Security Plus - Infotec Quizzes

Which of the following technologies would be MOST appropriate to utilize when testing a new software patch before a company-wide deployment? 1. Cloud computing 2. Application control 3. Redundancy 4. Virtualization

4. Virtualization Virtualization offers the flexibility of quickly and easily making backups of entire virtual systems, and quickly recovering the virtual system when errors occur. Furthermore, malicious code compromises of virtual systems rarely affect the host system, which allows for safer testing and experimentation.

Which of the following is the summary of loss for a given year?

ALE

A company wants to host a publicity available server that performs the following functions: Evaluates MX record lookup Can perform authenticated requests for A and AAA records Uses RRSIG What should the company use to fulfill the above requirements?

DNSSEC - The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP). DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records. These digital signatures are stored in DNS name servers alongside common record types like A, AAAA, MX, CNAME, etc. By checking its associated signature, you can verify that a requested DNS record comes from its authoritative name server and wasn't altered in route, opposed to a fake record injected in a man-in-the-middle attack. To facilitate signature validation, DNSSEC adds a few new DNS record types: RRSIG - Contains a cryptographic signature DNSKEY - Contains a public signing key DS - Contains the hash of a DNSKEY record NSEC and NSEC3 - For explicit denial-of-existence of a DNS record CDNSKEY and CDS - For a child zone requesting updates to DS record(s) in the parent zone.

A Security Officer on a military base needs to encrypt several smart phones that will be going into the field. What encryption solutions should be deployed in this situation?

Elliptic curve

An information system owner has supplied a new requirement to the development team that calls for increased non-repudiation within the application. After undergoing several audits, the owner determined that current levels of non-repudiation were insufficient. What capability would be MOST appropriate to consider implementing in response to the new requirement?

Digital signatures - A valid digital signature gives a recipient reason to believe that the message was created by a known sender (authentication), that the sender cannot deny having sent the message (non-repudiation), and that the message was not altered in transit (integrity). Digital signatures employ asymmetric cryptography.

For the business using the product, ___ concerns include disposing of the existing product responsibly, transitioning to a different product and ensuring that disruption will be minimal. Product lifecycle management (PLM) is a systematic approach to managing the series of changes a product goes through, from its design and development to its ultimate retirement or disposal. PLM software can be used to automate the management of product-related data and integrate the data with other business processes such as enterprise resource planning (ERP) and manufacturing execution systems (MES).

EOL

Ann a security analyst is monitoring the IDS console and noticed multiple connections from an internal host to a suspicious call back domain. What tool would aid her to decipher the network traffic?

NETSTAT - The netstat command (short for "network statistics") is used to display protocol statistics and current TCP/IP network connections. It is used to find a large amount of information about the state of the connection into the device including, but not limited to which ports are open for incoming connections, which ports are actively in use, the current state of existing connections, in-depth protocol statistics, and many other useful pieces of information.

___ is a diagnostic tool for NetBIOS over TCP/IP. It is included in several versions of Microsoft Windows. Its primary design is to help troubleshoot NetBIOS name resolution problems. You can run ___ from the command prompt to view NetBIOS over TCP/IP statistics on the computer and determine the status of connections formed to the machine.

Nbtstat - nbtstat -n shows the NetBIOS local names of the host that have been registered on the system.

The risk of ___ is the information being sent to the printer can be captured encrypted. Unencrypted print data are a weakness in every IT security environment because without encryption, all printing protocols transmit print data as (more or less) readable, clear text.

PCL The printer command languages PCL (Printer Control Language) and Postscript are page-description protocols that include the document information in clear text in addition to control and command characters. Reading a text transmitted in ASCII format is even simpler.

A security analyst has been asked to perform a review of an organization's software development lifecycle. The analyst reports that the lifecycle does not contain a phase in which team members evaluate and provide critical feedback of another developer's code. What assessment techniques is BEST described in the analyst's report?

Peer review

A company is deploying a new VoIP phone system. They require 99.999% uptime for their phone service and are concerned about their existing data network interfering with the VoIP phone system. The core switches in the existing data network are almost fully saturated. What will provide the best performance and availability for both the VoIP traffic, as well as the traffic on the existing data network?

Put the VoIP network into a different VLAN than the existing data network. - One of the best strategies for a company looking to host both data and VoIP traffic on the same network is VLAN segmentation. Moving your VoIP traffic onto a VLAN can bring you numerous benefits, both to your voice systems, as well as to your network at large. The immediate benefit that comes from virtually segmenting your VoIP is also one of the best: you are likely to see a boost in overall call quality, because the VoIP packets do not have to compete with data packets for priority. VoIP is much less tolerant of dropped packets than data services, and even low levels of latency can turn into significant delays or echoing when VoIP is used. Putting VoIP on its own VLAN lets you give it highest priority in the network, while allowing more fault-tolerant data processes to take the back seat. Likewise, your Quality-of-Service and Voice Quality Monitoring services will be able to do a more effective job, and usually with less overhead on the server. Since they are dealing with a less-congested network, they do not have to filter through data packets to optimize the VoIP traffic.

___ is used to create a secure channel between a local and remote computer. While ___ is commonly used for secure terminal access and file transfers, it can also be used to create a secure tunnel between computers for forwarding other network connections that are not normally encrypted. ___ tunnels are also useful for allowing outside access to internal network resources.

Secure Shell, or SSH, Let us look at a concrete example of how to set up an SSH Tunnel. You are the IT technician at your office and need to connect to a client through an SSH server to perform work using RDP, but it is protected by a company firewall. You need to get through the firewall in order to perform your work. The solution is to create an SSH Tunnel in Remote Desktop Manager to carry the RDP communication.

___ typically refers to media file transfer to a mobile device via USB, Bluetooth, WiFi or by writing to a memory card for insertion into the mobile device. Whith Android apps, it also means installing an application package in APK format onto an Android device.

Sideloading

___ A data steward or data custodian handles the routine tasks

Steward/custodian. For example, a data custodian would ensure data is backed up in accordance with a backup policy. The custodian would also ensure that backup tapes are properly labeled to match the classification of the data and stored in a location that provides adequate protection for the classification of the data. Data owners typically delegate tasks to the data custodian.

A ___ is a passive splitting mechanism installed between a 'device of interest' and the network. ___ transmit both the send and receive data streams simultaneously on separate dedicated channels, ensuring all data arrives at the monitoring device in real time.

TAP (Test Access Point) Most enterprise switches copy the activity of one or more ports through a Switch Port Analyzer (SPAN) port, also known as a mirror port. An analysis device can then be attached to the SPAN port to access network traffic. When deciding whether to use a TAP or SPAN to port scan the two primary factors that will affect your decision are the type of analysis and amount of bandwidth. A TAP is ideal when analysis requires seeing all the traffic, including physical-layer errors. A TAP is required if network utilization is moderate to heavy. An Aggregator TAP can be used as an effective compromise between a TAP and SPAN port, delivering some of the advantages of a TAP and none of the disadvantages of a SPAN port.

Before an infection was detected, several of the infected devices attempted to access a URL that was similar to the company name but with two letters transported. What BEST describes the attack vector used to infect the devices?

Typo squatting - Typosquatting, also known as URL hijacking, is a form of cybersquatting (sitting on sites under someone else's brand or copyright) that targets Internet users who incorrectly type a website address into their web browser (e.g., "Gooogle.com" instead of "Google.com").

A name that includes an object's entire path to the root of the LDAP namespace is called its ___, or DN. An example DN for a user named T Jones whose object is stored in the cn=Users container in a domain named Company.com would be cn=TJones,cn=Users,dc=Company,dc=com.

distinguished name

A security administrator must implement a system to ensure that invalid certificates are not used by a custom developed application. The system must be able to check the validity of certificates even when internet access is unavailable. What MUST be implemented to support this requirement?

CRL - A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted.

A security administrator has been asked to implement a VPN that will support remote access over IPSEC. Which of the following is an encryption algorithm that would meet this requirement? 1. UDP 2. PKI 3. AES 4. MD5

3. AES - IPsec is a framework of open standards developed by the IETF. It provides security for the transmission of sensitive information over unprotected networks such as the Internet. IPsec acts at the network layer, protecting and authenticating IP packets between participating IPsec devices ("peers"), such as routers. Cisco no longer recommends using DES, 3DES, MD5 (including HMAC variant), and Diffie-Hellman (DH) groups 1, 2 and 5; instead, you should use AES, SHA and DH Groups 14 or higher. L2TP/IPsec using the AES cipher has no major known vulnerabilities, and if properly implemented may still be secure. Advanced Encryption Standard is a cryptographic algorithm that protects sensitive, unclassified information. AES is a privacy transform for IPsec and IKE and has been developed to replace DES. AES is designed to be more secure than DES. AES offers a larger key size, while ensuring that the only known approach to decrypt a message is for an intruder to try every possible key. AES has a variable key length—the algorithm can specify a 128-bit key (the default), a 192-bit key, or a 256-bit key. By far the most common ciphers that you will likely encounter with regards to VPNs are Blowfish and AES. In addition to this, RSA is used to encrypt and decrypt a cipher's keys, and SHA-1 or SHA-2 is used as the hash function to authenticate data.

Joe is exchanging encrypted email with another party. Joe encrypts the initial email with a key. When Joe receives a response, he is unable to decrypt the response with the same key he used initially. What would explain the situation?

Asymmetric encryption is being used - Asymmetric Encryption is a form of encryption where keys come in pairs. What one key encrypts, only the other can decrypt. Frequently (but not necessarily), the keys are interchangeable, in the sense that if key A encrypts a message, then B can decrypt it, and if key B encrypts a message, then key A can decrypt it. While common, this property is not essential to asymmetric encryption. Asymmetric Encryption, known as Public Key Cryptography, since users typically create a matching key pair, and make one public while keeping the other secret. Users can "sign" messages by encrypting them with their private keys. This is effective since any message recipient can verify that the user's public key can decrypt the message, and thus prove that the user's secret key was used to encrypt it. If the user's secret key is, in fact, secret, then it follows that the user, and not some impostor, really sent the message. Users can send secret messages by encrypting a message with the recipient's public key. In this case, only the intended recipient can decrypt the message, since only that user should have access to the required secret key.

A security administrator receives notice that a third-party certificate authority has been compromised, and new certificates will need to be issued. What should the administrator submit to receive a new certificate?

CSR - A Certificate Signing Request or CSR is a specially formatted encrypted message sent from a Secure Sockets Layer (SSL) digital certificate applicant to a certificate authority (CA). The CSR validates the information the CA requires to issue a certificate. In a public key infrastructure (PKI) system, which enables secure data sharing among validated parties on the Internet, a CSR must be created before ordering and purchasing an SSL certificate. Applicants must first generate a key pair -- a private key, which will be used to decrypt ciphertext and create digital signatures, and a public key to encrypt plaintext and verify digital certificates. Note that both the key pair and CSR must be created on the server on which the SSL certificate will be used; this is imperative to ensure the integrity of the key pair and PKI in general.

___ attack specifically impact data availability?

DDoS - A distributed denial-of-service (DDoS) attack is an attack in which multiple compromised computer systems attack a target, such as a server, website or other network resource, and cause a denial of service for users of the targeted resource. The flood of incoming messages, connection requests or malformed packets to the target system forces it to slow down or even crash and shut down, thereby denying service to legitimate users or systems.

The security administrator has noticed cars parking just outside of the building fence line. Which of the following security measures can the administrator use to help protect the company's WiFi network against war driving? (Select TWO) 1. Adjust power level controls 2. Create a honeynet 3. Reduce beacon rate 4. Implement a warning banner 5. Change antenna placement 6. Add false SSIDs

1. Adjust power level controls 5. Change antenna placement Wardriving refers to hackers driving around with laptops or mobile devices connected to high-powered antennas, scanning for unlocked (i.e., no password needed for access) or poorly protected networks. Configuring a wireless network requires a combination of power settings, antenna choice, and antenna location. A feature that can really help you with security in your wireless access point configuration, you may have controls over how much power you put out on the wireless access point. Ideally, you would set this to go as low as you possibly can and still have people communicating. That way you are not sending your signal out to the parking lot where other people may be able to hear what is going on your wireless network. Along those same lines, it really does make a difference where you put the antenna for your wireless access point, especially if you need to overlap different parts of the organization. You may have a big floor. Moreover, it may not be possible to put a single wireless access point in the middle and try to see if everybody can hear that access point. So this is where you may want to adjust power levels, adjust where your different antennas are being placed, and maybe even change the type of antenna you're using, maybe not to be an omnidirectional antenna. Maybe choose one that only looks in different directions to send its signal and receive its signal. There are many options out there. You can check with your manufacturer of your wireless access point and see what types of antennas are available for the particular model that you have.

Which of the following should identify critical systems and components? 1. BCP 2. ITCP 3. BPA 4. MOU

1. BCP A business continuity plan (BCP) is a document that consists of the critical information an organization needs to continue operating during an unplanned event. The BCP should state the essential functions of the business, identify which systems and processes must be sustained, and detail how to maintain them. It should take into account any possible business disruption.

A security analyst is investigating a security breach. Upon inspection of the audit and access logs, the analyst notices the host was accessed and the /etc/passwd file was modified with a new entry for username "gotcha" and user ID of 0. Which of the following are the MOST likely attack vector and tool the analyst should use to determine if the attack is still ongoing? (Select TWO) 1. Backdoor 2. Ping 3. Keylogger 4. Netstat 5. Logic bomb 6. Tracert

1. Backdoor 4. Netstat A backdoor is a malware type that negates normal authentication procedures to access a system. As a result, remote access is granted to resources within an application, such as databases and file servers, giving perpetrators the ability to remotely issue system commands and update malware. Netstat, the TCP/IP networking utility, has a simple set of options and identifies a computer's listening ports, along with incoming and outgoing network connections. This data can be very helpful if you are trying to resolve a malware issue or diagnose a security problem. Another reason I find Netstat such a useful tool is that it can be found on almost any computer by default, from Unix and Linux machines through to Windows and Macs. The fact you do not have to install and run a separate diagnostic tool can be a lifesaver when dealing with a client's PC or a quarantined machine. Every open port on your computer is an entry point that can be exploited to gain covert access. Therefore, if you need to know what connections a machine has to the internet and what services may be open and running, Netstat can quickly tell you.

A company has a data system with definitions for "Private" and "Public". The company's security policy outlines how data should be protected based on type. The company recently added the data type "Proprietary". Which of the following is the MOST likely reason the company added this data type? 1. Better data classification 2. Reduced cost 3. Expanded authority of the privacy officer 4. More searchable data

1. Better data classification Classification of commercial or nongovernment organizations does not have a set standard. The classification used is dependent on the overall sensitivity of the data and the levels of confidentiality desired. Additionally, a nongovernment organization might consider the integrity and availability of the data in its classification model.

A security administrator receives an alert from a third-party vendor that indicates a certificate that was installed in the browser has been hijacked at the root of a small public CA. The security administrator knows there are at least four different browsers in use on more than a thousand computers in the domain worldwide. Which of the following solutions would be BEST for the security administrator to implement to most efficiently assist with this issue? 1. CRL 2. ACL 3. PKI 4. SSL

1. CRL A CRL is a Certificate Revocation List. When any certificate is issued, it has a validity period, which is defined by the Certification Authority. Usually this is one or two years. Any time a certificate is presented as part of an authentication dialog, the current time should be checked against the validity period. A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted. CRLs are a type of blacklist and are used by various endpoints, including Web browsers, to verify whether a certificate is valid and trustworthy. Digital certificates are used in the encryption process to secure communications, most often by using the TLS/SSL protocol. The certificate, which is signed by the issuing Certificate Authority, also provides proof of the identity of the certificate owner.

Which of the following delineates why it is important to perform egress filtering and monitoring on Internet connected security zones of interfaces on a firewall? 1. Outbound traffic could be communicating to known botnet sources 2. To rebalance the amount of outbound traffic and inbound traffic 3. Egress traffic is more important than ingress traffic for malware prevention 4. To prevent DDoS attacks originating from external network

1. Outbound traffic could be communicating to known botnet sources.

A system's administrator has finished configuring firewall AGL to allow access to a new web answer. PERMIT TCP from: ANY to: 192.168.1.10:80 PERMIT TCP from: ANY to: 192.168.1.10:443 DENY TCP from: ANY to: ANY The security administrator confirms form the following packet capture that there is network traffic from the internet to the web server: TCP 10.23.243.2:2000->192.168.1.10:80 POST/default's TCP 172.16.4.100: 1934->192.168.1.10:80 GET/session.aspx? user 1 sessionid= a12ad8741d8f7e7ac723847aa8231a The company's internal auditor issues a security finding and requests that immediate action be taken. With which of the following is the auditor MOST concerned? 1. Clear text credentials 2. Default configuration 3. Misconfigured firewall 4. Implicit deny

1. Clear text credentials The biggest security issue with such traffic is the human-readable and understandable format it is in, even sensitive information as user credentials. Clear-text traffic can be easily understood by human beings without any additional processing, as we will see under this section. Many common protocols in our networks communicate in such a manner.

Which of the following techniques can bypass a user or computer's web browser privacy settings? (Select Two) 1. Cross-site scripting 2. Locally shared objects 3. LDAP injection 4. Session hijacking 5. SQL Injection

1. Cross-site scripting 4. Session hijacking Session hijacking, sometimes also known as cookie hijacking is the exploitation of a valid computer session-sometimes also called a session key - to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server Cross-Site Scripting, often referred to as XSS, is vulnerability in a website that permits an attacker to leverage the trust relationship that you have with that site. Cross-site scripting, a security exploit in which the attacker inserts malicious client-side code into webpages.

Which of the following would allow for the QUICKEST restoration of a server into a warm recovery site in a case in which server data mirroring is not enabled? 1. Differential backup 2. Full backup 3. Snapshot 4. Incremental backup

1. Differential backup A differential backup is a type of backup that copies all the data that has changed since the last full backup. For example, if a full backup is done on Sunday, Monday's differential backup backs up all the files changed or added since Sunday's full backup.

A system administrator is configuring a site-to-site VPN tunnel. Which of the following should be configured on the VPN concentrator during the IKE phase? 1. Diffie-Hellman 2. HTTPS 3. ECDHE 4. RIPEMD

1. Diffie-Hellman IKE is a key management protocol standard that is used in conjunction with the IPsec standard. IPsec is an IP security feature that provides robust authentication and encryption of IP packets. IPsec can be configured without IKE, but IKE enhances IPsec by providing additional features, flexibility, and ease of configuration for the IPsec standard. IKE is a hybrid protocol that implements the Oakley key exchange and Schema key exchange inside the Internet Security Association Key Management Protocol (ISAKMP) framework. Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecure communications channel. Diffie-Hellman is used within IKE to establish session keys.

The SSID broadcast for a wireless router has been disabled but a network administrator notices that unauthorized users are accessing the wireless network. The administer has determined that attackers are still able to detect the presence of the wireless network despite the fact the SSID has been disabled. Which of the following would further obscure the presence of the wireless network? 1. Disable responses to a broadcast probe request 2. Upgrade the encryption to WPA or WPA2 3. Create a non-zero length SSID for the wireless router 4. Reroute wireless users to a honeypot

1. Disable responses to a broadcast probe request In order to make the discovery and selection of an AP easier, a Service Set Identifier (SSID) is assigned to it, which is human readable name for the network with a maximum length of 32 characters. Generally, AP devices have a unique SSID assigned to them at manufacturing time, but many users customize them for their convenience. A user, who desires to connect to a network, needs to select the SSID from the list of nearby networks and provide the corresponding password to establish a secure connection. To reduce user burden when re-connecting to known AP, devices typically cache credentials and SSIDs and scan for nearby APs. If a known AP is discovered, the device re-connects automatically to it. Although APs periodically announce their SSID and it is possible to scan them passively, the preferred way for scanning is active scanning by the client using WIFI probe request frames. A probe request is essentially a broadcast question: "Is AP with SSID xxxx listening? Please respond". These probe requests are sent out in bursts, one for every saved AP SSID, usually once every 60 seconds. Between the bursts the radio can be turned off, which saves power. Whenever an AP receives a probe request with its assigned SSID, it responds with a probe response frame and connection is initiated. The simplest and most secure option to obscure the presence of the wireless network of course is manually switch off WIFI when it is not used. Finding and disabling the option to automatically connect to WIFI networks should have similar effect. The option to not scan or automatically reconnect to known APs may not be present or may be ineffective disabling probe requests. In these cases it may be necessary to disable option to remember network for sensitive networks, to not use the device in places where monitoring is probable, and to manually switch off WIFI whenever possible.

Given the log output: Max 15 00:15:23.431 CRT: #SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: msmith] [Source: 10.0.12.45] [localport: 23] at 00:15:23:431 CET Sun Mar 15 2015 Which of the following should the network administrator do to protect data security? 1. Disable telnet and enable SSH 2. Configure port security for logons 3. Disable password and enable RSA authentication 4. Configure an AAA server

1. Disable telnet and enable SSH - Telnet protocol enables users to remotely connect to Cisco devices and it is enabled by default on most Cisco device. However, it is not very secure to enable Telnet (TCP port 23) on your Cisco device as the login information and commands are sent in clear text and can be easily hacked. It is recommended to use SSH (TCP port 22) for remote access as this gives you secure, encrypted connection to your Cisco device.

