Systems and Application Security


You just received an e-mail from someone stating he has managed to access all your files and get screenshots from your camera. Which of the following is the attacker most likely using? A. RAT B. Trojan horse C. Ransomware D. Keylogger

A. A RAT (remote access Trojan) can give an attacker full control of a target machine, including the ability to record keystrokes, access all files, use the camera to take screenshots, and install files.

A friend of yours had her mobile phone stolen. Which of these actions would you recommend next? A. Remote wipe B. Remote lock C. MDM D. Encrypt the phone

A. If a phone is stolen, you can report the theft to the police. However, if there's no immediate threat to human life, the odds of someone recovering that phone are very slim, unless the perpetrator is caught and the phone has not yet been sold to another party. When a device is stolen, it is more crucial to protect the data present on the owner's phone (e.g., stored credit cards) than hope to recover the device. Commonly, the best course of action would be to remotely wipe all data on the phone so that no third party can use it without the owner's knowledge.

Which of these types of hardware would most commonly be virtualized to ensure the business reduces the related cost of physical equipment? A. Server B. Firewall C. Router D. VLAN

A. Most companies have multiple servers within their environment in order to support a variety of tasks, like e-mail, DHCP, Active Directory, FTP, database, web, authentication, and licensing. Due to the cost of those devices and the effort required to maintain them, they tend to be virtualized quite often, as that significantly limits the associated cost and at the same time makes administration and troubleshooting easier. It also offers smaller downtimes because if a virtual server is damaged, it can be reconstituted from an image in a relatively short time. Whereas if a physical machine is experiencing issues, a technician would need to go to the data center to troubleshoot and possibly replace faulty hardware, which can take several hours at best.

Which of the following provides the least benefit against phishing e-mails? A. Install spam filters on all web servers. B. Users shouldn't open unsolicited e-mail attachments. C. Scan all e-mails for viruses. D. Maintain phishing campaign awareness.

A. No e-mail accounts would be configured on a web server because that device should only be serving client web requests. Hence, there's no real benefit of having spam filters installed on it.

A newly formed company wants to use cloud computing in order to save budget on hardware and administration. Which of the following responsibility models would be most appropriate for that purpose? A. PaaS B. Private cloud C. Public cloud D. IaaS

A. The only two responsibility-related models that are mentioned as possible answers are PaaS and IaaS. The question mentions that the company is newly formed and needs to reserve hardware and administration budget, hence it would make sense to choose the model that would offload as many functions as possible to the cloud provider, which is PaaS (Platform as a Service). In PaaS, the cloud provider would be tasked with providing the necessary hardware, OS, and associated applications.

Which of these types of attackers would most likely create and use a zero-day exploit? A. APT B. Insider threat C. Script kiddie D. Social engineering

A. The term APT (advanced persistent threat) refers to individuals or, most commonly, groups of attackers who aim to compromise target networks or devices and stay undetected for long periods while maintaining persistence. They are usually politically motivated and often use very sophisticated attack mechanisms, including zero-day exploits, as they possess the manpower and technical skillset to create them.

How can you best protect against VM escape? A. Patch the hypervisor software. B. Patch the guest OS. C. Use a next-generation firewall on the host. D. Use a host antivirus.

A. VM escape is a type of exploit that can take place when an attacker manages to break out of the context of a virtual machine and interact directly with the host. This is made possible due to a potential vulnerability within the hypervisor (the software that provisions the guest OS and controls how that interacts with the host). In order to ensure the risk is mitigated as much as possible, the hypervisor should always run the most up-to-date versions with the latest patches so that attackers can't use any known exploits to perform VM escape.

Which of these terms is unrelated to virtualization? A. Host B. VPN C. Hypervisor D. Guest

B. A VPN (virtual private network) uses the word "virtual" in its title but has nothing to do with virtualization (i.e., using a virtual server). A VPN facilitates the creation of a secure connection over an insecure network (i.e., the Internet). It is called "virtual," as there's no actual physical tunnel between two remote ends, but because of the VPN's operation (providing enhanced security with encryption support), it's like building an isolated path between those devices for the duration of the session.

A pharmaceutical company was made aware that a competitor is developing a new drug that will result in massive business loss. The lead scientist requires in-depth information about this drug and wants to identify someone who can covertly obtain data from the competitor. Which of these attackers would most likely be able to perform this task? A. Script kiddie B. Commercial hacker C. Hacktivist D. Nation-state actor

B. A commercial hacker is someone who is usually hired to target a particular organization with a very distinct goal. Common goals include data theft, industrial espionage or sabotage, and data alteration or destruction.

