SYO-501 Set C
After an audit, it was discovered that an account was not disabled in a timely manner after an employee has departed from the organization. Which of the following did the organization fail to properly implement? A. Routine account audits B. Account management processes C. Change management processes D. User rights and permission reviews
Answer: A
Users in the HR department were recently informed that they need to implement a user training and awareness program which is tailored to their department. Which of the following types of training would be the MOST appropriate for this department? A. Handing PII B. Risk mitigation C. Input validation D. Hashing
Answer: A
Which of the following would a security administrator implement in order to identify a problem between two applications that are not communicating properly? A. Protocol analyzer B. Baseline report C. Risk assessment D. Vulnerability scan
Answer: A Explanation: A Protocol Analyzer is a hardware device or more commonly a software program used to capture. network data communications sent between devices on a network. Capturing and analyzing the packets sent between applications on systems that are not communicating properly could help determine the cause of the issue. Well known software protocol analyzers include Message Analyzer (formerly Network Monitor) from Microsoft and Wireshark (formerly Ethereal).
Which of the following is an example of multifactor authentication? A. Credit card and PIN B. Username and password C. Password and PIN D. Fingerprint and retina scan
Answer: A Explanation: A credit card is a memory card that functions a type of two-factor authentication. The card is something you have, and its PIN is something you know. Multifactor authentication requires a user to provide two or more different types of authentication factors to prove their identity.
Which of the following is an example of a false positive? A. Anti-virus identifies a benign application as malware. B. A biometric iris scanner rejects an authorized user wearing a new contact lens. C. A user account is locked out after the user mistypes the password too many times. D. The IDS does not identify a buffer overflow.
Answer: A Explanation: A false positive is an error in some evaluation process in which a condition tested for is mistakenly found to have been detected. In spam filters, for example, a false positive is a legitimate message mistakenly marked as UBE -unsolicited bulk email, as junk email is more formally known. Messages that are determined to be spam — whether correctly or incorrectly — may be rejected by a server or client-side spam filter and returned to the sender as bounce e-mail. One problem with many spam filtering tools is that if they are configured stringently enough to be effective, there is a fairly high chance of getting false positives. The risk of accidentally blocking an important message has been enough to deter many companies from implementing any anti-spam measures at all. False positives are also common in security systems. A host intrusion prevention system (HIPS), for example, looks for anomalies, such as deviations in bandwidth, protocols and ports. When activity varies outside of an acceptable range - for example, a remote application attempting to open a normally closed port — an intrusion may be in progress. However, an anomaly, such as a sudden spike in bandwidth use, does not guarantee an actual attack, so this approach amounts to an educated guess and the chance for false positives can be high. False positives contrast with false negatives, which are results indicating mistakenly that some condition tested for is absent.
Peter, the system administrator, is reviewing his disaster recovery plans. He wishes to limit the downtime in the event of a disaster, but does not have the budget approval to implement or maintain an offsite location that ensures 99.99% availability. Which of the following would be Peter's BEST option? A. Use hardware already at an offsite location and configure it to be quickly utilized. B. Move the servers and data to another part of the company's main campus from the server room. C. Retain data back-ups on the main campus and establish redundant servers in a virtual environment. D. Move the data back-ups to the offsite location, but retain the hardware on the main campus for redundancy.
Answer: A Explanation: A warm site provides some of the capabilities of a hot site, but it requires the customer to do more work to become operational. Warm sites provide computer systems and compatible media capabilities. If a warm site is used, administrators and other staff will need to install and configure systems to resume operations. For most organizations, a warm site could be a remote office, a leased facility, or another organization with which yours has a reciprocal agreement. Warm sites may be for your exclusive use, but they don't have to be. A warm site requires more advanced planning, testing, and access to media for system recovery. Warm sites represent a compromise between a hot site, which is very expensive, and a cold site, which isn't preconfigured.
Which of the following is characterized by an attacker attempting to map out an organization's staff hierarchy in order to send targeted emails? A. Whaling B. Impersonation C. Privilege escalation D. Spear phishing
Answer: A Explanation: A whaling attack is targeted at company executives. Mapping out an organization's staff hierarchy to determine who the people at the top are is also part of a whaling attack. Whaling is a specific kind of malicious hacking within the more general category of phishing, which involves hunting for data that can be used by the hacker. In general, phishing efforts are focused on collecting personal data about users. In whaling, the targets are high-ranking bankers, executives or others in powerful positions or job titles. Hackers who engage in whaling often describe these efforts as "reeling in a big fish," applying a familiar metaphor to the process of scouring technologies for loopholes and opportunities for data theft. Those who are engaged in whaling may, for example, hack into specific networks where these powerful individuals work or store sensitive data. They may also set up keylogging or other malware on a work station associated with one of these executives. There are many ways that hackers can pursue whaling, leading C-level or top-level executives in business and government to stay vigilant about the possibility of cyber threats.
Which of the following services are used to support authentication services for several local devices from a central location without the use of tokens? A. TACACS+ B. Smartcards C. Biometrics D. Kerberos
Answer: A Explanation: ACACS allows a client to accept a username and password and send a query to a TACACS authentication server. It would determine whether to accept or deny the authentication request and send a response back. The TIP would then allow access or not based upon the response, not tokens.
A team of firewall administrators have access to a `master password list' containing service account passwords. Which of the following BEST protects the master password list? A. File encryption B. Password hashing C. USB encryption D. Full disk encryption
Answer: A Explanation: File encryption can be used to protect the contents of individual files. It uses randomly generated symmetric encryption keys for the file and stores the key in an encrypted form using the user's public key on the encrypted file.
Which of the following concepts describes the use of a one way transformation in order to validate the integrity of a program? A. Hashing B. Key escrow C. Non-repudiation D. Steganography
Answer: A Explanation: Hashing refers to the hash algorithms used in cryptography. It is used to store data, such as hash tables and its main characteristics are: It must be one-way - it is not reversible. Variable-length input produces fixed-length output - whether you have two characters or 2 million, the hash size is the same. The algorithm must have few or no collisions - in hashing two different inputs does not give the same output.
Peter, the information security manager, is tasked with calculating risk and selecting controls to protect a new system. He has identified people, environmental conditions, and events that could affect the new system. Which of the following does he need to estimate NEXT in order to complete his risk calculations? A. Vulnerabilities B. Risk C. Likelihood D. Threats
Answer: A Explanation: In this question, the security administrator has identified people, environmental conditions, and events that could affect the new system. The next step of the risk assessment is to determine the vulnerabilities of the system itself. Risk assessment deals with the threats, vulnerabilities, and impacts of a loss of information-processing capabilities or a loss of information itself. A vulnerability is a weakness that could be exploited by a threat. Each risk that can be identified should be outlined, described, and evaluated for the likelihood of it occurring. The key here is to think outside the box. Conventional threats and risks are often too limited when considering risk assessment. The key components of a risk-assessment process are outlined here: Risks to Which the Organization Is Exposed: This component allows you to develop scenarios that can help you evaluate how to deal with these risks if they occur. An operating system, server, or application may have known risks in certain environments. You should create a plan for how your organization will best deal with these risks and the best way to respond. Risks That Need Addressing: The risk-assessment component also allows an organization to provide a reality check on which risks are real and which are unlikely. This process helps an organization focus on its resources as well as on the risks that are most likely to occur. For example, industrial espionage and theft are likely, but the risk of a hurricane damaging the server room in Indiana is very low. Therefore, more resources should be allocated to prevent espionage or theft as opposed to the latter possibility.