A security analyst has set up a network tap to monitor network traffic for vulnerabilities. Which of the following techniques would BEST describe the approach the analyst has taken? 1. Port scanning 2. Compliance scanning 3. Credentialed scanning 4. Passive vulnerability scanning

1. Port scanning

Joe a website administrator believes he owns the intellectual property for a company invention and has been replacing image files on the company's public facing website in the DMZ. Joe is using steganography to hide stolen data. Which of the following controls can be implemented to mitigate this type of inside threat? 1. File integrity monitoring 2. Access controls 3. Digital signatures 4. Change management 5. Stateful inspection firewall

1. File integrity monitoring FIM technologies typically work with one of the following approaches: 1. Baseline comparison, wherein one or more file attributes will be captured or calculated and stored as a baseline that can be compared against at some future time. This can be as simple as the time and date of the file, however, since this data can be easily spoofed; a more trustworthy approach is typically used. This may include periodically assessing the cryptographic checksum for a monitored file, (e.g. using the MD5 or SHA-2 hashing algorithm) and then comparing the result to the previously calculated checksum. 2. Real-time change notification, which is typically implemented within or as an extension to the kernel of the operating system that will flag when a file is accessed or modified. Regardless of approach, the end result is the same-to identify and alert you to any changes (creation, modification or deletion) to a monitored file or directory.

Joe, a technician, is working remotely with his company provided laptop at the coffee shop near his home. Joe is concerned that another patron of the coffee shop may be trying to access his laptop. Which of the following is an appropriate control to use to prevent the other patron from accessing Joe's laptop directly? 1. Host-based firewall 2. Current antivirus definitions 3. Latest OS updates 4. full-disk encryption

1. Host-based firewall A host-based firewall is a piece of firewall software that runs on an individual computer or device connected to a network. These types of firewalls are a granular way to protect the individual hosts from viruses and malware, and to control the spread of these harmful infections throughout the network.

The data backup window has expanded into the morning hours and has begun to affect production users. The main bottleneck in the process is the time it takes to replicate the backups to separate severs at the offsite data center. Which of the following uses of deduplication could be implemented to reduce the backup window? 1. Implement deduplication on the storage array to reduce the amount of drive space needed 2. Implement deduplication at the network level between the two locations 3. Implement deduplication on the server storage to reduce the data backed up 4. Implement deduplication on both the local and remote servers

1. Implement deduplication on the storage array to reduce the amount of drive space needed Data deduplication is a data compression technique in which redundant or repeated copies of data are removed from a system. It is implemented in data backup and network data mechanisms and enables the storage of one unique instance of data within a database or information system (IS). Data deduplication is also known as intelligent compression, single instance storage, and commonality factoring or data reduction. Data deduplication works by analyzing and comparing incoming data segments with previously stored data. If data is already present, data deduplication algorithms discard the new data and create a reference. For example, if a document file is backed up with changes, the previous file and applied changes are added to the data segment. However, if there is no difference, the newer data file is discarded, and a reference is created. Similarly, a data deduplication algorithm scans outgoing data on a network connection to check for duplicates, which are removed to increase data transfer speed. Question

A security analyst accesses corporate web pages and inputs random data in the forms. The response received includes the type of database used and SQL commands that the database accepts. Which of the following should the security analyst use to prevent this vulnerability? 1. Input validation 2. Error handling 3. Application fuzzing 4. Pointer dereference

1. Input validation Input validation, also known as data validation, is the proper testing of any input supplied by a user or application. Input validation prevents improperly formed data from entering an information system.

A security analyst is hardening a server with the directory services role installed. The analyst must ensure LDAP traffic cannot be monitored or sniffed and maintains compatibility with LDAP clients. Which of the following should the analyst implement to meet these requirements? (Select two.) 1. Install and configure an SSH tunnel on the LDAP server. 2. Ensure port 636 is open between the clients and the servers using the communication. 3. Generate an X.509-compliant certificate that is signed by a trusted CA. 4. Remote the LDAP directory service role from the server. 5. Ensure port 389 is open between the clients and the servers using the communication.

1. Install and configure an SSH tunnel on the LDAP server. 2. Ensure port 636 is open between the clients and the servers using the communication. The requirement is that only TLS connections will be supported by this server. The strategy adopted is to drop the listens for normal LDAP URL traffic (port 389) leaving only LDAPS URL (port 636) listens and to introduce a couple of basic rules to force secured simple binding and prevent anonymous binding. Finally, port forwarding can be used to set up SSH tunneling for communications between the client and the server or between the client and the firewall/gateway over the Internet, in which case the firewall and server need to be able to connect to each other on the same LAN.

A security administrator suspects that data on a server has been exfiltrated as a result of unauthorized remote access. Which of the following would assist the administrator in confirming the suspicions? (Select TWO) 1. Log analysis 2. File integrity monitoring 3. Networking access control 4. Host firewall rules 5. DLP alerts

1. Log analysis 5. DLP alerts

Joe a computer forensic technician responds to an active compromise of a database server. Joe first collects information in memory, then collects network traffic and finally conducts an image of the hard drive. Which of the following procedures did Joe follow? 1. Order of volatility 2. Chain of custody 3. Incident isolation 4. Recovery procedure

1. Order of volatility

Which of the following use the SSH protocol? (Select two) 1. SFTP 2. SSL 3. SNMP 4. FTPS 5. Telnet 6. SCP

1. SFTP 6. SCP SSH, also known as Secure Socket Shell is a network protocol that provides administrators with a secure way to access a remote computer. SSH also refers to the suite of utilities that implement the protocol. Secure Shell provides strong authentication and secure encrypted data communications between two computers connecting over an insecure network such as the Internet. SSH is widely used by network administrators for managing systems and applications remotely, allowing them to log in to another computer over a network, execute commands and move files from one computer to another. SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding TCP ports and X11 Unix connections; it can transfer files using the associated SSH file transfer (SFTP) or secure copy (SCP) protocols.

Which of the following should be used to implement voice encryption? 1. SRTP 2. VDSL 3. SSLv3 4. VoIP

1. SRTP Voice encryption (SRTP) The Secure Real Time Transport Protocol (SRTP) is based on the Real Time Transport Protocol (RTP). SRTP is used for example in internet telephony Voice over IP (VoIP), in order to guarantee an eavesdrop-secure transfer of telephone data between multiple conversation participants.

A manager wants to distribute a report to several other managers within the company. Some of them reside in remote locations that are not connected to the domain but have a local server. Because there is sensitive data within the report and the size of the report is beyond the limit of the email attachment size, emailing the report is not an option. Which of the following protocols should be implemented to distribute the report securely? (Select three.) 1. SSH 2. SNMPv3 3. SRTP 4. LDAPS 5. FTPS 6. HTTPS 7. S/MIME

1. SSH 5. FTPS 6. HTTPS Security in FTP is provided by employing SSL/TLS protocol for channel encryption. The secured version of FTP is called FTPS. In UNIX systems another security standard has grown. It is the SSH family of protocols. The primary function of SSH was to secure remote shell access to UNIX systems. Later SSH was extended with file transfer protocol - first SCP, then SFTP. HTTPS is a secure version of HTTP (using SSL), and inherits the limitations (and the advantages) of HTTP.

An application developer is designing an application involving secure transports from one service to another that will pass over port 80 for a request. Which of the following secure protocols is the developer MOST likely to use? 1. SSL 2. LDAPS 3. FTPS 4. SFTP

1. SSL - SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral.

A manager suspects that an IT employee with elevated database access may be knowingly modifying financial transactions for the benefit of a competitor. Which of the following practices should the manager implement to validate the concern? 1. Separation of duties 2. Background checks 3. Security awareness training 4. Mandatory vacations

1. Separation of duties Separation of duties (also known as segregation of Duties) is the concept of having more than one person required to complete a task. In business the separation by sharing of more than one individual in one single task is an internal control intended to prevent fraud and error.

A systems administrator is attempting to recover from a catastrophic failure in the datacenter. To recover the domain controller, the systems administrator needs to provide the domain administrator credentials. Which of the following account types is the systems administrator using? 1. Service account 2. User account 3. Shared account 4. Guest account

1. Service account A domain user account enables the service to take full advantage of the service security features of Windows and Microsoft Active Directory Domain Services. The service has whatever local and network access is granted to the account, or to any groups of which the account is a member.

A security administrator needs an external vendor to correct an urgent issue with an organization's physical access control system (PACS). The PACS does not currently have internet access because it is running a legacy operation system. Which of the following methods should the security administrator select that best balances security and efficiency? 1. Set up a web conference on the administrator's PC; then remotely connect to the PACS 2. Set up VPN concentrator for the vendor and restrict access to the PACS using desktop sharing 3. Have the external vendor come onsite and provide access to the PACS directly 4. Temporarily permit outbound internet access for the PACS so desktop sharing can be set up

1. Set up a web conference on the administrator's PC; then remotely connect to the PACS A VPN concentrator is a type of networking device that provides secure creation of VPN connections and delivery of messages between VPN nodes. It is a type of router device, built specifically for creating and managing VPN communication infrastructures like the external vendor correcting an urgent issue with the organizations physical access control system.

Which of the following technologies employ the use of SAML? (Select two.) 1. Single sign-on 2. RADIUS 3. Secure token 4. Federation 5. LDAP

1. Single sign-on 4. Federation The Security Assertion Markup Language (SAML) is an open standard for sharing security information about identity, authentication and authorization across different systems. SAML is implemented with the Extensible Markup Language (XML) standard for sharing data, and SAML provides a framework for implementing single sign-on (SSO) and other federated identity systems.

A software developer wants to ensure that the application is verifying that a key is valid before establishing SSL connections with random remote hosts on the Internet. Which of the following should be used in the code? (Select TWO.) 1. Software code private key 2. Remote server public key 3. OCSP 4. SSL symmetric encryption key 5. Escrowed keys

1. Software code private key 3. OCSP Code signing is the method of using a certificate-based (private key) digital signature to sign executable and scripts in order to verify the author's identity and ensure that the code has not been changed or corrupted since it was signed by the author. This helps users and other software to determine whether the software can be trusted. The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 (public key) digital certificate.

A workstation puts out a network request to locate another system. Joe, a hacker on the network, responds before the real system does, and he tricks the workstation into communicating with him. Which of the following BEST describes what occurred? 1. The hacker exploited weak switch configuration. 2. The hacker used a race condition 3. The hacker used a pass-the-hash attack

1. The hacker exploited weak switch configuration. Attacks on switches are easier to perpetrate than you might think. Easy to find and download from the Internet, these tools show people how to exploit badly configured networks and physical weaknesses in the LAN, making it depressingly easy for them to launch a devastating VLAN or switch attack. VLANs are implemented at layer 2 of the OSI network model. The majority of layer 2 (data link layer) attacks exploit the inability of a switch to track an attacker, because the switch has no inherent mechanism to detect that an attack is occurring. This weakness means that this same attacker can perform malicious acts against the network path, altering the path and exploiting the change without detection. Despite the scale and variety of switch and VLAN threats - and their potentially devastating impact on networks - they can all be effectively mitigated through the combination of good network management practices, effective network design and the application of advanced security products. Switches and VLANs can be secure, and organizations should not be perturbed from deploying them because of the threats; rather they should deploy them wisely to mitigate the threats.

A user of the wireless network is unable to gain access to the network. The symptoms are: 1.) Unable to connect to both internal and Internet resources 2.) The wireless icon shows connectivity but has no network access The wireless network is WPA2 Enterprise and users must be a member of the wireless security group to authenticate. Which of the following is the MOST likely cause of the connectivity issues? 1. The wireless signal is not strong enough 2. The DHCP scope is full 3. The user's laptop only supports WPA and WEP 4. A remote DDoS attack against the RADIUS server is taking place 5. The dynamic encryption key did not update while the user was offline

1. The wireless signal is not strong enough - : Browsing slowing to a crawl, the inability to stream, dropped Wi-Fi signals, wireless dead zones—every one of these problems is maddening in a world where getting online has become, for some, as necessary as breathing. Well, maybe not that critical, but important. Distance is the most obvious problem—there is a certain optimal range that the wireless signal can travel. If the network has to cover an area larger than the router is capable of transmitting to, or if there are lots of corners to go around and walls to penetrate, performance will take a hit. Interference is also a big issue, especially for those who live in densely populated areas. Signals from other wireless networks and electronics can impact speeds, as can physical obstructions, such as walls. Many phone systems and other wireless devices can also interfere with signals. If your router has an internal antenna, adding an external one would be a good idea, as the latter tends to send a stronger signal. Many router manufacturers sell omnidirectional antennas, which send a signal to all directions, or directional ones, which send a signal in one specific direction. Most built-in antennas tend to be omnidirectional, so if you are buying an external one, it should be marked "high-gain" to actually make a difference. A directional antenna tends to be a better option, since odds are that you are not experiencing weak spots in your network in every direction. Point your external antenna in the direction of your weak spot, and it will broadcast the signal accordingly.

The chief security officer (CSO) has issued a new policy that requires that all internal websites be configured for HTTPS traffic only. The network administrator has been tasked to update all internal sites without incurring additional costs. Which of the following is the best solution for the network administrator to secure each internal website? 1. Use a self-signed certificate on each internal server 2. Use certificates signed by a public ca 3. Use a signing certificate as a wild card certificate 4. Use certificates signed by the company CA

1. Use a self-signed certificate on each internal server -- An SSL certificate is a means to bind a cryptographic key to company's details. When used properly, it ensures web customers that the site they are visiting does, in fact, belong to you. SSL certificates also helps to enable secure http (HTTPS) on your website, thereby securing transactions of various sorts. For most businesses, these SSL certificates are purchased from companies like VeriSign, Symantec, and Network Solutions. Purchasing an SSL certificate is not the only means of acquiring such a file. For those not in the know, there is always the self-signed certificate. Simply put, the self-signed SSL certificate is created in house. Technically, Self Sign SSL Certificate means a certificate, which is signed by the same individual whose identity it certifies. It means that the private key is signed by the owner of the certificate him/herself (not by trusted Certificate Authority). A self-signed certificate is free of cost, thereby encourages website owners to secure their website. If you have a website that has limited pages and limited users, then self-sign SSL certificate can be a good option for you.

A security analyst wishes to increase the security of an FTP server. Currently, all traffic to the FTP server is unencrypted. Users connecting to the FTP server use a variety of modern FTP client software. The security analyst wants to keep the same port and protocol, while also still allowing unencrypted connections. Which of the following would BEST accomplish these goals? 1. Use explicit FTPS for connections. 2. Require the SFTP protocol to connect to the file server. 3. Use SSH tunneling to encrypt the FTP traffic. 4. Use implicit TLS on the FTP server.

1. Use explicit FTPS for connections. When an FTPS client is operating in "explicit" mode, the client itself is supposed to request certain security-related information from the server that it is communicating with before a file transfer can begin. When a connection is first established, the client itself will request certain encryption information that should be in place on the server level. Encryption more or less "scrambles" information while in transit, making sure that even if data is intercepted it will still not be accessible to someone without the appropriate key. With explicit mode, one of two things can happen if the client itself is not set up to make this security request: the server can either allow the client program to continue to operate in a natively insecure fashion (i.e. standard FTP), or the connection can be refused until security-related adjustments are made. Explicit mode essentially gives you options regarding how, where and why your files can be transferred at any given time. Thankfully, FTP Today offers site administrators the ability to require and enforce the use of explicit FTPS on port 21 and to deny the use of FTP on that same standard port. FTPS (Explicit) - tcp port 21 (command) + passive ports (data) - This was added to FTP to all the client to negotiate encryption for the FTP communication. FTPS(E) functions the same as FTP except it negotiates an SSL or TLS connection when the client asks for it, prior to authentication.

Joe, the security administrator, sees this in a vulnerability scan report: "The server 10.1.2.232 is running Apache 2.2.20 which may be vulnerable to a mod_cgi exploit." Joe verifies that the mod_cgi module is not enabled on 10.1.2.232. This message is an example of: 1. a false positive. 2. a threat. 3. a false negative. 4. a risk.

1. a false positive. When you think you have a specific vulnerability in your program but in fact, you do not it is referred to as a False Positive. Many security scanners such as Nessus scan an application (or service/daemon) and attempt to find vulnerability in it. Sometimes the signatures make mistakes and report a vulnerability that may not exist. False positive are not limited to scanners they also affect Web Application Firewalls (WAF) and NIDS/HIDS/NIPS/HIPS. These monitoring products may report an attack attempt but sometimes confuse the data it received with valid information.

A security analyst is testing both Windows and Linux systems for unauthorized DNS zone transfers within a LAN on comptia.org from example.org. Which of the following commands should the security analyst use? (Select two.) 1. dig -axfr [email protected] 2. ifconfig eth0 down ifconfig eth0 up dhclient renew 3. nslookup comptia.org set type=ANY ls-d example.org 4. nslookup comptia.org set type=MX example.org 5. ipconfig/flushDNS 6. [email protected] comptia.org

1. dig -axfr [email protected] 3. nslookup comptia.org set type=ANY ls-d example.org nslookup is a network administration command-line tool available for many computer operating systems for querying the Domain Name System (DNS) to obtain domain name or IP address mapping or for any other specific DNS record. When invoked without argument, nslookup will display the name server it uses, and enter interactive mode. At the `>' prompt, you may type any domain name it should query for. By default, it asks for class A records, those containing the IP-address relating to the domain name. You may change this type by issuing "set type=type'', where type is one of the resource record names or ANY. ls -d shows information about a symbolic link or directory, rather than about the link's target or listing the contents of a directory. A zone transfer from an external IP address is used as part of an attacker's reconnaissance phase. Usually a zone transfer is a normal operation between primary and secondary DNS servers in order to synchronize the records for a domain. This is typically not something you want to be externally accessible. If an attacker can gather all your DNS records, they can use those to select targets for exploitation. The dig command will be executed as follows to attempt the zone transfer. Dig -axfr comptia.org @example.org

A security administrator is creating a subnet on one of the corporate firewall interfaces to use as a DMZ which is expected to accommodate at most 14 physical hosts. Which of the following subnets would BEST meet the requirements? 1. 192.168.1.50 255.255.25.240 2. 192.168.0.16/28 3. 192.168.0.16 255.25.255.248 4. 192.168.2.32/27

2. 192.168.0.16/28 - IP Address: 192.168.0.16 Netmask: 255.255.255.240 Wildcard Mask: 0.0.0.15 CIDR Notation: /28 Network Address: 192.168.0.16 Usable Host Range: 192.168.0.17 - 192.168.0.30 Broadcast Address: 192.168.0.31 Binary Netmask: 11111111.11111111.11111111.11110000 Total number of hosts: 16 Number of usable hosts: 14 IP Class: C (192.0.0.0 - 223.255.255.255)

An employee uses RDP to connect back to the office network. If RDP is misconfigured, which of the following security exposures would this lead to? 1. Result in an attacker being able to phish the employee's username and password. 2. A man in the middle attack could occur, resulting the employee's username and password being captured. 3. A social engineering attack could occur, resulting in the employee's password being extracted. 4. A virus on the administrator's desktop would be able to sniff the administrator's username and password.

2. A man in the middle attack could occur, resulting the employee's username and password being captured. Microsoft Terminal Services uses the RDP (Remote Desktop Protocol). In this default configuration, an attacker could perform man-in-the-middle (MiTM) attacks to obtain the username and password, in addition to logging the keystrokes sent to the systems being managed. You will have to apply the following scenarios to your environment and come to your own conclusions on how to deploy (or not deploy) RDP as the remote access solution for your systems: Attackers able to perform a MiTM attack will steal credentials and have the ability to log keystrokes Attackers able to send packets to the RDP port (3389) can execute denial of service attacks If attackers already have, or develop, a working exploit, it would allow them to control the target system Exposed services, depending on configuration, are vulnerable to brute-force password attacks

An organization is comparing and contrasting migration from its standard desktop configuration to the newest version of the platform. Before this can happen, the Chief Information Security Officer (CISO) voices the need to evaluate the functionality of the newer desktop platform to ensure interoperability with existing software in use by the organization. In which of the following principles of architecture and design is the CISO engaging? 1. Waterfalling 2. Change management 3. Dynamic analysis 4. Baselining

2. Change Management The goal of the change management process is to ensure that standardized methods and procedures are used for efficient and prompt handling of all changes, in order to minimize the impact of change-related incidents upon service quality, and consequently improve the day-to-day operations of the organization.

A new mobile application is being developed in-house. Security reviews did not pick up any major flaws, however vulnerability scanning results show fundamental issues at the very end of the project cycle. Which of the following security activities should also have been performed to discover vulnerabilities earlier in the lifecycle? 1. Architecture review 2. Code review 3. Risk assessment 4. Protocol Analysis

2. Code review Code review is systematic examination (sometimes referred to as peer review) of computer source code. It is intended to find mistakes overlooked in the initial development phase, improving the overall quality of software.

