Information Security Fundamentals, Ch. 1 -5.10
Which option is a secure doorway that can be used in coordination with a mantrap to allow easy egress from a secured environment while actively preventing re-entrance through the exit portal?
Turnstiles
prevents users from visiting restricted web sites
URL content filtering
what is the greatest threat to the confidentiality of data in most secure organizations?
USB devices
Tailgating
Unauthenticated entry in to a secure building by following an authenticated person through an authentication checkpoint where the perpetrator enters without the authenticated person's consent.
Piggybacking
Unauthenticated entry into a secure building by following a consenting authenticated person through an authentication checkpoint.
Domain hijacking
Unlike the other DNS attacks listed here, which use stolen DNS data to redirect unwitting users. Domain hijacking is when an attacker gains access to to the domain control panel itself. They reconfigure the domain name to point toward another web server. This allows attackers to trick users into thinking they're at a legitimate website, when they're really at a dummy site created by the attacker.
When a new security plan is distributed, why is it important to destroy all copies of the old version?
When an updated version of a security plan is produced, the most crucial activity to prevent is public release of older versions of the document. Even an out of date plan can provide sufficient information to attackers to perform serious security intrusions. When the security plan is updated, users should be made aware of the changes, the document should be distributed internally to appropriate parties, and all old versions should be destroyed.
crime suspects
When carrying out the investigation, it is important to determine the Method of operation (MO) of each suspect. Defining a persons motive helps the investigators to develop an understanding of who may have been capable of the crime.A suspect's method of operation has 3 purposes: to assist in escaping, to ensure the crime's success, and to protect the attackers identity.
When would choosing to do nothing about an identified risk be acceptable?
When the cost of protecting the asset is greater than the potential loss.
The following lists types of networks found in your security zones:
Wireless, guest, honeynet, ad hoc
(5) simplicity (general defense strategy)
security measures should provide protection, but not be so complex that you do not understand and use them
which security principle prevents any one administrator from having sufficient access to compromise the security of the overall IT solution?
separation of duties
you want to make sure that any reimbursement checks issued by your company cannot be issued by a single person. which security principle should you implement to accomplish this goal?
separation of duties
Which of the following is defined as a contract which prescribes the technical support or business parameters that a provider will bestow its client?
service level agreement
In which phase of the system life cycle is software testing performed?
software development and coding and installation
asset
something that has value to an individual or an organization
5 categories of multifactor authentication include
something you are, such as biometric information(finger print or retina scan)
What challenges does a security professional face?
sophisticated attacks, proliferation of attack software, attack scale and velocity
principle of least privilege, method of controlling access include: explicit allow
specifically identifies users or groups who have access. is a moderate form of access control in which privilege has been granted to a subject
preparing a computer to perform additional tasks in the attack
staging
(2) principle of least privilege (general defense strategy)
states that users or groups are given only the access they need to do their job and nothing more. When assigning privileges, be aware that it is often easier to give a user more access when they need it than to take away privileges that have already been granted.
which is the cryptography mechanism that hides secret communications with various forms of data?
steganography
users and administrators
the people who use the software and the people who manage it
threat agent
the person or entity that carries out a threat
principle of least privilege
the practice of granting each user or group of users only the access necessary to do their job or perform their official duties
access recertification
the process of continually reviewing a user's permissions and privileges to make sure they have the correct level of access
authorization
the process of determining whether or not an authenticated user has permission to carry out a specific task or access a system resource.system administrators decide and then configure the permission scope for users and groups
(2)social engineering (general attack strategy)
the process of manipulating others to give you sensitive information such as: intimidation, sympathy
authentication
the process of proving an identity
accounting
the process of tracking the actions of an authenticated user, including access to files and other user activities on the system
cipher/algorithm
the process or formula used to convert a message or otherwise hide its meaning
mutual authentication
the process whereby two communicating entities authenticate each other before exchanging data, it requires not only the server to authenticate the user, but the user to authenticate the server. more secure than traditional one-way authentication
key space
the range of the possible values that can be used to construct a key. generally speaking, the longer the key space, the stronger the cryptosystem
plaintext
the readable form of an encrypted message. information that will eventually be input into an encryption algorithm
Loss
the real damage to an asset that reduces its confidentiality, integrity, or availability.
need-to-know
the restriction of data that is highly sensitive and is usually referenced in government and military context
cryptography
the science and study of concealing information
What would you use to validate the bandwidth on your network and identify when the bandwidth is significantly below what it should be?
throughput tester
what is the goal of network monitoring?
to keep track of conditions on the network, identify situations that might signal potential problems, and locate areas of your network that might need to be upgraded or modified. as you monitor your network, look for your top talkers and listeners
what are some legitimate uses for cyptanalysis?
to measure and validate the strength of a cryptosystem. can also be done to violate the confidentiality and/or integrity of a cryptosystem
What is a service level agreement?
A guarantee of a specific level of service
Vishing
A social engineering attack that exploits voice-over-IP telephone services to gain access to an individuals personal and financial information, including their government ID number, bank account numbers, or credit card numbers.
Near Field Communication (NFC)
A set of standards that allows smartphones and similar devices to communicate by touching them together or bringing them close to each other.
Denial of Service (DoS)
A single attacker flooding a target system with traffic or requests or by exploiting a system or software flaw.
Proxy server
A type of firewall that stands as an intermediary between clients requesting resources from other servers.
Prototype
A type of iterative development that was made to combat the weaknesses of waterfall-based models.
Tunneling
A type of network protocol that encrypts IP packet contents and encapsulates them for routing through a public network.
Data loss prevention
A type of software that protects sensitive data from being exposed.
targeted attack
A type of threat in which actors actively pursue and compromise a target entity's infrastructure while maintaining anonymity
What is a countermeasure?
A way to mitigate a potential risk. Reduce the risk of a threat agent by being able to exploit a vulnerability
Web filter
A web content filter that prevents users from visiting restricted websites
Web threat filter
A web filter that prevents users from visiting websites with known malicious content.
Secure Sockets Layer (SSL)
A well-established protocol to secure traffic generated by other IP protocols, such as HTTP, FTP, and email.
Wireless Access Point (WAP)
A wireless hub that broadcasts information and data over radio waves.
Wi-Fi Protected Access 2 (WPA2)
A wireless security specification intended to replace both WEP and WPA that adheres to the 80211i specifications and resolves the weaknesses inherent in WEP.
Service Level Agreement (SLA)
An agreement between a customer and provider that guarantees the quality of a network service provider's care to a subscriber.
(6) create a backdoor (general attack strategy)
An alternative method of accessing an application or operating system for troubleshooting.
All-in-one security appliance
An appliance that combine many security functions into a single device.
Asset classification
An asset prioritization method that identifies the appropriate value and protection levels by grouping similar assets and comparing the valuation of different classifications.
Sensitivity vs. risk
An asset prioritization method that uses a chart to qualify the value of an asset based on sensitivity and risk.
Delphi
An asset prioritization method that uses an anonymous survey to determine the value of an asset. Anonymity promotes honest responses.
Comparative
An asset prioritization that uses a ranking based on an arbitrary scale that is compatible with the organization's industry. the valuation is still qualitative, but consistency in valuation with other organization's in the industry adds credibility.
Distributed Denial of Service (DDoS)
An attack in which multiple attackers or attack devices either coordinate the flooding of a target system with traffic or exploit a system or software flaw.
SYN flood
An attack that exploits the TCP three-way handshake
LAND
An attack that floods the victim's system with packets that have forged headers with the victim's address as the source and destination address.
Man-in-the-middle attack
An attack that intercepts information passing between two communication partners.
Teardrop
An attack that manipulates the UDP fragment number and location.
Fraggle
An attack that sends a large amount of UDP packets directed to broadcast addresses and aimed at port 7 (echo) and port 19 (chrgen--character generation) with spoofed source addresses.
Session-based attack
An attack that takes over the TCP/IP session or captures information that can be used at a later date.
Replay attack
An attack that uses a protocol analyzer or sniffer to capture authentication information going from the client to the server and then uses this information to connect at a later time and pretend to be the client.
Christmas (Xmas) Tree
An attack that uses an IP packet with every option turned on for the protocol being used.
ARP Spoofing or ARP poisoning
An attack that uses spoofed ARP messages to associate a different MAC address with an IP address.
IP spoofing
An attack where IP address information is changed within a packet to amplify or redirect responses to a victim.
null session
An attack where a connection is made using a blank username and password that is used to discover information about the system.
Domain hijacking
An attack where an attacker gains access to the domain control panel itself and the domain name to point toward another web server.
DNS poisoning
An attack where malicious or misleading data that incorrectly maps hostnames and IP addresses is sent to a name server.
Domain Name Kiting
An attack where spammers exploit domain registration by taking advantage of the five-day grace period for a newly registered domain name.
MAC spoofing
An attack where that MAC address of a valid host currently in the MAC address table of a switch is spoofed so that frames are redirected to the attacker.
opportunistic attack
An attack where the threat actor is almost always trying to make money as fast as possible and with minimal effort
security incident
An event or series of events that are a result of a security policy violation that have adverse effects on a company's ability to proceed with normal business.
Port address transation
An extension of NAT that associates a port number with a request from a private host.
TCP/IP (Session) hijacking
An extension of a man-in-the-middle attack where the attacker steals an open and active communication session from a legitimate user.
live analysis
An incident investigation that examines an active (running) computer system to analyze the live network connection, memory contents, and running programs
dead analysis
An incident investigation that examines data at rest, such as analyzing hard drive contents
big data analysis
An incident investigation that identifies anomalies that led up to the security incident by examining all types of data used in the organization, including text, audio, video, and log files
You are investigating the use of website and URL content filtering to prevent users from visiting certain Web sites. Which benefits are the result of implementing this technology in your organization? (Choose two)
An increase in bandwidth availability
Which of the following is the best protection against security violations?
Defense in-depth
(3) variety (general defense strategy)
Defensive layers should have a variety and be diverse; implementing multiple layers of the exact same defense does not provide adequate strength against attacks
The acceptable use agreement might set expectations for user privacy when using company resources. Privacy is the right of individuals to keep personal information from unauthorized exposure or disclosure. In a business environment, businesses might need to be able to monitor and record actions taken by employees. Such monitoring might be viewed as a violation of individual privacy. To protect against legal issues:
Define the types of actions and communications that will be monitored. For instance, its typical for a business to reserve the right to monitor all activities performed on company computers, even if those activities might be of a personal nature. Clearly communicate all monitoring activities. Users should know that monitoring is being performed. Apply monitoring to all employees. Targeting specific employees could be grounds for discrimination. Comply with all legal requirements for privacy. For example, personal medical information is protected and cannot be shared without prior authorization.
Prior planning helps people know what to do when a security incident occurs, incident response plans should:
Define what is considered an incident, identify who should handle the response to the incident; this person is designated as first responder. Describe what action should be taken when an incident is detected. Provide a detailed outline of steps to be taken to handle an incident both efficiently and effectively, while mitigating its effects. Explain how and to whom an incident should be reported Explain when management should be notified of the incident and also outline ways to ensure that management is well informed. Be legally reviewed and approved. Be fully supported by senior management and administration with appropriate funding and resources such as camera equipment, forensic equipment, redundant storage, standby systems, and backup services
Security Policy
Defines the overall security goals and processes for an organization. To be effective, the security policy must be: Planned. Good security is the result of good planning, Maintained. A good security plan must be constantly evaluated and modified as needs change. Used. The most common failure of a security policy is the lack of user awareness. The most effective way of improving security is through user awareness.
Sample data retention rules could include the following:
Delete email messages after 90 days. Keep tax-related information for 7 years, this timeframe should be defined by the applicable taxation authority. For example, The United States Internal Revenue Service requires tax information to be retained for 7 years. Keep employees records for 4 years after an employer leaves the organization. Keep integral research,design, or patent documents for 25 years. Keep contracts with vendors and partners for 5 years after a contract has ended. Delete employee files after 1 year.
To determine the value of the company assets, an anonymous survey was used to collect the opinions of all senior and mid-level managers. Which asset valuation method was used?
Delphi method
Due care and due diligence are also called the prudent man rule
Demonstrates that management has taken reasonable actions to ensure safety standards according to accepted best practices. The ability to demonstrate due care and due diligence protects the organization and its staff from accusations of negligence or incompetence in security-related issues.
Which of the following is not an appropriate response to a risk discovered during a risk analysis?
Denial
Which attack form either exploits a software flaw or floods a system with traffic in order to prevent legitimate activities or transactions from occurring?
Denial of service attack
Which of the following can be used to stop piggybacking at a front entrance where employees should swipe smart cards to gain entry?
Deploy a mantrap
System design
Identifies the:
virus scanners
Identify infected content and dispose of it. They are often coupled with email scanners.
Termination policies and procedures
Identify processes to be implemented when terminating employees. For example, the termination policy might specify that: Network access and user accounts are disabled immediately, Exit interviews are conducted, Employees are escorted at all times following termination, all company property is returned, appropriate documents are signed
uses for packet sniffer
Identify the types of traffic on a network
Which of the following is not a form of social engineering?
Impersonating a user by logging on with stolen credentials
Which of the following measures will NOT improve physical security in the data center?
Implement a checkout policy
Which security-related recommendations should you make to this client?
Implement a hardware checkout policy
How should you do this?
Implement a mobile endpoint management (MEM) solution.
Which actions should you take? (select 2)
Implement storage segmentation, enable device encryption
End of life
Implementation of disposal. Disposal includes:
Physical access logs
Implemented by the guards of a facility and require everyone gaining access to the facility to sign in.
Application aware proxy
Improves application performance
Which of the following is NOT a benefit of NAT?
Improving the throughput rate of traffic
Documents how the networks will be connected
Interconnection Security Agreement (ISA)
How does an intruder carry out a replay attack?
Intruders do not need to decrypt the intercepted packet. They can simply forward the packet to an application or service and gain access to the victim's resources or data.
Operations and maintenance
Involve the following actions:
Which of the following is the most important thing to do to prevent console access to the router?
Keep the router in a locked room
In which phase of the system life cycle is security integrated into the product?
Product initiation
object-oriented programming (OOP)
Programming based on the organization of objects rather than actions that uses pre-assembled programming code in a self-contained module that encapsulates a segment of data and ots processing instructions. A block of programming code can be used in any number or different programs once it is written. This method of development revolutionized computer program development.
Identify the choke points on the network
Protect Your Network
Segregate and isolate networks
Protect Your Network
Besides protecting a computer from under voltage, a typical UPS also performs which two actions.
Protects from other voltages and conditions the power signal
Configuration management policy
Provides a structured approach to securing company assets and making changes. Configuration management: Establishes hardware, software, and infrastructure configurations that are to be deployed universally throughout the corporation. Tracks and documents significant changes to the infrastructure. Assesses the risk of implementing new processes, hardware, or software. Ensures that proper testing and approval processes are followed before changes are allowed.
