Practice Questions


Gov contract requires your computers to adhere to MAC and multi level security. What should you do to remain compliant?

Use a trusted OS (a trusted OS uses a secured OS kernel that supports MAC)

Which cloud computing concept is BEST described as focusing on the replacement of applications and programs on a customer's workstation with cloud-based resources?

SAAS

Should you degauss or hard drive shred?

"Hard drive degaussing erases all of your information using a magnetic field but leaves small amounts of data behind. However, hard drive shredding completely destroys the drive and is considerably less expensive."

Separation of duties?

"it's a security principle that prevents any SINGLE person or entity from controlling ALL the functions of A CRITICAL or sensitive process"

Lisa needs to calculate the total ALE for a group of servers used in the network. During the past two years, five of the servers failed. The hardware cost to replace each server is $3,500, and the downtime has resulted in $2,500 of additional losses. What is the ALE? A. $7,000 B. $10,000 C. $15,000 D. $30,000

$15,000. SLE = $6k ($3,500 to repair/replace plus $2,500 for each outage). ARO = 2.5 (5 failures in 2 years, or 5/2). ALE = SLE × ARO = $6k × 2.5 = $15,000.

A security administrator is tasked with calculating the total ALE on servers. In a two year period of time, a company has to replace five servers. Each server replacement has cost the company $4,000 with downtime costing $3,000. Which of the following is the ALE for the company?

$17,500

RTO? RPO? MTTF? MTTR? MTBF?

RTO (Recovery Time Objective) is the expected maximum time you need to recover your IT infrastructure. RPO (Recovery Point Objective) is a measurement of the maximum amount of data you can afford to lose. MTTF (mean time to failure) is the average life of a non-repairable/expendable item (its availability). MTTR (mean time to repair) measures how long it will take to get a failed device running again. MTBF (mean time between failures) is the average time elapsed between failures of a repairable item (its reliability).

RAID 5?

-Disk striping with parity (fault tolerant). -A minimum of three striped disks is required, with one disk's worth of space used for parity information; however, the parity information is distributed across all the disks. -RAID-5 can recover from a single disk failure. -Great for an email archive.

What are the message digest algorithms?

-HMAC -RIPEMD Both hashing functions.

RAID 1?

-Mirroring: the same data is written to two disks so that the two disks hold identical data. -This is a fault-tolerant solution that halves the usable storage space. -A minimum of two disks is used in mirroring, and it does not use parity. -RAID-1 can be used where fault tolerance is required over performance. -Great for an authentication server.

RAID 6?

-Fault-tolerant solution that uses dual parity and striping. -A minimum of four disks is required for RAID-6. Dual parity allows RAID-6 to recover from the simultaneous failure of up to two disks. Critical data should be stored on a RAID-6 system.

A forensic investigator has run into difficulty recovering usable files from a SAN drive. Which of the following SAN features might have caused the problem?

Deduplication essentially removes redundant copies of data to improve storage efficiency. So you might have saved a file 2 that is essentially the same as file 1; file 2 is not stored separately and therefore cannot be recovered on its own, even though it was a usable file.

Issues of Symmetric Encryption?

1) It is really only good for confidentiality. 2) Symmetric encryption creates challenges in distributing a single shared key. 3) It does not scale well.

RADIUS uses ports...

1812 is for authentication, and port 1813 for accounting. In this scenario they are using RADIUS for accounting, therefore it is port 1813.

"Authentication through EAP-TLS certificates" indicates ...

802.1X. "A large-scale wireless network", "use of an AAA server (= RADIUS)", and "use of the most secure encryption protocol" indicate WPA2-Enterprise; WPA2-PSK does not require a RADIUS server.

A company researched the root cause of a recent vulnerability in its software. It was determined that the vulnerability was the result of two updates made in the last release. Each update alone would not have resulted in the vulnerability. In order to prevent similar situations in the future, the company should improve which of the following? A. Change management procedures B. Job rotation policies C. Incident response management D. Least privilege access controls

A

A web developer improves client access to the company's REST API. Authentication needs to be tokenized but not expose the client's password. Which of the following methods would BEST meet the developer's requirements? A. SAML B. LDAP C. OAuth D. Shibboleth

A

An organization wants to implement a solution that allows for automated logical controls for network defense. An engineer plans to select an appropriate network security component, which automates response actions based on security threats to the network. Which of the following would be MOST appropriate based on the engineer's requirements? A. NIPS B. HIDS C. Web proxy D. Elastic load balancer E. NAC

A

Using a one-time code that has been texted to a smartphone is an example of: A. something you have. B. something you know. C. something you do. D. something you are.

A

Which of the following BEST explains why sandboxing is a best practice for testing software from an untrusted vendor prior to an enterprise deployment? A. It allows the software to run in an unconstrained environment with full network access. B. It eliminates the possibility of privilege escalation attacks against the local VM host. C. It facilitates the analysis of possible malware by allowing it to run until resources are exhausted. D. It restricts the access of the software to a contained logical space and limits possible damage.

A

Which of the following differentiates a collision attack from a rainbow table attack? A. A rainbow table attack performs a hash lookup B. A rainbow table attack uses the hash as a password C. In a collision attack, the hash and the input data are equivalent D. In a collision attack, the same input results in different hashes

A

Which of the following is a technical preventive control? A. Two-factor authentication B. DVR-supported cameras C. Acceptable-use MOTD D. Syslog server

A

While investigating a virus infection, a security analyst discovered the following on an employee laptop: multiple folders containing a large number of newly released movies and music files; proprietary company data; a large amount of PHI data; unapproved FTP software; and documents that appear to belong to a competitor. Which of the following should the analyst do FIRST? A. Contact the legal and compliance department for guidance B. Delete the files, remove the FTP software, and notify management C. Back up the files and return the device to the user D. Wipe and reimage the device

A

An attachment that was emailed to finance employees contained an embedded message. The security administrator investigates and finds the intent was to conceal the embedded information from public view. Which of the following BEST describes this type of message? A. Obfuscation B. Steganography C. Diffusion D. BCRYPT

A (Steganography is hiding an image, obfuscation is hiding a message)

Which of the following methods minimizes the system interaction when gathering information to conduct a vulnerability assessment of a router? A. Download the configuration B. Run a credentialed scan. C. Conduct the assessment during downtime D. Change the routing to bypass the router.

A (gathering info stage)

After discovering the /etc/shadow file had been rewritten, a security administrator noticed an application insecurely creating files in /tmp. Which of the following vulnerabilities has MOST likely been exploited? A. Privilege escalation B. Resource exhaustion C. Memory leak D. Pointer dereference

A. /etc/shadow is the giveaway.

While performing surveillance activities, an attacker determines that an organization is using 802.1X to secure LAN access. Which of the following attack mechanisms can the attacker utilize to bypass the identified network security? A. MAC spoofing B. Pharming C. Xmas attack D. ARP poisoning

A. 802.1X cannot directly prevent MAC spoofing. A MAC spoofing attack is where the intruder sniffs the network for valid MAC addresses and attempts to act as one of the valid MAC addresses.

Given the following requirements: help to ensure non-repudiation; capture motion in various formats. Which of the following physical controls BEST matches the above descriptions? A. Camera B. Mantrap C. Security guard D. Motion sensor

A. A motion sensor cannot provide non-repudiation.

Which of the following differentiates ARP poisoning from a MAC spoofing attack? A. ARP poisoning uses unsolicited ARP replies. B. ARP poisoning overflows a switch's CAM table. C. MAC spoofing uses DHCPOFFER/DHCPACK packets. D. MAC spoofing can be performed across multiple routers.

A A vulnerability with ARP is that it is very trusting. It will believe any ARP reply packet. Attackers can easily create ARP reply packets with spoofed or bogus MAC addresses, and poison the ARP cache on systems in the network. Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide (p. 306). Kindle Edition.

A company is performing an analysis of which corporate units are most likely to cause revenue loss in the event the unit is unable to operate. Which of the following is an element of the BIA that this action is addressing? A. Critical system inventory B. Single point of failure C. Continuity of operations D. Mission-essential functions

A. "A company is performing an analysis": a business impact analysis (BIA) is an important part of a BCP. It helps an organization identify critical systems and components that are essential to the organization's success. These critical systems support mission-essential functions. Corporate units = devices; services = mission-critical functions.

Which of the following are MOST susceptible to birthday attacks? A. Hashed passwords B. Digital certificates C. Encryption passwords D. One time passwords

A A. The birthday attack is used to create hash collisions. Just like matching any birthday is easier, finding any input that creates a colliding hash with any other input is easier due to the birthday attack.

A user needs to transmit confidential information to a third party. Which of the following should be used to encrypt the message? A. AES B. SHA-2 C. SSL D. RSA

A. AES is one of the most advanced encryption protocols available and is good for encrypting large amounts of data. Not B: SHA-2 is a hashing algorithm. Not C: SSL is deprecated. Not D: RSA is a public-key system mostly used for agreeing on relatively short session keys rather than encrypting large amounts of data.

A security analyst receives a notification from the IDS after working hours, indicating a spike in network traffic. Which of the following BEST describes this type of IDS? A. Anomaly-based B. Stateful C. Host-based D. Signature-based

A Anomaly-based detection is the process of comparing definitions of what activity is considered normal against observed events to identify significant deviations.

Which of the following strategies helps reduce risk if a rollback is needed when upgrading a critical system platform? A. Non-persistent configuration B. Continuous monitoring C. Firmware updates D. Fault tolerance

A Answer is 'A' (Non Persistence) as the exam objectives state the following: • Non-persistence - Snapshots - Revert to known state - Rollback to known configuration - Live boot media

The exploitation of a buffer-overrun vulnerability in an application will MOST likely lead to: A. arbitrary code execution. B. resource exhaustion. C. exposure of authentication credentials. D. dereferencing of memory pointers.

A Buffer overflow often ends with data corruption, application crash or remote code execution.

An administrator intends to configure an IPSec solution that provides ESP with integrity protection, but not confidentiality protection. Which of the following AES modes of operation would meet this integrity-only requirement? A. HMAC B. PCBC C. CBC D. GCM E. CFB

A. HMAC is integrity and non-repudiation. AES is encryption; it is meant to maintain confidentiality. Encryption does not maintain integrity by itself: an attacker who can access encrypted data can modify the bytes, thereby impacting the cleartext data (though the encryption makes the task a bit harder for the attacker, it is not as infeasible as is often assumed). To get integrity, you need a MAC, and HMAC is a nice MAC algorithm. In many situations where encryption is mandated, integrity must also be maintained, so, as a general rule, AES "alone" is not sufficient.

Which of the following is being used when a malicious actor searches various social media websites to find information about a company's system administrators and help desk staff? A. Passive reconnaissance B. Initial exploitation C. Vulnerability scanning D. Social engineering

A Key is social media websites

A security technician has been given the task of preserving emails that are potentially involved in a dispute between a company and a contractor. Which of the following BEST describes this forensic concept? A. Legal hold B. Chain of custody C. Order of volatility D. Data acquisition

A. Key word is dispute. Court proceedings etc. usually point to a legal hold.

Which of the following explains why vendors publish MD5 values when they provide software patches for their customers to download over the Internet? A. The recipient can verify integrity of the software patch. B. The recipient can verify the authenticity of the site used to download the patch. C. The recipient can request future updates to the software using the published MD5 value. D. The recipient can successfully activate the new software patch.