A security administrator returning from a short vacation receives an account lock-out message when attempting to log into the computer. After getting the account unlocked the security administrator immediately notices a large amount of email alerts pertaining to several different user accounts being locked out during the past three days. The security administrator uses system logs to determine that the lock-outs were due to a brute force attack on all accounts that has been previously logged into that machine. Which of the following can be implemented to reduce the likelihood of this attack going undetected? 1. Account lockout policies 2. Continuous monitoring 3. User access reviews 4. Password complexity rules

2. Continuous monitoring Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization's financial and operational environment. The financial and operational environment consists of people, processes, and systems working together to support efficient and effective operations. Continuous monitoring is one part of a six-step process in the NIST Risk Management Framework (RMF), from NIST publication 800-53. Continuous monitoring is an essential step for organizations to identify and measure the security implications for planned and unexpected changes to hardware, software, and firmware and to assess vulnerabilities in a dynamic threat space.

An organization has hired a penetration tester to test the security of its ten web servers. The penetration tester is able to gain rooUadministrative access in several servers by exploiting vulnerabilities associated with the implementation of SMTP, POP, DNS, FTP, Telnet, and IMAP. Which of the following recommendations should the penetration tester provide to the organization to better protect their web servers in the future? 1. Use a honeypot 2. Disable unnecessary services 3. Implement transport layer security 4. Increase application event logging

2. Disable unnecessary services Close the ports and disable the services and protocols that are not needed. This should be done on both the server side and the client side. Any services or protocols that do not have a business need are unnecessary and must be disabled.

A network administrator wants to ensure that users do not connect any unauthorized devices to the company network. Each desk needs to connect a VoIP phone and computer. Which of the following is the BEST way to accomplish this? 1. Enable and configure port channels 2. Enforce authentication for network devices 3. Configure the phones on one VLAN, and computers on another 4. Make users sign an Acceptable use Agreement

2. Enforce authentication for network devices The best cyber security comes in layers, making it difficult or frustrating for an intruder to fight through each line of defense to break into the network and gain access to data. One of the front-line defenses should be network access control (NAC) and its ability to restrict network access to devices and users that are authorized and authenticated. The emphasis of NAC is the access control - who or what has authorized permission to access the network. This includes both users and devices. The NAC network intercepts the connection requests, which are then authenticated against a designated identity and access management system. Access is either accepted or denied based on a pre-determined set of parameters and policies that are programmed into the system.

An administrator is testing the collision resistance of different hashing algorithms. Which of the following is the strongest collision resistance test? 1. Find a common hash between two specific messages 2. Find two identical messages with different hashes 3. Find two identical messages with the same hash 4. Find a common hash between a specific message and a random message

2. Find two identical messages with different hashes - Collision resistance is a property of cryptographic hash functions. A hash function is collision resistant if it is hard to find two inputs that hash to the same output. Cryptographic hash functions are usually designed to be collision resistant. Strong and weak collision resistance are not the same even though they seem similar, there is a subtle difference between strong and weak collision resistance. Weak collision resistance is bound to a particular input, whereas strong collision resistance applies to any two arbitrary inputs.

A mobile device user is concerned about geographic positioning information being included in messages sent between users on a popular social network platform. The user turns off the functionality in the application, but wants to ensure the application cannot re-enable the setting without the knowledge of the user. Which of the following mobile device capabilities should the user disable to achieve the stated goal? 1. Location based services 2. GEO-Tagging 3. Application control 4. Device access control

2. GEO-Tagging Geotagging is the addition of geographical information, usually in the form of latitude and longitude coordinates, to Web sites, images, videos, smartphone transmissions, and various other data types and sources. Sometimes geotagging includes place names such as street addresses, towns, postal zip codes, or telephone area codes. Less often, altitude data may be given as well.

An administrator thinks the UNIX systems may be compromised, but a review of system log files provides no useful information. After discussing the situation with the security team, the administrator suspects that the attacker may be altering the log files and removing evidence of intrusion activity. Which of the following actions will help detect attacker attempts to further alter log files? 1. Set the bash_history log file to "read only" 2. Implement remote syslog 3. Enable verbose system logging 4. Change the permissions on the user's home directory

2. Implement remote syslog Syslog is used on a variety of server/devices to give system information to the system administrator. Syslog is a standard for computer data logging. It allows separation of the software that generates messages from the system that stores them and the software that reports and analyzes them. Syslog can be used for computer system management and security auditing as well as generalized informational, analysis, and debugging messages. It is supported by a wide variety of devices (like printers and routers) and receivers across multiple platforms. Because of this, syslog can be used to integrate log data from many different types of systems into a central repository. If you have your routers, firewalls, switches, Linux servers and/or other hardware pointing to a secured centralized syslog server, when someone does attempt to attack one of the above devices log files can be safely off-site in a secure location. If syslog files are kept on the device this gives an attacker the ability to clean up their tracks.

Technicians working with servers hosted at the company's datacenter are increasingly complaining of electric shocks when touching metal items which have been linked to hard drive failures. Which of the following should be implemented to correct this issue? 1. Utilize better hot/cold aisle configurations 2. Increase humidity in the room 3. Decrease the room temperature 4. Implement EMI shielding

2. Increase humidity in the room Monitoring humidity is equally important than temperature and often omitted. Did you know that the relative humidity (rH) in server rooms and data centers should be between 40% and 60% rH. In addition, dry will result in the buildup of static electricity on the systems. Too humid and corrosion will start slowly damaging your equipment resulting in permanent equipment failures.

Which of the following precautions MINIMIZES the risk from network attacks directed at multifunction printers, as well as the impact on functionality at the same time? 1. Installing a software-based IPS on all devices 2. Isolating the systems using VLANs 3. Enabling full disk encryption 4. Implementing a unique user PIN access functions

2. Isolating the systems using VLANs

Which of the following is the LEAST secure hashing algorithm? 1. SHA1 2. MD5 3. DES 4. RIPEMD

2. MD5 - The MD5 hash function was originally designed for use as a secure cryptographic hash algorithm for authenticating digital signatures. MD5 has been deprecated for uses other than as a non-cryptographic checksum to verify data integrity and detect unintentional data corruption.

A security engineer is configuring a wireless network that must support mutual authentication of the wireless client and the authentication server before users provide credentials. The wireless network must also support authentication with usernames and passwords. Which of the following authentication protocols MUST the security engineer select? 1. EAP 2. PEAP 3. EAP-TLS 4. EAP-FAST

2. PEAP The Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP, is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security {TLS) tunnel. PEAP provides a transport layer security structure where it is needed within EAP. It uses a public-key encryption certificate for this purpose. Server-side public-key certificates authenticate servers. The use of dedicated keys is part of an elaborate security authentication model for these kinds of network traffic setups. PEAP also involves subtypes for specific security protocols WPA and WPA2.

While performing a penetration test, the technicians want their efforts to go unnoticed for as long as possible while they gather useful data about the network they are assessing. Which of the following would be the BEST choice for the technicians? 1. Banner Grabbing 2. Packet sniffer 3. Offline password cracker 4. Vulnerability scanner

2. Packet sniffer Penetration testing allows the pinpointing of vulnerabilities on a network and provides identification of suspicious packets moving across the network. Being able to Identify routine network traffic is also valuable because it provides a look at how a normal network environment operates, making it easier to identify anomalies and vulnerabilities. During packet capture using a packet sniffer, a data packet that is moving over a computer network is intercepted. After the packet is captured, it is analyzed to diagnose and solve any problems - most likely security problems - that exist on the network.

When performing data acquisition on a workstation, which of the following should be captured based on memory volatility? (Select two.) 1. USB-attached hard disk 2. RAM 3. Mounted network storage 4. ROM 5. Swap/pagefile

2. RAM 5. Swap/pagefile Order of volatility of digital evidence 1.CPU, cache and register content 2.Routing table, ARP cache, process table, kernel statistics 3.Memory (RAM) 4.Temporary file system I swap space 5.Data on hard disk 6.Remotely logged data 7.Data contained on archival media

An organization has determined it can tolerate a maximum of three hours of downtime. Which of the following has been specified? 1. MTBF 2. RTO 3. RPO 4. MTTR

2. RTO The recovery time objective (RTO) is the targeted duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.

An information security analyst needs to work with an employee who can answer questions about how data for a specific system is used in the business. The analyst should seek out an employee who has the role of: 1. steward 2. owner 3. privacy officer 4. systems administrator

2. owner Data ownership is the act of having legal rights and complete control over a single piece or set of data elements. It defines and provides information about the rightful owner of data assets and the acquisition, use and distribution policy implemented by the data owner.

When generating a request for a new x.509 certificate for securing a website, which of the following is the MOST appropriate hashing algorithm? 1. MD5 2. SHA 3. HMAC 4. RC4

2. SHA - : In public key infrastructure (PKI) systems, a certificate-signing request (CSR) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. It usually contains the public key for which the certificate should be issued, identifying information (such as a domain name) and integrity protection (e.g., a digital signature). The most common format for CSRs is the Public Key Cryptography Standard (PKCS #10) specification. Before creating a CSR, the applicant first generates a key pair, keeping the private key secret. The CSR contains information identifying the applicant (such as a distinguished name in the case of an X.509 certificate) which must be signed using the applicant's private key. The CSR also contains the public key chosen by the applicant. The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority, and the certificate authority may contact the applicant for further information. When it comes to enrolling for a SSL/TLS server certificate from a CA there comes, standards set by the CA Forum and Various RFC's from the IETF (Internet Engineering Task Force). Some of these standards include not accepting or issuing certificate with anything less than 2048 bits and no SHA1/MD5 Algorithms. As of now, you should be generating your CSR using SHA-2 instead of the default SHA-1 hash.

In an effort to reduce data storage requirements, some company devices need to hash every file and eliminate duplicates. The data processing routines are time sensitive so the hashing algorithm is fast and supported on a wide range of systems. Which of the following algorithms is BEST suited for this purpose? 1. AES 2. SHA 3. MD5 4. RIPEMD

2. SHA - Within the family of secure hash algorithms, there are several instances of these tools that were set up to facilitate better digital security. The first one, SHA-0, was developed in 1993. Like its successor, SHA-1, SHA-0 features 16-bit hashing. The next secure hash algorithm, SHA-2, involves a set of two functions with 256-bit and 512-bit technologies, respectively. There is also a top-level secure hash algorithm known as SHA-3 or "Keccak" that developed from a crowd-sourcing contest to see who could design another new algorithm for cybersecurity. All of these secure hash algorithms are part of new encryption standards to keep sensitive data safe and prevent different types of attacks. Although some of these were developed by agencies like the National Security Agency, and some by independent developers, all of them are related to the general functions of hash encryption that shields data in certain database and network scenarios, helping to evolve cybersecurity in the digital age.

During a third-party audit, it is determined that a member of the firewall team can request, approve, and implement a new rule-set on the firewall. Which of the following will the audit team most likely recommend during the audit out brief? 1. Least privilege for the firewall team 2. Separation of duties policy for the firewall team 3. Mandatory access control for the firewall team 4. Discretionary access control for the firewall team

2. Separation of duties policy for the firewall team Separation of duties (is a key concept of internal controls and is the most difficult and sometimes the most costly one to achieve. This objective is achieved by disseminating the tasks and associated privileges for a specific security process among multiple people.

Although a web enabled application appears to only allow letters in the comment field of a web form, malicious user was able to carry a SQL injection attack by sending special characters through the web comment field. Which of the following has the application programmer failed to implement? 1. Revision control system 2. Server side validation 3. Server hardening 4. Client side exception handling

2. Server side validation Validations can be performed on the server side or on the client side (web browser). The user input validation take place on the Server Side during a post back session is called Server Side Validation and the user input validation take place on the Client Side (web browser) is called Client Side Validation. Client Side Validation does not require a post back. If the user request requires server resources to validate the user input, you should use Server Side Validation. If the user request does not require any server resources to validate the input, you can use Client Side Validation. In the Server Side Validation, the input submitted by the user is being sent to the server and validated using one of server side scripting languages such as ASP.Net, PHP etc. After the validation process on the Server Side, the feedback is sent back to the client by a new dynamically generated web page. It is better to validate user input on Server Side because you can protect against the malicious users, who can easily bypass your Client Side scripting language and submit dangerous input to the server.

Which of the following can be used to control specific commands that can be executed on a network infrastructure device? 1. Kerberos 2. TACACS+ 3. SAML 4. LDAP

2. TACACS+ Terminal Access Controller Access Control System (TACACS) is a security protocol that provides centralized validation of users who are attempting to gain access to a router or network access servers (NAS). TACACS+, a more recent version of the original TACACS protocol, provides separate authentication, authorization, and accounting (AAA) services.

Which of the following is the GREATEST risk to a company by allowing employees to physically bring their personal smartphones to work? 1. Company cannot automate patch management on personally-owned devices. 2. Taking pictures of proprietary information and equipment in restricted areas. 3. Increases the attack surface by having more target devices on the company's campus 4. Installing soft token software to connect to the company's wireless network.

2. Taking pictures of proprietary information and equipment in restricted areas. The biggest reason why businesses are weary of implementing a BYOD strategy is that it can potentially leave the company's system vulnerable to data breaches. Personal devices are not part of your business's IT infrastructure, which means that these devices are not protected by company firewalls and systems. There is also a chance that an employee will take work with them or use the camera to take pictures of proprietary information where they are not using the same encrypted servers that your company is using, leaving your system vulnerable to inherent security risks.

The computer resource center issued smartphones to all first-level and above managers. The managers have the ability to install mobile tools. Which of the following tools should be implemented to control the types of tools the managers install? 1. Segmentation manager 2. Download manager 3. Application manager 4. Content manager

3. Application manager An application manager (app manager) is programming for overseeing the installation, patching and updating and perhaps access of software applications. An application manager can be used to monitor a software application's performance and alert administrators if there is a problem.

Which of the following types of cloud infrastructures would allow several organizations with similar structures and interests to realize the benefits of shared storage and resources? 1. Public 2. Hybrid 3. Community 4. Private

3. Community A community cloud in computing is a collaborative effort in which infrastructure is shared between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third-party and hosted internally or externally. This is controlled and used by a group of organizations that have shared interest. The costs are spread over fewer users than a public cloud (but more than a private cloud), so only some of the cost savings potential of cloud computing are realized.

To reduce disk consumption, an organization's legal department has recently approved a new policy setting the data retention period for sent email at six months. Which of the following is the BEST way to ensure this goal is met? 1. Migrate the relevant emails into an "Archived" folder. 2. Implement automatic disk compression on email servers. 3. Create a daily encrypted backup of the relevant emails. 4. Configure the email server to delete the relevant e-mails

3. Create a daily encrypted backup of the relevant emails. It's a crucial practice to encrypt backups properly. This means two things: a good encryption algorithm and then proper key management. All data at rest must be encrypted. With virtualized storage, data in motion between the servers and appliances also needs encrypting. That's because man-in-the-middle attacks in the virtualized model should be expected. Best practice, then, is to encrypt at source the data that you are storing, and make sure you encrypt backups.

After a routine audit, a company discovers that engineering documents have been leaving the network on a particular port. The company must allow outbound traffic on this port, as it has a legitimate business use. Blocking the port would cause an outage. Which of the following technology controls should the company implement? 1. ACL 2. NAC 3. DLP 4. Web proxy

3. DLP Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer.

An organization wants to conduct secure transactions of large data files. Before encrypting and exchanging the data files, the organization wants to ensure a secure exchange of keys. Which of the following algorithms is appropriate for securing the key exchange? 1. DES 2. 3DES 3. Diffie-Hellman 4. DSA 5. Blowfish

3. Diffie-Hellman - The Diffie-Hellmann key exchange is a secure method for exchanging cryptographic keys. This method allows two parties, which have no prior knowledge of each other to establish a shared, secret key, even over an insecure channel. The key exchange was invented by Whitfield Diffie and Martin Hellmann in 1976 as the first practical method for establishing a shared secret code over an open communications channel. The general idea of the Diffie-Hellmann key exchange involves two parties exchanging numbers and doing simple calculations in order to get a common number, which serves as the secret key. Both parties may not know beforehand what the final secret number is, but after some calculations, both are left with a value that only they know about which they can use for various purposes like identification and as a secret key for other cryptographic methods.

An organization is trying to decide which type of access control is most appropriate for the network. The current access control approach is too complex and requires significant overhead. Management would like to simplify the access control and provide user with the ability to determine what permissions should be applied to files, document, and directories. The access control method that BEST satisfies these objectives is: 1. Role-based access control 2. Rule-based access control 3. Discretionary access control 4. Mandatory access control

3. Discretionary access control A means of restricting access to objects (e.g., files, data entities) based on the identity and need-to-know of subjects (e.g., users, processes) and/or groups to which the object belongs. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control).

A penetration tester finds that a company's login credentials for the email client were client being sent in clear text. Which of the following should be done to provide encrypted logins to the email server? 1. Enable IPSec and configure SMTP. 2. Enable SSH and LDAP credentials. 3. Enable an SSL certificate for IMAP services. 4. Enable MIME services and POP3.

3. Enable an SSL certificate for IMAP services. In computing, the Internet Message Access Protocol (IMAP) is an Internet standard protocol used by e-mail clients to retrieve e-mail messages from a mail server over a TCP/IP connection. IMAP was designed with the goal of permitting complete management of an email box by multiple email clients, therefore clients generally leave messages on the server until the user explicitly deletes them. An IMAP server typically listens on port number 143. IMAP over SSL (IMAPS) is assigned the port number 993.

Due to regulatory requirements, a security analyst must implement full drive encryption on a Windows file server. Which of the following should the analyst implement on the system to BEST meet this requirement? (Choose two.) 1. Enable and configure EFS on the file system. 2. Ensure the hardware supports VT-X, and enable it in the BIOS. 3. Ensure the hardware supports TPM, and enable it in the BIOS. 4. Enable and configure Bitlocker on the drives.

3. Ensure the hardware supports TPM, and enable it in the BIOS. 4. Enable and configure Bitlocker on the drives. With this sealed key and software, such as Bitlocker Drive Encryption, you can implement full disk encryption on data until specific hardware or software conditions are met Computers that incorporate a TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called wrapping or binding a key, can help protect the key from disclosure. Each TPM has a master wrapping key, called the storage root key, which is stored within the TPM itself. The private portion of a storage root key or endorsement key that is created in a TPM is never exposed to any other component, software, process, or user.

A global gaming console manufacturer is launching a new gaming platform to its customers. Which of the following controls reduces the risk created by malicious gaming customers attempting to circumvent control by way of modifying consoles? (Select TWO) 1. Vulnerability scanning 2. Application firewalls 3. Firmware version control 4. Manual software upgrades 5. Network Segmentation 6. Automatic updates

3. Firmware version control 6. Automatic updates Version control systems are a category of software tools that help a software team manage changes to source code over time. Version control software keeps track of every modification to the code in a special kind of database. If a mistake is made, developers can turn back the clock and compare earlier versions of the code to help fix the mistake while minimizing disruption to all team members. The system software updates may sometimes update the system's firmware, but this is not common for most updates.

While reviewing the monthly internet usage it is noted that there is a large spike in traffic classified as "unknown" and does not appear to be within the bounds of the organizations Acceptable Use Policy. Which of the following tool or technology would work BEST for obtaining more information on this traffic? 1. Increased spam filtering 2. Firewall logs 3. IDS logs 4. Protocol analyzer

3. IDS logs An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any malicious activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources, and uses alarm-filtering techniques to distinguish malicious activity from false alarms. Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are among the most sophisticated network security devices in use today. They inspect network packets and block suspicious ones, as well as alert administrators about attack attempts. These systems' logs contain valuable network threat information about attack types, devices being targeted, and more. You should monitor these logs and extract the information they provide in order to keep your network secure.

A security administrator suspects a MITM attack aimed at impersonating the default gateway is underway. Which of the following tools should the administrator use to detect this attack? (Select two.) 1. Dig 2. Netstat 3. Ipconfig 4. Tracert 5. Nslookup 6. Ping

3. Ipconfig 4. Tracert In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One of the classic hacks is the Man in the Middle attack. In this attack, the hacker places themselves between the client and the server and thereby has access to all the traffic between the two. In general, when an attacker wants to place themselves between a client and server, they will need to spoof the ARP of the two systems. This is not the only method to conduct an MiTM attack, but it is probably the most common on Local Area Network (LAN). We can use simple commands like ipconfig and tracert to help in detection of the packets used in the attack.

A user has attempted to access data at a higher classification level than the user's account is currently authorized to access. Which of the following access control models has been applied to this user's account? 1. ABAC 2. DAC 3. MAC 4. RBAC

3. MAC The correct answer is MAC. Each user account on the system also has classification and category properties from the same set of properties applied to the resource objects. When a user attempts to access a resource under Mandatory Access Control the operating system checks the user's classification and categories and compares them to the properties of the object's security label. If the user's credentials match the MAC security label properties of the object access is allowed.

