CompTIA Security+ SY0-501 Certification Practice Exam
What is the recommended humidity level for server rooms?
50% EXPLANATION Keep humidity between 40 and 60 percent to prevent electrostatic discharge (ESD). EDS causes electrical charges that can damage computer components.
After an intrusion has occurred and the intruder has been removed from the system, which of the following is the best next step or action to take?
Back up all logs and audits regarding the incident EXPLANATION The first step after an intrusion is to retain the documentation about the incident. Making backups of the logs and audits will ensure that future investigations will have sufficient information regarding the incident. If you were unable to discover the identity of the perpetrator or means of attack, future review of the evidence or comparison with other incidents may reveal important details or patterns. After audit trails are secured, then repairing damage, deploying new countermeasures, and updating the security policy are reasonable activities to perform.
You want to connect a laptop computer running Windows to a wireless network. The wireless network uses multiple access points and WPA2-Personal. You want to use the strongest authentication and encryption possible. SSID broadcast has been disabled. What should you do?
Configure the connection with a pre-shared key and AES encryption. EXPLANATION To connect to the wireless network using WPA2-Personal, you will need to use a pre-shared key for authentication. AES encryption is supported by WPA2 and is the strongest encryption method. WPA and WPA2 designations that include Personal or PSK use a pre-shared key for authentication. Methods that include Enterprise use a RADIUS server for authentication and 802.1x authentication with usernames and passwords.
What type of password is maryhadalittlelamb?
Pass phrase EXPLANATION A pass phrase is a password based on a phrase, such as maryhadalittlelamb. Cognitive passwords are passwords that relate to things that people know, such as a mother's maiden name or the name of a pet. A static password is created by a user and overseen by an administrator. Composition passwords are created by the system and are usually two or more unrelated words divided by symbols on the keyboard.
Which form of alternate site is the cheapest, but may not allow an organization to recover before reaching their maximum tolerable downtime?
Reciprocal agreement EXPLANATION A reciprocal agreement is a contract between two organizations that states in the event of a disaster they will aid each other by sharing their IT processing capabilities. Reciprocal agreements have no initial cost related to them. However, most organizations can barely support their own IT needs, much less the needs of an entire second organization. A hot site, warm site, and service bureau contracts are all costly alternatives, but offer reasonable if not reliable assurance of recovery in the event of a disaster.
Which of the following tools allow for remote management of servers? (Select two.)
Telnet SSH EXPLANATION Both Telnet and SSH are tools for remote server management. POP3 is for retrieving email from a remote server, and FTP is for transferring files.
You have implemented account lockout with a clipping level of 4. What will be the effect of this setting?
The account will be locked after four incorrect attempts. EXPLANATION The clipping level specifies the number of incorrect attempts that will trigger account lockout. In this example, four incorrect passwords would lock the user account. Account lockout duration specifies how long the account remains locked. Incorrect login attempts are typically cleared after a successful login or after a predetermined time passes. The salt value is a random value that ensures that hashes of the same password result in different hashes.
What chage command should you use to set the password for jsmith to expire after 60 days and give a warning 10 days before it expires? (Tip: Enter the command as if at the command prompt.)
chage -M 60 -W 10 jsmith EXPLANATION chage -M 60 -W 10 jsmith sets the password for jsmith to expire after 60 days and gives a warning 10 days before it expires. Use chage to set user passwords to expire. Be aware of the following options: · -M sets the maximum number of days before the password expires. · -W sets the number of days before the password expires that a warning message displays. · -m sets the minimum number of days that must pass after a password has been changed before a user can change the password again. Note: Look in the /etc/shadow file to see current limits for users.
Which of the following are denial of service attacks? (Select two.)
Fraggle Smurf EXPLANATION Smurf and Fraggle attacks are both denial of service attacks. A smurf attack spoofs the source address in ICMP packets and sends the ICMP packets to an amplification network (bounce site). The bounce site responds to the victim site with thousands of messages that he did not send. A Fraggle attack is similar to a Smurf attack, but uses UDP packets directed to port 7 (echo) and port 19 (chargen - character generation). A salami attack is not a denial of service attack. A salami attack is when a small amount of information, data, or valuables are taken over a period of time. The result is to construct or obtain data or property of great value. A common example of a salami attack is to deposit the fractions of cents from an accounting program into a numbered account. Eventually, the fraction deposits total a significant sum. Hijacking is an attack directed at authentication. Hijacking is stealing an open and active communication session from a legitimate user (an extension of a man-in-the-middle attack). The attacker takes over the session and cuts off the original source device.
