireless encryption
WEP bc it only has 40 bit encryption
What is the most secure version of WPA2
WPA2-CCMP as it uses AES encryption that is 128 bits
If a friend comes to visit me in my house and asks for the wireless password, what am I giving them
We are giving them the Pre-Shared Key (PSK)
What is the purpose of secure cookies
We can set the secure flag on a website to ensure that cookies are only downloaded when there is a secure HTTPS session
What is the purpose of risk avoidance
When a risk is deemed too dangerous or high risk and could end in loss of life or financial loss, we would treat the risk with risk avoidance and avoid the activity
What is the purpose of the security team controlling the HVAC in a data center
When a security team controls the HVAC in a data center, they can ensure that the temp is regulated and the servers remain available. They also know which rooms are occupied based on the use of air conditioning and electricity
What is the authentication protocol that uses tickets and prevents replay attacks
When using Kerberos authentication, a TGT session is established, where the user obtains an encrypted ticket. Kerberos uses USN and timestamps to prevent replay attacks.
ZRS
Where 3 copies of the data are replicated to three separate zones within your region
Cleanup phase
Where the systems are returned back to the original state
How do I access a wireless network if I use WPS and what type of attack is it vulnerable against
With WPS, you push the button to connect to the wireless network, it is susceptible to a brute force attack as it has a password stored on a device
What is a certificate known as:
X509 Certificate
What does a CA sign
X509 certificates
What type of attack uses HTML tags with JavaScript
XSS uses HTML tags with JavaScript.
How can i tell whether my laptop fails to get an IP address from a DHCP server
You cannot get an IP address from a DHCP server, you would receive a 169.254.x.x IP address. This is known as APIPA. This could be caused by network connectivity or resource exhaustion
How can we keep company data separate from personal data on a cell phone that is being used as a BYOD device so that offboarding is easy to achieve
You could segment the data using storage segmentation or containerization
If I am staying in a hotel and their wifi is not working, how can i get access to the internet
You could use your phone as a hotspot
How can i prevent someone from accessing a medical centers network by plugging their laptop into a port in the waiting room
You should enable port security, where you turn the port off the switch. This will prevent further use of the wall jack
If my cell phone has been lost or stolen, what should be done using MDM
You should remote wipe it
How can i prevent someone from plugging a rogue access point to my network
You would enable 802.1x on the switch itself. 802.1x ensures that the device is authenticated before being able to use the port
What type of exploit has no patches and cannot be detected by NIDS or NIPS
Zero-day virus
hybrid cloud
a computer is using a mixture of on-prem and the cloud
DNS Server
a computer or a group of computers that maintain a database to enable a computer to know the IP address of a URL
what is an air gap
a computer or device has no physical connections such as wifi or ethernet cable
what does a PGP use
a trust model known as a web of trust
What is an evil twin?
a wireless access point with the same SSID as the legitimate access point
how to prevent brute force attacks
account lockdown with low value
what are corrective controls?
actions you take to recover from an incident
What are the four key elements of the Diamond Model of Intrusion Analysis framework
adversary, capabilities, infrastructure, and victims
FAR
allows unauthorized user access
Elasticity
allows you to increase and decrease cloud resources as you need them
What happens in the IKE phase of a VPN session?
an IPSec session, Diffie Hellman using UDP Port 500 sets up a secure session before the data is transferred.
privilege account
an account with administrative rights
What is social engineering
an attack in which the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information such as passwords
password vault
application that stores passwords using AES-256 encryption and it is only as secure as the master key
what is stage C of cloud forensic process
ascertain the type of tech behind the cloud
Dynamic KBA
asks you details about your account that are not previously stored questions
DH
asymmetric technique that creates a secure tunnel
account recertification
audit of user accounts and permissions that is usually carried out by an auditor
federated services
authentication method that can be used by two third parties; it uses SAML and extended attributes
When can I use curl or nmap
banner grabbing
Name two tools that can be used for key stretching
bcrypt and PBKDF2
Two key stretching algorithms
brypt and PBKDF2
when would you use a public CA
business to business activities
SIEM System
carry out activity monitoring and notify the administrative of any changes to user accounts
Name three types of mobile device connection methods
cellular, wireless, bluetooth
Unified Threat Management (UTM)
comprehensive security management tool that combines multiple security tools, including firewalls, virtual private networks, intrusion detection systems, and web content filtering and anti-spam software
VPN solution
creates secure connection from remote location to your corporate network
What are the four stages of the information life cycle
creation, use, retention, and disposal
What tools can I use as a sandbox to analyze files for malware
cuckoo
SaaS (Software as a Service)
customer application written by a vendor and you cannot migrate it
researching an incident requires what?