Which of the following is used on a wireless network to identify the network name?
SSID
DoS attacks that exploit the TCP protocol include:
SYN flood, LAND, and Christmas (xmas) tree
What is an example of vulnerable business processes?
Shipping companies working in the Belgian port of Antwerp were hacked by drug traffickers. They were able to modify the movement and location of containers, making it possible to move and retrieve drugs.
WEP
Short initialization vector makes key vulnerable
Response time frames
Short term (triage) actions focus on stopping the attack, mitigating its effects, and restoring basic functionality.
Acceptable use
Should define personal use and after-hours use. Irresponsible, illegal, or malicious use of the device could leave an organization liable for damages if such use is not prohibited by a policy.
A malicious user in your organization was able to use the Trinity Rescue Kit to change the password on a department manager's computer in the finance department. The user was able to copy data containing bank account information and social security numbers. The user then destroyed the data by resetting the computer. The department manager was at lunch at the time and had enabled the lock screen to require a password to gain access to the computer. What additional measure should the manager have taken to prevent data theft?
The computer should have been kept in a physically secure location.
Enforcement server (ES)
The connection point for NAP clients that forwards a client's SoH to the NAP server for validation before granting network access.
Screening router
The router that is most external to your network and closest to the internet.
Tracking expenses
Track man hours and expenses for each incident, this may be necessary to calculate a total damage estimation and possibly restitution
Purchasing insurance is what type of response to risk?
Transference
What is the primary use of tunneling?
Supporting private traffic through a public communication medium
What encryption method is used by WPA for wireless networks?
TKIP
incident response
The action taken to deal with an incident, both during and after the incident
Dissovable
The agent is downloaded or a temporary connection is established. It is removed once the user is done with it. The user will have to download or connect to the agent again if needed.
Agentless
The agent is on the domain controller. When the user logs into the domain, it then authenticates with the network.
Permanent
The agent resides on a device permanently. This is the most convenient agent since it does not have to be renewed and can always run on the device. It is also known as a persistent agent.
Accessing each suspect's MO can lead to discoveries that may be indicative of:
The amount of planning necessary for the crime to be executed.
policies
rules an organization implements to protect information
emergency escape plans
safety
which type of media preparation is sufficient for media that will be reused in different security contexts within your organization?
sanitization
tracert
(TRACE RouTe) command displays the IP route to a destination host or node. In Linux and Mac OS, the command is traceroute
WiMAX is an implementation of which IEEE committee?
802.16
Which of the following specifications identify security that can be added to wireless networks? (Select two)
802.1x
Manageable Network Plan
A process created by the National Security Agency (NSA) to assist in making a network manageable, defensible, and secure.
Ways a surge or spike can be caused:
Can be caused by a lightening strike, a power plant coming online or going off-line, or even equipment inside the facility.
Reverse proxies
Can be used for caching and authentication
Forward proxies
Can be used to filter web content, but can also be used to mark a user's identity for anonymity. This can make it difficult for attackers to target users or an organization.
Camera types include:
*A bullet camera, which has a built-in lens and is long and round in shape. Most bullet cameras can be used indoors and outdoors.
In a phishing attack:
*A fraudulent message that appears to be legitimate is sent to a target.
During a man-in-the-middle attack:
*An attacker inserts himself in the communication flow between the client and server. The client is fooled into authenticating to the attacker.
When you inform an employee that they are being terminated, what is the most important activity?
Disabling their network access
Which of the following allows for easy exit of an area in the event of an emergency, but prevents entry?
Double-entry door, turnstile
Keep in mind the following when creating the disaster recovery and business continuity plans:
*A good plan documents all important decisions before the disaster strikes. When a disaster occurs, staff members simply need to follow the documented procedures.
Two types of scans are common during technical reconnaissance:
*A horizontal scan is a scan of an entire network.
Specific door types include:
*A mantrap, which is a specialized entrance with two doors that create a security buffer zone between two areas.
Be aware of the following facts when using a portable fire extinguisher:
*A pin is inserted in the handle of most fire extinguishers to prevent the extinguisher from being accidentally triggered. Remove the pin to use the fire extinguisher.
This can be used to bypass:
*A wireless access point with MAC filtering on a wireless network
Checkout policies should include the following details:
*Acceptable use is limited to business-specific activities on the device.
This allows spammers to:
*Acquire domains and never pay for the registration of domain names by unregistering a domain name just before the grace period is up and then immediately re-registering the domain name.
arp
(Address Resolution Protocol) command is usually to display and modify the ARP table entries on the local host. The ARP table maps internet IP addresses with physical MAC addresses.
ipconfig
(Internet Protocol CONFIGuration) command is used to display a host's current TCP/IP configuration values and to refresh DHCP and DNS settings. In Linux and MAC OS, the command is ifconfig, however the newer ip command has more features and will eventually replace ifconfig
netstat
(NETwork STATistics) command displays statistical information describing TCP network connections, routing tables, network interfaces, and network protocols. This utility is mostly obsolete in LInux, but still included in many distributions. In Linux, netstat has been superseded by the ss and ip commands
nslookup
(Name Server LOOKUP) command will query a DNS to obtain the IP address for a given domain name, or to obtain a domain name for a given IP address. In Linux, the dig command gives similar information
nmap
(Network MaPper) utility is a network security scanner that is commonly used to scan a system to determine which TCP ports are open
ping
(Packet INternet Groper) command can be used to verify network connectivity between two hosts or nodes. It can also be use to test network latency
Social engineering techniques used against employees are as follows:
*Authority: an attacker either lies about having authority or uses their high status in a company to force victims to perform actions or give information that exceeds their authorization level.
The following table lists various U.S. fire classes and the appropriate suppressant type:
*Class A- Fuel type: Wood, paper, cloth, plastics, Suppressant type: Water or soda acid
Computer systems are sensitive to environmental conditions. Environmental controls that can be implemented to protect computer systems include:
*Cool temperatures to protect hardware from being damaged by overheating.
The first measure in physically securing a building is to secure the perimeter and restrict access to only secure entry points. Methods for securing the perimeter are explained in the following list:
*Fences provide an environmental barrier that prevents easy access to the facility.
A fixed system is part of a building and typically combines fire detectors with fire-suppression technology:
*Fire detectors detect rapid changes in temperature or smoke.
In a teardrop attack:
*Fragmented UDP packets with overlapping offsets are sent.
Fire requires 4 components:
*Fuel such as wood, paper, or petroleum.
A well-maintained heating, ventilating, and air conditioning (HVAC) system is important for employee comfort and the protection of equipment.
*HVAC controls the temperature and humidity of a building.
IP spoofing can be used to:
*Hide the origin of the attack by spoofing the source address.
A BCP:
*Identifies and prioritizes critical functions.
Business Impact Analysis (BIA) focuses on the impact losses will have on the organization. A BIA:
*Identifies threats and can affect processes/assets
(Network Architecture) Identifies the following steps to protect your network:
*Identify and document each user on the network and the information the user has access to
Recommendations for water and gas focus mainly on the ability to turn them off in the event of a broken pipe, fire, or other type of emergency. These recommendations are:
*Identify the location of a master shut off valve
Social engineering is an attack that exploits human nature by convincing someone to reveal information or perform an activity. Examples include:
*Impersonating support staff or management, either in person or over the phone.
Countermeasures for preventing spoofing are as follows:
*Implement firewall and router filters to prevent spoofed packets from crossing into or out of your private secured network.Filters will drop any packet suspected of being spoofed.
The goal of a DoS attack is to make a service or device unavailable to respond to legitimate requests. Attackers may choose to overload the CPU, disk subsystem, memory, or network:
*In a DoS attack, a single attacker directs an attack against a single target, sending packets directly to the target.
In a DNS poisoning attack:
*Incorrect DNS data is introduced into the cache of a primary DNS server.
Succession planning:
*Increases the availability of experienced and capable employees that are prepared to assume specific roles as they become available.
The best countermeasures for preventing reconnaissance on your system are to:
*Install antivirus applications
Countermeasures for DoS and DDoS attacks include implementing:
*Intrusion detection systems (IDS) or intrusion protection systems (IPS).
In addition to specific automated attacks, spamming (sending unwanted email messages) can become a form of DoS attacks because:
*It consumes bandwidth that is used by legitimate traffic.
To physically secure a network, some measures should be taken, including the following:
*Keep equipment containing sensitive company or client data locked in a safe.
This file can be used to improve security and reduce bandwidth usage by:
*Mapping known malicious sites to the loopback address of 127.0.0.1 to prevent browsers from displaying the malicious sites.
Sources can include:
*Microwave ovens
Common causes of EMI are:
*Motors
In a null session:
*Older Microsoft systems used null sessions between computers. Attackers can use this vulnerability to log on and discover information about the system, such as a list of user names or shared folders.
The data center is where most of the network devices and cable are stored. To keep them safe, follow these good practices:
*Only allow physical access to employees who strictly need to get in the data center.
This can be accomplished by:
*Performing direct queries on DNS servers (using a tool such as nslookup) to request individual records.
Physical access controls can be implemented inside the facility:
*Physical controls may include key fobs, swipe cards, or badges
Door locks only allow access to people with the proper key. Lock types are explained in the following list:
*Pick-resistant locks with restricted key duplication are the most secure key lock. It is important to note that all traditional key locks are vulnerable to lock-picking(shimming).
The Disaster Recovery Plan (DRP) identifies short term actions necessary to stop the incident and restore critical functions so the organization can continue to operate. The DRP is a subset of the BCP, and is the plan for IT-related recovery and continuity. A disaster recovery plan should include:
*Plans for resumption of applications, data, hardware, communications, and other IT infrastructure in case of disaster.
3 factors to keep in mind with physical security:
*Prevention- making the location less tempting to break into
When designing physical security, implement a layered defense system. A layered defense system is one in which controls are implemented at each layer to ensure that defeating one level of security does not allow an attacker subsequent access. Using multiple types of security controls within the same layer further enhances security. Tips for implementing a multi-layered defense system include:
*Protect entry points with a card to access system (or some other type of control) as well as a security camera.
Examples of this stage include:
*Putting a sniffer on the wire.
Waterfall planning-there are a few variations of the names of its phases, but it is mainly a sequence of events:
*Requirements- the requirements are gathered from the client, user, or stakeholder.
Offboarding- When the relationship in the third party ends, you need to ensure that all of the doors that were open between organizations during the onboarding phase are closed. Consider the following:
*Reset or disable any VPN, firewall, router, or switch configurations that allowed access to your network from the third party network.
Important aspects of physical security:
*Restricting physical access to facilities and computer systems
Active scanning can include:
*Social engineering
These are important facts you should know about DNS:
*Standard DNS is configured with one primary DNS server that maintains a read/write copy of all the computer names and IP addresses registered in DNS for the domain.
Methods to shield computer systems include:
*Surrounding a server room with a faraday cage to protect a system from RFI.
In a ping flood:
*The attack succeeds only if the attacker has more bandwidth than the victim.
SYN flood exploits the TCP three-way handshake as follows:
*The attacker floods a victim site with SYN packets.
A smurf attack requires an attacker system, an amplification network, and a victim computer or network:
*The attacker sends ICMP packets to an amplification network or broadcast address. The packets spoof the source address to be the target's.
In the ping of death:
*The attacker sends one or more very large IMCP packet (larger than 65, 536 bytes) directly to the victim.
During a TCP/IP (Session) hijacking:
*The attacker takes over the session and cuts off the original source device.
In a LAND attack:
*The packet's have the same source and destination address (the victim's). The packets also have the same source and destination port.
The most effective countermeasure for social engineering is employee awareness training on how to recognize social engineering schemes and how to respond appropriately. Specific countermeasures include:
*Train employees to secure information by:
Spoofing attacks:
*Use modified source and/or destination addresses in packets.
Recommendations for HVAC systems include:
*Use positive pressure systems, they protect the air quality in the facility by causing air to be forced out through doors, windows, and other openings. Negative pressure systems draw air in, potentially bringing in airborne particles such as dust, smoke from a fire, or contamination from a chemical leak. Positive pressure systems are more energy effective.
Extinguishing agents used to suppress fires include:
*Water to remove the heat. Water can cause damage to computer equipment, but it is harmless to people.
Be aware of the following facts regarding responding to fire emergencies:
*When a fire occurs, the first action is to ensure the safety of the people and evacuate the area.
Christmas (Xmas) Tree attack, (also known as a Christmas tree scan, nastygram, kamikaze, or lamp test segment) uses an IP packet with every option turned on for the protocol being used. Christmas tree packets can be used to conduct reconnaissance by scanning for open ports. They can also be used to execute a DoS attack if sent in large numbers:
*When sent to a target host, the TCP header of a Christmas tree packet has the flags FIN, URG, and PSH set. By default, closed ports on the host are required to reply with a TCP connection rest flag (RST). Open ports must ignore the packets, informing the attacker which ports are open.
When collecting forensic data, follow the order of volatility. Gather the most volatile data first and leave more persistent data for later. The following list ranks data from most to least volatile:
1.) Contents of the processor's cache and data registers
What are the change control process steps?
1.) Identify the need for a change and submit it for approval.
Analyzing data-analyze data in order from most volatile to least volatile:
1.) Registers and caches
ARP spoofing can be used to perform a man-in-the-middle attack as follows:
1.) When an ARP request is sent by a client for the MAC address of a device, such as the default gateway router, the attacker's system responds to the ARP request with the MAC address of the attacker's system.
A business continuity plan identifies actions required to restore the business to normal operation. It is designed to ensure that critical business functions (CBF) can be performed when operations are disrupted. Development of a BCP would include the following steps:
1.)Analysis
Under the direction of senior management, security professionals establish specific policies and plans related to the organization's security implementation. In addition to protecting company assets and employees' personal information,these plans and policies safeguard the organization from liability and exposure. Plans and policies are the most effective if the following steps are implemented in their execution:
1.)Assess the risk
Physical security should deploy in the following sequence. If a step in the sequence fails, the next step should implement itself automatically.
1.)Deter initial access attempts
Analyzing network traffic may include:
1.)Identifying suspicious network sessions and packets
In the prototype model, a small segment of the code is prototyped, then tested and refined using 4 steps:
1.)definition of initial concept
What are the 7 layers in layered security?
1.)policies, procedures, and awareness 2.)physical 3.)perimeter 4.)network 5.)host 6.)application 7.)data
Properly documenting and executing the change control process is essential for change to be effective and seamless. The general steps that should be considered are:
1.)recognize a need
Which of the following is not one of the IP address ranges defined in RFC 1918 that are commonly used bahind a NAT server?
169.254.0.0 - 169.254.255.255
What is the Single Loss Expectancy (SLE)?
300
What is the recommended humidity level for server rooms?
50%
You want to use CCTV to increase the physical security of your building. Which of the following camera types would offer the sharpest image at the greatest distance under the lowest lighting conditions?
500 resolution, 50mm, 0.5 LUX
What is the annual loss expectancy?
