CIST 2601 Final
In which situation is an asymmetric key algorithm used?
A network administrator connects to a Cisco router with SSH. *The SSH protocol uses an asymmetric key algorithm to authenticate users and encrypt data transmitted. The SSH server generates a pair of public/private keys for the connections. Encrypting files before saving them to a storage device uses a symmetric key algorithm because the same key is used to encrypt and decrypt files. The router authentication with CHAP uses a symmetric key algorithm. The key is pre-configured by the network administrator. A VPN may use both an asymmetric key and a symmetric encryption algorithm. For example in an IPSec VPN implementation, the data transmission uses a shared secret (generated with an asymmetric key algorithm) with a symmetric encryption algorithm used for performance.
Which two statements are characteristics of a virus? (Choose two.)
A virus typically requires end-user activation. A virus can be dormant and then activate at a specific time or date. *The type of end user interaction required to launch a virus is typically opening an application, opening a web page, or powering on the computer. Once activated, a virus may infect other files located on the computer or other computers on the same network.
Because of implemented security controls, a user can only access a server with FTP. Which AAA component accomplishes this?
Authorization. *One of the components in AAA is authorization. After a user is authenticated through AAA, authorization services determine which resources the user can access and which operations the user is allowed to perform.
Which two statements describe access attacks? (Choose two.)
Buffer overflow attacks write data beyond the allocated buffer memory to overwrite valid data or to exploit systems to execute malicious code. Password attacks can be implemented by the use of brute-force attack methods, Trojan horses, or packet sniffers. *An access attack tries to gain access to a resource using a hijacked account or other means. The five types of access attacks include the following:password - a dictionary is used for repeated login attempts
How might DNS be used by a threat actor to create mayhem?
Collect personal information and encode the data in outgoing DNS queries.. *Malware could be used by a threat actor to collect stolen encoded data, decode it, and then gain access to corporate data such as a username/password database.
Which protocol translates a website name such as www.cisco.com into a network address?
DNS. *Domain Name Service translates names into numerical addresses, and associates the two. DHCP provides IP addresses dynamically to pools of devices. HTTP delivers web pages to users. FTP manages file transfers.
Which two roles are typically performed by a wireless router that is used in a home or small business? (Choose two.)
Ethernet switch, access point. *In addition to its roles as router, a typical SOHO wireless router acts as both a wireless access point and an Ethernet switch. RADIUS authentication is provided by an external server. A WLAN controller is used in enterprise deployments to manage groups of lightweight access points. A repeater is a device that enhances an incoming signal and retransmits it.
Why would a network administrator choose Linux as an operating system in the Security Operations Center (SOC)?
It can be acquired at no charge.. *There are several reasons why Linux is a good choice for the SOC.Linux is open source.
Which statement describes the policy-based intrusion detection approach?
It compares the operations of a host against well-defined security rules. *With the anomaly-based intrusion detection approach, a set of rules or policies are applied to a host. Violation of these policies is interpreted to be the result of a potential intrusion.
How is a source IP address used in a standard ACL?
It is the criterion that is used to filter traffic. *The only filter that can be applied with a standard ACL is the source IP address. An extended ACL is used to filter on such traffic as the source IP address, destination IP address, type of traffic, and type of message.
What are two advantages of the NTFS file system compared with FAT32? (Choose two.)
NTFS provides more security features. NTFS supports larger partitions. *The file system has no control over the speed of access or formatting of drives, and the ease of configuration is not file system-dependent.
According to NIST, which step in the digital forensics process involves preparing and presenting information that resulted from scrutinizing data?
Reporting. *NIST describes the digital forensics process as involving the following four steps:
What is a difference between symmetric and asymmetric encryption algorithms?
Symmetric encryption algorithms use pre-shared keys. Asymmetric encryption algorithms use different keys to encrypt and decrypt data. *Asymmetric algorithms can use very long key lengths in order to avoid being hacked. This results in the use of significantly increased resources and time compared to symmetric algorithms.
A technician notices that an application is not responding to commands and that the computer seems to respond slowly when applications are opened. What is the best administrative tool to force the release of system resources from the unresponsive application?
Task Manager. *Use the Task Manager Performance tab to see a visual representation of CPU and RAM utilization. This is helpful in determining if more memory is needed. Use the Applications tab to halt an application that is not responding.
Which statement identifies an important difference between the TACACS+ and RADIUS protocols?
The TACACS+ protocol allows for separation of authentication from authorization. *One key difference between TACACS+ and RADIUS protocols is that TACACS+ provides flexibility by separating authentication and authorization processes. RADIUS, on the other hand, combines authentication and authorization as one process.
In a networking class, the instructor tells the students to ping the other computers in the classroom from the command prompt. Why do all pings in the class fail?
The Windows firewall is blocking the ping. *Unsuccessful pings usually indicate a network problem which eliminates the virus option. In this case computers in the same classroom would also be on the same network. Port 25 is used used by the email SMTP protocol, not by ping.
What two assurances does digital signing provide about code that is downloaded from the Internet? (Choose two.)