A Message Digest 5 (MD5) is a common hashing algorithm that produces a 128-bit hash. You can verify integrity with hashing. Hashing is an algorithm performed on data such as a file or message to produce a number called a hash (sometimes called a checksum). The hash is used to verify that data is not modified, tampered with, or corrupted. In other words, you can verify the data has maintained integrity.

Which of the following enables sniffing attacks against a switched network? A. ARP poisoning B. IGMP snooping C. IP spoofing D. SYN flooding

A. On a switched network = ARP poisoning. On a routed network = IP spoofing. It's the path of ARP spoofing: by using this technique you can fool your target machines into sending data through your attacking machine and then sniff it on your attacking machine. ...

An organization wants to utilize a common, Internet-based third-party provider for authorization and authentication. The provider uses a technology based on OAuth 2.0 to provide required services. To which of the following technologies is the provider referring? A. Open ID Connect B. SAML C. XACML D. LDAP

A. OpenID Connect is built on the OAuth 2.0 protocol and uses an additional JSON Web Token (JWT), called an ID token, to standardize areas that OAuth 2.0 leaves up to choice, such as scopes and endpoint discovery. It is specifically focused on user authentication and is widely used to enable user logins on consumer websites and mobile apps. SAML is independent of OAuth, relying on an exchange of messages to authenticate in XML SAML format, as opposed to JWT. It is more commonly used to help enterprise users sign in to multiple applications using a single login. OpenID Connect is an authentication layer on top of OAuth 2.0, an authorization framework. The standard is controlled by the OpenID Foundation.

A security administrator must implement a wireless encryption system to secure mobile devices' communication. Some users have mobile devices which only support 56-bit encryption. Which of the following wireless encryption methods should be implemented? A. RC4 B. AES C. MD5 D. TKIP

A RC4 is popular with wireless and WEP/WPA encryption. It is a streaming cipher that works with key sizes between 40 and 2048 bits, and it is used in SSL and TLS.

A customer calls a technician and needs to remotely connect to a web server to change some code manually. The technician needs to configure the user's machine with protocols to connect to the Unix web server, which is behind a firewall. Which of the following protocols does the technician MOST likely need to configure? A. SSH B. SFTP C. HTTPS D. SNMP

A. SSH is used for general-purpose remote connections.

A company wishes to move all of its services and applications to a cloud provider but wants to maintain full control of the deployment, access, and provisions of its services to its users. Which of the following BEST represents the required cloud deployment model? A. SaaS B. IaaS C. MaaS D. Hybrid E. Private

A Services and Applications (not full infrastructure)

A company is performing an analysis of the corporate enterprise network with the intent of identifying any one system, person, function, or service that, when neutralized, will cause or cascade disproportionate damage to the company's revenue, referrals, and reputation. Which of the following is an element of the BIA that this action is addressing? A. Identification of critical systems B. Single point of failure C. Value assessment D. Risk register

A if BIA is involved it's always regarding mission critical systems.

A systems engineer is configuring a wireless network. The network must not require installation of third-party software. Mutual authentication of the client and the server must be used. The company has an internal PKI. Which of the following configurations should the engineer choose? A. EAP-TLS B. EAP-TTLS C. EAP-FAST D. EAP-MD5 E. PEAP

A. Mutual authentication of client and server; EAP-TTLS only requires authentication of the server!

A security administrator examines a network session to a compromised database server with a packet analyzer. Within the session there is a repeated series of the hex character 90 (x90). Which of the following attack types has occurred? A. Buffer overflow B. Cross-site scripting C. XML injection D. SQL injection

A Buffer Overflow

Users are attempting to access a company's website but are transparently redirected to another website. The users confirm the URL is correct. Which of the following would BEST prevent this issue in the future? A. DNSSEC B. HTTPS C. IPSec D. TLS/SSL

A. DNSSEC. Unsecured DNS responses can be forgeries that redirect traffic destined for trusted services to malicious sites. Internet users can be protected from attacks like this by deploying DNSSEC.

IAAS PAAS SAAS

A Infrastructure as a Service (IaaS) allows your business to have complete, scalable control over the management and customization of your infrastructure - Your business maintains control over operating systems, storage, and deployed applications. The three cloud service models are: IaaS (Infrastructure-as-a-Service): Cloud computing infrastructure - servers, databases, etc. - that a cloud provider manages. Companies can build their own applications on IaaS instead of maintaining their applications' backends themselves. PaaS (Platform-as-a-Service): One level up from IaaS, PaaS includes development tools, infrastructure, and other support for building applications. SaaS (Software-as-a-Service): Fully built cloud applications.

Which of the following is synonymous with a server's certificate? A. Public key B. CRL C. Private key D. Recovery agent

A Public! A public key certificate (also known as a digital certificate or identity certificate) is an electronic document used to prove ownership of a public key.

Your organization has recently been the target of a spearphishing campaign. You have identified the website associated with the link in the spearphishing emails and want to block it. Which of the following techniques would be the MOST effective in this situation?

A URL filter can be used to block a website based on its website address or universal resource locator (URL). This is not a containment technique, but a blocking and filtering technique. Quarantine would be used against an infected machine, and it would not be effective against trying to block access to a given website across the entire organization. An application blacklist is used to prevent an application from running, so this cannot be used to block a single malicious or suspicious website or URL.

Dion Training has contracted a software development firm to create a bulk file upload utility for its website. During a requirements planning meeting, the developers asked what type of encryption is required for the project. After some discussion, Jason decides that the file upload tool should use a cipher that is capable of encrypting 8 bits of data at a time before transmitting the files from the web developer's workstation to the webserver. What of the following should be selected to meet this security requirement?

A block cipher is used to encrypt multiple bits at a time prior to moving to the next set of data. Block ciphers generally have a fixed-length block (8-bit, 16-bit, 32-bit, 64-bit, etc.). Stream ciphers encrypt a single bit at a time during its encryption process. Hashing algorithms would not meet the requirement because the data would be encrypted using a one-way hash algorithm and be unusable once on the webserver. A cyclic redundancy check (CRC) is an error-detecting code commonly used in digital networks and storage devices to detect accidental changes to raw data. Blocks of data entering these systems get a short check value attached, based on the remainder of a polynomial division of their contents.

A cybersecurity analyst is reviewing the logs of a Citrix NetScaler Gateway running on a FreeBSD 8.4 server and saw the following output:

10.1.1.1 - - [10/Jan/2020:13:23:51 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT "
10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] "GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1" 200 941 "-" "USERAGENT"
10.1.1.1 - - [10/Jan/2020:16:12:31 +0000] "POST /vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT"

What type of attack was most likely being attempted by the attacker?

A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. The example output provided comes from a remote code execution vulnerability being exploited in which a directory traversal is used to access the files. XML Injection is an attack technique used to manipulate or compromise the logic of an XML application or service. SQL injection is the placement of malicious code in SQL statements via web page input. Password spraying attempts to crack various user's passwords by attempting a compromised password against multiple user accounts.

FRR? FAR? CER?

A false rejection rate (FRR) is a Type I error in biometrics; this also equates to a false negative. A false acceptance rate (FAR) is a Type II error and is sometimes referred to as a false positive. The crossover error rate (CER) is the point where the FRR and FAR are equal.

Your organization has recently suffered a data breach due to a server being exploited. As a part of the remediation efforts, the company wants to ensure that the default administrator password on each of the 1250 workstations on the network is changed. What is the easiest way to perform this password change requirement?

A group policy is used to manage Windows systems in a Windows network domain environment by means of a Group Policy Object (GPO). GPOs include a number of settings related to credentials, such as password complexity requirements, password history, password length, and account lockout settings. You can force a reset of the default administrator account password by using a group policy update.

HSM?

A hardware security module (HSM) is a dedicated crypto processor that is specifically designed for the protection of the crypto key lifecycle. Hardware security modules act as trust anchors that protect the cryptographic infrastructure of some of the most security-conscious organizations in the world by securely managing, processing, and storing cryptographic keys inside a hardened, tamper-resistant device.

By itself, a hardware security token is a ____ authentication method. -One-time -Multi-factor

A hardware security token like the one displayed creates a one-time use password by presenting the user with a random string of numbers that changes every 30-60 seconds. When used by itself, it is considered a one-time password authentication method. If combined with a username and password, it would become a multi-factor authentication scheme.

Your organization has decided to implement a biometric solution for authentication. One of the goals is to ensure that the biometric system is highly accurate. Which of the following provides the best indication of accuracy with the biometric system?

A lower crossover error rate (CER) indicates a more accurate biometric system. The false acceptance rate (FAR) and false rejection rate (FRR) vary based on the sensitivity of the system and don't indicate accuracy themselves. A higher CER indicates less accuracy.

Replay Attack?

A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and re-transmits it, possibly as part of a masquerade attack by IP packet substitution. This is one of the lower tier versions of a "Man-in-the-middle attack".

A technician suspects that a system has been compromised. The technician reviews the following log entry:

WARNING- hash mismatch: C:\Window\SysWOW64\user32.dll
WARNING- hash mismatch: C:\Window\SysWOW64\kernel32.dll

Based solely on the above information, which of the following types of malware is MOST likely installed on the system? A. Rootkit B. Ransomware C. Trojan D. Backdoor

A. Rootkit. The entries "WARNING- hash mismatch: C:\Window\SysWOW64\user32.dll" and "WARNING- hash mismatch: C:\Window\SysWOW64\kernel32.dll" show core OS files have been altered; any time Windows/iOS system files are involved, the malware is a rootkit (it operates at the OS level).

The exhibit shows that all the computers on the network are being 'pinged'?

A smurf attack is a type of network security breach in which a network connected to the Internet is swamped with replies to ICMP echo (PING) requests. A smurf attacker sends PING requests to an Internet broadcast address. These are special addresses that broadcast all received messages to the hosts connected to the subnet. Each broadcast address can support up to 255 hosts, so a single PING request can be multiplied 255 times. The return address of the request itself is spoofed to be the address of the attacker's victim. All the hosts receiving the PING request reply to this victim's address instead of the real sender's address. A single attacker sending hundreds or thousands of these PING messages per second can fill the victim's T-1 (or even T-3) line with ping replies, bringing the entire Internet service to its knees. A Ping of Death is one large ICMP packet over 65k; a smurf attack is many small ICMP packets hitting the computer.

Which of the following technologies employ the use of SAML? (Select two.) A. Single sign-on B. Federation C. LDAP D. Secure token E. RADIUS

A & B. SAML passes authorization credentials, so it makes sense that it is A and B. RADIUS and LDAP are protocols and provide authentication.

A company is executing a strategy to encrypt and sign all proprietary data in transit. The company recently deployed PKI services to support this strategy. Which of the following protocols supports the strategy and employs certificates generated by the PKI? (Choose three.) A. S/MIME B. TLS C. SFTP D. SAML E. SIP F. IPSec G. Kerberos

A, B, C. "To encrypt and sign all proprietary data in transit" and "employs certificates generated by the PKI". A. S/MIME: yes, S/MIME uses PKI to provide authentication and encryption of email. B. TLS: yes, TLS has several encryption and encoding standards, some of which support PKI. C. SFTP: yes, SSH in SFTP uses public key cryptography. D. SAML: no, not data in transit. E. SIP: no, not data in transit. F. IPSec: no, no PKI. G. Kerberos: no, no PKI.

