202final
3 solutions to prevent insider threats
1. limit data to need to know, trainings, least privelege
Please distinguish between vulnerability, threat, and control
A threat is a potential to do harm. A vulnerability is a means by which a threat agent can cause harm. A control is a protective measure that prevents a threat agent from exercising a vulnerability
. ____________________ is to verify the integrity of the file and provide non-repudiation.
Digital Signatures
A user complains that his system is no longer able to access the Walmart.com site. Instead, his browser goes to a different site. After investigation, you notice the following entries in the user's hosts file: 127.0.0.1 localhost 72.23.231.233 walmart.com What is the BEST explanation for this situation? a. Pharming attack b. Whaling attack c. Session hijacking d. Phishing attack
a
An organization requested bids for a contract and asked companies to submit their bids via email. After winning the bid, Acme realized it could not meet the requirements of the contract. Acme instead stated that it never submitted the bid. Which of the following would provide proof to the organization that Acme did submit the bid? a. Digital signature b. Integrity c. Decryption d. Encryption
a
Homer is able to connect to his company's wireless network with his smartphone but not with his laptop computer. Which of the following is the MOST likely reason for this disparity? a. His company's network has a MAC address filter in place. b. His company's network has enabled SSID broadcast. c. His company's network has enabled WEP. d. His company's network has enabled WPA2 Enterprise
a
Jemar recently received an email thanking him for a purchase that he did not make. He asked an administrator about it and the administrator noticed a pop-up window, which included the following code: <body onload="document.getElementByID('myform').submit()"> <form id="myForm"action="gcgapremium.com/purchase.php"method="post" <input name="Buy Now" value="Buy Now"/> </form> </body> Which of the following is the MOST likely explanation? a. XSRF (cross-site request forgery) b. Buffer overflow c. SQL injection d. ARP spoofing
a
The CEO of Kelly's company recently fell victim to an attack. The attackers sent the CEO an email informing him that his company was being sued and he needed to view a subpoena at a court website. When visiting the website, malicious code was downloaded onto the CEO's computer. What type of attack took place? a. Spear phishing b. Pharming c. Adware d. Command injection
a
The security manager at your company recently updated the security policy. One of the changes requires two-factor authentication. Which of the following will meet this requirement? a. Hardware token and PIN b. Finger print and retina scan c. Password and PIN d. PIN and security questions
a
Thieves recently rammed a truck through the entrance of your company's main building. During the chaos, their partners proceeded to steal a significant amount of IT equipment. Which of the following choices can you use to prevent this from happening again? a. Bollards b. Guards c. CCTV d. Mantrap
a
To avoid the nefarious use of cloud computing, which of the following is the BEST safeguard? a. Rigorous registration process b. Paid service c. OAuth d. Firewall
a
Which group is the most likely target of a social engineering attack? a. Receptionists and administrative assistants b. Information security response team c. Internal auditors d. Independent contractors
a
You are troubleshooting an intermittent connectivity issue with a web server. After examining the logs, you identify repeated connection attempts from various IP addresses. You realize theses connection attempts are overloading the server, preventing it from responding to other connections. Which of the following is MOST likely occurring? a. DDoS attack b. DoS attack c. Amplification attack d. IP spoofing attack
a
You maintain a training lab with 18 computers. You have enough rights and permissions on these machines so that you can configure them as needed for classes. However, you do not have the rights to add them to your organization's domain. Which of the following choices BEST describes this example? a. Least privilege b. Need to know c. User-based privileges d. BYOU
a
step 3 of zig zag a. ACK b. SYN c. FIN d. RST
a
Session Hijacking is the process in which a user's or organization's cloud account credentials are stolen and exploited by an unauthorized attacker (fthen)
account hijacking
What is the difference between MAC spoofing and ARP spoofing?