Ann, a sales manager, successfully connected her company-issued smartphone to the wireless network in her office without supplying a username/password combination. Upon disconnecting from the wireless network, she attempted to connect her personal tablet computer to the same wireless network and could not connect. Which of the following is MOST likely the reason? A. The company wireless is using a MAC filter. B. The company wireless has SSID broadcast disabled. C. The company wireless is using WEP. D. The company wireless is using WPA2.
Answer: A Explanation: MAC filtering allows you to include or exclude computers and devices based on their MAC address.
The Chief Technology Officer (CTO) wants to improve security surrounding storage of customer passwords. The company currently stores passwords as SHA hashes. Which of the following can the CTO implement requiring the LEAST change to existing systems? A. Smart cards B. TOTP C. Key stretching D. Asymmetric keys
Answer: A Explanation: Smart cards usually come in two forms. The most common takes the form of a rectangular piece of plastic with an embedded microchip. The second is as a USB token. It contains a built in processor and has the ability to securely store and process information. A "contact" smart card communicates with a PC using a smart card reader whereas a "contactless" card sends encrypted information via radio waves to the PC. Typical scenarios in which smart cards are used include interactive logon, e-mail signing, e-mail decryption and remote access authentication. However, smart cards are programmable and can contain programs and data for many different applications. For example smart cards may be used to store medical histories for use in emergencies, to make electronic cash payments or to verify the identity of a customer to an e-retailer. Microsoft provides two device independent APIs to insulate application developers from differences between current and future implementations: CryptoAPI and Microsoft Win32® SCard APIs. The Cryptography API contains functions that allow applications to encrypt or digitally sign data in a flexible manner, while providing protection for the user's sensitive private key data. All cryptographic operations are performed by independent modules known as cryptographic service providers (CSPs). There are many different cryptographic algorithms and even when implementing the same algorithm there are many choices to make about key sizes and padding for example. For this reason, CSPs are grouped into types, in which each supported CryptoAPI function, by default, performs in a way particular to that type. For example, CSPs in the PROV_DSS provider type support DSS Signatures and MD5 and SHA hashing.
Peter, a technician at the local power plant, notices that several turbines had ramp up in cycles during the week. Further investigation by the system engineering team determined that a timed .exe file had been uploaded to the system control console during a visit by international contractors. Which of the following actions should Peter recommend? A. Create a VLAN for the SCADA B. Enable PKI for the Main Frame C. Implement patch management D. Implement stronger WPA2 Wireless
Answer: A Explanation: VLANs are used for traffic management. VLANs can be used to isolate traffic between network segments. This can be accomplished by not defining a route between different VLANs or by specifying a deny filter between certain VLANs (or certain members of a VLAN). Any network segment that doesn't need to communicate with another in order to accomplish a work task/function shouldn't be able to do so.
Mike, a security professional, is tasked with actively verifying the strength of the security controls on a company's live modem pool. Which of the following activities is MOST appropriate? A. War dialing B. War chalking C. War driving D. Bluesnarfing
Answer: A Explanation: War dialing is a technique of using a modem to automatically scan a list of telephone numbers, usually dialing every number in a local area code to search for computers, Bulletin board systems and fax machines. Hackers use the resulting lists for various purposes: hobbyists for exploration, and crackers - malicious hackers who specialize in computer security - for guessing user accounts (by capturing voicemail greetings), or locating modems that might provide an entry-point into computer or other electronic systems. It may also be used by security personnel, for example, to detect unauthorized devices, such as modems or faxes, on a company's telephone network.
Which of the following would MOST likely involve GPS? A. Wardriving B. Protocol analyzer C. Replay attack D. WPS attack
Answer: A Explanation: War driving, also called access point mapping, is the act of locating and possibly exploiting connections to wireless local area networks while driving around a city or elsewhere. To do war driving, you need a vehicle, a computer (which can be a laptop), a wireless Ethernet card set to work in promiscuous mode, and some kind of an antenna which can be mounted on top of or positioned inside the car. A GPS (Global Positioning System) system can be used to accurately map your location while detecting the wireless networks.
Emily, a security administrator, is noticing a slow down in the wireless network response. Emily launches a wireless sniffer and sees a large number of ARP packets being sent to the AP. Which of the following type of attacks is underway? A. IV attack B. Interference C. Blue jacking D. Packet sniffing
Answer: A Explanation:In this question, it's likely that someone it trying to crack the wireless network security. An initialization vector is a random number used in combination with a secret key as a means to encrypt data. This number is sometimes referred to as a nonce, or "number occurring once," as an encryption program uses it only once per session. An initialization vector is used to avoid repetition during the data encryption process, making it impossible for hackers who use dictionary attack to decrypt the exchanged encrypted message by discovering a pattern. This is known as an IV attack. A particular binary sequence may be repeated more than once in a message, and the more it appears, the more the encryption method is discoverable. For example if a one-letter word exists in a message, it may be either "a" or "I" but it can't be "e" because the word "e" is non-sensical in English, while "a" has a meaning and "I" has a meaning. Repeating the words and letters makes it possible for software to apply a dictionary and discover the binary sequence corresponding to each letter. Using an initialization vector changes the binary sequence corresponding to each letter, enabling the letter "a" to be represented by a particular sequence in the first instance, and then represented by a completely different binary sequence in the second instance. WEP (Wireless Equivalent Privacy) is vulnerable to an IV attack. Because RC4 is a stream cipher, the same traffic key must never be used twice. The purpose of an IV, which is transmitted as plain text, is to prevent any repetition, but a 24-bit IV is not long enough to ensure this on a busy network. The way the IV was used also opened WEP to a related key attack. For a 24-bit IV, there is a 50% probability the same IV will repeat after 5000 packets.
A program displays: ERROR: this program has caught an exception and will now terminate. Which of the following is MOST likely accomplished by the program's behavior? A. Operating system's integrity is maintained B. Program's availability is maintained C. Operating system's scalability is maintained D. User's confidentiality is maintained
Answer: A Explanation:The purpose of error handling is to maintain the security and integrity of the system. Integrity is compromised when unauthorized modification occurs.
Ann, the system administrator, is installing an extremely critical system that can support ZERO downtime. Which of the following BEST describes the type of system Ann is installing? A. High availability B. Clustered C. RAID D. Load balanced
Answer: A Explanation: High Availability is he term used to refer to a system that has been secured and set up/configured in such a way so as to be online, active and able to respond and thus have zero downtime as a result.
