Security+ SY0-601

What are rainbow tables?

-- provides precomputed values for cryptographic hashes. -- commonly used for cracking passwords stored on a system in hashed form.

Transmission Control Protocol (TCP)

-A connection-oriented protocol -Uses a three way handshake

public certificate in P7B format with what extension

.cer

private certificate in P12 format with what extension

.pfx

What is the difference bw RAID5 and RAID6

5 has a single parity and can lose one disk, 6 has double parity and can lose 2 disks

Describe how a managed switch with 802.1x works

802.1x authenticates users and devices connecting to a switch. Normally, the user or device has a server to authenticate them without the need to disable ports on the switch. An unauthorized user is prevented from using the port as they have no certificate

If i dont have NIDS on my network, which device can passively monitor network traffic

A NIPS can passively monitor on the network as it can fulfill the functionality of a NIDS if there is no NIDS on your network

What type of attack is a man in the middle attack using an SSL3.0 browser that uses a CBC

A POODLE attack is a MITM attack and uses Cipher Block Chaining

What is an RAT

A Remote Access Trojan is a trojan that sends out the users username and password to an external source so that a remote session can be created

What type of device can be used to automate the collection of log files across many different devices

A SIEM server can correlate log files from many devices and notify you of potential attacks

Three different groups of workers are in an open plan office and they are all connected to the same physical switch. What can be done to isolate them from each other

A VLAN can be used for departmental isolation on the same switch

Type 1 hypervisor

A bare metal hypervisor in which you install directly on the server's hardware.

What is the fastest attack that can crack any password

A brute force attack

What needs to be installed on the endpoint if you are using EAP-TLS for wireless authentication

A certificate on the endpoint as TLS needs x509 certificate

Security as a Service (SECaaS)

A cloud model in which all security services are delivered from the cloud to the enterprise. It provides identity management

SMTP (Simple Mail Transfer Protocol)

A communications protocol that enables sending email from a client to a server or between servers.

What are the two reasons why a computer might not receive an ip address from a DHCP server

A computer might not receive an IP address from a DHCP server due to resource exhaustion or network connectivity

DNS Cache

A database on a computer that stores information about IP addresses and their associated host names. It can exist on clients as well as on name servers.

What network device should you use to manage a high volume of web traffic

A load balancer because it sends the requests to the least utilized node that is healthy

Explain Man-in-the-Middle attacks.

A man-in-the-middle attack is an active interception of data on a network. The attacker can inject code in either direction. This can be facilitated by ARP poisoning, spoofing, etc.

How do 802.1x and port security differ? which one gives me more functionality

A managed switch uses 802.1x which authenticates the device but does not disable the port when port security merely disables the port. 802.1x provides more functionality

Why would I make a risk assessment for one of my main suppliers?

A manufacturer company would carry out a supply chain risk assessment because they need a reputable supplier of raw materials so that they can manufacture goods

What is the difference bw an MOU and an MOA

A memorandum of understanding is a formal agreement bw two parties, but it is not legally binding, whereas a memorandum of agreement is similar, but is legally binding

If a network admin wants to set up a VPN, what is the most secure protocol that they can use

A network admin could use AES as the strongest protocol for an L2TP/IPSec VPN as it can use 256 bit

If an network admin wanted to collect the statuses and reports of network devices, what secure protocol could they use

A network admin could use SMTP v3 to securely collect the status and reports from network devices

How does spear phishing differ from a phishing attack?

A phishing attack that has been sent to a group of users

Post Office Protocol (POP)

A protocol that resides on an incoming mail server. The current version is POP3.

Internet Message Access Protocol (IMAP)

A protocol used to retrieve email messages. IMAP is similar to POP3, but with some advanced features. The main difference between the two is that IMAP generally leaves the email on the mail server.

What is inherent risk?

A raw risk before it has been mitigated

How does a reply attack differ from a man-in-the-middle attack?

A reply attack is similar to a MITM attack, except the intercepted packet is replayed at a later date

What type of virus attacks the Windows/System32 folder on Windows, or the Bash shell on Linux

A rootkit virus

Which network device connects two network together

A router and it works at Layer 3 of the OSI reference model

What is the difference between a signature and an anomaly based NIDS

A signature based NIDS works off a known database of variants An anomaly based one starts with the database and can learn about new patterns or threats

host-based intrusion detection system (HIDS)

A software-based application that runs on a local host computer that can detect an attack as it occurs.

Privileged Access Management (PAM)

A solution that stores the privileged account in a bastion domain to help protect them from an attack

What type of internal device connects users on the same network

A switch, normally in a star topology

What type of virus inserts .dll into either the SysWOW64 or System32 folder

A trojan inserts a .dll into either the SysWOW64 or System 32 folder

What is a vulnerability in relation to risk management

A weakness that an attacker can exploit

I am trying to use the internet but my wireless session keeps crashing—what type of attack is this?

A wireless disassociation attack is where the attacker prevents the victim from connection to the WAP

What type of virus replicates itself and uses either ports 4444 or 5000

A worm

Microsoft RADIUS

AAA server using UDP port 1812 - non proprietary

Accounting

AAA server where they log the details of when someone logs in and out; used for billing purposes. logged into SQL database. uses UDP port 1813

What type of attack is a local attack and how can I prevent that attack

ARP attack by using IPSec

If a user installs pirate software on their corporate laptop, which policy have they violated

Acceptable Use Policy (AUP)

What type of HTTP status code lets you know you have made a successful connection to a web server

An HTTP status code of 200 ok lets you know that a successful connection has been made

What is the purpose of an ISA

An Interconnection Security Agreement (ISA) states how connections should be made between two business partners. They decide on what type of connection and how to secure it; for example, they may use a VPN to communicate.

What type of firewall can act as an intrusion prevention device, a statefull firewall, and can inspect encrypted SSL and HTTPS packets

An NGFW by carrying out deep packet filtering

Someone at work has suffered a cardiac arrest and the first aid delegate takes out a defibrillator that gives instructions of the steps to take. What had been built into the device to give these instructions?