arp spoofing involves the sending of arp packets with the mac address. mac spoofing just uses the fake mac address
Symmetric encryption uses two different keys: public key (to encipher) and private key (to decipher). (fthen)
asymmetric encryption
____________________ ensures authorized users — persons or computer systems — can access (or use) information without interference or obstruction, and in the required format
availability
A small business owner modified his wireless router with the following settings: PERMIT 1A:2B:3C:4D:5E:6F DENY 6F:5E:4D:3C:2B:1A After saving the settings, an employee reports that he cannot access the wireless network anymore. What is the MOST likely reason that the employee cannot access the network? a. IP address filtering b. MAC address filtering c. DNS filtering d. URL filtering
b
A(n) ____ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time. a. Denial-of-service b. Distributed denial-of-service c. Virus d. Spam
b
An application on one of your database servers has crashed several times recently. Examining detailed debugging logs, you discover that just prior to crashing, the database application is receiving a long series of characters (more data into the database application's memory than it can handle). What is MOST likely occurring? a. XSRF b. Buffer overflow c. HTML injection d. DNS poisoning
b
During troubleshooting, Chris uses the nslookup command to check the IP address of a host he is attempting to connect to. The IP he sees in the response is not the IP that should resolve when the lookup is done. What type of attack has likely been conducted? a. ARP spoofing b. DNS cache poisoning c. Eavesdropping d. SSL hijacking
b
Homer wants to use digital signatures for his emails and realized he needs a certificate. Which of the following will issue Homer a certificate? a. IT department b. CA (Certificate Authority) c. Email service company d. Recovery agent
b
In what type of attack does the attacker send unauthorized commands directly to a database? a. XSS (cross-site scripting) b. SQL injection c. XSRF (cross-site request forgery) d. Database dumping
b
Joe wants to send a secure email to Marge so he decides to encrypt it. Joe wants to ensure that Marge can verify that he sent it. Which of the following does Marge need to verify the certificate that Joe used in this process in valid? a. The CA (Certificate Authority)'s private key b. The CA's public key c. Marge's public key d. Marge's private key
b
Of the following malware types, which one is MOST likely to monitor a user's computer? a. Trojan b. Spyware c. Ransomwares d. Adware
b
Terry is troubleshooting a network that is experiencing high traffic congestion issues. Which device, if present on the network, should be replaced to alleviate these issues? a. Firewall b. Hub c. Switch d. Router
b
Which list presents the layers of the OSI model in the correct order? a. Presentation, Application, Session, Transport, Network, Data Link, Physical b. Application, Presentation, Session, Transport, Network, Data Link, Physical c. Presentation, Application, Session, Transport, Data Link, Network, Physical d. Application, Presentation, Session, Network, Transport, Data Link, Physical
b
Which of the following terms describes the process of making and using codes to secure the transmission of information? a. Algorithm b. Cryptography c. Steganography d. Philosophy
b
Which of the following choices BEST describes the organizational trigger in insider threats (TWO)? a. High level of physical access controls b. High level of time pressure c. High level of security training d. High availability and easy of acquiring information
b and d
A code review of a web application discovered that the application is not performing boundary checking. What should the web developer add to this application to resolve this issue? a. XSRF b. XSS c. Input validation d. Antivirus software
c
A network administrator is attempting to identify all traffic on an internal network. Which of the following tools in the BEST choice? a. Black box test b. Penetration test c. Protocol analyzer d. Baseline review
c
A security auditor discovered that several employees in the accounting department can print and sign checks. In her final report, she recommended restricting the number of people who can print checks and the number of people who can sign them. She also recommended that no one should be authorized to print and sign checks. What policy is she recommending? a. Role-based access control b. BYOU c. Separation of duties d. Job rotation
c