A security administrator looking through IDS logs notices the following entry: (where [email protected] and passwd= 'or 1==1') Which of the following attacks had the administrator discovered? A. SQL injection B. XML injection C. Cross-site script D. Header manipulation
Answer: A Explanation: The code in the question is an example of a SQL Injection attack. The code '1==1' will always provide a value of true. This can be included in statement designed to return all rows in a SQL table. SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
In order to maintain oversight of a third party service provider, the company is going to implement a Governance, Risk, and Compliance (GRC) system. This system is promising to provide overall security posture coverage. Which of the following is the MOST important activity that should be considered? A. Continuous security monitoring B. Baseline configuration and host hardening C. Service Level Agreement (SLA) monitoring D. Security alerting and trending
Answer: A Explanation: The company is investing in a Governance, Risk, and Compliance (GRC) system to provide overall security posture coverage. This is great for testing the security posture. However, to be effective and ensure the company always has a good security posture, you need to monitor the security continuously. Once a baseline security configuration is documented, it is critical to monitor it to see that this baseline is maintained or exceeded. A popular phrase among personal trainers is "that which gets measured gets improved." Well, in network security, "that which gets monitored gets secure." Continuous monitoring means exactly that: ongoing monitoring. This may involve regular measurements of network traffic levels, routine evaluations for regulatory compliance, and checks of network security device configurations.
Which of the following is used to verify data integrity? A. SHA B. 3DES C. AES D. RSA
Answer: A Explanation:SHA stands for "secure hash algorithm". SHA-1 is the most widely used of the existing SHA hash functions, and is employed in several widely used applications and protocols including TLS and SSL, PGP, SSH, S/MIME, and IPsec. It is used to ensure data integrity. Note: A hash value (or simply hash), also called a message digest, is a number generated from a string of text. The hash is substantially smaller than the text itself, and is generated by a formula in such a way that it is extremely unlikely that some other text will produce the same hash value. Hashes play a role in security systems where they're used to ensure that transmitted messages have not been tampered with. The sender generates a hash of the message, encrypts it, and sends it with the message itself. The recipient then decrypts both the message and the hash, produces another hash from the received message, and compares the two hashes. If they're the same, there is a very high probability that the message was transmitted intact. This is how hashing is used to ensure data integrity.
A company's legacy server requires administration using Telnet. Which of the following protocols could be used to secure communication by offering encryption at a lower OSI layer? (Select TWO). A. IPv6 B. SFTP C. IPSec D. SSH E. IPv4
Answer: A,C Explanation: Telnet supports IPv6 connections. IPv6 is the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet. IPsec is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec is a compulsory component for IPv6. IPsec operates at Layer 3 of the OSI model, whereas Telnet operates at Layer 7.
An auditing team has found that passwords do not meet best business practices. Which of the following will MOST increase the security of the passwords? (Select TWO). A. Password Complexity B. Password Expiration C. Password Age D. Password Length E. Password History
Answer: A,D Explanation: Passwords should have the strength to avoid discovery through attack, but it should also be easy enough for the user to remember. The length and complexity of a password combined are vital factors in defining a password's strength.
A system administrator is notified by a staff member that their laptop has been lost. The laptop contains the user's digital certificate. Which of the following will help resolve the issue? (Select TWO). A. Revoke the digital certificate B. Mark the key as private and import it C. Restore the certificate using a CRL D. Issue a new digital certificate E. Restore the certificate using a recovery agent
Answer: A,D Explanation: The user's certificate must be revoked to ensure that the stolen computer cannot access resources the user has had access to. To grant the user access to the resources he must be issued a new certificate.
During a routine audit a web server is flagged for allowing the use of weak ciphers. Which of the following should be disabled to mitigate this risk? (Select TWO). A. SSL 1.0 B. RC4 C. SSL 3.0 D. AES E. DES F. TLS 1.0
Answer: A,E Explanation: TLS 1.0 and SSL 1.0 both have known vulnerabilities and have been replaced by later versions. Any systems running these ciphers should have them disabled. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. They use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties. This allows for data/message confidentiality, and message authentication codes for message integrity and as a by-product, message authentication Netscape developed the original SSL protocol. Version 1.0 was never publicly released because of serious security flaws in the protocol; version 2.0, released in February 1995, "contained a number of security flaws which ultimately led to the design of SSL version 3.0". TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0. As stated in the RFC, "the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough to preclude interoperability between TLS 1.0 and SSL 3.0". TLS 1.0 does include a means by which a TLS implementation can downgrade the connection to SSL 3.0, thus weakening security. TLS 1.1 and then TLS 1.2 were created to replace TLS 1.0.
An administrator has concerns regarding the company's server rooms Proximity badge readers were installed, but it is discovered this is not preventing unapproved personnel from tailgating into these area. Which of the following would BEST address this concern? A. Replace proximity readers with turn0based key locks B. Install man-traps at each restricted area entrance C. Configure alarms to alert security when the areas are accessed D. Install monitoring cameras at each entrance
Answer: B
An administrator wants to establish a WiFi network using a high gain directional antenna with a narrow radiation pattern to connect two buildings separated by a very long distance. Which of the following antennas would be BEST for this situation? A. Dipole B. Yagi C. Sector D. Omni
Answer: B Explanation: A Yagi-Uda antenna, commonly known simply as a Yagi antenna, is a directional antenna consisting of multiple parallel dipole elements in a line, usually made of metal rods. It consists of a single driven element connected to the transmitter or receiver with a transmission line, and additional parasitic elements: a so-called reflector and one or more directors. The reflector element is slightly longer than the driven dipole, whereas the directors are a little shorter. This design achieves a very substantial increase in the antenna's directionality and gain compared to a simple dipole.
Ann, the security administrator, wishes to implement multifactor security. Which of the following should be implemented in order to compliment password usage and smart cards? A. Hard tokens B. Fingerprint readers C. Swipe badge readers D. Passphrases
Answer: B Explanation: A multifactor authentication method uses two or more processes for logon. A twofactor method might use smart cards and biometrics for logon. For obvious reasons, the two or more factors employed should not be from the same category.
A security technician wishes to gather and analyze all Web traffic during a particular time period. Which of the following represents the BEST approach to gathering the required data? A. Configure a VPN concentrator to log all traffic destined for ports 80 and 443. B. Configure a proxy server to log all traffic destined for ports 80 and 443. C. Configure a switch to log all traffic destined for ports 80 and 443. D. Configure a NIDS to log all traffic destined for ports 80 and 443.
Answer: B Explanation: A proxy server is in essence a device that acts on behalf of others and in security terms all internal user interaction with the Internet should be controlled through a proxy server. This makes a proxy server the best tool to gather the required data.
Which of the following should be used when a business needs a block cipher with minimal key size for internal encryption? A. AES B. Blowfish C. RC5 D. 3DES
Answer: B Explanation: Blowfish is an encryption system invented by a team led by Bruce Schneier that performs a 64-bit block cipher at very fast speeds. It is a symmetric block cipher that can use variable-length keys (from 32 bits to 448 bits).
