Security + review questions #2
Which of the following answers lists a /27 subnet mask? 255.255.255.0 255.255.255.128 255.255.255.128 255.255.255.128
255.255.255.128
Which of these best describes 3DES? Used in WPA2 Three times more complex than DES Has been replaced due to a cryptographic vulnerability A FIPS-compliant standard
A FIPS-compliant standard
Security personnel confiscated a user's workstation after a security incident. Administrators removed the hard drive for forensic analysis, but left it unattended for several hours before capturing an image. What could prevent the company from taking the employee to court over this incident? A hard drive analysis was not complete. An order of volatility was not maintained. Witnesses were not identified. A chain of custody was not maintained.
A chain of custody was not maintained. A chain of custody was not maintained because the hard drive was left unattended for several hours before capturing an image. Witnesses were not mentioned, but are not needed if the chain of custody was maintained. The order of volatility does not apply here because the hard drive is not volatile. Analysis would occur after capturing an image, but there isn't any indication it wasn't done or wasn't complete. See "Exploring Operational Security"
In which of these cases would you be most likely to use key escrow? A database needs to be archived Long-term storage of public data Information needs to be encrypted in transit A third party needs access to encrypted information Instant recovery of encrypted data
A third party needs access to encrypted information
Which answer properly describes the purpose of the CA role in Public Key Infrastructure? A) To issue a public certificate for a private key B) To sign key escrow lists to CRLs C) To issue and sign all root certs D) To verify keys for authenticity
A) To issue a public certificate for a private key A system administrator will create a private key and use this key to create a Certificate Signing Request (CSR). The CSR will be sent to a Certificate Authority (CA) which will issue a public certificate for the administrator to use.
A security expert is attempting to identify the number of failures a web server has in a year. Which of the following is the expert MOST likely identifying? SLE MTTR ALE MTTF
ALE Annualized loss expectancy (ALE) is part of a quantitative risk assessment and is the most likely answer of those given. It is calculated by multiplying the single loss expectancy times the annualized rate of occurrence (ARO). Mean time to recover (MTTR) and mean time to failure (MTTF) do not identify the number of failures in a year.
Lisa recently completed an external security audit for an organization. She discovered that Otto left the organization to become a school bus driver, but his account was not disabled. Which of the following did the organization fail to implement? Routine account audits User rights and permissions review Account management processes Change management procedures
Account management processes Account management processes include disabling and/or deleting accounts that are no longer needed. If this process was followed, Otto's account would be either disabled or deleted. Routine account audits would discover the original problem (not disabling or deleting the account). However, the question isn't specific about when the user left. For example, if the user left last week, a monthly audit scheduled for next week would discover the problem. Because of this, routine account audits aren't the best answer based on how this question is worded.
Which of the following components pose a risk of unintended downloading and execution of malware on a PC? (Select 2 answers) Tracking cookies Browser plugins ActiveX controls Polymorphic malware Keylogger
ActiveX controls Browser plugins
Which of these would best describe a client-side attack? A server configuration file is modified An application API vulnerability is exploited A DDoS overwhelms a service The administrator credentials are brute forced Unsolicited email messages are received
An application API vulnerability is exploited
Which part of the AAA framework incorporates the time-of-day restrictions requirement? Authentication Non-repudiation Accounting Authorization
Authorization
An attacker attempted to compromise a web form by inserting the following input into the username field: admin)(|(password=*)) Which of the following types of attacks was attempted? A) Command injection B) SQL injection C) LDAP injection D) XSS
C) LDAP injection
Which of the following standard protocols utilizes the 802.11i standard? A) WEP B) WEP2 C) WPA2 D) PNAC
C) WPA2
Personnel within your organization turned off the HR data server for over six hours to perform a test. Which of the following is the MOST likely purpose of this? Succession planning BIA Tabletop exercises COOP
COOP The most likely reason for personnel to turn off a server for testing is to test elements of continuity of operations planning (COOP). This helps determine if the organization can continue to operate despite the outage. A business impact analysis (BIA) is performed before creating business continuity plans, not to test them. Succession planning identifies a chain of command during a disaster. Tabletop exercises are discussion-based exercises and do not include manipulating any systems.
A forensic expert is preparing to analyze a hard drive. Which of the following should the expert do FIRST? Create a chain-of-custody document. Capture an image. Identify the order of volatility. Take a screenshot.
Capture an image. Before analyzing a hard drive, a forensic expert should capture an image of the hard drive and then analyze the image. This protects it from accidental modifications and preserves it as usable evidence. The order of volatility identifies what data is most volatile (such as cache) and what is least volatile (such as hard drives).
