SEC+ Chapter Review Questions
In a digital envelope, which key encrypts the session key?
The recipients public key (typically from the server's key pair).
Your company creates software that requires a database of stored encrypted passwords. What security control could you use to make the password database more resistant to brute force attacks?
Using a key-stretching password storage library, such as PBKDF2, improves resistance to brute-force cracking methods. You might also mention that you could use policies to make users choose longer, non-trivial passwords.
You are recommending that a business owner invest in patch management controls for PCs and laptops. What is the main risk from weak patch management procedures on such devices?
Vulnerabilities in the OS and application software such as web browsers and document readers or in PC and adapter firmware can allow threat actors to run malware and gain a foothold on the network.
What security posture assessment could a pen tester make using Netcat?
Whether it is possible to open a network connection to a remote host over a given port.
A system integrator is offering a turnkey solution for customer contact data storage and engagement analytics using several cloud services. Does this solution present any supply chain risks beyond those of the system integrator's consulting company?
Yes, the system integrator is proposing the use of multiple vendors (the cloud service providers), with potentially complex issues for collecting, storing, and sharing computer personal data across these vendors. Each company in the supply chain should be assessed for risk and compliance with cybersecurity and privacy standards.
You are consulting on threat intelligence solutions for a supplier of electronic voting machines. What type of threat intelligence source would produce the most relevant information at the lowest cost?
For critical infrastructure providers, threat data sharing via an Information Sharing and Analysis Center (ISAC) is likely to be the best option.
What two ways can biometric technology be used other than for logon authentication?
For identification based on biometric features and in continuous authentication mechanisms.
Which type of threat actor is primarily motivated by the desire for social change?
"Hacktivist."
What is a hardened configuration?
A basic principle of security is to run only services that are needed. A hardened system is configured to perform a role as client or application server with minimal possible attack surface, in terms of interfaces, ports, services, storage, system/registry permissions, lack of security controls, and vulnerabilities.
What type of forensic data is recovered using a carving tool?
A carving tool allows close inspection of an image to locate artifacts. Artifacts are data objects and structures that are not obvious from examination by ordinary file browsing tools, such as alternate data streams, cache entries, and deleted file remnants.
In organizational policies, what two concepts govern change?
A change control process governs the way changes are requested and approved. A change management process governs the way that planned change is implemented and the way that unplanned change is handled.
What vulnerabilities might default error messages reveal?
A default error message might reveal platform information and the workings of the code to an attacker.
What is a RADIUS client?
A device or server that accepts user connections, often referred to as a network access server (NAS) or as the authenticator. Using RADIUS architecture, the client does not need to be able to perform authentication itself; it performs pass-thru to an AAA server.
What type of scheduled Windows backup job does not clear the archive attribute?
A differential backup. This type of backup selects all new and modified data since the previous full backup. You could also mention copy backups, though these are usually ad hoc rather than scheduled.
What is a tabletop exercise?
A discussion based drill of emergency response procedures. Staff may role-play and discuss their responses but actual emergency conditions are not simulated.
What is a risk register?
A document highlighting the results of risk assessments in an easily comprehensible format (such as a heat map or "traffic light" grid). Its purpose is for department managers and technicians to understand risks associated with the workflows that they manage.
What type of attack against HTTPS aims to force the server to negotiate weak ciphers?
A downgrade attack.
What physical security device could you use to ensure the safety of on-site backup tapes.
A fireproof safe or vault.
Your company has been the victim of several successful phishing attempts over the past year. Attackers managed to steal credentials from these attacks and used them to compromise key systems. What vulnerability contributed to the success of these social engineers, and why?
A lack of proper user training directly contributes to the success of these social engineering attempts. Attackers can easily trick users when they are unfamiliar with the characteristics and ramifications of such deception.
What is containerization?
A mobile app or workspace that runs within a partitioned environment to prevent other (unauthorized) apps from interacting with it.
A threat actor gained access to a remote network over a VPN. Later, you discover footage of the user of the hacked account being covertly filmed while typing their password. What type of endpoint security solution might have prevented this breach?
A mobile device management suite (MDM) can prevent use of the camera function of a smartphone.
What type of interoperability agreement is designed to ensure specific performance standards?
A service level agreement (SLA). In addition, performance standards may also be incorporated in business partner agreements (BPAs).
Your consultancy includes a training segment. What type of incident response exercise will best represent a practical incident handling scenario?
A simulation exercise creates an actual intrusion scenario, with a red team performing the intrusion and a blue team attempting to identify, contain, and eradicate it.
What is the difference between a sensor and a collector, in the context of SIEM?
A SIEM collector parses input (such as log files or packet traces) into a standard format that can be recorded within the SIEM and interpreted for event correlation. A sensor collects data from the network media.
A multinational company manages a large amount of valuable intellectual property (IP) data, plus personal data for its customers and account holders. What type of business unit can used to manage such important and complex security requirements?
A Security Operations Center (SOC).
You are writing a security awareness blog for company CEOs subscribed to your threat platform. Why are backdoors and Trojans different ways of classifying and identifying malware risks?
A Trojan means a malicious program masquerading as something else; a backdoor is a covert means of accessing a host or network. A Trojan need not necessarily operate a backdoor, and a backdoor can be established by exploits other than Trojans. The term "Remote Access Trojan (RAT)" is used for a specific combination of trojan and backdoor.
What physical security system provides mitigation against juice-jacking?
A USB data blocker can be attached to the end of a cable to prevent a charging port from trying to make a data connection.
How could deception-based cybersecurity resilience strategy return fake telemetry to a threat actor?
Fake telemetry means that when a threat actor runs port or host discovery scans, a spoof response is returned. This could lead the threat actor to waste time probing the port or host IP address trying to develop an attack vector that does not actually exist.
True or false? The contents of the HOSTS file are irrelevant as long as a DNS service is properly configured.
False (probably). The contents of the HOSTS file are written to the DNS cache on startup. It is possible to edit the registry to prioritize DNS over HOSTS, though.
True or false? Band selection has a critical impact on all aspects of the security of a wireless network.
False - band selection can affect availability and performance, but does not have an impact in terms of either confidentiality or integrity.
Which cryptographic technology is most useful for sharing medical records with an analytics company?
Homomorphic encryption allows calculations to be performed while preserving privacy and confidentiality by keeping the data encrypted.
Which terms are used to discuss levels of site resiliency?
Hot, warm, and cold sites, referring to the speed with which a site can failover.
In what two ways can an IP address be used for context-based authentication?
An IP address can represent a logical location (subnet) on a private network. Most types of public IP addresses can be linked to a geographical location, based on information published by the registrant that manages that block of IP address space.
What is the difference between locked and disabled accounts?
An account enters a locked state because of a policy violation, such as an incorrect password being entered. Lockout is usually applied for a limited duration. An account is usually disabled manually, using the account properties. A disabled account can only be re-enabled manually.
How might wireless connection methods be used to compromise the security of a mobile device processing corporate data?
An attacker might set up some sort of rogue access point (Wi-Fi) or cell tower (cellular) to perform eavesdropping or man-in-the-middle attacks. For personal area network (PAN) range communications, there might be an opportunity for an attacker to run exploit code over the channel.
What type of development model(s) allow users to select the make and model of the mobile device?
Bring your own device (BYOD), and choose your own device (CYOD).
What is the name of the policy that prevents users from choosing old passwords again?
Enforce password history.
Which life cycle process manages continuous release of code to the production environment?
Continuous deployment.
What is control risk?
Control risk arises when a security control is ineffective at mitigating the impact and/or likelihood of the risk factor it was deployed to mitigate. The control might not work as hoped, or it might become less effective over time.
What is DNS server cache poisoning?
Corrupting the records of a DNS server to point traffic destined for a legitimate domain to a malicious IP address.
You are preparing a briefing paper for customers on the organizational consequences of data and privacy breaches. You have completed sections for reputation damage, identity theft, and IP theft. Following the CompTIA Security+ objectives, what other section should you add?
Data and privacy breaches can lead legislators or regulators to impose fines. In some cases, these fines can be substantial (calculated as a percentage of turnover).
To what data state does a trusted execution environment apply data protection?
Data in processing / data in use.
What type of physical destruction media sanitization method is not suitable for USB thumb drives?
Degaussing is ineffective against all types of flash media, including thumb drives, SSDs, hybrid drives, and memory cards.
A company has installed motion-activated floodlighting on the grounds around its premises. What class and function is this security control?
It would be classified as a physical control and its function is both detecting and deterring.
You are assisting with the preparation for security briefings on embedded systems tailored to specific implementations of embedded systems. Following the CompTIA Security+ syllabus, you have created the industry-specific advice for the following sectors - which sector is missing? Facilities, Industrial, Manufacturing, Energy, ???