Users in the Sales department perform many of their daily tasks, such as emailing and creating sales presentations, on their personal tablets. The chief information officer worries that one of these users might also use their tablet to steal sensitive information on the organization's network. Your job is to implement a solution that can prevent insiders from accessing sensitive information stored on the organization's network from their personal devices while giving them access to the internet. Which of the following should you implement?
A guest wireless network that is isolated from your organization's production network EXPLANATION A guest wireless network that is isolated from your organization's production network allows user-owned devices to gain internet access, but quarantines them from sensitive information on your organization's production network. A mobile device management infrastructure, such as Microsoft Intune, can be used to wipe data from a device that has been lost or stolen. A network access control solution can remediate devices before allowing them to connect to your network. An acceptable use policy can be used to define what kind of data is allowed and prohibited on personally-owned devices.
Which of the following is the strongest form of multi-factor authentication?
A password, a biometric scan, and a token device EXPLANATION A password, a biometric scan, and a token device together are the strongest form of multi-factor authentication listed here. Multifactor authentication is any combination of two or more of the same or different authentication factors. The three common authentication factor types are Something You Know (such as a password), Something You Have (such as a smart card or a token device), and Something You Are (such as a biometric quality, like a fingerprint). The other three options are all weaker forms of multi-factor authentication. A password and a biometric scan is a multi-factor authentication system, but it is also an example of two-factor authentication. Two-factor authentication is any combination of two or more different authentication factors. Two passwords is an example of multi-factor authentication, but since it uses two of the same type of factors, it is not a true two-factor authentication method.
Which of the following advantages can single sign-on (SSO) provide? (Select two.)
Access to all authorized resources with a single instance of authentication The elimination of multiple user accounts and passwords for each individual EXPLANATION A properly designed single sign-on (SSO) system can reduce human error and system administration time by providing access to all authorized resources with a single instance of authentication through a single set of user credentials. Enhanced password complexity is not a direct function of SSO, although enhanced security may be achieved by eliminating multiple credentials for individual authentication and enforcing password complexity policies. SSO is not a replacement for sound security policies or properly configured systems. Implementation of an SSO system can be challenging, as all systems and applications must be capable of utilizing a common method of authentication.
You have a shared folder named Reports. Members of the Managers group have been given write access to the shared folder. Mark Mangum is a member of the Managers group. He needs access to the files in the Reports folder, but should not have any access to the Confidential.xls file. What should you do?
Add Mark Mangum to the ACL for the Confidential.xls file with Deny permissions. EXPLANATION To prevent Mark from accessing one file, edit the ACL for that file, add his user account to the ACL, and configure Deny permissions. The Deny permission configured on the file override the Write permissions granted to the folder through the group. Removing Mark from the group would prevent access to the entire folder, not just to the one file. Configuring Deny permissions to the folder for Mark would also prevent access to the entire folder.
While browsing the internet, you notice that the browser displays ads that are targeted towards recent keyword searches you have performed. What is this an example of?
Adware EXPLANATION Adware monitors actions that denote personal preferences, then sends pop-ups and ads that match those preferences. Adware: · Is usually passive · Is privacy-invasive software · Is installed on your machine by visiting a particular website or running an application · Is usually more annoying than harmful A logic bomb is designed to execute only under predefined conditions and lays dormant until the predefined condition is met. A worm is a self-replicating virus. A zombie is a computer that is infected with malware that allows remote software updates and control by a command and control center called a zombie master.
You want to allow e-commerce websites that you visit to keep track of your browsing history for shopping carts and other information, but want to prevent that information from being tracked by sites linked to the sites you explicitly visit. How should you configure the browser settings?
Allow first party cookies, but block third-party cookies EXPLANATION Cookies are text files that are stored on a computer to save information about your preferences, browser settings, and webpage preferences. First party cookies are cookies used by the site you are visiting; third party cookies are cookies placed by sites linked to the site you are visiting. For example, banner ads on a website might place cookies on your machine to identify ads you have already seen or ads you have clicked on. ActiveX and Java are executable programs that run in the browser. While they could be written to track user history, they would typically use cookies for storing that information. Cross-site scripting (XSS) is an attack that injects scripts into webpages. When the user views the webpage, the malicious scripts run, allowing the attacker to capture information or perform other actions. Phishing uses links that appear legitimate, but are directed to false websites for the purpose of installing malware or gathering information from users.