Which of the following are used to substantially increase the computation time required to crack a password? (Choose two.) A. BCRYPT B. Substitution cipher C. ECDHE D. PBKDF2 E. Diffie-Hellman

A, D (key stretching)

A user is unable to open a file that has a grayed-out icon with a lock. The user receives a pop-up message indicating that payment must be sent in Bitcoin to unlock the file. Later in the day, other users in the organization lose the ability to open files on the server. Which of the following has MOST likely occurred? (Choose three.) A. Crypto-malware B. Adware C. Botnet attack D. Virus E. Ransomware F. Backdoor G. DDoS attack

A, D, E

A security auditor is performing a vulnerability scan to find out if mobile applications used in the organization are secure. The auditor discovers that one application has been accessed remotely with no legitimate account credentials. After investigating, it seems the application has allowed some users to bypass authentication of that application. Which of the following types of malware allow such a compromise to take place? (Choose two.) A. RAT B. Ransomware C. Worm D. Trojan E. Backdoor

A, E. A Remote Access Trojan is considered a backdoor as well. A backdoor is a malware type that negates normal authentication procedures to access a system. Worms can sometimes carry viruses.

Which of the following BEST describes the type of attack that is occurring? (Select TWO). We have a legit bank web site and a hacker bank web site. The hacker has a laptop connected to the network. The hacker is redirecting bank web site users to the hacker bank web site instead of the legit bank web site. This can be done using two methods: A. DNS spoofing B. Man-in-the-middle C. Backdoor D. Replay E. ARP attack F. Spear phishing G. Xmas attack

A, E. A: DNS spoofing (or DNS cache poisoning) is a computer hacking attack whereby data is introduced into a Domain Name System (DNS) resolver's cache, causing the name server to return an incorrect IP address, diverting traffic to the attacker's computer (or any other computer). A domain name system server translates a human-readable domain name (such as example.com) into a numerical IP address that is used to route communications between nodes. Normally, if the server doesn't know a requested translation it will ask another server, and the process continues recursively. To increase performance, a server will typically remember (cache) these translations for a certain amount of time, so that, if it receives another request for the same translation, it can reply without having to ask the other server again. When a DNS server has received a false translation and caches it for performance optimization, it is considered poisoned, and it supplies the false data to clients. If a DNS server is poisoned, it may return an incorrect IP address, diverting traffic to another computer (in this case, the hacker bank web site server). E: Address Resolution Protocol poisoning (ARP poisoning) is a form of attack in which an attacker changes the Media Access Control (MAC) address and attacks an Ethernet LAN by changing the target computer's ARP cache with forged ARP request and reply packets. This modifies the Layer 2 Ethernet MAC address into the hacker's known MAC address to monitor it. Because the ARP replies are forged, the target computer unintentionally sends the frames to the hacker's computer first instead of sending them to the original destination. As a result, both the user's data and privacy are compromised. An effective ARP poisoning attempt is undetectable to the user. ARP poisoning is also known as ARP cache poisoning or ARP poison routing (APR). Logical (IP) -> Physical (MAC).

A security analyst is hardening a large-scale wireless network. The primary requirements are the following: ✑ Must use authentication through EAP-TLS certificates ✑ Must use an AAA server ✑ Must use the most secure encryption protocol. Given these requirements, which of the following should the analyst implement and recommend? (Select TWO.) A. 802.1X B. 802.3 C. LDAP D. TKIP E. CCMP F. WPA2-PSK

A, F (AES/WPA2 comes with CCMP by default.) An 802.1X network is different from home networks in one major way: it has an authentication server, called a RADIUS server.

A security engineer is configuring a system that requires the X.509 certificate information to be pasted into a form field in Base64 encoded format to import it into the system. Which of the following certificate formats should the engineer use to obtain the information in the required format? A. PFX B. PEM C. DER D. CER

A. PFX (PKCS#12 archive file) B. PEM (ASCII Base64) C. DER (binary DER encoded) D. CER (alternate form of .crt; run an MS CryptoAPI command)

Phishing? Whaling? Vishing? Spim? Social engineering?

A: Phishing is the act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. A phishing email will direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers, that the legitimate organization already has. The website, however, is bogus and set up only to steal the information the user enters on the page. B: Whaling is a specific kind of malicious hacking within the more general category of phishing, which involves hunting for data that can be used by the hacker. In general, phishing efforts are focused on collecting personal data about users. In whaling, the targets are high-ranking bankers, executives or others in powerful positions or job titles. Hackers who engage in whaling often describe these efforts as "reeling in a big fish," applying a familiar metaphor to the process of scouring technologies for loopholes and opportunities for data theft. Those who are engaged in whaling may, for example, hack into specific networks where these powerful individuals work or store sensitive data. They may also set up keylogging or other malware on a workstation associated with one of these executives. There are many ways that hackers can pursue whaling, leading C-level or top-level executives in business and government to stay vigilant about the possibility of cyber threats. C: Vishing is the act of using the telephone in an attempt to scam the user into surrendering private information that will be used for identity theft. The scammer usually pretends to be a legitimate business, and fools the victim into thinking he or she will profit. D: SPIM is a term sometimes used to refer to spam over IM (Instant Messaging). It's also called just spam, instant spam, or IM marketing. No matter what the name, it consists of unwanted messages transmitted through some form of instant messaging service, which can include Short Message Service (SMS). E: Social engineering is a non-technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. It is one of the greatest threats that organizations today encounter. A social engineer runs what used to be called a "con game." For example, a person using social engineering to break into a computer network might try to gain the confidence of an authorized user and get them to reveal information that compromises the network's security. Social engineers often rely on the natural helpfulness of people as well as on their weaknesses. They might, for example, call the authorized employee with some kind of urgent problem that requires immediate network access. Appealing to vanity, appealing to authority, appealing to greed, and old-fashioned eavesdropping are other typical social engineering techniques.

Which of the following are considered symmetric encryption algorithms? MD5, 3DES, SHA, RSA, AES

AES and 3DES are considered encryption standards and use symmetric algorithms. Incorrect Answers: SHA and MD5 are hashing algorithms, and RSA is an asymmetric algorithm.

DES vs AES

AES > DES

ARP Poisoning, Brute force, and DNS poisoning?

ARP --> the hacker alters the ARP cache in order to redirect communication intended for a particular IP address to the wrong MAC address. Popular on wireless networks. Brute force --> the hacker tries every potential password. DNS poisoning --> the attacker poisons the DNS cache so the DNS server gives out the wrong IP address. Buffer overflow --> too much data is sent to an application or service, causing the data to go beyond the buffer area in memory; as a result the hacker can get administrative access to the system.

How to prevent attackers from using ARP requests?

Adding static ARP entries into the cache is one method of mitigating ARP cache poisoning attacks. This method prevents attackers from using ARP requests and replies as the devices in the network will rely on the local cache instead.

ARP? RARP? DNS? DHCP?

Address Resolution Protocol (ARP) resolves IP addresses to MAC addresses. Incorrect Answers: RARP, the Reverse Address Resolution Protocol, resolves MAC addresses to IP addresses, the exact opposite of ARP. DNS, the Domain Name System, resolves fully qualified domain names (FQDN) to IP addresses. DHCP, the Dynamic Host Configuration Protocol, dynamically issues IP addressing information to hosts.

Asymmetric vs symmetric?

Asymmetric encryption is slower and requires more resources. Symmetric encryption is good for basically just confidentiality: it takes a single bit or a fixed block of bits and performs the cryptographic process on it. A stream cipher like RC4 encrypts bit by bit, but most symmetric ciphers do NOT encrypt bit by bit; they usually work block by block (e.g., 128-bit blocks) and rotate through the blocks according to a mode of operation. ECB should not be used if encrypting more than 1 block of data at one time with the same key. GCM can perform authentication and encryption. ECB and CBC allow encryption of multiple blocks of data in one cycle.

A network administrator is brute forcing accounts through a web interface. Which of the following would provide the BEST defense from an account password being discovered? A. Password history B. Account lockout C. Account expiration D. Password complexity

B

Which of the following allows an application to securely authenticate a user by receiving credentials from a web domain?

SAML

OBJ-3.7: Platform as a Service (PaaS) provides the end user with a development environment without all the hassle of configuring and installing it themselves. If you want to develop a customized or specialized program, PaaS helps reduce the development time and overall costs by providing a ready-to-use platform.

Anti-counterfeit training is part of the NIST 800-53r4 control set (SA-19(1)) and should be a mandatory part of your supply chain management training within your organization. All other options may produce security gains in the network. They are unlikely to reliably detect a counterfeit item or prevent its introduction into the organization's supply chain. Training on detection methodologies (i.e., simple visual inspections) and training for acquisition personnel will better prevent recurrences.

A new intern in the purchasing department requires read access to shared documents. Permissions are normally controlled through a group called "Purchasing"; however, the Purchasing group permissions allow write access. Which of the following would be the BEST course of action? A. Modify all the shared files with read only permissions for the intern. B. Create a new group that has only read permissions for the files. C. Remove all permissions for the shared files. D. Add the intern to the "Purchasing" group.

B

Datacenter employees have been battling alarms in a datacenter that has been experiencing hotter than normal temperatures. The server racks are designed so all 48 rack units are in use, and servers are installed in any manner in which the technician can get them installed. Which of the following practices would BEST alleviate the heat issues and keep costs low? A. Utilize exhaust fans. B. Use hot and cold aisles. C. Airgap the racks. D. Use a secondary AC unit.

B

To get the most accurate results on the security posture of a system, which of the following actions should the security analyst do prior to scanning? A. Log all users out of the system B. Patch the scanner C. Reboot the target host D. Update the web plugins

B

Two users need to send each other emails over unsecured channels. The system should support the principle of non-repudiation. Which of the following should be used to sign the user's certificates? A. RA B. CA C. CRL D. CSR

B

The firewall administrator is adding a new certificate for the company's remote access solution. The solution requires that the uploaded file contain the entire certificate chain for the certificate to load properly. The administrator loads the company certificate and the root CA certificate into the file. The file upload is rejected. Which of the following is required to complete the certificate chain? A. Certificate revocation list B. Intermediate authority C. Recovery agent D. Root of trust

B An intermediate CA certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. ... The intermediate CA (Certificate Authority) supplies the necessary chaining to a trusted root in an SSL connection and acts as a link for trust.

A security analyst is specifying requirements for a wireless network. The analyst must explain the security features provided by various architecture choices. Which of the following is provided by PEAP, EAP-TLS, and EAP-TTLS? A. Key rotation B. Mutual authentication C. Secure hashing D. Certificate pinning

B EAP is an authorization framework that provides general guidance for authentication methods. Variations include PEAP, EAP-TLS, EAP-TTLS, and EAP-FAST.

An auditor has identified an access control system that can incorrectly accept an access attempt from an unauthorized user. Which of the following authentication systems has the auditor reviewed? A. Password-based B. Biometric-based C. Location-based D. Certificate-based

B False acceptance. This is when a biometric system incorrectly identifies an unauthorized user as an authorized user. The false acceptance rate (FAR, also known as a false match rate) identifies the percentage of times false acceptance occurs.

A consultant has been tasked to assess a client's network. The client reports frequent network outages. Upon viewing the spanning tree configuration, the consultant notices that an old and low-performing edge switch on the network has been elected to be the root bridge. Which of the following explains this scenario? A. The switch also serves as the DHCP server B. The switch has the lowest MAC address C. The switch has spanning tree loop protection enabled D. The switch has the fastest uplink port

B If there is a tie between two switches having the same priority value, then the switch with the lowest MAC address becomes the root bridge. When comparing two bridge IDs, the priority portions are compared first and the MAC addresses are compared only if the priorities are equal. The switch with the lowest priority of all the switches will be the root; if there is a tie, then the switch with the lowest priority and lowest MAC address will be the root. For example, if switches A (MAC = 0200.0000.1111) and B (MAC = 0200.0000.2222) both have a priority of 32768, then switch A will be selected as the root bridge.