Logistics. Transportation of components for assembly or distribution of finished products.
Your CEO wants to know if the company's threat intelligence platform makes effective use of OSINT. What is OSINT?
Open-Source Intelligence (OSINT) is cybersecurity-relevant information harvested from public websites and data records. In terms of threat intelligence specifically, it refers to research and data feeds that are made publicly available.
What mechanism provides the most reliable means of associating a client with a particular server node when load balancing?
Persistence is a layer 7 mechanism that works by injecting a session cookie. This is generally more reliable than the layer 4 source IP affinity mechanism.
What is meant by PII?
Personally identifiable information is any data that could be used to identify, contact, or locate an individual.
What is the main advantage of IKE v2 over IKE v1?
Rather than just providing mutual authentication of the host endpoints, IKE v2 supports a user account authentication method, such as extensible authentication protocol (EAP).
What type of risk mitigation option is offered by purchasing insurance?
Risk transference.
Which of the following would be accessed by likelihood and impact: vulnerability, threat, or risk?
Risk. To assess likelihood and impact, you must identify both the vulnerability and the threat posed by a potential exploit.
What are two main options for mobile camera surveillance?
Robot sentries and drone/UAV-mounted cameras.
Company policy requires that you ensure your smartphone is secured from unauthorized access in case it is lost or stolen. To prevent someone from accessing data on the device immediately after it has been turned on, what security control should be used?
Screen lock.
You are improving back-end database security to ensure that requests deriving from front-end web servers are authenticated. What general class of attack is this designed to mitigate?
Server-side request forgery (SSRF) causes a public server to make an arbitrary request to a back-end server. This is made much harder if the threat actor has to defeat an authentication or authorization mechanism between the web server and the database server.
What type of organizational policies ensure that at least two people have oversight of a critical business process?
Shared authority, job rotation, and mandatory enforced vacation / holidays.
What metric could be used to make a quantitative calculation of risk due to a specific threat to a specific function or asset?
Single loss expectancy (SLE) or Annual loss expectancy (ALE). ALE is SLE multiplied by ARO (Annual rate of occurrence).
What is SDV?
Software defined visibility (SDV) gives API-based access to network infrastructure and hosts so that configuration and state data can be reported in near real-time. This facilitates greater automation in models and technologies such as zero trust, inspection of east/west data center traffic, and use of security orchestration and automated response tools (SOAR).
What is a Type II hypervisor?
Software that manages virtual machines that have been installed to a guest OS. This is in contrast to a Type I (or "bare metal") hypervisor, which interfaces directly with the host hardware.
What is a dissolvable agent?
Some network access control (NAC) solutions perform host health checks via a local agent, running on the host. A dissolvable agent is one that is executed in the host's memory and CPU but not installed to a local disk.
What is the difference between the role of data steward and the role of data custodian?
The data steward role is concerned with the quality of data (format, labeling, normalization, etc). The data custodian role focuses on the system hosting the data assets and its access control mechanisms.
Which command-line tool allows image creation from disk media on any Linux host?
The dd tool is installed on all Linux distributions.
Why are OS-enforced file access controls not sufficient in the event of the loss or theft of a computer or mobile device?
The disk (or other storage) could be attached to a foreign system and the administrator could take ownership of the files. File-level, full disk encryption (FDE), or self-encrypting drives (SED) mitigate this by requiring the presence of the user's decryption key to read the data.
You are discussing execution and validation security for DOM scripting with the web team. A junior team member wants to know if this relates to client-side or server-side code. What is your response?
The document object model (DOM) is the means by which a script (JavaScript) can change the way a page is rendered. As this change is rendered by the browser, it is client-side code.
What is the significance of the fact that digital evidence is latent?
The evidence cannot be seen directly but must be interpreted so the validity of the interpreting process must be unquestionable.
How might an integer overflow be used as a part of a buffer overflow?
The integer value could be used to allocate less memory than a process expects, making a buffer overflow easier to achieve.
You are discussing a redesign of network architecture with a client, and they want to know the difference between extranet and internet is. How can you explain it?
The internet is an external zone where none of the hosts accessing your services can be assumed trusted or authenticated. An extranet is a zone allowing controlled access to semi-trusted hosts, implying some sort of authentication. The hosts are semi-trusted because they are not under administrative control of the organization (as they are owned by suppliers, customers, business partners, contractors, and so on).
A log shows that a PowerShell IEX process attempted to create a threat in the target image c:\Windows\System32\lsass.exe. What is the aim of this attack?
The local security authority subsystem service (LSASS) enforces security policies, including authentication and password changes. Consequently, it holds hashes of user passwords in memory. Attacks on lsass.exe are typically credential dumping to steal those hashes.
How does MTD relate to availability?
The maximum tolerable downtime (MTD) metric expresses the availability requirement for a particular business function.
You are advising a company about backup requirements for a few dozen application servers hosting tens of terabytes of data. The company requires online availability of short-term backups, plus offsite security media and long-term archive storage. The company cannot use a cloud solution. What type on on-premises storage solution is best suited to the requirement?
The offsite and archive requirements are best met by a tape solution, but the online requirement may need a RAID array, depending on speed. The requirement is probably not large enough to demand a storage area network (SAN), but could be provisioned as part of one.
What is the best option for monitoring traffic passing from host-to-host on the same switch?
The only option for monitoring intra-switch traffic is to use a mirrored port.
What IPsec mode would you use for data confidentiality on a private network?
Transport mode with encapsulating security payload (ESP). Tunnel mode encrypts the IP header information, but this is unnecessary on a private network. Authentication header (AH) provides message authentication and integrity but not confidentiality.
You are providing security consultancy to assist a company with improving incident response procedures. The business manager wants to know why an out-of-band contact mechanism for responders is necessary. What do you say?
The response team needs a secure channel to communicate over without alerting the threat actor. There may also be availability issues with the main communication network, if it has been affected by the incident.
What factors determine the selection of security controls in terms of overall budget?
The risk (as determined by impact and likelihood) compared to the cost of controls. This metric can be calculated as return on security investment (ROSI).
What is Microsoft's TLS VPN solution?
The secure sockets tunneling protocol (SSTP).
What bit of information confirms the identity of an SSH server to a client?
The server's public key (host key). Note that this can only be trusted if the client trusts that the public key is valid. The client might confirm this manually or using a certificate authority.
You have been asked to produce a summary of pros and cons for the products Chef and Puppet. What type of virtualization or cloud computing technology do these support?
These are orchestration tools. Orchestration facilitates "automation of automation," ensuring that scripts and API calls are made in the right order and at the right time to support overall workflow.
Other than endpoint protection software, what resources can provide indicators of pass the hash attacks?
These attacks are revealed by use of certain modes of NTLM authentication within the security (audit) log of the source and target hosts. These indicators can be prone to false positives, however, as many services use NTLM authentication legitimately.
What is the purpose of directory services?
To store information about network resources and users in a format that can be accessed and updated using standard queries.
You are preparing a solution overview on privacy enhancing technologies based on CompTIA Security+ syllabus objectives. You have completed notes under the following headings - which other report section do you need? Data minimization, anonymization, pseudo-anonymization, data-masking, aggregation/banding.
Tokenization. Replacing data with a randomly-generated token from a separate token server or vault. This allows reconstruction of the original data if combined with the token vault.
True or false? A maliciously designed USB battery charger could be used to exploit a mobile device on connection.
True, though the vector is known to the mobile OS and handset vendors so the exploit is unlikely to be able to run without user authorization.
True or false? A virtual IP is a means by which two appliances can be put in a fault tolerant configuration to respond to requests for the same IP address?
True.
True or false? DNSSEC depends on a chain of trust from the root servers down.
True.
True or false? RTO expresses the amount of time required to identify and resolve a problem within a single system or asset.
True.
True or false? Static NAT means mapping a single public/external IP address to a single private/internal IP address.
True.
True or false? The following string is an example of a distinguished name: CN=ad, DC=classroom, DC=com.
True.
True or false? To ensure evidence integrity, you must make a hash of the media before making an image.
True.
True or false? When deploying a non-transparent proxy, you must configure clients with the proxy address and port.
True.
True or false? Backup media can be onsite, but offline.
True. As a security precaution, backup media can be taken offline at the completion of a job to mitigate the risk of malware corrupting the backup.
What is the risk from a VM escaping attack?
VM escaping refers to attacking other guest OSes or the hypervisor or host from within a virtual machine. Attacks may be to steal information, perform Denial of Service (DoS), infect the system with malware, and so on.
What is the principal use of grep in relation to log files?
grep is used to search the content of files.