A security administrator develops a web page and limits input into the fields on the web page as well as filters special characters in output. The administrator is trying to prevent which of the following attacks? A. Spoofing B. XSS C. Fuzzing D. Pharming
Answer: B Explanation: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. Cross-site scripting uses known vulnerabilities in web-based applications, their servers, or plug-in systems on which they rely. Exploiting one of these, attackers fold malicious content into the content being delivered from the compromised site. When the resulting combined content arrives at the client-side web browser, it has all been delivered from the trusted source, and thus operates under the permissions granted to that system. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. By validating user input and preventing special characters, we can prevent the injection of client-side scripting code.
Which of the following technologies uses multiple devices to share work? A. Switching B. Load balancing C. RAID D. VPN concentrator
Answer: B Explanation: Load balancing is a way of providing high availability by splitting the workload across multiple computers.
Peter, an IT Administrator, needs to secure his server room. Which of the following mitigation methods would provide the MOST physical protection? A. Sign in and sign out logs B. Mantrap C. Video surveillance D. HVAC
Answer: B Explanation: Mantraps are designed to contain an unauthorized, potentially hostile person/individual physically until authorities arrive. Mantraps are typically manufactured with bulletproof glass, high-strength doors, and locks and to allow the minimal amount of individuals depending on its size. Some mantraps even include scales that will weigh the person. The doors are designed in such a way as to open only when the mantrap is occupied or empty and not in-between. This means that the backdoor must first close before the front door will open. Mantraps are in most cases also combined with guards. This is the most physical protection any one measure will provide.
A Chief Information Security Officer (CISO) is tasked with outsourcing the analysis of security logs. These will need to still be reviewed on a regular basis to ensure the security of the company has not been breached. Which of the following cloud service options would support this requirement? A. SaaS B. MaaS C. IaaS D. PaaS
Answer: B Explanation: Monitoring-as-a-service (MaaS) is a cloud delivery model that falls under anything as a service (XaaS). MaaS allows for the deployment of monitoring functionalities for several other services and applications within the cloud.
An administrator is looking to implement a security device which will be able to not only detect network intrusions at the organization level, but help defend against them as well. Which of the following is being described here? A. NIDS B. NIPS C. HIPS D. HIDS
Answer: B Explanation: Network-based intrusion prevention system (NIPS) monitors the entire network for suspicious traffic by analyzing protocol activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it
A security technician is attempting to improve the overall security posture of an internal mail server. Which of the following actions would BEST accomplish this goal? A. Monitoring event logs daily B. Disabling unnecessary services C. Deploying a content filter on the network D. Deploy an IDS on the network
Answer: B Explanation: One of the most basic practices for reducing the attack surface of a specific host is to disable unnecessary services. Services running on a host, especially network services provide an avenue through which the system can be attacked. If a service is not being used, disable it.
All of the following are valid cryptographic hash functions EXCEPT: A. RIPEMD. B. RC4. C. SHA-512. D. MD4.
Answer: B Explanation: RC4 is not a hash function. RC4 is popular with wireless and WEP/WPA encryption.
The Chief Technical Officer (CTO) has been informed of a potential fraud committed by a database administrator performing several other job functions within the company. Which of the following is the BEST method to prevent such activities in the future? A. Job rotation B. Separation of duties C. Mandatory Vacations D. Least Privilege
Answer: B Explanation: Separation of duties means that users are granted only the permissions they need to do their work and no more. More so it means that you are employing best practices. The segregation of duties and separation of environments is a way to reduce the likelihood of misuse of systems or information. A separation of duties policy is designed to reduce the risk of fraud and to prevent other losses in an organization.
Which of the following authentication services should be replaced with a more secure alternative? A. RADIUS B. TACACS C. TACACS+ D. XTACACS
Answer: B Explanation: Terminal Access Controller Access-Control System (TACACS) is less secure than XTACACS, which is a proprietary extension of TACACS, and less secure than TACACS+, which replaced TACACS and XTACACS.
After a new firewall has been installed, devices cannot obtain a new IP address. Which of the following ports should Matt, the security administrator, open on the firewall? A. 25 B. 68 C. 80 D. 443
Answer: B Explanation: The Dynamic Host Configuration Protocol (DHCP) is a standardized network protocol used on Internet Protocol (IP) networks for distributing IP addresses for interfaces and services. DHCP makes use of port 68.
In intrusion detection system vernacular, which account is responsible for setting the security policy for an organization? A. Supervisor B. Administrator C. Root D. Director
Answer: B Explanation: The administrator is the person responsible for setting the security policy for an organization and is responsible for making decisions about the deployment and configuration of the IDS.
The security administrator installed a newly generated SSL certificate onto the company web server. Due to a misconfiguration of the website, a downloadable file containing one of the pieces of the key was available to the public. It was verified that the disclosure did not require a reissue of the certificate. Which of the following was MOST likely compromised? A. The file containing the recovery agent's keys. B. The file containing the public key. C. The file containing the private key. D. The file containing the server's encrypted passwords.
Answer: B Explanation: The public key can be made available to everyone. There is no need to reissue the certificate.
Which of the following would Peter, a security administrator, MOST likely implement in order to allow employees to have secure remote access to certain internal network services such as file servers? A. Packet filtering firewall B. VPN gateway C. Switch D. Router
Answer: B Explanation: VPNs are usually employed to allow remote access users to connect to and access the network, and offer connectivity between two or more private networks or LANs. A VPN gateway (VPN router) is a connection point that connects two LANs via a nonsecure network such as the Internet.
Users at a company report that a popular news website keeps taking them to a web page with derogatory content. This is an example of which of the following? A. Evil twin B. DNS poisoning C. Vishing D. Session hijacking
Answer: B Explanation: DNS spoofing (or DNS cache poisoning) is a computer hacking attack, whereby data is introduced into a Domain Name System (DNS) resolver's cache, causing the name server to return an incorrect IP address, diverting traffic to the attacker's computer (or any other computer). A domain name system server translates a human-readable domain name (such as example.com) into a numerical IP address that is used to route communications between nodes. Normally if the server doesn't know a requested translation it will ask another server, and the process continues recursively. To increase performance, a server will typically remember (cache) these translations for a certain amount of time, so that, if it receives another request for the same translation, it can reply without having to ask the other server again. When a DNS server has received a false translation and caches it for performance optimization, it is considered poisoned, and it supplies the false data to clients. If a DNS server is poisoned, it may return an incorrect IP address, diverting traffic to another computer (in this case, the server hosting the web page with derogatory content).
Matt, a security analyst, needs to implement encryption for company data and also prevent theft of company data. Where and how should Matt meet this requirement? A. Matt should implement access control lists and turn on EFS. B. Matt should implement DLP and encrypt the company database. C. Matt should install Truecrypt and encrypt the company server. D. Matt should install TPMs and encrypt the company database.
Answer: B Explanation: Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data. Encryption is used to protect data.