The code is authentic and is actually sourced by the publisher. The code has not been modified since it left the software publisher. *Digitally signing code provides several assurances about the code:
Which scenario is probably the result of activities by a group of hacktivists?
The internal emails related to the handling of an environmental disaster by a petroleum company appear on multiple websites. *Hacktivists are typically hackers who protest against a variety of political and social ideas. Hacktivists publicly protest against organizations or governments by posting articles and leaking sensitive information. Accessing school database and changing grades is probably made by a few script kiddies. Offers from someone to restore data for a hefty fee is a ransomware attack. Attacking the major power grid is typically conducted by a government.
What is a network tap?
a passive device that forwards all traffic and physical layer errors to an analysis device. *A network tap is used to capture traffic for monitoring the network. The tap is typically a passive splitting device implemented inline on the network and forwards all traffic, including physical layer errors, to an analysis device.
A threat actor has gained administrative access to a system and achieved the goal of controlling the system for a future DDoS attack by establishing a communication channel with a CnC owned by the threat actor. Which phase in the Cyber Kill Chain model describes the situation?
action on objectives. *The Cyber Kill Chain specifies seven steps (or phases) and sequences that a threat actor must complete to accomplish an attack:
What commonly motivates cybercriminals to attack networks as compared to hactivists or state-sponsored hackers?
financial gain. *Cybercriminals are commonly motivated by money. Hackers are known to hack for status. Cyberterrorists are motivated to commit cybercrimes for religious or political reasons.
A network security professional has applied for a Tier 2 position in a SOC. What is a typical job function that would be assigned to a new employee?
further investigating security incidents. *In a typical SOC, the job of a Tier 2 incident responder involves deep investigation of security incidents.
As described by the SANS Institute, which attack surface includes the use of social engineering?
human attack surface. *The SANS Institute describes three components of the attack surface:
Which type of data would be considered an example of volatile data?
memory registers. *Volatile data is data stored in memory such as registers, cache, and RAM, or it is data that exists in transit. Volatile memory is lost when the computer loses power.
Which two net commands are associated with network resource sharing? (Choose two.)
net use, net share
What is a function of SNMP?
provides a message format for communication between network device managers and agents. *SNMP is an application layer protocol that allows administrators to manage devices on the network by providing a messaging format for communication between network device managers and agents.
Which Windows Event Viewer log includes events regarding the operation of drivers, processes, and hardware?
system logs. *By default Windows keeps four types of host logs:
Refer to the exhibit. A network security specialist issues the command tcpdump to capture events. What does the number 6337 indicate?
the process id of the tcpdump command. *After the tcpdump command is issued, the device displays the message, [1] 6337. The message indicates that the process with PID 6337was sent to the background.
Which three technologies should be included in a security information and event management system in a SOC? (Choose three.)
threat intelligence, security monitoring, vulnerability tracking. *Technologies in a SOC should include the following:Event collection, correlation, and analysis
Why would threat actors prefer to use a zero-day attack in the Cyber Kill Chain weaponization phase?
to avoid detection by the target. *When a threat actor prepares a weapon for an attack, the threat actor chooses an automated tool (weaponizer) that can be deployed through discovered vulnerabilities. Malware that will carry desired attacks is then built into the tool as the payload. The weapon (tool plus malware payload) will be delivered to the target system. By using a zero-day weaponizer, the threat actor hopes that the weapon will not be detected because it is unknown to security professionals and detection methods are not yet developed.
Which two characteristics describe a worm? (Choose two.)
travels to new computers without any intervention or knowledge of the user, is self-replicating. *Worms are self-replicating pieces of software that consume bandwidth on a network as they propagate from system to system. They do not require a host application, unlike a virus. Viruses, on the other hand, carry executable malicious code which harms the target machine on which they reside.
Which two services are provided by the NetFlow tool? (Choose two.)
usage-based network billing, network monitoring. *NetFlow efficiently provides an important set of services for IP applications including network traffic accounting, usage-based network billing, network planning, security, denial of service monitoring capabilities, and network monitoring.
Which method can be used to harden a device?
use SSH and disable the root account access over SSH. *The basic best practices for device hardening are as follows:
What is the responsibility of the human resources department when handling a security incident?
Apply disciplinary measures if an incident is caused by an employee. *The human resources department may be called upon to perform disciplinary measures if an incident is caused by an employee.
Which technique is necessary to ensure a private transfer of data using a VPN?
Encryption. *Confidential and secure transfers of data with VPNs require data encryption.
How do cybercriminals make use of a malicious iFrame?
The iFrame allows the browser to load a web page from another source. *An inline frame or iFrame is an HTML element that allows the browser to load a different web page from another source.
What are three responsibilities of the transport layer? (Choose three.)
meeting the reliability requirements of applications, if any. identifying the applications and services on the client and server that should handle transmitted data. multiplexing multiple communication streams from many users or applications on the same network. *The transport layer has several responsibilities. Some of the primary responsibilities include the following:
Which Linux command could be used to discover the process ID (PID) for a specific process before using the kill command?
ps