When a malicious user captures authentication traffic and replays it against the network later, what is the security problem you are most concerned about?
An unauthorized user gaining access to sensitive resources EXPLANATION When a malicious user captures authentication traffic and replays it against the network later, the security problem you are most concerned about is an unauthorized user gaining access to sensitive resources. Once a replay attack has been successful, the attacker has the same access to the system as the user from whom the authentication traffic was captured.
Match the application-aware network device on the right with the appropriate description on the left. Each description may be used once, more than once, or not at all.
Application-aware proxy: Improves application performance Application-aware firewall: Enforces security rules based on the application that is generating network traffic instead of the traditional port and protocol Application-aware IDS: Analyzes network packets to detect malicious payloads targeted at application-layer services EXPLANATION An application-aware device has the ability to analyze and manage network traffic based on the application-layer protocol that created it. Examples include the following: · An application-aware firewall can enforce security rules based on the application that is generating network traffic instead of the traditional port and protocol. · An application-aware IDS or IPS can analyze network packets to detect malicious payloads targeted at application-layer services (such as a web server). · An application-aware proxy manages traffic based on the application-layer protocol(s) it supports, such as FTP or HTTP. This allows an application-aware proxy to prevent the application client from performing undesirable actions. It can also improve application performance. For example, an HTTP proxy can be configured to cache frequently-accessed web pages. A network access control (NAC) solution defines security measures that must be in place for a computer requesting access to the network.
Which of the following is the term for the process of validating a subject's identity?
Authentication EXPLANATION Authentication is the process of validating a subject's identity. It includes the identification process, the user providing input to prove identity, and the system accepting that input as valid. Authorization is granting or denying a subject's access to an object based on the level of permissions or the actions allowed on the object. Identification identifies the subject. Examples include a user name or a user ID number. Auditing is maintaining a record of a subject's activity within the information system.
What is the most common attack waged against Web servers?
Buffer overflow EXPLANATION The most common attack waged against Web servers is buffer overflow attacks. Web servers are notorious for being unprotected against a wide range of buffer overflow vulnerabilities. A buffer overflow occurs when software code receives too much input than it was designed to handle and when the programmer of that code failed to include input validation checks. When a buffer overflow occurs, the extra data is pushed into the execution stack and processed with security context of the system itself. In other words, a buffer overflow attack often allows the attacker to perform any operation on a system. Brute force attacks are typically waged against logon prompts or stolen copies of a security accounts database. Data diddling is usually waged against production machines. Birthday attacks are used against hashing algorithms and thus used in many password and logon attack mechanisms.
If your organization relies on high-end customized software developed by an external company, what security precaution should be implemented to protect yourself against the software developer going out of business?
Code escrow EXPLANATION Code escrow should be implemented. Code escrow is a storage facility hosted by a trusted third party that ensures access to the mission-critical code even if the development company goes out of business. An SLA is a guarantee of a specific level of service from a vendor. Outsourcing is what is already occurring by using code developed by an external entity. Biometric access controls are not applicable to this situation.
Which of the following is a recovery site that may have electricity connected, but there are no servers installed and no high-speed data lines present?
Cold site EXPLANATION A cold site is a recovery site that may have electricity connected, but there are no servers installed and no high-speed data lines present. A cold site does not offer an adequate route to recovery for most organizations. A hot site is a real-time full mirror of the primary site. It is fully functional and ready for immediate use 24/7. A warm site is partially configured and may require days or weeks to bring up to production level. A reciprocal agreement is not a form of recovery site; instead, it is a non-enforceable agreement between two companies to assist each other in the event of a disaster.
An attacker is using an eavesdropping technique called Van Eck phreaking on a networking closet. Which of the following describes what the attacker is doing?
Collecting electronic emissions EXPLANATION Attackers who collect electronic emissions coming from your networking closet are using an eavesdropping technique called Van Eck phreaking. A Faraday cage can be used to prevent this type of attack.
Need to know access is required to access which types of resources?
Compartmentalized resources EXPLANATION Need to know access is required to retrieve compartmentalized resources. Within any classification level of a MAC environment, data can be compartmentalized and requires the additional access control clearance of need to know for access clearance. Need to know is not specifically limited to or required by either high- or low-security resources. In a MAC environment, there is no concept of ownership.
You have a small network of devices connected using a switch. You want to capture the traffic that is sent from Host A to Host B. On Host C, you install a packet sniffer that captures network traffic. After running the packet sniffer, you cannot find any captured packets between Host A and Host B. What should you do?
