sy0 501 cram

Which of the following attacks uses a JavaScript image tag in an e-mail?

Cross-site scripting (XSS) can be initiated on web forms or through e-mail. It often uses JavaScript to accomplish its means. SQL injection is when code (SQL based) is inserted into forms or databases. Cross-site request forgery (XSRF) is when a user's browser sends unauthorized commands to a website, without the user's consent. Directory traversal is when an attacker attempts to gain access to higher directories in an OS. A null pointer dereference is a memory dereference that can result in a memory fault error

To mitigate risks when users access company e-mail with their smartphone, what security policy should be implemented?

A password should be set on the phone, and the phone should lock after a set period of time. When the user wants to use the phone again, the user should be prompted for a password. Disabling the data connection altogether would make access to e-mail impossible on the smartphone. Smartphone encryption of data is possible, but it could use a lot of processing power that may make it unfeasible.Whether the smartphone is used only for company use is up to the policies of the company

In an attempt to collect information about a user's activities, which of the following will be used by spyware?

A tracking cookie will be used, or misused, by spyware in an attempt to access a user's activities. Tracking cookies are also known as browser cookies or HTTP cookies, or simply cookies. Shopping carts take advantage of cookies to keep the shopping cart reliable

Which of the following is not an example of malicious software?

A web browser (for example, Internet Explorer) is the only one listed that is not an example of malicious software. Although a browser can be compromised in a variety of ways by malicious software, the application itself is not the malware.

Which of these is a true statement concerning active interception?

Active interception normally includes a computer placed between the sender and the receiver to capture information. All other statements concerning active interception are false. If a person overhears a conversation it can be considered eavesdropping. When a person looks through files it could be normal or malicious.When a person hardens an operating system, that person is making it more secure.We discuss these concepts as we progress through the book

What key combination should be used to close a pop-up window?

Alt+F4 is the key combination that is used to close an active window. Sometimes it is okay to click the X, but malware creators are getting smarter all the time; the X could be a ruse.

Which of the following will allow the triggering of a security alert because of a tracking cookie?

Anti-spyware can be used to trigger security alerts in case a user's web browser accesses a web page that includes a tracking cookie. Anti-spam software can possibly trigger alerts when an e-mail appears to be spam (or simply move it to a junk folder automatically). Firewalls can be configured to send alerts to security administrators, but usually they concern an IP address that attempted to gain access to the network

Which of the following concepts can ease administration but can be the victim of a malicious attack?

Backdoors were originally created to ease administration. However, attackers quickly found that they could use these backdoors for a malicious attack.

A smartphone has been lost. You need to ensure 100% that no data can be retrieved from it. What should you do?

If the device has been lost and you need to be 100% sure that data cannot be retrieved from it, then you should remotely sanitize (or remotely "wipe") the device.This removes all data to the point where it cannot be reconstructed by normal means.GPS tracking might find the device, but as time is spent tracking and acquiring the device, the data could be stolen. Encryption is a good idea, but over time encryption can be deciphered. Screen locks can be easily circumvented.

How can you train a user to easily determine whether a web page has a valid security certificate? (Select the best answer.)

In general, the user should click the padlock in the browser; this will show the certificate information. Often, the address bar will have different colors as the background; for example, green usually means that the certificate is valid, whereas red or pink indicates a problem. Or, you might have to click the name of the website listed in the address bar just before where it says HTTPS to find out the validity of the certificate. Contacting the webmaster and calling the ISP are time-consuming, not easily done, and not something that an end user should do. Although HTTPS:// can tell a person that the browser is now using Hypertext Transfer Protocol Secure, it does not necessarily determine whether the certificate is valid.

You check the application log of your web server and see that someone attempted unsuccessfully to enter the text below into an HTML form field. Which attack was attempted? test; etc/passwd

In this case a command was entered, and the attacker was attempting to gain access to the password file within the /etc directory. If the attacker tried to inject code, he would not use commands, but rather PHP, ASP, or another language. SQL injections are usually run on databases, not web servers' HTML forms. Buffer overflows have to do with memory and how applications utilize it

Which of the following is a common symptom of spyware?

Pop-up windows are common to spyware. The rest of the answers are more common symptoms of viruses.

Which protocol can be used to secure the e-mail login from an Outlook client using POP3 and SMTP?

SPA (Secure Password Authentication) is a Microsoft protocol used to authenticate e-mail clients. S/MIME and PGP can be used to secure the actual e-mail transmissions

When it comes to information security, what is the I in CIA?

The I in CIA stands for integrity. The acronym CIA stands for confidentiality,integrity, and availability. Accountability is also a core principle of information security.