75
Succession Planning
A process for identifying and developing internal people with the potential to fill key positions within the organization at some point in the future.
California Database Security Breach Act of 2003
A California State Law that specifies that any agency, person, government, entity, or company that does business in the state of California must inform California residents within 48 hours if a database breach or other security breach occurs in which personal information has been stolen or is believed to have been stolen.
Government requirements- government organizations may have very specific reporting requirements. The US federal government uses these incident report requirements for different levels of incidents:
A Category 1 event occurs when an individual gains unauthorized access to a federal system and should be reported within one hour of detection.
Ping of death
A DoS attack that uses the ping program to send oversized ICMP packets.
closed circuit television (CCTV)
A TV system which signals are not publicly distributed but are monitored, primarily for surveillance and security purposes.
Gramm-Leach-Bliley Act
A US federal law designed to protect private information held at financial institutions.
Patriot Act of 2001
A US federal law that gives law enforcement the authority to request information from organizations to detect and suppress terrorism.
Children's Online Privacy Protection Act of 1988 (COPPA)
A US federal law that requires organizations that provide online services designed for children below the age of 13 to obtain parental consent prior to collecting a child's personal information.
Sarbanes-Oxley Act of 2002
A US federal law that requires publicly traded companies to adhere to very stringent reporting requirements and implement strong controls on electronic financial reporting systems. A key aspect of the law is the requirement for retaining copies of business records, including email, for a specified period of time.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
A US federal law that specifies all organizations must protect the health information that they obtain.
Waterfall planning
A development model sequential in its layout, with phases that contain a series of instructions that must be executed and documented before the next phase can begin. The most commonly used model, though it may not always be optimal for large and complex projects.
Demilitarized Zone (DMZ)
A buffer network (or subnet) that is located between a private network and an untrusted network (such as the intranet). Typically contains publicly accessible resources, such as Web, FTP, or email servers.
Network Access Protection (NAP)
A collection of components that allow administrators to regulate network access or communication based on a computer's compliance with health requirement policies.
Bot net
A collection of multiple zombies or bots.
blackout
A complete electrical power failure.
Wired Equivalent Privacy (WEP)
A component of the 802.11 specification that was intended to provide wireless connections with the same security as wired connections.
NAP clent
A computer running NAP-aware software that prevents it from accessing the network if it is not in compliance with system health requirements.
How can an asset have both a tangible and intangible value?
A computer that functions as a server has a tangible value associated with the replacement cost of the hardware. Intangible assets include the data on the computer, the value of the role that the computer performs within the organization, and what the computer's information is worth to a competitor or an attacker.
Backup storage
A copy of data that is archived and can be used to restore data.
Ad hoc
A decentralized network that allows connections without a traditional base station router, which allows users to connect two or more devices directly to each other for a specific purpose.
Agile
A development model that breaks development into smaller time frames called sprints.
Extreme programming
A development model that values simplicity, feedback, courage, and communications, and brings the entire team of developers, managers, and customers together so that the adequate feedback and evaluation can be provided. This model usually works quickly, but the end product tends to be fragmented.
Clean room
A development model used for high-quality software where all levels development are tested for bugs and defects with the goal of finding problems before they can mature. The goal of this method is that the application will be bug-free at the time of release.
ad hoc
A development model where qualified developers are given a project without a consistent team, funding, or schedule. The outcome of the product lies solely in the hands of the developer, rather than an organization. Ad hoc should be a last alternative when choosing a development method.
Firewall
A device or software running on a device that inspects network traffic and allows or blocks traffic based on a set of rules.
redundant power source
A device that ensure constant power, such as a backup generator or power from a secondary source.
Application-aware devices
A device that has the ability to analyze and manage network traffic based on the application-layer protocol that created it.
line conditioner
A device that improves the quality of electric power by providing filters to remove noise, temporary voltage regulation, and surge protection.
uninterruptible power supply (UPS)
A device that protects against under-voltage conditions of short duration.
surge protector
A device that protects against voltage spikes that damage components.
Screened host gateway
A device that resides within the DMZ, requiring users to authenticate in order to access resources within the DMZ or the intranet.
Wireless interface
A device within a wireless client, such as a laptop or smartphone, that users radio signals to connect to a wireless access point.
Code Escrow Agreement
A document that specifies the storage and conditions of release of source code. For example, a code escrow agreement could specify that you obtain the source code from a vendor if the vendor went out of business.
Point-to-Point Tunneling Protocol (PPTP)
A early tunneling protocol developed by Microsoft.
Spam filter
A email filter that prevents irrelevant or inappropriate email sent to sent to a large number of recipients (spam)
Data center
A facility composed of networked computers and storage that businesses or other organizations use to organize, process, store, and disseminate large amounts of data.
Which of the following describes a man-in-the-middle attack?
A false server intercepts communications from a client by impersonating the intended server.
Duel-homed gateway
A firewall device that typically has three network interfaces: one connected to the internet, one connected to the public subnet, and one connected to the private network.
Application firewall
A firewall that is typically installed on a workstation and used to protect a single device and is also known as a host-based firewall.
Network firewall
A firewall that is used to regulate traffic in and out of an entire network.
Stateless firewall
A firewall that makes decisions about what traffic to allow based on virtual circuits of sessions and is also known as a circuit-level proxy or circuit-level gateware.
Stateful firewall
A firewall that makes decisions about what traffic to allow by examining information in IP packet headers.
transient
A fluctuation caused by line noise or disturbance.
Smurf
A form of DDoS attack that spoofs the source address in ICMP packets.
Code of Ethics
A set of rules or standards that help individuals to act ethically in various situations.
Network cable lock
A lock that secures an Ethernet cable so that it isn't easily disconnected.
Lockout or Screen Lock
A lockout (or screen lock) disables the ability to use the device after a short period of inactivity. The correct password or PIN unlocks the device.
Social Engineering
A malicious attempt to fraudulently acquire sensitive information that is usually accomplished using impersonations.
Countermeasure
A means of mitigating the potential risk. A countermeasure reduces the risk of a threat agent being able to exploit a vulnerability.
Example of improper error handling:
A message that says Access denied lets an attacker know that a file exists, while a message that reads File Not Found does not
Computer-aided software engineering (CASE)
A method of using computers to help with the systematic analysis, development, design, and implementation of software. It has grown to include visual programming and object-oriented programming. This model facilitates the overall security and development of applications and is best for complex, large-scale projects.
Structured programming
A method used by programmers that uses layering , modularity, and segmenting to allow for optimal control over coherence, security, accuracy, and comprehensibility. One of the most widely used development models.
Network Address Translation (NAT)
A method used by routers to translate multiple private IP addresses into a single registered IP address.
Spiral
A mix of the waterfall model and the prototype model in which a prototype is developed and tested using the waterfall method. Considerations for improvements are implemented from the center outward, like a spiral. Additionally, the spiral method includes risk assessment, during this, developers evaluate whether the development should continue.
fault
A momentary power outage that can have a variety of sources.
Service Set Identifier (SSID)
A name associated with a wireless network that makes it easier for users to connect to it.
demilitarized zone
A network that contains publicly accessible resources and is located between the private network and an untrusted network (such as the internet) and is protected by a firewall.
Wireless networks
A network that does not require a physical connection.
Guest
A network that grants only internet access for guest users and has a firewall to regulate that access.
Screen filter
A panel or filter that is placed over a display to make it difficult or impossible for someone to see the screen without being directly in front of the display.
which of the following accurately describes what a protocol analyzer is used for?
A passive device that is used to copy frames and allow you to view frame contents. Also a device that does not allow you to capture, modify, and re-transmit frames(to perform an attack)
wireless antennae
A physical device that broadcasts and receives radio signals and can be mounted externally to or embedded within a wireless device.
Business Continuity Plan
A plan for recovering critical functions after a catastrophic disaster or extended disruption.
Disaster Recovery Plan (DRP)
A plan for resumption of applications, data access, hardware, communications, and other IT infrastructure in case of disaster.
Acceptable Use Policy (AUP)
A policy that defines how users should use the information and network resources in an organization.
Password Policy
A policy that detail the requirements for passwords used in an organization.
Checkout policy
A policy that ensures that hardware doesn't leave an organization's premises without a manager's approval.
User Management Policy
A policy that identify actions to follow when employees status changes to ensure the security of the system, including hiring new employees, promoting and transferring employees, and terminating employees.
Privacy Policy
A policy that outlines how the organization will secure private information for employees, clients, and customers.
Change management and configuration management policy
A policy that regulate changes to policies, practices, and equipment that could impact the security of your IT infrastructure.
Authorized Access Policy (AAP)
A policy that specifies access controls that are employed on a network. This policy specifies who is allowed to access the various systems of the organization.
User Education and Awareness Policy
A policy with provisions for user education and awareness training.
damage assessment
A preliminary onsite evaluation of damage or loss caused by a security incident
Intranet zone
A private network (LAN) that employs internet information services for internal use only. For example, your company network might include web servers and email servers that are used by company employees.
Extranet
A privately-controlled network distinct from but located between the internet and a private LAN. Often used to grant resource access to business partners, suppliers, and even customers outside of the organization.
Reporting system
A procedure to immediately report the loss of a device will enable the device to be disabled quickly and reduce the chance of confidential information being compromised.
Remote wipe
A procedure to remotely clear specific, sensitive data on a mobile device. This task is also useful if you are assigning the device to another user or after multiple incorrect password or PIN entries.
Protected cable distribution
A protected distribution system (PDS) encases network cabling within a carrier. This enables data to be securely transferred directly between two high-security areas through an area of lower security. 3 different types of PDS are most frequently implemented:
Transport Layer Security (TLS)
A protocol that evolved from SSL and provides privacy and data integrity between two communicating applications.
Internet
A public network that includes all publicly available web servers, FTP servers, and other services. Is public because access is largely open to everyone.
Guideline
A recommendation that is used when a specific standard or procedure does not exist. Are considered non-compulsory and flexible.
sag or dip
A reduction in voltage in electrical power that last for a short period of time.
brownout
A reduction in voltage that lasts longer than a few seconds.
Virtual Private Network (VPN)
A remote access connection that uses encryption to securely send data over an untrusted network.
Statement of Health (SoH)
A report generated by the NAP client that contains the client configurations for health requirements.
regulation
A requirement published by a government or other licensing body that must be followed. While you are not responsible for writing regulations, you are responsible for knowing which regulations apply to your organization and making sure that those regulations are understood and adhered to. Policies are often written in response to regulations.
Intangible asset
A resource that has value and may be saleable even though it is not physical or material. Intangible assets are typically more challenging to identify and evaluate.
Asset
A resource that has value to an organization.
Networking closet
A room that encloses telecommunications network systems and devices.
NAP server
A server that is responsible for keeping track of health requirements and verifying that clients meet those requirements before gaining access.
Internet protocol security (IPsec)
A set of protocols that provides security for Internet Protocol that can be used in conjunction with L2TP or by itself as a VPN solution.
Remediation server
A set of resources that a non-compliant computer can access on a limited-access network that help non-compliant clients become compliant.
Email hoax
A social engineering attack that prey's on email recipients who are fearful and will believe most information if it is presented in a professional manner. Victims of these attacks fail to double-check the information or instructions with a reputable third-party antivirus software vendor before implementing the recommendations. Usually, these hoax messages instruct the reader to delete key system files or download Trojan viruses.
Phishing
A social engineering attack that usually involves sending emails that are purported to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
Watering hole
A social engineering attack where the victim is a group like an organization, an industry, or a region and where the attacker guesses or observes which websites the group uses and infects one or more of them with malware. Eventually, a member of the targeted group becomes infected with the malware.
Spear phishing
A social engineering technique that targets specific individuals within a company to gain access to information that will allow the attacker to gain commercial advantage to commit fraud. Frequently involves sending seemingly genuine emails to all employees or members of specific teams.
Whaling
A spear phishing attack targeted that targets senior executives and high-profile victims. It is like spear phishing, but only targets upper-level management.
Honeynet
A special zone or network created to trap potential attackers. Have vulnerabilities that lure attacks so that you can track their actions. Honeypots can generate extremely useful security information.
Baseline
A standard that dictates the settings and security mechanisms that must be imposed on a system in order to comply with required security standards. Are mandatory standards with which all systems must comply.
cyber criminal
A subcategory of hacker threat agents that are willing to take more risks and use extreme tactics for financial gain
Screened subnet
A subnet protected by two firewalls, an external firewall connected to the internet and an internal firewall connected to a private network.
surge or spike
A sudden rise in voltage in electrical power.
Which of the following is the least effective power loss protection for computer systems?
A surge protector is useless in the event of power loss.
cost-benefit analysis
A systematic approach to calculating and comparing the benefits and costs of a course of action in a given situation.
Software Development Life Cycle (SDLC)
A systematic, seven-phase method for design, development, and change management used for software development and the implementation of system and security projects.
TEMPEST
A technology involving the monitoring (and shielding) of devices that emit electromagnetic radiation (EMR) in a manner that can be used to reconstruct intelligible data.
competitor
A threat agent that carries out attacks on behalf of an organization and targets competing companies
nation state
A threat agent that is a sovereign who may wage an all-out war on a target and have significant resources and money at their disposal
insider
A threat agent who has authorized access to an organization and either intentionally or unintentionally carries out an attack
internal threat
A threat from authorized individuals (insiders) that exploit their inherent privileges to carry out an attack
external threat
A threat from individuals or groups that attack a network from the outside and seeks to gain unauthorized access to data
persistent threat
A threat that seeks to gain access to a network and remain undetected
non-persistent threat
A threat where the only concern is getting into a system and stealing information and is usually a one-time event where the attacker is not concerned if their presence is noticed
Layer 2 Forwarding (L2F)
A tunneling protocol developed by Cisco to establish virtual private network connections over the internet.
A SYN attack or SYN flood exploits or alters which element of the TCP three-way handshake?
ACK
Which of the following does a router acting as a firewall use to control which packets are forwarded or dropped?
ACL
Intimidation
An active social engineering technique that usually involves an attacker impersonating a manager or director to frighten lower-level employees to gain information.
Which of the following are typically used for encrypting data on a wireless network? (select two)
AES
You need to configure a wireless network. You want to use WPA2 Enterprise. Which of the following components will be part of your design? select two
AES encryption
Which of the following attacks tries to associate an incorrect MAC address with a known IP address?
ARP poisoning
What are the office locations where access badge readers would be most appropriate?
Access badge readers are typically implemented at building entrances to control access to a facility. Also server rooms
reconnaissance
Actions taken to gather information for an attack.
What do user management policies identify?
Actions that must take place when employee status changes. The administrator of a network for an organization needs to be aware of new employees, employee advancements and transfers, and terminated employees to ensure the security of the system. All these activities could result in changes to: network access, equipment configuration, software configuration
Critical Business Functions (CBF)
Activities that are vital to your organization's survival and the resumption of business operation's.