Which of these attacks allows an attacker access to forbidden file system locations and often targets a system's password file? A. XSS B. Directory traversal C. Buffer overflow D. CSRF

B. A directory traversal attack is a type of web attack in which an attacker tries to reach parts of a web server's file system that should be off-limits. The attacker would most commonly target the password file so user credentials can be harvested, but the term is used to describe access to any directory where access is not allowed.

What is the best method to protect against shoulder surfing? A. Clean desktop B. Privacy filter C. User education D. Screensaver

B. A privacy filter (also known as a visual filter) can be quite effective against any shoulder surfing attack. When such a filter is used, the visible area of the screen is limited to only the person placed directly in front of the monitor. This can be extremely beneficial for people who travel a lot and tend to work in crowded places (e.g., train stations, buses, and airports).

If you want to ensure a system is protected against a user who might execute a malicious application from a USB disk, which of these scan types would you choose? A. On-demand B. Real-time C. Scheduled D. Signature-based

B. A real-time scan is appropriate for continuous system protection. The antivirus will be able to inspect any application that the user attempts to execute (including the ones run from external media, like portable applications) and constantly monitor activity for malicious indicators.

One of the employees at your company is accessing social media websites. As the information security officer, you have been tasked with forming an appropriate document that prohibits that behavior. Which of the following would be best for that purpose? A. Security policy B. AUP C. Allowed application policy D. Related guideline

B. An AUP (acceptable use policy) would be the most appropriate document to specify what actions are permitted or not allowed for corporate network users. An AUP document is something that all company employees have to adhere to. As such, including a statement about social media access not being allowed throughout the organization is something that all corporate employees will need to abide by.

Your company requires data to be labeled appropriately so it can be placed in different cloud servers, depending on its importance. How would you classify data relating to company employees? A. Confidential B. Private C. Sensitive D. Public

B. Any data relating to company staff would be classified as private since it's only intended to be used internally, and any intentional or unintentional release of the information would have a very negative impact on the company.

Which of these cloud operation models would be better for easy storage and access, for a European company that needs to be in full control of sensitive data as well as conform with GDPR? A. Public cloud B. Private cloud C. Community cloud D. Hybrid cloud

B. Since the company wants to maintain easy storage and access but also needs to conform with GDPR, the best option would be to use a private cloud. This will provide ease of storage (and associated administration) while the organization will have full control of all sensitive data, which will be residing in the company's private cloud instance. Of course, since GDPR conformity is a prerequisite, the instance can be located in any European company branch.

Which of these attacks would most probably be used by a remote attacker who wants to steal sensitive files from a CEO's machine? A. XSS B. Trojan C. ARP spoofing D. SQL injection

B. There are various categories of Trojans, like downloaders (created for downloading additional malicious files to a target machine), remote access Trojans (aiming to provide the attacker full control of a machine), backdoor Trojans (which will create a backdoor to a system so the attacker can gain remote access), and infostealer Trojans (which perform information theft from the machine they infect). An infostealer Trojan would be the best option for an attacker who wants to acquire sensitive data from a CEO's machine.

A new company employee received an e-mail containing a Google Drive URL, which is supposedly used for exchanging data with the company's clients. When he tries to browse to it and log in, his browser presents him with a security warning stating that the connection to that site is not secure. Which term describes this attack more accurately? A. Pharming B. Phishing C. Social network attack D. Vishing

B. This is a typical example of a phishing e-mail being used to obtain user credentials. The employee received what was supposedly a standard e-mail invitation to the company's Google Drive location to which he would probably log in using his corporate credentials, thus passing that to an attacker. There are two things that companies need to address to avoid this. One thing is to ensure employees get adequate training to distinguish illegitimate e-mails, and the second thing is to be cognizant of security warnings. If one is not certain what the reason for the displayed message is, it's best to reach out to the IT team than to just proceed with the activity.

Which of the following can't be provided by a TPM? A. Boot protection B. Encryption key storage C. Remote wiping D. Device identification

C. A TPM (Trusted Platform Module) can't provide device remote wiping, which is a feature commonly supported by MDM (mobile device management) solutions.

Which of the following is not characteristic of a worm? A. Spreads over the network B. Consumes bandwidth C. Requires human intervention D. May bring a system to a halt

C. A worm doesn't require any human intervention in order to execute and propagate. It has the ability to self-replicate to other machines and infect multiple hosts within a network. Note that a virus requires human intervention in order to be able to run.