Virtualized browsers can protect the OS that they are installed within from which of the following?

The beauty of a virtualized browser is that regardless of whether a virus or other malware damages it, the underlying operating system will remain unharmed. The virtual browser can be deleted and a new one can be created; or if the old virtual browser was backed up before the malware attack, it can be restored. This concept applies to entire virtual operating systems as well, if configured properly.

As part of your user awareness training, you recommend that users remove which of the following when they finish accessing the Internet?

The best answer is cookies, which can be used for authentication and session tracking and can be read as plain text. They can be used by spyware and can track people without their permission. It is also wise to delete temporary Internet files as opposed to temporary files

You are the network administrator for a small organization without much in the way of security policies. While analyzing your servers' performance you find various chain messages have been received by the company. Which type of security control should you implement to fix the problem?

The chain messages are e-mails (similar to the archaic chain letter) that are being spammed on the network. Therefore, anti-spam security controls need to be implemented. This would be a type of preventive control. Antivirus programs find and quarantine viruses, worms, and Trojans, but unless they are part of an AV suite of software, they will not check e-mail. Anti-spyware tools will attempt to prevent spyware from being installed on the computer. Host-based firewalls block attacks from coming through specific ports, but will not catch spam messages. However, a HIDS (host-based intrusion detection system) could possibly detect spam, and a HIPS (host-based intrusion prevention system) might even prevent or quarantine it.

Which of the following defines the difference between a Trojan horse and a worm?(Select the best answer.)

The primary difference between a Trojan horse and a worm is that worms will self-replicate without any user intervention; Trojan horses do not self-replicate.

Your manager wants you to implement a type of intrusion detection system (IDS) thatcan be matched to certain types of traffic patterns. What kind of IDS is this?

When using an IDS, particular types of traffic patterns refer to signature-based IDS.

Tom sends out many e-mails containing secure information to other companies. What concept should be implemented to prove that Tom did indeed send the e-mails?

You should use non-repudiation to prevent Tom from denying that he sent the e-mails.

Which type of attack uses more than one computer?

A DDoS, or distributed denial-of-service, attack uses multiple computers to make its attack, usually perpetuated on a server. None of the other answers use multiple computers.

You are tasked with implementing a solution that encrypts the CEO's laptop.However, you are not allowed to purchase additional hardware or software. Which of the following solutions should you implement?

A TPM, or trusted platform module, is a chip that resides on the motherboard of the laptop. It generates cryptographic keys that allow the entire disk to be encrypted,as in full disk encryption (FDE). Hardware security modules (HSMs) and USB encryption require additional hardware. A host-based intrusion detection system requires either additional software or hardware.

One of your co-workers complains of very slow system performance and says that a lot of antivirus messages are being displayed. The user admits to recently installing pirated software and downloading and installing an illegal keygen to activate the software. What type of malware has affected the user's computer?

A Trojan was probably installed (unknown to the user) as part of the keygen package. Illegal downloads often contain malware of this nature. At this point, the computer is compromised. Not only is it infected, but malicious individuals might be able to remotely access it.

Which of the following types of malware appears to the user as legitimate but actually enables unauthorized access to the user's computer?

A Trojan, or a Trojan horse, appears to be legitimate and looks like it'll perform desirable functions, but in reality is designed to enable unauthorized access to the user's computer

A group of compromised computers that have software installed by a worm or Trojan is known as which of the following?

A botnet is a group of compromised computers, usually working together, with malware that was installed by a worm or a Trojan horse. An individual computer within a botnet is referred to as a zombie (among other things). A virus is code that can infect a computer's files. A rootkit is a type of software designed to gain administrator-level access to a system.

An attacker takes advantage of a vulnerability in programming that allows the attacker to copy more than 16 bytes to a standard 16-byte variable. Which attack is being initiated?

A buffer overflow can be initiated when a string variable is not programmedcorrectly—for example, if the variable allows for more than the standard amount of bytes. Directory traversal is when an attacker uses commands and code to access unauthorized parent directories. Command injection is when commands and command syntax are entered into an application or OS. XSS or cross-site scripting is when code is injected into a website form to obtain information and unauthorized access. Zero day attacks are ones that are not known to hardware/software manufacturers when they are launched

An organization hires you to test an application that you have limited knowledge of.You are given a login to the application but do not have access to source code. What type of test are you running? test; etc/passwd

A gray-box test is when you are given limited information about the system you are testing. Black-box testers are not given logins, source code, or anything else,though they may know the functionality of the system. White-box testers are given logins, source code, documentation, and more. SDLC stands for software development life cycle, of which these types of tests are just a part

What is a malicious attack that executes at the same time every week?