detective controls where all of the evidence is gathered
what do you do when when somebody leaves the company
disable their account and reset the password
How can an attacker find the DNS records from your domain
dnsenum tool
data at rest on usb flash drive
done via full disk encryption
AES-256
encrypt a military mobile telephone
what is ECC used for
encrypt data on a smartphone as it is small and fast and uses the DH handshake
symmetric encryption
encrypt large amounts of data as it uses one key
streams
encrypt one bit at a time
CASB
ensures policies between on-prem and cloud are enforced
Salting a password
ensures that duplicate passwords are never stored and makes things more difficult for attacks by increasing the key size
perfect forward secrecy
ensures that there is no link bw the servers private key and the session key. if vpn servers key is compromised, it cannot decrypt the session
Hashing
ensures the integrity of data; sha-1 and md5
session key
ensures the security of communications bw a computer and a server or a computer and another computer
DHE and ECDHE
ephemeral keys that are short lived, one time keys
What types of disks does a SAN use
fast disks, such as SSDs
Where will a diskless virtual host access its storage?
from an SAN
Diskless virtual host
get its disk space from an SAN
Credential vulnerability
has the most permissions; has the ability to audit, scan documents, check account information, check certificates, provide accurate information
What provides data integrity where it is measured before and after accessing the data
hashing
If i want to find out what attack methods a potential hacker is using, what do i need to set up
honeypot
two types of name resolution
hostname revolution = most common NETBIOS = legacy name resolution that is rarely used
What is an example of cloud storage available to a personal user
iCloud, google drive, microsoft, onedrive, or dropbox
What type of attack could involve dressing up as a police officer
impersonation attack
Name three different roles required to deal with an incident
incident response manager: a top level manager takes charge security analyst: provides tech support for the incident IT auditor: checks that the company is compliant Risk analyst: Evaluates all aspects of risk HR: Sometimes, employees are involved in the incident Legal: Gives advice and makes decisions on legal issues public relations: Deals with the press to reduce the impact on the companys reputation
LDAP (Lightweight Directory Access Protocol)
insecure version that creates, stores, manages objects in directory services
what is the best way to control entry into a data center
install a mantrap
Infrastructure as a Service (IaaS)
install the operating systems and patch the machines. The CSP provides bare-metal computers
fog computing
intermediary between the device and the cloud; allows data to be processed closer to the device; reduces latency and cost
what is the purpose of the VPN concentrator
is to set up the secure session for a VPN.
Why are the roles and responsibilities of the IRP team important
it can make them more effective when a disaster happens
what does a CA have
it has a root certificate, which it uses to sign keys
What is the defense in depth model
it has multiple layers to protect data and resources
hash
it is one way and cannot be reversed
where do you store CA when not in use
keep it offline when it is not in use
first stage in encryption
key exchange
What is the last phase of the incident response process
lessons learned where we review why the incident was successful
rainbow tables
list of precomputed words showing their hash values. you will get rainbow tables for md5 and different rainbow tables for sha-1
obfuscation
make the source code look obscure so that if it is stolen, it cannot be understood. it masks the data and could use either XOR or ROT13 to obscure the data
POODLE
man in the middle attack on a downgraded SSL 3.0
what are the three control categories
managerial, operational, and physical
collision attack
match two hash values to obtain a password
Diameter
more modern server form of RADIUS that is TCP based and uses EAP
public cloud
multi tenant
smart card
multi-factor as the card is something you have, and inserting it into a card reader is something you do, and the PIN is something you know
CBC
needs all of the blocks of data to decrypt the data
certificate signing request
new certificate request
password history
number of passwords you can use before you can reuse your current password
HOTP
one time password that does not expire until it is used
Kerberos authentication protocol
only one that uses tickets; uses timestamps/updated sequence numbers to prevent replay attacks; does not use NLTM to prevent pass the hash attacks
examples of single-factor
password, pin, date of birth
community cloud
people from the same industry, such as a group of lawyers, design and share the cost of a bespoke application and its hosting, making it cost effective
encryption
plain text is taken and turned into a ciphertext
IEE802.1x
port based authentication that authenticates users and devices
What is the first phase of the incident response process and what happens there
preparation phase where the plan is already written in advance of any attack
