CS333- Midterm

After a poorly handled security breach, a company updates its security policy to include an improved incident response plan. Which of the following security controls does this update address? 1. Corrective 2. Compensating 3. Deterrent 4. Detective

1

A Certificate Revocation List (CRL) has a publish period set to 24 hours. Based on the normal procedures for a CRL, what is the most applicable validity period for this certificate? 1. 26 hours 2. 1 hour 3. 23 hours 4. 72 hours

1. 26 hours

An Internet Service Provider's (ISP) customer network is under a Distributed Denial of Service (DDoS) attack. The ISP decides to use a blackhole as a remedy. How does the ISP justify their decision? 1. A blackhole drops packets for the affected IP address(es) and is in a separate area of the network that does not reach any other part of the network. 2. A blackhole makes the attack less damaging to the ISP's other customers and continues to send legitimate traffic to the correct destination. 3. A blackhole routes traffic destined to the affected IP address to a different network. Here, the ISP can analyze and identify the source of the attack, to devise rules to filter it. 4. A blackhole is preferred, as it evaluates each packet in a multi-gigabit stream against an Access Control List (ACL) without overwhelming the processing resources.

1. A blackhole drops packets for the affected IP address(es) and is in a separate area of the network that does not reach any other part of the network.

Evaluate how identification and authentication are distinct in their functions. Which of the following scenarios best illustrates a user being authenticated? 1. A user accesses a system by having their face scanned. 2. A system administrator sets up a user account for a new employee after HR sends employment verification. 3. An administrator sends an initial password to a new telecommuting employee through a VPN. 4. A user is assigned an SID.

1. A user accesses a system by having their face scanned.

Which statement best illustrates the importance of a strong true random number generator (TRNG) or pseudo-random number generator (PRNG) in a cryptographic implementation? 1. A weak number generator leads to many published keys sharing a common factor. 2. A weak number generator creates numbers that are never reused 3. A strong number generator creates numbers that are never reused. 4. A strong number generator adds salt to encryption values

1. A weak number generator leads to many published keys sharing a common factor.

Which of the following statements summarizes a disadvantage to performing an active vulnerability scan? (Select all that apply.) 1. Active scanning consumes more network bandwidth. 2. Active scanning runs the risk of causing an outage. 3. Active scanning will identify all of a system's known vulnerabilities. 4. Active scanning techniques do not use system login.

1. Active scanning consumes more network bandwidth. 2. Active scanning runs the risk of causing an outage.

Analyze the following scenarios and determine which cases call for account disablement over account lockout. (Select all that apply.) 1. Audit logs reveal suspicious activity on a privileged user's account. 2. A user's company laptop and key fob are stolen at an airport. C. 3. A user enters an incorrect password multiple times. 4. A privileged user attempts to log onto a company server outside of authorized hours.

1. Audit logs reveal suspicious activity on a privileged user's account. 2. A user's company laptop and key fob are stolen at an airport. C.

A manufacturing company hires a pentesting firm to uncover any vulnerabilities in their network with the understanding that the pen tester receives no information about the company's system. Which of the following penetration testing strategies is the manufacturing company requesting? 1. Black box 2. Sandbox 3. Gray box 4. White box

1. Black box

Which of the following password cracker attacks are combined to create a typical hybrid password attack? (Select all that apply.) 1. Brute force 2. Dictionary 3. Salt 4. PTH

1. Brute force 2. Dictionary

A network administrator uses an automated vulnerability scanner. It regularly updates with the latest vulnerability feeds. If the system regularly performs active scans and returns the presence of vulnerabilities when they do not exist, what type of error is the system most likely making? 1. False positive 2. False negative 3. Validation error 4. Configuration error

1. False positive

Consider biometric methods that are used to authenticate a user. Knowing that errors are possible, which of the following would most likely result in a security breach? 1. False positive 2. False negative 3. A low Crossover-Error-Rate (CER) 4. A low throughput

1. False positive

A company has an annual contract with an outside firm to perform a security audit on their network. The purpose of the annual audit is to determine if the company is in compliance with their internal directives and policies for security control. Select the broad class of security control that accurately demonstrates the purpose of the audit. 1. Managerial 2. Technical 3. Physical 4. Compensating