A logic bomb is a malicious attack that executes at a specific time. Viruses normally execute when a user inadvertently runs them. Worms can self-replicate at will. Ransomware is a type of malware that restricts access to files (or entire systems) and demands a ransom be paid.

Which of the following should you implement to fix a single security issue on the computer?

A patch can fix a single security issue on a computer. A service pack addresses many issues and rewrites many files on a computer; it may be overkill to use a service pack when only a patch is necessary. Also, only older Windows operating systems (for example, Windows 7 and Windows Server 2008 R2 and previous) use service packs. You might obtain the patch from a support website. A baseline can measure a server or a network and obtain averages of usage.

Which of the following individuals uses code with little knowledge of how it works?

A script kiddie uses code and probably doesn't understand how it works and what the repercussions will be. Other actors such as hackers, hacktivists, insiders,and so on will usually have a higher level of sophistication when it comes to technology. An advanced persistent threat (APT) is a group of technical processes or the entity that implements those processes. An APT is just that—advanced—and is on the other side of the spectrum from the script kiddie.

When is a system completely secure?

A system can never truly be completely secure. The scales are always tipping back and forth; a hacker develops a way to break into a system, then an administrator finds a way to block that attack, and then the hacker looks for an alternative method.It goes on and on; be ready to wage the eternal battle!

Dan is a network administrator. One day he notices that his DHCP server is flooded with information. He analyzes it and finds that the information is coming from more than 50 computers on the network. Which of the following is the most likely reason?

A worm is most likely the reason that the server is being bombarded with information by the clients; perhaps it is perpetuated by a botnet. Because worms self-replicate, the damage can quickly become critical

You are developing a security plan for your organization. Which of the following is an example of a physical control?

An ID card is an example of a physical security control. Passwords and encryption are examples of technical controls. A disaster recovery plan (DRP) is anexample of an administrative control.

Which of the following types of viruses hides its code to mask itself?

An armored virus attempts to make disassembly difficult for an anti-virus software program. It thwarts attempts at code examination. Stealth viruses attempt to avoid detection by antivirus software altogether. Polymorphic viruses change every time they run. Worms are not viruses.

Which of the following does the A in CIA stand for when it comes to IT security?(Select the best answer.)

Availability is what the A in CIA stands for, as in "the availability of data."Together the acronym stands for confidentiality, integrity, and availability. Although accountability is important and is often included as a fourth component of the CIA triad, it is not the best answer. Assessment and auditing are both important concepts when checking for vulnerabilities and reviewing and logging, but they are not considered to be part of the CIA triad.

Which of the following would be considered detrimental effects of a virus hoax?(Select the two best answers.)

Because a virus can affect many users, technical support resources can beconsumed by an increase in user phone calls. This can be detrimental to the company because all companies have a limited number of technical support personnel.Another detrimental effect is that unwitting users may be tricked into changing some of their computer system configurations. The key term in the question is "virus hoax."The technical support team might also be inundated by support e-mails from users, but not to the point where the e-mail server capacity is consumed. If the e-mail server is consumed by message traffic, that would be a detrimental effect caused by the person who sent the virus and by the virus itself but not necessarily by the hoax.Although users may be at risk for identity theft, it is not one of the most detrimental effects of the virus hoax.

Which of the following are Bluetooth threats? (Select the two best answers.)

Bluesnarfing and bluejacking are the names of a couple of Bluetooth threats. Another attack could be aimed at a Bluetooth device's discovery mode. To date there is no such thing as blue bearding, and a distributed denial-of-service attack uses multiple computers to attack one host.

You have analyzed what you expect to be malicious code. The results show that JavaScript is being utilized to send random data to a separate service on the same computer. What attack has occurred?

Buffer overflows can be initiated by sending random data to other services on a computer. While JavaScript is commonly used in XSS attacks, it can also be used to create a buffer overflow. DoS stands for denial-of-service, which is when a computer sends many packets to a server or other important system in the hope of making that system fail. SQL and LDAP injection do not use JavaScript.

What are the two ways in which you can stop employees from using USB flashdrives? (Select the two best answers.)

By disabling all USB devices in the BIOS, a user cannot use his flashdrive. Also, the user cannot use the device if you disable the USB root hub within the operating system. RBAC, which stands for role-based access control, defines access to networks by the person's role in the organization (we will cover this more later in the book). MAC filtering is a method of filtering out computers when they attempt to access the network (using the MAC addresses of those computers).