A systems engineer has been presented with storage performance and redundancy requirements for a new system to be built for the company. The storage solution must be designed to support the highest performance and must also be able to support more than one drive failure. Which of the following should the engineer choose to meet these requirements? A. A mirrored striped array with parity B. A mirrored mirror array C. A striped array D. A striped array with parity
Answer: B Explanation: Mirroring means the data written to one drive is exactly duplicated to a second drive in real time. Disk mirroring is also known as RAID 1 and the data is intact in a RAID 1 array if either one of the two drives fails. After the failed drive is replaced with a new drive, you remirror the data from the good drive to the new drive to re-create the array.
Digital signatures are used for ensuring which of the following items? (Select TWO). A. Confidentiality B. Integrity C. Non-Repudiation D. Availability E. Algorithm strength
Answer: B,C Explanation: A digital signature is similar in function to a standard signature on a document. It validates the integrity of the message and the sender. The message is encrypted using the encryption system, and a second piece of information, the digital signature, is added to the message. Nonrepudiation prevents one party from denying actions that they carried out and in the electronic world nonrepudiation measures can be a two-key cryptographic system and the involvement of a third party to verify the validity. This respected third party 'vouches' for the individuals in the two-key system. Thus non-repudiation also impacts on integrity.
The public key is used to perform which of the following? (Select THREE). A. Validate the CRL B. Validate the identity of an email sender C. Encrypt messages D. Perform key recovery E. Decrypt messages F. Perform key escrow
Answer: B,C,E Explanation: B: The sender uses the private key to create a digital signature. The message is, in effect, signed with the private key. The sender then sends the message to the receiver. The receiver uses the public key attached to the message to validate the digital signature. If the values match, the receiver knows the message is authentic. C: The sender uses the public key to encrypt a message, and the receiver uses the private key to decrypt the message. E: You encrypt data with the private key and decrypt with the public key, though the opposite is much more frequent. Public-key cryptography, also known as asymmetric cryptography, is a class of cryptographic protocols based on algorithms that require two separate keys, one of which is secret (or private) and one of which is public. Although different, the two parts of this key pair are mathematically linked.
A security engineer is given new application extensions each month that need to be secured prior to implementation. They do not want the new extensions to invalidate or interfere with existing application security. Additionally, the engineer wants to ensure that the new requirements are approved by the appropriate personnel. Which of the following should be in place to meet these two goals? (Select TWO). A. Patch Audit Policy B. Change Control Policy C. Incident Management Policy D. Regression Testing Policy E. Escalation Policy F. Application Audit Policy
Answer: B,D Explanation: A backout (regression testing) is a reversion from a change that had negative consequences. It could be, for example, that everything was working fi ne until you installed a service pack on a production machine, and then services that were normally available were no longer accessible. The backout, in this instance, would revert the system to the state that it was in before the service pack was applied. Backout plans can include uninstalling service packs, hotfi xes, and patches, but they can also include reversing a migration and using previous firmware. A key component to creating such a plan is identifying what events will trigger your implementing the backout. A change control policy refers to the structured approach that is followed to secure a company's assets in the event of changes occurring.
Which of the following are restricted to 64-bit block sizes? (Select TWO). A. PGP B. DES C. AES256 D. RSA E. 3DES F. AES
Answer: B,E Explanation:B: The Data Encryption Standard (DES) has been used since the mid-1970s. It was the primary standard used in government and industry until it was replaced by AES. It's based on a 56-bit key and has several modes that offer security and integrity. It is now considered insecure because of the small key size. E: Triple-DES (3DES) is a technological upgrade of DES. 3DES is still used, even though AES is the preferred choice for government applications. 3DES is considerably harder to break than many other systems, and it's more secure than DES. It increases the key length to 168 bits (using three 56-bit DES keys).
An organization processes credit card transactions and is concerned that an employee may intentionally email credit card numbers to external email addresses. This company should consider which of the following technologies? A. IDS B. Firewalls C. DLP D. IPS
Answer: C Explanation: A Data Loss Prevention technology is aimed at detecting and preventing unauthorized access to, use of, or transmission of sensitive information such as credit card details.
A forensic analyst is reviewing electronic evidence after a robbery. Security cameras installed at the site were facing the wrong direction to capture the incident. The analyst ensures the cameras are turned to face the proper direction. Which of the following types of controls is being used? A. Detective B. Deterrent C. Corrective D. Preventive
Answer: C Explanation: A corrective control would be any corrective action taken to correct any existing control that were faulty or wrongly installed - as in this case the cameras were already there, it just had to be adjusted to perform its function as intended.
Which of the following devices would be the MOST efficient way to filter external websites for staff on an internal network? A. Protocol analyzer B. Switch C. Proxy D. Router
Answer: C Explanation: A proxy is a device that acts on behalf of other devices. All internal user communications with the Internet could be controlled through a proxy server, which can be configured to automatically filter out or block certain sites and content. It can also cache often-accessed sites to improve performance.
When performing the daily review of the system vulnerability scans of the network Peter, the administrator, noticed several security related vulnerabilities with an assigned vulnerability identification number. Peter researches the assigned vulnerability identification number from the vendor website. Peter proceeds with applying the recommended solution for identified vulnerability. Which of the following is the type of vulnerability described? A. Network based B. IDS C. Signature based D. Host based
Answer: C Explanation: A signature-based monitoring or detection method relies on a database of signatures or patterns of known malicious or unwanted activity. The strength of a signature-based system is that it can quickly and accurately detect any event from its database of signatures.
Identifying a list of all approved software on a system is a step in which of the following practices? A. Passively testing security controls B. Application hardening C. Host software baselining D. Client-side targeting
Answer: C Explanation: Application baseline defines the level or standard of security that will be implemented and maintained for the application. It may include requirements of hardware components, operating system versions, patch levels, installed applications and their configurations, and available ports and services. Systems can be compared to the baseline to ensure that the required level of security is being maintained.
Several employees submit the same phishing email to the administrator. The administrator finds that the links in the email are not being blocked by the company's security device. Which of the following might the administrator do in the short term to prevent the emails from being received? A. Configure an ACL B. Implement a URL filter C. Add the domain to a block list D. Enable TLS on the mail server
Answer: C Explanation: Blocking e-mail is the same as preventing the receipt of those e-mails and this is done by applying a filter. But the filter must be configured to block it. Thus you should add that specific domain from where the e-mails are being sent to the list of addresses that is to be blocked.
Which of the following are examples of detective controls? A. Biometrics, motion sensors and mantraps. B. Audit, firewall, anti-virus and biometrics. C. Motion sensors, intruder alarm and audit. D. Intruder alarm, mantraps and firewall.
Answer: C Explanation: Detective controls are those that operate afterward so as to discover that has happened. Detective controls include security guards, motion detectors, recording and reviewing of events captured by security cameras or CCTV, job rotation, mandatory vacations, audit trails, honeypots or honeynets, IDSs, violation reports, supervision and reviews of users, and incident investigations.
Vendors typically ship software applications with security settings disabled by default to ensure a wide range of interoperability with other applications and devices. A security administrator should perform which of the following before deploying new software? A. Application white listing B. Network penetration testing C. Application hardening D. Input fuzzing testing
Answer: C Explanation: Hardening is the process of securing a system by reducing its surface of vulnerability. Reducing the surface of vulnerability typically includes removing unnecessary functions and features, removing unnecessary usernames or logins and disabling unnecessary services.