If a windows system file fails a file integrity check, should you suspect a malware infection?
Yes - malware is a likely cause that you should investigate.
The network manager is recommending the use of "thin" access points to implement the wireless network. What additional appliance or software is required and what security advantages should this have?
You need a wireless controller to configure and manage the access points. This makes each access point more tamper-proof as there is no local administration interface. Configuration errors should also be easier to identify.
You need to correlate intrusion detection data with web server log files. What component must you deploy to collect IDS alerts in a SIEM?
You need to deploy a sensor to send network packet captures or intrusion detection alerts to the SIEM.
What areas of a business of workflow must you examine to assess multiparty risk?
You need to examine supply chain dependencies to identify how problems with one or more suppliers would impact your business. You also need to examine customer relationships to determine what liabilities you have in the event of an incident impacting your ability to supply a product or service and what impact disruption of important customer accounts would have, should cyber incidents disrupt their business.
A client and a server have agreed on the use of the cipher suite ECDHE-ECDSA-AES256-GCM-SHA384 for a TLS session. What is the key strength of the symmetric encryption algorithm?
256-Bit AES.
A technician is seeing high volumes of 403 forbidden errors in a log. What type of network appliance or server is producing these logs?
403 Forbidden is an HTTP status code, so most likely a web server. Another possibility is a web proxy or gateway.
What addressing component must be installed or configured for NB-IoT?
A LTE-based cellular radio, such as a narrowband IoT, uses a subscriber identity module (SIM) card as an identifier. The can either be installed as a plug-in card or configured as an eSIM chip on the system board or feature in a SoC design.
Which sanitization solution meets all the following requirements: compatible with both HDD and SDD media, fast operation, and leaves the media in a reusable state?
A crypto erase or instant secure erase (ISE) sanitizes media by encrypting the data and then erasing the cryptographic key.
What type of dynamic testing tool would you use to check input validation on a web form?
A fuzzer can be used to submit known unsafe strings and randomized input to test whether they are made safe by input validation or not.
What is the difference between security group and role-based permissions management?
A group is simply a container for several user objects. Any organizing principle can be applied. In a role-based access control system, groups are tightly defined according to job functions. Also, a user should (logically) only possess the permission of one role at one time.
What type of interoperability agreement would be appropriate at the outset of two companies agreeing to work with one another?
A memorandum of understanding (MOU).
What type of data source would you look for evidence of a suspicious MTA in?
A message transfer agent (MTA) is an SMTP server. You might inspect an SMTP log or the internet header metadata of an email message.
What distinguishes host-based personal software firewall from a network firewall appliance?
A personal firewall software can block processes from accessing a network connection as well as applying filtering rules. A personal firewall protects the local host only, while a network firewall filters traffic for all hosts on the segment behind the firewall.
What is the effect of a memory leak?
A process claims memory locations but never releases them, reducing the amount of memory available to other processes. This will damage performance, could prevent other processes from starting, and if left unchecked, could crash the OS.
You have been asked to monitor baseline API usage so that a rate limiter value can be set. What is the purpose of this?
A rate limited will mitigate denial of service (DoS) attacks on the API, where a malicious entity generates millions of spurious requests to block legitimate ones. You need to establish a baseline to ensure continued availability for legitimate users by setting the rate limit at an appropriate level.
How does elasticity differ from scalability?
A scalable system is one that responds to increased workloads by adding resources without exponentially increasing costs. An elastic system is able to assign or un-assign resources as needed to match either an increased workload or a decreased workload.
What is an SDK and how does it affect secure development?
A software development kit (SDK) contains tools and code examples released by a vendor to make developing applications within a particular environment (framework, programming language, OS) easier. Any element in the SDK could contain vulnerabilities that could then be transferred to the developer's code or application.
What is meant by a public cloud?
A solution hosted by a third party cloud service provider (CSP) and shared between subscribers (multi-tenant). This sort of cloud solution has the greatest security concerns.
What use is a TPM when implementing full disk encryption?
A trusted platform module provides a secure mechanism for creating and storing the key used to encrypt the data. Access to the key is provided by configuring a password. The alternative is usually to store the private key on a USB stick.
How does accounting provide non-repudiation?
A user's actions are logged on the system. Each user is associated with a unique computer account. As long as the user's authentication is secure and the logging system is tamper-proof, they cannot deny having performed the action.
What is a VDE?
A virtual desktop environment (VDE) is the workspace presented when accessing an instance in a virtual desktop infrastructure (VDI) solution. VDI is the whole solution (host server and virtualization platform, connection protocols, connection/session broker, and client access devices).
What is a WAF?
A web application firewall (WAF) is designed to protect HTTP and HTTPS applications. It can be configured with signatures of known attacks against applications, such as injection based attacks or scanning attacks.
You are consulting with a medium-size company about endpoint security solutions. What advantages does a cloud-based analytics platform have over an on-premises solution that relies on signature updates?
Advanced Persistent Threat (APT) malware can use many techniques to evade signature-based detection. A cloud analytics platform, backed by machine learning, can apply more effective behavioral-based monitoring and alerting.
Which two components are required to ensure power redundancy for a blackout period extending over 24 hours?
An uninterruptable power supply (UPS) is required to provide failover for the initial blackout event, before switching over to a standby generator to supply power over a longer period.
Why should detailed vendor and product assessments be required before allowing the use of IoT devices in the enterprise?
As systems with considerable computing and networking functionality, these devices are subject to the same sort of vulnerabilities and exploits as ordinary workstations and laptops. It is critical to assess the vendor's policies in terms of the security design for the product and support for identifying and mitigating any vulnerabilities discovered in its use.
How does RAID support fault tolerance?
Aside from RAID 0, RAID provides redundancy between a group of disks, so that if one disk were to fail, that data may be recoverable from the other disks in the array.
What is the principal risk of deploying an intrusion prevention system with behavior-based detection?
Behavior-based detection can exhibit high false positive rates, where legitimate activity is wrongly identified as malicious. With automatic prevention, this will block many legitimate users and hosts from the network, causing availability and support issues.
What is usually the purpose of the default rule on a firewall?
Block any traffic not specifically allowed (implicit deny).
A sales executive is attending meetings at a professional conference that is also being attended by representatives of other companies in his field. At the conference, he uses his smartphone with a bluetooth headset to stay in touch with his clients. A few days after the conference, he finds that the competitor's sales representatives are getting in touch with his key contacts and influencing them by revealing what he thought was private information from his email and calendar. This is an example of which threat?
Bluesnarfing.
How can an enterprise DMZ be implemented?
By using two firewalls (external and internal) around a screened subnet, or by using a triple-homed firewall (one with three network interfaces).
What are the risks of not having a documented IP schema?
Configuration errors are more likely, especially where complex access control lists (ACLs) and security monitoring sensor deployment is required.
Which security property is assured by symmetric encryption?
Confidentiality - symmetric ciphers are generally fast and well suited to bulk encrypting large amounts of data.
What are the properties of a secure information processing system?
Confidentiality, Integrity, Availability (and Non-Repudiation).
What steps should you take to secure an SNMPv2 server?
Configure strong community names and use access control lists to restrict management operations to known hosts.
What is secure staging?
Creating secure development environments for the different phases of a software development project (initial development server, test/integration server, staging [user test] server, production server).
Why is it vital to ensure the security of an organization's DNS?
DNS resolves domain names. If it were to be corrupted, users could be directed to spoofed websites. Disrupting DNS can also perform denial of service.
What vulnerabilities does a rogue DHCP server expose users to?
Denial of service (providing an invalid email address configuration) and spoofing (providing a malicious address configuration - one that points to a malicious DNS, for instance).
What configuration change could you make to prevent misuse of a developer account?
Disable the account.
What port security feature mitigates ARP poisoning?
Dynamic ARP inspection - though this relies upon DHCP snooping being enabled.
Why should an organization design role-based training programs?
Employees have different levels of technical knowledge and different work priorities. This means that a "one size fits all" approach to security training is impractical.
You want to deploy a wireless network where only clients with domain-issued digital certificates can join the network. What type of authentication mechanism is suitable?
EAP-TLS is the best choice because it requires that both server and client be installed with valid certificates.
How could you prevent a malicious attacker from engineering a switching loop from a host connected to a standard switch port?
Enable the appropriate guards (portfast and BPDU guard) on access ports.
Which protocol protects the contents for a VoIP conversation from eavesdropping?
Encrypted VoIP data is carried over the secure real-time transport protocol (SRTP).
What is a cloud access security broker?
Enterprise management software mediating access to cloud services by users to enforce information and access policies and audit usage.
Why is a rooted or jailbroken device a threat to enterprise security?