Which of the following is an advantage of implementing individual file encryption on a hard drive that already uses whole disk encryption?

By implementing individual file encryption (such as EFS) on files that are stored on a disk encrypted with whole disk encryption, the files will remain encrypted(through EFS) even if they are copied to a separate drive that does not use whole disk encryption. However, running two types of encryption will usually increase processing overhead, not reduce it. NTFS permissions aren't relevant here; however,if files are copied to an external drive, those files by default lose their NTFS permissions and inherit new permissions from the parent folder on the new drive.We'll discuss NTFS permissions more in Chapter 11. We shouldn't call this double encryption—rather, the files are encrypted twice separately. The bit strength is not cumulative in this example, but there are two layers of encryption, which is an example of defense in depth and security layering

What are two ways to secure a Microsoft-based web browser? (Select the two best answers.)

By increasing the Internet zone security level to High, you employ the maximum safeguards for that zone. ActiveX controls can be used for malicious purposes; disabling them makes it so that they do not show up in the browser.Disabling a pop-up blocker and adding malicious sites to the Trusted Sites zone would make a Microsoft-based web browser (such as Internet Explorer) less secure

Virtualization technology is often implemented as operating systems and applications that run in software. Often, it is implemented as a virtual machine. Of the following, which can be a security benefit when using virtualization?

By using a virtual machine (which is one example of a virtual instance), any ill effects can be compartmentalized to that particular virtual machine, usually without any ill effects to the main operating system on the computer. Patching a computer does not automatically patch virtual machines existing on the computer. Other virtual machines can be compromised, especially if nothing is done about the problem.Finally, virtual machines can definitely be affected by hacking techniques. Be sure to secure them!

Whitelisting, blacklisting, and closing open relays are all mitigation techniques addressing what kind of threat?

Closing open relays, whitelisting, and blacklisting are all mitigation techniques that address spam. Spam e-mail is a serious problem for all companies and must be filtered as much as possible.

In information security, what are the three main goals? (Select the three bestanswers.)

Confidentiality, integrity, and availability (known as CIA, the CIA triad, and the security triangle) are the three main goals when it comes to information security. Another goal within information security is accountability.

Which of the following encompasses application patch management?

Configuration management encompasses application patch management and other ways of hardening an OS or application. Policy management is considered separate because it can be used to harden or soften a system; plus, it is best done at a server— affecting many systems at once. Fuzzing (or fuzz testing) is the act of providing random data to a computer program, testing it in an automated fashion. Virtualization is the term used to refer to any virtual computing platform.

What are two ways to secure the computer within the BIOS? (Select the two best answers.)

Configuring a supervisor password in the BIOS disallows any other user to enter the BIOS and make changes. Setting the hard drive first in the BIOS boot order disables any other devices from being booted off, including floppy drives,optical drives, and USB flash drives. BIOS shadowing doesn't have anything to do with computer security, and although flashing the BIOS may include some security updates, it's not the best answer.

You are the security administrator for your organization. You want to ensure the confidentiality of data on mobile devices. What is the best solution?

Device encryption is the best solution listed to protect the confidentiality of data.By encrypting the data, it makes it much more difficult for a malicious person tomake use of the data. Screen locks are a good idea but are much easier to get past than encryption. Antivirus software will not stop an attacker from getting to the data once the mobile device has been stolen. Remote sanitization (remote wipe) doesn't keep the data confidential; it removes it altogether! While this could be considered a type of confidentiality, it would only be so if a good backup plan was instituted.Regardless, the best answer with confidentiality in mind is encryption. For example,if the device was simply lost, and was later found, it could be reused (as long as it wasn't tampered with). But if the device was sanitized, it would have to be reloaded and reconfigured before being used again.

How do most network-based viruses spread?

E-mail is the number one reason why network-based viruses spread. All a person needs to do is double-click the attachment within the e-mail, and the virus will do its thing, which is most likely to spread through the user's address book. Removable media such as optical discs and USB flash drives can spread viruses but are not nearly as common as e-mail. A virus can also spread if it was incorporated into a link within an instant message, or as an attachment to the IM. This is definitely something to protect against, but not quite as common as e-mail-based viruses,especially in larger organizations' networks.

Which of the following is the greatest risk when it comes to removable storage?

For removable storage, the confidentiality of data is the greatest risk because removable storage can easily be removed from the building and shared with others.Although the other factors of the CIA triad are important, any theft of removable storage can destroy the confidentiality of data, and that makes it the greatest risk.