A telecommuting employee calls into his organization's IT help-desk and asks the help-desk professional to reset his password. Which of the following choices is the BEST choice for what the help-desk professional should do before resetting the password? a. Verify the user's name b. Disable the user's account c. Verify the user's identity d. Enable the user's account
c
An attack that causes a service to fail by exhausting all of a system's resources is what type of attack? a. Worms b. Viruses c. Denial of service attack d. Trojan horses
c
In which type of attack does the attacker attempt to get users' encrypted data by failing the certificate validation process? a. DDoS attack b. Sniffing c. SSL hijacking d. IP spoofing attack
c
Looking at logs for an online web application, you see that someone has entered the following phrase into several queries: 'or '1'='1'-- Which of the following is the MOST likely explanation for this? a. Buffer overflow b. XSS (cross-site scripting) c. SQL injection d. Domain hijacking
c
Malicious users inject malicious code or software in Adobe PDF and MS office and upload it to the cloud service. Customers who download the Adobe PDF and the MS office will also execute the malwares. Which of the following choices BEST describes this example? a. Account hijacking b. Session hijacking c. Nefarious use of cloud computing d. SQL injection
c
Of the following choices, which one is a cloud computing option model that the vendor provides access to a computer, but customers must manage the system, including keeping it up to data with current patches? a. Platform as a Service b. Software as a Service c. Infrastructure as a Service d. Private
c
Rachel at ABC corp. stores her public key where it can be accessed. Alex at XYZ corp. retrieves it and uses it to encrypt his session (symmetric) key. He sends it to Rachel, who decrypts Alex's session key with her private key, and then uses Alex's session key for short-term private communications. What is MOST likely occurring? a. Symmetric encryption b. Asymmetric encryption c. Hybrid encryption d. Hashing
c
Sean wants to ensure that other people cannot view data on his mobile device if he leaves it unattended. What should he implement? a. Encryption b. Cable lock c. Screen lock d. Remote wiping
c
Users in your organization have reported receiving a similar email from the same sender. The email included a link, but after recent training on emerging threats, all the users chose not to click the link. Security investigators determined the link was malicious and was designed to download ransomeware. Which of the following BEST describes the email? a. Phishing b. Spam c. Spear phishing d. Vishing
c
What type of malicious software masquerades as legitimate software to entice the user to run it? a. Virus b. Worm c. Trojan horse d. Rootkit
c
Which important protocol is responsible for providing human-readable addresses instead of numerical IP addresses? a. TCP b. IP c. DNS d. ARP
c
While creating a web application, a developer adds code to limit data provided by users. The code prevents users from entering special characters. Which of the following attacks will this code MOST likely prevent? a. Man-in-the-Middle b. Phishing c. XSS (cross-site scripting) d. Domain hijacking
c
Your organization hosts a web site and the web site accesses a database server in the internal network. ACLs (access control list) on firewalls prevent any connections to the database sever except from the web server. Database fields hosting customer data are encrypted an all data in transit between the web site server and the database several are encrypted. Which of the following represents the GREATEST risk to the data on the server? a. Theft of the database server b. HTML injection c. SQL injection d. Sniffing
c
his hard drive would be formatted. What does this indicate? a. Armored virus b. Backdoor c. Ransomwares d. Trojan
c
jane and Carl work in an organization that includes a PKI (public key). Carl needs to send a message to Jane. What does Carl use in this process? a. Carl's public key b. Carl's private key c. Jane's public key d. Jane's private key
c
5 physical secutrity controls
camera, man trap, key cards, cable lock, screen lock
____________________ validate the identity of the owner of the public key.
certificate authorities
____________________ attacks leverage the fact that users are often logged into multiple sites at the same time and use one site to trick the browser into sending malicious requests to another site without the users' knowledge.
cross site forgery (XSRF or CSRF)
____________________ attacks occur when an attacker embeds malicious scripts without permission in a third-party website that are later run by innocent visitors to that site.