A company is currently using the following configuration: IAS server with certificate-based EAP-PEAP and MSCHAP Unencrypted authentication via PAP A security administrator needs to configure a new wireless setup with the following configurations: PAP authentication method PEAP and EAP provide two-factor authentication Which of the following forms of authentication are being used? (Select two.) 1. PEAP- MSCHAP 2. EAP 3. MSCHAP 4. EAP-PEAP 5. PAP 6. PEAP

3. MSCHAP 5. PAP

Which of the following would enhance the security of accessing data stored in the cloud? (Select TWO) 1. Predefined challenge questions 2. block level encryption 3. Multifactor authentication 4. Hashing 5. Transport encryption 6. SAML authentication

3. Multifactor authentication 6. SAML authentication Implementing multifactor authentication provides basic authentication for cloud organization members. By enabling multifactor authentication, cloud administrators limit the likelihood that a member's cloud account could be compromised. To add additional authentication measures, cloud administrators can also enable SAML single sign-on (SSO) so that organization members must use single sign-on to access an organization. If both multifactor authentication and SAML SSO are enabled, organization members must do the following: • Use multifactor authentication to log in to their cloud account • Use single sign-on to access the cloud • Use an authorized token for API or cloud provider access and use single sign-on to authorize the token

A software development company needs to share information between two remote servers, using encryption to protect it. A programmer suggests developing a new encryption protocol, arguing that using an unknown protocol with secure, existing cryptographic algorithm libraries will provide strong encryption without being susceptible to attacks on other known protocols. Which of the following summarizes the BEST response to the programmer's proposal? 1. The obscurity value of unproven protocols against attacks often outweighs the potential for introducing new vulnerabilities. 2. The newly developed protocol will only be as secure as the underlying cryptographic algorithms used. 3. New protocols often introduce unexpected vulnerabilities, even when developed with otherwise secure and tested algorithm libraries. 4. A programmer should have specialized training in protocol development before attempting to design a new encryption protocol.

3. New protocols often introduce unexpected vulnerabilities, even when developed with otherwise secure and tested algorithm libraries. - Vulnerability is a weakness in a system that can be exploited to negatively affect confidentiality, integrity, and/or availability. Vulnerabilities can be categorized in many ways. No system is 100% secure every system has vulnerabilities. At any given time, a system may not have any known software flaws, but security configuration issues, encryption protocols and software feature misuse vulnerabilities are always present. Misuse vulnerabilities are inherent in software features because each feature must be based on trust assumptions—and those assumptions can be broken, albeit involving significant cost and effort in some cases. Security and encryption configuration issues are also unavoidable for two reasons. First, many configuration settings increase security at the expense of reducing functionality, so using the most secure settings could make the software useless or unusable. Second, many security settings have both positive and negative consequences for security. An example is the number of consecutive failed authentication attempts to permit before locking out a user account. Setting this to 1 would be the most secure setting against password guessing attacks, but it would also cause legitimate users to be locked out after mistyping a password once, and it would also permit attackers to perform denial-of-service attacks against users more easily by generating a single failed login attempt for each user account.

A system administrator wants to implement an internal communication system that will allow employees to send encrypted messages to each other. The system must also support non- repudiation. Which of the following implements all these requirements? 1. Blowfish 2. SHA 3. PGP 4. Bcrypt

3. PGP Pretty Good Privacy (PGP) is a methodology used for encrypting and decrypting digital files and communications over the Internet. It was released with the BassOmatic symmetric key algorithm but later replaced by the International Data Encryption Algorithm (IDEA) to circumvent certain BassOmatic flaws. Created by Phil Zimmerman in 1991, PGP was initially designed for email security. PGP works on the public key cryptography mechanism, where users encrypt and decrypt data using their respective public and private keys. PGP uses a symmetric encryption key to encrypt messages, and a public key is used with each sent and received message. First, the receiver must use its private key to decrypt the key and then decrypt the message through the decrypted symmetric key. PGP also provides data/file integrity services by digitally signing messages, allowing receivers to learn whether or not message confidentiality is compromised. PGP is also used to

A network technician is setting up a segmented network that will utilize a separate ISP to provide wireless access to the public area for a company. Which of the following wireless security methods should the technician implement to provide basic accountability for access to the public network? 1. Wi-Fi Protected setup 2. Pre-shared key 3. Enterprise 4. Captive portal

4. Captive portal A captive portal is a Web page that the user of a public-access network is obliged to view and interact with before access is granted. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hot spots for Internet users. The captive portal feature is a software implementation that blocks clients from accessing the network until user verification has been established. You can set up verification to allow access for both guests and authenticated users. Authenticated users must be validated against a database of authorized captive portal users before access is granted.

A security analyst wants to harden the company's VoIP PBX. The analyst is worried that credentials may be intercepted and compromised when IP phones authenticate with the PBX. Which of the following would best prevent this from occurring? 1. Place the phones and PBX in their own VLAN. 2. Implement SRTP between the phones and the PBX. 3. Require SIPS on connections to the PBX . 4. Restrict the phone connections to the PBX.

3. Require SIPS on connections to the PBX . In Voice over IP telephony, two standard protocols are used. SIP (Session Initiation Protocol port 5060) creates the connection from peer to peer (e.g. phone to phone or phone to phone system). Let's say it sets the switches for the audio stream. Once the connection is established, the RTP (Real time Transport Protocol) is used to transport the audio or video data. A big security issue of standard SIP/RTP connections is that SIP messages and RTP streams can be intercepted and read/listened to by everyone with basic network technology knowledge. Due to this, it is recommended to use plain SIP/RTP only in local area networks (LAN) and not via the public internet. To overcome the security flaws of SIP and RTP and safely make secure calls via the internet, encrypted versions of both protocols have been developed. SIPS (port 5061 ), which stands for SIP Secure, is SIP, extended with TLS (Transport Layer Security). With this TLS, a secure connection between IP PBX and VoIP telephone can be established using a handshake approach. SRTP encodes the voice into encrypted IP packages and transport those via the internet from the transmitter (IP phone system) to the receiver (IP phone or softphone), once SIPS has initiated a secure connection. To allow the receiver to decrypt the packages, a key is sent via SIPS, while the connection is initiated in the previous step.

Which of the following cryptographic algorithms is irreversible? 1. DES 2. RC4 3. SHA-256 4. AES

3. SHA-256 - A cryptographic hash function is a special class of hash function that has certain properties which make it suitable for use in cryptography. It is a mathematical algorithm that maps data of arbitrary size to a bit string of a fixed size (a hash) and is designed to be a one-way function, that is, a function which is infeasible to invert.

An organization's primary datacenter is experiencing a two-day outage due to an HVAC malfunction. The node located in the datacenter has lost power and is no longer operational, impacting the ability of all users to connect to the alternate datacenter. Which of the following BIA concepts BEST represents the risk described in this scenario? 1. MTBF 2. RTO 3. SPoF 4. MTTR

3. SPoF A single point of failure (SPoF) is a potential risk posed by a flaw in the design, implementation or configuration of a circuit or system in which one fault or malfunction causes an entire system to stop operating

A security administrator needs to implement a system that detects possible intrusions based upon a vendor provided list. Which of the following BEST describes this type of IDS? 1. Behavior-based 2. Heuristic 3. Signature based 4. Anomaly-based

3. Signature based Most intrusion detection systems (IDS) are what are known as signature-based. This means that they operate in much the same way as a virus scanner, by searching for a known identity- or signature - for each specific intrusion event. In addition, while signature-based IDS is very efficient at sniffing out known signatures of attack it does just like anti-virus software depend on receiving regular signature updates in order to keep in touch with variations in hacker technique. In other words, signature-based IDS are only as good as its database of stored signatures.

A security analyst is working on a project that requires the implementation of a stream cipher. Which of the following should the analyst use? 1. Elliptic curve 2. Hash function 3. Symmetric algorithm 4. Public key cryptography

3. Symmetric algorithm - Secure file transfer protocols generally employ a combination of symmetric and asymmetric encryption to preserve the confidentiality of data while in transit. Symmetric key encryption is a type of encryption that makes use of a single key for both the encryption and decryption process. A stream cipher is an encryption algorithm that encrypts 1 bit or byte of plaintext at a time. It uses an infinite stream of pseudorandom bits as the key. For a stream cipher implementation to remain secure, its pseudorandom generator should be unpredictable and the key should never be reused. Stream ciphers are designed to approximate an idealized cipher, known as the One-Time Pad. The One-Time Pad, which is supposed to employ a purely random key, can potentially achieve "perfect secrecy". That is, it is supposed to be fully immune to brute force attacks. The problem with the one-time pad is that, in order to create such a cipher, its key should be as long as or even longer than the plaintext. In other words, if you have 500-Megabyte video file that you would like to encrypt, you would need a key that is at least 4 Gigabits long. Clearly, while Top Secret information or matters of national security may warrant the use of a one-time pad, such a cipher would just be too impractical for day-to-day public use. The key of a stream cipher is no longer as long as the original message. Hence, it can no longer guarantee "perfect secrecy". However, it can still achieve a strong level of security.

A security administrator is configuring a new network segment, which contains devices that will be accessed by external users, such as web and FTP server. Which of the following represents the MOST secure way to configure the new network segment? 1. The segment should be placed in the existing internal VLAN to allow internal traffic only. 2. The segment should be placed on an extranet, and the firewall rules should be configured to allow both internal and external traffic. 3. The segment should be placed on a separate VLAN, and the firewall rules should be configured to allow external traffic.

3. The segment should be placed on a separate VLAN, and the firewall rules should be configured to allow external traffic. A network segment is a portion of a computer network that is separated from the rest of the network by a device such as a repeater, hub, bridge, switch or router. Each segment can contain one or multiple computers or other hosts. The type of segmentation differs according to the type of device used. Firewall and VLANs provide a route to partition the network into smaller zones, assuming you have defined and are enforcing a ruleset which controls the communication paths. A sound security policy entails segmenting the network into multiple zones with varying security requirements and enforcing a rigorous policy of what is allowed to move from zone to zone.

A consultant has been tasked to assess a client's network. The client reports frequent network outages. Upon viewing the spanning tree configuration, the consultant notices that an old and slow performing edge switch on the network has been elected to be the root bridge. Which of the following explains this scenario? 1. The switch has spanning tree loop protection enabled 2. The switch has the fastest uplink port 3. The switch has the lowest MAC address 4. The switch also serves as the DHCP server

3. The switch has the lowest MAC address - In STP all switches send BPDUs (Bridge Protocol Data Unit) which contain a priority and the BID (Bridge ID). The BID is 8 bytes long. 6 bytes is used for the MAC address of the bridge. 12 bits is used to indicate the VLAN, this is called extended system ID. 4 bits are used to set the priority. Lower priority means it is preferred compared to a higher. The priority is set in multiples of 4096. If there is a tie in priority then the lowest MAC address will determine which bridge becomes the root. The Root bridge (switch) is a special bridge at the top of the Spanning Tree (inverted tree). The branches (Ethernet connections) are then branched out from the root switch, connecting to other switches in the Local Area Network (LAN). All Bridges (Switches) are assigned a numerical value called bridge priority. A loop-free network in spanning-tree topologies is supported through the exchange of a special type of frame called bridge protocol data unit (BPDU). Peer STP applications running on the switch interfaces use BPDUs to communicate. Ultimately, the exchange of BPDUs determines which interfaces block traffic (preventing loops) and which interfaces become root ports and forward traffic. However, a blocking interface can transition to the forwarding state in error if the interface stops receiving BPDUs from its designated port on the segment. Such a transition error can occur when there is a hardware error on the switch or software configuration error between the switch and its neighbor. When loop protection is enabled, the spanning-tree topology detects root ports and blocked ports and makes sure both keep receiving BPDUs. If a loop-protection-enabled interface stops receiving BPDUs from its designated port, it reacts as it would react to a problem with the physical connection on this interface. It does not transition the interface to a forwarding state, but instead transitions it to a loop-inconsistent state. The interface recovers and then it transitions back to the spanning-tree blocking state as soon as it receives a BPDU.

Six months into development, the core team assigned to implement a new internal piece of software must convene to discuss a new requirement with the stake holders. A stakeholder identified a missing feature critical to the organization, which must be implemented. The team needs to validate the feasibility of the newly introduced requirement and ensure it does not introduce new vulnerabilities to the software and other applications that will integrate with it. Which of the following BEST describes the current software development phase? 1. The system design phase of the SDLC 2. The system integration phase of the SDLC 3. The system analysis phase of SDLC 4. The system development phase of the SDLC

3. The system analysis phase of SDLC A systems development life cycle (SDLC) is composed of a number of clearly defined and distinct work phases, which are used by systems engineers, and systems developers to plan for, design, build, test, and deliver information systems.

A help desk is troubleshooting user reports that the corporate website is presenting untrusted certificate errors to employees and customers when they visit the website. Which of the following is the MOST likely cause of this error, provided the certificate has not expired? 1. The root CA has revoked the certificate of the intermediate CA 2. The certificate was self signed, and the CA was not imported by employees or customers 3. The valid period for the certificate has passed, and a new certificate has not been issued 4. The key escrow server has blocked the certificate from being validated

3. The valid period for the certificate has passed, and a new certificate has not been issued - The following warnings are presented by web browsers when you access a site that has a security certificate installed (for SSL/TLS data encryption) that cannot be verified by the browser. "The security certificate presented by this website was not issued by a trusted certificate authority." "www.example.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown." or "www.example.com uses an invalid security certificate. The certificate is not trusted because it is self-signed." Browsers are made with a built-in list of trusted certificate providers. For some sites, the certificate provider is not on that list. If this is the case, the browser will warn you that the Certificate Authority (CA) who issued the certificate is not trusted. This issue can also occur if the site has a self-signed certificate. While this warning is generic for Internet Explorer, Firefox will distinguish between a certificate issued by the server itself (a self-signed certificate) and another type of untrusted certificate. If you certificate is no longer valid, you must renew your certificate.

Which of the following are the MAIN reasons why a systems administrator would install security patches in a staging environment before the patches are applied to the production server? (Select two.) 1. To verify the appropriate patch is being installed 2. To ensure users are trained on new functionality 3. To allow users to test functionality 4. To prevent server availability issues 5. To generate a new baseline hash after patching

3. To allow users to test functionality 4. To prevent server availability issues A sandbox is a testing environment that isolates untested code changes and outright experimentation from the production environment or repository, in the context of software development including Web development and revision control. A stage or staging environment is an environment for testing that exactly resembles the production environment. For example, in most software development organizations, there are multiple environments for development coding and QA testing on the way to a production release.

A technician needs to implement a system which will properly authenticate users by their username and password only when the users are logging in from a computer in the office building. Any attempt to authenticate from a location other than the office building should be rejected. Which of the following MUST the technician implement? 1. Single factor authentication 2. Biometric authentication 3. Transitive authentication 4. Dual factor authentication

3. Transitive authentication The phrase transitive authentication means that the client authenticates once, and when he requests subsequent services, the servers are aware of and believe in the prior authentication. Generally the initial authentication takes work; at the very least it requires typing a password, showing biometric data, or insertion of a possession key. Users greatly resist authentication if it is frequent, and several services do not work at all unless the user can authenticate to them transitively. Transitive trust is a two-way relationship automatically created between parent and child domains in a Microsoft Active Directory forest. When a new domain is created, it shares resources with its parent domain by default, enabling an authenticated user to access resources in both the child and parent. In an Active Directory transitive trust relationship, if domain A trusts domain B and domain B trusts domain C, then domain A trusts domain C.

A security analyst wishes to increase the security of an FTP server. Currently, all trails to the FTP server are unencrypted. Users connecting to the FTP server use a variety of modern FTP client software. The security analyst wants to keep the same port and protocol, while also still allowing unencrypted connections. Which of the following would BEST accomplish these goals? 1. Use implicit TLS on the FTP server. 2. Use SSH tunneling to encrypt the FTP trafic 3. Use explicit FTPS for the connections 4. Require the SFTP protocol to connect to the file server.

3. Use explicit FTPS for the connections Explicit FTPS is the newer method of FTPS transfer and has generally overtaken implicit FTPS use, with the exception of legacy systems. When explicit FTPS is used, a traditional FTP connection is established on the same standard port as FTP. Once the connection is made (before login), a secure SSL connection is established via port 21. Today, explicit FTPS (also FTPES) is supported by the majority of FTP servers since it is an approved, standard way of protecting data. With explicit FTPS, before a transfer can begin, the client will request encryption information to determine what portions of the data is protected. If the client has not set up these security requests, one of two things occurs - either the connection is declined, or the transfer is made insecurely using the basic FTP protocol. Explicit FTPS inherently provides users with flexibility regarding how files are sent. Therefore, you could choose to send data unencrypted, but protect your user credentials, or you could protect all information sent in a transfer. The client can decide how secure they want file transfers to be. The server can also disallow insecure requests, thereby forcing the client to use FTPS and not FTP.

Which of the following is an important step to take BEFORE moving any installation packages from a test environment to production? 1. Update the secure baseline 2. Roll back changes in the test environment 3. Verify the hashes of files 4. Archive and compress the files

3. Verify the hashes of files File integrity can be compromised, usually referred to as the file becoming corrupted. A file can become corrupted by a variety of ways: faulty storage media, errors in transmission, write errors during copying or moving, software bugs, and so on. Hash-based verification ensures that a file has not been corrupted by comparing the file's hash value to a previously calculated value. If these values match, the file is presumed to be unmodified. Due to the nature of hash functions, hash collisions may result in false positives, but the likelihood of collisions is often negligible with random corruption.

Which of the following attack types BEST describes a client-side attack that is used to manipulate an HTML iframe with JavaScript code via a web browser? 1. SQL injection 2. Buffer overflow 3. xss 4. MITM

3. xss An attack on this class of vulnerabilities occurs when an attacker injects malicious code into a web application in an attempt to gain access to unauthorized information. In such instances, the victim is unaware that their information is being transferred from a site that he/she trusts to another site controlled by the attacker.

A company would like to prevent the use of a known set of applications from being used on company computers. Which of the following should the security administrator implement? 1. Anti-malware 2. Application hardening 3. Disable removable media 4. Blacklisting 5. Whitelisting

4. Blacklisting A blacklist is list of items, such as usernames or IP addresses, that are denied access to a certain system or protocol. When a blacklist is used for access control, all entities are allowed access, except those listed in the blacklist. The opposite of a blacklist is a whitelist, which denies access to all items, except those included in the list.

Which of the following is the appropriate network structure used to protect servers and services that must be provided to external clients without completely eliminating access for internal users? 1. NAC 2. VLAN 3. Subnet 4. DMZ

4. DMZ In computer networks, a DMZ (demilitarized zone), also sometimes known as a perimeter network or a screened subnetwork, is a physical or logical subnet that separates an internal local area network (LAN) from other untrusted networks, usually the internet. External-facing servers, resources and services are located in the DMZ. Therefore, they are accessible from the internet, but the rest of the internal LAN remains unreachable. This provides an additional layer of security to the LAN as it restricts the ability of hackers to directly access internal servers and data via the internet. Any service provided to users on the public internet should be placed in the DMZ network. Some of the most common of these services include web servers and proxy servers, as well as servers for email, domain name system (DNS), File Transfer Protocol (FTP) and voice over IP (VoIP).

Two users need to securely share encrypted files via email. Company policy prohibits users from sharing credentials or exchanging encryption keys. Which of the following can be implemented to enable users to share encrypted data while abiding by company policies? 1. Hashing 2. Key escrow 3. Digital signatures 4. Digital Signatures

4. Digital Signatures. Digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document. The digital equivalent of a handwritten signature or stamped seal, a digital signature offers security that is far more inherent and it is intended to solve the problem of tampering and impersonation in digital communications. Digital signatures can provide the added assurances of evidence of origin, identity and status of an electronic document, transaction or message and can acknowledge informed consent by the signer.

A security administrator wants to implement a company-wide policy to empower data owners to manage and enforce access control rules on various resources. Which of the following should be implemented? 1. Mandatory access control 2. Rule-based access control 3. Ro1e based access control 4. Discretionary access control

4. Discretionary access control Discretionary access control (DAC) is a type of security access control that grants or restricts object access via an access policy determined by an object's owner group and/or subjects. DAC mechanism controls are defined by user identification with supplied credentials during authentication, such as username and password. DACs are discretionary because the subject (owner) can transfer authenticated objects or information access to other users. In other words, the owner determines object access privileges.

The availability of a system has been labeled as the highest priority. Which of the following should be focused on the MOST to ensure the objective? 1. File integrity checking 2. Full-disk encryption 3. Authentication 4. HVAC

4. HVAC Data center environmental control is a constructive generic framework for maintaining temperature, humidity, and other physical qualities of air within a specific range in order to allow the equipment housed in a data center to perform optimally throughout its lifespan.

A security administrator has been assigned to review the security posture of the standard corporate system image for virtual machines. The security administrator conducts a thorough review of the system logs, installation procedures, and network configuration of the VM image. Upon reviewing the access logs and user accounts, the security administrator determines that several accounts will not be used in production. Which of the following would correct the deficiencies? 1. Disable remote login 2. Disabling services 3. Mandatory access controls 4. Host hardening

4. Host hardening It is also a good idea to perform host hardening and restrict virtual machine data access.

A security administrator is evaluating three different services: radius, diameter, and Kerberos. Which of the following is a feature that is UNIQUE to Kerberos? 1. It provides single sign-on capability 2. It provides authentication services 3. It uses XML for cross-platform interoperability 4. It uses tickets to identify authenticated users

4. It uses tickets to identify authenticated users An authentication ticket, also known as a ticket-granting ticket (TGT), is a small amount of encrypted data that is issued by a server in the Kerberos authentication model to begin the authentication process. When the client receives an authentication ticket, the client sends the ticket back to the server along with additional information verifying the client's identity. The server then issues a service ticket and a session key (which includes a form of password), completing the authorization process for that session. In the Kerberos model, all tickets are time-stamped and have limited lifetimes. This minimizes the danger that hackers will be able to steal or crack the encrypted data and use it to compromise the system. Ideally, no authentication ticket remains valid for longer than the time an expert hacker would need to crack the encryption. Authentication tickets are session-specific, further improving the security of the system by ensuring that no authentication ticket remains valid after a given session is complete.