What should you do?
Add a separate A/C unit in the server room.
Vulnerability evaluation
After identifying possible sources of threats, the next step is to evaluate common vulnerabilities to identify weaknesses that can be exploited. Vulnerabilities include:
Personal Identification Number (PIN)
All devices should be accessible only after a PIN has been entered or another authentication method has been activated.
Collection and identification
All evidence must be properly marked as evidence at the time it is found. Any identifying characteristics of the evidence must also be recorded at this time. If at all possible, evidence should be placed in a plastic bag or clean storage container and properly marked. A chain of custody document should be started at this time.
Presentation in court
All evidence needs to have been submitted to the court and deemed admissible before it is presented during trial. Continue to maintain proper handling procedures and document the chain of custody during all stages of the trial.
Return to owner
All evidence should be returned to the original owner after the case is completely settled, with the exception of some types of evidence, such as drugs or drug paraphernalia. It is important to note that some trials can take several years to be completely resolved, possibly resulting in the evidence not being returned during its usable lifetime.
In data retention, make sure to review:
All the different types of information used in your organization and develop a policy that defines how long different types of data are retained and destroyed when the retention period is past. Record this information in a clearly written policy.Having a written policy and ensuring everyone in the organization follows it protects you from accusations of destroying evidence. Adhering to your data retention and destruction policy protects you and your organization. Never allow selective or arbitrary information destruction, it might make it appear that you are trying to hide evidence and could expose you to potential criminal charges.
You are the office manager of a small financial credit business. Your company handles personal, financial information for clients seeking small loans over the Internet. You are aware of your obligation to secure clients records, but budget is an issue. Which item would provide the best security for this situation?
All-in-one security appliance
Crime scene evidence: preservation of the crime scene and evidence is critical:
Allow only authorized personnel trained in incident response to touch compromised systems.
Which of the following best describes the ping of death?
An ICMP packet that is larger than 65, 536 bytes
Which of the following describes how access lists can be used to improve network security?
An access list filters traffic based on the IP header or destination IP address, protocol, or socket numbers.
Milestone
An action or event marking a significant change when implementing a manageable network plan.
Scarcity
An active social engineering technique that attempts to make people believe that if they don't act quickly, they will miss out on an item, opportunity, or experience.
Urgency
An active social engineering technique that attempts to make people believe they must act quickly to avoid imminent damage or suffering.
Authority
An active social engineering technique that involves the impersonation of legal, organizational, and social authorities.
Consensus
An active social engineering technique that leverages peoples' willingness to perform an act if others have already performed the act.
Familiarity
An active social engineering technique that leverages peoples' willingness to perform an act requested by someone they are familiar with.
script kiddie
An individual who carries out an attack by using scripts or programs written by more advanced hackers. Typically lack the skills and sophistication of legitimate hackers. Usually motivated by the chance to impress their friends or garner attention in the hacking community.
Layer 2 Tunneling Protocol (L2TP)
An open standard for secure multi-protocol routing.
When a malicious user captures authentication traffic and replays it against the network later, what is the security problem you are most concerned about?
An unauthorized user gaining access to sensitive resources
Application aware IDS
Analyzes network packets to detect malicious payloads targeted at application-layer services
Accepting the risk:
And choosing to do nothing. For ex. You might decide that the cost associated with a threat is acceptable or that the cost of protecting the asset from the threat is unacceptable. In this case, you would plan for how to recover from that threat, but not implement any measures to avoid it.
Which of the following statements is true regarding risk analysis?
Annualized Rate of Occurrence (ARO) identifies how often the successful threat attack will occur in a single year.
What is the average number of times that a specific risk is likely to be realized in a single year?
Annualized rate of occurrence
uses for logs
By default, some logging is enabled and performed automatically. to gather information, you can usually enable more extensive logging.
After an intrusion has occurred and the intruder has been removed from the system, which of the following is the best next step or action to take?
Back up all logs and audits regarding the incident
Which of the following is an important aspect of evidence gathering?
Backing up all log files and audit trails
which of the following is the best countermeasure against man-in-the-middle attacks?
IPsec
In business continuity planning, what is the primary focus of the Scope?
Business processes
Which of the following firewall types can be a proxy between servers and clients? (select two)
Application layer firewall
You provide Internet access for a local school. You want to control Internet access based on user, and prevent access to specific URLs. Which type of firewall should you install?
Application level
organized crime
Attacks carried out by organized crime groups can last several months and are very well funded and extremely sophisticated. A common tactic used is a targeted phishing campaign. Once access is gained, the group will either steal data and threaten to release it or use ransomware to hold data hostage.
vulnerable business processes
Attacks on business processes have recently come into focus. Attackers target a business's unique processes and machines and manipulate them for personal benefit. When they identify a weakness, they can alter a process to help them achieve their aims.
What are the most common network traffic packets captured and used in a replay attack?
Authentication
The receptionist received a phone call from an individual claiming to be a partner in a high-level project and requesting sensitive information. The individual is engaging in which type of social engineering attack?
Authority
Prevents outside attempts to access confidential information
Anti phishing software
Bastion or Sacrificial Host
Any host that is exposed to attack and that has been hardened or fortified against those attacks.
hacktivist
Any individual whose attacks are politically motivated. Instead of seeking financial gain, hacktivists are looking to defame, shed light on, or cripple an organization or government.
hacker
Any threat agent who uses their technical knowledge to bypass security, exploit a vulnerability, and gain access to protected information
How often should change control be implemented?
Any time a production system is altered.
Employee and visitor safety:
As you implement physical security, be sure to keep the safety of employees and visitors in mind. Consider the importance of the following actions:
Seeking investigative help
Assess the situation to determine whether you have the expertise to conduct further investigations, or whether you need to call in additional help.
Asset classification
Asset classification is used to identify the appropriate value and protection levels. Asset classification can expedite the valuation process by grouping similar assets and comparing the valuation of different classifications. Asset classification:
Asset identification includes the following processes:
Asset identification identifies the organization's resources, asset valuation determines the worth of that resource to the organization. This is important because it establishes the level of protection appropriate for each asset.
A brownout is generally caused:
At the utility company during times of high power usage. The ANSI standard defines a brownout as an 8% drop between the power source and the voltage meter or a 3.5% drop between the voltage meter and the wall outlet.
The media
Avoid all contact with media or outside influences in any way. Interact only with the first responder and any other professional groups assigned to the investigation. Only designated personnel should be authorized to contact the media.
What is the primary countermeasure to social engineering?
Awareness
Which of the following controls is an example of a physical control access method?
Locks on doors
Which of the following terms describes a network device that is exposed to attacks and has been hardened against those attacks?
Bastion or sacrificial host
Asset tracking and inventory control
Because mobile devices are not tied to a physical location, asset tracking and inventory control are very important.
What are some possible motives for an insider threat actor?
Becoming disgruntled with an employee, being bribed by a competitor, seeking a personal financial gain
Taking photographs
Before touching the computer, document and photograph the entire scene of the crime including the current state of the computer screen. A traditional camera is preferred over a digital camera to avoid charges that an image was digitally altered.
When duplicating a drive for forensic investigative purposes, which of the following copying methods is most appropriate?
Bit-level cloning
Creates an agreement with a vendor to provide services on an ongoing basis
Blanket Purchase Order (BPO)
Specifies a preset discounted pricing structure
Blanket Purchase Order(BPO)
A file server with data is consider which of the following asset types?
Both tangible and intangible
An attacker is conducting passive reconnaissance on a targeted company. Which of the following could he be doing?
Browsing the organization's website
What are the office locations where surveillance cameras would be most appropriate?
Building entrances and server room
You are the security administrator for a small business. The floor plan for your organization is shown in the figure below. You've hired a third-party security consultant to review your organization's security measures. She has discovered multiple instances where unauthorized individuals have gained access to your facility, even to very sensitive areas. She recommends that you implement mantraps to prevent this from happening in the future. Click on the office location where a mantrap would be most appropriate.
By implementing a mantrap at the lobby entrance, two doors must be unlocked in sequence for an individual to gain access to this facility. A mantrap allows both doors to lock, detaining a suspicious individual between doors.
Transferring (or assigning) risk:
By purchasing insurance to protect the asset. When the incident occurs, the cost of replacing or repairing the asset is covered by insurance. When deciding to transfer the risk, be sure to compare the cost of insurance with the ALE. Purchase the insurance only if it costs less than the ALE.
Which of the following fire extinguisher suppressant types is best used for electrical fires that might result when working with computer components?
Carbon dioxide (CO2)
A Sensitivity vs. Risk chart can be use to quantify the value when:
Categories are designated with assigned quantitative value.
Encryption
Causes data, such as the content of an email, to be unintelligible except to those who have the proper key to encrypt it.
You have been asked to draft a document related to evidence gathering that contains details about personnel in possession and control of evidence from the time of discovery up through the time of presentation in court. What type of document is this?
Chain of custody
What is the most important element related to evidence in addition to the evidence itself?
Chain of custody document
The four components of operational security that help establish defense in depth:
Change control, employee management, security awareness, physical security
You plan to implement a new security device on your network. Which of the following policies outlines the process you should follow before implementing that device?
Change management
Uses for a protocol analyzer
Check for specific protocols on the network, such as STMP, DNS, POP3, and ICMP
Physical security is the protection of assets from physical threats. Physical security procedures include the following:
Choosing a secure site and securing the facility, protecting both data and equipment from theft, destruction, or compromise, implementing environmental and safety measures to protect personnel and the facility, disposing of sensitive material that is no longer needed.
You want to install a firewall that can reject packets that are not part of an active session. Which type of firewall should you use?
Circuit-level
Which of the following fire extinguisher types is best used for the electrical fires that might result when working with computer components?
Class C
A Service legal agreement defines the relationship and contractual responsibilities of providers and service recipients. Which of the following characteristics are most important when designing an SLA?
Clear and detailed descriptions of penalties if the level of service is not provided, Detailed provider responsibilities for all continuity and disaster recovery mechanisms.
How does IPsec NAP enforcement differ from other NAP enforcement methods?
Clients must be issued a valid certificate before a connection to the private notwork is allowed.
When designing a firewall, what is the recommended approach for opening and closing ports?
Close all ports; open only ports required by applications inside the DMZ.
A BCP or DRP plan evolves over time, what is the most important task to perform when rolling out a new version of the plan?
Collect and destroy all old plan copies.
Which of the following describes what the attacker is doing?
Collecting electronic emissions
As a victim of a Smurf attack, what protection measure is the most effective during the attack?
Communicate with your upstream provider
In a NAP system, what is the function of the System Health Validator?
Compare the statement of health submitted by the client to the health requirements.
Under the direction of senior management, security professionals establish specific policies and plans related to the organization's security implementation. The purpose of these plans and policies is twofold: they protect the organization's assets and protect the organization from liability and exposure. Security planning must include:
Complying with legal and regulatory compliance issues, Demonstrating ethical practices, practicing due care in the development of security policy and procedures. Due care means that security has been examined and reasonable security measures have been put in place. Due care eliminates an organization's burden of negligence in case of a security breach. Practicing due diligence by ensuring that approved security measures have been implemented and continue to be effective. Implementing due process by adhering to laws regarding evidence and fairness to protect individuals' rights. Due process ensures that any party charged with a crime is fully aware of the charges held against them and has the opportunity to fully defend themselves.
Zombie or Bot
Computers controlled by the zombie master or bot (short for robot) herder in a DDoS attack.
The code of ethic requires that everyone associated with the security policy:
Conduct themselves in accordance with the highest standards of moral, ethical, and legal behavior. Not commit or be a party to any unlawful or unethical act that may negatively affect their professional reputation or the reputation of their profession. Appropriately report activity related to the profession that they believe to be unlawful and cooperate with resulting investigations.
What are the 3 main goals of the CIA of security?
Confidentiality, integrity, and availability
You have hired 10 new temporary workers who will be with the company for 3 months. You want to make sure that these users can only log on during regular business hours. What should you do?
Configure account expiration in the user accounts
Which of the following is NOT a good solution to this problem?
Configure all data transmissions to be encrypted.
Which key steps should you take when implementing this configuration? (select two)
Configure the VPN connection to use IPsec
what should you do?
Configure the connection to use WPA2 Enterprise
You want to connect a laptop computer running Windows to a wireless network. The wireless network uses multiple access points and WPA2-Personal. You want to use the strongest authentication and cryption possible. SSIS broadcast has been disabled. What should you do?
Configure the connection with a pre-shared key and AES encryption.
What must you configure to see all of the network traffic?
Configure the network interface to use promiscuous mode
Storage segmentation
Consider segmenting personal data from organizational data on mobile devices.
Onboarding phase of the relationship:
Consider the following issues and formulate a plan to address them:
The police should be notified in the following order:
Contact the local police first
You have recently discovered that a network attack has compromised your database server. In the process, customer credit card numbers might have been taken by an attacker. You have stopped the attack and put measures in place to prevent the same incident from occurring in the future. What else might you be legally required to do?
Contact your customers to let them know about the security breach.
Which of the following prevents access based on website ratings and classifications?
Content filter
Which security-related recommendations should you make to this client? (Select two.)
Control access to the work area with locking doors and card readers, Relocate the switch to the locked server closet.
Implement the Principle Of Least Privilege
Control your network
How can a criminal investigator ensure the integrity of a removable media device found while collecting evidence?
Create a checksum using a hashtag algorithm
Which of the following steps can be used to isolate these departments?
Create a separate VLAN for each department
Requirement for job rotation:
Cross-trains individuals and rotates users between positions on a regular basis. Job rotation helps to catch irregularities that could arise when one person is unsupervised over an area of responsibility.
Role based security awareness training which should be tailored for the role of employees:
Data owner, system administrator, system owner, user, privileged user, executive user
Which of the following is NOT a protection against session hijacking?
DHCP reservations
Of the following security zones, which one can serve as a buffer network between a private secured network and the untrusted internet?
DMZ
Which type of attack has likely occurred?
DNS poisoning
Software development and coding
Development and coding involves 3 main actions, each of which should be performed by individual groups :
You are about to enter your office building through a back entrance. A man dressed as a plumber asks you to let him in so he can fix the restroom. What should you do?
Direct him to the front entrance and instruct him to check in with the receptionist.
Not all evidence is admissible in a court of law. For evidence to be admissible, it must be:
Directly related to the crime, collected fairly and lawfully, reliable, used for intended purposes only, recognized or acknowledged by either the witness, prosecutor, or defendant, marked correctly
During a site survey, you found a rogue wireless access point on your network. Which of the following actions should you take first to protect your network while still preserving evidence?
Disconnect the access point from the network
Which of the following is a common social engineering attack?
Distributing hoax virus information emails
When conducting a forensic investigation, and assuming that the attack has been stopped, which of the following actions should you perform first?
