Test 1, Test 2

Which two activities commonly result from hacker-controlled botnets consisting of many infected computers?

-DDOS -SPAM

What are Blowfish and RC4?

-Blowfish and RC4 are both symmetric algorithms. -Symmetric algorithms use the same key for encryption and decryption.

Which of the following are considered benefits of server virtualization?

-Efficient application of software updates -Centralized data storage. -Because virtualized servers could be running on the same physical host, patch deployment is efficient. Virtualized servers often use shared disk storage, thus centralizing data and making backups quicker and easier.

You would like to ensure that an authentication server is always available. Two authentication servers are clustered together with the authentication data stored on shared disk storage. What must be done to eliminate any single points of failure?

-Enable a second NIC in each cluster node. -Configure the shared disk storage with RAID 1. -A second NIC (network interface card) ensures that network communication continues if one NIC fails. With RAID level 1, also called disk mirroring, data written to one disk is also written to a second disk for safety.

A technician connects to an Internet SMTP host using the telnet command and issues the following commands: ``` Helo smtp1.acme.ca Mail from:[email protected] Rcpt to:[email protected] Data:Subject:Linux versus Windows Hi Bill. Please take note that open source software is set to achieve world dominance. Thanks. - The Pres ``` How can these two users prevent this type of attack?

-Exchange public keys. -Digitally sign e-mails using private keys. -A private key is used by the sender to generate a unique signature for an e-mail message. The recipient uses the related sender public key to verify the validity of the signature. Spoofed SMTP messages cannot have a valid digital signature, since hackers will not have access to the sender's private key.

Which of the following statements regarding capturing wireless network traffic with a packet sniffer are true?

-Most wireless routers behave as hubs do; all wireless clients exist in a single collision domain. -Wireless router administrative credentials sent over HTTP are vulnerable. -Most wireless routers do not isolate wireless client connections; this means once you have connected to the wireless network and begun a network capture, you will see all wireless client traffic. Newer wireless routers support isolation mode, which behaves much like an Ethernet switch (each port is its own collision domain). Most wireless routers use HTTP to transmit administrative credentials. Capturing this traffic means the credentials can easily be learned; HTTPS should be configured so that administrative credentials are encrypted.

You are installing a wireless router on the first floor of a commercial building. What should you do to minimize the possibility of Wi-Fi users connecting from the street?

-Place the wireless router in the center of the building. -Disable DHCP on the wireless router. -Placing the wireless router in the center of the building reduces the signal strength outside of the building. Disabling DHCP (Dynamic Host Configuration Protocol) means connecting clients must manually configure an appropriate IP address, subnet mask, default gateway, and DNS server.

Which items would be found in an IP header?

-Source IP address. -TTL value -Among other fields, the IP header in a packet contains the source IP address and the TTL (time-to-live) value. The TTL value on newer Windows operating systems (such as 7, 8, and 10) is normally set to 128. This value determines how many routers (hops) the packet can travel though before being discarded.

What is a Business impact analysis?

A business impact analysis identifies how personnel, data systems, clients, and revenue will be affected if a threat is realized.

Your manager asks you to identify the amount of time and personnel required to address a worm virus infection on the corporate WAN. You estimate it would take six technicians two days to remove the infection, at a total cost of $2800. Which type of analysis would this dollar figure best relate to?

A business impact analysis studies the impact (financial in this case) that an incident presents to a business.

What is HIDS?

A host-based intrusion detection system (HIDS) does not analyze all network traffic, it analyzes and alerts upon suspicious host-specific activity.

What is HIPS?

A host-based intrusion prevention system (HIPS) can detect and stop suspicious activity at the host level, but not at the network.

What term describes a trusted third party possessing decryption keys?

A key escrow holds decryption keys in trust and is not related to the company, institution, or government agency that issued the keys. The keys can be used in the event of a catastrophe or because of legal requirements.

What is NIDS?

A network-based intrusion detection system (NIDS) can detect network attacks but will only generate alerts; it won't take action against suspicious traffic. Using a separate network interface for managing a NIDS/NIPS device is called out-of-band management and is considered a secure practice.