Your IT security director asks you to configure packet encryption for your internal network. She expresses concerns about how existing packet-filtering firewall rules might affect this encrypted traffic. How would you respond to her concerns? A) Encrypted packets will not be affected by existing packet-filtering firewall rules. B) Encrypted packet headers could prevent outbound traffic from leaving the internal network. C) Encrypted packet payloads will prevent outbound traffic from leaving the internal network. D) Inbound encrypted traffic will be blocked by the firewall.

B Packet headers include addressing info such as IP addresses and port numbers. These are used to get a packet to its destination. Packet-filtering firewalls allow or deny traffic based on IP or port addresses. If, for example, packet headers containing port addresses are encrypted, packet-filtering firewalls may block traffic when perhaps it should be allowed.

An office recently completed digitizing all its paper records. Joe, the data custodian, has been tasked with the disposal of the paper files, which include: ✑ Intellectual property ✑ Payroll records ✑ Financial information ✑ Drug screening results. Which of the following is the BEST way to dispose of these items? A. Shredding B. Pulping C. Deidentifying D. Recycling

B Pulping is shredding it REALLY fine and mixing it. Basically making new paper from it. Shredding is thorough, but can still be undone. You can't unpulp paper.

Joe, a security administrator, needs to extend the organization's remote access functionality to be used by staff while travelling. Joe needs to maintain separate access control functionalities for internal, external, and VOIP services. Which of the following represents the BEST access technology for Joe to use? A. RADIUS B. TACACS+ C. Diameter D. Kerberos

B RADIUS supports both authentication and authorization, but combines them in a single packet (Access-Accept); TACACS+ separates them into different packets.

A penetration tester is crawling a target website that is available to the public. Which of the following represents the actions the penetration tester is performing? A. URL hijacking B. Reconnaissance C. White box testing D. Escalation of privilege

B Passive Reconnaissance collects information about a targeted system, network, or organization using open-source intelligence. This includes viewing social media sources about the target, news reports, and even the organization's web site.

Which of the following strategies should a systems architect use to minimize availability risks due to insufficient storage capacity? A. High availability B. Scalability C. Distributive allocation D. Load balancing

B SCALABILITY - ability of a system to increase the workload on its current hardware resources (scale up). ELASTICITY - ability of a system to increase the workload on its current and additional (dynamically added on demand) hardware resources (scale out). Elasticity is strongly related to applications deployed in the cloud. Consider a web server that can serve 100 clients per minute, but if more than 100 clients connect at a time, performance degrades. You need to either scale up or scale out to serve more clients. You scale the server up by adding additional resources, such as processors and memory, and you scale out by adding additional servers behind a load balancer. ...

A systems administrator has finished configuring a firewall ACL to allow access to a new web server: PERMIT TCP from: ANY to: 192.168.1.10:80; PERMIT TCP from: ANY to: 192.168.1.10:443; DENY TCP from: ANY to: ANY. The security administrator confirms from the following packet capture that there is network traffic from the internet to the web server: TCP 10.23.243.2:2000->192.168.1.10:80 POST /defaults; TCP 172.16.4.100:1934->192.168.1.10:80 GET /session.aspx?user_1_sessionid=a12ad8741d8f7e7ac723847aa8231a. The company's internal auditor issues a security finding and requests that immediate action be taken. With which of the following is the auditor MOST concerned? A. Misconfigured firewall B. Clear text credentials C. Implicit deny D. Default configuration

B Note that the session ID is being sent over port 80 (HTTP) in clear text; it should be sent over 443 (HTTPS).

A security administrator is creating a risk assessment with regard to how to harden internal communications in transit between servers. Which of the following should the administrator recommend in the report? A. Configure IPSec in transport mode. B. Configure server-based PKI certificates. C. Configure the GRE tunnel. D. Configure a site-to-site tunnel.

B Server-based PKI certificates perform encryption on data in transit to assure data confidentiality.

An administrator discovers the following log entry on a server: Nov 12 2013 00:23:45 httpd[2342]: GET /app2/prod/proc/process.php?input=change;cd%20../../../etc;cat%20shadow Which of the following attacks is being attempted? A. Command injection B. Password attack C. Buffer overflow D. Cross-site scripting

B The attacker ran the command in order to GET (download) the password hashes stored in that specific file (/etc/shadow), which will be cracked later, most likely offline.

A security analyst has received the following alert snippet from the HIDS appliance: Given the above logs, which of the following is the cause of the attack? (Xmas attack) A. The TCP ports on destination are all open B. FIN, URG, and PSH flags are set in the packet header C. TCP MSS is configured improperly D. There is improper Layer 2 segmentation

B Xmas scans derive their name from the set of flags that are turned on within a packet. These scans are designed to manipulate the PSH, URG and FIN flags of the TCP header.

Which of the following needs to be performed during a forensics investigation to ensure the data contained in a drive image has not been compromised? A. Follow the proper chain of custody procedures. B. Compare the image hash to the original hash. C. Ensure a legal hold has been placed on the image. D. Verify the time offset on the image file.

B You would create the drive image, then verify its accuracy by comparing the hash value of the original to that of the image, then place a legal hold on the image if the hash values are equal.

A security administrator suspects a MITM attack aimed at impersonating the default gateway is underway. Which of the following tools should the administrator use to detect this attack? (Select two.) A. Ping B. Ipconfig C. Tracert D. Netstat E. Dig F. Nslookup

B & C. Step 1: identify your default gateway IP address (> ipconfig). Step 2: run tracert to see how many hops it takes to reach the default gateway; by default it should take only 1 hop (> tracert 192.168.0.1). Try it in CMD: if you get more than 1 hop, your network has been intruded.

A security analyst is hardening a server with the directory services role installed. The analyst must ensure LDAP traffic cannot be monitored or sniffed and maintains compatibility with LDAP clients. Which of the following should the analyst implement to meet these requirements? (Select two.) A. Generate an X.509-compliant certificate that is signed by a trusted CA. B. Install and configure an SSH tunnel on the LDAP server. C. Ensure port 389 is open between the clients and the servers using the communication. D. Ensure port 636 is open between the clients and the servers using the communication. E. Remove the LDAP directory service role from the server.

B & D

A security analyst is hardening an authentication server. One of the primary requirements is to ensure there is mutual authentication and delegation. Given these requirements, which of the following technologies should the analyst recommend and configure? A. LDAP services B. Kerberos services C. NTLM services D. CHAP services

B (because of mutual authentication)

In an effort to reduce data storage requirements, a company decides to hash every file and eliminate duplicates. The data processing routines are time sensitive, so the hashing algorithm must be fast and supported on a wide range of systems. Which of the following algorithms is BEST suited for this purpose? A. MD5 B. SHA C. RIPEMD D. AES

B (eliminate duplicates)

Which of the following application attacks is used to gain access to SEH? A. Cookie stealing B. Buffer overflow C. Directory traversal D. XML injection

B Buffer overflow. Buffer overflow protection is used to detect the most common buffer overflows by checking that the stack has not been altered when a function returns. If it has been altered, the program exits with a segmentation fault. Microsoft's implementation of Data Execution Prevention (DEP) mode explicitly protects the pointer to the Structured Exception Handler (SEH) from being overwritten. A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain code designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.

Which of the following use the SSH protocol? A. Stelnet B. SCP C. SNMP D. FTPS E. SSL F. SFTP

B and F. SFTP - file transfer using SSH; FTPS - FTP plus SSL.

A security administrator is configuring a RADIUS server for wireless authentication. The configuration must ensure client credentials are encrypted end-to-end between the client and the authenticator. Which of the following protocols should be configured on the RADIUS server? (Choose two.) A. PAP B. MSCHAP C. PEAP D. NTLM E. SAML

B, C With PEAP-MSCHAPv2, the user must enter their credentials to be sent to the RADIUS Server that verifies the credentials and authenticates them for network access.

Which of the following is the main difference between an XSS vulnerability and a CSRF vulnerability? (2) A. XSS needs the attacker to be authenticated to the trusted server. B. XSS does not need the victim to be authenticated to the trusted server. C. CSRF needs the victim to be authenticated to the trusted server. D. CSRF does not need the victim to be authenticated to the trusted server. E. CSRF does not need the attacker to be authenticated to the trusted server.

B, C "The fundamental difference is that CSRF (Cross-Site Request Forgery) happens in authenticated sessions when the server trusts the user/browser, while XSS (Cross-Site Scripting) doesn't need an authenticated session and can be exploited when the vulnerable website doesn't do the basics of validating or escaping input."

What is a bollard?

Barricades that can block vehicles.

The Chief Information Security Officer (CISO) is asking for ways to protect against zero-day exploits. The CISO is concerned that an unrecognized threat could compromise corporate data and result in regulatory fines as well as poor corporate publicity. The network is mostly flat, with split staff/guest wireless functionality. Which of the following equipment MUST be deployed to guard against unknown threats?

Behavior-based IPS with a communication link to a cloud-based vulnerability and threat feed

Bluebugging? Bluejacking? Bluesnarfing?

Bluebugging, the most serious of the various Bluetooth attacks, involves an attacker attempting to take control of or use a Bluetooth-enabled cell phone to place calls. Bluejacking is the act of sending unsolicited messages or files to a Bluetooth device. Bluesnarfing is a more serious attack than Bluejacking and involves unauthorized access to information on a Bluetooth-enabled device.

You wish to send an encrypted message to Bob. Which of the following is used to encrypt a message sent to Bob in a PKI environment?

Bob's public key is used to encrypt a message for him. Bob would then decrypt the message with his private key.

Asymmetric: If Alice wants to send an encrypted message to Bob, what does she need?

Bob's public key. The message can then be decrypted with Bob's private key. When Alice (the sender) instead encrypts with the sender's private key, the message is decrypted with the sender's public key: anyone holding the sender's public key can decrypt it, and only the sender could have encrypted it.

During a routine vulnerability assessment, the following command was successful: echo "vrfy 'perl -e 'print "hi" x 500 ' ' " | nc www.company.com 25 Which of the following vulnerabilities is being exploited?

Buffer overflow (the 500-character argument)

An analyst is reviewing a simple program for potential security vulnerabilities before it is deployed to a Windows server. Given the following code: strcpy (random_user_input_bar) Which of the following vulnerabilities is present?

Buffer overflow, because strcpy is an indicator

BPA vs BCP?

Business Process Analysis (BPA) is the analysis and modelling of business processes for improvement. Business Continuity Planning (BCP) is the process involved in creating a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.

An organization electronically processes sensitive data within a controlled facility. The Chief Information Security Officer (CISO) wants to limit emissions from emanating from the facility. Which of the following mitigates this risk? A. Upgrading facility cabling to a higher standard of protected cabling to reduce the likelihood of emission spillage B. Hardening the facility through the use of secure cabinetry to block emissions C. Hardening the facility with a Faraday cage to contain emissions produced from data processing D. Employing security guards to ensure unauthorized personnel remain outside of the facility

C

When designing a web based client server application with single application server and database cluster backend, input validation should be performed: A. On the client B. Using database stored procedures C. On the application server D. Using HTTPS

C

Which of the following development models entails several iterative and incremental software development methodologies such as Scrum? A. Spiral B. Waterfall C. Agile D. Rapid

C

Which of the following uses tokens between the identity provider and the service provider to authenticate and authorize users to resources? A. RADIUS B. SSH C. OAuth D. MSCHAP

C

A security administrator needs to configure remote access to a file share so it can only be accessed between the hours of 9:00 a.m. and 5:00 p.m. Files in the share can only be accessed by members of the same department as the data owner. Users should only be able to create files with approved extensions, which may differ by department. Which of the following access controls would be the MOST appropriate for this situation? A. RBAC B. MAC C. ABAC D. DAC

C "An example of ABAC would be allowing only users who are type=employees and have department=HR to access the HR/Payroll system and only during business hours within the same timezone as the company." Based on that, business hours (time of day) are the key to looking at this, and hours were mentioned in the question.