Configure port mirroring EXPLANATION You need to configure port mirroring on the switch. In a network that uses a switch, network traffic is sent through the switch to only the destination device. In this scenario, Host C will only receive broadcast traffic and traffic addressed to its own MAC address. With port mirroring, all frames sent to all other switch ports will be forwarded on the mirrored port. Alternatively, you could put Host C on the same switch port as either Host A or Host B using a hub. All devices connected to the hub will be able to see the traffic sent to all other devices connected to the hub. Changing the MAC address on Host C would cause a conflict with duplicate addresses being used. Setting the default gateway would not affect the path of packets on the LAN. The default gateway is only used for traffic that goes outside of the current subnet.
You are the network administrator for a city library. Throughout the library are several groups of computers that provide public access to the Internet. Supervision of these computers has been difficult. You've had problems with patrons bringing personal laptops into the library and disconnecting the network cables from the library computers to connect their laptops to the Internet. The library computers are in groups of four. Each group of four computers is connected to a hub that is connected to the library network through an access port on a switch. You want to restrict access to the network so only the library computers are permitted connectivity to the Internet. What can you do?
Configure port security on the switch. EXPLANATION Configuring port security on the switch can restrict access so that only specific MAC addresses can connect to the configured switch port. This would prevent the laptop computers from being permitted connectivity. Placing each library computer on its own access port would have no effect. VLANs are used to group broadcast traffic and do not restrict connectivity of devices as needed in this scenario.
You have decided to implement a remote access solution that uses multiple remote access servers. You want to implement RADIUS to centralize remote access authentication and authorization. Which of the following would be a required part of your configuration?
Configure the remote access servers as RADIUS clients. EXPLANATION When configuring a RADIUS solution, configure a single server as a RADIUS server. Then configure all remote access servers as RADIUS clients. Certificate-based authentication can be used with a RADIUS solution, but is not a requirement.
Use of which of the following is a possible violation of privacy?
Cookies EXPLANATION Use of cookies is a possible violation of privacy. Cookies can be used to record information about your computer system, your web surfing habits, and much more. Secured environments should restrict the use of cookies on all web browsers and other internet service utilities. The use of Java, VPNs, and FTP do not usually represent privacy violations.
Which of the following reduce the risk of a threat agent being able to exploit a vulnerability?
Countermeasures EXPLANATION A countermeasure is a means of mitigating potential risk. Countermeasures reduce the risk of a threat agent being able to exploit a vulnerability. An appropriate countermeasure: · Must provide a security solution to an identified problem · Should not depend on secrecy · Must be testable and verifiable · Must provide uniform or consistent protection for all assets and users · Should be independent of other safeguards · Should require minimal human intervention · Should be tamper-proof · Should have overrides and fail-safe defaults
You want to store your computer-generated audit logs in case they are needed in the future for examination or to be used as evidence in the event of a security incident. Which method can you use to ensure that the logs you put in storage have not been altered when you go to use them in the future?
Create a hash of each log. EXPLANATION Use a hash to verify that the contents of a log have not been altered. When you go to analyze the logs, take another hash and compare the new hash to the original hash. If the hashes match, then the logs have not been altered. Storing logs offsite makes them harder to access and alter, and prevents a disaster at your main location from destroying the logs. Encrypting the logs protects the log confidentiality, but does not prevent them from being altered nor can it prove that the logs have not been altered. Creating two copies of the logs ensures that a single disaster will not destroy the logs. Comparing both logs to make sure they match does not guarantee that someone didn't alter both copies. In addition, if a disaster destroys one copy of the logs, you would not have a way to verify that the copy that remains has not been altered.
Which of the following is not a protection against session hijacking?
DHCP reservations EXPLANATION DHCP reservations are not a protection against session hijacking. If a valid MAC address can be discovered, then an IP address is handed out freely to the spoofed client by the DHCP server. Packet sequencing and time stamps prevent session hijacking by disallowing packets that are out of order or have expired. Anti-IP spoofing checks the identity of the host before allowing communication to occur, even if the IP address is known.
Which of the following is the best protection against security violations?
Defense in-depth EXPLANATION Defense in-depth is the best protection against security violations. Monolithic security and fortress mentality are both poor security perspectives, as they rely upon a single protection mechanism. Bottom-up decision-making is a poor security process, as it does not firmly establish responsibility, management control, or standards enforcement. Ultimately, such a process will lead to chaos rather than security.