You have implemented a security technique where an automated system generates random input data to test an application. What have you put into practice

Fuzzing (or fuzz testing) is when a person, or more commonly an automated system, enters random data into a form or application in an effort to test it. XSRF(cross-site request forgery, also abbreviated as CSRF) is an exploit of a website where unauthorized commands are issued from a trusted user. Hardening is the act of securing an operating system or application. Input validation is when forms and other web pages are checked to make sure that they will filter inputted data properly, and is used in conjunction with fuzzing

Which of the following is a concern based on a user taking pictures with a smartphone?

Geotagging is a concern based on a user taking pictures with a mobile devicesuch as a smartphone. This is because the act of geotagging utilizes GPS, which can give away the location of the user. Application whitelisting is when there is an approved list of applications for use by mobile devices. Usually implemented as a policy, if the mobile device attempts to open an app that is not on the list, the process will fail, or the system will ask for proof of administrative identity. BYOD stands for bring your own device, a technological concept where organizations allow employees to bring their personal mobile devices to work and use them for work purposes. MDM stands for mobile device management, a system that enables a security administrator to configure, update, and secure multiple mobile devices from a central location

Heaps and stacks can be affected by which of the following attacks?

Heaps and stacks are data structures that can be affected by buffer overflows.Value types are stored in a stack, whereas reference types are stored in a heap. An ethical coder will try to keep these running efficiently. An unethical coder will attempt to use a buffer overflow to affect heaps and stacks, which in turn could affect the application in question or the operating system. The buffer overflow might be initiated by certain inputs and can be prevented by bounds checking

What are some of the drawbacks to using a HIDS instead of a NIDS on a server?(Select the two best answers.)

Host-based intrusion detection systems (HIDSs) run within the operating system of a computer. Because of this, they can slow a computer's performance. Most HIDS do not detect network attacks well (if at all). However, a HIDS can detect operating system attacks and will usually have a high level of detection for those attacks

During an audit of your servers, you have noticed that most servers have large amounts of free disk space and have low memory utilization. Which of the following statements will be correct if you migrate some of the servers to a virtual environment?

If you migrate some of these low-resource servers to a virtual environment (a very smart thing to do), you could end up spending more on licensing, but less on hardware, due to the very nature of virtualization. In fact, the goal is to have the gains of hardware savings outweigh the losses of licensing. Load balancing and clustering deals with an OS utilizing the hardware of multiple servers. This will not be the case when you go virtual, nor would it have been the case anyway, because clustering and load balancing is used in environments where the server is very resource-intensive. Baselining, unfortunately, will remain the same; you should analyze all of your servers regularly, whether they are physical or virtual. These particular servers should not encounter latency or lowered throughput because they are low-resource servers in the first place. If, however, you considered placing into a virtual environment a Windows Server that supports 5,000 users, you should definitely expect latency.

Which of the following best describes a protective countermeasure for SQL injection?

Input validation is extremely important when it comes to secure programming. To prevent SQL injection attacks, be sure that the developers have thoroughly tested theweb page by validating user input. An IDS can help to detect network attacks, but is not going to help prevent SQL injection. Eliminating XSS vulnerabilities might just happen to help with all types of code injection, but you can't be sure. You should validate inputs specifically for each attack. A firewall may stop some network-based attacks, but not coded attacks

To code applications in a secure manner, what is the best practice to use?

Input validation is the best practice to use when coding applications. This is important when creating web applications or web pages that require information to be inputted by the user.

What's the best way to prevent SQL injection attacks on web applications?

Input validation is the best way to prevent SQL injection attacks on web servers and database servers (or combinations of the two). Host-based firewalls aid in preventing network attacks but not necessarily coded attacks of this type. HTTPS pages initiate a secure transfer of data, but they don't necessarily lock out attackers who plan on using SQL injection. Updating the web server is a good idea, but will have little if any effect on the forms that are written by the web programmer

Which of the following types of scanners can locate a rootkit on a computer?

Malware scanners can locate rootkits and other types of malware. These types of scanners are often found in anti-malware software from manufacturers such as McAfee, Symantec, and so on. Adware scanners (often free) can scan for only adware. Always have some kind of anti-malware software running on live client computers

You are the security administrator for your organization and have just completed a routine server audit. You did not notice any abnormal activity. However, another network security analyst finds connections to unauthorized ports from outside the organization's network. Using security tools, the analyst finds hidden processes that are running on the server. Which of the following has most likely been installed on the server?