An SoC gives instruction on the steps to take when using a defibrillator; however if it detects a pulse, it will not send a charge

Security Assertion Markup Language (SAML)

An XML-based standard used to exchange authentication and authorization information. (used with federated services)

What is the only way to prevent a brute force attack

An account locked with a low value

What is a watering hole attack?

An attack infects a website that a certain group of people visit regularly.

VM Escape

An attack that allows an attacker to access the host system from within a virtual machine. The primary protection is to keep hosts and guests up to date with current patches.

How does an attacker carry out password spraying

An attacker works out what standard naming convention a company is using and then they obtain the names of employees from the internet. then they try common passwords against those accounts

What is the purpose of an exit interview

An exit interview is to find out the reason why the employee has decided to leave; it may be the management style or other factors in the company. The information from an exit interview may help the employer improve terms and conditions and therefore have a higher retention rate.

Pass the Hash Attack

An exploit in which an attacker steals a hashed user credential and, without cracking it, reuses it to trick an authentication system into creating a new authenticated session on the same network.

What is the purpose of an incident response plan

An incident response plan is written for a particular incident and lays out how it should be tackled and the key personnel required.

OpenID Connect

An open source standard used for identification on the Internet. It is typically used with OAuth and it allows clients to verify the identity of end users without managing their credentials.

How can we calculate the ALE

Annual Loss Expectancy is calculated by multiplying the SLE by the ARO (# of losses per year). If I lose six laptops a year worth 1000 each. ALE would be 6000

Why would a company run an annual security awareness training program

Annual Security awareness training advises employees of the risk of using email the internet and posting info on social media websites. It also informs employees of any new risks posed since the last training

What is a gray box pen tester given?

At least one piece of information; normally they get limited information

Who uses AIS and what is its distribution

Automated Indicator Sharing was invented by the US federal government to exchange info about cyber attacks from the state down to the local level

a PEM certificate is in what format

Base64

What type of server would both an SIEM server and a Microsoft domain controller benefit from having installed on a network

Both a SIEM server and a microsoft domain controller using Kerberos authentication are dependent on a NTP server to keep the clock times on the hosts up to date. Otherwise, the SIEM server cannot put events into chronological order and Kerberos clients cannot log in

What is the downside to using two load balancers in an active/active mode

Both of the load balancers are working close to capacity and if one of these load balancers fail, then the users would find that the traffic is slower

For what type of attack would I use the strcpy tool

Buffer overflow attack

What is the driving force of a BIA

Business Impact Analysis is just money; It looks at the financial impact following an event. The loss of earnings, the cost of purchasing new equipment, and regulatory fines are calculated

What are the three portions of a distinguished name and the order that they come in

CN, OU, DC

If BitLocker is checking upon boot up that the software has not been tampered with, what is this known as

Checking the integrity of the software as it is being loaded is known as attestation

What are the three components of CIA

Confidentiality, Integrity, Availability

What is the purpose of code signing

Confirms the application's source of origin Validates the application's integrity

What type of threat actor would demand payment from you or threaten to publish customer information that you hold on social media

Criminal Syndicates would threaten you and demand payment as they are financially driven

What type of attack is a multiple SYN flood attack on a well known website that takes it down

DDoS

Which protocol can i use to prevent DNS poisoning

DNSSEC, which produces RRSIG records

What happens when a users private key becomes corrupt

DRA recovers the data by obtaining a copy of the private key from the key escrow

What type of system is susceptible to a birthday attack

Digital Signatures

Why would a company use two different vendors for their broadband

Diversity, so that if one vendor had a disaster, the other would keep providing the broadband

What type of attack would I use shimming or refactoring for

Driver manipulation attack

What is an embedded electronic system? Give 2 examples

Embedded electronic systems have software embedded into the hardware; some use SoC. Examples are microwave ovens, gaming console, etc.

How can I prevent a pass-the-hash attack?

Enabling Kerberos or disabling NTLM

When I go to a restaurant, how can I protect myself against card cloning

Ensure that the server does not disappear with your card; make sure it is always visible to you

NTP

Ensures that the clock times of all computers/ servers are synced

A company has a leak in the roof, and before it can be repaired, theres heavy rain, resulting in 6 laptops being water damaged. What type of disaster is this

Environmental threat

At what stage of incident response procedures would you reduce the services running on a computer on a domain controller that is infected with malware

Eradication where we remove viruses and reduce the services being used, it should be isolated

What is the difference bw fat, and thin wireless controllers

FAT wireless controller is standalone and it has its own setting and DHCP addresses configured locally Thin wireless controller pushes out the setting to multiple WAPs

What protocol is used to transfer large files remotely

FTPS because it uses two ports: 989/990

Type II in biometric authentication

Failure Acceptance Rate, people that are not permitted to access your network are given access

What type of attack is distributing fake software

Fake software that will not install is a hoax. An email alert telling you to delete a system file as it is a virus is also a hoax.

User Datagram Protocol (UDP)

Faster but less reliable because it is connectionless

FTP

File Transfer Protocol

The Hosts File

Flat file where entries are manually inserted and read from top to bottom

when would you use a private CA

For internal use only

What is the purpose of GDPR

GDPR was developed by the EU to protect an individuals right to privacy

What is tailgating

Gaining unauthorized access to restricted areas by following another person

why would an engineer carry out a site survey prior to installing a wireless network

He would ensure that the WAPs are place where there is no interference.

HVAC

Heating, Ventilation and Air Conditioning

Network Address Translation (NAT)

Hides the internal network from those on the external network

What is home automation?

Home automation is where you can control temperature, lighting, entertainment systems, alarm systems, and many appliances.

What type of IPS protects VMs from attack

Host Based IPS (HIPS)

HTTP

HyperText Transfer Protocol - the protocol used for transmitting web pages over the Internet

What modes would you use a L2TP/IPSec tunnel over the internet and then internally?