A technician confiscated an employee's computer after management learned the employee had unauthorized material on his system. Later, a security expert captured a forensic image of the system disk. However, the security expert reported the computer was left unattended for several hours before he captured the image. Which of the following is a potential issue if this incident goes to court? Time offset Order of volatility Chain of custody Lack of metrics
Chain of custody Chain of custody is the primary issue here because the computer was left unattended for several hours. It's difficult to prove that the data collected is the same data that was on the employee's computer when it was confiscated. Data captured from a disk is not volatile, so volatility is not an issue in this scenario. The time offset refers to logged times and is not related to this question. Metrics are measurement tools, such as those used to measure the success of a security awareness program.
What type of virtualization allows a computer's operating system kernel to run multiple isolated instances of a guest virtual machine? Hypervisor virtualization Container virtualization Full virtualization Jailbreaking virtualization
Container virtualization Container-based virtualization (also called operating system virtualization) uses the same kernel of the host computer. It is often used to run isolated applications or services within a virtual environment. Virtual machines (VMs) using hypervisor virtualization or full virtualization have their own kernels. They do not use the computer's operating system kernel. While jails are used as a specific type of container virtualization, jailbreaking is completely different. Jailbreaking refers to the process of removing software restrictions from mobile devices and is primarily associated with Apple iOS systems.
Which of the following is an example of multifactor authentication? A) Username and Password B) Credit card and PIN C) Fingerprint and Retina scan D) Password and PIN
D) Credit card and PIN The three types of authentication are something you KNOW, something you HAVE, and something you ARE. Multifactor authentication uses two or more of these factors. A credit card is something you HAVE, while a PIN is something you KNOW.
An access control method based on the identity of subjects and/or groups to which they belong is called: HMAC DAC MAC RBAC
DAC
Your organization is working on its business continuity plan. Management wants to ensure that documents provide detailed information on what technicians should do after an outage. Specifically, they want to list the systems to restore and the order in which to restore them. What document includes this information? HVAC DRP BIA Succession plan
DRP The disaster recovery plan (DRP) typically includes a hierarchical list of critical systems that identifies what to restore and in what order. Heating, ventilation, and air conditioning (HVAC) is not a document. The business impact analysis (BIA) identifies critical systems and components but does not include recovery methods or procedures. Succession planning refers to people, not systems, and it clarifies who can make decisions during a disaster.
An organization requested bids for a contract and asked companies to submit their bids via email. After winning the bid, Acme realized it couldn't meet the requirements of the contract. Acme instead stated that it never submitted the bid. Which of the following would provide proof to the organization that Acme did submit the bid? Integrity Digital signature Encryption Repudiation
Digital signature If Acme submitted the bid via email using a digital signature, it would provide proof that the bid was submitted by Acme. Digital signatures provide authentication (verification of who sent a message), non-repudiation (preventing the sender from denying it), and integrity (verifying the message wasn't modified). Integrity alone only verifies the message wasn't modified. Repudiation isn't a valid security concept. Encryption protects the confidentiality of data, but it doesn't verify who sent it or provide non-repudiation. See "Understanding Cryptography"
Maggie recently learned about a vulnerability related to the underlying TLS library on the company's e-commerce web server. When exploited, it allows an attacker to access the memory on the web server. She patched the vulnerability. What else should she do? (Select TWO.) Update the CRL Add a WAF. Force users to change their password during the next logon. Install a new private key on the server. Change the order of the cipher library.
Force users to change their password during the next logon. Install a new private key on the server. You should force (or encourage) users to change their passwords and replace the private key on the server. You replace the private key by replacing the certificate (installing a new certificate and removing the old certificate). This scenario indicates attackers may have exploited the vulnerability in the server. If successful, they may have gained access to confidential data, such as the private key in the server's certificate and/or user passwords. A certificate authority (CA) updates the certificate revocation list (CRL). A Web Application Firewall (WAF) protects a web server from attacks, but it won't protect against previous exploits. Changing the order of use for the cipher library will affect future use, but it won't protect against past attacks.
Your organization is preparing to deploy a web-based application, which will accept user input. Which of the following will test the reliability of this application to maintain availability and data integrity? Input validation Error handling Secure coding Fuzzing
Fuzzing Fuzzing can test the application's ability to maintain availability and data integrity for some scenarios. Fuzzing sends random data to an application to verify the random data doesn't crash the application or expose the system to a data breach. Secure coding practices such as input validation and error- and exception-handling techniques protect applications, but do not test them.