Which of the following security devices can be replicated on a Linux based computer using IP tables to inspect and properly handle network based traffic? A. Sniffer B. Router C. Firewall D. Switch
Answer: C Explanation: Ip tables are a user-space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall and the chains and rules it stores.
An administrator finds that non-production servers are being frequently compromised, production servers are rebooting at unplanned times and kernel versions are several releases behind the version with all current security fixes. Which of the following should the administrator implement? A. Snapshots B. Sandboxing C. Patch management D. Intrusion detection system
Answer: C Explanation: Patch management is the process of maintaining the latest source code for applications and operating systems by applying the latest vendor updates. This helps protect a systems from newly discovered attacks and vulnerabilities.
Peter needs to open ports on the firewall to allow for secure transmission of files. Which of the following ports should be opened on the firewall? A. TCP 23 B. UDP 69 C. TCP 22 D. TCP 21
Answer: C Explanation: SSH uses TCP port 22. All protocols encrypted by SSH, including SFTP, SHTTP, SCP, SExec, and slogin, also use TCP port 22. Secure Copy Protocol (SCP) is a secure file-transfer facility based on SSH and Remote Copy Protocol (RCP). Secure FTP (SFTP) is a secured alternative to standard File Transfer Protocol (FTP).
A security administrator wants to check user password complexity. Which of the following is the BEST tool to use? A. Password history B. Password logging C. Password cracker D. Password hashing
Answer: C Explanation: The most important countermeasure against password crackers is to use long, complex passwords, which are changed regularly. Password-cracking tools compare hashes from potential passwords with the hashes stored in the accounts database. Each potential password is hashed, and that hash value is compared with the accounts database. If a match is found, the password-cracker tool has discovered a password for a user account.
Which of the following defines a business goal for system restoration and acceptable data loss? A. MTTR B. MTBF C. RPO D. Warm site
Answer: C Explanation: The recovery point objective (RPO) defines the point at which the system needs to be restored. This could be where the system was two days before it crashed (whip out the old backup tapes) or five minutes before it crashed (requiring complete redundancy). This is an essential business goal insofar as system restoration and acceptable data loss is concerned.
All executive officers have changed their monitor location so it cannot be easily viewed when passing by their offices. Which of the following attacks does this action remediate? A. Dumpster Diving B. Impersonation C. Shoulder Surfing D. Whaling
Answer: C Explanation: Viewing confidential information on someone's monitor is known as shoulder surfing. By moving their monitors so they cannot be seen, the executives are preventing users passing by 'shoulder surfing'. Shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it's relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand.
While setting up a secure wireless corporate network, which of the following should Peter, an administrator, avoid implementing? A. EAP-TLS B. PEAP C. WEP D. WPA
Answer: C Explanation: WEP is one of the more vulnerable security protocols. The only time to use WEP is when you must have compatibility with older devices that do not support new encryption.
A security administrator discovered that all communication over the company's encrypted wireless network is being captured by savvy employees with a wireless sniffing tool and is then being decrypted in an attempt to steal other employee's credentials. Which of the following technology is MOST likely in use on the company's wireless? A. WPA with TKIP B. VPN over open wireless C. WEP128-PSK D. WPA2-Enterprise
Answer: C Explanation: WEP's major weakness is its use of static encryption keys. When you set up a router with a WEP encryption key, that one key is used by every device on your network to encrypt every packet that's transmitted. But the fact that packets are encrypted doesn't prevent them from being intercepted, and due to some esoteric technical flaws it's entirely possible for an eavesdropper to intercept enough WEP-encrypted packets to eventually deduce what the key is. This problem used to be something you could mitigate by periodically changing the WEP key (which is why routers generally allow you to store up to four keys). But few bother to do this because changing WEP keys is inconvenient and time-consuming because it has to be done not just on the router, but on every device that connects to it. As a result, most people just set up a single key and then continue using it ad infinitum. Even worse, for those that do change the WEP key, new research and developments reinforce how even changing WEP keys frequently is no longer sufficient to protect a WLAN. The process of 'cracking' a WEP key used to require that a malicious hacker intercept millions of packets plus spend a fair amount of time and computing power. Researchers in the computer science department of a German university recently demonstrated the capability to compromise a WEP-protected network very quickly. After spending less than a minute intercepting data (fewer than 100,000 packets in all) they were able to compromise a WEP key in just three seconds.
A supervisor in the human resources department has been given additional job duties in the accounting department. Part of their new duties will be to check the daily balance sheet calculations on spreadsheets that are restricted to the accounting group. In which of the following ways should the account be handled? A. The supervisor should be allowed to have access to the spreadsheet files, and their membership in the human resources group should be terminated. B. The supervisor should be removed from the human resources group and added to the accounting group. C. The supervisor should be added to the accounting group while maintaining their membership in the human resources group. D. The supervisor should only maintain membership in the human resources group.
Answer: C Explanation: You can assign permissions to access resources either to a user or a group. The most efficient way is to assign permissions to a group (group based privileges). By assigning the human resources supervisor's user account to the group means the supervisor will inherit the permissions of that group, and allow him to carry out the new duties. Because the new duties are being added to his normal duties, maintaining membership in the human resources group will allow the supervisor to continue performing his normal duties.
Company XYZ has encountered an increased amount of buffer overflow attacks. The programmer has been tasked to identify the issue and report any findings. Which of the following is the FIRST step of action recommended in this scenario? A. Baseline Reporting B. Capability Maturity Model C. Code Review D. Quality Assurance and Testing
Answer: C Explanation: A buffer overflow attack attacks a vulnerability caused by poor coding in an application. Reviewing the code of the application will enable you to identify code that is vulnerable to buffer overflow. A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.
mily, an employee, tethers her smartphone to her work PC to bypass the corporate web security gateway while connected to the LAN. While Emily is out at lunch her PC is compromised via the tethered connection and corporate data is stolen. Which of the following would BEST prevent this from occurring again? A. Disable the wireless access and implement strict router ACLs. B. Reduce restrictions on the corporate web security gateway. C. Security policy and threat awareness training. D. Perform user rights and permissions reviews.
Answer: C Explanation: BYOD (In this case Emily's smart phone) involves the possibility of a personal device that is infected with malware introducing that malware to the network and security awareness training will address the issue of the company's security policy with regard to BYOD.
Which of the following can be used on a smartphone to BEST protect against sensitive data loss if the device is stolen? (Select TWO). A. Tethering B. Screen lock PIN C. Remote wipe D. Email password E. GPS tracking F. Device encryption
Answer: C,F Explanation: C: Remote wipe is the process of deleting data on a device in the event that the device is stolen. This is performed over remote connections such as the mobile phone service or the internet connection and helps ensure that sensitive data is not accessed by unauthorized people. F: Device encryption encrypts the data on the device. This feature ensures that the data on the device cannot be accessed in a useable form should the device be stolen.