Document what's on the screen
To ensure that evidence is admissible in court, you must be able to provide its chain of custody:
Documents the integrity of the evidence by providing a record of every person it has come in contact with and under what conditions the contact occurred. Without a chain of custody document, there is no way to prove who might have had access to the evidence, meaning that the evidence could have been altered after discovery.Failure to provide a valid chain of custody could make the evidence worthless in court.
Improper certificate and key management
Due to the proliferation and complexity of digital certificates used for identity and encryption, many organizations find it difficult to manage their certificates and cipher keys. Expiring certificates are a leading cause of system downtime. To better manage their certificates, organizations should track when certificates expire, their issuing CA, and their encryption key strength
Ongoing operations
During this phase, observe the following:
You want to connect your small company network to the Internet. Your ISP provides you with a single IP address that is to be shared between all hosts on your private network. You do not want external hosts to be able to initiate connection to internal hosts. What type of NAT should you implement?
Dynamic
Which of the following statements about ESD is NOT correct?
ESD is much more likely to occur when the relative humidity is above 50%.
Which IPSec subprotocol provides data encryption?
ESP
Which step is required to configure a NAP on a Remote Desktop (RD) Gateway server?
Edit the properties for the server and select Request clients to send a statement of health.
Common threat vectors include:
Email attachments, web pages with embedded scripts, browser pop-ups, social manipulation, poor programming practices, unpatched operating systems and applications, outdated security mechanisms and encryption, breached physical security, unused applications and services on a system, enabled USB ports
Which of the following is NOT a benefit of physical security?
Employee passwords are stronger
In addition to Authentication Header (AH), IPSec is comprised of what other service?
Encapsulating Security payload (ESP)
Which of the following features is supplied by WPA2 on a wireless network?
Encryption
Application aware firewall
Enforces security rules based on the application that is generating network traffic instead of the traditional port and protocol.
your company is preparing to enter into a partner relationship with another organization. It will be necessary for the information systems used by each organization to connect and integrate with each other. Which of the following is of primary importance as you take steps to enter into this partner relationship?
Ensure that the integration process maintains the security of each organizations network.
Encryption
Ensures data confidentiality on the device. Voice encryption (on mobile phones) ensures data confidentiality during transit.
Control your network (User access)
Ensures network security, but restricts user access:
Map Your Network
Ensures that you are aware of all the components of the network and that you know where the physical devices are.
Confidentiality
Ensuring that data is not disclosed to unintended persons
Piggyback
Entering a secure building by following an authorized employee through a secure door without providing identification, the authorized employee does consent to being followed.
Tailgating
Entering a secure building by following an authorized employee through a secure door without providing identification, the authorized employee does not consent to being followed.
Environmental monitoring
Environmental conditions have a substantial impact on the reliability and life span of IT equipment. Environmental monitoring should be implemented in server rooms and data centers to ensure the proper function of environmental controls. The goal of environmental monitoring is to maintain environmental conditions and keep them as stable as possible.
Which of the following are solutions that address physical security?
Escort visitors at all times
Dumpster diving is a low-tech means of gathering information that may be useful in gaining unauthorized access, or as a starting point for more advanced attacks. How can a company reduce the risk associated with dumpster diving?
Establish and enforce a document destruction policy
Manage your network part I (Patch Management)
Establishes an update management process for all software on your network.
Change control should be used to oversee and manage changes over what aspect of an organization?
Every aspect
Preservation and Analysis
Evidence analysis should be made by trained specialists only. Thorough examination and documentation of each piece of evidence is crucial. The International Organization on Computer Evidence (IOCE) sets the standards concerning preservation and analysis of computer evidence. According to the IOCE, preservation and analysis of all computer data must comply with the following rules:
Transportation and processing
Evidence needs to be protected during all stages of transportation. Take all necessary measures to ensure that transported evidence is in the same condition when it arrives at the court room as it was when it left the lab or investigation site. Materials should be packaged to prevent damage, and the transportation method should ensure the appropriate environmental requirements for the evidence (such as heating, air conditioning, or humidity requirements).
Corraborative Evidence
Evidence or information that supports another fact or detail
hearsay evidence
Evidence that is obtained from a source other than personal, firsthand knowledge
How can a code of escrow agreement provide security for an organization?
Ex: A a code escrow agreement could specify that you obtain the source code from a vendor if the vendor went out of business.
What is the goal of a TCP/IP hijacking attack?
Executing commands or accessing resources on a system the attacker does not otherwise have authorization to access
What is the primary benefit of CCTV?
Expand the area visible by security guards.
Which of the following is a privately controlled portion of a network that is accessible to some specific external entities?
Extranet
Which of the following is likely to be located in a DMZ?
FTP server
Virus hoax
False reports about non-existent viruses that often claim to do impossible things recipients to take drastic action, like shutting down their network.
Security awareness is designed to:
Familiarize employees with the security policy, communicate standards, procedures, and baselines that apply to an employer's job, facilitate employee ownership and recognition of security responsibilities, establish reporting procedures for suspected security violations, Follow up and gather training metrics to validate:employee compliance, the organizations security posture
Security awareness and training is designed to:
Familiarize employees with the security policy, communicate standards, procedures, and baselines that apply to the employee's job, facilitate employee ownership and recognition of security responsibilities, establish reporting procedures for suspected security violations.
Physical access controls
Fences, turnstiles, keypads, and other devices that control access to a facility
Which of the following are characteristics of a circuit-level gateway? (select two)
Filter based on sessions, stateful
When using a protocol analyzer, you can filter the frames so that you see only the frames with information of interest:
Filters can be configured to show only frames or packets to or from specific addresses or frames that include specific protocol types.
Which of the following are functions of gateway email spam blockers? (Select two)
Filters messages containing specific content
The Gramm-Leach Bliley Act (GLBA) requires all banks and financial institutions to implement the following:
Financial privacy rule- requires banks and financial institutions to alert customers to their policies and practices in disclosing customer information. Safeguards rule- requires banks and financial institutions to develop a written information security plan detailing how they can plan to protect electronic and paper files containing personally identifiable financial information. Pretexting protection- requires banks and financial institutions to train their staff how to recognize social engineering exploits.
Which of the following is the best device to deploy to protect your private network from a public untrusted network?
Firewall
After you have analyzed an attack and gathered evidence, be aware that some states require you to notify individuals if their personal information might have been compromised
For ex, If an incident involves the exposure of credit card numbers, identifying information(such as social security numbers), or medical information, you might be legally obligated to notify potential victims and take measures to help protect their information from additional attacks
log files
For some investigations, you might need to review archived log files or data in backups to look for additional evidence. Be sure to design your backup strategy with not only recovery but also investigation and evidence preservation in mind.
Which of the following are denial of service attacks?
Fraggle, smurf
DoS attacks that exploit the UDP protocol include:
Fraggle, teardrop
Privacy policy outlines how personally identifiable information (PLL) can be used and how it is protected from disclosure. PLL items could include:
Full name, address, telephone number, driver's license, national identification number, credit card numbers, email address
Most, mobile device management (MDM) systems can be configured to track the physical location of enrolled mobile devices. Arrange the location technology on the left in order of accuracy on the right, from most accurate to least accurate
GPS, Wi-fi triangulation, Cell phone tower triangulation, IP address resolution
Active scanning
Gathering data by making contact with a system.
Passive Reconnaissance
Gathering data without directly affecting the target.
Performing a organizational reconnaissance could include:
Gathering information by utilizing internet-based resources such as:
Active social engineering
Gathering information or gaining access to secure areas through direct interaction with user's.
Passive social engineering
Gathering information or gaining access to secure ares by taking advantage of peoples' unintentional actions.
Which 5 methodologies can be used to defend your network?
General defense methodologies: layering, principle of least privilege, variety, randomness, simplicity
Physical security can protect a network from misuses of equipment by untrained employees or contractors. It can also prevent the network from:
Hackers, competitors, and terrorists walking in off the street and changing equipment configurations. Can also protect resources from natural disasters, such as floods, fires, storms, and earthquakes. Depending on your particular network design customer, physical security should be installed to protect core routers, demarcation points, cabling, modems, servers, hosts, backup storage, and so on. Because physical security is such an obvious requirement, it is easy to forget to plan for it, but it should never be overlooked or considered less important than other security mechanisms.
Which of the following fire extinguisher types poses a safety risk to users in the area? (Select two)
Halon and CO2
Which method can be used to verify that a bit-level image copy of a hard drive is an exact clone of the original hard drive collected as evidence?
Hashing
(Device Accessibility)
Helps to ensure that all of the devices on your network can be easily accessed while still maintaining the device's security. Accessibility includes physical access as well as remote access. Important considerations include:
Radio Frequency Interference
High-frequency radio waves that disrupts the radio signals in wireless communication systems.
You need to implement a wireless network link between two buildings on a college campus. A wired network has already been implemented within each building. the buildings are 100 meters apart. What type of wireless antenna should you use on each side of the link? select two
High-gain
Organizational Security Policy
High-level overview of the corporate security program.
When the TCP/IP session state is manipulated so that a third party is able to insert alternate packets into the communication stream, what type of attack has occurred?
Hijacking
Human resource policies related to security might include the following:
Hiring policies identify processes to follow before hiring. For example, the policy might specify that pre-employment screening include: employment, reference, and education history checks, drug screening, a background investigation or credit rating check
You have been given a laptop to use for work. You connect the laptop to your company network, use it from home, and use it while traveling. You want to protect the laptop from Internet-based attacks. Which solution should you use?
Host based firewall
Hidden files
In addition to looking for obvious evidence on computer systems(such as saved files), use special forensic tools to check for deleted files, files hidden in slack (empty) space, or data hidden in normal files through the use of steganography.
What is the primary purpose of imposing software life cycle management concepts?
Increase the quality of software
Assets come in many forms, some of these are:
Information assets, such as files or databases that contain valuable information. Infrastructure assets or physical devices, such as routers,firewalls, bridges, and servers. Support services for the information services.
open-source intelligence
Information that is readily available to the public and doesn't require any type of malicious activity to obtain
Which of the following is the most effective protection against IP packet spoofing on a private network?
Ingress and egress filters
You would like to control Internet access based on users, time of day, and Web sites visited. How can you do this?
Install a proxy server. Allow Internet access only through the proxy server.
Functional design
Involves the following actions:
Project initiation
Involves the following actions:
Software installation and implementation
Involves the following actions:
The organizational security policy includes:
Is usually written by the security professionals, but must be wholly supported and endorsed by senior management. Identifies roles and responsibilities to support and maintain the elements of the security program. Identifies what is acceptable and unacceptable regarding security management. Identifies the rules and responsibilities of the enforcement of the policy.
Unused features
Just as with a desktop or server system, you should disable or uninstall unused features on mobile devices. Unused features or services can expose threat vectors into the device.
Working with law enforcement
Keep in mind that it may be a crime not to report an incident to the proper authorities. Be aware that once you contact police, the investigation is completely out of your control. The decision to contact the police should be made solely by senior management.
what is the best defense against script kiddie attacks?
Keep systems up to date and use standard security practices
Which of the following is not an acceptable countermeasure to strengthen a cryptosystem?
Keep the cryptosystem a secret
Which VPN protocol typically employs IPSec as its data encryption mechanism?
L2TP
PPTP (Point to Point Tunneling Protocol) is quickly becoming obsolete because of what VPN protocol?
L2TP (Layer 2 Tunneling Protocol)
A SYN packet is received by a server. The SYN packet has the exact same address for both the sender and receiver addresses, which is the address of the server. This is an example of what type of attack?
Land attack
When a SYN flood is altered so that the SYN packets are spoofed in order to define the source and destination address as a single victim IP address, the attack is now called what?
Land attack
(5) escalate privileges (general attack strategy)
One of the primary objectives of an attacker and can be achieved by configuring additional (escalated) rights to do more than just breaching the system
What happens when a security incident is identified?
Legal counsel will often anticipate a government audit and possible litigation as a result of the investigation. Internal counsel will generate a legal hold, which notifies the organization to preserve all relevant information. A legal hold will often require changes in the way system data is backed up, stored, and archived.
Risk deference
Letting threat agents know the consequences they face if they choose to attack the asset. This could include posting warnings on login pages to indicate prosecution policies.
eavesdropping
Listening to a conversation between employees discussing sensitive topics.
The chain of custody is used for what purpose?
Listing people coming into contact with evidence
Shoulder surfing
Looking over the shoulder of someone working on a computer to view usernames, passwords, or account numbers.
Hearsay evidence is generally not admissible in court, it is obtained from a source other than personal, firsthand knowledge. Computer generated records and other business records cannot be proven accurate and reliable and, therefore are considered hearsay evidence. However, there are exceptions for record such as audit trails, audit trail reports, and incident reports that are:
Made during the regular course of business and authenticated by witnesses familiar with their use.
What is the primary goal of business continuity planning?
Maintaining business operations with reduced or restricted infrastructure capabilities or resources
Disasters
Major events that have significant impact on an organization. Can disrupt production, damage assets, and compromise security. Ex. Tornadoes, hurricanes, and floods
You manage the network for your company. You have recently discovered information on a computer hard drive that might indicate evidence of illegal activity. You want to perform forensic activities on the disk to see what kind of information it contains. What should you do first?
Make a bit-level copy of the disk
You walk by the server room and notice a fire has started. What should you do first?
Make sure everyone has cleared the area.
Prevention
Making a location less tempting to break into
Common session-based attack methods:
Man-in-the middle, TCP/IP (Session) hijacking, HTTP (Session hijacking, replay attack, and null session
Capturing packets as they travel from one host to another with the intent of altering the contents of the packets is a form of which attack type?
Man-in-the-middle attack
Establish a baseline for all systems
Manage Your Network
Establish an update management process
Manage Your Network
Create a list of all devices
Map Your Network
Create a list of all protocols being used on the network
Map your network
Static NAT
Maps an internal IP address to a static port assignment or even to a specific public IP address.
An attacker convinces personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access
Masquerading
first responder information
May be a dedicated member of the security response team, has the following goals: Contain the damage (or incident) as much as possible, do not damage any evidence. Initiates an escalation procedure to ensure that the right people are informed and the right people are brought on the incident sight. Initiates the documentation of the incident. Should have access to documentation for all aspects of the affected system. should maintain a thumb drive with commonly used tools and utilities.
Internet connectivity
May not be possible through the standard network connection. A web enabled smart phone or tablet device that will allow internet access for sending notification emails and accessing information for problem resolution should be available
Examples of OSINT:
Media(newspapers, magazines, advertisements,
Summarizes which party is responsible for performing specific tasks
Memorandum of Understanding(MOU)
Example of transitive trust
Microsoft Active Directory, which allows authenticated users to access resources in different domains as long as the parent domain is trusted
When recovery is being performed due to a disaster, which services are to be stabilized first?
Mission critical
Request process
Mobile devices will usually contain confidential information, thereby creating a security risk for an organization. To control the risk, an organization should control who is issued a device and what information is put on the device.
Which of the following network devices or services prevents the use of IPSec in most cases?