An administrator is replacing a wireless router. The configuration of the old wireless router was not documented before it stopped functioning. The equipment connecting to the wireless network uses older legacy equipment that was manufactured prior to the release of the 802.11i standard. Which of the following configuration options should the administrator select for the new wireless router? A. WPA+CCMP B. WPA2+CCMP C. WPA+TKIP D. WPA2+TKIP

C (WPA TKIP is able to connect with older legacy equipment!)

A company is deploying a file-sharing protocol across a network and needs to select a protocol for authenticating clients. Management requests that the service be configured in the most secure way possible. The protocol must also be capable of mutual authentication, and support SSO and smart card logons. Which of the following would BEST accomplish this task? A. Store credentials in LDAP B. Use NTLM authentication C. Implement Kerberos D. Use MSCHAP authentication

C **mutual authentication** This is done automatically with a Windows client joined to the domain: login credentials are sent to a Domain Controller (any of them), and if the LDAP user is correct, the controller automatically provides the TGT along with the other tickets needed for file sharing to the client.

A security engineer wants to add SSL to the public web server. Which of the following would be the FIRST step to implement the SSL certificate? A. Download the web certificate B. Install the intermediate certificate C. Generate a CSR D. Encrypt the private key

C A CSR or Certificate Signing request is a block of encoded text that is given to a Certificate Authority when applying for an SSL ..

An organization's Chief Executive Officer (CEO) directs a newly hired computer technician to install an OS on the CEO's personal laptop. The technician performs the installation, and a software audit later in the month indicates a violation of the EULA occurred as a result. Which of the following would address this violation going forward? A. Security configuration baseline B. Separation of duties C. AUP D. NDA

C Abbreviations are difficult for people who are not native English speakers. AUP: acceptable use policy. EULA: end user license agreement. Keywords: newly hired computer technician! An AUP is a document that outlines a set of rules. An AUP clearly states what the user (or a newly hired technician) is and is not allowed to do with these resources. It is a simple set of rules that defines how the computer equipment and network can be used (or, in this case, should be configured). It could be a small document that every new employee (or technician) needs to read and sign off on.

A penetration tester harvests potential usernames from a social networking site. The penetration tester then uses social engineering to attempt to obtain associated passwords to gain unauthorized access to shares on a network server. Which of the following methods is the penetration tester MOST likely using? A. Escalation of privilege B. SQL injection C. Active reconnaissance D. Proxy server

C At the beginning it is the passive stage (social networking sites); then it becomes active (social engineering), so it is active reconnaissance.

A systems administrator is configuring a new network switch for TACACS+ management and authentication. Which of the following must be configured to provide authentication between the switch and the TACACS+ server? A. 802.1X B. SSH C. Shared secret D. SNMPv3 E. CHAP

C This key helps to improve security, and must match the encryption key used in your TACACS+ server application. In some applications, the term "secret key" or "secret" may be used instead of "encryption key".

During a lessons learned meeting regarding a previous incident, the security team receives a follow-up action item with the following requirements: ✑ Allow authentication from within the United States anytime ✑ Allow authentication if the user is accessing email or a shared file system ✑ Do not allow authentication if the AV program is two days out of date ✑ Do not allow authentication if the location of the device is in two specific countries. Given the requirements, which of the following mobile deployment authentication types is being utilized? A. Geofencing authentication B. Two-factor authentication C. Context-aware authentication D. Biometric authentication

C Context-aware security is the use of situational information (such as identity, geolocation, time of day or type of endpoint device) to improve information security decisions. Context-aware authentication is extra power added to the authenticating tool that enables it to look at the context of the entity authentication. The context may include the user name, the MAC address of the device they're using to connect, what resources they are attempting to access, time of day, even their location. Context-aware authentication software holds the promise of making authentication with mobile devices much easier and more secure.

A security engineer implements multiple technical measures to secure an enterprise network. The engineer also works with the Chief Information Officer (CIO) to implement policies to govern user behavior. Which of the following strategies is the security engineer executing? A. Baselining B. Mandatory access control C. Control diversity D. System hardening

C Control diversity is the use of different security control types, such as technical controls, administrative controls, and physical controls. - Technical security controls: firewalls, intrusion detection systems (IDSs), and proxy servers. - Physical security controls: provide extra protection for the server room or other areas where these devices are located. - Administrative controls: vulnerability assessments and penetration tests can help verify that these controls are working as expected.

Which of the following can be implemented in hardware or software to protect a web server from cross-site scripting attacks? A. Intrusion Detection System B. Flood Guard Protection C. Web Application Firewall D. URL Content Filter

C Cross-site scripting (XSS) is a form of malicious code-injection attack on a web server in which an attacker injects code into the content sent to website visitors. XSS can be mitigated by implementing patch management on the web server, using firewalls, and auditing for suspicious activity.

A web application is configured to target browsers and allow access to bank accounts to siphon money to a foreign account. This is an example of which of the following attacks? A. SQL injection B. Header manipulation C. Cross-site scripting D. Flash cookie exploitation

C Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Key word "application." XSS is a client-side attack via a web browser. CSRF is a website attack via authenticated users.

A bank uses a wireless network to transmit credit card purchases to a billing system. Which of the following would be MOST appropriate to protect credit card information from being accessed by unauthorized individuals outside of the premises? A. Air gap B. Infrared detection C. Faraday cage D. Protected distributions

C Faraday cages can be as small as a device or as big as a room or an entire building; in this case they want to isolate the whole building so that the internal wireless signals cannot be captured from outside (the billing system is obviously inside the bank itself). A Faraday cage is an expensive solution (but we are talking about a bank!), but it's definitely the correct answer.

Which of the following uses tokens between the identity provider and the service provider to authenticate and authorize users to resources? A. RADIUS B. SSH C. OAuth D. MSCHAP

C OAuth uses authorization tokens to prove an identity between consumers and service providers. OAuth provides a simpler mobile experience, while SAML is geared towards enterprise security. In simple language, OAuth (Open Authorization) is an open standard for token-based authentication and authorization on the Internet. OAuth, which is pronounced "oh-auth," allows an end user's account information to be used by third-party services, such as Facebook, without exposing the user's password.

A security administrator must implement a system to ensure that invalid certificates are not used by a custom developed application. The system must be able to check the validity of certificates even when internet access is unavailable. Which of the following MUST be implemented to support this requirement? A. CSR B. OCSP C. CRL D. SSH

C OCSP - online check; the OCSP service returns a good, revoked, or unknown status. CRL - offline check; download the list file to check against.

A security engineer is configuring a wireless network that must support mutual authentication of the wireless client and the authentication server before users provide credentials. The wireless network must also support authentication with usernames and passwords. Which of the following authentication protocols MUST the security engineer select? A. EAP-FAST B. EAP-TLS C. PEAP D. EAP

C PEAP - the client (user) authenticates via user name and password; the server authenticates via a CA-issued certificate. EAP-TLS authentication is automatic (certificate-based); no user involvement is needed.

An attacker captures the encrypted communication between two parties for a week, but is unable to decrypt the messages. The attacker then compromises the session key during one exchange and successfully compromises a single message. The attacker plans to use this key to decrypt previously captured and future communications, but is unable to. This is because the encryption scheme in use adheres to: A. Asymmetric encryption B. Out-of-band key exchange C. Perfect forward secrecy D. Secure key escrow

C Perfect forward secrecy means that a piece of an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised, it exposes only a small portion of the user's sensitive data.

Although a web-enabled application appears to only allow letters in the comment field of a web form, a malicious user was able to carry out a SQL injection attack by sending special characters through the web comment field. Which of the following has the application programmer failed to implement? A. Revision control system B. Client side exception handling C. Server side validation D. Server hardening

C Server-side validation is enough to have successful and secure form validation. For better user experience, however, you might consider also using client-side validation. This type of validation is done on the client using scripting languages such as JavaScript. By using scripting languages, users' input can be validated as they type. This means more responsive, visually rich validation. With client-side validation, the form never gets submitted if validation fails. Validation is handled in JavaScript methods that you create (or within frameworks/plugins) and users get immediate feedback if validation fails. The main drawback of client-side validation is that it relies on JavaScript. If users turn JavaScript off, they can easily bypass the validation. This is why validation should always be implemented on both the client and the server. https://www.smashingmagazine.com/2009/07/web-form-validation-best-practices-and-tutorials/

Which of the following attack types BEST describes a client-side attack that is used to manipulate an HTML iframe with JavaScript code via a web browser? A. Buffer overflow B. MITM C. XSS D. SQLi

C The main difference between a SQL injection and an XSS injection attack is that SQL injection attacks are used to steal information from databases, whereas XSS attacks are used to redirect users to websites where attackers can steal data from them. SQL injection is database-focused, whereas XSS is geared towards attacking end users.

Joe, a backup administrator, wants to implement a solution that will reduce the restoration time of physical servers. Which of the following is the BEST method for Joe to use? A. Differential B. Incremental C. Full D. Snapshots

C Focus on the fact that it is asking about the TIME to restore physical servers. Using either a differential or an incremental backup would still require restoring a full backup first, which is more time-consuming than just a full restore.

Which of the following types of security testing is the MOST cost-effective approach used to analyze existing code and identify areas that require patching? A. Black box B. Gray box C. White box D. Red team E. Blue team

C The goal may be to exploit vulnerabilities rather than trying to gain information about the system, so a full white box test can save time and money and enable the tester to focus on that important part of the assessment. ...

An organization's file server has been virtualized to reduce costs. Which of the following types of backups would be MOST appropriate for the particular file server? A. Snapshot B. Full C. Incremental D. Differential

C • Full backup. A full (or normal) backup backs up all the selected data. • Differential backup. This backs up all the data that has changed or is different since the last full backup. • Incremental backup. This backs up all the data that has changed since the last full or incremental backup. • Snapshots. A snapshot backup captures the data at a point in time. It is sometimes referred to as an image backup.

A security analyst is assessing a small company's internal servers against recommended security practices. Which of the following should the analyst do to conduct the assessment? (Choose two.) A. Compare configurations against platform benchmarks B. Confirm adherence to the company's industry-specific regulations C. Review the company's current security baseline D. Verify alignment with policy related to regulatory compliance E. Run an exploitation framework to confirm vulnerabilities

C & E

Which of the following is commonly used for federated identity management across multiple organizations?

SAML

Which of the following are considered among the BEST indicators that a received message is a hoax? (Choose two.) A. Minimal use of uppercase letters in the message B. Warnings of monetary loss to the receiver C. No valid digital signature from a known security organization D. Claims of possible damage to computer hardware E. Embedded URLs

C & E

A security administrator has installed a new KDC for the corporate environment. Which of the following authentication protocols is the security administrator planning to implement across the organization? A. LDAP B. RADIUS C. Kerberos D. XTACACS

C (Kerberos) The fundamental component of a Kerberos solution is the key distribution centre (KDC), which is responsible for verifying the identity of principals and granting and controlling access within a network environment through the use of secure cryptographic keys and tickets.