1. Managerial

A networking administrator is reviewing available security products to further fine-tune the existing firewall and appliance settings. An administrator should analyze which system logs in order to tune firewall rulesets and remove or block suspect hosts and processes from the network? 1. Network-based intrusion detection system (NIDS) 2. Unified threat management (UTM) product 3. Network-based intrusion prevention system (IPS) 4. Network behavior and anomaly detection (NBAD) product

1. Network-based intrusion detection system (NIDS)

A network administrator conducts a network assessment to determine where to implement a network intrusion detection system (NIDS). Which sensor deployment option is most ideal if the admin is concerned about system overloads and resiliency in the event of power loss? 1. Passive test access point (TAP) 2. Active test access point (TAP) 3. Aggregation test access point (TAP) 4. Switched port analyzer (SPAN)/mirror port

1. Passive test access point (TAP)

An employee works on a small team that shares critical information about the company's network. When sending emails that have this information, what would be used to provide the identity of the sender and prove that the information has not been tampered with? 1. Private key 2. Digital signature 3. Public key 4. RSA algorithm

1. Private key

Consider the types of zones within a network's topology and locate the zone considered semi-trusted and requires hosts to authenticate to join. 1. Private network 2. Answer Extranet 3. Internet 4. Anonymouse

1. Private network

A security engineer is investigating a potential system breach. When compiling a report of the incident, how does the engineer classify the actor and the vector? 1. Threat 2. Vulnerability 3. Risk 4. Exploit

1. Threat

An unknowing user with authorized access to systems in a software development firm installs a seemingly harmless, yet unauthorized program on a workstation without the IT department's sanction. Identify the type of threat that is a result of this user's action. 1. Unintentional insider threat 2. Malicious insider threat 3. Intentional attack vector 4. External threat with insider knowledge

1. Unintentional insider threat

A system administrator is configuring a new Dynamic Host Configuration Protocol (DHCP) server. Consider the various types of attacks specific to DHCP and determine which steps the system administrator should take to protect the server. (Select all that apply.) 1. Use scanning and intrusion detection to pick up suspicious activity. 2. Disable DHCP snooping on switch access ports to block unauthorized servers. 3. Enable logging and review the logs for suspicious events. 4. Disable unused ports and perform regular physical inspections to look for unauthorized devices.

1. Use scanning and intrusion detection to pick up suspicious activity. 3. Enable logging and review the logs for suspicious events. 4. Disable unused ports and perform regular physical inspections to look for unauthorized devices.

What are the most common baseline account and password policies that system administrators implement? (Select all that apply.) 1. Use upper- and lower-case letters, numbers, and special characters for passwords. 2. Set a lockout duration period. 3. Disable enforcement of a password history policy for unique passwords. 4. Use a shared account for administrative work on the network.

1. Use upper- and lower-case letters, numbers, and special characters for passwords. 2. Set a lockout duration period.

A system administrator downloads and installs software from a vendor website. Soon after installing the software, the administrator's computer is taken over remotely. After closer investigation, the software package was modified, probably while it was downloading. What action could have prevented this incident from occurring? 1. Validate the software using a checksum 2. Validate the software using a private certificate 3. Validate the software using a key signing key 4. Validate the software using Kerberos

1. Validate the software using a checksum

Compare and contrast vulnerability scanning and penetration testing. Select the true statement from the following options. 1. Vulnerability scanning is conducted by a "white hat" and penetration testing is carried out by a "black hat." 2. Vulnerability scanning by eavesdropping is passive, while penetration testing with credentials is active. 3. Penetration testing and vulnerability scanning are considered "black hat" practices. 4. Vulnerability scanning is part of network reconnaissance, but penetration testing is not.

1. Vulnerability scanning is conducted by a "white hat" and penetration testing is carried out by a "black hat."

The _____ requires federal agencies to develop security policies for computer systems that process confidential information. 1. Sarbanes-Oxley Act (SOX) 2. Computer Security Act 3. Federal information Security Management Act (FISMA) 4. Gramm-Leach-Bliley Act (GLBA)

2

The IT department head returns from an industry conference feeling inspired by a presentation on the topic of cybersecurity frameworks. A meeting is scheduled with IT staff to brainstorm ideas for deploying security controls by category and function throughout the organization. Which of the following ideas are consistent with industry definitions? (Select all that apply.) 1. Deploy an operational control to monitor compliance with external regulations. 2. Schedule quarterly security awareness workshops as a preventive control to mitigate social engineering attacks. 3. Deploy agents to file servers to perform continuous backups to cloud storage as a corrective control to mitigate the impact of malware. 4. Deploy a technical control to enforce network access policies.