Company policy requires the use of passphrases instead of passwords. Which of the following technical controls MUST be in place in order to promote the use of passphrases? 1. Complexity 2. Reuse 3. History 4. Length

4. Length The National Institute of Science and Technology (NIST) released new standards for password security in the final version of Special Publication 600-83. Specifically, NIST refers to new password security guidelines in the document SP 800-638: Authentication & Lifecycle Management (PDF). Federal agencies and contractors use NIST's standards as guidelines on how to secure digital identities. New NIST guidelines recommend using long and complex passphrases instead of seemingly complex passwords. A passphrase is a "memorized secret" consisting of a sequence of words or other text used to authenticate their identity. It is longer than a password for added security.

A network administrator is attempting to troubleshoot an issue regarding certificates on a secure website. During the troubleshooting process, the network administrator notices that the web gateway proxy on the local network has signed all of the certificates on the local machine. Which of the following describes the type of attack the proxy has been legitimately programmed to perform? 1. Transitive access 2. Replay 3. Spoofing 4. Man-in-the-middle

4. Man-in-the-middle A man-in-the-middle (MITM) proxy is an SSL-capable proxy that works as man-in-the-middle for HTTP and HTTPS communication. A very good interactive tool allows for monitoring, modifying and replaying of HTTP/HTTPS traffic that goes through it. When using an HTTPS proxy server, there is very little difference in how the server functions from a HTTP server. It is set up between the internal network and the internet. All requests to any website, including HTTP or HTTPS sites go through the intermediate server, the proxy, and appear to the website to originate from the server. This protects the interior IP addresses in a network. Not only does this limit the information that hackers can obtain about the interior network, but it also allows the network IT administrator to control access to specific sites and to more effectively manage the use of resources.

Multiple organizations operating in the same vertical wants to provide seamless wireless access for their employees as they visit the other organizations. Which of the following should be implemented if all the organizations use the native 802.1 x client on their mobile devices? 1. Shibboleth 2. OAuth 3. SAML 4. RADIUS federation 5. OpenlD connect

4. RADIUS federation Even extremely decentralized groups can develop a scalable, secure wireless network infrastructure using 802.1X and RADIUS. The only additional components needed in addition to those required for standard 802.1X is a trust relationship between RADIUS servers and a core to manage trust relationships and routing of authentication requests. The resulting collection of loosely associated networks is often called a federation. Federated networks are composed of several member networks that share some level of trust, but member networks retain their own administrative control. Each member network is constructed and run separately.

Which of the following is commonly used for federated identity management across multiple organizations? 1. LDAP 2. Active Directory 3. Kerberos 4. SAML

4. SAML The Security Assertion Markup Language (SAML) is an open standard for sharing security information about identity, authentication and authorization across different systems. SAML is implemented with the Extensible Markup Language (XML) standard for sharing data, and SAML provides a framework for implementing single sign-on (SSO) and other federated identity systems.

Joe, a security administrator, needs to extend the organization's remote access functionality to be used by staff while traveling. Joe needs to maintain separate access control functionalities for internal, external, and VOiP services. Which of the following represents the BEST access technology for Joe to use? 1. Diameter 2. RADIUS 3. Kerberos 4. TACACS+

4. TACACS+ TACACS+ (Terminal Access Controller Access Control System) is an older authentication protocol common to UNIX networks that allows a remote access server to forward a user's logon password to an authentication server to determine whether access can be allowed to a given system. In spite of its name, TACACS+ is an entirely new protocol. TACACS+ and RADIUS have generally replaced the earlier protocols in more recently built or updated networks. TACACS+ uses the Transmission Control Protocol (TCP) and RADIUS uses the User Datagram Protocol (UDP). Some administrators recommend using TACACS+ because TCP is seen as a more reliable protocol. Whereas RADIUS combines authentication and authorization in a user profile, TACACS+ separates the two operations.

An incident responder receives a call from a user who reports a computer is exhibiting symptoms consistent with a malware infection. Which of the following steps should the responder perform NEXT? 1. Request the user capture and provide a screenshot or recording of the symptoms. 2. Ask the user to back up files for later recovery. 3. Capture and document necessary information to assist in the response. 4. Use a remote desktop client to collect and analyze the malware in real time.

4. Use a remote desktop client to collect and analyze the malware in real time. - The incident response team should work quickly to analyze and validate each incident, following a pre-defined process and documenting each step taken. When the team believes that an incident has occurred, the team should rapidly perform an initial analysis to determine the incident's scope, such as which networks, systems, or applications are affected; who or what originated the incident; and how the incident is occurring (e.g., what tools or attack methods are being used, what vulnerabilities are being exploited). The initial analysis should provide enough information for the team to prioritize subsequent activities, such as containment of the incident and deeper analysis of the effects of the incident.

An administrator intends to configure an IPSec solution that provides ESP with integrity protection, but not confidentiality protection. Which of the following AES modes of operation would meet this integrity-only requirement? 1. CFB 2. PCBC 3. CBC 4. GCM 5. HMAC

5. HMAC - Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite. It provides origin authenticity through source authentication, data integrity through hash functions (HMAC) and confidentiality through encryption protection for IP packets. ESP operates directly on top of IP, using IP protocol number 50.

A website administrator has received an alert from an application designed to check the integrity of the company's website. The alert indicated that the hash value for a particular MPEG file has changed. Upon further investigation, the media appears to be the same as it was before the alert. Which of the following methods has MOST likely been used? 1. Covert timing 2. Man in the middle 3. Cryptography 4. Time of check/time of use 5. Steganography

5. Steganography - Steganography is data hidden within data. Steganography is an encryption technique that can be used along with cryptography as an extra-secure method in which to protect data. Steganography techniques can be applied to images, a video file or an audio file. Typically, however, steganography is written in characters including hash marking, but its usage within images is also common. At any rate, steganography protects from pirating copyrighted materials as well as aiding in unauthorized viewing.

An organization wishes to provide better security for its name resolution services. Which of the following technologies BEST supports the deployment of DNSSEC at the organization? 1. TPM 2. SSL 3. LDAP 4. PKI 5. TLS

5. TLS - TLS/SSL encryption is currently based on certificates issued by certificate authorities (CAs). Within the last few years, a number of CA providers suffered serious security breaches, allowing the issuance of certificates for well-known domains to those who don't own those domains. Trusting a large number of CAs might be a problem because any breached CA could issue a certificate for any domain name. DNS-based Authentication of Named Entities (DANE) is a protocol to allow X.509 certificates, commonly used for Transport Layer Security (TLS), to be bound to DNS names using Domain Name System Security Extensions (DNSSEC). DANE enables the administrator of a domain name to certify the keys used in that domain's TLS clients or servers by storing them in the Domain Name System (DNS). DANE needs the DNS records to be signed with DNSSEC for its security model to work.

A company is planning to encrypt the files in several sensitive directories of a file server with a symmetric key. Which of the following could be used? 1. NTLMv2 2. RSA 3. Diffie-Helman 4. RIPEMD 5. TwoFish

5. TwoFish - Twofish is a symmetric encryption algorithm based on an earlier algorithm, Blowfish, and was a finalist for a NIST Advanced Encryption Standard (AES) algorithm to replace the DES algorithm. (NIST eventually selected the Rijndael algorithm for AES.) Like Blowfish, Twofish uses block ciphering. Twofish uses a single key of any length up to 256 bits and is said to be efficient both for software that runs in smaller processors such as those in smart cards and for embedding in hardware. It allows implementers to trade off encryption speed, key setup time, and code size to balance performance. Designed by Bruce Schneier's Counterpane Systems, Twofish is unpatented, license-free, and freely available for use.

A technician must configure a firewall to block external DNS traffic from entering a network. What ports should they block on the firewall?

53 (TCP/UDP) : Security practitioners for decades have advised people to limit DNS queries against their DNS servers to only use UDP port 53. The reality is that DNS queries can also use TCP port 53 if UDP port 53 is not accepted. Now with the impending deployment of DNSSEC and the eventual addition of IPv6 we will need to allow our firewalls for forward both TCP and UDP port 53 packets. Furthermore, most organizations have also used firewalls to block TCP port 53 to and from their DNS servers and the Internet. This is double-protection in case the DNS server accidentally allowed transfers. Configuring your DNS servers to permit zone transfers to only legitimate DNS servers has always been and continues to be a best practice. However, the practice of denying TCP port 53 to and from DNS servers is starting to cause some problems. There are two good reasons that we would want to allow both TCP and UDP port 53 connections to our DNS servers. One is DNSSEC and the second is IPv6.

A chief Financial Officer (CFO) has asked the Chief Information Officer (CISO) to provide responses to a recent audit report detailing deficiencies in the organization security controls. The CFO would like to know ways in which the organization can improve its authorization controls. Given the request by the CFO, which of the following controls should the CISO focus on in the report? (Select Three) 1. One time passwords 2. Biometric Systems 3. Hardware Tokens 4. Multifactor authentication 5. password compexity policy 6. seperation of duties 7. least privelege 8. single sign-on 9 Role-based permissions

6. seperation of duties 7. least privelege 9 Role-based permissions key word is authorization

A wireless network uses a RADIUS server that is connected to an authenticator, which in turn connects to a supplicant. What authentication architecture in use?

802.1x 802.1 X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN. The term 'supplicant' is also used interchangeably to refer to the software running on the client that provides credentials to the authenticator. The authenticator is a network device, such as an Ethernet switch or wireless access point; and the authentication server is typically a host running software supporting the RADIUS and EAP protocols. In some cases, the authentication server software may be running on the authenticator hardware.

___ is a process used to help business units understand the impact of a disruptive event. This phase includes the execution of a vulnerability assessment Business Continuity Plan Development.

Business Impact Assessment - A BIA Business impact analysis and risk assessment are two important steps in a business continuity plan. A BIA often takes place prior to a risk assessment. The BIA focuses on the effects or consequences of the interruption to critical business functions and attempts to quantify the financial and non-financial costs associated with a disaster. The business impact assessment looks at the parts of the organization that are most crucial. A BIA can serve as a starting point for a disaster recovery strategy and examine recovery time objectives (RTOs) and recovery point objectives (RPOs), and resources and materials needed for business continuance.

A technician is configuring a wireless guest network. After applying the most recent changes the technician finds the new devices can no longer find the wireless network by name but existing devices are still able to use the wireless network. Which of the following security measures did the technician MOST likely implement to cause this Scenario? 1. Beacon interval was decreased 2. Reduction of WAP signal output power 3. Deactivation of SSID broadcast 4. Implementation of MAC filtering 5. Activation of 802.1X with RADIUS

Deactivation of SSID broadcast A Service Set Identifier (SSID) is the wireless network name broadcast by a wireless router. When a wireless device searches the area for wireless networks it will detect the SSID to be able to associate with the router. SSID Broadcast is enabled by default however; you may also choose to disable it. The simple reason SSID broadcasting is used in the first place is to make it easy for clients to see and connect to the network. Otherwise, they have to know the name beforehand and set up a manual connection to it. However, with the SSID enabled, not only do your neighbors see your network any time they browse for nearby Wi-Fi, it makes it easier for potential hackers to see that you have a wireless network within range.

A security administrator wants to configure a company's wireless network in a way that will prevent wireless clients from broadcasting the company's SSID. What should be configured on the company's access points?

Disable SSID broadcast - Most broadband routers and other wireless access points (APs) automatically transmit their network name (SSID) into the open air every few seconds. You can choose to disable this feature on your Wi-Fi network but before you do, be aware of the pros and cons. The simple reason SSID broadcasting is used in the first place is to make it easy for clients to see and connect to the network. Otherwise, they have to know the name beforehand and set up a manual connection to it. However, with the SSID enabled, not only do your neighbors see your network any time they browse for nearby Wi-Fi, it makes it easier for potential hackers to see that you have a wireless network within range. Similarly, while it is technically a better decision to keep your SSID hidden away, it is not a foolproof security measure. A hacker with the right tools and enough time, can sniff out the traffic coming from your network, find the SSID and continue on their hacking way. Knowing your network's name brings hackers one-step closer to a successful intrusion, just like how an unlocked door paves the way for an attacker.

Active Directory ___ provides a means for managing online identities and providing single sign-on capabilities. This is becoming important because of the transition being made from running applications on-premises to running applications in the cloud. When applications are run on-premises, access rights to them can be granted to Active Directory objects (users and groups). Once users log into Active Directory they are recognized regardless of which servers they are connecting to access applications and other resources.

Federation Services

The administrator installs database software to encrypt each field as it is written to disk. What describes the encrypted data?

In-use - Just like matter, data exists in three states: in motion, at rest and in use. In order to secure enterprise data, it must be protected throughout its entire lifecycle: in all three states. If the data in use is not encrypted (i.e., while being processed), it is exposed and therefore, vulnerable. Data in use is more vulnerable than data at rest because, by definition, it must be accessible to those who need it. Of course, the more people and devices that have access to the data, the greater the risk that it will end up in the wrong hands at some point. The keys to securing data in use are to control access as tightly as possible and to incorporate some type of authentication to ensure that users are not hiding behind stolen identities. Data in use is data that is not just being stored passively on a hard drive or external storage media. This data is being processed by one or more applications. This is data currently in the process of being generated, updated, appended, or erased. It also includes data being viewed by users accessing it through various endpoints. Data in use is susceptible to different kinds of threats depending on where it is in the system and who is able to use it. The most vulnerable point for data in use is at the endpoints where users are able to access and interact with it.

A security administrator is trying to encrypt communication. For what reasons should administrator take advantage of the Subject Alternative Name (SAN) attribute of a certificate?

It provides extended site validation - An Extended Validation SSL Certificate (also known as EV SSL for short) is the highest form of SSL Certificate on the market. While all levels of SSL - Extended Validation (EV), Organization Validated (OV), and Domain Validated (DV) - provide encryption and data integrity, they vary in terms of how much identity verification is involved and how the certificates display in browsers. The Subject Alternative Name field lets you specify additional host names (sites, IP addresses, common names, etc.) to be protected by a single SSL Certificate, such as a Multi-Domain (SAN) or Extend Validation Multi-Domain Certificate.

The firewall administrator is adding a new certificate for the company's remote access solution. The solution requires that the uploaded file contain the entire certificate chain for the certificate to load properly. The administrator loads the company certificate and the root CA certificate into the file. The file upload is rejected. What is required to complete the certificate chain?

Intermediate authority - An intermediate certification authority (CA) is a CA that is subordinate to the root CA by one or more levels and typically issues certificates to other CAs in the public key infrastructure (PKI) hierarchy. A Root CA is a Certificate Authority that owns one or more trusted roots. That means that they have roots in the trust stores of the major browsers. Intermediate CAs are Certificate Authorities that issue off an intermediate root. They do not have roots in the browser's trust stores, instead their intermediate roots chain back to a trusted third-party root. This is sometimes called cross signing. Now, here is where it can get a little confusing. As we discussed earlier, CAs do not issue directly from their roots. They add layers of security by issuing intermediates and then signing certificates with those. This helps to minimize and compartmentalize damage in the event of a miss-issuance or security event. Rather than revoke the root certificate and literally every certificate that it signed by extension, you just revoke the intermediate, which only causes the group of certificates issued off that intermediate to get distrusted.

Key data roles within an organization are responsible for protecting data. The ___ has overall responsibility for the protection of the data. A ____ routine tasks to protect data. A _____ is an executive responsible for ensuring the organization complies with relevant laws.

Key data roles within an organization are responsible for protecting data. The owner has overall responsibility for the protection of the data. A steward or custodian handles routine tasks to protect data. A privacy officer is an executive responsible for ensuring the organization complies with relevant laws.

The process of applying a salt and cryptographic hash to a password then repeating the process many times is known as what?

Key stretching - : Key stretching is the practice of converting a password to a longer and more random key for cryptographic purposes such as encryption. This is generally recognized as making encryption stronger as it ensures that the encryption itself is reasonably hard. The process of converting a password into a key is accomplished by a type of algorithm known as a key derivation function that may include adding salt with the password to make the key more difficult to guess.

An attacker captures the encrypted communication between two parties for a week, but is unable to decrypt the messages. The attacker then compromises the session key during one exchange and successfully compromises a single message. The attacker plans to use this key to decrypt previously captured and future communications, but is unable to. This is because the encryption scheme in use adheres to:

Perfect forward secrecy - : Perfect Forward Secrecy is a feature of specific key agreement protocols that gives assurances your session keys will not be compromised even if the private key of the server is compromised. By generating a unique session key for every session a user initiates, even the compromise of a single session key will not affect any data other than that exchanged in the specific session protected by that particular key. Perfect Forward Secrecy represents a huge step forwards in protecting data on the transport layer.

What security controls does an iris scanner provide?

Physical - In reality, biometrics refers to protecting network and physical security through physical and behavioral biometric techniques. The physical biometric techniques include fingerprinting, hand and finger geometry, facial recognition, iris and retinal scanning, and vascular pattern recognition.

Which of the following allows an application to securely authenticate a user by receiving credentials from a web domain? 1. RADIUS 2. SAML 3. TACACS+ 4. Kerberos

Security Assertion Markup Language (SAML) is an XML-based framework for authentication and authorization between two entities: a Service Provider (SP) and an Identity Provider (ldP). The Service Provider agrees to trust the Identity Provider to authenticate users. In return, the Identity provider generates an authentication assertion, which indicates that a user has been authenticated. SAML is a standard single sign-on (SSO) format.

A security technician would like to obscure sensitive data within a file so that it can be transferred without causing suspicion. What technology would BEST be suited to accomplish this?

Steganography - Steganography is the hiding of a secret message within an ordinary message and the extraction of it at its destination. Steganography takes cryptography a step farther by hiding an encrypted message so that no one suspects it exists. Ideally, anyone scanning your data will fail to know it contains encrypted data. In modern digital steganography, data is first encrypted by the usual means and then inserted, using a special algorithm, into redundant (that is, provided but unneeded) data that is part of a particular file format such as a JPEG image. Think of all the bits that represent the same color pixels repeated in a row. By applying the encrypted data to this redundant data in some random or non-conspicuous way, the result will be data that appears to have the "noise" patterns of regular, non-encrypted data. A trademark or other identifying symbol hidden in software code is sometimes known as a watermark.

Network administrators modify a standard Access Control List (ACL) by adding lines. Each new entry you add to the Access Control List (ACL) appears at the bottom of the list. Remember, the way in which access control lists work is ____

TOP DOWN. So, when the firewall received a packet on that interface it will logically go through the access control list entries or "ACEs" from the top down until it finds a match and will then action what the first matched rule defines whether it be permit or deny.

A company has three divisions, each with its own networks and services. The company decides to make its secure web portal accessible to all employees utilizing their existing usernames and passwords. The security administrator has elected to use SAML to support authentication. In this scenario, what will occur when users try to authenticate to the portal?

The portal will function as an identity provider and issue an authentication assertion Security Assertion Markup Language (SAML, pronounced sam-el) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.

What network vulnerability scan indicators BEST validates a successful, active scan?

The scan results identify the hostname and IP address.

A company determines that it is prohibitively expensive to become compliant with new credit card regulations. Instead, the company decides to purchase insurance to cover the cost of any potential loss. The company is ___

Transferring the risk - Risk Transference refers to the shifting of the burden of loss for a risk to another party through legislation, contract, insurance or other means.

What method would verify that a threat does exist and security controls can easily be bypassed without actively testing an application?

Vulnerability scan - Vulnerability scanning is an inspection of the potential points of exploit on a computer or network to identify security holes. A vulnerability scan detects and classifies system weaknesses in computers, networks and communications equipment and predicts the effectiveness of countermeasures without actively testing the application.

A ___ cloud is a combination of two or more public, private, and/or community clouds.

hybrid

Mandatory Access Control (MAC) is a set of security policies constrained according to system classification, configuration and authentication. MAC policy management and settings are established in one secure network and limited to ___

system administrators.

When collecting data for a forensic analysis, you should collect it from the most volatile to the least volatile. The order of volatility is ___

cache memory, regular RAM, swap or paging file, hard drive data, logs stored on remote systems, and archived media.

A security analyst is diagnosing an incident in which a system was compromised from an external IP address. The socket identified on the firewall was traced to 207.46.130.0:6666. What command should the security analyst use to determine if the compromised system still has an active connection?

netstat - xplanation: In computing, netstat (network statistics) is a command-line network utility tool that displays network connections for the Transmission Control Protocol (both incoming and outgoing), routing tables, and a number of network interface (network interface controller or software-defined network interface) and network protocol statistics. It is available on Unix-like operating systems including macOS, Linux, Solaris, and BSD, and is available on Windows NT-based operating systems including Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. It is used for finding problems in the network and to determine the amount of traffic on the network as a performance measurement. Netstat provides statistics for the following: Proto - The name of the protocol (TCP or UDP). Local Address - The IP address of the local computer and the port number (called a socket) being used. The name of the local computer that corresponds to the IP address and the name of the port is shown unless the -n parameter is specified. An asterisk (*) is shown for the host if the server is listening on all interfaces. If the port is not yet established, the port number is shown as an asterisk. Foreign Address - The IP address and port number of the remote computer to which the socket is connected. The names that corresponds to the IP address and the port are shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*). State - Indicates the state of a TCP connection. The possible states are as follows: CLOSE_WAIT, CLOSED, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, LISTEN, SYN_RECEIVED, SYN_SEND, and TIME_WAIT. For more information about the states of a TCP connection, see RFC 793.