NAT
A broken water pipe that floods the reception area would be considered which type of threat?
Natural
Change control
Necessary any time a production system is altered. This includes modifications of existing applications, implementation of new applications, removal of old applications, and upgrading or patching software. Change control management is very similar to application development in its processes. A few things to remember about change control are:
If an organization shows sufficient due care, which burden is eliminated in the event of a security breach?
Negligence
Which solution should you use?
Network Access Control (NAC)
Your organization's security policy requires you to restrict network access to allow only clients that have their firewall enabled. Which of the following is a collection of components that would allow you to meet this requirement?
Network Access Protection
You manage a small network at work. Users use workstations connected to your network. No portable computers are allowed. As part of your security plan, you would like to implement scanning of e-mails for all users. You want to scan the e-mails and prevent any e-mails with malicious attachments from being received by users. Your solution should minimize administration, allowing you to centrally manage the scan settings. Which solution should you use?
Network based firewall
Your company has a connection to the Internet that allows users to access the Internet. You also have a Web server and an e-mail server that you want to make available to Internet users. You want to create a DMZ for these two servers. Which type of device should you use to create the DMZ?
Network-based firewall
When is a BCP or DRP design and development actually completed?
Never complete, as they need constant improvement and updates.
electro-magnetic interference
Noise between the hot wire and the ground or neutral wires in a electrical power circuit that disrupts the signals in data cables.
Which type of active scan turns off all flags in a TCP header?
Null
The Children's Online Privacy Protection Act (COPPA) requires online services or websites designed for children under the age of 13 to:
Obtain parental consent prior to the collection, use, disclosure, or display of a child's personal information. Allow children's participation without the need to disclose more personal information than is reasonably necessary to participate.
Disable VPN configurations that allow partner access to your network.
Offboarding
Reporting findings
Once the analysis is complete, the findings are reported, the report should be well written with the assistance of an attorney. Specifically, the report must be self-contained and describe the incident, the response, and the findings. Be sure to include a section relating the lessons learned from the incident and how they should influence your organization's security posture. You should also include the hours and expenses involved in responding to the incident
Defense in depth
One of the best ways to implement operational security, is the premise that no single layer is completely effective in securing the information. The most secure system has many layers of security, eliminating single points of failure.
Damage assessment
One of your first steps should be to perform an initial damage assessment. Notify senior management of the damage and determine who should respond to and investigate the incident. Carefully consider whether or not you should use in-house-skills to accomplish a full investigation of the crime. Using in-house-skills can help the company maintain greater control over the crime scene and the investigation. Outside professional support might be necessary for certain cases but usually involves a lack of privacy and added expense.
Which of the following is not an example of a physical barrier access control mechanism?
One-time passwords
The USA Patriot Act mandates:
Organizations to provide information, including records and documents, to law enforcement agencies under the authority of a valid court order, subpoena, or other authorized agency.
Resource Allocation Policy
Outlines how resources are allocated. Resources could include: staffing, technology, budgets
You want to use CCTV to increase your physical security. You want to be able to remotely control the camera position. Which camera type should you choose?
PTZ
Which of the following is a firewall function?
Packet filtering
improperly configured accounts
Password length and complexity policies help prevent attackers from gaining unauthorized access. But there are other account configurations that can increase security. Attackers know the default domain, service, and device accounts, their default passwords, and the default privileges assigned to them. If these accounts are left enabled and unchanged, they can be an entry point for adversaries. Accounts should be configured with the least amount of permissions and privileges needed to perform their duties. It is better to give privileges later than remove privileges after a security problem has occurred
What is the weakest point in an organization's security infrastructure?
People
You have discovered a computer that is connected to your network that was used for an attack. You have disconnected the computer from the network to isolate it from the network and stop the attack. What should you do next?
Perform a memory dump
What kind of exploit has been used in this scenario? (Choose two)
Pharming and DNS poisoning
An attacker pretending to be from a trusted organization sends an email asking users to access a website to verify personal information
Phishing
Which of the following attacks tricks victims into providing confidential information (such as identity information or login credentials) through emails or websites that impersonate an online entity that the victim trusts?
Phishing
Perimeter barriers
Physical security devices and procedures that protects the outer boundary of a facility.
You have recently been hired as the new network administrator for a startup company. The company' network was implemented prior to your arrival. One of the first tasks you need to complete in your new position is to develop a Manageable Network Plan for the network. You have already completed the first and second milestones where documentation procedures were identified and the network was mapped. You are now working on the third milestone where you must identify ways to protect the network. Which tasks should you complete as a part of this milestone?
Physically secure high value systems, Identify and document each user on the network
DoS attacks that use the IMCP protocol include:
Ping flood, ping of death, and smurf
Which of the following measures are the best way to secure your networking equipment from unauthorized physical access? (Select two. Each measure is part of a complete solution.)
Place your networking equipment in a room that requires key card and entry, place your networking equipment in a locked cage
Human Resources (HR) Policy
Policy used by HR that defines hiring and termination processes, job rotation requirements, and personal time off procedures.
Security zone
Portions of the network or system that have specific security concerns or requirements.
Which of the following should you implement?
Positive pressure system
AC power
Power systems can help keep electrical service constant. The following types of protection are available to improve and protect your equipment for AC power issues:
Employee management reduces asset vulnerability from emplyees by implementing processes that include the following:
Pre-employment processing, employee agreement documents, employee monitoring, termination procedures
You have a small network that uses multiple access points. The network uses WPA and broadcasts the SSID. WPA2 is not supported by the wireless access points. You want to connect a laptop computer to the wireless network. Which of the following parameters will you need to configure on the laptop? (select two)
Pre-shared key
Incident response process
Preparation- a detailed incident response plan must be in place long before a security incident occurs.
Gateway email spam filters
Prevent spam emails from reaching your network, servers, and computers. Spam filters can be configured to block specific senders, emails containing threats (such as false links), and emails containing specific content.
Hardware locks
Prevent theft of computers or components:
Manage you network part II (Baseline Management)
Provides rules for establishing a baseline for all systems:
How can an organization help prevent social engineering attacks?
Publish and enforce clearly written security policies and educate employees on the risks and countermeasures.
How should you place devices on the network to best protect the servers? (select two)
Put the server inside the DMZ
Remove insecure protocols
Reach Your Network
Make sure that remote access connections are secure
Reach your network
Which of the following best describes the concept of due care or due diligence?
Reasonable precautions based on industry best practices are utilized and documented.
The incident handling plan should be known to all members of the company in leadership positions. At least one member of every department should be trained to recognize abnormal activities, suspicious behavior, unauthorized code activity, and irregular patterns in employee conduct. In addition, employees should be trained to report security incidents or suspicious activity immediately to the proper company staff members or directly to the first responder. What actions should take place when an incident occurs?
Recognize and declare the event, preserve any evidence that may be used in an investigation, contact the first responder
The main methods used to attack DNS servers are:
Reconnaissance, DNS poisoning, domain name kiting, domain hijacking
What is the general attack strategy?
Reconnaissance, social engineering, technical, breach, escalate privileges, create a backdoor, stage, and exploit
Other benefits of implementing a data retention and destruction policy include:
Reduced cost of discovery requests in the event of legal action. Responding to discovery requests can be time-consuming and costly. If old material has been destroyed, discovery costs are minimized. Reduced exposure during discovery Minimizing the amount of electronic material an organization keeps reduces the amount of information that could expose an organization to potential litigation. Reduced hardware and software requirements for storing old data.
Business Continuity ensures that critical business functions are available to customers, suppliers, regulators, and other entities that must have access to those functions. Business continuity:
Refers to activities performed daily to maintain service, consistency, and recover-ability.
Impersonation
Refers to convincing personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access. The attacker usually poses as a member of senior management.
Infrastructure
Refers to the systems that support the site. Infrastructure includes AC power, heating, ventilation and air conditioning systems (HVAC), gas and water. Of these systems, AC power can present the greatest challenge on a day-to-day basis.
Change control
Regulates changes to policies and practices that could impact security. The primary purpose is to prevent unchecked change that cold introduce reductions in security. Change control must be a formal, fully documented process.
You have a company network with a single switch. All devices connect to the network through the switch. You want to control which devices will be able to connect to your network. For devices that do not have the latest operating system patches, you want to prevent access to all network devices except for a special server that holds the patches that the computers need to download. Which of the following components will be part of your solution? (Select two.)
Remediation servers and 802.1x
A smart phone was lost at the airport. There is no way to recover the device. Which of the following will ensure data confidentiality on the device?
Remote wipe
Restoring devices
Repair any damage created by the incident and restore services only after the above procedure are complete
Requirement for mandatory vacations:
Requires employees to take vacations of specified length. These vacations can be used to audit actions taken by the employees and provide a passage of time where problems caused by misconduct could become evident.
Organizational reconnaissance
Researching a company in order to find critical details.
Your company has developed and implemented countermeasures for the greatest risks to their assets. However, there is still some risk left. What is the remaining risk called?
Residual risk
Distributive allocation
Responds to the risk by spreading it through redundancy and high availability techniques such as clustering, load balancing, and redundant storage arrays.
Which content filtering option would you choose?
Restrict content based on content categories
Data analysis utilities
SANS Investigative Forensic Tool Kit
Saving memory contents- save the contents of memory by taking one of the following actions:
Save and extract the page file
Anti-phishing software
Scans content to identify and dispose of phishing attempts, preventing outside attempts to access confidential information
Attackers attempts to make the person believe that if they don't act quickly, they will miss out on an item, opportunity, or experience
Scarcity
Which of the following mobile device security considerations disables the ability to use the device after a short period of inactivity?
Screen lock
Security policies need not to be created in a bubble. There are security frameworks, best practices, ans secure configuration guides that can help when creating secure architectures and systems:
Security professionals have created industry-standard frameworks which describe the activities that will achieve specific security outcomes. In addition, security reference architectures can be used as templates when building a secure environment. In some cases, such as when creating government systems, a security framework or reference architecture may be mandated by government regulations. These frameworks and architectures can be customized for specific industries or may be customized for a specific nation. They can be generalized for organizations with international interests. Benchmark and secure configuration guides can be used to harden computers, networks, and vendor-specific devices. There are general purpose guides that are platform specific or vendor specific. For example, there are secure configuration guides to harden web servers, operating systems, application servers, and network infrastructure devices.
Defines how disputes will be managed
Service level agreement (SLA)
Specifies exactly which services will be performed by each party
Service level agreement(SLA)
Keep in mind the following recommendations for SLA's:
Should define, in sufficient detail, any penalties incurred if the level service is not maintained. In the information security realm, it is also vital that the provider's role in disaster recovery operations and continuity planning is clearly defined. Industry standard templates are frequently used as a starting point for SLA design, but must be tailored to be the specific project or relationship to be effective. If you depend on an SLA for mission-critical code, you should consider a code escrow arrangement.Code escrow is a storage facility hosted by a trusted third party which will ensure access to the mission critical code even if the development company, the company with whom you have the SLA, goes out of business.
You have a set of DVD-RW discs that have been used to archive files for your latest development project. You need to dispose of the discs. Which of the following methods should you use to best prevent extracting data from the discs?
Shred the disks
Measuring risks quantitatively requires identifying the following components:
Single loss Expectancy (SLE)- is the amount of loss expected for any single successful threat attack on any given asset. This is a monetary value that describes how much the incident will cost in terms of lost asset value.
Which of the following is a form of denial of service attack that uses spoofed ICMP packets to flood a victim with echo requests using a bounce/ amplification network?
Smurf
Release
Software should always be released to a librarian for disposition into production. Installations and routine operations of the application are performed. Security requirements should be included in proposals and contracts. The following list explains the application vulnerability life cycle, the chain of events that happen following the release of an application.
Mobile device management
Software that allows IT administrators to control, secure, and enforce policies on smartphones, tablets, and other endpoints.
Network Access Control (NAC)
Software that controls access to the network by not allowing computers to access network resources unless they meet certain predefined security requirements.
Anti-phishing software
Software that scans content to identify and dispose of phishing attempts.
Internet content filter
Software used to monitor and restrict content delivered across the web to an end user.
crippling systems
Some attacks seek to cripple their targets network or infrastructure. For an ex, an attack could target a city's power grid or water system
obtaining information
Some attacks seek to obtain sensitive information, such as government secrets. These attacks usually target organizations that have government contracts or the governments systems themselves. Attacks motivated by information gathering are considered a type of APT, as the goal is to remain in the system undetected.
Collecting data-Do not turn off the computer until the necessary evidence has been collected:
Some data might be lost when the computer is turned off
Co-mingling data
Sometimes evidence is found on a corporate system that is not otherwise violated. Evidential data should be extracted from the corporate system with great care to maintain its integrity and also the safety of the corporate system.
What is modified in the most common form of spoofing on a typical IP packet?
Source address
An attacker gathers personal information about the target individual in an organization
Spear Phishing
Attackers send emails with specific information about the victim that ask them to verify personal information or send money
Spear phishing
A router on the border of your network detects a packet with a source address that is from an internal client but the packet was received on the Internet-facing interface. This is an example of what form of attack?
Spoofing
Which type of activity changes or falsifies information in order to mislead or re-direct traffic?
Spoofing
(7) stage (general attack strategy)
Staging a computer involves preparing it to perform additional attacks in the attack, such as installing software designed to attack other systems. This is an optional step.
Which of the following are characteristics of a packet filtering firewall? (select two)
Stateless, filters IP address and port
Which method of NAT translation should you implement for these 5 servers?
Static
What should you use to allow access?
Static NAT
What is the method that allows for optimal control over coherence, security, accuracy, and comprehensibility?
Structured programming
A VPN is used primarily for what purpose?
Support secured communications over an untrusted network
You are a database administrator and the first responder for database attacks. You have decided to test one part of your current Business Continuity Plan (BCP) with two other database professionals. Which type of BCP test is this considered?
Tabletop exercise
After you have identified the risks and their associated costs, you can determine how best to respond to the risk. Responses include:
Taking measures to reduce (or mitigate) the likelihood of the threat by deploying security controls or other protections. When deploying countermeasures, the annual cost of the countermeasures should not exceed the ALE. If it does, you're paying more to protect the asset than it is worth. Security control types include: management, operational, technical.
Which of the following is the main difference between a DoS attack and a DDoS attack?
The DDoS attack uses zombie computers.
a packet sniffer is typically run on one device with the intent of capturing frames for all other devices on a subnet. using a packet sniffer in this way requires the following configuration changes:
The NIC must be configured in promiscuous mode. by default, a NIC will only accept frames addressed to itself. Normally, packet sniffer software will configure the NIC in promiscuous mode(p-mode) in p mode, the NIC will process every frame it sees.
Acceptable use
The acceptable use policy (AUP) identifies the employees rights to use the company property such as internet access and computer equipment for personal use.
Security
The degree of protection against danger, damage, loss, and criminal activity
Which of the following are not reasons to remote wipe a mobile device?