Enterprise mobility management (EMM) solutions depend on the device user not being able to override their settings or change the effect of the software. A rooted or jailbroken device means that the user could subvert the access controls.
John is given a laptop for official use and is on a business trip. When he arrives at his hotel, he turns on his laptop and finds a wireless access point with the name of the hotel, which he connects to for sending official communications. He may become a victim of which wireless threat?
Evil twin.
True or false? A TLS VPN can only provide access to web-based network resources.
False. A transport layer security (TLS) VPN uses TLS to encapsulate the private network data and tunnel it over the network. They private network data could be frames of IP-level packets and is not constrained by application-layer protocol type.
True or false? As they protect data at the highest layer of the protocol stack, application-based firewalls have no basic packet filtering functionality.
False. All firewall types can perform basic packet filtering (by IP address, protocol type, port number, and so on).
True or false? Only Microsoft's operating systems and applications require security patches.
False. Any vendor's or open source software or firmware can contain vulnerabilities and need patching.
True or false? SOAR is intended to provide wholly automated incident response solutions.
False. Incident response is too complex to be wholly automated. SOAR assists the provision of runbooks, which orchestrates the sequence of response and automate parts of it, but still requires decision-making from a human responder.
True or false? It is important to publish all security alerts to all members of staff.
False. Security alerts should be sent to those able to deal with them at a given level of security awareness and on a need-to-know basis.
True or false? The first responder is whoever first reports an incident to the CIRT.
False. The first responder would be the member of the CIRT to handle the report.
True or false? A customer is limited to creating one VPC per account?
False. There are limits to the number of virtual private clouds that can be created, but more than one is allowed.
True or false. While fully customizable by the customer, embedded systems are based on either the Raspberry Pi or the Arduino design.
False. These are examples of one-board computers based on the system on chip (SoC) design. They are widely used in education and leisure. Some are used for industrial applications or for proof-of-concept designs, but most embedded systems are manufactured to specific requirements.
True or false? The account with which you register for the CSP services is not an account with root privileges.
False. This account is the root account and has full privileges. It should not be used for day-to-day administration or configuration.
True or false? Serverless means running computer code on embedded systems.
False. With serverless, the provision of functions running in containers is abstracted from the underlying server hardware. The point is that as a consumer, you do not perform any server management. The servers are still present, but they are operated and maintained by the cloud service provider.
You are supporting a SIEM deployment at a customer location. The customer wants to know whether flow records can be ingested. What type of data source is a flow record?
Flow records are generated by NetFlow or IP flow information export (IPFIX) probes. A flow record is data that matches a flow record, which is a particular combination of keys (IP endpoints and protocol/port types).
Why are exercises an important part of creating a disaster recovery plan?
Full scale or functional exercises can identify mistakes in the plan that might not be apparent when drafting procedures. It also helps to familiarize staff with the plan.
Which response header provides protection against SSL stripping attacks?
HTTP Strict Transport Security (HSTS).
A recent security evaluation concluded that your company's network design is too consolidated. Hosts with wildly different functions and purposes are grouped together on the same logical area of the network. In the past, this has enabled attackers to easily compromise large swaths of network hosts. What technique do you suggest will improve the security of the network design, and why?
In general, you should start implementing some form of network segmentation to put hosts with the same security requirements within segregated zones. For example, the workstations in each business department can be grouped in their own subnets to prevent a compromise of one subnet from spreading to another. Likewise, with VLANs, you can more easily manage the logical segmentation of the network without disrupting the physical infrastructure (i.e. devices, cables, etc).
A company's web services are suffering performance issues because updates keep failing to run on certain systems. What type of architecture could address this issue?
Infrastructure as code (IaC) means that provisioning is performed entirely from standard scripts and configuration data. The absence of manual configuration adjustments or ad hoc scripts to change settings is designed to eliminate configuration drift so that updates run consistently between the development and production environments.
What type of programming practice defends against injection-style attacks, such as inserting SQL commands into a database application from a site search form?
Input validation provides some mitigation against this type of input being passed to an application via a user form. Output encoding could provide another layer of protection by checking that the query that the script passes to the database is safe.
What sort of maintenance must be performed on signature-based monitoring software?
Installing definition/signature updates and removing definitions that are not relevant to the hosts or services running on your network.
Describe some key considerations that should be made when hosting data or systems via a cloud solutions provider.
Integrate auditing and monitoring procedures and systems with on-premises detection, identify responsibility for implementing security controls (such as patching or backup), identify performance metrics in an SLA, and assess risks to privacy and confidentiality from breaches at the service provider.
For what type of account would interactive logon be disabled?
Interactive logon refers to starting a shell. Service accounts do not require this type of access. Default superuser accounts, such as Administrator and root, may also be disabled, or limited to use in system recovery or repair.
What are the advantages of a decentralized, discretionary access control policy over a mandatory access control policy?
It is easier for users to adjust the policy to fit changing business needs. Centralized policies can easily become inflexible and bureaucratic.
You've fulfilled your role in the forensic process and now you plan on handing the evidence over to an analysis team. What important process should you observe during the transition, and why?
It is important to uphold a record of how evidence is handled in a chain of custody. The chain of custody will help verify that everyone who handled the evidence is accounted for, including when the evidence was in each person's custody. This is an important tool in validating the integrity of the evidence.
What format is often used to write permissions statements for cloud resource policies?
JavaScript Object Notation (JSON).
Which protocol is often used in conjunction with IPSec to provide a remote access client VPN with user authentication?
Layer 2 tunneling protocol (L2TP).
What field provides traffic marking for a QoS system at layer 3?
Layer 3 refers to the DiffServ field in the IP header.
What is the policy that states users should be allocated the minimum sufficient permissions?
Least privilege.
What physical site security controls act as deterrents?
Lighting is one of the most effective deterrents. Any highly visible security control (guards, fence, walls, dogs, barricades, CCTV, signage, etc) will act as a deterrent.
Which attack framework provides descriptions of specific TTPs?
MITREs ATT&CK framework.
What security controls might be used to implement protected distribution of cabling?
Make conduit physically difficult to access, use alarms to detect attempts to interfere with conduit, and use shielding cabling.
What is measured by MTBF?
Mean time between failures (MTBF) represents the expected reliability of a product over its lifetime.
A company has been using a custom developed client-server application for customer management, accessed from remote sites over a VPN. Rapid overseas growth has led to numerous complaints from employees that the system suffers many outages and cannot cope with the increased number of users and access by client devices such as smart phones. What type of architecture could produce a solution that is more scalable?
Microservices is a suitable architecture for replacing monolithic client-server applications that do not meet the needs of a geographically diverse, mobile workforce. By breaking the application into microservice components and hosting these in cloud containers, performance can scale to demand. Web-based APIs are better suited to browser-based access on different device types.
Why might forcing users to change their password every month be counterproductive?
More users would forget their password, try to select unsecure ones, or write them down/record them in a non-secure way (like a sticky note).
Why are so many network DoS attacks distributed?
Most attacks depend on overwhelming the victim. This typically requires a large number of hosts or bots.
Which software tool is most appropriate for forwarding Windows event logs to a syslog-compatible server?
NXlog is designed as a multi-platform logging system.
What low level networking feature will facilitate a segmentation-based approach to containing intrusion events?
Network segmentation is primarily achieved by virtual LANs (VLANs). A VLAN can be isolated from the rest of the network.
Is WPS a suitable authentication method for enterprise networks?
No, an enterprise network will use RADIUS authentication. WPS uses PSK and there are weaknesses in the protocol.
Does Syslog perform all the functions of a SIEM?
No, syslog allows remote hosts to send logs to a server, but syslog does not aggregate/normalize the log data or run correlation rules to identify alertable events.
You must recover the contents of the ARP cache as vital evidence of a man-in-the-middle attack. Should you shut down the PC and image the hard drive to preserve it?
No, the ARP cache is stored in memory and will be discarded when the computer is powered off. You can either dump the system memory or run the arp utility and make a screenshot. In either case, make sure that you record the process and explain your actions.
You are discussing a security awareness training program for an SME's employees. The business owner asserts that as they do not run Microsoft Office desktop apps, there should be no need to cover document security and risks from embedded macros and scripts. Should you agree and not run this part of the program?
No. While visual basic for applications (VBA) can only be used with Microsoft Office, other types of document can contain embedded scripts, such as JavaScript in PDFs. Other Office suites, such as OpenOffice and LibreOffice, use scripting languages for macros too.
What range of information classifications could you implement in a data labeling project?
One set of tags could indicate the degree of confidentiality (public, confidential/secret, or critical/top secret). Another tagging schema could distinguish proprietary from private/sensitive personal data.