In a high-security environment, what is the most important concern when removable media is no longer needed?
Destruction EXPLANATION The most important concern is the destruction of the media. In a high-security environment, removable media is not reused. After the media is no longer needed, it must be destroyed. Labeling is important, but it is important before removable media is put into use, not after. Re-use and purging are not secure activities in a high-security environment. Re-using media can result in confidentiality compromise. Purging is rarely sufficient to fully remove data.
What is the purpose of audit trails?
Detect security-violating events EXPLANATION The purpose of audit trails is to detect security-violating events or actions. Auditing itself is used to prevent security breaches and audit trails are a detective control. Neither auditing nor audit trails correct problems or restore systems to normal operations. That is done by the IT staff that inspects the contents of audit trails and creates a solution that is then implemented into the environment via the security policy.
When securing a newly deployed server, which of the following rules of thumb should be followed?
Determine unneeded services and their dependencies before altering the system EXPLANATION The best rule of thumb when securing a system is to determine the unneeded services and their dependencies before altering the system. If you don't perform the research before altering the system, you may inadvertently disable an essential service or fail to disable a service with significant vulnerabilities. Altering a system without researching, performing a change and test method, or even blindly disabling all services of a specific type are not reliable means to improve security on a system.
Which of the following best describes Bluesnarfing?
EXPLANATION Bluesnarfing is the use of a Bluetooth connection to gain unauthorized access to an existing Bluetooth connection between phones, desktops, laptops, or PDAs. Bluesnarfing allows access to view the calendar, emails, text messages, and contact lists. Many Bluetooth devices have built-in features to prevent bluesnarfing, but it is still a known vulnerability. Bluejacking is a rather harmless practice that entails an unknown sender sending business cards anonymously to a Bluetooth recipient within a distance of 10-100 meters, depending on the class of the Bluetooth device. The business cards usually include a flirtatious message so the attacker to see a visual reaction from the recipient. Multiple messages are sent to the device if the attacker thinks there is a chance they will be added as a contact. Bluetooth devices are not susceptible to bluejacking if they are set to non-discoverable mode. Bluebugging gives an attacker access to all mobile phone commands that use Bluetooth technology, such as initiating phone calls, sending and receiving messages, eavesdropping, and reading and writing phone book contacts. Only highly-skilled individuals can perform bluebugging.
Which of the following are disadvantages to server virtualization?
EXPLANATION Virtualization allows a single physical machine (known as the host operating system) to run multiple virtual machines (known as the guest operating systems). The virtual machines appear to be self-contained and autonomous systems. Disadvantages of virtualization include: · An attack on the host machine could compromise all guest machines operating on that host. · A bottleneck or failure of any hardware component that is shared between multiple guests, such as a failure in a disk subsystem, could affect multiple virtual machines. · While administration is centralized, virtualization is a newer technology and requires new skills, and managing virtual servers could add complexity. A compromise of a guest system is typically limited to that system only because each virtual machine is kept partitioned from other guest machines. System isolation, if configured, is an advantage of virtualization. Isolation is typically used for testing purposes and prevents unreliable applications from interfering with other systems. Virtual systems do not need to be isolated; they can be configured to have full network access to other virtual machines or other network devices. An advantage of virtualization is reduced hardware costs.
In addition to Authentication Header (AH), IPSec is comprised of what other service?
Encapsulating Security Payload (ESP) EXPLANATION IPSec is comprised of two services. One service is named Authentication Header (AH), and the other named Encapsulating Security Payload (ESP). AH is used primarily for authenticating the two communication partners of an IPSec link. ESP is used primarily to encrypt and secure the data transferred between IPSec partners. IPSec employs ISAKMP for encryption key management.
Which of the following is a secure alternative to FTP that uses SSL for encryption?
FTPS EXPLANATION FTP Secure (FTPS) adds SSL or TLS to FTP to secure login credentials and encrypt data transfers. FTPS requires a server certificate. Secure Shell File Transfer Protocol (SFTP) is a file transfer protocol that uses Secure Shell (SSHv2) to secure data transfers. SFTP is not FTP that uses SSH, but rather a secure transfer protocol that is different from FTP. Secure Copy Protocol (SCP) uses the Secure Shell protocol (SSHv1) to secure file transfers and login credentials. Remote Copy Protocol (RCP) is an unsecured protocol for file transfer.
Google Cloud, Amazon Web Services, and Microsoft Azure are some of the most widely used cloud storage solutions for enterprises. Which of the following factors prompt companies to take advantage of cloud storage? (Select two.)