In Kerberos, the Ticket Granting Ticket (TGT) is used for which of the following? A. Identification B. Authorization C. Authentication D. Multifactor authentication

C Authentication

Ann is the data owner of financial records for a company. She has requested that she have the ability to assign read and write privileges to her folders. The network administrator is tasked with setting up the initial access control system and handing over Ann's administrative capabilities. Which of the following systems should be deployed? A. Role-based B. Mandatory C. Discretionary D. Rule-based

C Discretionary. In a Discretionary Access Control (DAC) model, network users have some flexibility regarding how information is accessed. This model allows users to share information dynamically with other users. Discretionary access control (DAC) allows access to be granted or restricted by an object's owner based on user identity and on the discretion of the object owner. In this question, Ann has requested that she have the ability to assign read and write privileges to her folders. Read and write access to Ann's files will be granted by Ann at her discretion. Therefore, this is an example of Discretionary Access Control.

A security administrator is reviewing the following PowerShell script referenced in the Task Scheduler on a database server: ..... if ($members -notcontains "John Doe") Which of the following did the security administrator discover? A. Ransomware B. Backdoor C. Logic bomb D. Trojan

C Logic bomb (because of the conditional "if": the script only acts when a specific condition is met)

An organization has hired a new remote workforce. Many new employees are reporting that they are unable to access the shared network resources while traveling. They need to be able to travel to and from different locations on a weekly basis. Shared offices are retained at the headquarters location. The remote workforce will have identical file and system access requirements, and must also be able to log in to the headquarters location remotely. Which of the following BEST represent how the remote employees should have been set up initially? (Choose two.) A. User-based access control B. Shared accounts C. Group-based access control D. Mapped drives E. Individual accounts F. Location-based policies

C, E The remote workforce will have identical file and system access requirements = C. Group-based access control. Must also be able to log in to the headquarters location remotely = E. Individual accounts.

Which of the following AES modes of operation provide authentication? (Select two.) A. CCM B. CBC C. GCM D. DSA E. CFB

CCM and GCM

What is a code review?

Code review is the foundation of software assessment programs. During a code review, also known as a peer review, developers other than the one who wrote the code review it for defects. Code reviews may result in approval of an application's move into a production environment, or they may send the code back to the original developer with recommendations for rework of issues detected during the review. During a code review, you're looking for common vulnerabilities such as missing input validation, missing bounds checking, memory allocation and usage errors, embedded passwords, weak encryption, use of static ports and protocols that may be insecure, and so forth. The goal of a code review is to detect vulnerabilities before the application goes into production.

Which type of intrusion detection system identifies suspicious activity by monitoring log files on the system?

Correct Answer: A host-based intrusion detection system (HIDS) monitors local system activity and logs for indications of an attack. Incorrect Answers: A NIDS is a network-based intrusion detection system and does not monitor host log files. A NIPS is a network-based intrusion prevention system and works on the network instead of the host. An ACL is an access control list and is used to allow or deny traffic through a router or grant/deny permissions to resources.

DHE

Creates a shared key over an insecure medium in a secure fashion using a temporary (ephemeral) key to enable perfect forward secrecy.

When accessing a popular website, a user receives a warning that the certificate for the website is not valid. Upon investigation, it was noted that the certificate is not revoked and the website is working fine for other users. Which of the following is the MOST likely cause for this? A. The certificate is corrupted on the server. B. The certificate was deleted from the local cache. C. The user needs to restart the machine. D. The system date on the user's device is out of sync.

D X.509 certificate validation is indeed dependent upon the device's date/time settings (the certificate's validity period is checked against the local clock).

A company is planning to build an internal website that allows for access to outside contractors and partners. A majority of the content will only be for internal employees, with the option to share. Which of the following concepts is MOST appropriate? A. VPN B. Proxy C. DMZ D. Extranet

D Extranet - an intranet that can be partially accessed by authorized outside users, enabling businesses to exchange information over the Internet securely.

An incident response analyst at a large corporation is reviewing proxy data logs. The analyst believes a malware infection may have occurred. Upon further review, the analyst determines the computer responsible for the suspicious network traffic is used by the Chief Executive Officer (CEO). Which of the following is the best NEXT step for the analyst to take? A. Call the CEO directly to ensure awareness of the event B. Run a malware scan on the CEO's workstation C. Reimage the CEO's workstation D. Disconnect the CEO's workstation from the network

D (containment, which follows identification in the incident response process)

A company wants to implement a wireless network with the following requirements: ✑ All wireless users will have a unique credential. ✑ User certificates will not be required for authentication. ✑ The company's AAA infrastructure must be utilized. ✑ Local hosts should not store authentication tokens. Which of the following should be used in the design to meet the requirements? A. EAP-TLS B. WPS C. PSK D. PEAP

D 1 - The company's AAA infrastructure must be utilized: RADIUS, TACACS+, and Diameter are all authentication, authorization, and accounting (AAA) protocols (Darril Gibson's Get Certified Get Ahead p. 357). ... 802.1X is interoperable with a number of remote access services and protocols, such as RADIUS and TACACS+, as well as centralized authentication databases such as Active Directory. ... 802.1X can use several different types of authentication protocols, such as EAP, EAP-TLS, EAP-TTLS, PEAP, LEAP, and EAP-FAST. ... (Mike Meyers' CompTIA Security+ p. 331) 2 - User certificates will not be required for authentication: ... EAP-TLS requires both a server-side certificate and a client-side certificate (client-side certificates are rarely used on Web pages, but the TLS protocol certainly supports their use). ... PEAP is similar to EAP-TLS and requires a digital certificate on the server side of a connection to create a secure TLS tunnel. ...

Students at a residence hall are reporting Internet connectivity issues. The university's network administrator configured the residence hall's network to provide public IP addresses to all connected devices, but many student devices are receiving private IP addresses due to rogue devices. The network administrator verifies the residence hall's network is correctly configured and contacts the security administrator for help. Which of the following configurations should the security administrator suggest for implementation? A. Router ACLs B. BPDU guard C. Flood guard D. DHCP snooping

D DHCP snooping is a layer 2 security technology built into the operating system of a capable network switch that drops DHCP traffic determined to be unacceptable. The fundamental use case for DHCP snooping is to prevent unauthorized (rogue) DHCP servers offering IP addresses to DHCP clients.

Which of the following outcomes is a result of proper error-handling procedures in secure code? A. Execution continues with no notice or logging of the error condition. B. Minor fault conditions result in the system stopping to preserve state. C. The program runs through to completion with no detectable impact or output. D. All fault conditions are logged and do not result in a program crash.

D Detailed information should be logged. Detailed information on the errors typically includes debugging information. By logging this information, it makes it easier for developers to identify what caused the error and how to resolve it.

In determining when it may be necessary to perform a credentialed scan against a system instead of a non-credentialed scan, which of the following requirements is MOST likely to influence this decision? A. The scanner must be able to enumerate the host OS of devices scanned. B. The scanner must be able to footprint the network. C. The scanner must be able to check for open ports with listening services. D. The scanner must be able to audit file system permissions

D If you are doing a credentialed scan (a host scan), then there is less load on the network and presumably you get better information back, such as registry information and file attribute information.

A systems administrator is installing a new server in a large datacenter. Which of the following BEST describes the importance of properly positioning servers in the rack to maintain availability? A. To allow for visibility of the servers' status indicators B. To adhere to cable management standards C. To maximize the fire suppression system's efficiency D. To provide consistent air flow

D Maintain hot and cold aisles

Joe, a user, wants to send Ann, another user, a confidential document electronically. Which of the following should Joe do to ensure the document is protected from eavesdropping? A. Encrypt it with Joe's private key B. Encrypt it with Joe's public key C. Encrypt it with Ann's private key D. Encrypt it with Ann's public key

D The document is confidential and is to be read by Ann only. Since Ann is the only person who knows her private key, any message or document encrypted with Ann's public key can only be decrypted by Ann.

A call center company wants to implement a domain policy primarily for its shift workers. The call center has large groups with different user roles. Management wants to monitor group performance. Which of the following is the BEST solution for the company to implement? A. Reduced failed logon attempts B. Mandatory password changes C. Increased account lockout time D. Time-of-day restrictions

D (Group performance within certain amount of time)

Which of the following cryptography algorithms will produce a fixed-length, irreversible output? A. AES B. 3DES C. RSA D. MD5

D (MD5: MD5 is a cryptographic hash function, which by definition means that it is only computed in one direction and it is not possible to "reverse" it back to its original form.) Hashing takes an input and produces a fixed-length message digest as its output. This is irreversible. MD5, SHA-1, SHA-2, and SHA-3 are all hashing algorithms; AES, 3DES, and RSA are all encryption algorithms.

An administrator implements SELinux on a production web server. After implementing this, the web server no longer serves up files from users' home directories. To rectify this, the administrator creates a new policy as the root user. This is an example of which of the following? (Select TWO). A. Enforcing SELinux in the OS kernel is role-based access control B. Enforcing SELinux in the OS kernel is rule-based access control C. The policy added by the root user is mandatory access control D. Enforcing SELinux in the OS kernel is mandatory access control E. The policy added by the root user is role-based access control F. The policy added by the root user is rule-based access control

D, F Enforcing SELinux in the OS kernel is mandatory access control. SELinux is Security Enhanced Linux, which is a locked-down version of the OS kernel. Mandatory Access Control (MAC) is a relatively inflexible method for how information access is permitted. In a MAC environment, all access capabilities are predefined. Users can't share information unless their rights to share it are established by administrators. Consequently, administrators must make any changes that need to be made to such rights. This process enforces a rigid model of security. However, it is also considered the most secure security model. The policy added by the root user is rule-based access control. The administrator has defined a policy that states that users' folders should be served by the web server. Rule-Based Access Control (RBAC) uses the settings in preconfigured security policies to make all decisions.

DER? PEM? PFX/PKCS?

DER >>> Stores single certificates, certificate chains, or private keys. Uses either a .der or .cer extension. PEM >>> It may contain single certificates, certificate chains, or private keys. Comes in a number of different file extensions: .pem, .crt, .cer, and .key. PFX/PKCS#12 >>> It may contain single certificates, certificate chains, or private keys, although in most cases it is used to store public/private key pairs. Fully encrypts all the data in the file and requires a password to open it. Uses the extension .pfx or .p12.

A system administrator is configuring a site-to-site VPN tunnel. Which of the following should be configured on the VPN concentrator during the IKE phase? A. RIPEMD B. ECDHE C. Diffie-Hellman D. HTTPS

DH Internet Key Exchange (IKE) is the protocol used to set up a secure, authenticated communications channel between two parties. ... In phase 1, IKE creates an authenticated, secure channel between the two IKE peers. This is done using the Diffie-Hellman key agreement protocol.

DHCP exhaustion?

DHCP exhaustion is a Layer 2 attack that also implements a DoS. An attacker sends a flood of DHCP request packets to the DHCP server, each requesting an IP address for a random MAC address. Eventually, the DHCP server runs out of available IP addresses and stops issuing DHCP bindings.

DNS Spoofing vs ARP Poisoning?