What use might a proximity reader be for site security?
One type of proximity reader allows a lock to be operated by a contactless smart card. Proximity sensors can also be used to track objects via RFID tags.
What countermeasures can you use against the threat of malicious firmware code?
Only use reputable suppliers for peripheral devices and strictly controlled sources for firmware updates. Consider use of a sheep dip sandboxed system to observe a device before allowing it to be attached to a host in the enterprise network. Use execution control software to allow only approved USB vendors.
.What container would you use if you want to apply a different security policy to a subnet or objects within the same domain?
Organization unit (OU).
What coding practice provides specific mitigation against XSS?
Output encoding ensures that strings are made safe for the context they are being passed to, such as when a JavaScript variable provides output to render as HTML. Safe means that the string does not contain unauthorized syntax elements, such as script tags.
Which port(s) and security method should be used by a mail client to submit messages for delivery by an SMTP server?
Port 587 with STARTTLS (explicit TLS) or port 465 with implicit TLS.
Other than cost, what factor primarily constrains embedded systems in terms of compute and networking?
Power. Many embedded systems must operate on battery power, and charging the batteries is an onerous task, so power-hungry systems like processing and high-bandwidth or long-range networking are constrained.
What are the six phases of the incident response lifecycle?
Preparation, identification, containment, eradication, recovery, and lessons learned.
What should be the first action at a crime scene during a forensic investigation?
Preserve the crime scene by recording everything as is, preferably on video.
You are providing security advice and training to a customer's technical team. One asks how they can identify when a buffer overflow occurs. What is your answer?
Real time detection of a buffer overflow is difficult, and is typically only achieved by security monitoring software (anti-virus, endpoint detection and response, or user and entity behavior analytics) or by observing the host closely within a sandbox. An unsuccessful attempt is likely to cause the process to crash with an error message. If the attempt is successful, the process is likely to show anomalous behavior, such as starting another process, opening network connections or writing AutoRun keys in the registry. These indications could be recorded using logging and system monitoring tools.
An employee's car was recently broken into, and the thief stole a company tablet that held a great deal of sensitive data. You've already taken the precaution of securing plenty of backups of that data. What should you do to be absolutely certain that the data does not fall into the wrong hands?
Remotely wipe the device, also referred to as a kill switch.
What type of files most need to be audited to perform third-party credential management?
SSH and API keys are often un-securely embedded in computer code or uploaded mistakenly to repositories alongside code. Also, managing shared credentials can be difficult, and many sites resort to storing them in a shared spreadsheet.
What security protocol does SFTP use to protect the connection and which port does an SFTP server listen on by default?
Secure shell (SSH) over TCP port 22.
You are working on a cloud application that allows users to log on with social media accounts over the web and from a mobile application. Which protocols would you consider and which would you choose as most suitable?
Security association markup language (SAML) and Oauth+ OpenID Connect (OIDC). OAuth with OIDC as an authentication layer offers better support for native mobile apps so is probably the best choice.
What is the purpose of SIEM?
Security information and event management (SIEM) products aggregate IDS alerts and host logs from multiple sources, then perform correlation analysis on the observables collected to identify indicators of compromise and alert administrators to potential incidents.
What risk type arises from shadow IT?
Shadow IT is the deployment of hardware, software, or cloud services without the sanction of the system owner (typically the IT department). The system owner will typically be liable for software compliance / license risks.
What factor is most likely to reduce a system's resiliency?
Single point of failure.
What is a SOP?
Standard Operating Procedure is a step-by-step listing of the actions that must be completed for any given task.
Why is subnetting useful in secure network design?
Subnet traffic is routed, allowing it to be filtered by devices such as a firewall. An attacker must be able to gather more information about the configuration of the network and overcome more barriers to launch successful attacks.
Your log shows that the Notepad process on a workstation running as the local administrator account has started an unknown process on an application server running as the SYSTEM account. What type of attack(s) are represented in this intrusion event?
The Notepad process has been compromised, possibly using buffer overflow or a DLI/process injection attack. The threat actor has then performed lateral movement and privilege escalation, gaining higher privileges through remote code execution on the application server.
What is meant by scheduling in the context of load balancing?
The algorithm and metrics that determine which node a load balancer picks to handle a request.
How does a replay attack work in the context of session hijacking?
The attacker captures some data, such as a cookie, used to log on or start a session legitimately. The attacker then resends the captured data to re-enable the connection.
Why might an ARP poisoning tool be of use to a threat actor performing network reconnaissance?
The attacker could trick computers into sending traffic through the attacker's computer (performing a MitM/on-path attack) and, therefore, examine traffic that would not normally be accessible to him (on a switched network).
How does a clickjacking attack work?
The attacker inserts an invisible layer into a trusted web page that can intercept or redirect input without the user realizing.
How might an attacker exploit a web application to perform shell injection attacks?
The attacker needs to find a vulnerable input method, such as a form control, URL, or script parser, that will allow the execution of OS shell commands.
You have been asked to investigate a web server for possible intrusion. You identify a script with the following code. What language is the code in, and does it seem likely to be malicious? import os, sockets, syslog def r_conn(ip) s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM) s.connect(("logging.trusted.foo",514))
The code is written in Python. It uses various modules with default library code to interact with the OS and network, and also the syslog logging platform. The first lines of code define a function to connect to a host over port 514 (syslog). SOCK_DGRAM is a UDP connection, which is standard for syslog. Most likely the script is for remote logging and unlikely to be malicious, especially if trusted.foo is a known domain.
How does a specifically configured complier inhibit attacks through software diversity?
The compiler can apply obfuscation routines to make the code difficult for a threat actor to reverse engineer and analyze for vulnerabilities.
You are preparing a white paper on configuration management essentials for your customers. You have the following headings already: diagrams, standard naming conventions, internet protocol (IP) schema. If you are basing your paper on the CompTIA Security+ objectives, what other topic should you cover?
The configuration baseline is an essential concept as it allows unauthorized change to be detected more easily and planned change to be managed more easily.
When using S/MIME, which key is used to encrypt a message?
The recipient's public key (principally). The public key is used to encrypt a symmetric session key and (for performance reasons) the session key does the actual data encoding. The session key and, therefore, the message text can then only be recovered by the recipient, who uses the linked private key to decrypt it.
What are the advantages of SASL over LDAPS?
The simple authentication and security layer (SASL) allows a choice of authentication providers and encryption (sealing)/integrity (signing) mechanisms. By contrast, LDAPS uses transport layer security (TLS) to encrypt traffic, but users still authenticate via simple binding. Also, SASL is the standards-based means of configuring LDAP security.
You are reviewing security and privacy issues relating to a membership database for a hobbyist site with a global audience. The site currently collects account details with no further information. What should be added to be in compliance with data protection regulations?
The site should add a privacy notice explaining the purposes the personal information is collected and used for. The form should provide a means for the user to give explicit and informed consent to this privacy notice.
Antivirus software has reported the presence of malware, but cannot remove it automatically. Apart from the location of the affected file, what information will you need to remediate the system manually?
The string identifying the malware. You can use this to reference the malware on the A-V vendor's site, and obtain manual removal and prevention advice.
Why might a file timestamp not show the time at which a crime was committed?
The time stamp may record the UTC time rather than the local time. An offset would need to be applied (and it might need to be demonstrated that the computers time zone was correctly set).
What use is made of a TPM for NAC attestation?
The trusted platform module (TPM) is a tamper-proof (at least in theory) cryptographic module embedded in the CPU or chipset. This can provide a means to sign the report of the system configuration so that a network access control (NAC) policy enforcer can trust it.
What is the process of sideloading?
The user installs an app directly onto the device rather than from an official app store.
What is the risk of not following a tested order of restoration when recovering a site from a major incident?
There may be unmet dependencies between systems that are started in the wrong order. This could lead to boot failures and data corruption.
How does VSS assist a backup solution?
The volume shadow copy service creates snapshots for the backup software to use, avoiding problems with file locks and uncompleted database transactions.
Which tools can you use to restrict the use of PowerShell on Windows 10 clients?
There are various group-policy based mechanisms, but for Windows 10, the Windows Defender Application Control (WDAC) framework provides the most powerful toolset for execution control policies.
What policy describes preventing any type of unauthorized computing, network, or storage connection to a protected host?
This can be described as an air gap or secure area demilitarized zone.
You are investigating a client workstation that has not obtained updates to its endpoint protection software for days. On the workstation you discover thousands of executable files with random names. The local endpoint log reveals that all of them have been scanned and identified as malware. You can find no evidence of further intrusion on the network. What is the likely motive of the threat actor?
This could be an offline tainted data attack against the endpoints software identification engine.