2, 3

Which of the following considerations is most important when employing a signature-based intrusion detection system? 1. The system may produce false positives and block legitimate activity. 2. The system must create a valid baseline signature of normal activity. 3. Signatures and rules must be kept up to date to protect against emerging threats. 4. Signatures and rules must be able to detect zero-day attacks

4. Signatures and rules must be able to detect zero-day attacks

Evaluate the functions of a Network-Based Intrusion Detection System (NIDS) and conclude which statements are accurate. (Select all that apply.) 1. Training and tuning are fairly simple, and there is a low chance of false positives and false negatives. 2. A NIDS will identify and log hosts and application activity that the administrator can use to analyze and take further action. 3. Training and tuning are complex, and there is a high chance of false positive and negative rates. 4. A NIDS will identify attacks and block the traffic to stop the attack. The administrator will be able to review the reports for future prevention.

2. A NIDS will identify and log hosts and application activity that the administrator can use to analyze and take further action. 3. Training and tuning are complex, and there is a high chance of false positive and negative rates.

Assess the features and processes within biometric authentication to determine which scenario is accurate. 1. A company chooses to use a retinal scanner as it is less intrusive than iris scanners. 2. A company uses a fingerprint scanner as it is the most widely used biometric authentication method. 3. A company uses a fingerprint scanner as it is more expensive but has a straightforward process. 4. A company records information from a sample using a sensor module.

2. A company uses a fingerprint scanner as it is the most widely used biometric authentication method.

Which of the following statements best describes the trade-off when considering which type of encryption cipher to use? 1. Asymmetric encryption is the strongest hashing algorithm, which produces longer and more secure digests than symmetric encryption. 2. Asymmetric encryption requires substantially more overhead computing power than symmetric encryption. Asymmetric encryption is inefficient when transferring or encrypting large amounts of data. 3. Symmetric encryption requires substantially more overhead computing power than asymmetric encryption. Symmetric encryption is inefficient when transferring or encrypting large amounts of data. 4. Symmetric encryption is not considered as safe as asymmetric encryption, but it might be required for compatibility between security products.

2. Asymmetric encryption requires substantially more overhead computing power than symmetric encryption. Asymmetric encryption is inefficient when transferring or encrypting large amounts of data.

During the planning/scoping phase of the kill chain, an attacker decides that a Distributed Denial of Service (DDoS) attack would be the best way to disrupt the target website and remain anonymous. Evaluate the following explanations to determine the reason the attacker chose a DDoS attack. 1. A DDoS attack can launch via covert channels 2. DDoS attacks utilize botnets 3. A DDoS attack creates a backdoor to a website 4. DDoS attacks use impersonation

2. DDoS attacks utilize botnets

An employee has requested a digital certificate for a user to access the Virtual Private Network (VPN). It is discovered that the certificate is also being used for digitally signing emails. Evaluate the possible extension attributes to determine which should be modified so that the certificate only works for VPN access. 1. Valid from/to 2. Extended key usage 3. Serial number 4. Public key

2. Extended key usage

In which of these situations might a non-credentialed vulnerability scan be more advantageous than a credentialed scan? (Select all that apply.) 1. When active scanning poses no risk to system stability 2. External assessments of a network perimeter 3. Detection of security setting misconfiguration 4. Web application scanning

2. External assessments of a network perimeter 4. Web application scanning

An employee calls IT personnel and states that they received an email with a PDF document to review. After the PDF was opened, the system has not been performing correctly. An IT admin conducted a scan and found a virus. Determine the two classes of viruses the computer most likely has. (Select all that apply.) 1. Boot sector 2. Macro 3. Script 4. Non-resident

2. Macro 3. Script

Which of the following depict ways a malicious attacker can gain access to a target's network? (Select all that apply.) 1. Ethical hacking 2. Phishing 3. Shoulder surfing 4. Influence campaign

2. Phishing 3. Shoulder surfing

An employee handles key management and has learned that a user has used the same key pair for encrypting documents and digitally signing emails. Prioritize all actions that should be taken and determine the first action that the employee should take. 1. Revoke the keys. 2. Recover the encrypted data. 3. Generate a new key pair. 4. Generate a new certificate.