DLP
prevents sensitive or PII information from being emailed out of a company or being stolen
What is least privilege
process of giving an employee the minimal permissions to perform their job
Ticket-Granting Ticket (TGT)
process where user logs in to a AD domain using kerberos authentication and receives a service ticket
data at rest
protected by FDE; stored on a database in background server so it needs database encryption
data in use
protected by full memory encryption
digital signature
provides both integrity and non-repudiation
FRR
rejects authorized user access
CSP
responsible for the hardware fails
key stretching
salts the password being stored so that duplicate passwords are never stored, and it also increases the length of keys the make things harder for brute force attack
data in transit
secured by using TLS, HTTPS, or L2TP/IPSec Tunnel
time-based one-time password (TOTP)
short life span of 30-60 seconds
CAC
similar to a smart card as it uses certificates, but it is used by the military and has a picture and the details of the user on the front, as well as their blood group and geneva convention category on the reverse side
code signing software
similar to hashing the software and ensuring the integrity of the software
private cloud
single tenet setup where you own the hardware
shibboleth
small, open source federation services protocol
What are used in conjunction with PIN
smart card, CAC card, or PIV card
What is the fastest backup solution
snapshot
What type of attack is it if a fireman arrives and then you let them into a server room to put out a fire
social engineering urgency attack
White box tester can access what
source code
key escrow
stores and manages private keys for third parties
AES
strongest encryption for L2TP/IPSec VPN tunnel
block ciphers
take blocks of data; will be used for large amounts of data
what does an architect build
the CA or intermediary authorities
distributive allocation
the load is spread evenly across a number of resources, ensuring no one resource is over utilized. ex. load balancer
major benefit of public cloud
there is no capital expenditure
what does a data owner do (dac)
they decide who has access to data
what does the data administrator do (mac)
they grant access to data
What does a data custodian do (mac)
they store and manage data
What is the most likely way an attack would gain control of an MFP
through its network interface
What is the purpose of MAC filtering
to allow or deny a connection based on the client's Media Access Control (MAC) address.
why are firewall rules designed
to mitigate risk and they are technical controls
how many accounts should system administrator have
two
What is a bridge trust model
two separate PKI entities want to set up cross-certification, the root CAs would set up a trust model between themselves
service account
type of administrative account that allows apps to have a higher level of privileges to run on desktop/server.
Certificate Authority
ultimate authority as it holds the master key (root key)
complex password uses three what
uppercase, lowercase, and non programming special characters
extended validation
used by financial institutions as it provides a much higher level of trust for X509; url background turns green
Hardware Security Module (HSM)
used by the key escrow as it securely stores and manages certificates
Subject Alternative Name (SAN)
used on multiple domains
wildcard certificate
used on multiple servers in same domain
Steganography
used to conceal data
Certificate Revocation List
used to determine whether a certificate is valid
encryption is used for what
used to protect data so that it cannot be reviewed or accessed
credential manager
used to store generic and windows 10 accounts. the user therefore does not have to remember the account details
Lightweight Directory Access Protocol (LDAP)
used to store objects in X500 format and search AD objects such as users, printers, groups, or computers
PAP authentication
uses a password in clear text; captured easily by a packet sniffer
What type of attack can include leaving a voicemail
vishing attack
DES
weakest encryption for L2TP/IPSec VPN tunnel
Certificate Stapling
where a web server uses an OCSP for faster certificate authentication, bypassing the CRL
What is rule-based access control
where the access is applied to the whole department
availability
where the data is available
Confidentiality
where the data is encrypted; preventing other people from viewing the data
integrity
where the data uses hashes
What benefit does WPA3 bring to IoT devices
wifi Easy Connect makes it very easy to connect IoT devices such as a smartphone by simply using a QR code
When using WPA3 wireless, what replaces WPA2-Open Authentication
wifi enhanced open is the WPA3 equivalent of Open Systems Authentication; it does not use a password and prevents easedropping
How close does an attacker need to be for an NFC attack
within 4 cm of a card
If a company has suffered several threats of company laptops, what could you use to prevent further threats
you could tag the laptops and set up geofencing to prevent thefts. RFID is another option
on-prem
you own the building and work solely from there
biometric authentication
you use part of your body or voice for authentication