IPSec in tunnel mode is used across the internet or external networks, and IPSec in transport mode is used bw hosts internally

Describe how IPSec tunnel mode works

IPSec in tunnel mode is used with an L2TP/IPSec VPN session where both the AH and ESP are encrypted

What can we do to slow down a brute force attack

If account lockout is not available, the best way to slow down a brute-force attack is to make the password length longer or to salt passwords.

If I wanted to back up data to a backup device but at the same time prevent someone from deleting the data, what device do I need to use?

If data is backed up to a Write Once Read Many (WORM) drive, the data cannot be deleted or altered

If i receive an alert that server1 has a virus and i inspect the server and there are no viruses what is this known as

If one of the monitoring systems reports a virus and you manually check and find no virus, this is known as a false positive

If the CRL is going slow, what should I implement?

If the CRL is going slow, an OCSP is used as it provides faster validation.

What would be the benefit to first line support if the company were to adopt CYOD instead of BYOD

If they adopt BYOD, they might have to support hundreds of different devices, but if they adopt CYOD, there would be a limited number of devices to make support easier

What would happen if the last process of the incident response process was not carried out

If we do not carry out lessons learned, the incident may reoccur. Lessons learned is a detective control where we try to identify and address any weaknesses

Name two methods for preventing the replay attack

Input validation and stored procedures (best one)

What category of device are my smart TV and wearable tech

IoT devices

ACK Packet

It acknowledges both kinds of packets and then the data is sent

DHCP

It allocates IP addresses dynamically to computers

Why would I use the scanless tool

It allows anonymous port scanning so that it cannot be traced back to you

What is the benefit of using the Docker tool to protect your registry

It allows you to isolate applications into separate space called containers. The registry can now be isolated in a separate containers, making it more secure

What is the purpose of SSAE

It assists CPA in carrying out the auditing of SOC reports

What is the purpose of a captive portal for a wireless network

It can ask you to agree to an AUP and provide additional validation, such as your email address or facebook or google account details

What is the benefit of network card teaming

It can help load balance the network traffic and provide redundancy if one card fails

Explain the port mirror process and name another device that could be used for the same process

It can make a copy of the data going to the port and divert it to another device for analysis. A tap is another device that can be used for the same purpose. However, a tap is more expensive

SNMP (Simple Network Management Protocol)

It can monitor the status of network devices and provide reports if required

What two things can a wifi Analyzer perform

It can troubleshoot wireless connectivity and discover the SSID inside a packet going to the WAP

what is the purpose of a router

It connects external networks and routes IP packets

Cloud region

It consists of multiple physical location called zones; data can be spread across multiple zones for redundancy

What are the two main reasons why I would receive an APIPA address of 169.254.1.1

It could be resource exhaustion where the DHCP server has run out of IP addresses or it could be network connectivity bw the client and the DHCP server

What is a SOC type 2 report and what is its distribution

It deals with the effectiveness of the control and has limited access as it provides a detailed report about a company

What is the purpose of a network access control? Name the two agents that it uses

It ensures that devices connecting to your network are fully patched. There are two agents: one that is permanent and another that is dissolvable that is for single use

What is the purpose of job rotation

It ensures that employees work in all departments so that if someone leaves at short notice or is ill, cover can be provided. It also ensures that any fraud or theft can be detected.

What is the benefit of introducing a separation of duties in the finance department

It ensures that nobody in the department carried out both parts of a transaction

What is the purpose of using HSTS

It ensures that the web browser only accepts secure connections and prevents XSS

What is the purpose of a privacy notice

It gives consent for data only to be collected and used for one specific purpose

What does the linux permission 764 do

It gives owner read, write, and execute access, the group read and write access, and other users access

What is the purpose of SFlow

It gives you clear visibility of network traffic patterns and can identify malicious traffic

What is the benefit of an HTML 5 VPN

It has no infrastructure to be set up as it uses certificates for encryption

What are the two portions of an IPSec packet

It has the authenticated header that uses either SHA1 or MD5 and an Encapsulated Payload (ESP) that uses DES, 3DES, or AES.

What is the purpose of IOCs

It informs members of their It security community of IP addresses, hashes, or URLs where they have discovered newly released malware

What is an integer overflow attack

It inserts a number larger than what is allowed.

What type of attack is a man in the middle attack

It is a Tojan that intercepts your session bw your browser and the internet; it obtains financial transactions

What is the purpose of a screened subnet and what type of web server is located there

It is a boundary layer that hosts an extranet server; it is sometimes known as the extranet zone. It used to be called the DMZ

What is the purpose of an endpoint protection and response solution

It is a centralized console that continuously monitors the computer and makes automatic alerting when a threat has been detected. It uses machine learning

What is a botnet

It is a group of computers that have been infected so that they can be used to carry out malicious acts without the real attacker being identified; Used for DDoS attack

What is the purpose of SoC

It is a low-power integrated chip that integrates all of the components of a computer or electronic system. An example would be the controller for a defibrillator. Think of it as an operating system stored on a small chip.

What is the purpose of a keylogger

It is a piece of software that could run from a USB flash drive plugged into the back of a computer, which then records all the keystrokes being used. It can capture sensitive data that is typed in, such as bank account details and passwords.

Why would a cybersecurity team change the SSD hard drives in the company's laptop to an Opal drive

It is a self encrypting drive where the encryption keys are stored on the hard drive controller and are therefore immune to a cold boot attack and are compatible with all operating systems. They do not have vulnerabilities of software based encryption. As a hardware solution, they outperform software solutions

What is the MITRE ATT&CK framework used for

It is a spreadsheet that shows groups of adversaries, which can be drilled down to see the attack methods and tools used by them

What type of service is spotify

It is a subcription service where the user pays a monthly fee; it is a pay per use model

Why would someone use Angry IP

It is an IP scanner that would scan an IP range to determine hosts that are active or inactive

What type of IP address 2001:123A:0000:ABC0:00AB:0DCS:0023 and how can we simplify it

It is an IP version 6 address and you can simplify it by changing the leading zeros to 2001:123A::ABC0:AB:DCS:23

What is an on-path attack?