What is NIDS?

A network-based intrusion detection system (NIDS) is not a TCP/IP protocol; it is a software or hardware solution that can be configured to detect abnormal and suspicious activity and can log or send notifications about this activity.

What is NIPS?

A network-based intrusion prevention system (NIPS) detects and attempts to stop network attacks because it operates at the network level and aims at filtering all network traffic that passes through it, with the goal of blocking suspicious patterns.

What is NIPS?

A network-based intrusion prevention system (NIPS) goes beyond the functionality of a NIDS by having the ability to stop suspicious activity, such as by dynamically blocking excessive network traffic from one or more hosts.

Your disaster recovery plan requires the quickest possible data restoration from backup tape. Which strategy should you employ?

Daily full backup

Which of the following best describes security fuzzing?

Application fuzzing refers to the process of submitting sample data to test software.

What can be used to prevent malicious e-mail file attachments from being opened by users?

Antivirus software running on user computers can detect infected file attachments sent via e-mail.

What is Non-Repudiation

Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the information.

Challenge Handshake Authentication Protocol

Challenge Handshake Authentication Protocol (CHAP) uses a shared secret (such as user credentials) known by both ends of a connection. Credentials entered by a user are hashed and sent to a server that also hashes the shared secret. If both parties calculate the same hash, then authentication succeeds.

What is GSM?

GSM is a wireless cell phone standard.

An organic food retail chain is adding six new stores within the next month. Each retail store outlet will accept cash, debit, and credit card payments. To satisfy the board of directors, the IT staff is asked to provide a solution that will ensure data transfers to unauthorized locations can be monitored and/or blocked. What kind of solutions should the IT staff investigate?

Data loss prevention (DLP) ensures that private data stays private. This can be done with deep packet inspection such as data (e-mail messages, attachments) leaving an intranet or entering or leaving the cloud, data copied to media, data sent to printers, and so on.

You need to implement a solution that can help prevent sensitive data from being leaked out of the company via e-mail, texting, file copying, and social media file sharing. What type of solution should you consider?

Data loss prevention (DLP) solutions can be implemented to limit data leakage outside of the organization. This could be achieved with embedded watermarks on photos and videos and the limited ability to send e-mail file attachments only to users within the organization.

What is Data sovereignty?

Data sovereignty refers to applicable laws and regulations based on the physical location of digital data.

Which of the following are block ciphers?

ES (Advanced Encryption Standard) and Blowfish are block ciphers, which encrypt data in blocks at a time versus bits or bytes at a time.

A Linux administrator enables hardware disk encryption for data drives used by a Linux server. The operating system disk is physically located in the Linux server but the data drives exist on a SAN (storage area network). Which of the following statements is true?

Encryption protects data confidentially. Only authorized parties possessing the correct decryption keys can access encrypted data.

Chris, a network technician, identifies a way to gain remote administrative access to a Linux host without knowing administrative credentials. What has Chris discovered?

Exploit

What is Job Rotation?

Exposing users to various roles is referred to as job rotation. This is considered an administrative security control.

When on a Windows server what does a group policy enable you to do?

Group Policy enables the centralized configuration of operating system settings.

A technician is researching new rack mount servers to determine the maximum BTU value of all servers in the server room. Which related item should the technician consider?

HVAC (heating, ventilation, air conditioning) must be considered when discussing server BTUs (British thermal units). BTUs measure thermal energy (heat), and your server room air conditioning must be able to displace the BTUs generated by your computing equipment; otherwise, the server room will be much too warm for your equipment.

Which item offloads the cryptographic processing responsibilities of a host computer?

Hardware Security Module (HSM)

With which term is nonrepudiation most closely associated?

Hashing feeds data into a one-way algorithm, which results in a unique value that can be recomputed and compared against the original in the future. Digitally signing a message encrypts the message hash with a private key. Because the private key is held only by the owner, the owner cannot deny having signed the message; this is also referred to as nonrepudiation.