2. Recover the encrypted data.

A company is reviewing the options for installing a new wireless network. They have requested recommendations for utilizing WEP, WPA, or WPA2. Differentiate between Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). Determine which of the following statements accurately distinguishes between the options. (Select all that apply.) 1. WEP and WPA use RC4 with a Temporal Key Integrity Protocol (TKIP), while WPA2 uses a 24-bit Initialization Vector (IV). WPA2 combines the 24- bit IV with an Advanced Encryption Standard (AES) to add security. ou Answered 2. WEP is the strongest encryption scheme, followed by WPA2, then WPA. WEP is difficult to crack when protected by a strong password, or if deploying enterprise authentication. WPA2 is more vulnerable to decryption due to replay attack possibilities. 3. WPA and WEP use RC4, while WEP uses a 24-bit Initialization Vector (IV). WPA uses a Temporal Key Integrity Protocol (TKIP), and WPA2 uses an Advanced Encryption Standard (AES) for encryption. 4. WPA2 is the strongest encryption scheme, followed by WPA, then WEP. WPA2 is difficult to crack if protected by a strong password, or if deploying enterprise authentication. WEP is more vulnerable to decryption due to replay attack possibilities.

2. WEP is the strongest encryption scheme, followed by WPA2, then WPA. WEP is difficult to crack when protected by a strong password, or if deploying enterprise authentication. WPA2 is more vulnerable to decryption due to replay attack possibilities. 4. WPA2 is the strongest encryption scheme, followed by WPA, then WEP. WPA2 is difficult to crack if protected by a strong password, or if deploying enterprise authentication. WEP is more vulnerable to decryption due to replay attack possibilities.

A website with many subdomains has been issued a web server certificate for domain validation. This certificate verifies the parent domain and all subdomains (to a single level). This certificate is also known as which of the following? 1. SAN certificate 2. Wildcard certificate 3. Root certificate 4. Code signing certificate

2. Wildcard certificate

Analyze and compare the access control models in terms of how Access Control Lists (ACL) are written and determine which statement accurately explains the Discretionary Access Control (DAC) model. 1. A DAC model is the most flexible and weakest access control model. Administrative accounts have control of the resource and grants rights to others. 2. A DAC model is the least flexible and strongest access control model. The owner has full control over the resource and grants rights to others. ou Answered 3. A DAC model is the least flexible and strongest access control model. Administrative accounts have control of the resource and grant rights to others. 4. A DAC model is the most flexible and weakest access control model. The owner has full control over the resource and grants rights to others.

3. A DAC model is the least flexible and strongest access control model. Administrative accounts have control of the resource and grant rights to others.

Evaluate the differences between stream and block ciphers and select the true statement. 1. A block cipher is suitable for communication applications. 2. A stream cipher is subjected to complex transposition and substitution operations, based on the value of the key used. 3. A block cipher is padded to the correct size if there is not enough data in the plaintext. 4. A stream cipher's plaintext is divided into equal-sized blocks.

3. A block cipher is padded to the correct size if there is not enough data in the plaintext.

Which of the following are types of log collection for SIEM? (Select all that apply.) 1. Log aggregation 2. Firewall 3. Agent-based 4. Listener/Collector

3. Agent-based 4. Listener/Collector

An organization routinely communicates directly to a partner company via a domain name. The domain name now leads to a fraudulent site for all users. Systems administrators for the organization find incorrect host records in DNS. What do the administrators believe to be the root cause? 1. A server host has a poisoned arp cache. 2. Some user systems have invalid hosts file entries. 3. An attacker masquerades as an authoritative name server. 4. The domain servers have been hijacked.

3. An attacker masquerades as an authoritative name server.

A system analyst is tasked with searching the dark web for harvested customer data. Because these sites cannot be found in a standard website search, what must the analyst have in order to search for the harvested information? 1. The Onion Router (TOR) 2. Dark web search engine 3. Dark Website URL 4. Open Source Intelligence (OSINT)

3. Dark Website URL

Digital certificates are based on the X.509 standard that defines the fields (or information) about a subject (or entity using the certificate) and the certificate's issuer. Which of the following fields would not be included in a standard public certificate? 1. Extensions 2. Public key 3. Endorsement key 4. Subject