It is an interception attack, for example, a replay or a man in the middle attack

what is the purpose of a switch

It is an internal device connecting computers being used in the same location

What is the purpose of a UPS

It is basically a battery that is a standby device that that when the computer power fails, it kicks in.

As part of application development, when would you apply quality assurance

It is completed during the staging environment where users test the new application with real data

How does an attacker carry out credential harvesting

It is done by a phishing attack where you are warned that you have been hacked, and it gives you a link to the website to resolve it; that way, when they try to login, they collect your details

What is the purpose of an incident response exercise

It is for carrying out the incident response plan and planning for any shortfalls

What is bluejacking

It is hijacking someones bluetooth phone so that you can take control of it and send text messages

What is dead code and how should it be treated

It is never used, but could introduce errors into the program life cycle; it should be removed.

What is the purpose of a web app firewall and where it is normally placed

It is normally installed on a web server as its job is to protect web applications from attack

What is the first stage in risk assessment

It is risk assessment is identifying and classifying an asset. How the asset is treated, accessed, or scored is based on the classification.

What is the purpose of obfuscation

It is taking code and making it obscure so that, if it is stolen, it will not be understood. XOE and ROT13 could be used for this

What is the WAP master password, and how would you protect it

It is the admin password, and it should be encrypted to protect it

Why do we use fingerprinting

It is the deep analysis of a host

What is the purpose of a jump server

It is to allow a remote SSH session to a device or a VM in a screened subnet or the cloud

what is the purpose of a vpn

It is to create a tunnel across unsafe networks from home or a hotel to the workplace.

Why would a company introduce a clean desk policy

It is to ensure that no document containing company data is left unattended overnight.

How does a logic bomb virus work

It is triggered off by an event; for example, a Fourth of July logic bomb would activate when the date on the computer was July 4.

What is implicit deny and which 2 devices does it affect

It is used by both the firewall and the router. If there is no allow rule they get the last rule which is deny all.

What is the purpose of BPA

It is used by companies in a joint venture and it lays out each party's contribution, their rights and responsibilities, how decisions are made, and who makes them.

When would someone use the Harvester tool

It is used to collect the email addresses of a particular domain from search engines such as Google

Explain a phishing attack

It is when a user receives an email asking them to fill in a form requesting their bank details.

What is multiparty risk

It is when someone wins a contract and subcontracts to a third party who could sabotage your systems

What is bluesnarfing?

It is when steal someones contracts from their bluetooth phone

What is the main problem with a race condition when using an application

It is when two threads of an application access the same data

Explain how port security works

It is where a port on a switch is disabled to prevent someone from using a particular wall jack

How is pretexting used in an attack

It is where an attacker manufactures a scenario such as saying there is suspicious activity on their account, and they ask you to confirm your account details so they can steal them

What is tokenization and why is it stronger than encryption

It is where data is replaced by a stateless token and the actual data is held in a vault by a payment provider

Explain input validation and name three types of attacks that this could prevent

It is where data that is in the correct format is validated prior to being inserted into the system. SQL injection, buffer overflow, and integrity overflow are prevented using this

What is a zero-trust network and where is it likely to be used

It is where nothing is trusted., and every user or device must prove their identity before accessing the network. This would be used in the cloud

What is domain hijacking

It is where someone tries to register your domain, access your hosted control panel, and set up a website that is similar to yours

What is an inline NIPS

It is where the incoming traffic passes through and is screened by the NIPS.

What is the purpose of risk transference

It is where the risk is medium to high and you wish to offload the risk to a third party, for example, insuring your car.

Why is operational tech vulnerable to attack

It is where we have removed CCTV standalone systems that were airgapped and we now use a fully integrated solution that is fully connected, leaving them vulnerable

What is an impact assessment

It is where you evaluate the risk of collecting big data and and what tools can be used to mitigate the risk of holding so much data

What is a pivot

It is where you gain access to a network, so that you can launch an attack on a secondary system

What type of attack is session hijacking

It is where your cookies are stolen so that someone can pretend to be you.

Which is the purpose of web caching on a proxy server

It keeps copies of the web pages locally, ensuring faster access to the web pages and preventing the need to open a session to the internet

What is the purpose of a risk register

It lays out all of the risks that a company faces; each risk will have a risk owner who specializes in that area as well as the risk treatment.

What is the purpose of a measured boot

It logs information about the firmware and application and stores this log in the TPM chips. This can be used to check the health status of the host and antimalware can check during the boot process that the software is trustworthy

How does East-West traffic operate

It moves laterally between servers within a data center

Describe how a fileless virus operates

It piggybacks itself onto a legitimate application, and they both launch together. Using malwarebytes would alert you of both launching at the same time

LRS

It replicates 3 copies of your data to a single physical location; this is the cheapest option

SYN/ACK packet

It says what the next packet will be

Which VPN session type would you use on a site-to-site VPN?

It should be used in always-on mode as opposed to dial-on-demand

Type 2 hypervisor

It sits on top of an operating system

Why is tokenization deemed more secure than encryption

It takes sensitive data, such as credit card number, and replaces it with random data, so that it cannot be reversed. Encryption can be reversed

What is a whaling attack

It targets a CEO or a high-level executive in a company.

How does AI tainting help attackers

It uses ML to teach the machine to think like a human and detect attacks. If it is tainted, it will ignore attacks by the attackers

Secrets management

It uses a vault to store keys, passwords, tokens, and SSH keys used for privilege accounts. It uses RSA 2048 bit-key to protect access keys

What is the purpose of the ISO standard 27701

It was developed as a standard as an extension of 27001/27002 to be used for privacy information management

How does the shadow IT threat actor operate and what type of attack could benefit from their actions

It would connect their own computers to your network without your consent and could lead to pivoting

How can I prevent a replay attack in a microsoft environment

Kerberos authentication uses USN and timestamps and can prevent a replay attack, as the USN packets and the timestamps need to be successful

Which secure protocol can be used to prevent a pass-the-hash attack

Kerberos prevents this attack and Kerberos uses AD which stores the passwords in an encrypted database

Most secure tunneling protocol

L2TP/IPSec

What is the most secure VPN tunneling protocol

L2TP/IPSec because it uses AES encryption for the ESP

A system admin is managing a directory service using a protocol that uses TCP port 389. What protocol are they using and which protocol can be used to carry out the same task securely

LDAP uses TCP port 389 and is used to manage directory services. It can be replaced by LDAPS TCP port 636, which is more secure

What is the purpose of MTBF

Mean Time Between Failure (MTBF) is the measurement of the reliability of a system.