DNS spoofing (or DNS cache poisoning) is a computer hacking attack whereby data is introduced into a Domain Name System (DNS) resolver's cache, causing the name server to return an incorrect IP address, diverting traffic to the attacker's computer (or any other computer). A domain name system server translates a human-readable domain name (such as example.com) into a numerical IP address that is used to route communications between nodes. Normally, if the server doesn't know a requested translation it will ask another server, and the process continues recursively. To increase performance, a server will typically remember (cache) these translations for a certain amount of time, so that, if it receives another request for the same translation, it can reply without having to ask the other server again. When a DNS server has received a false translation and caches it for performance optimization, it is considered poisoned, and it supplies the false data to clients. If a DNS server is poisoned, it may return an incorrect IP address, diverting traffic to another computer (in this case, the hacker's fake bank web site server). Address Resolution Protocol poisoning (ARP poisoning) is a form of attack in which an attacker changes the Media Access Control (MAC) address and attacks an Ethernet LAN by changing the target computer's ARP cache with forged ARP request and reply packets. This modifies the Layer 2 Ethernet MAC address mapping into the hacker's known MAC address so the hacker can monitor traffic. Because the ARP replies are forged, the target computer unintentionally sends the frames to the hacker's computer first instead of sending them to the original destination. As a result, both the user's data and privacy are compromised. An effective ARP poisoning attempt is undetectable to the user. ARP poisoning is also known as ARP cache poisoning or ARP poison routing (APR).

During a security audit, you discovered that customer service employees have been sending unencrypted confidential information to their personal email accounts via email. What technology could you employ to detect these occurrences in the future and send an automated alert to the security team?

Data loss prevention (DLP) software detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest. This can be configured to detect and alert on future occurrences of this issue. Secure Sockets Layer (SSL) is a distraction in this question, since the question asks about information being sent unencrypted. The connection between the client and the email server could be encrypted using SSL, but the information is still being sent to an employee's personal email account, and this equates to a loss of control over the confidential data by the company. Mobile Device Management (MDM) software is used for the configuration and securing of mobile devices like smartphones and tablets. Unified Threat Management (UTM) is a device that combines the functions of a firewall, anti-malware solution, and IDS into a single piece of hardware. Some UTMs may provide the functionality of a DLP, but DLP is the better answer to this question.

Your company recently suffered a small data breach that was caused by an employee emailing themselves a copy of the current customers' names, account numbers, and credit card limits. You are determined that something like this shall never happen again. Which of the following logical security concepts should you implement to prevent a trusted insider from stealing your corporate data?

Data loss prevention software detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use (endpoint actions), in transit (network traffic), and at rest (data storage). Since the user was an authorized user (employee), changing your password policy, reconfiguring the firewall, or setting up an MDM solution would not solve this problem. Instead, a DLP solution must be implemented.

An email recipient is unable to open a message encrypted through PKI that was sent from another organization. Which of the following does the recipient need to decrypt the message? A. The sender's private key B. The recipient's private key C. The recipient's public key D. The CA's root certificate E. The sender's public key F. An updated CRL

E

EAP TLS vs EAP TTLS?

EAP-TLS: Extensible Authentication Protocol-Transport Layer Security. An extension of EAP sometimes used with 802.1x. EAP-TLS is one of the most secure EAP standards and is widely implemented. It requires certificates on the 802.1x server and on the clients. EAP-TTLS: Extensible Authentication Protocol-Tunneled Transport Layer Security. An extension of EAP sometimes used with 802.1x. It allows systems to use some older authentication methods such as PAP within a TLS tunnel. It requires a certificate on the 802.1x server but not on the clients.

An analyst wants to implement a more secure wireless authentication for office access points. Which of the following technologies allows for encrypted authentication of wireless clients over TLS? A. PEAP B. EAP C. WPA2 D. RADIUS

A (PEAP) EAP by itself is only an authentication framework. PEAP (Protected Extensible Authentication Protocol) fully encapsulates EAP and is designed to work within a TLS (Transport Layer Security) tunnel that may be encrypted but is authenticated. The primary motivation behind the creation of PEAP was to help correct the deficiencies discovered within EAP, since that protocol assumes that the communications channel is protected. As a result, when EAP messages can be observed in the "clear", they do not provide the protection that was assumed when the protocol was originally authored. PEAP, EAP-TTLS, and EAP-TLS "protect" inner EAP authentication within SSL/TLS sessions.

EAP TLS uses...

EAP-TLS uses client-side (endpoint) certificates. EAP Transport Layer Security (EAP-TLS) was for years the primary EAP variation used on high-security wireless networks. As the name implies, EAP-TLS uses the same TLS protocol used on secure Web pages. EAP-TLS requires both a server-side certificate and a client-side certificate (client-side certificates are rarely used on Web pages, but the TLS protocol certainly supports their use). Client-side certificates are an administrative headache because every laptop, smartphone, tablet, or printer on the network must have a unique certificate. Losing a device requires revoking the missing device's certificate to ensure security. If you want the ultimate in 802.11 authentication security, however, EAP-TLS is the way to go. ...

Security administrators attempted corrective action after a phishing attack. Users are still experiencing trouble logging in, as well as an increase in account lockouts. Users' email contacts are complaining of an increase in spam and social networking requests. Due to the large number of affected accounts, remediation must be accomplished quickly. Which of the following actions should be taken FIRST? (Select TWO) A. Disable the compromised accounts B. Update WAF rules to block social networks C. Remove the compromised accounts with all AD groups D. Change the compromised accounts' passwords E. Disable the open relay on the email server F. Enable sender policy framework

EF Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators. In a Small Business Server environment, you may have to prevent your Microsoft Exchange Server-based server from being used as an open relay SMTP server for unsolicited commercial e-mail messages, or spam. You may also have to clean up the Exchange server's SMTP queues to delete the unsolicited commercial e-mail messages. If your Exchange server is being used as an open SMTP relay, you may experience one or more of the following symptoms: The Exchange server cannot deliver outbound SMTP mail to a growing list of e-mail domains. Internet browsing is slow from the server and from local area network (LAN) clients. Free disk space on the Exchange server in the location of the Exchange information store databases or the Exchange information store transaction logs is reduced more rapidly than you expect. The Microsoft Exchange information store databases spontaneously dismount. You may be able to manually mount the stores by using Exchange System Manager, but the stores may dismount on their own after they run for a short time.

Consider the following scenario. The asset value of your company's primary servers is $2 million. Tornados are not common but estimated 1 every 60 years. SLE?

EF = 1, AV = $2 million, SLE = $2 million

Scalability vs elasticity?

Elasticity - scales up when resource contention is high and scales down when resources are no longer needed. For example, imagine one VM has increased traffic. You can increase the amount of processing power and memory used by this server relatively easily. Similarly, it's relatively easy to decrease the resources when the load decreases. Helps against DoS and lack of redundancy. Scalability - refers more to the ability of the server architecture to be scaled up as more applications are implemented and more server resources are needed. Since the question is talking just about spikes, you wouldn't want to dedicate full infrastructure to spikes for an application when you can provide elasticity to the application and save the money.

What encryption tech is used with small wireless devices?

Elliptic curve cryptography (ECC) is an encryption technology commonly used with small wireless devices.

Fail safe vs fail secure?

Fail-safe means that a device will not endanger lives or property when it fails. Fail-secure, also called fail-closed, means that access or data will not fall into the wrong hands in a security failure. Sometimes the approaches suggest opposite solutions. For example, if a building catches fire, fail-safe systems would unlock doors to ensure quick escape and allow firefighters inside, while fail-secure would lock doors to prevent unauthorized access to the building. (https://en.wikipedia.org/wiki/Fail-safe)

Wildcard Cert?

HTTP certificates typically are issued to specific URLs. For example, my company has one certificate for the www.totalsem.com Web site and a second certificate for our portal, hub.totalsem.com. We purchased the two certificates at different times and from different CAs (Figure 8-29). Wildcard certificates apply to a whole domain, rather than a specific URL. If we purchased a wildcard certificate for totalsem.com, every subdomain we create will use that certificate. This sounds great, right? We would need to purchase a single certificate to secure www.totalsem.com and hub.totalsem.com, two subdomains of totalsem.com.

What is header manipulation?

Header manipulation is the insertion of malicious data, which has not been validated, into an HTTP response header. HTTP headers are control information passed from web clients to web servers on HTTP requests, and from web servers to web clients on HTTP responses. Each header normally consists of a single line of ASCII text with a name and a value.

A company is evaluating cloud providers to reduce the cost of its internal IT operations. The company's aging systems are unable to keep up with customer demand. Which of the following cloud models will the company MOST likely select? What are PaaS and CASB? SaaS and IaaS?

IaaS (because of the aging systems). PaaS is a set of services aimed at developers that helps them develop and test apps without having to worry about the underlying infrastructure. A cloud access security broker (CASB) provides visibility, data security with Data Loss Prevention (DLP), and threat protection so you can safely use cloud apps. SaaS simply involves hosting software in the cloud (like Salesforce.com) so it doesn't take up on-premises resources. Infrastructure as a Service (IaaS) provides virtual machines or storage from a provider on demand with elastic scalability.

In an effort to improve the security of the Dion Training corporate network, a security administrator wants to update the configuration of their wireless network to have IPSec built into the protocol by default. Additionally, the security administrator would like for NAT to no longer be required for extending the number of IP addresses available. What protocol should the administrator implement on the wireless network to achieve their goals?

IPv6 includes IPSec built into the protocol by default. Additionally, IPv6 also provides an extended IP address range for networks, which eliminates the need for using NAT. IPv4 does not include IPSec or extended IP address ranges by default. WPA2 is the most modern and secure version of wireless encryption for WiFi networks, but it doesn't include IPSec or extended IP address ranges by default. WEP is an older version of wireless encryption for WiFi networks and doesn't provide these features by default, either.

Persistence vs escalation of privilege?

If the compromise is introduced at a different time than the attack, then it is said to involve persistence. An example of persistence would be an employee having his or her laptop infected at a hotel while traveling for business and the company's network not being compromised until the employee is back in the office a week later and connected to the company's network. One weakness a good penetration test looks for is escalation of privilege, that is, a hole created when code is executed with higher privileges than those of the user running it. By breaking out of the executing code, users are left with higher privileges than they should have.

After attempting to harden a web server, a security analyst needs to determine if an application remains vulnerable to SQL injection attacks.Which of the following would BEST assist the analyst in making this determination?

Input testing, or fuzzing, is one of the most important tests done dynamically. Fuzzing means to enter unexpected data into the Web app's input fields to see how the app reacts. Fuzzing can use simple random data (sometimes called monkey fuzzing) or it can use intentionally dangerous injection commands, such as entering [drop table]:user into a last name field. ... (Mike Meyers' CompTIA Security+ p. 448) ... A fuzzer is a program which automatically injects semi-random data into a program/stack and detects bugs. ... (https://owasp.org/www-community/Fuzzing)

You conducted a security scan and found that port 389 is being used when connecting to LDAP for user authentication instead of port 636. The security scanning software recommends that you remediate this by changing user authentication to port 636 wherever technically possible. What should you do?

LDAP can be run on either port 389 or port 636. Port 389 is the standard port for LDAP but typically runs unencrypted LDAP services over this port. Instead, you should change all devices and servers that can technically support the change to port 636, since LDAP services over port 636 are encrypted by default.

MDM?

Mobile device management is an industry term for the administration of mobile devices, such as smartphones, tablet computers and laptops. MDM is usually implemented with the use of a third-party product that has management features for particular vendors of mobile devices.

OS hardening?

Making an operating system more secure. It often requires numerous actions such as configuring system and network components properly, deleting unused files and applying the latest patches. The purpose of system hardening is to eliminate as many security risks as possible. This is typically done by removing all non-essential software programs and utilities from the computer.

MTTF?