cross-site scripting (XSS)
8. Which of the following terms is used to describe the information used in conjunction with an algorithm to create the ciphertext from the plaintext or derive the plaintext from the ciphertext? a. Cipher b. Code c. Cleartext d. Key
d
A function converts data into a string of characters and the string of characters cannot be reversed to re-create the original data. What type of function is this? a. Symmetric encryption b. Asymmetric encryption c. Stream cipher d. Hashing
d
A war driver is capturing traffic from a wireless network. When an authorized client connects, the attacker is able to implement a brute force attack to discover the encryption key. What type of attack did this war driver use? a. WPS attack b. HTML injection c. Packet injection d. WPA cracking
d
Bart is in a break area outside the office. He told Lisa that he forgot his badge inside and asked Lisa to let him follow her when she goes back inside. What does this describe? a. Spear phishing b. Vishing c. Mantrap d. Tailgating
d
During a forensic investigation, Charles is able to determine the Media Access Control address of a system that was connected to a compromised network. Charles knows that MAC addresses are tied back to a manufacturer or vendor and are part of the fingerprint of the system. To which OSI layer does a MAC address belong? a. The application layer b. The session layer c. The physical layer d. The data link layer
d
HTTP, DNS, and SSL all occur at what layer of the TCP/IP model? a. Layer 1 b. Layer 2 c. Layer 3 d. Layer 4
d
In the well-known ____ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network. a. Zombie-in-the-middle b. Sniff-in-the-middle c. Server-in-the-middle d. Man-in-the-middle
d
Social engineers have launched several successful phone-based attacks against your organization resulting in several data leaks. Which of the following would be MOST effective at reducing the success of these attacks? a. Implement a BYOD (bring your own device) policy b. Update the an AUP (acceptable use policy) c. Implement a least privilege policy d. Implement a program to increase security awareness
d
What term is used to describe a cryptographic method that incorporates mathematical operations involving both a public key and a private key to encipher or decipher a message? a. Private-key encryption b. Symmetric encryption c. Advanced Encryption Standard (AES) d. Asymmetric encryption
d
What type of network device normally connects directly to endpoints and uses MAC-based filtering to limit traffic flows? a. Router b. Hub c. Access point d. Switch
d
Which of the following choices BEST describes the characteristics of malicious insider? a. High loyalty toward their organization b. High level of rationality c. High level of ethical values d. High level of compulsive behavior
d
Which of the following explanations is TCP/IP model? a. Developed by ISO (International organization for standardization) b. 7 layers c. Has presentation layer d. Protocol dependent
d
Which of the following functions does information security perform for an organization? a. Protects the organization's ability to function. b. Enables the safe operation of applications implemented on the organization's IT systems. c. Protects the data the organization collects and uses. d. All of the above.
d
Which of the following wireless security mechanisms is subject to a spoofing attack? a. WEP b. WPA c. WPA 2 Enterprise d. MAC address filtering
d
Which one of the following provides an authentication mechanism that would be appropriate for pairing with a password to achieve two factor authentication? a. Username b. PIN c. Security question d. Fingerprint scan
d
Which term describes an action that can damage or compromise an asset? a. Risk b. Vulnerability c. Countermeasure d. Threat
d
You are planning to deploy a WLAN and you want to ensure it is secure. Which of the following provides the BEST security? a. Implementing WPA b. Disabling SSID broadcast c. Enabling MAC filtering d. Implementing WPA2
d
Your organization maintains a separate wireless network for visitors in a conference room. However, you have recently noticed that people are connecting to this network even when there aren't any visitors in the conference room. You want to prevent theses connections, while maintaining easy access for visitors in the conference room. Which of the following is the BEST solutions? a. Disable SSID broadcasting b. Enable MAC filtering c. Use wireless jamming d. Reduce antenna power
d
You are reviewing security controls and their usefulness. You notice that account lockout policies are in place. Which of the following attacks will these policies thwart? (choose two) a. DNS poisoning b. Replay c. Buffer overflow d. Brute force e. Dictionary
d &e
Digital Certificates are the encrypted messages that can be mathematically proven to be authentic. (if f)
digital signature
A phishing attack "poisons" a domain name on a domain name server.
f
A worm is a self-contained program that has to trick users into running it
f
Hashing functions require the use of keys
f
Hypertext Transfer Protocol (HTTP) encrypts data transfers between secure browsers and secure web pages.
f
IP addresses are eight-byte addresses that uniquely identify every device on the network.
f
Insider attacks usually require the advance knowledge of network
f
Insider threat is always occurred by the insider who has malicious intention (e.g., fraud, unauthorized trading, and espionage).
f
MAC addresses are a unique identifier allotted to communication devices and are not changeable
f
The Transport Layer of the OSI Reference Model creates, maintains, and disconnects communications that take place between processes over the network.