A ___ is an executive position within an organization. This person is primarily responsible for ensuring that the organization is complying with relevant laws.

privacy officer - This person is primarily responsible for ensuring that the organization is complying with relevant laws. For example, if the organization handles any PHI, the privacy officer ensures the organization complies with HIPAA. If SOX applies to the organization, the privacy officer ensures that the organization is complying with SOX.

A senior incident response manager receives a call about some external IPs communicating with internal computers during off hours. What types of malware is MOST likely causing this issue?

A botnet is a collection of internet-connected devices, which may include PCs, servers, mobile devices and internet of things devices that are infected and controlled by a common type of malware. Users are often unaware of a botnet infecting their system. Infected devices are controlled remotely by threat actors, often cybercriminals, and are used for specific functions, so the malicious operations stay hidden to the user. Botnets are commonly used to send email spam, engage in click fraud campaigns and generate malicious traffic for distributed denial-of-service attacks.

Which of the following differentiates a collision attack from a rainbow table attack? 1. A rainbow table attack uses the hash as a password 2. In a collision attack, the hash and the input data are equivalent 3. A rainbow table attack performs a hash lookup 4. In a collision attack, the same input results in different hashes

A rainbow table attack performs a hash lookup - A rainbow table is a listing of all possible plaintext permutations of encrypted passwords specific to a given hash algorithm. Rainbow tables are often used by password cracking software for network security attacks. All computer systems that require password-based authentication store databases of passwords associated with user accounts, typically encrypted rather than plaintext as a security measure. Once an attacker gains access to a system's password database, the password cracker compares the rainbow table's precompiled list of potential hashes to hashed passwords in the database. The rainbow table associates plaintext possibilities with each of those hashes, which the attacker can then exploit to access the network as an authenticated user.

Joe notices there are several user accounts on the local network generating spam with embedded malicious code. What technical control should Joe put in place to BEST reduce these incidents?

Account lockout - Someone who attempts to use more than a few unsuccessful passwords while trying to log on to your system might be a malicious user who is attempting to determine an account password by trial and error. Windows domain controllers keep track of logon attempts, and domain controllers can be configured to respond to this type of potential attack by disabling the account for a preset period of time. Account Lockout Policy settings control the threshold for this response and the actions to be taken after the threshold is reached. The Account Lockout Policy settings can be configured in the following location in the Group Policy Management Console: Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.

___ send transmissions to the network's nodes, examining the responses they receive to evaluate whether a specific node represents a weak point within the network.

Active scanners - A network administrator can also use an active scanner to simulate an attack on the network, uncovering weaknesses a potential hacker would spot, or examine a node following an attack to determine how a hacker breached security. Active scanners can take action to autonomously resolve security issues, such as blocking a potentially dangerous IP address.

Adhering to a layered security approach, a controlled access facility employs security guards who verify the authorization of all personnel entering the facility. What term BEST describes the security control being employed?

Administrative - An administrative control is one that comes down through policies, procedures, and guidelines. An example of an administrative control is the escalation procedure to be used in the event of a break-in; who is notified first, who is called second, and so on. Another example of an administrative control is the list of steps to be followed when a key employee is terminated: disable their account, change the server password, and so forth. Administrative controls are the policies that determine how personnel enter the facility, security guards authorizing your access and how the parking spaces will be allocated. Individuals wanting to park on campus are grouped together and segmented based on position, status, and so on. Each segment is issued a different color parking sticker and available spots are identified by that color.

What encryption methods does PKI typically use to securely protect keys?

Asymmetric - Asymmetric cryptography, also known as public key cryptography, uses public and private keys to encrypt and decrypt data. The keys are simply large numbers that have been paired together but are not identical (asymmetric). One key in the pair can be shared with everyone; it is called the public key. The other key in the pair is kept secret; it is called the private key. Either of the keys can be used to encrypt a message; the opposite key from the one used to encrypt the message is used for decryption. For asymmetric encryption to deliver confidentiality, integrity, authenticity and non-repudiation, users and systems need to be certain that a public key is authentic, that it belongs to the person or entity claimed and that it has not been tampered with or replaced by a malicious third party. There is no perfect solution to this public key authentication problem. A public key infrastructure (PKI), where trusted certificate authorities certify ownership of key pairs and certificates, is the most common approach, but encryption products based on the Pretty Good Privacy (PGP) model (including OpenPGP), rely on a decentralized authentication model called a web of trust, which relies on individual endorsements of the link between user and public key.

An external contractor, who has not been given information about the software or network architecture, is conducting a penetration test. What BEST describes the test being performed?

Black box - a black box testing assignment, the penetration tester is placed in the role of the average hacker, with no internal knowledge of the target system. Testers are not provided with any architecture diagrams or source code that is not publicly available. A black box penetration test determines the vulnerabilities in a system that is exploitable from outside the network.

A high-security defense installation recently begun utilizing large guard dogs that bark very loudly and excitedly at the slightest provocation. What types of controls does this BEST describe?

Deterrent - Deterrent controls are intended to discourage potential attackers and send the message that it is better not to attack, but even if you decide to attack we are able to defend ourselves. Examples of deterrent controls include notices of monitoring and logging, guard dogs, as well as the visible practice of sound information security management.

A security analyst is performing a quantitative risk analysis. The risk analysis should show the potential monetary loss each time a threat or event occurs. Given this requirement, what two concepts would assist the analyst in determining this value?

EF and AV - Quantitative analysis is about assigning monetary values to risk components. The value of the asset (AV) is assessed first—$100,000, for example. Let's discuss the single loss expectancy (SLE). It contains information about the potential loss when a threat occurs (expressed in monetary values). It is calculated as follows: SLE = AV x EF, where EF is exposure factor.

What are MOST susceptible to birthday attacks?

Hashed passwords - Birthday attack is a cryptanalytic technique. Birthday attacks can be used to find collisions in a cryptographic hash function. For instance, suppose we have a hash function which, when supplied with a random input, returns one of k equally likely values. By repeatedly evaluating the function on 1.2 √k different inputs, it is likely we will find some pair of inputs that produce the same output (a collision). Birthday attacks are a class of brute-force techniques used in an attempt to solve a class of cryptographic hashed password function problems. These methods take advantage of functions which, when supplied with a random input, return one of k equally likely values. By repeatedly evaluating the function for different inputs, the same output is obtained after about 1.2k√2 evaluations.

A supervisor in your organization was demoted on Friday afternoon. The supervisor had the ability to modify the contents of a confidential database, as well as other managerial permissions. On Monday morning, the database administrator reported that log files indicated that several records were missing from the database. What risk mitigation strategies should have been implemented when the supervisor was demoted?

Monthly user rights reviews -

An auditor is reviewing the following output from a password-cracking tool: User:1: Password1 User2: Recovery! User3: Alaskan10 User4: 4Private User5: PerForMance2 What methods did the author MOST likely use?

Hybrid - A hybrid attack is a blend of both a dictionary attack method as well as brute force attack. This means that while a dictionary attack method would include a wordlist of passwords, the brute-force attack would be applied to each possible password in that list. Hybrid password guessing attacks assume that network administrators push users to make their passwords at least slightly different from a word that appears in a dictionary. Hybrid guessing rules vary from tool to tool, but most mix uppercase and lowercase characters, add numbers at the end of the password, spell the password backward or slightly misspell it, and include characters such as @!# in the mix. Both John the Ripper and Cain & Abel can do hybrid guessing.

An attacker wearing a building maintenance uniform approached a company's receptionist asking for access to a secure area. The receptionist asks for identification, a building access badge and checks the company's list approved maintenance personnel prior to granting physical access to the secure are. The controls used by the receptionist are in place to prevent what types of attacks?

Impersonation - Impersonation is one of several social engineering tools used to gain access to a system or network in order to commit fraud, industrial espionage or identity theft. Impersonation differs from other forms of social engineering because it occurs in person, rather than over the phone or through email.

___ would MOST likely appear in an uncredentialed vulnerability scan?

Inactive local accounts - Most vulnerability management solutions offer two kinds of vulnerability assessments: credentialed and non-credentialed (also known as authenticated and unauthenticated scans). Non-credentialed scans are very useful tools that provide a quick view of vulnerabilities by only looking at network services exposed by the host. Unfortunately, these scans can't provide deeper insight into application and operating system vulnerabilities not exposed to the network, or those vulnerabilities that are potentially covered up by a firewall that sits between the scanner and the host. This could provide false hope that your system is safe, while in reality, those vulnerabilities are frequently targeted by attackers that have gained credentialed access, so they aren't an accurate indicator of security risk.

The IT department needs to prevent users from installing untested applications. What would provide the BEST solution?

Least privilege - The Principle of Least Privilege states that a subject should be given only those privileges needed for it to complete its task. Only the minimum necessary rights should be assigned to a subject that requests access to a resource and should be in effect for the shortest duration necessary (remember to relinquish privileges). Granting permissions to a user beyond the scope of the necessary rights of an action can allow that user to obtain or change information in unwanted ways. Therefore, careful delegation of access rights can limit attackers from damaging a system.

What BEST describes an attack where communications between two parties are intercepted and forwarded to each party with neither party being aware of the interception and potential modification to the communications?

Man-in-the-middle - A man-in-the-middle (MITM) attack is a form of eavesdropping where communication between two users is monitored and modified by an unauthorized party. Generally, the attacker actively eavesdrops by intercepting a public key message exchange and retransmits the message while replacing the requested key with his own. In the process, the two original parties appear to communicate normally. The message sender does not recognize that the receiver is an unknown attacker trying to access or modify the message before retransmitting to the receiver. Thus, the attacker controls the entire communication.

Refer to the following code: Public Class rainbow { Public static void main (String [] args) { object blue = null; blue.hashcode (); } } What vulnerabilities would occur if this is executed?

Missing null check A program can dereference a null pointer because it does not check the return value of a function that might return null. Just about every serious attack on a software system begins with the violation of a programmer's assumptions. After the attack, the programmer's assumptions seem flimsy and poorly founded, but before an attack many programmers would defend their assumptions well past the end of their lunch break. Two dubious assumptions that are easy to spot in code are "this function call can never fail" and "it doesn't matter if this function call fails". When a programmer ignores the return value from a function, they implicitly state that they are operating under one of these assumptions. As a programmer I recognize this as likely being C++ That means it's not C (NullPointerException) because that exact phrasing is from Java. So it has to be D. However, this isn't really a missing null check... this is someone doing nothing except setting something to null then trying to use it. It's not a vulnerability as much as a deliberate two lines of code designed to crash. For example, this is a pointer: *pointer And this a reference: &ref So there is none of these in the code, so it must be MissingNullCheck

While performing surveillance activities, an attacker determines that an organization is using 802.1X to secure LAN access. What attack mechanisms can the attacker utilize to bypass the identified network security?

MAC spoofing - Every device that is connected to a network possesses a worldwide, unique, and physical identification number: the Media Access Control address or MAC for short. This burned-in address is virtually etched to the hardware by the manufacturer. Users are not able to change or rewrite the MAC address. Nevertheless, it is possible to mask it on the software side. This masking is what is referred to as MAC spoofing. MAC addresses: distinct hardware addresses identify network interface controllers (NIC) such as LAN cards or WLAN adapters, and are used to identify devices in local networks. Every MAC address includes 48 bits, or 6 bytes, and is arranged in the following pattern: 00:81:41:fe:ad:7e. The first 24 bits are the manufacturer code assigned by the Institute of Electrical and Electronics Engineers (IEEE), and the following 24 bits are the device number defined by the manufacturer. Spoofing: in the network terminology, spoofing refers to the various methods, which can be used to manipulate the fundamental address system in computer networks. Hackers use this method of attack to conceal their own identity and imitate another. Other than MAC addresses, other popular targets for spoofing attacks are the internet protocol (IP), domain name system (DNS), and address resolution via Address Resolution Protocol (ARP). Basically, spoofing is a resolution strategy for troubleshooting - but in most cases, it is used for the infiltration of foreign systems and illegal network activities instead. There are tools to bypass 802.1x Network Access Control (NAC) on a wired LAN. These threat agents will help you locate any non-802.1x configurable hosts on your subnet, and spoof their MAC address so that you appear authenticated to the switch.

A supervisor in your organization was demoted on Friday afternoon. The supervisor had the ability to modify the contents of a confidential database, as well as other managerial permissions. On Monday morning, the database administrator reported that log files indicated that several records were missing from the database. What risk mitigation strategies should have been implemented when the supervisor was demoted?

Monthly user rights reviews - Taking regular inventories of your users and their needs helps keep information, and your company, safe and secure. The measures we use to implement authorization policies are called user access controls, user permissions or user privileges. User access control is commonly used in the Windows operating system, router or firewall documentation, but user privilege or user permission is more common to Linux documentation. When you define an authorization policy, you define individual or sets of users, applications or processes that can perform actions on a resource such as a database. You can be very granular with an authorization policy. You can control actions - whether individuals or groups of individuals can read, create or modify (write), delete - on individual database entries, or even individual elements (fields) of a database entry. Without a doubt, user access reviews constitute one of the main ways in which a company can protect its information assets. Whether guarding against anger or accidents, user access controls how much freedom employees have to the organization's data. Program access and information access need to be restricted based on employee role within the company to effectively determine the safety of those assets. From top management down the organizational chain, everyone needs to work to create a culture of security.

What types of keys is found in a key escrow?

Private - Key escrow is a cryptographic key exchange process in which a key (private) is held in escrow, or stored, by a third party. A key that is lost or compromised by its original user(s) may be used to decrypt encrypted material, allowing restoration of the original material to its unencrypted state.

What describes the exploitation of an interactive process to access otherwise restricted areas of the OS?

Privilege escalation - Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

What specifically describes the exploitation of an interactive process to access otherwise restricted areas of the OS?

Privilege escalation - Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

An attacker uses a network sniffer to capture the packets of a transaction that adds $20 to a gift card. The attacker then user a function of the sniffer to push those packets back onto the network again, adding another $20 to the gift card. This can be done many times. What describes this type of attack?

Replay attack - A replay attack is a category of network attack in which an attacker detects a data transmission and fraudulently has it delayed or repeated. The delay or repeat of the data transmission is carried out by the sender or by the malicious entity, which intercepts the data and retransmits it. In other words, a replay attack is an attack on the security protocol using replays of data transmission from a different sender into the intended into receiving system, thereby fooling the participants into believing they have successfully completed the data transmission. Replay attacks help attackers to gain access to a network, gain information which would not have been easily accessible or complete a duplicate transaction.

___is the concept of having more than one person required to complete a task. In business the separation by sharing of more than one individual in one single task is an internal control intended to prevent fraud and error.

Separation of duties (also known as Segregation of Duties)

A penetration testing is preparing for a client engagement in which the tester must provide data that proves and validates the scanning tools' results. What is the best method for collecting this information?

Set up the scanning system's firewall to permit and log all outbound connections - Firewall configuration testing remains an acquired skill, effectively performed by firewall experts, auditors or security professionals with this special expertise. Because many egress traffic-handling policies will be source address dependent, you can achieve some confidence that your configuration satisfies your policies by logging intensely, running address and port scanning tools, and confirming that your allow/deny results are what you expect. Rigorous logging of denied outbound connections could help identify culprits that are either ignorant or defiant of your AUP, as well as provide early warning of infections. Where possible, cause potentially dangerous denied outbound packets to trigger notification for further investigation. In the process of filtering Internet traffic, all firewalls have some type of logging feature that documents how the firewall handled various types of traffic. These logs can provide valuable information like source and destination IP addresses, port numbers, and protocols. You can also use the Windows Firewall log file to monitor TCP and UDP connections and packets that are blocked by the firewall. To help and identify malicious activity with firewall scanning feature you can check if any malicious activity is occurring within your network or not, although you must remember it does not provide the information needed to track down the source of the activity.

What occurs when the security of a web application relies on JavaScript for input validation?

The integrity of the data is at risk. - Avoid placing the validation procedures only on the client side. All input should be validated server side. Client-side validation is executed by the client and can be easily bypassed. Client-side validation is a major design problem when it appears in web applications. It places trust in the browser, an entity that should never be trusted. If your application accepts input from the client, always validate for length, range and type on the server. Client-side validation should only be used to improve user experience, never for security purposes. A client-side input validation check can improve application performance by catching malformed input on the client and, therefore, saving a roundtrip to the server. However, client side validation can be easily bypassed and should never be used for security purposes. Always use server-side validation to protect your application from malicious attacks. Never trust the browser. Because the browser is running on the user's machine, it can be fully controlled by the user. Therefore, any client-side validation code can be controlled and bypassed by an attacker. Use JavaScript only to enhance your pages. JavaScript is useful for enhancing your application's presentation. However, it has no mechanism to protect the integrity of its code. Do not rely on JavaScript to enforce security decisions.

In determining when it may be necessary to perform a credentialed scan against a system instead of a noncredentialed scan, what requirements is MOST likely to influence this decision?

The scanner must be able to audit file system permissions - Credentialed scans are scans in which the scanning computer has an account on the computer being scanned that allows the scanner to do a more thorough check looking for problems that cannot be seen from the network. Credentialed scanning, and more specifically, the Policy Compliance plugins, allow customized auditing of operating systems, applications, databases, file content — nearly all aspects of configuration that impacts security. Nessus offers baseline files for a variety of operating systems, applications, standards, and policies.

A black hat hacker is enumerating a network and wants to remain convert during the process. The hacker initiates a vulnerability scan. Given the task at hand the requirement of being convert, what BEST indicates that the vulnerability scan meets these requirements?

The vulnerability scanner is performing in network sniffer mode. - Vulnerability scanning is a security technique used to identify security weaknesses in a computer system. Vulnerability scanning can be used by individuals or network administrators for security purposes, or it can be used by hackers attempting to gain unauthorized access to computer systems. There are two approaches to vulnerability scanning, authenticated and unauthenticated scans. In the unauthenticated method, the tester performs the scan as an intruder would, without trusted access to the network. Such a scan reveals vulnerabilities that can be accessed without logging into the network. In an authenticated scan, the tester logs in as a network user, revealing the vulnerabilities that are accessible to a trusted user, or an intruder that has gained access as a trusted user.

A company recently replaced its unsecure email server with a cloud-based email and collaboration solution that is managed and insured by a third party. What actions did the company take regarding risks related to its email and collaboration services?

Transference - Transference is a risk management strategy that is not used very often and tends to be more common in projects where there are several parties. Essentially, you transfer the impact and management of the risk to someone else. For example, if you have a third party contracted to write your software code, you could transfer the risk that there will be errors in the code over to them. They will then be responsible for managing this risk, perhaps through additional training. Normally transference arrangements are written up into project contracts. Insurance is another good example. If you are transporting equipment as part of your project and the van is in an accident, the insurance company will be liable for providing new equipment to replace any that was damaged. The project team acknowledges that the accident might happen, but they will not be responsible for dealing with sourcing replacement kit, moving it to the right location or paying for it as that is now the responsibility of the insurance company.

Anne, the Chief Executive Officer (CEO), has reported that she is getting multiple telephone calls from someone claiming to be from the helpdesk. The caller is asking to verify her network authentication Credentials because her computer is broadcasting across the network. This is MOST likely what types of attacks?

Vishing - Vishing is the illegal access of data via voice over Internet Protocol (VoIP). Vishing is IP telephony's version of phishing and uses voice messages to steal identities and financial resources. The term is a combination of "voice" and "phishing." Vishing is the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies. Vishing is used in order to induce individuals to reveal personal information, such as bank details and credit card numbers.

During a recent audit, it was discovered that many services and desktops were missing security patches. What BEST describes the assessment that was performed to discover this issue?

Vulnerability scan - Vulnerability scanning is an inspection of the potential points of exploit on a computer or network to identify security holes. A vulnerability scan detects and classifies system weaknesses in computers, networks and communications equipment and predicts the effectiveness of countermeasures.

Users report the following message appears when browsing to the company's secure site: This website cannot be trusted. Which of the following actions should a security analyst take to resolve these messages? (Select two.) 1. Ensure the certificate has a .pfx extension on the server. 2. Have users clear their browsing history and relaunch the session. 3. Install the updated private key on the web server. 4. Verify the certificate has not expired on the server. 5. Update the root certificate into the client computer certificate store.