Which security attribute is ensured by monitoring API latency and correcting any problems quickly?
This ensures availability of services.
What is a pre-shared key?
This is a type of group authentication used when the infrastructure for authenticating securely (Via RADIUS, for instance) is not available. The systems depends on the strength of the passphrase used for the key.
What feature allows you to filter traffic arriving at an instance?
This is accomplished by assigning the instance to a security group with the relevant policy configured.
What type of network requires the network to account for east-west traffic?
This is typical of data center or server farm, where a single external request causes multiple cascading requests between servers within the data center. This is a problem for a perimeter security model, as funneling this traffic up to a firewall and then back to a server creates a performance bottleneck.
You take an incident report from a user trying to access a REPORT.docx file on a SharePoint site. The file has been replaced by a REPORT.docx.QUARANTINE.txt file containing a policy violation notice. What is the most likely cause?
This is typical of data loss prevention (DLP) policy replacing a file involved in a policy violation with a tombstone file.
Where would you expect to find "hot and cold" aisles and what is their purpose?
This layout is used in a data center or large server room. The layout is the best way to maintain a stable temperature and reduce loss of availability due to thermal problems.
In a rule-based access control model, can a subject negotiate with the data owner for access privileges? Why or why not?
This sort of negotiation would not be permitted under rule-based access control; this is a feature of discretionary access control.
Following a loss of critical IP exfiltrated from the local network to a public cloud storage network, you decide to implement a type of outbound filtering system. Which technology is most suitable for implementing the filter?
This task is suited to the data loss prevention (DLP), which can block the transfer of tagged content over authorized channels.
Why might enforcement policies be used to prevent USB tethering when a smartphone is brought to the workplace?
This would allow a PC or laptop to connect to the internet via the smartphone's cellular data connection. This could be used to evade network security mechanisms, such as data loss prevention or content filtering.
What type of cloud solution would be used to implement a SAN?
This would usually be described as Infrastructure as a Service (IaaS).
You are reviewing access logs on a web server and notice repeated requests for URLs containing the strings %3C and %3E. Is this an event that should be investigated further, and why?
Those strings represent percent encoding for HTML tag delimiters (< and >). This could be an XSS attempt to inject a script, so it should be investigated.
Why might a company invest in device control software that prevents the use of recording devices within company premises?
To hinder physical reconnaissance and espionage.
Which information resource is required to complete usage auditing?
Usage events must be recorded in a log. Choosing which events to log will be guided by an audit policy.
You are planning a security awareness program for a manufacturer. Is a pamphlet likely to be sufficient in terms of resources?
Using a diversity of training techniques will boost engagement and retention. Practical tasks, such as phishing simulations, will give attendees more direct experience. Workshops or computer-based training will make it easier to assess whether the training has been completed.
How can DLL injection be exploited to hide the presence of malware?
Various OS functions allow one process to manipulate another and force it to load a dynamic link library (DLL). This means that the malware code can be migrated from one process to another, evading detection.
You are preparing some notes on diversity strategies for cybersecurity resilience for the executive team. You have prepared sections on technologies, crypto, and controls so far. What other topic do you need to cover?
Vendor diversity.
What feature is essential for managing code iterations within the provisioning and deprovisioning process?
Version control is an ID system for each iteration of a software product.
How does VDI work as a mobile deployment model?
Virtual desktop infrastructure (VDI) allows a client device to access a VM. In this scenario, the mobile device is the client device. Corporate data is stored and processed on the VM so there is less chance of it being compromised, even though the client device itself is not fully managed.
What is a persistent XSS attack?
Where the attacker inserts malicious code into the back-end database used to serve content to the trusted site.
What is an amplification attack?
Where the attackers spoofs the victim's IP in requests to several reflecting servers (often DNS or NTP servers). The attacker crafts the request so that the reflecting servers respond to the victim's IP with a large message, overwhelming the victim's bandwidth.
Recently, attackers were able to compromise the account of a user whose employment had been terminated a week earlier. They used this account to access a network share and delete important files. What account vulnerability enabled this attack?
While it is possible that lax password requirements and incorrect privileges may have contributed to the account compromise, the most glaring problem is that the terminated employee's account wasn't disabled. Since the account was no longer being used, it should not have been left active for a malicious user to exploit.
If you suspect a process is being used for data exfiltration but the process is not identified as malware by A-V software, what types of analysis tolls will be most useful?
You can use a sandbox with monitoring tools to see which files the process interacts with and a network monitor to see if it opens (or tries to open) a connection with a remote host.
You are writing a shell script to display the last 5 lines of a log file at /var/log/audit in a dashboard. What is the Linux command to do this?
tail /var/log/audit -n 5
You are developing a secure web application. What sort of certificate should you request to show that you are the publisher of a program?
A code signing certificate. Certificates are issued for specific purposes. A certificate issued for one purpose should not be reused for other functions.
How can cryptography support high resiliency?
A complex system might have to support many inputs from devices installed to potentially unsecure locations. Such a system is resilient if compromise of a small part of the system is prevented from allowing compromise of the whole system. Cryptography assists this goal by ensuring the authentication and integrity of messages delivered over the control system.
If a company wants to ensure that it is following best practice in choosing security controls, what kind of resource would provide guidance?
A cybersecurity framework and/or benchmark and secure configuration guides.
You have configured a network vulnerability scanner for an engineering company. When running a scan, multiple sensors within an embedded systems network became unresponsive, causing a production shutdown. What alternative method of vulnerability scanning should be used for the embedded systems network?
A fully non-intrusive solution should be adopted, such as sniffing traffic using a network tap or mirror port. Using the network traffic to detect vulnerabilities rather than actively probing each device will not cause system stability issues (though there is greater risk of false positive and false negative results).
You are providing consultancy to a firm to help them implement smart card authentication to premises network and cloud services. What are the main advantages of using an HSM over server-based key and certificate management services?
A hardware security module (HSM) is optimized for this role and so present a smaller attack surface. It is designed to be tamper-evident to mitigate against insider threat risks. It is also likely to have a better implementation of a random number generator, improving the security properties of key material.
What is the process of digitally signing a message?
A hashing function is used to create a message digest. The digest is then signed using the sender's public key and cannot be modified by any other agency. The recipient can calculate his or her own digest of the message and compare it to the signed hash to validate that the message has not been altered.
Why might a PIN be a particularly weak type of "something you know" authentication?
A long personal identification number (PIN) is difficult for users to remember, but a short PIN is easy to crack. A PIN can only be used safely where the number of sequential authentication attempts can be strictly limited.
What is EAPoL?
A network access server that support 802.1X port-based access control can enable a port but allow only the transfer of extensible authentication protocol over LAN (EAPoL) traffic. This allows the supplicant and authentication server to perform the authentication process, with the network access server acting as a pass-thru.
How does OTP protect against password guessing or sniffing attacks?
A one-time password mechanism generates a token that is valid only for a short period (usually 60 seconds), before it changes again.
You are assisting a customer with implementing data loss prevention (DLP) software. Of the two products left in consideration, one supports steganalysis of image data, but the other does not. What is the risk of omitting this ability?
A threat actor could conceal information within an image file and use that to bypass the DLP system. One thing to note is that attackers could find other ways to implement covertexts (audio or video, for instance) or abuse protocol coding. There are many things that steganalysis needs to be able to scan for. You might also note that steganography is not only a data exfiltration risk. It can also be used to smuggle malicious code into a host system.
A website owner wants to evaluate whether the site security mitigates risks from criminal syndicates, assuming no risk of insider threat. What type of penetration testing engagement will most closely simulate this adversary capability and resources?
A threat actor has no privileged information about the website configuration or security controls. This is simulated in a black box (or blind) pen test engagement.
What is a zone transfer and which reconnaissance tools can be used to test whether a server will allow one?
A zone transfer is where a domain name server (DNS) allows a client to request all the name records for a domain. nslookup (Windows) and dig (principally Linux) can be used to test whether this query is allowed. You could also mention the dnsenum tool, which will check for zone transfers along with other enumeration tests on DNS infrastructure.
How is a fingerprint reader typically implemented as hardware?
As a capacitive cell.
What is the difference between authorization and authentication?
Authorization means granting the account that has been configured for the user on the computer system the right to make use of a resource. Authorization manages the privileges granted on the resource. Authentication protects the validity of the user account by testing that the person accessing that account is who he says he is.
You are assessing whether to join AIS. What is AIS and what protocol should your SIEM support in order to connect to AIS servers?
Automated Indicator Sharing (AIS) is a service offered by the Department of Homeland Security (DHS) for participating in threat intelligence sharing. AIS uses the Trusted Automated eXchange of Indicator Information (TAXII) protocol as a means of transmitting CTI data between servers and clients.