Most likely, a rootkit was installed. These can evade many routine scans, so there is no fault here. It's just that more in-depth analysis was required to find the rootkit.The hidden processes are the main indicator of the rootkit. Spam is simply harassment by e-mail (and other messaging systems), to put it nicely. Backdoors are programmed ways to bypass security of an operating system. A logic bomb is code that defines when a particular type of malware will execute. Ransomware is when a computer is operationally held hostage; files are not retrievable by the user (because they have been encrypted) until a ransom is paid. It's important to run in-depth scans periodically. They can be time consuming, but they can uncover many threats and vulnerabilities that would otherwise go unnoticed.

Which of the following is not an advantage of NTFS over FAT32?

NTFS and FAT32 support the same number of file formats, so this is not an advantage of NTFS. However, NTFS supports file encryption, larger file sizes, and larger volumes, making it more advantageous in general in comparison to FAT32, and is capable of higher levels of security, most especially down to the file level.

What is the best (most secure) file system to use in Windows?

NTFS is the most secure file system for use with today's Windows. FAT and FAT32 are older file systems, and DFS is the distributed file system used in more advanced networking.

Which of the following would most likely be considered for DLP?

Of the answers listed, the USB mass storage device would be the most likely asset to be considered for data loss prevention (DLP). It's the only device listed in the answers that should have any real organizational data! A proxy server temporarily caches such data as HTTP and FTP. A print server forwards printed documents to the correct printer (again the data is usually held temporarily). An application server contains programs, but usually doesn't store organizational data files. It's the devices and computers that store actual company data files that we are primarily concerned with

One of your users was not being careful when browsing the Internet. The user was redirected to a warez site where a number of pop-ups appeared. After clicking one pop-up by accident, a drive-by download of unwanted software occurred. What does the download most likely contain?

Of the answers listed, the download most likely contains spyware. It could contain other types of malware as well, such as viruses, Trojans, worms, and so on.The rest of the answers are types of network attacks and methods of accessing the computer to drop a malware payload. A DDoS is a distributed denial-of-service attack, which uses many computers to attack a single target. Smurf is an example of a DDoS. We'll talk more about these in Chapter 7. Backdoors are vulnerabilities in code that can allow a hacker (or even the programmer) administrative access to an operating system. Logic bombs are ways of delivering malware; they are based on timing.

In Windows, which of the following commands will not show the version number?

Of the answers listed, the only one that will not show the version number is wf.msc. That brings up the Windows Firewall with Advanced Security. All of theother answers will display the version number in Windows

Which of the following should occur first when developing software?

Of the listed answers, secure code review should happen first in the SDLC. Itshould be followed by fuzzing and penetration testing, in that order. Patch management is a recurring theme until the software meets the end of its life cycle

An administrator wants to reduce the size of the attack surface of a Windows Server.Which of the following is the best answer to accomplish this?

Often, operating system manufacturers such as Microsoft refer to the attack surface as all the services that run on the operating system. By conducting an analysis of which services are necessary and which are unnecessary, an administrator can find out which ones need to be disabled, thereby reducing the attack surface.Updates, service packs, antivirus software, and network intrusion detection systems(NIDSs) are good tools to use to secure an individual computer and the network but do not help to reduce the size of the attack surface of the operating system.

Which of the following is one example of verifying new software changes on a test system?

Patch management is an example of verifying any new changes in software on a test system (or live systems for that matter). Verifying the changes (testing) is the second step of the standard patch management strategy. Application hardening might include updating systems, patching them, and so on, but to be accurate, this question is looking for that particular second step of patch management. Virtualization is the creating of logical OS images within a working operating system. HIDS stands for host-based intrusion detection system, which attempts to detect malicious activity on a computer.

A smartphone is an easy target for theft. Which of the following are the best methods to protect the confidential data on the device? (Select the two best answers.)

Remote wipe and encryption are the best methods to protect a stolen device's confidential or sensitive information. GPS can help to locate a device, but it can also be a security vulnerability in general; this will depend on the scenario in which the mobile device is used. Passwords should never be e-mailed and should not be associated with e-mail. Tethering is when a mobile device is connected to another computer (usually via USB) so that the other computer can share Internet access, or other similar sharing functionality in one direction or the other. This is great as far as functionality goes, but more often than not can be a security vulnerability. Screen locks are a decent method of reducing the chance of login by the average person, but they are not much of a deterrent for the persistent attacker.

Where would you turn off file sharing in Windows?

The Network and Sharing Center is where you can disable file sharing in Windows. It can be accessed indirectly from the Control Panel as well. By disabling file sharing, you disallow any (normal) connections to data on the computer. This can be very useful for computers with confidential information, such as an executive's laptop or a developer's computer

Which of the following needs to be backed up on a domain controller to recover Active Directory?