4. Verify the certificate has not expired on the server. 5. Update the root certificate into the client computer certificate store. An internet browser will state that a website certificate is untrusted if that certificate has not been signed by a trusted Certificate Authority. In order for a browser to accept a certificate, it must be able to link it to a 'trusted root certificate'. Trusted root certificates are embedded into popular browsers such as Internet Explorer, Firefox, and Chrome. These root certificates are used as trust 'anchors' to verify the legitimacy of all website certificates that the browser encounters. If a browser encounters a certificate that is not signed by one of these roots, then it will state it is untrusted and visitors will see an error message like "This website cannot be trusted". Most trusted root certificates in a browser are owned by an accredited Certificate Authority (CA). When a CA signs the certificate of a website, it is effectively 'linking' that website's certificate to one of their trusted roots in the browser certificate store. For security reasons, most CA's do not sign end-entity/website certificates directly from the root, but will instead use an 'intermediate certificate' to create a 'chain of trust' to the root. In this system, the root certificate will sign the intermediate and the intermediate is used to sign the certificates of individual websites. 'Untrusted' errors, therefore, are usually caused for one of two reasons: Site uses a self-signed certificate and verify that the certificate has not expired on the server. Intermediate certificate(s) not installed and the website administrator has not correctly installed all intermediate certificates on their webserver.

Recently several employees were victims of a phishing email that appeared to originate from the company president. The email claimed the employees would be disciplined if they did not click on a malicious link in the message. What principles of social engineering made this attack successful?

Authority - Authority can be construed to mean many different things. Within the context of Social Engineering, there are different types of Authority. Authority and power are separate but related concepts. While power is the possession of control, authority or influence over others, authority refers to the right to exercise that power. Authority is used within Social Engineering in order to gain access to property or information. Different types of Authority can be used, including: Legal, Organizational and Social.

An organization needs to implement a large PKI. Network engineers are concerned that repeated transmission of the OCSP will impact network performance. What should the security analyst recommend is lieu of an OCSP?

CRL - A certificate revocation list (CRL) is a list of subscribers paired with certificate status where each end user's certificate is listed as valid, revoked or expired. A properly configured list indicates the reason for a revoked certificate along with the dates for which each certificate is valid.

As part of the SDLC, a third party is hired to perform a penetration test. The third party will have access to the source code, integration tests, and network diagrams. What BEST describes the assessment being performed?

White box - White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of testing software that tests internal structures or workings of an application, as opposed to its functionality (i.e. black-box testing).

What attack types is being carried out where a target is being sent unsolicited messages via Bluetooth?

Bluejacking - Bluejacking is a hacking method that allows an individual to send anonymous messages to Bluetooth-enabled devices within a certain radius. First, the hacker scans his surroundings with a Bluetooth-enabled device, searching for other devices. The hacker then sends an unsolicited message to the detected devices.

What is the proper way to quantify the total monetary damage resulting from an exploited vulnerability?

Calculate the ALE - Before you can really manage risk, you must know what is most valuable to the organization. You need to put a value on the organization's assets. You might be thinking that by value, we are discussing dollar amounts. That is one way to assess value, called quantitative assessment. You also have the choice to perform a qualitative assessment. If you choose to perform a qualitative assessment, you will not be dealing with dollar amounts because this is usually scenario driven. Quantitative assessment deals with numbers and dollar amounts. It attempts to assign a cost (monetary value) to the elements of risk assessment and to the assets and threats of a risk analysis. Determine annual loss expectancy (ALE) of the quantitative assessment seeks to combine the potential loss and rate per year to determine the magnitude of the risk. This is expressed as annual loss expectancy (ALE). ALE is calculated as follows: Annualized loss expectancy (ALE) x Single loss expectancy (SLE) = Annualized rate of occurrence (ARO)

A ___ is a very well known attack that is designed to send a very specifically crafted TCP packet to a device on the network. This constructing of the packet is one that turns on a bunch of flags. There is some space set up in the TCP header, called flags. These flags all are turned on or turned off, depending on what the packet is doing. In the case of a ___ , were turning on the Urgent (URG), the Push (PSH), and the Finish (FIN) flags.

Christmas Tree Attack (XMAS)

A penetration tester is crawling a target website that is available to the public. The actions the penetration tester is performing= ___?

Reconnaissance - it is the first stage of a hacking process. During this stage, the attacker collects as much information as possible about the target from publicly available sources. Most common sources used are search engines, social networks & technical forums. It's during this stage the attacker identifies low hanging fruits and the weak spots of the target. The information collected in the reconnaissance stage is used in further stages to tailor attacks against a particular weak spot of the organization.

What penetration testing concepts is being used when an attacker uses public Internet databases to enumerate and learn more about a target?

Reconnaissance - reconnaissance denotes the work of information gathering before any real attacks are planned. The idea is to collect as much interesting information as possible about the target. To achieve this, many different publicly available sources of information are used. The extracted information will often already allow a detailed insight into the affected systems.

What BEST describes a network-based attack that can allow an attacker to take full control of a vulnerable host?

Remote exploit - A remote exploit is a malicious action that targets one or a network of computers. The remote attack does not affect the computer the attacker is using. Instead, the attacker will find vulnerable points in a computer or network's security software to access the machine or system. The main reasons for remote attacks are to view or steal data illegally, introduce viruses or other malicious software to another computer or network or system, and cause damage to the targeted computer or network.

What works by implanting software on systems but delays execution until a specific set of conditions is met?

Logic bomb - A logic bomb is a malicious program timed to cause harm at a certain point in time, but is inactive up until that point. A set trigger, such as a preprogrammed date and time, activates a logic bomb. Once activated, a logic bomb implements a malicious code that causes harm to a computer. A logic bomb's application programming points may also include other variables such that the bomb is launched after a specific number of database entries. However, computer security experts believe that certain gaps of action may launch a logic bomb as well, and that these types of logic bombs may actually cause the greatest harm. A logic bomb may be implemented by someone trying to sabotage a database when they are fairly certain they will not be present to experience the effects, such as full database deletion. In these instances, logic bombs are programmed to exact revenge or sabotage work. A logic bomb is also known as slag code or malicious logic.

A technician has installed new vulnerability scanner software on a server that is joined to the company domain. The vulnerability scanner is able to provide visibility over the patch posture of all company's clients. What is being used?

Credentialed scan - What was installed was a "vulnerability scanner" to check the "posture" of all company's clients. Whenever the word "posture" is mentioned in a question for this exam, the answer is invariably a "passive scan". Yet, Both can be used to find the patch posture.

A web application is configured to target browsers and allow access to bank accounts to siphon money to a foreign account. This is an example of what attack?

Cross-site scripting - Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page

Having adequate lighting on the outside of a building is an example of what security controls?

Deterrent - Security lighting is another effective form of deterrence. Intruders are less likely to enter well-lit areas for fear of being seen. Doors, gates, and other entrances, in particular, should be well lit to allow close observation of people entering and exiting. When lighting the grounds of a facility, widely distributed low-intensity lighting is generally superior to small patches of high-intensity lighting, because the latter can have a tendency to create blind spots for security personnel and CCTV cameras. It is important to place lighting in a manner that makes it difficult to tamper with (e.g. suspending lights from tall poles), and to ensure that there is a backup power supply so that security lights will not go out if the electricity is cut off.

Joe, a user, wants to send Ann, another user, a confidential document electronically. What should Joe do to ensure the document is protected from eavesdropping

Encrypt it with Ann's public key - PKI stands for Public Key Infrastructure. PKI has lots of different uses, but it is used primarily for encrypting and / or signing data. Encrypting data refers to scrambling it in a way that makes it unreadable except to authorized persons. PKI is based on a mechanism called a digital certificate. Digital certificates are sometimes also referred to as X.509 certificates or simply as certificates. From an operational perspective, PKI is an encryption approach where a pair of cryptographic keys -- one public and one private -- are used to encrypt and decrypt data. A user can give someone their public key, which that sender uses to encrypt data. The owner then uses their private key to decrypt the data.

Which of the following would a security specialist be able to determine upon examination of a server's certificate? 1. OID 2. CA public key 3. CSR 4. Server private key

1. OID - OIDs are like the Internet domain name space: organizations that need such an identifier may have a root OID assigned to them. They can thus create their own sub OIDs much like they can create subdomains. A very large and standardized set of OIDs already exists. In computing, object identifiers or OIDs are an identifier mechanism standardized by the International Telecommunications Union (ITU) and ISO/IEC for naming any object, concept, or "thing" with a globally unambiguous persistent name. An OID corresponds to a node in the "OID tree" or hierarchy, which is formally defined using the ITU's OID standard, X.660. The root of the tree contains the following three arcs:

A portable data storage device has been determined to have malicious firmware. Which of the following is the BEST course of action to ensure data confidentiality? 1. Perform virus scan in the device 2. Physically destroy the device 3. Format the device 4. Re-image the device

1. Perform virus scan in the device - Correctly setting up and running an antivirus scan on your computer is one of the best starting defenses for keeping your system free of malicious software and firmware. In these days of widespread malware — email viruses and dubious websites that can infect your computer — a strong defense begins with selecting an antivirus solution for your computer and understanding how to get the most out of it.

What 2 characteristics differentiate a rainbow table attack from a brute force attack?

1. Rainbow tables must include precomputed hashes. 2. Rainbow table attacks bypass maximum failed login restrictions. The notion that hackers sit at a computer using the same login screens we all use to try to access our accounts is the first myth we need to correct. Often times, they are using an "offline" attack, combined with automation and breached data, to break passwords on specific sites. Since the attack is offline, meaning they have acquired enough cryptographic information to attempt to break passwords, they aren't subject to the password lockout protection. It gets a bit complicated, but they can just set their computers to compare the specially encoded information against known passwords in what are called "rainbow tables," which allow them to find matches. A brute force attack is primarily used against the encryption algorithm itself (you can also use this against passwords but there you use dictionary attacks most time). A rainbow table is used to attack a hashed password in reverse. That means I have a table with possible hashes and look up a matching password.

An in-house penetration tester is using a packet capture device to listen in on network communications. This is an example of:

Exploiting the switch - Packet sniffing in a non-switched environment is a well understood technology. Once in this mode, all network traffic (irrespective of its destination) that reaches the network card can be accessed by an application (such as a packet sniffing program). Exploiting the switch is all about the "man-in-the-middle". Sniffing traffic in a switched environment is achieved by setting up a "man-in-the-middle" attack. The attacker uses a variety of techniques to force network traffic to/ from the victim to go to the attacker's machine. When this occurs, the attacker can inspect (or even modify) the victim's network traffic. There are a large number of techniques that permit sniffing in a switched environment. Common techniques include ARP spoofing, MAC flooding, MAC duplicating, ICMP redirection, DHCP spoofing and port stealing.

A technician suspects that a system has been compromised. The technician reviews the following log entry: WARNING- hash mismatch: C:\Window\SysWOW64\user32.dll WARNING- hash mismatch: C:\Window\SysWOW64\kernel32.dll Based solely ono the above information, which of the following types of malware is MOST likely installed on the system? 1. Rootkit 2. Backdoor 3. Ransomware 4. Trojan

1. Rootkit - A rootkit is a program or, more often, a collection of software tools that gives a threat actor remote access to and control over a computer or other system. While there have been legitimate uses for this type of software, such as to provide remote end-user support, most rootkits open a backdoor on victim systems to introduce malicious software, such as viruses, ransomware, keylogger programs or other types of malware, or to use the system for further network security attacks. Rootkits often attempt to prevent detection of malicious software by endpoint antivirus software. user32.dll is a module that contains Windows API functions related the Windows user interface (Window handling, basic UI functions, and so forth). user32.dll is a system process that is needed for your PC to work properly. It should not be removed. kernel32.dll is the most important Microsoft Windows Kernel. Functionality addressing most of windows functions are linked to this kernel DLL in some way. The Kernel32.dll file is a 32-bit dynamic link library file used in Windows 95,98 and Me. The Kernel32.dll file handles memory management, input/output operations and interrupts. When you start Windows, Kernel32.dll is loaded into a protected memory space so that other programs do not take it over. kernel32.dll is a system process that is needed for your PC to work properly. It should not be removed.

An attack that is using interference as its main attack to impede network traffic is which of the following? 1. Using a similar wireless configuration of a nearby network 2. Introducing too much data to a targets memory allocation 3. Inundating a target system with SYN requests 4. Utilizing a previously unknown security flaw against the target

1. Using a similar wireless configuration of a nearby network - Wireless interference means disruption of one's network. This is a very big challenge especially owing to the fact that wireless signals will always be disrupted. Such interference can be created by a Bluetooth headset, a microwave oven, a cordless phone or using a similar wireless configuration of a nearby network. This makes transmission and receiving of wireless signals very difficult. Wireless interference can also be caused by causing service degradation to make sure that one denies complete access to a particular service. Jamming can also be used in conjunction with an evil twin.

A security analyst is hardening a web server, which should allow a secure certificate-based session using the organization's PKI infrastructure. The web server should also utilize the latest security techniques and standards. Given this set of requirements, which of the following techniques should the analyst implement to BEST meet these requirements? (Select two.) 1. Install a certificate signed by a public CA. 2. Enable and configure TLS on the server. 3. Implement a CRL using an authorized CA. 4. Install an X- 509-compliant certificate. 5. Configure the web server to use a host header.

2. Enable and configure TLS on the server. 4. Install an X- 509-compliant certificate. An X.509 certificate is a digital certificate that uses the widely accepted international X.509 public key infrastructure (PKI) standard to verify that a public key belongs to the user, computer or service identity contained within the certificate. Many of the certificates that people refer to as Secure Sockets Layer (SSL) certificates are in fact X.509 TLS certificates. In cryptography, X.509 is a standard that defines the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS.

An auditor is reviewing the following output from a password-cracking tool: User:1: Password1 User2: Recovery! User3: Alaskan10 User4: 4Private User5: PerForMance2 What methods did the author MOST likely use? 1. Rainbow Table 2. Hybrid 3. Brute Force 4 Dictionary

2. Hybrid - A hybrid attack is a blend of both a dictionary attack method as well as brute force attack. This means that while a dictionary attack method would include a wordlist of passwords, the brute-force attack would be applied to each possible password in that list. Hybrid password guessing attacks assume that network administrators push users to make their passwords at least slightly different from a word that appears in a dictionary. Hybrid guessing rules vary from tool to tool, but most mix uppercase and lowercase characters, add numbers at the end of the password, spell the password backward or slightly misspell it, and include characters such as @!# in the mix. Both John the Ripper and Cain & Abel can do hybrid guessing.

Which of the following explains why vendors publish MD5 values when they provide software patches for their customers to download over the Internet? 1. The recipient can verify the authenticity of the site used to download the patch. 2. The recipient can verify integrity of the software patch. 3. The recipient can successfully activate the new software patch. 4. The recipient can request future updates to the software using the published MD5 value.

2. The recipient can verify integrity of the software patch. - The MD5 hashing algorithm is a one-way cryptographic function that accepts a message of any length as input and returns as output a fixed-length digest value to be used for authenticating the original message. In commercial usage, many software vendors publish the MD5 hash value when releasing software patches so customers can verify the software's integrity after download.

Ann. An employee in the payroll department, has contacted the help desk citing multiple issues with her device, including: Slow performance Word documents, PDFs, and images no longer opening A pop-up Ann states the issues began after she opened an invoice that a vendor emailed to her. Upon opening the invoice, she had to click several security warnings to view it in her word processor. With which of the following is the device MOST likely infected? 1. Crypt-malware 2. Spyware 3. Backdoor 4. Rootkit

3. Backdoor A backdoor is a means to access a computer system or encrypted data that bypasses the system's customary security mechanisms. A developer may create a backdoor so that an application or operating system can be accessed for troubleshooting or other purposes. However, attackers often use backdoors that they detect or install themselves as part of an exploit. In some cases, a worm or virus is designed to take advantage of a backdoor created by an earlier attack. Whether installed as an administrative tool, a means of attack or as a mechanism allowing the government to access encrypted data, a backdoor is a security risk because there are always threat actors looking for any vulnerability to exploit.

A company's user lockout policy is enabled after five unsuccessful login attempts. The help desk notices a user is repeatedly locked out over the course of a workweek. Upon contacting the user, the help desk discovers the user is on vacation and does not have network access. Which of the following types of attacks are MOST likely occurring? (Select two.) 1. Replay 2. Pass the Hash 3. Dictionary 4. Brute Force 5 Rainbow Tables

3. Dictionary 4. Brute Force A brute force attack means probing the complete keyspace on the algorithm. A dictionary attack means that you probe only passwords/keys from a dictionary (which does not contain the complete keyspace). The term "brute force" means to overpower the defense through repetition. In the case of password hacking, brute forcing involves dictionary software that recombines English dictionary words with thousands of varying combinations. Brute force dictionaries always start with simple letters "a", "aa", "aaa", and then eventually move to full words like "dog", "doggie", "doggy". These brute force dictionaries can make 50 to 1000 attempts per minute. Given several hours or days, these dictionary tools will overcome any password. The secret is to make it take days to crack your password.

A computer on a company network was infected with a zero-day exploit after an employee accidently opened an email that contained malicious content. The employee recognized the email as malicious and was attempting to delete it, but accidently opened it. What should be done to prevent this scenario from occurring again in the future? 1. Install host-based firewalls on all computers that have an email client installed 2. Set the email program default to open messages in plain text Correct Answer 3. Install end-point protection on all computers that access web email 4. Create new email spam filters to delete all messages from that sender

3. Install end-point protection on all computers that access web email - Endpoint protection is a term often used interchangeably with endpoint security. Endpoint protection is often used to describe security solutions that address endpoint security issues, securing and protecting endpoints against zero-day exploits, attacks, and inadvertent data leakage resulting from human error. Targeted attacks and advanced persistent threats cannot be prevented through anti-virus solutions alone, making endpoint protection a necessary component of full-spectrum security solutions capable of securing data for the worlds' leading enterprises. Endpoint protection solutions provide centrally managed security solutions that protect endpoints such as servers, workstations, and mobile devices used to connect to enterprise networks.

Which of the following AES modes of operation provide authentication? (Select two.) 1. DSA 2. CFB 3. CBC 4. GCM 5. CCM

4. GCM 5. CCM Any given block cipher can be used in different modes of operation. AES uses CCM (Counter with CBC-MAC) Message authentication (via CBC-MAC) is done on the plaintext not the ciphertext. (This is generally not a desirable feature). On the encrypt operation, the encryption and MAC could happen in parallel, but generally do not (typically because there is just one AES engine in a chip, just one AES thread at a time, etc.). Similar statement is true for decrypt. In addition, AES supports GCM (Galois Counter Mode) Message authentication (via GMAC/GHASH) is done on the ciphertext. (This is desirable most of the time). Note that in most implementations, the authentication check and decryption happen in parallel for performance reasons. GCM should be considered superior to CCM for most applications that require authenticated encryption. Because of the authentication that happens, GCM is not susceptible to the bit flipping and other attacks that can be mounted against counter mode or other stream modes. There are some nuances that should be noted before using GCM that involve maximum size of the encrypted message and the MAC size.

Which of the following cryptography algorithms will produce a fixed-length, irreversible output? 1. RSA 2. 3DES 3. AES 4. MD5

4. MD5 - A cryptographic hash function is a special class of hash function that has certain properties which make it suitable for use in cryptography. It is a mathematical algorithm that maps data of arbitrary size to a bit string of a fixed size (a hash) and is designed to be a one-way function, that is, a function which is infeasible to invert.

A security auditor is putting together a report for the Chief Executive Officer (CEO) on personnel security and its impact on the security posture of the whole organization. Which of the following would be the MOST important factor to consider when it comes to personnel security? 1. Phishing through social media 2. Hacktivist 3. Privilege escalation 4. Corporate espionage 5. Insider threats

5. Insider threats - An Insider Threat is the potential for an individual who has or had authorized access to an organization's assets to use their access, maliciously or unintentionally, to act in a way that could negatively affect the organization. An insider threat is most simply defined as a security threat that originates from within the organization being attacked or targeted, often an employee or officer of an organization or enterprise. An insider threat does not have to be a present employee or stakeholder, but can also be a former employee, board member, or anyone who at one time had access to proprietary or confidential information from within an organization or entity.

A product manager is concerned abo managut continuing operations at a facility located in a region undergoing significant political unrest. After consulting with senior management, a decision is made to suspend operations at the facility until the situation stabilizes. What risk mgmt strategyBEST describes management's response?

Avoidance - Risk avoidance is the elimination of hazards, activities and exposures that can negatively affect an organization's assets. Whereas risk management aims to control the damages and financial consequences of threatening events, risk avoidance seeks to avoid compromising events entirely. While the complete elimination of all risk is rarely possible, a risk avoidance strategy is designed to deflect as many threats as possible in order to avoid the costly and disruptive consequences of a damaging event. A risk avoidance methodology attempts to minimize vulnerabilities, which can pose a threat. Risk avoidance and mitigation can be achieved through policy and procedure, training and education and technology implementations.

___ return data concerning potential security risks that allow IT personnel to view the network the way a potential hacker might, clearly seeing the potential avenues for denial of service attacks or gaining information through packet sniffing

Vulnerability scanners - Vulnerability scanners often prioritize the weaknesses they discover, assigning different values to represent the potential damage a hacker could cause within a network by exploiting a specific weakness. This allows network administrators to prioritize repair work by indicating which nodes present the greatest security risks.

Ann. An employee in the payroll department, has contacted the help desk citing multiple issues with her device, including: Slow performance Word documents, PDFs, and images no longer opening A pop-up Ann states the issues began after she opened an invoice that a vendor emailed to her. Upon opening the invoice, she had to click several security warnings to view it in her word processor. Wat is the device MOST likely infected?