You are advising a customer on backup and disaster recovery solutions. The customer is confused between data breaches and data loss and whether the backup solution will protect against both. What explanation can you give?
Backup solution mitigate risks from data loss, where files or information are deleted, corrupted, or otherwise destroyed. Backup does not mitigate risks from data breach, where confidential or private data is stolen (exfiltrated) and made public or sold for criminal profit. Mitigating risks of data breach requires effective secure processing, authorization, and authentication security controls.
Considering that cryptographic hashing is one-way and the digest cannot be reversed, what makes hashing a useful security technique?
Because two parties can hash the same data and compare checksums to see if they match, hashing can be used for data verification in a variety of situations, including password authentication. Hashes of passwords, rather than the password plaintext, can be stored securely or exchanged for authentication. A hash of a file or a hash code in an electronic message can be verified by both parties.
A small company that you provide security consulting support to has resisted investing in an event management and threat intelligence platform. The CEO has become concerned about an APT risk known to target supply chains within the company's industry sector and wants you to scan their systems for any sign that they have been targeted already. What are the additional challenges of meeting this request, given the lack of investment?
Collecting network traffic and log data from multiple sources and then analyzing it manually will require many hours of analyst time. The use of threat feeds and intelligence fusion to automate parts of this analysis effort would enable a much swifter response.
Is Cuckoo a type of malware or security product?
Cuckoo is a security product designed to analyze malware as it runs in an isolated sandbox environment.
Why does Diffie-Hellman underpin perfect forward security?
Diffie-Hellman allows the sender and recipient to derive the same value (the session key) from some other pre-agreed values. Some of these are exchanged, and some kept private, but there is no way for a snooper to work out the secret just from the publicly exchanged values. This means session keys can be created without relying on the server's private key, and that it is easy to generate ephemeral keys that are different for each session.
A business is expanding rapidly and the owner is worried about tensions between its established IT and programming divisions. What type of security business unit or function could help to resolve these issues?
Development and Operations (DevOps) is a cultural shift within an organization to encourage more collaboration between developers and system administrators. DevOps embeds the security functions within these teams as well.
What are the properties of a public/private key pair?
Each key can reverse the cryptographic operation performed by its pair, but cannot reverse an operation performed by itself. The private key must be kept secret by the owner, but the public key is designed to be widely distributed. The private key cannot be determined from the public key, given a sufficient key size.
What mechanism informs clients about suspended or revoked keys?
Either a published certificate revocation list (CRL) or an Online certificate status protocol (OCSP) responder.
Your company manages marketing data and private information for many high-profile clients. You are hosting an open day for potential employees. With the possibility of social engineering attacks in mind, what precautions should employees take when the guests are being shown around the office?
Employees should specifically be wary of shoulder surfing attempts to observe passwords and the like.
What is the relevance of entropy to cryptographic functions?
Entropy is a measure of how disordered something is. A disordered ciphertext is desirable, because remaining features of order from the plaintext make the ciphertext vulnerable to analysis. Identical plaintexts need to be initialized with random or counter values when encrypted by the same key, and the cryptosystem needs a source of randomness to generate strong keys.
Apart from cost, what would you consider to be the major considerations for evaluating a biometric recognition technology?
Error rates (false acceptance and false rejection), throughput, and whether users will accept the technology or reject it as too intrusive or threatening to privacy.
You are advising a customer about encryption for data backup security and the key escrow services that you offer. How should you explain the risks of key escrow and potential mitigations?
Escrow refers to archiving the key used to encrypt the customer's backups with your company as a third party. The risk is that an insider attack from your company may be able to decrypt the data backups. This risk can be mitigated by requiring M-of-N access to the escrow key, reducing the risk of a rogue administrator.
True or false? Cryptography is about keeping things secret so they cannot be used as the basis of a non-repudiation system.
False - the usages are not exclusive. There are different types of cryptography and some can be used for non-repudiation. The principle is that if an encryption method (cipher and key) is known only to one person, that person cannot then deny having composed a message. This depends on the algorithm design allowing recipients to decrypt the message but not encrypt it.
A vulnerability scan reports that a CVE associated CentOS Linux is present on a host, but you have established that the host is not running CentOS. What type of scanning error is this?
False Positive.
True or false? Nation state actors primarily only pose a risk to other states.
False. Nation state actors have targeted commercial interests for theft, espionage, and extortion.
True or false? In order to create a service ticket, Kerberos passes the user's password to the target application server for authentication.
False. Only the KDC verifies the user credential. The ticket granting service (TGS) sends the user's account details (SID) to the target application for authorization (allocation of permissions), not authentication.
True or false? An account requiring a password, PIN, and smart card is an example of three-factor authentication?
False. Three factor authentication also includes a biometric, behavioral, or location based element. The password and PIN elements are the same factor (something you know).
You suspect that the rogue host is modifying traffic before forwarding it, with the side effect of increasing network latency. Which tool could you use to measure latency on traffic routed from this subnet?
From a windows host, the pathping tool can be used to measure latency along a route.
What type of bulk encryption cipher mode of operation offers the best security?
Generally, counter modes implementing Authenticated Encryption with Additional Data (AEAD). Specific examples include AES-GCM and ChaCha20-poly1305.
What mechanism does HPKP implement?
HTTP Public Key Pinning (HPKP) ensures that when a client inspects the certificate presented by a server or a code-signed application, it is inspecting the proper certificate by submitting one or more public keys to an HTTP browser via an HTTP header.
For which types of system will a cipher suite that exhibits high latency be problematic?
High latency is not desirable in any system, really, but it will affect real time protocols that exchange voice or video most. In network communications, latency makes the initial protocol handshake longer, meaning delay for users and possible application timeout issues.
Why should an internet service provider (ISP) be informed before pen testing on a hosted website takes place?
ISPs monitor their networks for suspicious traffic and may block the test attempts. The pen test may also involve equipment owned and operated by the ISP.
Your CEO calls to request market research data immediately be forwarded to her personal email address. You recognize her voice, but a proper request form has not been filled out and use of third-party email is prohibited. She states that she would normally fill out the form and should not be an exception, but she urgently needs the data to prepare for a round table at a conference she is attending. What type of social engineering techniques could this use, or is it a false alarm?
If social engineering, this is spear phishing (the attack uses specific details) over a voice channel (vishing). It is possible that it uses deep fake technology for voice mimicry. The use of a sophisticated attack for a relatively low-value data asset seems unlikely, however. A fairly safe approach would be to contact the CEO back on a known mobile number.
You are agreeing to a proposal to run a series of team-based exercises to test security controls under different scenarios. You propose using purple-team testing, but the contracting company is only familiar with the concept of red and blue teams. What is the advantage of running a purple team exercise?
In a red versus blue team, there is no contact between the teams, and no opportunity to collaborate on improving security controls. In a purple team exercise, there is regular contact and knowledge sharing between the teams throughout the progression of the exercise.
Which part of a simple cryptographic system must be kept secret - the cipher, ciphertext, or the key?
In cryptography, the security of the message is guaranteed by the security of the key. The system does not depending on hiding the algorithm or the message (security by obscurity).
How does a subject go about obtaining a certificate from a CA?
In most cases, the subject generates a key pair then adds the public key along with subject information and certificate type in a certificate signing request (CSR) and submits it to the CA. If the CA accepts the request, it generates a certificate with the appropriate key usage and validity, signs it, and transmits it to the subject.
Which type of eye recognition is easier to perform: retinal or iris scanning?
Iris scans are simpler.
You have implemented a secure web gateway that blocks access to a social networking site. How would you categorize this type of security control?
It is a technical type of control (implemented in software) and acts as a preventative measure.
You are investigating a business email compromise incident (BEC). The email account of a developer has been accessed remotely over webmail. Investigating the developer's workstation finds no indication of a malicious process, but you do locate an unknown USB extension device attached to one of the rear ports. Is this the most likely attack vector, and what type of malware would it implement?
It is likely that the USB device implements a hardware-based keylogger. This would not necessarily require any malware to be installed or leave any trace in the file system.
What are the potential consequences if a company loses control of a private key?
It puts both data confidentiality / identification and authentication systems at risk. Depending on the key usage, the key may be used to decrypt data with authorization. The key could also be used to impersonate a user or computer account.
Which network access control framework supports smart cards?
Local logon providers, such as Kerberos, support smart cards, but this is not network access control as the device has already been allowed on the network. The IEEE 802.1X framework means that network access servers (switches, access points, and VPN gateways) can accept extensible authentication protocols (EAP) credentials, but block any other type of network access. They act as a pass-thru for an authentication server, which stores and validates the credentials. Some EAP types support smart card or machine authentication.
