Security + Test 3
Which of the following ports should you block at the firewall if you want to prevent a remote login to a server from occurring?
22 - SSH is used for remote admin and file copying Explain: 21: FTP used to transfer files over 20 and 21 80: HTTP provides web content to browsers 143: IMAP provides client with means to access emails stored in a mailbox on a remote server
You work as the incident response team lead at Fail to Pass Systems. Sierra, a system administrator, believes an incident has occurred on the network and contacts the SOC. At 2:30 am, you are woken up by a phone call from the CEO of Fail to Pass stating an incident has occurred and that you need to solve this immediately. As you are getting dressed to drive into the office, your phone rings again. This time, the CIO starts asking you a lot of technical questions about the incident. The first you heard of this incident was 5 minutes ago from the CEO, so you don't have the answers to the CIO's questions, yet. Based on this scenario, which of the following issues needs to be documented in your lessons learned report once this incident is resolved?
A call list/escalation list Exp: Think about a disciplined approach to incident response
A cybersecurity analyst is working at a college that wants to increase its network's security by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements?
Active Scanning engine installed on the enterprise console
A small business recently experienced a catastrophic data loss due to flooding from a recent hurricane. The customer had no backups, and flooding destroyed all of the hardware associated with the small business. As part of the rebuilding process, the small business contracts with your company to help create a disaster recovery plan to ensure this never reoccurs again. Which of the following recommendations should you include as part of the disaster recovery plan?
Backups should be conducted to a cloud-based storage solution
You have been asked to determine if Dion Training's web server is vulnerable to a recently discovered attack on an older version of SSH. Which technique should you use to determine the current version of SSH running on their web server?
Banner Grabbing Explanation: Fastest and most accurate way Banner usually contains the server's operating system and the version number of the service (SSH) being run
Lamont is in the process of debugging a software program. As he examines the code, he discovers that it is miswritten. Due to the error, the code does not validate a variable's size before allowing the information to be written into memory. Based on Lamont's discovery, what type of attack might occur?
Buffer overflow Exp: when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold
A hacker successfully modified the sale price of items purchased through your company's website. During the investigation that followed, the security analyst has verified the web server, and the Oracle database was not compromised directly. The analyst also found no attacks that could have caused this during their log verification of the Intrusion Detection System (IDS). What is the most likely method that the attacker used to change the items' sale price?
Changing hidden form values
Which of the following describes the overall accuracy of a biometric authentication system?
Crossover error rate
A financial services company wants to donate some old hard drives from their servers to a local charity. The hard drives used in the servers are self-encrypting drives. Still, they are concerned about the possibility of residual data being left on the drives. Which of the following secure disposal methods would you recommend the company use?
Cryptographic erase Explanation: CE, storage media is encrypted by default, The encryption key is destroyed during erasing, A feature of self-encrypting drives and is often used w/ solid state devices Zero-fill not reliable for SSDs and hybrid drives (Overwrite in same category) because can be accessed still Secure erase sanitizes flash-based devices
Which law requires government agencies and other organizations that operate systems on behalf of government agencies to comply with security standards?
FISMA (Federal Information Security Management Act) Exp: COPPA - Children under 13 HIPPA - Health info SOX - public company boards, mgmt, public accounting firms
Your intrusion detection system has produced an alert based on its review of a series of network packets. After analysis, it is determined that the network packets did not contain any malicious activity. How should you classify this alert?
False Positive Exp: occurs when an alert is triggered (the system believes malicious activity occurred) when there is no malicious activity involved.
Vulnerability scans must be conducted continuously to meet regulatory compliance requirements for the storage of PHI. During the last vulnerability scan, a cybersecurity analyst received a report of 2,592 possible vulnerabilities and was asked by the Chief Information Security Officer (CISO) for a plan to remediate all the known issues. Which of the following should the analyst do next?
Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first
You just received a notification that your company's email servers have been blocklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails?
Full email header from of the spam messages
Which of the following security controls provides Windows system administrators with an efficient way to deploy system configuration settings across many devices?
GPO Exp: Used for MS (Windows) Patch management is the process of distributing and applying updates to the software to prevent vulnerabilities from being exploited by an attacker or malware.
If you cannot ping a target because you are receiving no response or a response that states the destination is unreachable, then ICMP may be disabled on the remote end. If you wanted to elicit a response from a host using TCP, what tool would you use?