What information can be established from an MTTR

Mean Time to Repair is the average time to takes to repair the system, but in the exam, it could be seen as the time to repair a system and not the average time

What is the passive device that sits on your internal network

NIDS

What is a wireless shortrange payment type

Near field communication

What type of device hides the internal network from hackers on the internet

Network Address Translator (NAT)

Which type of IPS is placed behind the firewall as an additional layer of security?

Network based IPS (NIPS)

Would you go to your online banking if you are in a hotel that uses Open Authentication

No because it is not secure

how to identify a certificate

OID

What is data masking

Obscuring data such that it cannot identify a specific person, but remains practically useful.

What type of threat intelligence does the Malware Information Sharing Project provide

Open Source Intelligence (OSINT)

What is the purpose of a SOAR system playbook

Playbooks contain a set of rules to enable the SOAR to take preventative action as an event occurs

Why would a cybersecurity team use the MITRE ATT&CK Framework

Prepare your business against different adversaries. Can see which tactics and techniques they use. take mitigation steps to avoid attacks

What is the purpose of DHCP snooping

Prevent rogue DHCP servers from operating openly on your network

What RAID model has a minimum of three disks? How many disks can it afford to lose?

RAID 5; one

What RAID models has a minimum of four disks

RAID 6

What types of records are created by DNSSEC

RRSIG records for each DNS host and a DNSKEY record used to sign the KSK or ZSK

What is crypto-malware?

Ransomware where the victims hard drive is encrypted and held to ransom; it could also have popups

What is the relationship bw the RPO and the RTO

Recovery Point Object is the acceptable downtime that a company can suffer without causing damage to the company, whereas the Recovery Time Object is the time it takes for the company to return to an operational state - this should be within the RPO

What are the rules of behavior

Rules of behavior are how people should conduct themselves at work to prevent discrimination or bullying.

Telnet

Runs remote commands on devices such as routers but it is in plain text

Which protocol can be used to digitally sign an email between 2 people

S/MIME

What is the purpose of a SCADA system

SCADA systems are industrial control systems used in the refining of uranium, oil, or gas.

What type of network is used by a virtual network so that the route requests are forwarded to a controller

SDN is used in a virtual environment when the routing requests are forwarded to a controller

Which protocol allows a user to put a Skype session on hold, speak to another person, and then come back to the first caller

SIP

What type of attack uses the phase 1=1

SQL injection attack

Which protocol can be used to secure video conferencing

SRTP

If an IT admin uses Telnet to run remote commands on a router, which secure protocol can it be replaced with

SSH

How can I store passwords to prevent a dictionary attack?

Salting password inserts a random value dictionary does not contain random characters

What would happen if i tried to sell my car and sent an email about it to everyone who worked in my company using my Gmail account

Sending an email out to everyone who works in your company using your gmail account is a violation of the AUP and could lead to disciplinary action

During a disaster recovery exercise, the IRP team is given a scenario to respond to. What type of exercise are they likely to carry out

Simulation

When using WPA3-Personal, what replaces the preshared key

Simultaneous Authentication of Equals (SAE) as it is more secure as the password is never transmitted and it is immune to offline attacks

What is the purpose of SLE and how it is calculated

Single Loss Expectancy is the cost of the loss of one item; if I lose a tablet worth 1000, the SLE is 1000

What type of attack is it if I receive an email from my comp CEO, telling me to complete the form attacked by clicking on a link in the email

Social Engineering Authority Attack

One of my bosses asks me to give them information that one of my peers gave them last week. I am not too sure, but I give them the information. What type of attack is this?

Social engineering consensus attack, where the person being attacked wants to be accepted by their peers

One of the junior members of the IT team installs more copies of a piece of software than are allowed by the licenses that the company has purchased. What have they just carried out

Software licensing compliance violation

If I install a freeware program that analyzes my computer and then finds 40,000 exploits and asks me to purchase the full version, what type of attack is this

Subtle form of ransomeware

What type of attack is it if I am in a ATM queue and someone has their phone to one side so that they can film the transaction

Subtle shoulder surfing attack

Cisco TACACS+

TCP Port 49

DNS (Domain Name System)

The Internet's system for converting alphabetic names into numeric IP addresses.

TFTP (Trivial File Transfer Protocol)

The UDP version of a file transfer; not as secure as the files are transferred

if two companies rented offices on the same floor of a building, what could the building admin implement to isolate them from each other

The building admin would normally have companies located in the same physical location connected to the switches. They could provide departmental isolation by using VLANs

What type of file is created when your computer suffers a blue screen of death

The contents of memory are saved in a dump file and this can be used to investigate the event

Say I use the nbtstat -an command and the output shows me the following: IAN <00> IAN <20> What naming convention is used and what format is being shown

The format is NETBIOS, where the name is up to 15 characters long with a service identifier. In this example, the host is called Ian; <00> indicates the workstation service and <20> indicates the server service

If a process does not suffer buffer overflow, but fails within a specified period of time and this causes the process to fail, what method am i using

The real time operating system (RTOS) process data as it comes in without any buffer delays. The process will fail if it is not carried out within a certain period of time

SYN Packet

The sending host informs the receiving host of the number of its next packet

what is the purpose of STP

The spanning tree protocol prevents switches from looping, which slows the switch down

What is the perfect way to set up error handling in an IT system

The user to get generic information but for the log files to include a full description of the error

Why would an auditor look for single items that could cause the failure of whole computer systems

They are measuring BIA as the most important factor to avoid is a single point of failure

If a company suffered a data breach, what would be the impact if one of their customers suffered identity fraud

They are most likely going to be sued by the customer

What should the help desk do when an incident has just been reported?