Which of the following exclusively refers to an illegal operation being present? A. Botnet B. Backdoor C. Adware D. None of the above

C. Adware displays advertisements about a variety of products. The author either gains money by individuals viewing the ads or by enticing people to click a link, box, banner, or other advertisement element. As such, it is never considered something that a user would authorize as being installed, especially since some adware applications are known to have keylogging and spyware capabilities.

You have submitted a suspicious file for analysis to an AV vendor, but they are experiencing difficulties in understanding the malware's operation. Based on this fact, what type of malware is most likely present? A. Polymorphic virus B. Worm C. Armored virus D. Boot sector virus

C. An armored virus is specifically developed to thwart reverse-engineering attempts. Common techniques include several layers of code obfuscation, use of encryption, and adding code sections that don't serve any real purpose but are just present to create confusion about what the real operation is.

Your company is mainly using Windows and Apple devices and has recently implemented spam filtering and web proxy filtering and installed endpoint antivirus software on all devices. Which of the following presents the greatest risk to the company? A. AV with no update for the last month B. Unpatched RHEL 6.0 OS C. Fully patched Windows Vista OS D. Phishing e-mails

C. Finding a machine running Windows Vista in a company actively using Windows presents a major risk, as that operating system's support ended in April 2017. That means that although it has been fully patched, no patches or security updates have been released from April 2017 onwards, leaving that host vulnerable to any exploits that have been released since then.

Which of the following would be most crucial to investigate and address as soon as possible when attempting to harden a corporate e-mail server that also acts as a DNS server? A. Open TCP port 53 B. OS license expiring soon C. Open TCP port 80 D. Open UDP port 161

C. Having TCP port 80 open indicates that there's possibly a web server running on the machine (assuming it's using the default port). However, this machine is classified as an e-mail and DNS server, not a web server, so there wouldn't be any reason for having TCP port 80 open. As such, this would need to be further investigated (possibly verify with the IT team if there's any reason for that port to be open) to ensure any risk is mitigated accordingly.

Which of the following statements regarding Java applets is incorrect? A. Require JRE to be present so they can run. B. They're commonly used in web applications. C. They execute at the server. D. Work on various operating systems.

C. Java applets are interactive components of a web page (i.e., buttons, text) that are executed on the client's web browser and use a VM (commonly known as JVM, or Java Virtual Machine) for execution. A typical example is capturing a user's mouse input so the program can manipulate it afterwards.

Your company is thinking of migrating to a cloud model for a variety of services. However, security is of paramount importance, so all responsibility for OS and application security should reside with your company. Which of these cloud models would be more suitable? A. PaaS B. SaaS C. IaaS D. DaaS

C. Since the company wants to remain responsible for its own security while using a cloud model of choice, the best option is to select a model in which the client has the greatest degree of control, which is IaaS (Infrastructure as a Service). In that model, the cloud provider is responsible for providing the hardware (e.g., servers, storage, networking) and the client is responsible for everything else (e.g., operating system and application installation and associated security).

Which of the following would provide an attacker with high-level system permissions and often appear as a legitimate process? A. Logic bomb B. Trojan horse C. Rootkit D. Macro virus

C. The term rootkit is used to describe any application that acquires elevated operating system access and tries to hide its presence by a variety of methods (e.g., injecting itself into benign processes, appearing as a valid system application or process, intercepting OS API calls, or hiding in unallocated space).

Which of these tasks would you avoid performing on a corporate host's virtual machine? A. Run another OS. B. Develop and test applications. C. Reverse-engineer malware. D. Host a file server.

C. Virtual machines can be used to perform a variety of tasks, and several individuals do use them for reverse engineering. However, that is not recommended to be performed on the corporate network. If you intend to use a virtual machine to analyze malware, that should be done in an air-gapped environment, with no possibility of communicating with the corporate network. Also, you need to consider the fact that some types of malware don't run in virtual environments, as they have the ability to detect them and stay dormant. Finally, another consideration would be to ensure your host system is adequately protected from common attacks and exploits (e.g., VM escape, insecure configuration of hypervisor and guest OS).

Your company wants to develop a new application that will be distributed in a preconfigured VM (containing the application running on a Linux OS). Which of these terms best describes this? A. Host B. Guest C. Virtual appliance D. Hypervisor

C. Your company aims to provide an easy way of delivering the application to its clients for use in a virtual environment. Hence, the application will be installed on a virtual machine running Linux, which will be ready for distribution to any client. That way, any client can obtain this preconfigured virtual machine, install it on their host operating system, and start using it. A virtual appliance is a VM with a preconfigured OS and one available application.