Hping (assembles and sends custom ICMP, UDP, or TCP packets and then displays any replies) Exp: Ptunnel is used as a covert channel, not to elicit a response from a host using TCP.
A competitor recently bought Dion Training's ITIL 4 Foundation training course, transcribed the video captions into a document, re-recorded the course exactly word for word as an audiobook, then published this newly recorded audiobook for sale on Audible. From Dion Training's perspective, how would you BEST classify this situation?
IP theft Exp: IP stand for intellectual property (not IP address lol)
Your company just launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out, and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours, and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system?
Implement an allow list
In 2014, Apple's implementation of SSL had a severe vulnerability that, when exploited, allowed an attacker to gain a privileged network position that would allow them to capture or modify data in an SSL/TLS session. This was caused by poor programming in which a failed check of the connection would exit the function too early. Based on this description, what is this an example of?
Improper error handling
A corporate workstation was recently infected with malware. The malware was able to access the workstation's credential store and steal all the usernames and passwords from the machine. Then, the malware began to infect other workstations on the network using the usernames and passwords it stole from the first workstation. The IT Director has directed its IT staff to develop a plan to prevent this issue from occurring again. Which of the following would BEST prevent this from reoccurring?
Install an anti-virus or anti-malware solution that uses heuristic analysis
Dion Training has added a salt and cryptographic hash to their passwords to increase the security before storing them. To further increase security, they run this process many times before storing the passwords. What is this technique called?
Key stretching Exp: used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources it takes to test each possible key
Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, how it was remediated, the effectiveness of the incident response, and any identified gaps that might require improvement?
Lessons learned
Which protocol is paired with OAuth2 to provide authentication of users in a federated identity management solution?
OpenID Connect Exp: OAuth 2 is explicitly designed to authorize claims and not to authenticate users. The implementation details for fields and attributes within tokens are not defined. Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields.
During your review of the firewall logs, you notice that an IP address from within your company's server subnet had been transmitting between 125 to 375 megabytes of data to a foreign IP address overnight each day. You have determined this has been occurring for approximately 5 days, and the affected server has since been taken offline for forensic review. Which of the following is MOST likely to increase the impact assessment of the incident?
PII of company employees and customers was exfiltrated
Your company has decided to move all of its data into the cloud. Your company is small and has decided to purchase some on-demand cloud storage resources from a commercial provider (such as Google Drive) as its primary cloud storage solution. Which of the following types of clouds is your company using?
Public
Taylor needs to sanitize hard drives from some leased workstations before returning them to a supplier at the end of the lease period. The workstations' hard drives contained sensitive corporate data. Which is the most appropriate choice to ensure that data exposure doesn't occur during this process?
Purge, validate, and document the sanitization of the drives Exp: Clearing them leaves the possibility that some tools would allow data recovery.
You are working as part of the server team for an online retail store. Due to the upcoming holidays, your boss is worried that the current servers may not be able to handle the increased demand during a big sale. Which of the following cloud computing concepts can quickly allow services to scale upward during busy periods and scale down during slower periods based on the changing user demand?
Rapid elasticity
You are investigating a suspected compromise. You have noticed several files that you don't recognize. How can you quickly and effectively check if the files have been infected with malware?
Submit the files to an open-source intelligence provider like VirusTotal
You are conducting an intensive vulnerability scan to detect which ports might be open to exploitation. During the scan, one of the network services becomes disabled and impacts the production server. Which of the following sources of information would provide you with the most relevant information for you to use in determining which network service was interrupted and why?
Syslog Exp: a centralized log management solution. By looking through the Syslog server's logs, the technician could determine which service failed on which server since all the logs are retained on the Syslog server from all the network devices and servers. Firewall logs would only help determine why the network connectivity between a host and destination may have been disrupted.
William would like to use full-disk encryption on his laptop. He is worried about slow performance, though, so he has requested that the laptop have an onboard hardware-based cryptographic processor. Based on this requirement, what should William ensure the laptop contains?
TPM
You need to determine the best way to test operating system patches in a lab environment before deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches before deployment?
Virtualization
You are troubleshooting an issue with a Windows desktop and need to display the machine's active TCP connections. Which of the following commands should you use?
netstat Exp: used to display active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols) on a Windows machine