The device is inactive for a period of time
What happens if a change control unintentionally diminishes security?
The effective change control process includes a rollback. A rollback makes it possible to revert the system back to the state it was in before the change was put into effect.
Which statement best describes IPsec when used in tunnel mode?
The entire packet, including headers, is encapsulated.
Room security
The first line of defense in protecting computer systems is to control access to the location where the computers are located:
first responder
The first person on the scene after a security incident has occurred
Business Impact Analysis (BIA)
The identification and prioritization of BCF's, a calculation of a timeframe for recovering them, and estimation of the tangible and intangible act on the organization.
Detection
The identification of intrusion, missing assets, and the extent of any damage
Wi-Fi Protected Access (WPA)
The implementation name for wireless security based on initial 802.11i drafts and was intended as an intermediate measure to take the place of WEP while a fully secured system (802.11i) was prepared.
Zombie Master or Bot Herder
The lead computer in a DDoS attack.
Zombie Master or Bot Herder
The lead computer in a bot net.
Risk
The likelihood of a vulnerability being exploited. Reducing the vulnerability or minimizing the threat agent reduces the risk.
Threat probablility
The likelihood that a particular threat will occur that exploits a specific vulnerability.
threat vector
The likelihood that a particular threat will occur that exploits a specific vulnerability.
example of a load tester
The load tester might simulate a large number of client connections to a website,simulate test file downloads for an FTP site, or simulate large volumes of email.Use a load tester to make sure that a system has sufficient capacity for expected loads. a load tester can even estimate failure points where the load is more than the system can handle
Service Level Agreement (SLA) often include descriptions for the following:
The mean time between failures (MTFB) identifies the average lifetime of a system or component. Components should be replaced about the time that the MTFB is reached. The eman time to repair (MTTR) identifies the average amount of time necessary to repair a failed component or to restore operations.
Best evidence includes original, authentic objects, as an exception to this rule, copies can be submitted for the following reasons:
The original was lost in a fire, flood, or other natural disaster.
(4)breach (general attack strategy)
The penetration of system defenses, achieved through information gathered by reconnaissance to penetrate the system defenses and gain unauthorized access.
onboarding
The period when a third-party relationship is initiated
Offboarding
The period when a third-party relationship is terminated
Residual risk
The portion of risk that remains after the implementation of a countermeasure. This almost always occurs.
Risk assessment
The practice of determining which threats identifies are relevant and pressing to the organization and then attaching a potential cost that can be expected if the identified threat occurs.
Internal address
The private IP address that is translated to an external IP address by NAT.
Internal network
The private network where devices use private IP addresses to communicate with each other.
decryption
The process of converting data from ciphertext to plaintext. Also referred to as deciphering.
reconnaissance
The process of gathering information about an organization prior to an attack.
(1)Reconnaissance (general attack strategy)
The process of gathering information about an organization, including: system hardware information, network configuration, individual user information
dumpster diving
The process of looking in the trash for sensitive information that has not been properly disposed of.
Physical Security
The protection of corporate assets from threats such as theft or damage.
External address
The public IP address that NAT uses to communicate with the external network.
External network
The public network that a NAT device connects to with a single public IP address.
Recovery
The review of the physical security procedures, repairing any damage, and hardening the physical security against future problems.
Password policy includes:
The same password should never be used for different systems. Accounts should be disabled or locked out after a specified amount of failed login attempts. Passwords should never contain words, slang, or acronyms. Users should be required to change their passwords within a certain time frame and use a rotation policy. A strong password policy should be enforced. Strong passwords: Contain multiple character types(uppercase, lowercase, numbers, and symbols). Are a minimum length of eight characters or more. Use no part of a username or email address.
Fraggle is a variation of:
The smurf attack using UDP instead of ICMP to perpetrate an attack when firewall filters block ICMP messages.
Document your network
The step in which you create the documentation for your network:
Procedure
The step-by-step process that outlines how to implement a specific action. The design of a procedure is guided by goals defined in a policy, but go beyond the policy by identifying specific steps that are to be implemented. The use of consistent procedures ensures that the goals defined in policy are met and that the actions of mulitple administrators are consistent.
heating, ventilation, and air conditioning (HVAC)
The system used to provide heating and cooling services to buildings.
You suspect that an Xmas tree attack is occurring on a system. Which of the following could result if you do not stop the attack? (Select two)
The system will be unavailable to respond to legitimate requests.
economic espoinage
The theft of trade secrets or propriety information. Could be used to benefit a foreign government. When this happens, you need to work closely with the FBI and other government agencies to gather intelligence and counterintelligence. Your company can implement policies and procedures to combat foreign threats and better protect company secrets. With active logging in place within your system, forensic evidence can be obtained from access logs that have been enabled for firewalls, databases, applications, and other systems
Time offset
The time offset is the difference in system time that the machines use to compare to the actual time. You should record the time offset for each machine involved with the incident to ensure accurate and sequential date and stamps for collected data
Which of the following best defines Single Loss Expectancy?
The total monetary loss associated with a single occurrence of a threat.
storage
The utmost care must be taken to store and preserve evidence. For ex, a hard disk should be stored in an antistatic bag that is then sealed and placed in a cardboard box with foam lining.
Exposure
The vulnerability of losses from a threat agent.
Network cable locks
There are different types of Ethernet cable locks, where the cable is locked into place so the Ethernet cable will not be easily disconnected. Some other products are electrical plug locks and outlet port locks. Another option is called a Protection Distribution System (PDS). This is a metal cabinet that locks away all the cables that need to be secured. These cabinets are widely used by telecommunication companies. Laptops can also be kept in the PDS systems with security cable locks that can be opened by a key or code.
command line tools
There are several command line tools that can help you determine the condition of your network. Depending on the operating system, these command may vary in their format, but operate in a similar manner.
ICMP notification
This feature can silently block the sending of ICMP notifications. Some protocols may require these notifications.
UDP flood
This feature helps prevent UDP flood attacks by metering the number of simultaneous, active UDP connections from a single computer on the internal network.
Block ping to WAN
This feature helps prevent attackers from discovering your network through ICMP Echo (ping) requests.
ICMP flood detect rate
This feature monitors non-ping ICMP packets. Too many will cause the firewall to determine that a ICMP flood is occurring and trigger the appropriate response.
Fragmented packets
This feature will block the sending of fragmented IP packets.
TCP flood
This feature will drop all invalid TCP packets. This protects your network from SYN flood attacks.
Stealth mode
This feature will prevent the response to port scans from the WAN. This protects against port floods.
When you develop a manageable network plan, what should you keep in mind as you prepare to document your network?
This means establishing the process you will use to document your network.
When conducting a risk assessment, how is the Annualized Rate of Occurrence calculated?
Through historical data provided by insurance companies and crime statistics.
Hot and cold aisles
To ensure proper cooling, make sure server rooms have separate ducting or cooling systems from the rest of the building. The use of hot and cold aisles within the server rooms is an effective method for reducing the temperature of server rooms. A cold aisle is created by having the front of the equipment face toward the center of the aisle. Hot aisles have the back of the equipment face the aisle. Air from the cooling system is forced into the cool aisles from underneath and exhausted through the hot aisles overhead. Typically, cold aisles face air conditioner output ducts and hot aisles face air conditioner return ducts.
SYN flood detect rate
To help prevent SYN floods, this feature monitors the rate of SYN packets during a configuration time period. Too many SYN packets will cause the firewall to determine that a SYN flood is occurring and to trigger the appropriate response.
Echo storm detect rate
To help prevent ping floods, this feature monitors the rate of echo pings during a configuration time period. Too many pings will cause the firewall to determine that a ping flood is occurring and to trigger the appropriate response.
What is the primary purpose of source code of Escrow?
To obtain change rights over software after the vendor goes out of business.
What is the goal of security management?
To preserve the confidentiality, integrity, and availability of all critical and valuable assets. Senior management is responsible for security management. Senior management defines the corporate security posture or tone (the organization's outlook and approach to security) and provides funding for the security program.
Analyzing hard disks-clone or image hard disks
To protect or ensure the integrity of collected digital evidence, create a checksum using a bit-level hashing algorithm. In the future, the same hashing algorithm can be used to create another checksum. If the two checksums are identical, this proves that the media was not altered (and that is an exact copy of the original)
Weak cipher suites and implementations
To secure data begin transferred across external paths, TLS/SSL makes use of one or more cipher suites. Old and outdated cipher suites, especially those with documented vulnerabilities, can allow attackers access to secret data. Weak encryption keys are more likely to fail brute force attacks.
Which of the following are true Wi-Fi Protected Access 2 (WPA2)? (select two)
Upgrading from a network using WEP typically requires installing new hardware.
How do you prevent a replay attack?
Use a secure authentication method, such as Kerberos, the Kerberos protocol embeds additional data, such as the client's timestamp into network packets.
Which of the following is a valid security measure to protect email from viruses?
Use blockers on email gateways
Your company has five salesman who work out of the office and frequently leave their laptops laying on their desks in their cubicles. You are concerned that someone might walk by and take one of these laptops. Which of the following is the best protection to implement to address your concerns?
Use cable locks to chain the laptops to the desks
You have a company network that is connected to the Internet. You want all users to have Internet access, but need to protect your private network and users. You also need to make a Web server publicly available to Internet users. Which solution should you use?
Use firewalls to create a DMZ. Place the web server inside the DMZ, and the private network behind the DMZ.
What to do after creating your written data retention policy?
Use information classification labels to identify which retention policy rule is to be applied to specific data. using classfication labels allows you to use software tools to automate the data retention and destruction process. All information should be destroyed before being disposed of. Simpy deleting files can leave sensitive information behind.
WPA2
Uses AES for encryption
WPA2
Uses CBC-MAC for data integrity
WPA2
Uses CCMP for key rotation
WEP
Uses RC4 for encryption
WPA
Uses TKIP for encryption
Technical Reconnaissance
Using electronic means to scan systems to collect configuration and security data.
What is the best countermeasure for someone attempting to view your network traffic?
VPN
Which solution should you implement?
VPN concentrator
What is an action that must take place during the release stage of the SDLC?
Vendors develop and release patches in response to exploited vulnerabilities that have been discovered.
You have just received a generic-looking email that is addressed as coming from the administrator of your company. The email says that as part of a system upgrade, you are to go to a website and enter your username and password at a new website so you can manage your email and spam using the new service. What should you do?
Verify that the email was sent by the administrator and that this new service is legitimate.
You've just received an e-mail message that indicates a new serious malicious code threat is ravaging across the Internet. The message contains detailed information about the threat, its source code, and the damage it can inflict. The message states that you can easily detect whether or not you have already been a victim of this threat by the presence of the three files in \Windows\System32 folder. As a countermeasure, the message suggests that you delete these three files from your system to prevent further spread of the threat. What should your first action based on this message be?
Verify the information on well-known malicious code threat management web sites
What is the best definition of a security incident?
Violation of security policy
An attacker uses a telephone to convince target individuals to reveal their credit card information
Vishing
Which of the following offers the weakest form of encryption for an 802.11 wireless network?
WEP
Which of the following wireless security methods uses a common shared key configured on the wireless access point and all wireless clients?
WEP, WPA Personal, and WPA2 Personal
An attacker gathers personal information about the target individual, who is a CEO
Whaling
In which of the following situations would you most likely implement a demilitarized zone?
You want to protect a public web server from attack
transitive trust
a hierarchical two-way trust relationship between parent and child entities
which of the following is an example of vulnerability?
a misconfigured server
Tangible asset
a physical item such as a computer, storage device, or document. Such items are typically purchased. The valuation of these assets can be easily determined by the cost of replacing the item.
exploit
a procedure, a piece of software, or a sequence of commands that takes advantage of a vulnerability to actually carry out an attack
HTTP (Session) hijacking
a real-time attack in which the attacker hijacks a legitimate user's cookies and uses the cookies to take over the HTTP session.
logs
a record of events that have occurred on a system. log capabilities are built into operating systems, services, and applications. log entries are generated in response to changes in configuration, system state, or network conditions
multifactor authentication
a requirement of more than one method of authentication from independent categories of credentials to verify the user's identity
what is layered security?
a security approach that combines multiple security controls and defenses to create a cumulative effect
layered security model
a security approach that defines seven layers of security
Ping flood
a simple DoS attack where the attacker overwhelms the victim with ICMP Echo Request (ping) packets
protocol analyzer
a special type of packet sniffer that captures transmitted frames and analyzes the traffic that exists on the network along with the source and destination of that traffic
network monitoring
a systematic effort to detect slow or failing network components
(3)technical (general attack strategy)
a technical approach is using software or utilities to find vulnerabilities in a system (porch scan, ping sweep)
job rotation
a technique where users are cross-trained in multiple job positions
Examples of algorithms
a transposition cipher(also called an anagram), which changes the position of characters in the plaintext message
which of the following is an example of an internal threat?
a user accidentally deletes the new product designs
packet sniffer
a utility that captures or records frames transmitted on a network
throughput tester
a utility that measures the amount of data that can be transferred through a network or processed by a device (such as the amount of data that can be retrieved from a disk in a specific period of time)
load tester
a utility that tests a network by simulating a load on a server or service
key
a variable in a cipher used to encrypt or decrypt a message. should be kept secret
Which of the following is an example of a strong password?
a8bT11$yi
protected cable distribution
alarmed carrier
defense-in-depth
an access control principle that implements multiple access control methods instead on relying on a single method. multiple defenses make it harder to bypass the security measures
vulnerability
an opening or weakness in the system
Physical access control
anti-passback system
threat
anything that has the potential to cause the loss of an asset
includes authentication and authorization, user management, and group policies
application
Data retention policies also typically describe procedures for:
archiving information, destroying information when the retention limit is reached, handling information involved in litigation
Internal threats
are intentional or accidental acts by employees, including:
External threats
are those events originating outside of the organization that typically focus on compromising the organization's information assets. Examples are hackers, fraud perpetrators, and viruses.
Natural events
are those events that may reasonably be expected to occur over time. Examples are a fire or a broken water pipe.
What are the key components of risk management?
asset, threat, threat agent, vulnerability, exploit
availability
ensuring that a system is up so that data is available when needed
integrity
ensuring that data is not modified or tampered with
perimeter barrier
barricades
door locks
biometric authentication
penetrating system defenses to gain unauthorized access
breaching
Sources of sags or dips:
chained power strips, faulty wiring, sudden power draws, (such as when equipment is first turned on), and large inductive sources, such as an electrical motor.
need to know access is required to access what type of resources?
compartmentalized resources
top talkers
computers that send the most data, either from your network or into your network.