Backdoor - A backdoor is a means to access a computer system or encrypted data that bypasses the system's customary security mechanisms. A developer may create a backdoor so that an application or operating system can be accessed for troubleshooting or other purposes. However, attackers often use backdoors that they detect or install themselves as part of an exploit. In some cases, a worm or virus is designed to take advantage of a backdoor created by an earlier attack. Whether installed as an administrative tool, a means of attack or as a mechanism allowing the government to access encrypted data, a backdoor is a security risk because there are always threat actors looking for any vulnerability to exploit.

A senior incident response manager receives a call about some external IPs communicating with internal computers during off hours. What types of malware is MOST likely causing this issue?

Botnet - A botnet is a collection of internet-connected devices, which may include PCs, servers, mobile devices and internet of things devices that are infected and controlled by a common type of malware. Users are often unaware of a botnet infecting their system. Infected devices are controlled remotely by threat actors, often cybercriminals, and are used for specific functions, so the malicious operations stay hidden to the user. Botnets are commonly used to send email spam, engage in click fraud campaigns and generate malicious traffic for distributed denial-of-service attacks.

An analyst is reviewing a simple program for potential security vulnerabilities before being deployed to a Windows server. Given the following code: void foo (char *bar) { char random_user_input [12]; strcpy (random_user_input,bar); } what vulnerability is present?

Buffer overflow - This is an example of a buffer overflow (stack overflow). The canonical method for exploiting a stack based buffer overflow is to overwrite the function return address with a pointer to attacker-controlled data (usually on the stack itself). This is illustrated with strcpy (random_user_input, bar) in the example. This code takes an argument from the command line and copies it to a local stack variable c. This works fine for command line arguments smaller than 12 characters. Any arguments larger than 11 characters long will result in corruption of the stack. (The maximum number of characters that is safe is one less than the size of the buffer here because in the C programming language strings are terminated by a zero-byte character. A twelve-character input thus requires thirteen bytes to store, the input followed by the sentinel zero byte. The zero byte then ends up overwriting a memory location that's one byte beyond the end of the buffer.) strcpy is potentially unsafe because it can lead to buffer overflow if you try to copy a string to a buffer that is not large enough to contain it. strcpy_s is "safer" because you have to explicitly specify the size of the target buffer, so the function will not overflow. Because strcpy does not check for sufficient space in strDestination before it copies strSource, it is a potential cause of buffer overruns. Therefore, we recommend that you use strcpy_s instead.

Two users need to send each other emails over unsecured channels. The system should support the principle of non-repudiation. What should be used to sign the user's certificates?

CA - cryptographic system that uses two keys, a public key known to everyone and a private key, the private key has full control to the key owner, and has to keep in secured environment. A unique element to the public key system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them. Moreover, it is virtually impossible to deduce the private key if you know the public key. Certificate Authority issued certificates to ensure the authenticity of the digital signatures. Certificates are similar to ID Document. When you want to identify a user in the system you check his certificate. This certificate issued in registration process once all require information filled in. In PKI world the CA uses the CA's certificate for authenticating user's identity.

An attacker compromises a public CA and issues unauthorized X.509 certificates for Company.com. In the future, Company.com wants to mitigate the impact of similar incidents. What would assist Company.com with its goal?

Certificate pinning - HTTP Public Key Pinning (HPKP) is an Internet security mechanism delivered via an HTTP header which allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates. Contrary to a common belief, the technique does not pin certificates, but public keys. All server certificates contain the server's public key which can be used by the client to encrypt handshake messages being sent back to the server. The server has the corresponding private key and this is never disclosed to anyone, the private key can be used to decrypt a handshake message encrypted using the public key. All certificate pinning essentially relies on the following behavior: The client is pre-configured to know what server certificate it should expect. If the server certificate does not match the pre-configured server certificate then the client will prevent the session from taking place. The different types of certificate pinning vary in what is preconfigured on the client and how it is matched with the server certificate received during the SSL/TLS handshake.

A company researched the root cause of a recent vulnerability in its software. It was determined that the vulnerability was the result of two updates made in the last release. Each update alone would not have resulted in the vulnerability. In order to prevent similar situations in the future, the company should improve what?

Change management procedures - The Change Management process is designed to help control the life cycle of strategic, tactical, and operational changes to IT services through standardized procedures. The goal of Change Management is to control risk and minimize disruption to associated IT services and business operations. Change Management establishes standard procedures for managing change requests in an agile and efficient manner in an effort to minimize the risk and impact a change can have on business operations. According to ITIL, a Change is "the addition, modification or removal of any authorized, planned, or supported service or service component that could have an effect on IT services." Most often, a change is an event that has been approved by the change authority, is evaluated and implemented while minimizing risk, adjusts the status of a configuration item (CI), and adds value to the business and its customers.

What threat actors is MOST likely to steal a company's proprietary information to gain a market edge and reduce time to market?

Competitor - Proprietary information, also known as a trade secret, is information a company wishes to keep confidential. Proprietary information can include secret formulas, processes, and methods used in production. It can also include a company's business and marketing plans, salary structure, customer lists, contracts, and details of its computer systems. In some cases, the special knowledge and skills that an employee has learned on the job are considered to be a company's proprietary information. Companies may also develop security systems to protect their proprietary information from being stolen by foreign or domestic competitors. Business and industrial espionage is an ongoing activity that clandestinely seeks to obtain trade secrets by illegal methods. A corporate system for protecting proprietary information would include a comprehensive plan ranging from restricting employee access, to data protection, to securing phone lines and meeting rooms. In some cases, a chief information officer (CIO) would be responsible for implementing such a plan.

A vulnerability scanner that uses its running service's access level to better assess vulnerabilities across multiple assets within an organization is performing a ___

Credentialed scan - Credentialed scans are scans in which the scanning computer has an account on the computer being scanned that allows the scanner to do a more thorough check looking for problems that cannot be seen from the network.

A company's user lockout policy is enabled after five unsuccessful login attempts. The help desk notices a user is repeatedly locked out over the course of a workweek. Upon contacting the user, the help desk discovers the user is on vacation and does not have network access. What two types of attacks are MOST likely occurring?

Dictionary, Brute Force A brute force attack means probing the complete keyspace on the algorithm. A dictionary attack means that you probe only passwords/keys from a dictionary (which does not contain the complete keyspace). The term "brute force" means to overpower the defense through repetition. In the case of password hacking, brute forcing involves dictionary software that recombines English dictionary words with thousands of varying combinations. Brute force dictionaries always start with simple letters "a", "aa", "aaa", and then eventually move to full words like "dog", "doggie", "doggy". These brute force dictionaries can make 50 to 1000 attempts per minute. Given several hours or days, these dictionary tools will overcome any password. The secret is to make it take days to crack your password.

A company hires a consulting firm to crawl its Active Directory network with a non-domain account looking for unpatched systems. Actively taking control of systems is out of scope, as is the creation of new administrator accounts. For what will the company hire a consulting firm?

Vulnerability scanning - Vulnerability scanning is an inspection of the potential points of exploit on a computer or network to identify security holes. A vulnerability scan detects and classifies system weaknesses in computers, networks and communications equipment and predicts the effectiveness of countermeasures.

A malicious attacker has intercepted HTTP traffic and inserted an ASCII line that sets the referrer URL. What is the attacker most likely utilizing?

Header manipulation - Header manipulation is the insertion of malicious data, which has not been validated, into a HTTP response header. In HTTP networking, typically on the World Wide Web, referrer spoofing sends incorrect referrer information in an HTTP request in order to prevent a website from obtaining accurate data on the identity of the web page previously visited by the user. The HTTP_REFERER is data passed by the client. Any data passed by the client can be spoofed and/or forged. This includes HTTP_USER_AGENT. If you wrote the web browser, you are setting and sending the HTTP Referrer and User-Agent headers on the GET, POST, etc. Some websites check the Referrer field to make sure that the request came from a page that was created by that site. An attacker can bypass this by modifying the Referrer field to hide that the page came from another site

What best describes routine in which semicolons, dashes, quotes, and commas are removed from a string?

Input validation to protect against SQL injection. Explanation: SQL injection is one of the most common web attack mechanisms utilized by attackers to steal sensitive data from organizations. While SQL Injection can affect any data driven application that uses a SQL database, it is most often used to attack web sites. SQL Injection is a code injection technique that hackers can use to insert malicious SQL statements into input fields for execution by the underlying SQL database. This technique is made possible because of improper coding of vulnerable web applications. These flaws arise because entry fields made available for user input unexpectedly allow SQL statements to go through and query the database directly. The good news is that there actually is a lot that website owners can do to prevent SQL injection. Although there is no such thing as a 100 percent guarantee in network security, formidable obstacles can be placed in the path of SQL injection attempts. Employ comprehensive input validation. Websites must filter all user input. Ideally, user data should be filtered for context. For example, email addresses should be filtered to allow only the characters allowed in an e-mail address, phone numbers should be filtered to allow only the characters allowed in a phone number, and so on.

A security analyst receives an alert from a WAF with the following payload: var data= "<test test test>" ++ <../../../../../../etc/passwd>" What types of attacks is this?

JavaScript data insertion - HTML injection is a type of attack focused upon the way HTML content is generated and interpreted by browsers at client side. Otherwise, JavaScript is a widely used technology in dynamic web sites, so the use of techniques based on this, like injection, complements the nomenclature of 'code injection'. When developing web applications, it's very recommendable to follow the next considerations to prevent possible code injection. Do not rely on client-side JavaScript validation whenever possible; as shown, this is easily deceived using "in-line" injection. For example, suppose you have a shopping portal where you rely the price of each item at the client side. Don't store sensible data into cookies, because they can be easily modified by an attacker, as seen in the question. If you need to store data in cookies, store them with a hash signature generated with a server side key.

The Chief Technology Officer (CTO) of a company, Ann, is putting together a hardware budget for the next 10 years. She is asking for the average lifespan of each hardware device so that she is able to calculate when she will have to replace each device. What categorie BEST describes what she is looking for?

MTTF - Mean time to failure (MTTF) is the length of time a device or other product is expected to last in operation. MTTF is one of many ways to evaluate the reliability of pieces of hardware or other technology.

A security engineer is configuring a system that requires the X.509 certificate information to be pasted into a form field in Base64 encoded format to import it into the system. What certificate formats should the engineer use to obtain the information in the required format?

PEM - PEM (privacy enhanced mail)is a de facto file format for storing and sending cryptography keys, certificates, and other data, based on a set of 1993 IETF standards defining "privacy-enhanced mail." While the original standards were never broadly adopted, and were supplanted by PGP and S/MIME, the textual encoding they defined became very popular. The PEM format was eventually formalized by the IETF in RFC 7468. Many cryptography standards use ASN.1 to define their data structures, and Distinguished Encoding Rules (DER) to serialize those structures. Because DER produces binary output, it can be challenging to transmit the resulting files through systems, like electronic mail, that only support ASCII. The PEM format solves this problem by encoding the binary data using base64.

___ identify the active operating systems, applications and ports throughout a network, monitoring activity to determine the network's vulnerabilities.

Passive scanners - However, while passive scanners can provide information about weaknesses, they can't take action to resolve security problems. These scanners can check the current software and patch versions on networked devices, indicating which devices are using software that presents a potential gateway for hackers or Trojan attacks, and reference this information against public databases containing lists of current patches. A network administrator can set passive scanners to run continuously or to operate at specified intervals.

An administrator discovers the following log entry on a server: Nov 12 2013 00:23:45 httpd[2342]: GET /app2/prod/proc/process.php?input=change;cd%20../../../etc;cat%20shadow What attacks is being attempted?

Password attack - One of the first post exploitation activities when we have compromised a target is to obtain the passwords hashes in order to crack them offline. If we managed to crack the hashes then we might be able to escalate our privileges and to gain administrative access especially if we have cracked the administrator's hash. After gaining access to a root account, the next order of business is using that power to do something more significant. If the user passwords on the system can be obtained and cracked, an attacker can use them to pivot to other machines if the login is the same across systems. There are two tried-and-true password-cracking tools that can accomplish this: John the Ripper and Hashcat. A couple files of particular interest on Linux systems are the /etc/passwd and /etc/shadow files. The /etc/passwd file contains basic information about each user account on the system, including the root user, which has full administrative rights, system service accounts, and actual users. There are seven fields in each line of /etc/passwd. The /etc/shadow file contains the encrypted passwords of users on the system. While the /etc/passwd file is typically world-readable, the /etc/shadow is only readable by the root account. The shadow file also contains other information such as password expiration dates. As we know in UNIX systems, the password hashes are stored in the /etc/shadow location so we will run the command cat /etc/shadow in order to see them.

A security program manager wants to actively test the security posture of a system. The system is not yet in production and has no uptime requirement or active user base. What method will produce a report which shows vulnerabilities that were actually exploited?

Penetration testing - Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. A vulnerability scan is limited in that it does not attempt to exploit vulnerabilities to determine if network access can be gained. In addition, vulnerability scanning does not always readily identify or exploit poor security practices or detect "false positives" that are not exploitable in practice. On the other hand, penetration testing simulates what an attacker is able to do by exploiting flaws and configuration problems, as well as weak security practices or controls. Penetration testing is by nature more accurate than vulnerability scanning since it actually confirms that a suspected weakness is exploitable. For example, a penetration tester may look for poor security practices like the use of shared passwords, weak passwords, or the reuse of passwords that would not be found by an automated scan and then try to exploit any identified weaknesses.

Which types of attacks precedes the installation of a rootkit on a server?

Privilege escalation - Rootkits almost without exception run with superuser privileges, the full set of system privileges intended only for system administrators and system programmers so that they can readily perform virtually any task at will. In UNIX and Linux, this translates to root-level privileges; in Windows, this means Administrator- and SYSTEM-level privileges. Without superuser privileges, rootkits would not be very effective in accomplishing the malicious functions they support. It is important to realize, however, that attackers need to gain superuser-level access before installing and running rootkits. Rootkits are not exploit tools that raise the privilege level of those who install them. Attackers must thus first exploit one or more vulnerabilities independently of the functionality of any rootkit to gain superuser privileges on victim systems if they are going be able to install and run a rootkit on these systems. Additionally, the majority of rootkits are "persistent," whereas others are not. Persistent rootkits stay installed regardless of how many times the systems on which they are installed are booted. Non-persistent rootkits (also called "memory-resident" rootkits) reside only in memory; no file in the compromised system contains their code. They thus remain on a victim system only until the next time the system boots, at which time they are deleted.

What cryptographic attack would salting of passwords render ineffective?

Rainbow tables - A hash table is a large list of pre-computed hashes for commonly used passwords. For a password file without salts, an attacker can go through each entry and look up the hashed password in the hash table or rainbow table. Adding a cryptographic Salt to your password hashing function will help defend against the use of Rainbow Tables used to crack passwords in your application.

What cryptographic attacks would salting of passwords render ineffective?

Rainbow tables - A hash table is a large list of pre-computed hashes for commonly used passwords. For a password file without salts, an attacker can go through each entry and look up the hashed password in the hash table or rainbow table. Adding a cryptographic Salt to your password hashing function will help defend against the use of Rainbow Tables used to crack passwords in your application.

___ describes an important security advantage yielded by implementing vendor diversity?

Resiliency If you haven't thoroughly analyzed your vendor resiliency and potential supply chain interruptions, there may be a gaping hole in your business continuity plan no matter how thorough your internal team has been according to the PwC whitepaper, "Business continuity beyond company walls: When a crisis hits, will your vendors' resiliency match your own?" As the business world becomes more intertwined and dependent, it is essential for you to assess the resiliency of your vendors with these five steps in order to be sure you can count on your vendors when a crisis strikes. The reliance on third party vendors providing or supporting your business is continuing to grow. These external providers may help with improving efficiency, accelerating growth, and enabling operational transformation but are they just providing a service or are they reliable partners? Many regulations and contracts document the need for vendor resilience— the need for you to ensure the vendors provide for continuation of the business function in the event of problems affecting their operations, including degradations or interruptions resulting from natural disasters, human error, or intentional attacks. They may also stipulate their responsibility for backing up and otherwise protecting programs, data, and equipment, and for maintaining current and sound business resumption and contingency plans. You know what? When an incident happens your customers don't care if the problem was caused by you or your vendor! You are in a relationship with your vendor to provide a service. Treat your vendor like one of your own. This means to perform all the same evaluation processes you would use when reviewing your own recovery plans. Following the Business Continuity Management best practices.

Phishing emails frequently take advantage of high-profile catastrophes reported in the news. What principles BEST describes the weakness being exploited?

Social proof - Social proof is the influence that the actions and attitudes of the people around us (either in real life or online) have on our own behavior. The "proof" element is the idea that if other people are doing it (or saying it), it must be correct. The degree to which social proof affects us can be a result of the numbers of people seeming to promote something or the particular individuals involved. The actions and opinions of social influencers carry more weight with their colleagues, social network and the general public than is the case with most other individuals. Social media influence is most often associated with online marketing but can also refer to the way social networks and influencers affect the behavior of users in other areas, such as politics. Social proof can influence people to take actions and make decisions differently than they would if they had relied solely upon their own judgment. The undue influence of others can result in conformity and errors. Social proof is mob behavior and the lack of individual opinion sometimes referred to as herd mentality.

An employee receives an email, which appears to be from the Chief Executive Officer (CEO), asking for a report of security credentials for all users. What types of attack is MOST likely occurring?

Spear phishing - Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user's computer.

What vulnerability types would the type of hacker known as a script kiddie be MOST dangerous against?

Unpatched exploitable Internet-facing services - A script kiddie is a derogatory term used to refer to non-serious hackers who are believed to reject the ethical principals' held by professional hackers, which include the pursuit of knowledge, respect for skills, and a motive of self-education. Script kiddies shortcut most hacking methods in order to quickly gain their hacking skills. They don't put much thought or time into gaining computer knowledge, but educate themselves in a fast manner in order to learn only the bare minimum. Script kiddies may use hacking programs written by other hackers because they often lack the skills to write their own. Script kiddies attempt to attack unpatched exploitable Internet facing computer systems and networks, and vandalize websites. Although they are considered to be inexperienced and immature, script kiddies can inflict as much computer damage as professional hackers and can be subject to similar criminal charges as their older and more savvy counterparts.

In terms of encrypting data, what BEST describes a way to safeguard password data by adding random data to it in storage?

Using salt - In cryptography, a salt is random data that is used as an additional input to a one-way function that "hashes" data, a password or passphrase. Salts are closely related to the concept of nonce. The primary function of salts is to defend against dictionary attacks or against its hashed equivalent, a pre-computed rainbow table attack. Salts are used to safeguard passwords in storage. Historically a password was stored in plaintext on a system, but over time additional safeguards developed to protect a user's password against being read from the system. A salt is one of those methods. A new salt is randomly generated for each password. In a typical setting, the salt and the password (or its version after Key stretching) are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database. Hashing allows for later authentication without keeping and therefore risking the plaintext password in the event that the authentication data store is compromised. Since salts do not have to be memorized by humans they can make the size of the rainbow table required for a successful attack prohibitively large without placing a burden on the users. Since salts are different in each case, they also protect commonly used passwords, or those who use the same password on several sites, by making all salted hash instances for the same password different from each other.

A security administrator is tasked with conducting an assessment made to establish the baseline security posture of the corporate IT infrastructure. The assessment must report actual flaws and weaknesses in the infrastructure. Due to the expense of hiring outside consultants, the testing must be performed using in-house or cheaply available resource. There cannot be a possibility of any requirement being damaged in the test. What has the administrator been tasked to perform?

Vulnerability assessment - A vulnerability assessment is the process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, applications and network infrastructures and providing the organization doing the assessment with the necessary knowledge, awareness and risk background to understand the threats to its environment and react appropriately.

A security guard has informed the Chief Information Security Officer that a person with a tablet has been walking around the building. The guard also noticed strange white markings in different areas of the Parking lot. The person is attempting what types of attacks?

War chalking - War chalking refers to drawing symbols in public spaces to denote an open Wi-Fi wireless network in a public space. War chalking provides information about the type of wireless connection being used, which may be open node, closed node or wired equivalent privacy (WEP) node. This may attract hackers and make them aware of the Wi-Fi hot spot and its security. Hackers may use this information to attack the Wi-Fi network.

An attacker discovers a new vulnerability in an enterprise application. The attacker takes advantage of the vulnerability by developing new malware. After installing the malware, the attacker is provided with access to the infected machine. What is being described?

Zero-day exploit - zero-day vulnerability, at its core, is a flaw. It is an unknown exploit in the wild that exposes vulnerability in software or hardware and can create complicated problems well before anyone realizes something is wrong. In fact, a zero-day exploit leaves no opportunity for detection at first. A zero-day attack happens once that flaw, or software/hardware vulnerability, is exploited and attackers release malware before a developer has an opportunity to create a patch to fix the vulnerability—hence "zero-day."

Malware that changes its binary pattern on specific dates at specific times to avoid detection is known as a (n):

polymorphic virus - Polymorphic viruses are complex file infectors that can create modified versions of its self to avoid detection yet retain the same basic routines after every infection. To vary their physical file makeup during each infection, polymorphic viruses encrypt their codes and use different encryption keys every time. Polymorphic viruses rely on mutation engines to alter their decryption routines every time they infect a machine. This way, traditional security solutions may not easily catch them because they do not use a static, unchanging code. The use of complex mutation engines that generate billions of decryption routines make them even more difficult to detect.