The System State needs to be backed up on a domain controller to recover the Active Directory database in the future. The System State includes user data and system files but does not include the entire operating system. If a server fails, the operating system would have to be reinstalled, and then the System State would need to be restored.

You are attempting to establish host-based security for your organization's workstations. Which of the following is the best way to do this?

The best way to establish host-based security for your organization's workstations is to implement GPOs (Group Policy objects). When done properly from a server, this can harden the operating systems in your network, and you can do it from a central location without having to configure each computer locally. It is the only answer that deals with the client operating systems. The other answers deal with database and web servers, and firewalls that protect the entire network

What is the deadliest risk of a virtual computer?

The biggest risk of running a virtual computer is that it will go offline immediately if the server that it is housed on fails. All other virtual computers on that particular server will also go offline immediately.

A user complains that they were browsing the Internet when the computer started acting erratically and crashed. You reboot the computer and notice that performance is very slow. In addition, after running a netstat command you notice literally hundreds of outbound connections to various websites, many of which are well-known sites. Which of the following has happened?

The computer is probably now part of a botnet. The reason the system is running slowly is probably due to the fact that there are hundreds of outbound connections to various websites. This is a solid sign of a computer that has become part of a botnet.Spyware, viruses, and rootkits might make the computer run slowly, but they will not create hundreds of outbound connections

A customer's SD card uses FAT32 as its file system. What file system can you upgrade it to when using the convert command?

The convert command is used to upgrade FAT and FAT32 volumes to the more secure NTFS without loss of data. HPFS is the High Performance File System developed by IBM and is not used by Windows. ext4 is the fourth extended file system used by Linux. NFS is the Network File System, something you would see in a storage area network.

A user receives an e-mail but the e-mail client software says that the digital signature is invalid and the sender of the e-mail cannot be verified. The would-be recipient is concerned about which of the following concepts?

The recipient should be concerned about the integrity of the message. If the e-mail client application cannot verify the digital signature of the sender of the e-mail,then there is a chance that the e-mail either was intercepted or is coming from aseparate dangerous source. Remember, integrity means the reliability of the data, andwhether or not it has been modified or compromised by a third party before arrivingat its final destination.

You are the security administrator for a multimedia development company. Users are constantly searching the Internet for media, information, graphics, and so on. You receive complaints from several users about unwanted windows appearing on their displays. What should you do?

The windows that are being displayed are most likely pop-ups. Standard pop-up blockers will prevent most of these. Antivirus software of itself does not have pop-up blocking technology but might be combined in a suite of anti-malware software that does have pop-up blocking capability. Screensavers won't affect the users' web sessions. Host-based firewalls are a good idea and will prevent attacks, but since a firewall will allow the connections that users make to websites, it cannot stop pop-ups

Cloud environments often reuse the same physical hardware (such as hard drives)for multiple customers. These hard drives are used and reused when customer virtual machines are created and deleted over time. What security concern does this bring up implications for?

There is a concern about data confidentiality with cloud computing because multiple customers are sharing physical hard drive space. A good portion of customers run their cloud-based systems in virtual machines. Some virtual machines could run on the very same hard drive (or very same array of hard drives). If one of the customers had the notion, he could attempt to break through the barriers between virtual machines, which if not secured properly, would not be very difficult to do.

Your organization's servers and applications are being audited. One of the IT auditors tests an application as an authenticated user. Which of the following testing methods is being used?

This would be an example of gray-box testing. The IT auditor is not an employee of the company (which is often a requirement for white-box testing) but rather an outside consultant. Being an outside consultant, the IT auditor should not be given confidential details of the system to be tested. However, the auditor was given a real login, so the auditor cannot be employing black-box testing. Penetration testing might be occurring in this scenario as well—this is when an auditor, or other security expert, tests servers' network connections for vulnerabilities. But the scenario only states that the auditor is testing an application

Which option enables you to hide the bootmgr file?

To hide bootmgr, you either need to click the radio button for Don't Show Hidden Files, Folders, or Drives or enable the Hide Protected Operating System Files checkbox.

You oversee compliance with financial regulations for credit card transactions. You need to block out certain ports on the individual computers that do these transactions. What should you implement to best achieve your goal?

To meet regulations, a properly configured host-based firewall will be required on the computers that will be transacting business by credit card over the Internet.All of the other answers—antivirus updates, NIDS, and HIPS—are good ideas to secure the system (and/or network), but they do not address the core issue of filtering ports, which is the primary purpose of the firewall. Also, a network-based firewall will often not be secure enough to meet regulations, thus the need for the extra layer of protection on the individual computers

To protect against malicious attacks, what should you think like?