They identify the incident response plan required and the key personnel that need to be notified

How does an attacker use a malicious USB drive

They leave it inside a company where it can be found. There is only one shortcut, so when the finder puts it into a computer to try and find the owner, they click on the only visible file and get infected. The attacker can now control the computer

How does an invoice attack work

They obtain a legitimate invoice and sends the company reminders that it needs to be paid, but they substitute the bank details with their own

What is the motivation of script kiddie

They want to be on national news and TV as they seek fame

When a developer wants to analyze code when it is running, what type of code analyzer will they use

They will use dynamic code analysis so they can use fuzzing to test the code

Why would you use STIX/TAXII

They work together so that Cyber Threat Intelligence can be distributed over HTTP

What do hackers that use tools from the dark web use to remain anonymous

They would use Tor software, The Onion Router, which has thousands of relays to prevent detection

What is the most secure version of wireless

This is WAP3 as it has AES encryption up to 256 bit, whereas WPA2 only uses 128 bit encryption

Why would someone use the website www.virustotal.com

This is a code repository that holds info about malware signatures and code

Your company has carried out a tabletop exercise followed by a walk through. What type of plan has just been carried out

This is an example of a functional recovery plan

If someone brought their own laptop to be used at work, apart from an on-boarding policy, what other policy should be introduced?

This is called BYOD and this is covered by two policies: the onboarding policy and the Acceptable Use Policy. The AUP lays out how the laptop can be used

open source intelligence

This is legal intelligence that is obtained from the public domain

What is the purpose of Capture the Flag exercises

This is training for both red and blue teams where they capture a flag when they achieve each level of training. When they have completed all levels they are fit to become full blown red or blue team members.

What is load balancing persistence or affinity

This is where the host is sent to the same server for the session

What happens during the containment phase of the disaster recovery process

This is where we isolate or quarantine an infected machine

What happens during the recovery phase of the disaster recovery phase

This is where we put infected machines back online, restore data or reimage desktops

What happens during the eradication phase of the disaster recovery process

This is where we remove malware and turn off services that we do not need

What is IP theft?

This is where your intellectual property has been stolen, like copyright

What mode is an L2TP/IPSec VPN if it encrypts both the header and the payload

This would be IPSec in tunnel mode and would be used externally

What type of hacker might participate in a bug bounty program

This would be a gray hat hacker as he is provided with limited info

What is the purpose of mandatory vacations

To ensure that an employee takes at least five days of holiday and someone provides cover for them; this also ensures that fraud or theft can be detected.

What is certificate pinning used for

To prevent a CA from being compromised and fraudulent certificates being issued

Why should you place your first WAP on channel 1, your second WAP on channel 11 and your third on channel 6

To prevent interference by overlapping the wireless channels

What is the purpose of using SE Android

To segment business data and prevent application outside of the Knox container from accessing resources inside the container

Which protocol protects data in transit

Transport Layer Security (TLS)

What can be installed on a node of a SAN to provide redundancy

Two Host Bus Adaptors on each node will give two separate paths to them

If i misspell a website but I still get there, what type of attack is this

Typosquatting

What is needed for a secure boot - UEFI or BIOS

UEFI is a modern version of BIOS and is needed for secure boot

COPOA

UK law to seek data stored overseas and give their law enforcement faster access to evidence held by providers

The CLOUD Act

US law so that they could obtain evidence from other countries for the purpose of FBI

Name three different categories of incident

Unauthorized access, loss of computers or data, loss of availability, malware attack, DDoS attack, power failure, Natural Disasters, Cybersecurity incidents

What is the firewall that does content filtering, URL filtering, and malware inspection

Unified Threat Management provides value for money

What is a UAV? Give two examples.

Unmanned aerial vehicles are drones or small model aircraft that can be sent to areas where manned aircraft cannot go. They can be fitted with a camera to record events or take aerial phots; ex. determine the spread of forest fire

What three things should I do to protect the data stored on my smartphone

Use screen logs, strong passwords, and use FDE to protect the data at rest

If I am an Android developer, what can I obtain from the internet to help me make an application and get it to market quickly?

Using a third party library will help a developer obtain code from the internet to help make an application and get it to market quickly. There are many for Android and Javascript

How can I prevent an attack by a rogue WAP

Using an 802.1x authentication switch can prevent an attack by a rogue WAP, as the device needs to authenticate itself to attach to the switch.

What type of authentication is the most prone to errors

Using passwords for authentication is more prone to errors as certs and smart cards dont tend to have many errors

How can I prevent a SQL injection attack other than input validation

Using stored procedures

Give an example of embedded systems that can be used with vehicles

Vehicles that are either self parking or self driving

What two groups of ppl might use a guest wireless network

Visitors and employees on their lunch breaks

What is the weakest version of wireless encryption

WEP bc it only has 40 bit encryption

What is the most secure version of WPA2

WPA2-CCMP as it uses AES encryption that is 128 bits

If a friend comes to visit me in my house and asks for the wireless password, what am I giving them

We are giving them the Pre-Shared Key (PSK)

What is the purpose of secure cookies

We can set the secure flag on a website to ensure that cookies are only downloaded when there is a secure HTTPS session

What is the purpose of risk avoidance

When a risk is deemed too dangerous or high risk and could end in loss of life or financial loss, we would treat the risk with risk avoidance and avoid the activity

What is the purpose of the security team controlling the HVAC in a data center

When a security team controls the HVAC in a data center, they can ensure that the temp is regulated and the servers remain available. They also know which rooms are occupied based on the use of air conditioning and electricity

What is the authentication protocol that uses tickets and prevents replay attacks

When using Kerberos authentication, a TGT session is established, where the user obtains an encrypted ticket. Kerberos uses USN and timestamps to prevent replay attacks.