Which of these would restrict mobile device camera use in the office but allow it outside of the building? TLS MDM policies MD5 Hashes Geofencing Key escrow
Geofencing
Which of the following authentication protocols offer(s) countermeasures against replay attacks? (Select all that apply) IPsec MPLS PAP Kerberos CHAP
IPsec Kerberos CHAP
You have built a public-facing application that needs additional hardware resources at certain times of the year. Which of these cloud models would be the best fit? Hybrid cloud IaaS Private cloud PaaS SaaS
IaaS
Which of these would be most commonly associated with a protocol analyzer? Filter ingress and egress traffic by port number or application type Identify the sequence number of a traffic flow Identify a known vulnerability traversing the network Restrict access to websites based on category or individual URL Validate the input of a browser-based application
Identify the sequence number of a traffic flow
Which of these would be the best use of a protocol analyzer? Provide content filtering for URLs Reverse-engineer a virus executable Provide real-time protection against known malware Forward known-good traffic across subnets Identify the source of a DoS attack
Identify the source of a DoS attack
An organization is planning to implement an internal PKI for smart cards. Which of the following should the organization do FIRST? Identify a recovery agent. Generate key pairs. Install a CA. Generate a certificate.
Install a CA. A Public Key Infrastructure (PKI) requires a certification authority (CA), so a CA should be installed first. Smart cards require certificates, which would be issued by the CA. After installing the CA, you can generate key pairs to be used with certificates issued by the CA. A recovery agent can be identified, but it isn't required to be done as a first step for a CA. See "Understanding Cryptography"
You are tasked with configuring authentication services settings on computers in your network. You are entering shared secrets on different servers. Which of the following services are you MOST likely configuring? (Select TWO.) TACACS LDAP RADIUS Kerberos
LDAP RADIUS Remote Authentication Dial-In User Service (RADIUS) servers use shared secrets. You can configure them to interact with Lightweight Directory Access Protocol (LDAP) based systems by entering the same shared secret on both a RADIUS server and an LDAP server. A shared secret is basically just an identical password on both systems. Kerberos uses tickets for authentication, not shared secrets. Terminal Access Controller Access-Control System (TACACS) is a legacy authentication service and is rarely used today. TACACS+ is a newer protocol and it does use a pre-shared key, sometimes referred to as a shared secret. For example, you can configure TACACS+ systems to interact with LDAP systems with a shared secret. Objective: 5.1 Compare and contrast the function and purpose of authentication services.
Administrators in your organization are planning to implement a wireless network. Management has mandated that they use a RADIUS server and implement a secure wireless authentication method. Which of the following should they use? WPA2-PSK AES WPA-PSK LEAP
LEAP Enterprise mode implements 802.1x as a Remote Authentication Dial-In User Service (RADIUS) server and Lightweight Extensible Authentication Protocol (LEAP) can secure the authentication channel. LEAP is a Cisco proprietary protocol, but other EAP variations can also be used, such as Protected EAP (PEAP), EAP-Transport Layer Security (EAP-TLS), and EAP Tunneled TLS (EAP-TTLS). Wi-Fi Protected Access (WPA) and WPA2 using a pre-shared key (PSK) do not use RADIUS. Many security protocols use Advanced Encryption Standard (AES), but AES by itself does not use RADIUS. See "Securing Your Network"
What is the critical vulnerability associated with WPS? Limited number of initialization vector (IV) values Man-in-the-middle Cryptographic vulnerability Denial of Service Limited passphrase length
Limited passphrase length
Developers recently configured a new service on ServerA and network administrators modified firewall rules to access the service. The service is accessed via the default HTTPS port. Testing shows the service works when accessed from internal systems. However, it does not work when accessed from the Internet. A protocol analyzer shows that Which of the following is MOST likely configured incorrectly? Network ACLs 802.1x The service on ServerA ServerA
Network ACLs The most likely problem of the given answers is that network access control lists (ACLs) are configured incorrectly. This could be the border firewall rules being configured incorrectly (even though the scenario states that network administrators modified the firewall rules). It could also be due to incorrectly configured ACLs on routers or firewalls that aren't at the border, but are within the path from the Internet to ServerA. The service is operating when accessed from internal clients, so it isn't likely that it is the problem. 802.1x is used for authentication and port security, but the scenario doesn't indicate 802.1x is in use. The server is operating when accessed from internal clients, so it isn't likely that it is the problem.