Growing demand for storage Need to bring costs down EXPLANATION Some of the most widely used cloud storage for enterprises are Google Cloud, Amazon Web Services, and Microsoft Azure. Because of the growing demand for storage and desire to bring costs down, many companies have been taking advantage of cloud storage.
Which of the following devices is computer software, firmware, or hardware that creates and runs virtual machines?
Hypervisor EXPLANATION A hypervisor is computer software, firmware, or hardware that creates and runs virtual machines. A computer on which a hypervisor runs one or more virtual machines is called a host machine. Each virtual machine is called a guest machine. The hypervisor provides the guest operating systems with a virtual operating platform and manages the execution of the guest operating systems.
An access control list (ACL) contains a list of users and allowed permissions. What is it called if the ACL automatically prevents access to anyone who is not on the list?
Implicit deny EXPLANATION With implicit deny, users or groups that are not specifically given access to a resource are denied access. Implicit deny means that there is an assumed or unstated deny that prevents access to anyone not explicitly on the list. Explicit deny identifies users or objects that are not granted access. Explicit allow specifically identifies the objects that are allowed access. Implicit allow is a policy that allows access unless it is explicitly denied (this ACL type is rarely used).
What is the most common failure of a security policy in an environment?
Lack of user awareness EXPLANATION The most common failure of a security policy in an environment is the lack of user awareness. If users are not aware of the policies to follow or procedures to comply with, they will not know how to perform their work tasks securely. When an organization makes an effort to produce a security policy, improperly outlined procedures are rarely a problem. This issue is usually discovered and corrected early in the security policy development process. Overlooking critical assets is not a common problem. During the asset identification stage of risk analysis and security policy development, every asset of an organization is examined for importance. A security policy is not complete unless it assigns specific tasks and responsibilities to roles and individuals within the organization.
When a SYN flood is altered so that the SYN packets are spoofed in order to define the source and destination address as a single victim IP address, the attack is now called what?
Land attack EXPLANATION A land attack is a SYN flood where the source and destination address of the SYN packets are both defined as the victim's IP address. A fraggle attack uses UDP packets, not SYN packets from TCP. An impersonation attack is not usually a protocol attack; it is simply taking on an authorized identity in order to gain entry into a secured environment. An analytic attack is an attack on the algorithm of a cryptography system.
Which of the following networking devices or services prevents the use of IPSec in most cases?
NAT EXPLANATION Typically, IPSec cannot be used when static IP addresses are not used by both communication partners. NAT proxy performs network address translation on all communications. For this reason, the IP address seen for a system outside of the proxied network is not that system's real IP address. This prevents the use of IPSec. IPSec can be deployed without problems with the presence of firewalls, routers, and switches. However, in the case of firewalls, you will need to configure special access ports to allow IPSec traffic to pass.
You manage a small network at work. Users use workstations connected to your network. No portable computers are allowed. As part of your security plan, you would like to implement scanning of e-mails for all users. You want to scan the e-mails and prevent any e-mails with malicious attachments from being received by users. Your solution should minimize administration, allowing you to centrally manage the scan settings. Which solution should you use?
Network based firewall EXPLANATION A network-based firewall inspects traffic as it flows between networks. For example, you can install a network-based firewall on the edge of your private network that connects to the Internet and scans all incoming e-mail. Scanning e-mail as it arrives at your e-mail server allows you to centralize management and stop malicious e-mails before they arrive at client computers. A demilitarized zone (DMZ), also called a screened subnet, is a buffer network (or subnet) that sits between the private network and an untrusted network (such as the Internet). SMTP is an e-mail protocol used by e-mail servers for sending mail.
You have a web server that will be used for secure transactions for customers who access your company's website over the internet. The web server requires a certificate to support SSL. Which method would you use to get a certificate for the server?
Obtain a certificate from a public PKI EXPLANATION Computers must trust the CA that issues a certificate. For computers that are used on the internet and accessible to public users, obtain a certificate from a public CA such as VeriSign. By default, most computers trust well-known public CAs. Use a private PKI to issue certificates to computers and users within your own organization. You configure computers to trust your own PKI, so certificates issued by your internal CAs are automatically trusted. A certificate generated by a server is called a self-signed certificate. A self-signed certificate provides no proof of identity because any other server can claim to be that server just by issuing itself a certificate.
Users in your organization receive email messages informing them that suspicious activity has been detected on their bank accounts. They are directed to click a link in the email to verify their online banking user name and password. The URL in the link is in the .ru top-level DNS domain. What kind of attack has occurred?