To protect against malicious attacks, think like a hacker. Then, protect and secure like a network security administrator.

Which statement best applies to the term Java applet?

To run Java applets, a web browser must have that option enabled. Java increases the usability of web-enabled systems, and Java is a programming language. It does not use digital signatures for authentication.

Which of the following should be implemented to harden an operating system?

Two ways to harden an operating system include installing the latest updates and installing Windows Defender. However, virtualization is a separate concept altogether; it can be used to create a compartmentalized OS, but needs to be secured and hardened just like any other OS. PHP scripts will generally not be used to harden an operating system. In fact, they can be vulnerabilities to websites and other applications.

You have been tasked with protecting an operating system from malicious software.What should you do? (Select the two best answers.)

Updating the host-based intrusion prevention system is important. Without the latest signatures, the HIPS will not be at its best when it comes to protecting against malware. Also, disabling unused services will reduce the attack surface of the OS, which in turn makes it more difficult for attacks to access the system and run malicious code. Disabling the data loss prevention (DLP) device would not aid the situation, and it would probably cause data leakage from the computer. Installing a perimeter firewall won't block malicious software from entering the individual computer. A personal firewall would better reduce the attack surface of the computer, but it is still not meant as an anti-malware tool. Updating the NIDS signatures will help the entire network, but might not help the individual computer. In this question,we want to focus in on the individual computer, not the network. In fact, given the scenario of the question, you do not even know if a network exists.

Eric wants to install an isolated operating system. What is the best tool to use?

Virtualization enables a person to install operating systems (or applications) in an isolated area of the computer's hard drive, separate from the computer's main operating system.

Which of the following is a security reason to implement virtualization in your network?

Virtualization of computer servers enables a network administrator to isolate the various network services and roles that a server may play. Analyzing network traffic would have to do more with assessing risk and vulnerability and monitoring and auditing. Adding network services at lower costs deals more with budgeting than with virtualization, although, virtualization can be less expensive. Centralizing patch management has to do with hardening the operating systems on the network scale

What is it known as when a web script runs in its own environment and does not interfere with other processes?

When a web script runs in its own environment for the express purpose of not interfering with other processes, it is known as running in a sandbox. Often, the sandbox will be used to create sample scripts before they are actually implemented.Quarantining is a method used to isolate viruses. A honey-net is a collection of servers used to attract attackers and isolate them in an area where they can do no damage. VPN is short for virtual private network, which enables the connection of two hosts from remote networks

Carl is the security administrator for a transportation company. Which of the following should he encrypt to protect the data on a smartphone? (Select the two best answers.)

When encrypting a smartphone, the security administrator should encrypt internal memory and any long-term storage such as removable media cards. The admin must remember that data can be stored on both. Public keys are already encrypted; it is part of their inherent nature. Smartphones don't necessarily use an MBR the way Windows computers do, but regardless, if the internal memory has been encrypted, any boot sector should be secured. Images based on steganography, by their very nature, are encrypted through obfuscation. It is different from typical data encryption, but it's a type of cryptography nonetheless.

Which type of malware does not require a user to execute a program to distribute the software?

Worms self-replicate and do not require a user to execute a program to distribute the software across networks. All the other answers do require user intervention.Stealth refers to a type of virus.

Many third-party programs have security settings disabled by default. What should you as the security administrator do before deploying new software

You should employ application hardening. This means updating the application,configuring strong passwords, applying policies if necessary, and in general,configuring the settings of the application securely. Network penetration testing is when a group of tools is used to see if a host has open ports or other vulnerabilities.Input validation is when the code of a form is checked to make sure it filters user input correctly. Application white listing is when only specific applications are allowed to be run, usually enforced by computer policy.

You have been given the task of scanning for viruses on a PC. What is the best of the following methods?

You should use a recovery environment. Most often, this would be the one built into Windows. Many manufacturers suggest using this, and more specifically SafeMode. However, it could also be a Linux rescue disc or flash drive. That's not a true dual-boot though. An actual dual-boot is when Windows and Linux are both installed to the hard drive. Command Prompt only is not enough, nor is it necessary for some virus scanning scenarios. Booting into Windows normally is tantamount to doing nothing. Remember to use a recovery environment when scanning for viruses.

Which of the following computer security threats can be updated automatically and remotely? (Select the best answer.)

Zombies (also known as zombie computers) are systems that have been compromised without the knowledge of the owner. A prerequisite is the computer must be connected to the Internet so that the hacker or malicious attack can make its way to the computer and be controlled remotely. Multiple zombies working in concert often form a botnet.