What type of organizational security assessment is performed using Nessus?
Nessus is an automated network vulnerability scanner that checks for software vulnerabilities and missing patches.
A user maintains a list of commonly used passwords in a file located deep within the computer's directory structure. Is this secure password management?
No, this is security by obscurity. The file could probably be easily discovered using search tools.
What term is used to describe the property of a secure network where a sender cannot deny having sent a message?
Non-Repudiation.
What is the process of ensuring accounts are only created for valid users, only assigned the appropriate privileges, and that the account credentials are known only to the valid user?
OnBoarding.
As a security solutions provider, you are compiling a checklist for your customers to assess potential weak configuration vulnerabilities, based on CompTIA Security+ Syllabus. From the headings you have added so far, which is missing and what vulnerability does it relate to? Default settings, Unsecured root accounts, Open ports and services, Unsecure protocols, Weak encryption, errors.
Open permissions refers to misconfigured access rights for data folders, network file shares, and cloud storage.
What tools are used for OSINT?
Open-Source Intelligence is a reconnaissance activity to gather information about the target from any public source. The basic tool is web searches/queries plus sites that scan/scrape/monitor vulnerabilities in internet-facing services and devices. There are also specialist OSINT tools, such as theHarvester, the aggregate data from queries for different resources.
In what scenario would PAP be considered a secure authentication method?
PAP is a legacy protocol that cannot be considered secure because it transmits plain text ASCII passwords and has no cryptographic protection. The only way to ensure the security of PAP is to ensure that the endpoints established a secure tunnel (using IPSec, for instance).
What type of certificate format can be used if you want to transfer your private key and certificate from one Windows host computer to another?
PKCS #12 / .PFX / .P12.
What steps should be taken to enroll a new employee on a domain network?
Perform checks to confirm the users identity, issue authentication credentials securely, assign appropriate permissions / privileges to the account, and ensure accounting mechanisms to audit the user's activity.
In the context of penetration testing, what is persistence?
Persistence refers to the tester's ability to reconnect to the compromised host and use it as a remote access tool (RAT) or backdoor.
A firewall appliance intercepts a packet that violates policy. It automatically updates its Access Control List to block all further packets from the source IP. What TWO functions is the security control performing?
Preventive and Corrective.
You are assisting with writing an attack surface assessment report for a small company. Following the CompTIA syllabus, which two potential attack vectors have been omitted from the following headings in the report? Direct access, email, remote and wireless, web and social media, cloud.
Removable media and supply chain.
Which three types of threat actor are most likely to have high levels of funding?
State actors, criminal syndicates, and competitors.
What does it mean if a certificate extension attribute is marked as critical?
That the application processing the certificate must be able to interpret the extension correctly. Otherwise, it should reject the certificate.
If a security control is described as operational and compensating, what can you determine about its nature and function?
That the control is enforced by a person rather than a technical system, and that the control has been developed to replicate the functionality of a primary control, as required by security standard.
You are consulting with a company about a new approach to authenticating users. You suggest there could be cost savings and better support for multifactor authentication (MFA) if your employees create accounts with a cloud provider. That allows the company's staff to focus on authorizations and privilege management. What type of service is the cloud vendor performing?
The cloud vendor is acting as the identity provider.
Which property of a plaintext password is most effective at defeating a brute force attack?
The length of the password. If the password does not have any complexity (if it is just two words from the dictionary, for example), it may still be vulnerable to a dictionary-based attack. A long password may still be vulnerable if the output space is small or the mechanism used to hash the password is faulty (LM hashes being one example).
What is the main weakness of a hierarchical trust model?
The structure depends on the integrity of the root CA.
What extension field is used with a web server certificate to support the identification of the server by multiple specific subdomain labels?
The subject alternative name (SAN) field. A wildcard certificate will match any subdomain level.
What cryptographic information is stored in a digital certificate?
The subject's public key and the algorithms used for encryption and hashing. The certificate also stores a digital signature from the issuing CA, establishing a chain of trust.
You are developing new detection rules for a network security scanner. Which tool will be of use in testing whether the rules match a malicious traffic sample successfully?
The tcpreplay tool can be used to stream captured traffic from a file to a monitored network interface.
What term relates to assessment techniques that avoid alerting threat actors?
This can be referred to as maneuver.
What type of operation is being performed by the following command: openssl req -nodes -new -newkey rsa:2048 -out my.csr -keyout mykey.pem?
This generates a new RSA key pair plus a certificate signing request.
A purchasing manager is browsing a list of products on a vendors website when a window opens claiming that anti-malware software has detected several thousand files on his computer that are infected with viruses. Instructions in the official-looking window indicate the user should click a link to install software that will remove these infections. What type of social engineering attempt is this, or is it a false alarm?
This is a social engineering attempt utilizing a watering hole attack and/or "malvertising."
You receive an email with a screenshot showing a command prompt at one of your application servers. The email suggests you engage the hacker for a day's consultancy to patch the vulnerability. How should you categorize this threat?
This is either gray-hat (semi-authorized) hacking or black hat (non-authorized) hacking. If the request for compensation via consultancy is an extortion threat (if refused, the hacker sells the exploit on the dark web), then the motivation is purely financial gain and can be categorized as black hat. If consultancy is refused and the hacker takes no further action, it can be classified as gray hat.
The help desk takes a call and the caller states that she cannot connect to the e-commerce website to check her order status. She would also like a user name and password. The user gives a valid customer company name but is not listed as a contact in the customer database. The user does not know the correct company code or customer ID. Is this likely to be a social engineering attempt, or a false alarm?
This is likely to be a social engineering attempt. The help desk should not give out any information or add an account without confirming the callers identity.
You are troubleshooting a user's workstation. At the computer, an app window displays on the screen claiming that all of your files are encrypted. The app window demands that you make an anonymous payment if you ever want to recover your data. What type of malware has infected the computer?
This is some type of ransomware, but it will take more investigation whether it is actually crypto-malware or not.
What type of tool could you use to fingerprint the host acting as the default gateway?
This requires a tool that performs fingerprinting - service and version detection - by examining responses to network probes and comparing them to known responses from common platforms. Nmap is very widely used for this task, or you could use hping or Netcat.
True or false? Perfect forward secrecy (PFS) ensures that a compromise of a server's private key will not also put copies of traffic sent to that server in the past at risk of decryption.
True. PFS ensures that ephemeral keys are used to encrypt each session. These keys are destroyed after use.
True or false? When implementing smart card logon, the user's private key is stored on the smart card.
True. The smart card implements a cryptoprocessor for secure generation and storage of key and certificate material.
You suspect that a rogue host is acting as the default gateway for a subnet in a spoofing attack. What command-line tools can you use from a Windows client PC in the same subnet to check the interface properties of the default gateway?
Use ipconfig to check the IP addresses of the default gateway and the DHCP server. Use arp to check the MAC addresses associated with those IP addresses and investigate possible spoofing. You could also use the route command to verify the properties of the default route.
You have received an urgent threat advisory and need to configure a network vulnerability scan to check for the presence of a related CVE on your network. What configuration check should you make in the vulnerability scanning software before running the scan?
Verify that the vulnerability feed/plug-in/test has been updated with the specific CVE that you need to test for.
You are recommending different anti-virus products to the CEO of a small travel services firm. The CEO is confused because they had heard that Trojans represent the biggest threat to computer security these days. What explanation can you give?
While antivirus remains a popular marketing description, all current security products worthy of consideration will try to provide protection against a full range of malware and potentially unwanted programs and threats.
You are advising a business owner on security for a PC running Windows XP. The PC runs process management software that the owner cannot run on Windows 10. What are the risks arising from this, and how can they be mitigated?
Windows XP is a legacy platform that is no longer receiving security updates. This means that patch management cannot be used to reduce risks from software vulnerabilities. The workstation should be isolated from other systems to reduce the risk of compromise.
A user's computer is performing extremely slowly. Upon investigation, you find that a process named n0tepad.exe is utilizing the CPU at rates of 80 - 90%. This is accompanied by continual small disk reads and writes to a temporary folder. Should you suspect malware infection and is any particular class indicated?
Yes, this is malware as the process name is trying to masquerade as a legitimate process. It is not possible to conclusively determine the type without more investigation, but you might initially suspect a crypto-miner / crypto-jacker.
What methods can be used to implement location based authentication?
You can query the location service running on a device or geolocation by IP. You could use location with the network, based on switch port, wireless network name, virtual LAN (VLAN), or IP subnet.
You are investigating a Linux server that is the source of suspicious network traffic. At a terminal on the server, which tool could you use to check which process is using a given TCP port?
You can use the netstat command to do this.