Which of these would not commonly be used as a firewall rule tuple? IP address UDP port number Time of day Operating system TCP port number
Operating system
Your company has recently standardized servers using imaging technologies. However, a recent security audit verified that some servers were immune to known OS vulnerabilities, whereas other systems were not immune to the same vulnerabilities. Which of the following would reduce these vulnerabilities? Sandboxing Baselines Patch management Snapshots
Patch management Patch management procedures ensure operating systems (OS) are kept up to date with current patches. Patches ensure systems are immune to known vulnerabilities, but none of the other answers protects systems from these known vulnerabilities. Sandboxing isolates systems for testing. Snapshots record the state of a virtual machine at a moment in time. Baselines identify the starting point for systems. See "Securing Hosts and Data"
A continuity of operations plan for an organization includes the use of a warm site. The BCP coordinator wants to verify that the organization's backup data center is prepared to implement the warm site if necessary. Which of the following is the BEST choice to meet this need? Perform a review of the disaster recovery plan. Perform a disaster recovery exercise. Perform a test restore. Ask the managers of the backup data center.
Perform a disaster recovery exercise. The best way to test elements of a business continuity plan (BCP) or disaster recovery plan (DRP) is to test the plan by performing a disaster recovery exercise. Asking managers if they are ready and reviewing the plan are both helpful, but not as effective as an exercise. Performing a test restore verifies the backup capabilities, but not necessarily the steps required when implementing a warm site. See "Preparing for Business Continuity"
Which of the following are used to create a digital signature? Symmetric key Shared secret Public key Private key Stream cipher
Private key
Personnel in an organization are sharing their access codes to cipher locks with unauthorized personnel. As a result, unauthorized personnel are accessing restricted areas of the building. What is the BEST response to reduce this risk? Implement a technical control. Implement an AUP. Implement a management control. Provide security training to personnel.
Provide security training to personnel. The best response of those listed is to provide training to personnel on the importance of keeping access codes private. Management controls include policies and assessments, but they won't necessarily focus on sharing access codes. Technical controls won't do any good if personnel are bypassing them, which is the case in this scenario. If an acceptable use policy (AUP) isn't implemented, it would be a good idea to implement one. However, it addresses usage of systems, and not necessarily cipher access codes.
With asymmetric cryptography, which key is used to encrypt? Hybrid Public Ephemeral Session Private
Public
Your company recently began allowing workers to telecommute from home one or more days a week. However, your company doesn't currently have a remote access solution. They want to implement an AAA solution that supports different vendors. Which of the following is the BEST choice? SAML TACACS+ RADIUS Circumference
RADIUS Remote Authentication Dial-In User Service (RADIUS) is an authentication, authorization, and accounting (AAA) protocol and is the best choice. TACACS+ is proprietary to Cisco, so it won't support different vendor solutions. Diameter is preferable to RADIUS, but there is no such thing as a Circumference protocol. SAML is an SSO solution used with web-based applications. See "Mastering Security Basics"
Which of the following stores data in relational tables with individual records? SMB RAID NoSQL RDBMS IPS
RDBMS
Which of these would be the most common use of Group Policy controls? Schedule a daily antivirus signature download Require smart card for authentication Specify browser SSL encryption algorithms Block unwanted URL access
Require smart card for authentication
Which of these would be the best example of obtaining data in use? Upgrading an operating system across the network Capturing data inside of Ethernet frames Retrieving credit card numbers from memory Copying a SQL database from one drive to another Retrieving files from a stored disk image
Retrieving credit card numbers from memory
In which of the following would you be most likely to use LDAP? Router authentication Protocol analysis Asymmetric encryption Static routing Secure data removal
Router authentication
Which of these would provide a way to transfer files securely between endpoint devices? SSH SMTP HTTP FTP SCP
SCP
Which of the following is the MOST likely negative result if administrators do not implement access controls correctly on an encrypted USB hard drive? Drives can be geotagged. Security controls can be bypassed. Data can be corrupted. Data is not encrypted.
Security controls can be bypassed. If access controls are not implemented correctly, an attacker might be able to bypass them and access the data. The incorrect implementation of the access controls won't corrupt the data. Files such as pictures posted on social media can be geotagged, but this is unrelated to a hard drive. The scenario says the drive is encrypted, so the data is encrypted.
You are comparing different encryption methods. Which method includes a storage root key? TPM HSM NTFS VSAN
TPM A Trusted Platform Module (TPM) includes a storage root key. The TPM generates this key when a user activates the TPM. A hardware security module (HSM) uses RSA keys, but not a storage root key. NT File System (NTFS) supports encryption with Encrypting File System (EFS). A virtual storage area network (VSAN) is a virtualization technique, and it doesn't provide encryption.