A user copies files from her desktop computer to a USB flash device and puts the device in her pocket. Which of the following security risks is most pressing?
confidentiality
by definition, which security concept ensures that only authorized parties can access data?
confidentiality
smart phones with cameras and internet access pose a risk to which security concept?
confidentiality
cryptography is the science of converting data into a secret code to hide a message's meaning during transmission. cryptographic system's provide the following security services:
confidentiality: by ensuring that only authorized parties can access data
which of the following is not a valid concept to associate with integrity?
control access to resources to prevent unwanted access
which of the following is an example of privilege escalation?
creeping privileges
important facts to know about job rotation
cross trains staff in different functional areas in order to detect fraud, exchanges positions of two or more employees to allow for an oversights of past transactions, can be used for training purposes
configuring additional rights to do more than breach the system
escalating privileges
An access control list (ACL) contains a list of users and allowed permissions. What is it called if the ACL automatically prevents access to anyone not on the list?
implicit deny
includes cryptography and secure transmissions
data
Data Retention Policies
define how information in your possession is maintained and for how long. The key point to remember is that different types of data must be retained for different lengths of time based on legal and business requirements.
creeping privileges: what to do when the account is no longer needed
delete accounts that will no longer be used
for media that's reached the end of its useful life
destroy the media by:crushing(useful for CD's, and hard drives), incineration(for paper and many other types of media),acid dipping, shredding using an approved shredding process(straight-cut shredders offer little protection, cross-cut shredders provide greater security)
A blackout can have a variety of sources such as:
downed power lines or failed transformers
An attacker searches through an organization's trash looking for sensitive information
dumpster diving
legitimate uses for steganography
embedding still pictures in a video stream. the picture can only be viewed by stepping through the video frame by frame(playing the video in real time hides the image because the eye cannot see one single frame within the video)
safety
emergency lighting
security incidents include the following:
employee errors, unauthorized acts by employees, insider attacks, external intrusion attempts, virus and harmful code attacks, unethical gathering of competitive information
important facts about need-to-know
even if an individual is fully cleared, information is still not divulged to persons who simply don't need to know the information to perform their official duties, need to know discourages casual browsing of sensitive materials, in a classified environment, a clearance into a Top Secret compartment only allows access to certain information within that compartment. This is form of mandatory access control (MAC)
natural events
events that may reasonably be expected to occur over time, such as a fire, or a broken water pipe
external threats
events that originate outside the organization(hackers, fraud perpetrators, and viruses)
which of the following methods of access control will the access list use?
explicit allow, implicit deny
crashing systems
exploitation
stealing information
exploitation
perimeter barrier
exterior floodlight
network protocols
formal standards and policies comprised of rules, procedures, and formats that define communication between two or more devices over a network
prevents unwanted email from reaching your network
gateway email spam blockers
Which of the following is a recommendation to use when a specific standard or procedure does not exist?
guideline
Protective cable distribution
hardened carrier
includes OS hardening, patch management, malware, and password attacks
host
includes each individual workstation, laptop, and mobile device
host
top listeners
hosts that are receiving most of the data by streaming or downloading large amounts of data from the internet. it is important to know which computers are the big receivers and senders of information because it is a good way to tell if something is wrong on your network. an unauthorized system that is sending large amounts of data to locations outside of your network could be a sign of a data breach
Once assets have been identified and a valuation established, it is important to document procedures relating to these classifications and other security procedures. This documentation provides a guideline for what is to be protected and the following how-tos:
how to store the asset
principle of least privilege, method of controlling access include: explicit deny
identifies users or groups who are not allowed access. the strongest form of access control and overrules all other privileges granted
your organization is in the process of negotiating an Inoperability agreement (IA) with another organization. As a part of this agreement, the partner organization proposes that a federated trust fund be established between your domain and their domain. This configuration will allow users in their domain to access resources in your domain and vice versa. As a security administrator, which tasks should you complete during this phase?
identify how data will be shared, identify how data ownership will be determined
Use timestamps on all documents
prepare to document
improper error handling
improper handling of errors, especially by a website, can lead to other security problems. If an error message displays stack traces, database bumps, and error codes, an attacker can use this information to form a more customized offensive. Even error messages that give limited details can reveal important clues to the inner workings of a website.
improper input handling
improper input handling may be the chief security vulnerability in today's software applications and web pages. It involves the improper validation, sanitization, and filtering, as well as encoding and decoding input data. During application development, all inputs should be considered untrusted, especially external inputs that can be transferred in various formats.
important facts about identification
in the computer world, a user name is a form of identification, because anyone could pretend to be you, identification by itself is not very secure, to substantiate a persons identity, they need to provide some verification that they are who they say they are
physical security
includes all hardware and software necessary to secure data, such as firewalls and antivirus software
application
includes authentication, and authorization, user management, group policies, and web application security
host
includes each individual workstation, laptop, and mobile device. this layer includes log management, OS hardening, patch management and implementation, auditing, malware, and password attacks
physical
includes fences, door locks, mantraps, turnstiles, device locks, server cages, cameras, motion detectors, and environmental controls
perimeter
includes firewalls using ACLs and securing the wireless network
data
includes storing data properly, destroying data, classifying data, cryptography, and data transmission security
network
includes the installation and configuration of switches and routers, implementation of VLANS, penetration testing, and virtualization use
policies, procedures. and awareness
includes user education, manageable network plans, and employee onboarding and off-boarding procedures
cleartext
information that will not be encrypted
What type of threat actor do these steps guard against?
insider
internal threats
intentional or accidental acts by employees including: malicious acts such as theft, fraud, or sabotage,intentional or unintentional actions that destroy or alter data, disclosing sensitive information by snooping or espionage
(1) layering (general defense strategy)
involves implementing multiple security strategies to protect the same asset. Defense in depth or security in depth is the premise that no single layer is completely effective in securing the assets. The most secure system/network has many layers of security and eliminates single points of failure.
tcpdump
is a network sniffer and analyzer. It displays a description of packet contents on a network interface. This utility is packaged in most LInux and Mac OS distributions. tcpdump is not part of the Windows OS, but can be readily downloaded from the internet.
A Privacy Impact Assessment (PIA)
is a process that assists organizations in identifying and minimizing the privacy risks of new projects or policies.
A Privacy Threshold Assessment (PTA)
is a required document that serves as the official determination by the Department of Homeland Security (DHS) as to whether a department program or system has privacy implications and whether additional privacy compliance documentation is required, such as a Privacy Impact Assessment (PIA) and System of Records Notice (SORN). The PTA is built into departmental processes for technology investments and security. PTAs expire and must be reviewed and re-certified every three years. The purpose of a PTA is to:
Risk rejection (or denial)
is choosing not to respond to the risk even though the risk is not at an acceptable level. Risk rejection introduces the possibility of negligence and may lead to liability. This risk is not an appropriate response.
What do you need to be aware of when assigning privileges?
it is often easier to give a user more access when they need it than to take away privileges that have already been granted
which security principle are you implementing by periodically shifting accounting responsibilities?
job rotation
which of the following is a security approach that combines multiple security controls and defenses and is sometimes called defense in depth?
layered security
eliminating single points of failure
layering
implementing multiple security measures to protect the same asset
layering
Steganography
literally translated as 'concealed writing', the process of hiding data or a message so that only the sender or the recipient suspects that the hidden data exists. the message is in cleartext, not encrypted but merely hidden.
Which of the following tools would you use to simulate a large number of client connections to a website, test file downloads for an FTP site, or simulate large volumes of email?
load tester
transparent proxies
located between a user and and the internet, and can redirect requests without changing the request. These can be used for web filtering.
What is another name for a back door that was accidentally left in a product by the manufacturer?
maintenance hook
avoiding creeping privileges: during the life of the account
modify access rights as job roles and circumstances change
which authentication type requires you to prove your identity?
multifactor authentication
why is defense-in-depth important?
multiple defenses make it harder to bypass the security measures
The most organized, well funded, and dangerous threat actor
nation state
which of the following principles is implemented in a mandatory access control model to determine object access by classification level?
need to know
includes implementation of VLANS, penetration testing; and the utilization of virtualization
network
Which of the following utilities should you use?
nmap
by definition, which security concept uses the ability to prove that a sender sent an encrypted message?
non-repudiation
what are the two primary motives for a nation state attack?
obtaining information, crippling systems
creeping privileges
occurs when a user's job position changes and they are granted a new set of access privileges and their previous access privileges are not removed or modified, resulting in privilege escalation. as a result, the user accumulates privileges over time that are not necessary for their current work tasks. the principle of least privilege and separation of duties are countermeasures against creeping privileges
Disable the domain trust relationship between networks.
offboarding
how does a throughput tester work?
on a network, a throughput tester sends a specific amount of data through the network and measures the time it takes to transfer that data. This creates a measurement of the actual bandwidth of the network. use a throughput tester to validate the bandwidth on your network and identify when the bandwidth is significantly below what it should be. A throughput tester can help identify when a network is slow but will not give you sufficient information to identify why its slow
Compare your organizations security policies with the partners policies
onboarding
draft an ISA
onboarding
identify how privacy will be protected
onboarding
which of the following algorithms combines a random value with plain text to produce cipher text?
one-time pad
Communicate vulnerability assessment findings with the other party
ongoing operations
conduct regular security audits
ongoing operations
before carrying out an attack, what information will a threat actor typically gather?
open-source intelligence (OSINT)
Which of the following are true of a circuit proxy filter firewall? (select two)
operates at the session layer
for media intended for reuse in the same security environment
perform a cleaning by deleting or overwriting the data media.
for media intended for use in a different security environment
perform a drive wipe, purge, or sanitization by overwriting the media a minimum of 7 times with random data
includes firewalls using ACLs and securing the wireless network
perimeter
includes cameras, motion detectors, and even environmental controls
physical
includes fences, door locks, mantraps, turnstiles, device locks, and server cages
physical
Which of the following denial of service (DoS) attacks uses ICMP packets and is only successful if the victim has less bandwidth than the attacker?
ping flood
includes how to manage employee onboarding and off-boarding
policies, procedures, and awareness
includes user education and manageable network plans
policies, procedures, and awareness
The milestones to develop a manageable network plan are:
prepare to document, map your network, protect your network (network architecture), reach your network (network accessibility), control your network (user access), manage your network part I (patch management), manage your network part II (baseline management), document your network
what is the primary purpose of separation of duties?
prevent conflicts of interest
separation of duties is an example of which type of access control?
preventive
giving users or groups only the access they need to do their job and nothing more
principle of least privilege
you assign access permissions so that users can only access the resources required to accomplish their specific work tasks . which security principle are you complying with?
principle of least privilege
What do HIPAA guidelines protect?
privacy
encryption
process of using an algorithm or cipher to transform data from cleartext to ciphertext in order to protect the confidentiality, integrity, and authenticity of the message
Due to the level of sophistication and amount of funding, attacks from organized crime groups are extremely hard to protect against. Specific protections against organized crime threat actors include:
proper use security training, implementing email filtering systems, and proper securing and storing of data backups
What tool would you use?
protocol analyzer
How can countermeasures reduce the risk of a threat agent by being able to exploit a vulnerability?
provides a security solution to an identified problem, is not dependent on secrecy, is testable and verifiable, provides uniform or consistent protection for all assets and users, is independent of other safeguards, requires minimal human intervention, is tamper-proof, has overrides and fall-safe defaults
non-repudiation
providing the validation of a message's origin
What is the most effective way to improve or enforce security in any environment?
providing user-awareness training
the constant change in personal habits and passwords to prevent anticipated events and exploitation
randomness
gathering system hardware information
reconnaissance
important facts about separation of duties
system users should have the lowest level of rights and privileges necessary to perform their work and should only have them for the shortest length in time possible, to achieve separation of duties, a business can use the principle of split knowledge. this means that no single person can completely compromise the system, in cases of sensitive or high risk transactions, a business can use two man controls. this means two operators must review and approve each others work
(8)exploit (general attack strategy)
takes advantage of known vulnerabilities in software and systems. Types of exploitation include: stealing information, denying services, crashing systems, and modifying/altering information
In which of the following denial of service (DoS) attacks does the victim's system rebuild invalid UDP packets, causing the system to crash or reboot?
teardrop
While a protocol analyzer shows the traffic that exists on the network and the source and destination of that traffic, it does not:
tell you if the destination ports on a device are open unless you see traffic originating from that port. For ex, seeing traffic addressed to port 80 of a device does not automatically mean the firewall on that device is open or that the device is responding to traffic directed to that port
AAA
the abbreviation for authentication, authorization, and accounting
identification
the act of claiming an identification
separation of duties
the concept of dividing a single task's responsibilities so that it cannot be complete without multiple people, thereby reducing conflicts of interest and insider attacks
Provisioning
the configuration, deployment, and management of IT system resources, including mobile devices
(4) randomness (general defense strategy)
the constant change in personal habits and passwords to prevent anticipated events and exploitation.
ciphertext
the encrypted form of a message that makes it unreadable to all but those the message is intended for
Risk management
the forecasting and evaluation of financial risks together with the identification of procedures to avoid or minimize their impact.
interoperability agreement
the means through which organizations (public administrations or businesses) formalize cooperation with one another.
Cryptanalysis
the method of recovering original data that has been encrypted without having access to the key used in the encryption process
employees are the single greatest threat to network security. therefore, user education is very important. Look for ways to take the following actions:
train employees so that they know that employees are the primary targets in most attacks, ensure employees understand that phishing attacks are one of the most common attacks directed at employees, ensure that employees can identify email, instant messaging, download, and website attacks, enforce effective password policies including a policy that prohibits writing down passwords, train employees to identify both internal and external threats, ensure that employees are aware of the company's security policies
Which type of cipher changes the position of the characters in a plain text message?
transposition
SLA's can include guarantees for:
turn-around times, average response times, number of online users, system utilization rates, system uptimes, volume of transactions, production problems
when a cryptographic system is used to protect the data confidentiality, what actually takes place?
unauthorized users are prevented from viewing or accessing the resource
principle of least privilege, method of controlling access include: implicit deny
users or groups that are only given the access they need to do their job. is the weakest form of privilege control
diversifying layers of defense
variety
Which of the following CCTV camera types lets you adjust the distance that the camera can see (in other words, zoom in or out)?
varifocal
Your organization entered into an Interoperability agreement(IA) with another organization a year ago. As a part of this agreement, a federated trust was established between your domain and the partner domain.The partnership has been in the ongoing operations phase for almost nine months now. As a security administrator, which tasks should you complete during this phase?
verify compliance with the IA documents, conduct periodic vulnerability assessments
Identifies and disposes of infected content
virus blockers
Products produced by fire combustion include:
water, carbon dioxide (CO2), smoke, and heat.
Prevents visiting malicious websites
web threat filtering
to avoid creeping privileges
when an account is created, apply the appropriate access rights based on the job role as implemented in the access control system. use the principle of least privilege and grant only the minimum privileges required to perform the duties of the position
To protect against phishing:
• Check the actual link destination within e-mails to verify that they go to the correct URL and not a spoofed one.
There are two general risk assessment methods:
• Quantitative analysis assigns real numbers to the costs of damages and countermeasures. It also assigns concrete probability percentages to risk occurrence.