ZRS

Where 3 copies of the data are replicated to three separate zones within your region

Cleanup phase

Where the systems are returned back to the original state

How do I access a wireless network if I use WPS and what type of attack is it vulnerable against

With WPS, you push the button to connect to the wireless network, it is susceptible to a brute force attack as it has a password stored on a device

What is a certificate known as:

X509 Certificate

What does a CA sign

X509 certificates

What type of attack uses HTML tags with JavaScript

XSS uses HTML tags with JavaScript.

How can i tell whether my laptop fails to get an IP address from a DHCP server

You cannot get an IP address from a DHCP server, you would receive a 169.254.x.x IP address. This is known as APIPA. This could be caused by network connectivity or resource exhaustion

How can we keep company data separate from personal data on a cell phone that is being used as a BYOD device so that offboarding is easy to achieve

You could segment the data using storage segmentation or containerization

If I am staying in a hotel and their wifi is not working, how can i get access to the internet

You could use your phone as a hotspot

How can i prevent someone from accessing a medical centers network by plugging their laptop into a port in the waiting room

You should enable port security, where you turn the port off the switch. This will prevent further use of the wall jack

If my cell phone has been lost or stolen, what should be done using MDM

You should remote wipe it

How can i prevent someone from plugging a rogue access point to my network

You would enable 802.1x on the switch itself. 802.1x ensures that the device is authenticated before being able to use the port

What type of exploit has no patches and cannot be detected by NIDS or NIPS

Zero-day virus

hybrid cloud

a computer is using a mixture of on-prem and the cloud

DNS Server

a computer or a group of computers that maintain a database to enable a computer to know the IP address of a URL

what is an air gap

a computer or device has no physical connections such as wifi or ethernet cable

what does a PGP use

a trust model known as a web of trust

What is an evil twin?

a wireless access point with the same SSID as the legitimate access point

how to prevent brute force attacks

account lockdown with low value

what are corrective controls?

actions you take to recover from an incident

What are the four key elements of the Diamond Model of Intrusion Analysis framework

adversary, capabilities, infrastructure, and victims

FAR

allows unauthorized user access

Elasticity

allows you to increase and decrease cloud resources as you need them

What happens in the IKE phase of a VPN session?

an IPSec session, Diffie Hellman using UDP Port 500 sets up a secure session before the data is transferred.

privilege account

an account with administrative rights

What is social engineering

an attack in which the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information such as passwords

password vault

application that stores passwords using AES-256 encryption and it is only as secure as the master key

what is stage C of cloud forensic process

ascertain the type of tech behind the cloud

Dynamic KBA

asks you details about your account that are not previously stored questions

DH

asymmetric technique that creates a secure tunnel

account recertification

audit of user accounts and permissions that is usually carried out by an auditor

federated services

authentication method that can be used by two third parties; it uses SAML and extended attributes

When can I use curl or nmap

banner grabbing

Name two tools that can be used for key stretching

bcrypt and PBKDF2

Two key stretching algorithms

brypt and PBKDF2

when would you use a public CA

business to business activities

SIEM System

carry out activity monitoring and notify the administrative of any changes to user accounts

Name three types of mobile device connection methods

cellular, wireless, bluetooth

Unified Threat Management (UTM)

comprehensive security management tool that combines multiple security tools, including firewalls, virtual private networks, intrusion detection systems, and web content filtering and anti-spam software

VPN solution

creates secure connection from remote location to your corporate network

What are the four stages of the information life cycle

creation, use, retention, and disposal

What tools can I use as a sandbox to analyze files for malware

cuckoo

SaaS (Software as a Service)

customer application written by a vendor and you cannot migrate it

researching an incident requires what?

detective controls where all of the evidence is gathered

what do you do when when somebody leaves the company

disable their account and reset the password

How can an attacker find the DNS records from your domain

dnsenum tool

data at rest on usb flash drive

done via full disk encryption

AES-256

encrypt a military mobile telephone

what is ECC used for

encrypt data on a smartphone as it is small and fast and uses the DH handshake

symmetric encryption

encrypt large amounts of data as it uses one key

streams

encrypt one bit at a time

CASB

ensures policies between on-prem and cloud are enforced

Salting a password

ensures that duplicate passwords are never stored and makes things more difficult for attacks by increasing the key size

perfect forward secrecy

ensures that there is no link bw the servers private key and the session key. if vpn servers key is compromised, it cannot decrypt the session

Hashing

ensures the integrity of data; sha-1 and md5

session key

ensures the security of communications bw a computer and a server or a computer and another computer

DHE and ECDHE

ephemeral keys that are short lived, one time keys

What types of disks does a SAN use

fast disks, such as SSDs

Where will a diskless virtual host access its storage?

from an SAN

Diskless virtual host

get its disk space from an SAN

Credential vulnerability

has the most permissions; has the ability to audit, scan documents, check account information, check certificates, provide accurate information

What provides data integrity where it is measured before and after accessing the data

hashing

If i want to find out what attack methods a potential hacker is using, what do i need to set up

honeypot

two types of name resolution

hostname revolution = most common NETBIOS = legacy name resolution that is rarely used

What is an example of cloud storage available to a personal user

iCloud, google drive, microsoft, onedrive, or dropbox

What type of attack could involve dressing up as a police officer

impersonation attack

Name three different roles required to deal with an incident

incident response manager: a top level manager takes charge security analyst: provides tech support for the incident IT auditor: checks that the company is compliant Risk analyst: Evaluates all aspects of risk HR: Sometimes, employees are involved in the incident Legal: Gives advice and makes decisions on legal issues public relations: Deals with the press to reduce the impact on the companys reputation

LDAP (Lightweight Directory Access Protocol)

insecure version that creates, stores, manages objects in directory services

what is the best way to control entry into a data center

install a mantrap

Infrastructure as a Service (IaaS)

install the operating systems and patch the machines. The CSP provides bare-metal computers

fog computing

intermediary between the device and the cloud; allows data to be processed closer to the device; reduces latency and cost

what is the purpose of the VPN concentrator

is to set up the secure session for a VPN.