Phishing EXPLANATION A phishing scam uses an email pretending to be from a trusted organization and asks you to verify personal information or send money. In a phishing attack: · A fraudulent message (which appears to be legitimate) is sent to a target. · The message requests that the target visit a fraudulent website (which also appears to be legitimate). Graphics, links, and web pages look almost identical to legitimate requests from legitimate websites. · The fraudulent website requests that the victim provide sensitive information, such as an account number and password. An SMTP relay is an email server that accepts mail and forwards it to other mail servers. In a buffer overflow attack, a program, while writing data to a memory buffer, overruns the buffer's boundary and writes data in adjacent memory addresses.
Which of the following recommendations should you follow when placing access points to provide wireless access for users within your company building?
Place access points above where most clients are. EXPLANATION When placing wireless access points: · Devices often get better reception from access points that are above or below. · If possible, place access points high up to avoid interference problems caused by going through building foundations. · For security reasons, do not place APs near outside walls. The signal will extend outside beyond the walls. Placing the AP in the center of the building decreases the range of the signals available outside of the building. · When using multiple access points, place access points evenly throughout the area, taking care to minimize the overlap of the broadcast area while ensuring adequate coverage for all areas.
What form of access control is based on job descriptions?
Role-based access control (RBAC) EXPLANATION RBAC is based on job descriptions. DAC is based on identity. MAC is based on rules. LBAC is based on geography or logical designations.
Which access control model manages rights and permissions based on job descriptions and responsibilities?
Role-based access control (RBAC) EXPLANATION Role-based access control (RBAC) is the access control model that manages rights and permissions based on job descriptions. RBAC focuses on job descriptions or work tasks instead of employing user accounts to define access. RBAC is best suited for environments that have a high rate of employee turnover. By defining access based on roles rather than individuals, administration is simplified when granting a new person access to common activities. DAC is based on user accounts. MAC is based on security labels, classifications, or clearances. TBAC is based on work tasks.
You have a website that accepts input from users for creating customer accounts. Input on the form is passed to a database server where the user account information is stored. An attacker is able to insert database commands in the input fields and have those commands execute on the server. Which type of attack has occurred?
SQL injection EXPLANATION A SQL injection attack occurs when an attacker includes database commands within user data input fields on a form, and those commands subsequently execute on the server. The injection attack succeeds if the server does not properly validate the input to restrict entry of characters that could end and begin a database command. SQL injection attacks are prevented by proper programming methods that prevent commands from occurring within form data or that filter data to prevent such attacks. A buffer overflow occurs when the operating system or an application does not properly enforce boundaries for how much and what type of data can be inputted. Hackers submit data beyond the size reserved for the data in the memory buffer, and the extra data overwrites adjacent memory locations. The extra data sent by the attacker could include executable code that might then be able to execute in privileged mode. Cross-site scripting (XSS) is an attack that injects scripts into Web pages. When the user views the Web page, the malicious scripts run allowing the attacker to capture information or perform other actions. A DLL injection attack occurs when a program is forced to load a dynamic-link library (DLL). This DLL then executes under the security context of the running application, and executes malicious code included with the injected DLL.
Which type of media preparation is sufficient for media that will be reused in a different security contexts within your organization?
Sanitization EXPLANATION Sanitize media that will be reused in a different security context. Sanitization is the process of cleaning a device by having all data remnants removed. Sanitization is necessary because deleting, overwriting, and reformatting does not remove all data remnants, even when performed multiple times. Formatting is typically sufficient for media that will be reused within the same security context. Destroy media that has reached the end of its useful lifetime.
You want to make sure that any reimbursement checks issued by your company cannot be issued by a single person. Which security principle should you implement to accomplish this goal?
Separation of duties EXPLANATION Separation of duties is the policy of requiring more than one person participate in completing a task. It helps prevent insider attacks because no one person has end-to-end control, and no one person is irreplaceable. Job rotation is a technique where users are cross-trained in multiple job positions and responsibilities are regularly rotated between personnel. Job rotation is used for training purposes, but also allows for oversight of past transactions. As jobs rotate, personnel in new positions have the chance to review actions taken by others in that same position and catch security problems. A requirement for mandatory vacations requires employees to take vacations of specified length. These vacations can be used to audit actions taken by the employee and provide a passage of time where problems caused by misconduct could become evident. The principle of least privilege states that users or groups are given only the access they need to do their job and nothing more. With implicit deny, users or groups that are not specifically given access to a resource are denied access.
