Chapter 1 & 2

Vulnerability

Is a weakness in a device system application or process that might allow an attack to take place.

Threat

Is an outside force that may exploit a vulnerability.

CVSS

Common Vulnerability Scoring System it is often used to help describe vulnerability using a numerical score.

WAF

Web Application Firewall are specialized firewalls designed to protect against web application attacks such as SQL injection and cross-site scripting.

Risk

is the combination of a threat and corresponding vulnerability.

802.1X

A port-based authentication protocol. Wireless can use 802.1X. For example, WPA2-Enterprise mode uses an 802.1X server (implemented as a RADIUS server) to add authentication.

During the reconnaissance stage of a penetration test, Cynthia needs to gather information about the target organization's network infrastructure without causing an IPS to alert the target to her information gathering. Which of the following is her best option? A. Perform a DNS brute-force attack. B. Useannmappingsweep. C. PerformaDNSzonetransfer. D. Useannmapstealthscan

A. While it may seem strange, a DNS brute-force attack that queries a list of IPs, common subdomains, or other lists of targets will often bypass intrusion detection and prevention systems that do not pay particular attention to DNS queries. Cynthia may even be able to find a DNS server that is not protected by the organization's IPS!

Angela is designing her organization's data center network and wants to establish a secure zone and a DMZ. If Angela wants to ensure that user accounts and traffic that manage systems in the DMZ are easily auditable and that all access can be logged while helping prevent negative impacts from compromised or infected workstations, which of the following solutions is Angela's best design option? A. Administrative virtual machines run on administrator workstations B. A jump host C. A bastion host D. Use ssh or RDP from administrative workstations

B. A jump host, or jump box, allows for easier logging of administrative access and can serve as an additional layer of protection between administrative workstations and the protected network. In this case, Angela's needs are best served by a jump host. Bastion hosts are fully exposed to attacks; administrative virtual machines can be useful but don't make central auditing quite as easy and may allow a compromised virtual machine host to be a problem. Finally, direct ssh or RDP requires auditing of all administrative workstations and could allow a compromised workstation to cause issues by allowing it to directly connect to the secure network.

Maria wants to deploy an anti-malware tool to detect zero-day malware. What type of detection method should she look for in her selected tool? A. Signature based B. Heuristic based C. Trendbased D. Availability based

B. Heuristic detection methods run the potential malware application and track what occurs. This can allow the anti-malware tool to determine whether the behaviors and actions of the program match those common to malware, even if the file does not match the fingerprint of known malware packages.

After filling out the scoping document for a penetration test, including details of what tools, techniques, and targets are included in the test, what is the next step that Jessica needs to take to conduct the test? A. Port scan the target systems. B. Getsign-offonthedocument. C. Begin passive fingerprinting. D. Notifylocallawenforcement.

B. While it may be tempting to start immediately after finishing scoping, Jessica's next step should be to ensure that she has appropriate sign- off and agreement to the scope, timing, and effort involved in the test.

Charles wants to use active discovery techniques as part of his reconnaissance efforts. Which of the following techniques fits his criteria? A. Google searching B. Using a Shodan search C. Using DNS reverse lookup D. QueryingaPGPkeyserver

C. DNS reverse lookup is an active technique. Google and Shodan are both search engines, while a PGP key server does not interact with the target site and is considered passive reconnaissance. If you're not immediately familiar with a technique or technology, you can often reduce the possible options. Here, ruling out a Google search or querying a PGP server are obviously not active techniques, and Shodan also says it is a search, making a DNS reverse lookup a good guess, even if you're not familiar with it.

Chris wants to prevent remote login attacks against the root account on a Linux system. What method will stop attacks like this while allowing normal users to use ssh? A. Addaniptablesruleblockingrootlogins. B. Add root to the sudoers group. C. Changesshd_configtodenyrootlogin. D. Add a network IPS rule to block root logins.

C. Fortunately, the sshd service has a configuration setting called PermitRootLogin. Setting it to no will accomplish Chris's goal.

A port scan of a remote system shows that port 3306 is open on a remote database server. What database is the server most likely running? A. Oracle B. Postgres C. MySQL D. Microsoft SQL

C. MySQL uses port 3306 as its default port. Oracle uses 1521, Postgres uses 5432, and Microsoft SQL uses 1433/1434.

Charleen is preparing to conduct a scheduled reconnaissance effort against a client site. Which of the following is not typically part of the rules of engagement that are agreed to with a client for a reconnaissance effort? A. Timing B. Scope C. Exploitation methods D. Authorization

C. Reconnaissance efforts do not include exploitation, and Charleen should not expect to need to include exploitation limitations in the rules of engagement. If she was conducting a full penetration test, she would need to make sure she fully understands any concerns or limitations her client has about exploitation of vulnerabilities.

Tiffany needs to assess the patch level of a Windows 2012 server and wants to use a freely available tool to check the system for security issues. Which of the following tools will provide the most detail about specific patches installed or missing from her machine? A. nmap B. Nessus C. MBSA D. Metasploit

C. The Microsoft Baseline Security Analyzer (MBSA) is a tool provided by Microsoft that can identify installed or missing patches as well as common security misconfigurations. Since it is run with administrative rights, it will provide a better view than normal nmap and Nessus scans and provides more detailed information about specific patches that are installed. Metasploit provides some limited scanning capabilities but is not the best tool for the situation.

Charles wants to provide additional security for his web application that currently stores passwords in plain text in a database. Which of the following options is his best option to prevent theft of the database from resulting in exposed passwords?

D. bcrypt is a strong password hashing algorithm that includes salts for the stored values. If Charles uses bcrypt, he will have made the best choice from the list, as both MD5 and SHA-1 are not as strong, even with a salt. Encrypting the database may seem like a good idea, but storing plain-text passwords means that an exploit that can read the database while it is decrypted will get plain-text passwords!

NAC

Network access control solutions help security professionals achieve two cybersecurity objectives: limiting network access to authorized individuals and ensuring that systems accessing the organizations network meet basic security requirement.

NGFW's

Next-Generation Firewalls incorporate even more information into their decision-making process, including contextual information about users application and business process.

RADIUS

Remote Authentication Dial-In User Service

In Band Vs. Out-of-band

This IPS is placed inline, so traffic will have to pass through it to make it to it's destination. This not only allows it to monitor traffic, but also block it. The other system simply monitors traffic that travels through the network by having a copy of the traffic sent to it. It can only notify and send alerts to the administrator.

Agent-based vs. agentless

This NAC solution requires the clients to have the software installed that allows the client to authenticate to the system and the NAC to determine the health of the system. The other NAC solution does not require the clients to have the software installed, instead the NAC checks performed by the authentication server as part of the logon process.