A software developer utilizes cryptographic functions to generate codes that verify message integrity. Due to the nature if the data that is being sent back and forth from the client application to the server, the developer would like to change the cryptographic function to one that verities both authentication and message integrity. Which of the following algorithms should the software developer utilize? A. HMAC B. SHA C. Two Fish D. RIPEMD
Answer: D
A technician wants to secure communication to the corporate web portal, which is currently using HTTP. Which of the following is the FIRST step the technician should take? A. Send the server's public key to the CA B. Install the CA certificate on the server C. Import the certificate revocation list into the server D. Generate a certificate request from the server
Answer: D
Attempting to inject 50 alphanumeric key strokes including spaces into an application input field that only expects four alpha characters in considered which of the following attacks? A. XML injection B. Buffer overflow C. LDAP Injection D. SQL injection
Answer: D
When designing a corporate NAC solution, which of the following is the MOST relevant integration issue? A. Infrastructure time sync B. End user mobility C. 802.1X supplicant compatibility D. Network Latency E. Network Zoning
Answer: D
Which of the following would Matt, a security administrator, use to encrypt transmissions from an internal database to an internal server, keeping in mind that the encryption process must add as little latency to the process as possible? A. ECC B. RSA C. SHA D. 3DES
Answer: D Explanation: 3DES would be less secure compared to ECC, but 3DES would require less computational power. Triple-DES (3DES) is a technological upgrade of DES. 3DES is still used, even though AES is the preferred choice for government applications. 3DES is considerably harder to break than many other systems, and it's more secure than DES. It increases the key length to 168 bits (using three 56-bit DES keys).
Public key certificates and keys that are compromised or were issued fraudulently are listed on which of the following? A. PKI B. ACL C. CA D. CRL
Answer: D Explanation: A CRL is a locally stored record containing revoked certificates and revoked keys.
Which of the following offerings typically allows the customer to apply operating system patches? A. Software as a service B. Public Clouds C. Cloud Based Storage D. Infrastructure as a service
Answer: D Explanation: Cloud users install operating-system images and their application software on the cloud infrastructure to deploy their applications. In this model, the cloud user patches and maintains the operating systems and the application software.
A new network administrator is setting up a new file server for the company. Which of the following would be the BEST way to manage folder security? A. Assign users manually and perform regular user access reviews B. Allow read only access to all folders and require users to request permission C. Assign data owners to each folder and allow them to add individual users to each folder D. Create security groups for each folder and assign appropriate users to each group
Answer: D Explanation: Creating a security group for each folder and assigning necessary users to each group would only allow users belonging to the folder's security group access to the folder. It will make assigning folder privileges much easier, while also being more secure.
Ann, a security administrator, wishes to replace their RADIUS authentication with a more secure protocol, which can utilize EAP. Which of the following would BEST fit her objective? A. CHAP B. SAML C. Kerberos D. Diameter
Answer: D Explanation: Diameter is an authentication, authorization, and accounting protocol that replaces the RADIUS protocol. Diameter Applications extend the base protocol by including new commands and/or attributes, such as those for use of the Extensible Authentication Protocol (EAP).
Peter Has read and write access to his own home directory. Peter and Ann are collaborating on a project, and Peter would like to give Ann write access to one particular file in this home directory. Which of the following types of access control would this reflect? A. Role-based access control B. Rule-based access control C. Mandatory access control D. Discretionary access control
Answer: D Explanation: Discretionary access control (DAC) allows access to be granted or restricted by an object's owner based on user identity and on the discretion of the object owner.
Which of the following should be considered to mitigate data theft when using CAT5 wiring? A. CCTV B. Environmental monitoring C. Multimode fiber D. EMI shielding
Answer: D Explanation: EMI Shielding refers to the process of preventing electronic emissions from your computer systems from being used to gather intelligence and preventing outside electronic emissions from disrupting your information-processing abilities. Thus all wiring should be shielded to mitigate data theft.
A network administrator has purchased two devices that will act as failovers for each other. Which of the following concepts does this BEST illustrate? A. Authentication B. Integrity C. Confidentiality D. Availability
Answer: D Explanation: Failover refers to the process of reconstructing a system or switching over to other systems when a failure is detected. In the case of a server, the server switches to a redundant server when a fault is detected. This strategy allows service to continue uninterrupted until the primary server can be restored. In the case of a network, this means processing switches to another network path in the event of a network failure in the primary path. This means availability.
Which of the following file systems is from Microsoft and was included with their earliest operating systems? A. NTFS B. UFS C. MTFS D. FAT
Answer: D Explanation: File Allocation Table (FAT) is a file system created by Microsoft and used for its earliest DOS operating systems.
Which of the following would a security administrator use to verify the integrity of a file? A. Time stamp B. MAC times C. File descriptor D. Hash
Answer: D Explanation: Hashing refers to the hash algorithms used in cryptography. It is used to store data, such as hash tables and it is a one-way transformation in order to validate the integrity of data.
Ann has recently transferred from the payroll department to engineering. While browsing file shares, Ann notices she can access the payroll status and pay rates of her new coworkers. Which of the following could prevent this scenario from occurring? A. Credential management B. Continuous monitoring C. Separation of duties D. User access reviews
Answer: D Explanation: In addition to assigning user access properly, it is important to review that access periodically. Access review is a process to determine whether a user's access level is still appropriate. People's roles within an organization can change over time. It is important to review user accounts periodically and determine if they still require the access they currently have. An example of such a scenario would be a network administrator who was responsible for the domain controller but then moved over to administer the remote access servers. The administrator's access to the domain controller should now be terminated. This concept of access review is closely related to the concept of least privileges. It is important that users do not have "leftover" privileges from previous job roles.
An attacker attempted to compromise a web form by inserting the following input into the username field: admin)(|(password=*)) Which of the following types of attacks was attempted? A. SQL injection B. Cross-site scripting C. Command injection D. LDAP injection
Answer: D Explanation: LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary commands such as granting permissions to unauthorized queries, and content modification inside the LDAP tree. The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection. In a page with a user search form, the following code is responsible to catch input value and generate a LDAP query that will be used in LDAP database. Insert the username The LDAP query is narrowed down for performance and the underlying code for this function might be the following: String ldapSearchQuery = "(cn=" + $userName + ")"; System.out.println(ldapSearchQuery); If the variable $userName is not validated, it could be possible accomplish LDAP injection, as follows: If a user puts "*" on box search, the system may return all the usernames on the LDAP base If a user puts "jonys) (| (password = * ) )", it will generate the code bellow revealing jonys' password ( cn = jonys ) ( | (password = * ) )
Matt, a systems security engineer, is determining which credential-type authentication to use within a planned 802.1x deployment. He is looking for a method that does not require a client certificate, has a server side certificate, and uses TLS tunnels for encryption. Which credential type authentication method BEST fits these requirements? A. EAP-TLS B. EAP-FAST C. PEAP-CHAP D. PEAP-MSCHAPv2
Answer: D Explanation: PEAP-MS-CHAP v2 is easier to deploy than EAP-TLS or PEAP-TLS because user authentication is accomplished via password-base credentials (user name and password) rather than digital certificates or smart cards. Only servers running Network Policy Server (NPS) or PEAP-MS-CHAP v2 are required to have a certificate.