Which of these would be the best example of a qualitative risk? An Internet outage would lose $4,000 US per minute The fine for not storing data in encrypted form is $10,000 US per incident The ERP software won't receive updates because the annual maintenance fee has not been paid Upgrading the firewalls to support new encryption types is not in the budget The help desk staff is not properly trained on the new ERP software
The help desk staff is not properly trained on the new ERP software
Which of these would be common to embedded firmware updates? Updates are automated Update schedule occurs frequently Updates may require a hardware replacement Updates can be slipstreamed
Updates may require a hardware replacement
Lisa has recently transferred from the HR department to payroll. While browsing file shares, Lisa notices she can access the HR files related to her new coworkers. Which of the following could prevent this scenario from occurring? Continuous monitoring Separation of duties User access reviews Group-based privileges
User access reviews User access reviews are a type of audit and can verify the principle of least privilege is followed. This includes ensuring users have the ability to access only the resources they need to perform their job. Group-based privileges assign privileges to groups or roles, but just using groups won't prevent this scenario. Continuous security monitoring includes monitoring all relevant security controls, but isn't the best choice for this specific scenario. Separation of duties is a principle that prevents any single person or entity from being able to complete all the functions of a critical or sensitive process and is unrelated to this scenario.
Which of these can effectively prevent session hijacking? Full-disk encryption Using strong passwords VPN connection Visiting known-good web sites Clearing the cache before and after browser sessions
VPN connection
A network administrator needs to ensure the company's network is protected against smurf attacks. What should the network administrator do? Use salting techniques. Verify border routers block directed broadcasts. Install flood guards. Ensure protocols use timestamps and sequence numbers
Verify border routers block directed broadcasts. Smurf attacks are blocked by preventing routers from passing directed broadcasts, especially border routers with direct access to the Internet. Flood guards protect against SYN (synchronize) flood attacks. Salting techniques add additional characters to passwords to thwart brute force attacks. Timestamps and sequence numbers are useful to protect against replay attacks, but not smurf attacks.
In which of these would you be most likely to use a TPM? Shielding against electromagnetic interference Verifying a digital signature Preserving evidence of a security incident Storing sensitive data in the cloud Protecting data on a wireless network
Verifying a digital signature
Which of the following would be most likely filtered by an IPS? Spam Windows virus Windows OS exploit MitM attack URL hijack
Windows OS exploit
A penetration tester has successfully exploited a vulnerability against your organization giving him access to the following data:
User, password, login-date, cookie-id
Homer, canipass, 2016-09-01 11:12, 286755fad04869ca523320acce0dc6a4
Bart, passican, 2016-09-01 11:15, 8edd7261c353c87a113269cd37635c68
Marge, icanpass, 2016-09-01 11:19, 26887fbd90ac0340e29ad62470270401
What type of attack does this represent? XSS XML injection SQL injection Session hijacking
XSS Cross-site scripting (XSS) is the best choice of the available answers. You can see that the penetration tester is looking at cookies because the header includes 'cookie-id', and successful cross-site scripting (XSS) attacks allow attackers to capture user information such as cookies. Note that it is a poor programming practice to store user passwords within a cookie. However, poor programming practices are probably the reason why the pen tester was able to exploit an XSS vulnerability. A SQL injection attack uses a SQL statement, and typically includes a phrase such as or 1 = 1. An XML injection attack would include XML markup data, with XML tags within the < and > symbols. A session hijacking attack uses a cookie to take over a session. However, it's more than just the text within a cookie. See Chapter 6 of the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide for more information on attacks, including cross-site scripting attacks.
Which of these data storage systems is most volatile? Archival media ARP cache Temporary file system Network topology Remote monitoring data
ARP cache
An organization recently updated the security policy. One change is a requirement for all internal web servers to only support HTTPS traffic. However, the organization does not have funds to pay for this. Which of the following is the BEST solution? Create one wildcard certificate for all the web servers Create self-signed certificates for the web servers Create a public CA and issue certificates from it Create certificates signed by the organization's CA
Create certificates signed by the organization's CA The best solution is to use certificates signed by the organization's certificate authority (CA). This ensures connections use Hypertext Transfer Protocol Secure (HTTPS) instead of HTTP. Even if the organization doesn't have an internal CA, it is possible to create one on an existing server without incurring any additional costs. Self-signed certificates are a possible option. However, they aren't validated by a CA, so they aren't the best option. A wildcard certificate is used for a single domain with multiple subdomains. It is not used for multiple web servers unless they all share the same domain name, and the scenario doesn't indicate the web servers share the same domain name. You would not create a public CA to support internal private servers. While it is feasible to purchase certificates from a public CA, that would cost money, and the scenario indicates money isn't available.
Which of these ports would you configure in your firewall to allow mail traffic? tcp/25 tcp/143 tcp/3389 tcp/53 tcp/22 tcp/80
tcp/143