3. Endorsement key

One aspect of threat modeling is to identify potential threat actors and the risks associated with each one. When assessing the risk that any one type of threat actor poses to an organization, what are the most critical factors to profile? (Select all that apply.) 1. Education 2. Socioeconomic status 3. Intent 4. Motivation

3. Intent 4. Motivation

An employee is having coffee at an outdoor coffee shop and is not taking precautions against someone watching their screen while working on a company project. A person a few tables over watches the employee enter their credentials and then takes photos of the work they are completing with their smartphone. Which form of social engineering is being used in this situation? 1. Vishing 2. Lunchtime attack 3. Shoulder surfing 4. Man-in-the-middle attack

3. Shoulder surfing

An employee has arrived to work and logged into the network with their smart card. This employee now has access to the company databases, email, and shared network resources. Evaluate all of the basic authorization policies and determine the policy best illustrated in this scenario. 1. Least privilege 2. Implicit deny 3. Single Sign-On (SSO) 4. Access key

3. Single Sign-On (SSO)

What is Open Source Intelligence (OSINT)? 1. Obtaining information, physical access to premises, or even access to a user account through the art of persuasion 2. The means the organization will take to protect the confidentiality, availability, and integrity of sensitive data and resources 3. Using web search tools and social media to obtain information about the target 4. Using software tools to obtain information about a host or network topology

3. Using web search tools and social media to obtain information about the target

Evaluate the typical weaknesses found in network architecture and determine which statement best aligns with a security weakness. 1. A company has a single network channel. 2. A company has many different systems to operate one service. 3. A company has a habit of implementing quick fixes. 4. A company has a flat network architecture.

4. A company has a flat network architecture.

Analyze the following attacks to determine which best illustrates a pharming attack. 1. A customer gets an email that appears to be from their insurance company. The email contains a link that takes the user to a fake site that looks just like the real insurance company site. 2. An employee gets a call from someone claiming to be in the IT department. The caller says there was a problem with the network, so they need the employee's password in order to restore network privileges. 3. A company's sales department often has after-hour training sessions, so they order dinner delivery online from the restaurant across the street. An attacker is able to access the company's network by compromising the restaurant's unsecure website. 4. A customer enters the correct URL address of their bank, which should point to the IP address 172.1.24.4. However, the browser goes to 168.254.1.1, which is a fake site designed to look exactly like the real bank site.

4. A customer enters the correct URL address of their bank, which should point to the IP address 172.1.24.4. However, the browser goes to 168.254.1.1, which is a fake site designed to look exactly like the real bank site.

A system administrator uses a Graphical User Interface (GUI) remote administration tool over TCP port 3389 to manage a server operating Windows 2016. Evaluate the types of remote administration tools to conclude which protocol the administrator is using. 1. Secure Shell 2. Telnet 3. Dynamic Host Configuration Protocol 4. Remote Desktop

4. Remote Desktop

A hacker is able to install a keylogger on a user's computer. What is the hacker attempting to do in this situation? 1. Key management 2. Encryption 3. Obfuscation 4. Steal confidential information

4. Steal confidential information

Based on knowledge of the fundamentals of One-time Passwords (OTP), which of the following choices represents the problem that exists with HMAC-based One-time Password Algorithm (HOTP) and is addressed by Time-based One-time Password Algorithm (TOTP)? 1. HOTP is not configured with a shared secret. 2. The server is not configured with a counter in HOTP. 3. Only the HOTP server computes the hash. 4. Tokens can be allowed to continue without expiring in HOTP.

4. Tokens can be allowed to continue without expiring in HOTP.

Analyze the methods for authentication to a Secure Shell (SSH) and determine which statement best summarizes the host-based authentication method. 1. The user's private key is configured with a passphrase that must be input to access the key. 2. The client submits credentials that are verified by the SSH server using RADIUS. 3. The client submits a Ticket Granting Ticket (TGT) that is obtained when the user logged onto the workstation. 4.The client sends a request for authentication and the server generates a challenge with the public key.

4.The client sends a request for authentication and the server generates a challenge with the public key.

The National Institute of Standards and Technology (NIST) provides a framework that classifies security-related functions. Which description aligns with the "respond" function? A. Evaluate risks, threats, and vulnerabilities. B. Perform ongoing, proactive monitoring. C. Implement resilience to restore systems. orrect Answer D. Identify, analyze, and eradicate threats.

D