Which of the following can be used to mitigate risk if a mobile device is lost? A. Cable lock B. Transport encryption C. Voice encryption D. Strong passwords
Answer: D Explanation: Passwords are the most likely mechanism that can be used to mitigate risk when a mobile device is lost. A strong password would be more difficult to crack.
Which of the following represents a cryptographic solution where the encrypted stream cannot be captured by a sniffer without the integrity of the stream being compromised? A. Elliptic curve cryptography. B. Perfect forward secrecy. C. Steganography. D. Quantum cryptography.
Answer: D Explanation: Quantum cryptography is a cryptosystem that is completely secure against being compromised without knowledge of the sender or the receiver of the messages.
Symmetric encryption utilizes __________, while asymmetric encryption utilizes _________. A. Public keys, one time B. Shared keys, private keys C. Private keys, session keys D. Private keys, public keys
Answer: D Explanation: Symmetrical systems require the key to be private between the two parties. With asymmetric systems, each circuit has one key. In more detail: * Symmetric algorithms require both ends of an encrypted message to have the same key and processing algorithms. Symmetric algorithms generate a secret key that must be protected. A symmetric key, sometimes referred to as a secret key or private key, is a key that isn't disclosed to people who aren't authorized to use the encryption system. * Asymmetric algorithms use two keys to encrypt and decrypt data. These asymmetric keys are referred to as the public key and the private key. The sender uses the public key to encrypt a message, and the receiver uses the private key to decrypt the message; what one key does, the other one undoes.
Which of the following is an effective way to ensure the BEST temperature for all equipment within a datacenter? A. Fire suppression B. Raised floor implementation C. EMI shielding D. Hot or cool aisle containment
Answer: D Explanation: There are often multiple rows of servers located in racks in server rooms. The rows of servers are known as aisles, and they can be cooled as hot aisles and cold aisles. With a hot aisle, hot air outlets are used to cool the equipment, whereas with cold aisles, cold air intake is used to cool the equipment. Combining the two, you have cold air intake from below the aisle and hot air outtake above it, providing constant circulation. This is a more effective way of controlling temperature to safeguard your equipment in a data center.
Which of the following hardware based encryption devices is used as a part of multi-factor authentication to access a secured computing system? A. Database encryption B. USB encryption C. Whole disk encryption D. TPM
Answer: D Explanation: Trusted Platform Module (TPM) is a hardware-based encryption solution that is embedded in the system's motherboard and is enabled or disable in BIOS. It helps with hash key generation and stores cryptographic keys, passwords, or certificates.
Which of the following BEST describes the weakness in WEP encryption? A. The initialization vector of WEP uses a crack-able RC4 encryption algorithm. Once enough packets are captured an XOR operation can be performed and the asymmetric keys can be derived. B. The WEP key is stored in plain text and split in portions across 224 packets of random data. Once enough packets are sniffed the IV portion of the packets can be removed leaving the plain text key. C. The WEP key has a weak MD4 hashing algorithm used. A simple rainbow table can be used to generate key possibilities due to MD4 collisions. D. The WEP key is stored with a very small pool of random numbers to make the cipher text. As the random numbers are often reused it becomes easy to derive the remaining WEP key.
Answer: D Explanation: WEP is based on RC4, but due to errors in design and implementation, WEP is weak in a number of areas, two of which are the use of a static common key and poor implementation of initiation vectors (IVs). When the WEP key is discovered, the attacker can join the network and then listen in on all other wireless client communications.
Although a vulnerability scan report shows no vulnerabilities have been discovered, a subsequent penetration test reveals vulnerabilities on the network. Which of the following has been reported by the vulnerability scan? A. Passive scan B. Active scan C. False positive D. False negative
Answer: D Explanation: With a false negative, you are not alerted to a situation when you should be alerted. A False negative is exactly the opposite of a false positive.
The security administrator needs to manage traffic on a layer 3 device to support FTP from a new remote site. Which of the following would need to be implemented? A. Implicit deny B. VLAN management C. Port security D. Access control lists
Answer: D Explanation:In the OSI model, IP addressing and IP routing are performed at layer 3 (the network layer). In this question we need to configure routing. When configuring routing, you specify which IP range (in this case, the IP subnet of the remote site) is allowed to route traffic through the router to the FTP server. Traffic that comes into the router is compared to ACL entries based on the order that the entries occur in the router. New statements are added to the end of the list. The router continues to look until it has a match. If no matches are found when the router reaches the end of the list, the traffic is denied. For this reason, you should have the frequently hit entries at the top of the list. There is an implied deny for traffic that is not permitted.
The information security technician wants to ensure security controls are deployed and functioning as intended to be able to maintain an appropriate security posture. Which of the following security techniques is MOST appropriate to do this? A. Log audits B. System hardening C. Use IPS/IDS D. Continuous security monitoring
Answer: D Explanation: A security baseline is the security setting of a system that is known to be secure. This is the initial security setting of a system. Once the baseline has been applied, it must be maintained or improved. Maintaining the security baseline requires continuous monitoring.
Ann is an employee in the accounting department and would like to work on files from her home computer. She recently heard about a new personal cloud storage service with an easy web interface. Before uploading her work related files into the cloud for access, which of the following is the MOST important security concern Ann should be aware of? A. Size of the files B. Availability of the files C. Accessibility of the files from her mobile device D. Sensitivity of the files
Answer: D Explanation: Cloud computing has privacy concerns, regulation compliance difficulties, use of open-/closedsource solutions, and adoption of open standards. It is also unsure whether cloud-based data is actually secured (or even securable).
Which of the following BEST explains the use of an HSM within the company servers? A. Thumb drives present a significant threat which is mitigated by HSM. B. Software encryption can perform multiple functions required by HSM. C. Data loss by removable media can be prevented with DLP. D. Hardware encryption is faster than software encryption.
Answer: D Explanation: Hardware Security Module (HSM) is a cryptoprocessor that can be used to enhance security. It provides a fast solution for the for large asymmetrical encryption calculations and is much faster than software-based cryptographic solutions.
Peter, the security engineer, would like to prevent wireless attacks on his network. Peter has implemented a security control to limit the connecting MAC addresses to a single port. Which of the following wireless attacks would this address? A. Interference B. Man-in-the-middle C. ARP poisoning D. Rogue access point
Answer: D Explanation: MAC filtering is typically used in wireless networks. In computer networking, MAC Filtering (or GUI filtering, or layer 2 address filtering) refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network. MAC addresses are uniquely assigned to each card, so using MAC filtering on a network permits and denies network access to specific devices through the use of blacklists and whitelists. In this question, a rogue access point would need to be able to connect to the network to provide access to network resources. If the MAC address of the rogue access point isn't allowed to connect to the network port, then the rogue access point will not be able to connect to the network.