What can be done to harden a public e-commerce web server, assuming default ports are being used?

Install a PKI certificate and enable TLS Do not use an administrative account to run the web server. You can enable TLS and install a PKI certificate on a web server. Web servers run with a user account, and this should be a limited account with limited system privileges in case the web server is compromised by an attacker.

File hashing addresses which security concern?

Integrity

What is Internet Control Message Protocol?

Internet Control Message Protocol (ICMP) reports on network congestion and reachability. Utilities such as ping and tracert use ICMP as their transport mechanism.

What is IGMP?

Internet Group Message Protocol (IGMP) uses multicasting to transmit data to groups of stations that are registered with the correct multicast IP address.

What are Jumbo Frames?

Jumbo frames are oversized Ethernet packets (larger than 1514 bytes) designed to transmit more data in a single transmission. This increases performance but not security.

Which authentication protocol grants tickets to authenticated entities, which are then used to access network resources?

Kerberos is an authentication protocol that grants tickets to authenticated entities. The tickets are presented to various network resources to prove the identity of the requestor. Microsoft Active Directory uses the Kerberos protocol.

Your company must have the ability to examine outbound Internet traffic to ensure that attempts to access inappropriate web sites are blocked. What should you configure?

Layer 7 (Application) of the OSI model refers to application-specific functionality, such as a web browser connecting to a specific URL.

What is Legal hold?

Legal hold is a preservation order sometimes issued during e-discovery to ensure that potential evidence is immutable, meaning that it cannot be modified.

Identify two benefits of server virtualization.

Less hardware and physical space are required to host virtual servers than physical servers.

What is LDAP?

Lightweight Directory Access Protocol (LDAP) is a standard authentication data source using TCP port 389 for clear-text transmissions and TCP port 636 for encrypted transmissions. Common directory services such as Microsoft Active Directory and Sun ONE Directory Server are all LDAP-compliant.

While having lunch in an urban center, you decide to connect to an unencrypted WLAN you notice while scanning for wireless networks with your smartphone. The WLAN signal is available at full strength. When you attempt to connect, after a timeout period, the connection is unsuccessful. You can connect to other Wi-Fi networks. What could be causing this?

MAC (Media Access Control) filtering controls access to the WLAN via a list of allowed MAC addresses. MAC addresses are unique 48-bit addresses burned into all network cards, for example, 00-26-B9-C5-2A-F1.

What do Mandatory vacations enable?

Mandatory vacations enable different employees to fill a job role, which will expose any improper activity in the job role if any exists.

Which security principle enables the discovery of potentially inappropriate or fraudulent activity committed by employees?

Mandatory vacations enable the potential discovery of irregularities in a job role by whoever fills that role while an employee is on vacation. The new person can audit previous activities or compile associated reports that uncover fraudulent activity.

Does the Ping command use TCP or UDP

No

What is Computer authentication using PKI?

Public Key Infrastructure (PKI) certificates from a trusted source is configured on the two computers. Network traffic from hosts not using a trusted PKI certificate could then be ignored.

Which key is used to encrypt a file in a PKI environment?

Public keys are most often used to encrypt user files directly or to generate file encryption keys that are then used to encrypt files. The mathematically related private key is used to decrypt user files. The keys can be stored in a directory (such as Microsoft Active Directory), in a protected file on a disk, or on a smart card. Storing private keys in unprotected files, such as those without password protection, is considered a poor key management practice.

What is RSA?

RSA is an asymmetric encryption algorithm. A mathematically related public and private key pair is used to secure communications; data is encrypted with the public key and decrypted with the private key. The public key can safely be distributed by any party wanting to encrypt data for the key owner; however, the private key must be accessible only by the owner.

In crafting your Disaster Recovery Plan (DRP), you outline the procedure in which PKI user-encrypted files for damaged user accounts can be decrypted. Which statement regarding this plan is correct?

Restore user private keys from backup is correct. In a PKI environment, users have a pair of mathematically related keys that can be stored in a certificate file, in a directory service, on a smart card, and so on. Private keys are used to decrypt files; the public key is used to encrypt.