f
The main difference between a virus and a worm is that a virus does not need a host program to infect.
f
Threats are always malicious
f
Threats are always targeted
f
You should use easy-to-remember personal information to create secure passwords
f
In which type of attack does the attacker attempt to take over an existing connection between two systems? e. Man-in-the-middle attack f. URL hijacking g. Session hijacking h. Typosquatting
g
Confidentiality ensures that only those with the rights and privileges to modify information are able to do so. (fthen)
integrity
2 network attacks for each: interruption, modification, interception
interruption = DOS mod= DNS poision, ip spoofing interception= eavesdropping/sniffing, session hijacking, SSL hijacking
The spoofed ARP packets contain the attacker's ________________ and the target's ________________.
mac address/ ip address
____________________ enables a user to allow third-party application to access APIs on that user's behalf; for example, when Facebook asks a user if a new application can have access to his photos.
oauth
Please compare TCP/IP model with OSI model
osi protocol independent and has 7 layers whole tcp/ip is dependent and has 4 layers (-presentation, session, and physical)
5 factors for authentication
password, pin, retina scan, fingerprint, security question,
3 types of controls
procedural, technical, educational
Within the context of information security, ____________________ is the process of using interpersonal skills to convince people to reveal access credentials or other valuable information to the attacker
social engineering
IaaS (Infrastructure as a Service) gives the customer access to applications running in the cloud. (fthen)
software as a service
Distinguish between vulnerability, threat, and control
something wrong with system others can exploit, something that causes danger to the system, and a control is what you do to prevent the other 2
. ____________________ is a technique used to gain unauthorized access to computers, wherein the intruder sends messages to a computer that has an IP address that indicates that the messages are coming from a trusted host and not the actual source computer.
spoofing
. ARP (address resolution protocol) works for mapping an IP address to a MAC address.
t
A phishing email is a fake or bogus email intended to trick the recipient into clicking on an embedded URL link or opening an email attachment.
t
A successful denial of service (DoS) attack may create so much network congestion that authorized users cannot access network resources.
t
ARP spoofing attack "poisons" the ARP table mapping an IP address to a MAC address. (fthen)
t
An Application Program Interface (API) refers to tools for creating software applications.
t
An insider threat is occurred by a current or former employee, contractor or business partner who has or had authorized access to an organization's network systems, data or premises.
t
Attacks against confidentiality and privacy, data integrity, and availability of services are always malicious code can threaten businesses.
t
Cloud venders expose a set of software interface or APIs in which customers use to interact with cloud services
t
Cookies are designed for websites to remember stateful information (e.g., items added in the cart in Amazon.com. (fthen)
t
Cookies are inherently harmless
t
Fingerprints, palm prints and retina scans are types of biometrics
t
Hypertext Transfer Protocol (HTTP) is the communications protocol between web browsers and websites with data in clear text
t
PKI systems are based on public-key cryptosystems and include digital certificates and certificate authorities.
t
Popular cryptosystems use a hybrid combination of symmetric and asymmetric algorithms
t
Pure asymmetric key encryption is not widely used, except with digital certificates.
t
TCP/IP is a set of protocols that operates at both the Network and Transport layers of the OSI Reference Model.
t
The investigation phase of the Security Systems Development Life cycle (SecSDLC) begins with a directive from upper management.
t
The term "router" describes a device that connects two or more networks and selectively interchanges packets of data between them.
t
To be secure interfaces and APIs, strong authentication and access controls are required with encrypted transmission
t
Unlike viruses, worms do NOT require a host program in order to survive and replicate.
t
WAP (wireless access point) is the connection between a wired and wireless network
t
What is the difference between MAC spoofing and ARP spoofing?
t
____________________ is initiated by upper management with issue policy, procedures, and processes.
top down approach
. ____________________ is a technique used to gain unauthorized access to Wi-Fi wireless network by driving vehicle.
wardriving
WEP (Wired Equivalent Privacy) is the strongest encryption protocol for the wireless network. (fthen)
wpa2 (or 3)