Why are the roles and responsibilities of the IRP team important

it can make them more effective when a disaster happens

what does a CA have

it has a root certificate, which it uses to sign keys

What is the defense in depth model

it has multiple layers to protect data and resources

hash

it is one way and cannot be reversed

where do you store CA when not in use

keep it offline when it is not in use

first stage in encryption

key exchange

What is the last phase of the incident response process

lessons learned where we review why the incident was successful

rainbow tables

list of precomputed words showing their hash values. you will get rainbow tables for md5 and different rainbow tables for sha-1

obfuscation

make the source code look obscure so that if it is stolen, it cannot be understood. it masks the data and could use either XOR or ROT13 to obscure the data

POODLE

man in the middle attack on a downgraded SSL 3.0

what are the three control categories

managerial, operational, and physical

collision attack

match two hash values to obtain a password

Diameter

more modern server form of RADIUS that is TCP based and uses EAP

public cloud

multi tenant

smart card

multi-factor as the card is something you have, and inserting it into a card reader is something you do, and the PIN is something you know

CBC

needs all of the blocks of data to decrypt the data

certificate signing request

new certificate request

password history

number of passwords you can use before you can reuse your current password

HOTP

one time password that does not expire until it is used

Kerberos authentication protocol

only one that uses tickets; uses timestamps/updated sequence numbers to prevent replay attacks; does not use NLTM to prevent pass the hash attacks

examples of single-factor

password, pin, date of birth

community cloud

people from the same industry, such as a group of lawyers, design and share the cost of a bespoke application and its hosting, making it cost effective

encryption

plain text is taken and turned into a ciphertext

IEE802.1x

port based authentication that authenticates users and devices

What is the first phase of the incident response process and what happens there

preparation phase where the plan is already written in advance of any attack

DLP

prevents sensitive or PII information from being emailed out of a company or being stolen

What is least privilege

process of giving an employee the minimal permissions to perform their job

Ticket-Granting Ticket (TGT)

process where user logs in to a AD domain using kerberos authentication and receives a service ticket

data at rest

protected by FDE; stored on a database in background server so it needs database encryption

data in use

protected by full memory encryption

digital signature

provides both integrity and non-repudiation

FRR

rejects authorized user access

CSP

responsible for the hardware fails

key stretching

salts the password being stored so that duplicate passwords are never stored, and it also increases the length of keys the make things harder for brute force attack

data in transit

secured by using TLS, HTTPS, or L2TP/IPSec Tunnel

time-based one-time password (TOTP)

short life span of 30-60 seconds

CAC

similar to a smart card as it uses certificates, but it is used by the military and has a picture and the details of the user on the front, as well as their blood group and geneva convention category on the reverse side

code signing software

similar to hashing the software and ensuring the integrity of the software

private cloud

single tenet setup where you own the hardware

shibboleth

small, open source federation services protocol

What are used in conjunction with PIN

smart card, CAC card, or PIV card

What is the fastest backup solution

snapshot

What type of attack is it if a fireman arrives and then you let them into a server room to put out a fire

social engineering urgency attack

White box tester can access what

source code

key escrow

stores and manages private keys for third parties

AES

strongest encryption for L2TP/IPSec VPN tunnel

block ciphers

take blocks of data; will be used for large amounts of data

what does an architect build

the CA or intermediary authorities

distributive allocation

the load is spread evenly across a number of resources, ensuring no one resource is over utilized. ex. load balancer

major benefit of public cloud

there is no capital expenditure

what does a data owner do (dac)

they decide who has access to data

what does the data administrator do (mac)

they grant access to data

What does a data custodian do (mac)

they store and manage data

What is the most likely way an attack would gain control of an MFP

through its network interface

What is the purpose of MAC filtering

to allow or deny a connection based on the client's Media Access Control (MAC) address.

why are firewall rules designed

to mitigate risk and they are technical controls

how many accounts should system administrator have

two

What is a bridge trust model

two separate PKI entities want to set up cross-certification, the root CAs would set up a trust model between themselves

service account

type of administrative account that allows apps to have a higher level of privileges to run on desktop/server.

Certificate Authority

ultimate authority as it holds the master key (root key)

complex password uses three what

uppercase, lowercase, and non programming special characters

extended validation

used by financial institutions as it provides a much higher level of trust for X509; url background turns green

Hardware Security Module (HSM)

used by the key escrow as it securely stores and manages certificates

Subject Alternative Name (SAN)

used on multiple domains

wildcard certificate

used on multiple servers in same domain

Steganography

used to conceal data

Certificate Revocation List

used to determine whether a certificate is valid

encryption is used for what

used to protect data so that it cannot be reviewed or accessed

credential manager

used to store generic and windows 10 accounts. the user therefore does not have to remember the account details

Lightweight Directory Access Protocol (LDAP)

used to store objects in X500 format and search AD objects such as users, printers, groups, or computers

PAP authentication

uses a password in clear text; captured easily by a packet sniffer

What type of attack can include leaving a voicemail

vishing attack

DES

weakest encryption for L2TP/IPSec VPN tunnel

Certificate Stapling

where a web server uses an OCSP for faster certificate authentication, bypassing the CRL

What is rule-based access control

where the access is applied to the whole department

availability

where the data is available

Confidentiality

where the data is encrypted; preventing other people from viewing the data

integrity

where the data uses hashes

What benefit does WPA3 bring to IoT devices

wifi Easy Connect makes it very easy to connect IoT devices such as a smartphone by simply using a QR code

When using WPA3 wireless, what replaces WPA2-Open Authentication

wifi enhanced open is the WPA3 equivalent of Open Systems Authentication; it does not use a password and prevents easedropping

How close does an attacker need to be for an NFC attack

within 4 cm of a card

If a company has suffered several threats of company laptops, what could you use to prevent further threats

you could tag the laptops and set up geofencing to prevent thefts. RFID is another option

on-prem

you own the building and work solely from there

biometric authentication

you use part of your body or voice for authentication