Which network component can commonly be configured as a NAT (network address translation) device?

Routers are OSI layer 3 (Network) devices that have at least two interfaces connecting to different networks. NAT normally runs on a router and can be configured to allow devices on an internal network with private TCP/IP addresses to gain access to a public network using the NAT router's public IP address.

A user would like to use FTP to transfer a file to an FTP server. Other users who download the same file from the FTP server must have a way to ensure that the file has not been tampered with. Which protocol can perform this function?

SHA-3 is a hashing algorithm used to calculate a unique hash value. Changes to the source data (the file transferred to the FTP [File Transfer Protocol] server in this case) would invalidate the unique hash value when it is calculated again.

What is SMTP?

SMTP (Simple Mail Transfer Protocol) transmits Internet e-mail messages to other SMTP hosts and can be configured to encrypt the transmission.

Which type of SOC report focuses on the efficacy of security controls required to meet trust principles?

SOC 2 Type 1 documents IT systems and business processes to ensure compliance with security trust requirements.

What is a SOC 2 Type 2 report?

SOC 2 Type 2 documents the operation efficacy of IT systems within a specified time frame.

What is SSL stripping?

SSL stripping is considered an HTTPS downgrade attack, whereby a malicious user intercepts user HTTPS requests. The attacker makes an HTTPS connection to the requested site, but the client connection to the attacker, unknown to the client, is still HTTP, thus is not encrypted.

What is Separation of duties?

Separation of duties prevents a single user from seeing a business process from beginning to end, which reduces the likelihood of fraud.

What is SNMP?

Simple Network Management Protocol (SNMP) is an industry standard for managing and monitoring printers, servers, workstations, routers, switches, IP phones, and so on. SNMP version 3 should be used because it provides encryption and integrity functionality.

What is Succession planning?

Succession planning is the process of grooming an employee to fill an important job role.

What is TLS?

TLS secures application-specific network traffic.

What is Session Initiation Protocol?

The Session Initiation Protocol (SIP) is used to establish and maintain network sessions related to voice and video, such as with VoIP.

You need to analyze a disk volume on a Linux server, but you do not want to modify the original file system in any way. Which Linux command should you use to create an exact copy of the disk volume for forensic analysis?

The Linux dd command can be used to create an exact copy of a disk volume, while leaving the original disk volume intact.

What is the Chain of custody?

The chain of custody requires the gathering of potential evidence to be done legally while ensuring the secure documentation and storage of that evidence.

What is Order of volatility?

The order of volatility describes the fragility of digital evidence and as a result the order in which it should be gathered. For example, acquiring the contents of a machine's RAM memory should be done before obtaining the data from its hard drive, because the RAM contents will be erased when the target machine is powered off.

Which Linux command can be used to capture network traffic?

The tcpdump command can be used to capture network traffic. Command line parameters control through which network interface capturing occurs and whether captured traffic is displayed on the screen or written to a file.

3DES, AES, and Blowfish

They are symmetric encryption algorithms. Symmetric encryption uses the same key for encryption and decryption.

List the order in how threats should be handled.

Threat Analysis -> ALE -> Risk Analysis -> Business Impact Analysis

Your NIDS alerts you of excessive network traffic spreading through each of your five VLANs. The problem seems to stem from malicious software that keeps replicating itself across the network. You react according to your incident response plan by turning off the affected switches. What caused the problem?

Worms are self-replicating malware that can consume network bandwidth, resulting in an unusable network. Virus scanners can detect known worm patterns. Inline network-based intrusion and detection systems (NIDs) examine network traffic as it traverses the network as opposed to stored captures (passive or offline).

A router is configured to allow outbound TCP ports 80, 443, and 25. You would like to use the Remote Desktop Protocol to access a server at another location. Which of the following statements is correct, assuming default ports are being used?

You will not be able to RDP to the external server because the router is implicitly denying RDP packets is correct. RDP (Remote Desktop Protocol) uses TCP port 3389, and this is implicitly denied because only ports 80, 443, and 25 allow traffic out.