Which of the following is a form of denial of service attack that uses spoofed ICMP packets to flood a victim with echo requests using a bounce/amplification network?
Smurf EXPLANATION Smurf is a form of denial of service attack that uses spoofed ICMP packets to flood a victim with echo requests using a bounce/amplification network. Fingerprinting is the act of identifying an operating system or network service based upon its ICMP message quoting characteristics. A fraggle attack uses spoofed UDP packets to flood a victim with echo requests using a bounce network, which makes it similar to Smurf. Session hijacking is the act of taking over a login session from a legitimate client, impersonating the user and taking advantage of their established communication link.
Which of the following defines the crossover error rate for evaluating biometric systems?
The point where the number of false positives matches the number of false negatives in a biometric system. EXPLANATION The crossover error rate, or the equal error rate, is the point where the number of false positives matches the number of false negatives in a biometric system. A false negative (or Type I error) occurs when a person who should be allowed access is denied access. A false positive (or Type II error) occurs when a person who should be denied access is allowed access. The processing rate, or system throughput, identifies the number of subjects or authentication attempts that can be validated.
You've just received an email message explaining that a new and serious malicious code threat is ravaging across the internet. The message contains detailed information about the threat, its source code, and the damage it can inflict. The message states that you can easily detect whether or not you have already been a victim of this threat by the presence of three files in the \Windows\System32 folder. As a countermeasure, the message suggests that you delete these three files from your system. In response to this message, which action should you take first?
Verify the information on well-known malicious code threat management websites EXPLANATION The best first step to take after receiving an email message about a new malicious code threat is to verify the information it contains. You can easily verify information by visiting two or more well-known malicious code threat management websites. These sites can be your anti-virus vendor or a well-known and well-regarded internet security watch group. All too often, messages of this type are hoaxes. It is important not to fall prey to email hoaxes or spread them to others. Your first step should not be to follow any directions included in the email, especially deleting files. You should never forward email warnings until you have firmly established the authenticity and validity of such information. Even then, it is not your responsibility to inform anyone about such a threat except for the security personnel in your organization. Let those responsible for such activities, such as anti-virus vendors or your security team, inform the general public. Making a full backup is often a good idea, but it is not necessary in this instance.
You are concerned about sniffing attacks on your wireless network. Which of the following implementations offers the best countermeasure to sniffing?
WPA2 with AES EXPLANATION The best countermeasure to sniffing is to use some form of encryption. Wi-Fi Protected Access 2 (WPA2) uses Advanced Encryption Standard (AES) for strong encryption. Disabling the SSID broadcast provides some protection against war dialing. Users must know the SSID before they can see and connect to the wireless network. MAC address filtering can be used to prevent unauthorized connections to the wireless networks, but is susceptible to MAC address spoofing. Firewall filters help protect private networks from wireless clients and should be used when the access point is connected to both a public and a private network. WEP with shared secret authentication is not a recommended configuration, as the WEP key can be easily cracked through sniffing.
When would choosing to do nothing about an identified risk be acceptable?
When the cost of protecting the asset is greater than the potential loss EXPLANATION You might choose to accept a risk and do nothing if the cost associated with a threat is acceptable or if the cost of protecting the asset from the threat is unacceptable. For example, if the cost of protecting the asset is greater than the cost associated with the threat, you would decide to accept the potential loss rather than spend money to protect the asset. In this case, you would plan for how to recover from the threat, but not implement any measures to avoid it. An intangible asset is a resource that has value and may be saleable even though it is not physical or material. While assigning a value to intangible assets can be difficult, this does not mean that they cannot or should not be protected. The likely frequency of a threat occurring affects the annual loss expectancy, which also affects the comparison of the cost of countermeasures to the cost associated with a successful attack, but does not immediately rule out implementing countermeasures.
You have just downloaded a file. You create a hash of the file and compare it to the hash posted on the website. The two hashes match. What do you know about the file?
Your copy is the same as the copy posted on the website. EXPLANATION A hash is a function that takes a variable-length string (message) and compresses and transforms it into a fixed-length value. Hashes ensure the data integrity of files and messages in transit. The sender and the receiver use the same hashing algorithm on the original data. If the hashes match, then it is assumed that the data is unmodified. Hashes do not ensure confidentiality (in other words, hashes are not used to encrypt data). Non-repudiation proves the source of a file and is accomplished using digital signatures.