Which of the following provides hardware disk encryption and remote attestation? A. BYOD B. CYOD C. MDM D. TPM

D. A TPM (Trusted Platform Module) is a hardware module that provides hardware encryption to devices supporting it. It works by storing the cryptographic keys that the OS uses for data encryption and decryption. It also provides remote attestation, meaning it provides an authorized party (like an OS vendor) the ability to verify if any tampering has taken place on the machine.

In which of these categories would a penetration tester belong? A. White hacker B. Black hat C. Gray hat D. White hat

D. A penetration tester would be classified as a white hat, which is a term used to describe individuals who perform tests on systems to discover vulnerabilities and alert the system owners to mitigate any associated risks before attackers have a chance to exploit security gaps. Note that another term used is ethical hacker, and sometimes another term used for the process of penetration testing is ethical hacking.

Which of the following tries to disable or attack the AV software? A. Stealth virus B. Multipartite virus C. Polymorphic virus D. Retrovirus

D. A retrovirus is a type of virus that tries to attack a device's antivirus program. It may attempt to warn the victim that supposedly unsafe software has been found on the machine and then uninstall legitimate AV applications. Sometimes it has the ability to modify the virus signature database and corrupt or delete it altogether.

During a drive-by download attack, where would the attacker most likely host malware? A. Target machine B. Attacking machine C. Attacker's website D. Compromised third-party website

D. During a drive-by attack, an attacker will place malicious code that the victim needs to download and execute so an action takes place, for example, giving the attacker access to the victim's machine by opening a backdoor or making the target machine part of a botnet. The attacker will need to store the code somewhere that is easily accessible by a victim, so a common practice is to compromise third-party websites, store malicious code there, and then redirect an unsuspecting victim to download and execute it.

Which of these types of data residing in a cloud server would be protected by HIPAA? A. Patient first name B. Last four digits of patient credit card C. Patient year of birth D. Healthcare provider

D. HIPAA (Health Insurance Portability and Accountability Act) relates to protection of PHI (protected health information), which is any information about an individual's health care, status, or related treatment provisioning. As such, an individual's healthcare provider is classified as PHI and should remain securely protected under HIPAA.

A cloud service can be accessed through a variety of operating systems. Which cloud characteristic does that relate to? A. Measured service B. Resource pooling C. Elasticity D. Broad network access

D. Having the ability to access a cloud service from a variety of operating systems is known as broad network access. Usually, this feature uses two main methods. One is making an application available via a web browser, which is seamless to any operating system being used, as the application runs over the client's web browser. Another method is to allow a user to download the related software locally to a machine. But most cloud providers that use this feature make clients available for a variety of platforms, like UNIX, Linux, Windows, Android, and macOS.

You browse to a website and receive a pop-up message stating your computer is vulnerable and in immediate need of a missing patch. Which of the following might be present on that website? A. PUA B. Spyware C. Virus D. Scareware

D. Scareware is a type of malware that prompts the user to install some type of security application, trying to entice an individual who visits a website where scareware is hosted by stating there's a missing update or patch or no antivirus present on the victim's machine. As soon as someone downloads and installs the application in question, various malicious tasks may start to take place, depending on what the goal of the scareware is (e.g., join the machine to a botnet or steal credentials).

Which of the following is the best option to ensure secure deletion of data stored on a public cloud? A. Use specialized software. B. Ask cloud provider to provide the hard disk. C. Use cloud provider's tool to securely delete data. D. Encrypt data prior to uploading and delete when no longer needed.

D. Since the data is stored on a public cloud, it is very difficult to be certain it has been fully removed since the hard disk is owned by a public cloud provider. As such, the best option is to ensure data is encrypted before being uploaded, using a strong encryption algorithm. Even if your attempt to remove it from the public cloud results in some being left behind, it will still be encrypted and won't be easily usable by any third party managing to get a copy of it.

Which of the following would prevent a zero-day exploit from running on your server? A. Signature-based AV B. Behavioral-based AV C. Network IPS D. None of the above

D. The key takeaway from this question is that no security tool can guarantee prevention of a zero-day exploit. The challenge with those types of exploits is that they are, by definition, new to the security vendor, and the vendor's product is vulnerable to the related exploit. As such, none of the options are guaranteed to prevent a zero-day exploit.

Which of these statements regarding virtualization is inaccurate? A. Improved elasticity B. Easier migration C. Better resource management D. Less robust system restoration

D. Using a virtual machine offers more robust restoration (not less). That's because the process of restoring the virtual machine when something happens is very straightforward, since a previous snapshot can be used for restoration. Even if a machine goes down and needs to be rebuilt, that can be a matter of minutes or perhaps a few hours, while in the case of a physical server, it may even take days or at least several hours. That's especially true if a physical server malfunction requires a hardware replacement before restoration can start.