Mean time to failure (MTTF) is a maintenance metric that measures the average amount of time a non-repairable asset operates before it fails. Because MTTF is relevant only for assets and equipment that cannot or should not be repaired, MTTF can also be thought of as the average lifespan of an asset. Just focus on the last three words, which are the key words of the question.

Which of the following is the LEAST secure hashing algorithm? A. SHA1 B. RIPEMD C. MD5 D. DES

Message Digest 5 (MD5) is a common hashing algorithm that produces a 128-bit hash. Hashes are commonly shown in hexadecimal format instead of a stream of 1s and 0s. For example, an MD5 hash is displayed as 32 hexadecimal characters instead of 128 bits. SHA-1 is an updated version that creates 160-bit hashes. This is similar to the MD5 hash except that it creates 160-bit hashes instead of 128-bit hashes.

Which of the following security controls provides Windows system administrators with an efficient way to deploy system configuration settings across a large number of devices?

Microsoft's Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system will look like and how it will behave for a defined group of users. It allows an administrator to create a policy and deploy it across a large number of devices in the domain or network. Patch management, host intrusion prevention systems (HIPS), and anti-malware software are different types of host security controls, but only GPOs have the ability to configure settings across multiple Windows devices efficiently.

When users connect to the wireless network, management wants them to receive a message asking them to agree to the terms of use before being granted wireless network access. What network service could be used to perform this goal?

NAC. Network access control (NAC) can be used to enforce logon or connection banners that will require users to agree to terms of use before being allowed to connect to the network. NAC is a software or network appliance that can verify that connecting computers are allowed to access the network. This can be done by checking PKI certificates, checking that antivirus software is installed and updated, etc.

You received an incident response report that indicates a piece of malware was introduced into the company's network through a remote workstation that was connected to the company's servers over a VPN connection. Which of the following controls should be applied to prevent this type of incident from occurring again?

NAC. OBJ-2.1: Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as anti-virus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement. When a remote workstation connects to the network, NAC will place it into a segmented portion of the network (sandbox), scan it for malware and validate its security controls, and then, based on the results of those scans, either connect it to the company's networks or place the workstation into a separate quarantined portion of the network for further remediation. An access control list (ACL) is a type of network traffic filter that can control incoming or outgoing traffic. An ACL alone would not have prevented this issue. MAC filtering refers to a security access control method whereby the MAC address assigned to each network card is used to determine access to the network. MAC filtering operates at layer 2 and is easy to bypass. Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses during the delivery of the email.

NAT translation?

The NAT client sees the NAT router as its default gateway. Beyond that, it does not detect that for outbound packets its source IP address is being changed to that of the NAT router's public interface. To internet hosts, the traffic appears to come from the NAT router's public interface (which it really does). There is no indication of IP address translation. NAT is transparent to clients and internet hosts.

You have been asked to assist with an investigation into a malicious user's activities. Unfortunately, your organization did not have full packet capture available for the time period of the suspected activities. Instead, you have received netflow data that contains statistics and information about the network traffic during that time period. Which of the following best represents the type of data you can obtain from this netflow data to support the investigation?

Netflow is a flow analysis tool. Netflow does not capture the full packet capture of data as it crosses the network sensor but instead captures metadata and statistics about the network traffic. This metadata can be used to highlight trends and patterns in the traffic generated by the malicious user, such as the volume of data sent and received. This could be used to indicate data exfiltration if a large amount of data was sent in a short period of time. File contents and email messages could be retrieved from a full packet capture, but unfortunately, that was not provided in this scenario. Application logs are stored locally on a host or on a centralized server, but again those would not be captured in the netflow data.

What authorizes through tokens? How do they authenticate? What is an authentication service that does not tokenize?

OAUTH authorizes through tokens and does not authenticate at all. The user usually authenticates via OpenID. SAML is an authentication service that does not tokenize.

Which of the following attacks would most likely be used to create an inadvertent disclosure of information from an organization's database?

OBJ-1.2: A SQL injection poses the most direct and most impactful threat to an organization's database. A SQL injection could allow the attacker to execute remote commands on the database server and lead to the disclosure of sensitive information. A buffer overflow attack attempts to overwrite the memory buffer in order to send additional data into adjacent memory locations. A buffer overflow attack might target a database server, but it isn't intended to cause a disclosure of information directly. Instead, a buffer overflow attack may be used to gain initial access to a server and allow for the running of other malicious code. A denial of service targets the availability of the information by attempting to take the server offline. A cross-site scripting attack typically is focused against the user, not the server or database.

A cybersecurity analyst in your company notices that an attacker is trying to crack the WPS pin associated with a wireless printer. The device logs show that the attacker tried 00000000, 00000001, 00000002, and continued to increment by 1 number each time until they found the correct PIN of 13252342. Which of the following type of password cracking was being performed by the attacker?

OBJ-1.2: A brute-force attack is when an attacker uses a set of predefined values to attack a target and analyzes the response until he succeeds. Success depends on the set of predefined values. If it is larger, then it will take more time, but there is a better probability of success. In a traditional brute-force attack, the passcode or password is incrementally increased by one letter/number each time until the right passcode/password is found.

An attacker is using the nslookup interactive mode to locate information on a Domain Name Service (DNS). What command should they type to request the appropriate records for only name servers?

OBJ-2.2: The "set type=ns" tells nslookup to only report information on name servers. If you used "set type=mx" instead, you would receive information only about mail exchange servers.

What process is used to conduct an inventory of critical systems, components, and devices within an organization?

OBJ-2.3: An asset management process takes inventory of and tracks all the organization's critical systems, components, devices, and other objects of value. It also involves collecting and analyzing information about these assets so that personnel can make more informed changes or otherwise work with assets to achieve business goals. There are many software suites and associated hardware solutions available for tracking and managing assets (or inventory).

A security analyst is conducting a log review of the company's web server and found two suspicious entries:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[12Jun2020 10:07:23] "GET /logon.php?user=test'+oR+7>1%20--HTTP/1.1" 200 5825
[12Jun2020 10:10:03] "GET /logon.php?user=admin';%20--HTTP/1.1" 200 5845
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The analyst contacts the web developer and asks for a copy of the source code to the logon.php script. The script is as follows:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
<?php
include('../../config/db_connect.php');
$user = $_GET['user'];
$pass = $_GET['pass'];
$sql = "SELECT * FROM USERS WHERE username = '$user' AND password = '$pass'";
$result = MySQL_query($sql) or die ("couldn't execute query");
if (MySQL_num_rows($result) != 0)
    echo 'Authentication granted!';
else
    echo 'Authentication failed!';
?>
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Based on source code analysis, which type of vulnerability is this web server vulnerable to?

OBJ-1.2: Based on the log entries, it appears the attack was successful in conducting a SQL injection. Notice the escape character (') used in the log. In the script, a connection to the MySQL database is being used, which could be exploited since no input validation is being performed. Command injection is an attack in which the goal is the execution of arbitrary commands on the host operating system via a vulnerable application. SQL injection is a specific type of command injection. LDAP injection is a code injection technique used to exploit web applications that could reveal sensitive user information or modify information represented in the LDAP (Lightweight Directory Access Protocol) data stores. Directory traversal or Path Traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server's root directory.

You are analyzing the SIEM for your company's ecommerce server when you notice the following URL in the logs of your SIEM:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
https://www.diontraining.com/add_to_cart.php?itemId=5"+perItemPrice="0.00"+quantity="100"+/><item+id="5&quantity=0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on this line, what type of attack do you expect has been attempted?

OBJ-1.2: This is an example of an XML injection. XML injection manipulates or compromises the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter the intended logic of an application, and XML injection can cause the insertion of malicious content into resulting messages/documents. In this case, the URL is attempting to modify the server's XML structure. The original XML structure would be: <addToCart> <item id="5" perItemPrice="50.00" quantity="1" /> </addToCart>. By using the URL above, this would be modified to the following: <addToCart> <item id="5" perItemPrice="0.00" quantity="10" /> <item id="5" perItemPrice="50.00" quantity="0" /> </addToCart>. The result would be that a new line was added to the XML document that could be processed by the server. This line would allow 10 of the product at $0.00 to be added to the shopping cart, while 0 of the product at $50.00 is added to the cart. This defeats the integrity of the e-commerce store's add-to-cart functionality through this XML injection. A SQL injection occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location. A session hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed by a session token. The real key to answering this question is identifying the XML-structured code being entered as part of the URL, which is shown by the bracketed data.

You are creating a script to filter some logs so that you can detect any suspected malware beaconing. Which of the following is NOT a typical means of identifying a malware beacon's behavior on the network?

OBJ-1.4: The beacon's protocol is not typically a means of identifying a malware beacon. A beacon can be sent over numerous protocols, including ICMP, DNS, HTTP, and numerous others. Unless you specifically knew the protocol being used by the suspected beacon, filtering out beacons by the protocol seen in the logs could lead you to eliminate malicious behavior prematurely. Other factors like the beacon's persistence (if it remains after a reboot of the system) and the beacon's interval (how much time elapses between beaconing) are much better indicators for fingerprinting a malicious beacon. The removal of known traffic by the script can also minimize the amount of data the cybersecurity analyst needs to analyze, therefore making it easier to detect the malicious beacon without wasting their time reviewing non-malicious traffic.

You have run a vulnerability scan and received the following output:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
CVE-2011-3389
QID 42366 - SSLv3.0/TLSv1.0 Protocol weak CBC mode Server side vulnerability
Check with: openssl s_client -connect login.diontraining.com:443 - tls -cipher "AES:CAMELLISA:SEED:3DES:DES"
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following categories should this be classified as?

OBJ-1.6: This vulnerability should be categorized as a web application cryptographic vulnerability. This is shown by the weak SSLv3.0/TLSv1.0 protocol being used in cipher block chaining (CBC) mode. Specifically, the use of the 3DES and DES algorithms during negotiation is a significant vulnerability. A stronger protocol should be used, such as forcing the use of AES.

A firewall administrator has configured a new DMZ to allow public systems to be segmented from the organization's internal network. The firewall now has three security zones set: Untrusted (Internet) [143.27.43.0/24]; DMZ (DMZ) [161.212.71.0/24]; Trusted (Intranet) [10.10.0.0/24]. The firewall administrator has been asked to enable remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ in order for the Chief Security Officer to be able to work from his home office after hours. The CSO's home internet uses a static IP of 143.27.43.32. The remote desktop server is assigned a public-facing IP of 161.212.71.14. What rule should the administrator add to the firewall?

OBJ-2.1: Due to the requirement to allow a single remote IP to enter the firewall, the permit statement must start with a single IP in the Untrusted (Internet) zone. Based on the options provided, only 143.27.43.32 could be correct. Next, the destination is a single server in the DMZ, so only 161.212.71.14 could be correct. The destination port should be 3389, which is the port for the Remote Desktop Protocol. Combining these three facts, only "permit 143.27.43.32 161.212.71.14 RDP 3389" could be correct.

A cybersecurity analyst is attempting to classify network traffic within an organization. The analyst runs the tcpdump command and receives the following output:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
$ tcpdump -n -i eth0
15:01:35.170763 IP 10.0.19.121.52497 > 11.154.12.121.ssh: P 105:157(52) ack 18060 win 16549
15:01:35.170776 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 23988:24136(148) ack 157 win 113
15:01:35.170894 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 24136:24380(244) ack 157 win 113
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following statements is true based on this output?

OBJ-2.2: This output from the tcpdump command is displaying three packets in a larger sequence of events. Based solely on these three packets, we can only be certain that the server (11.154.12.121) is running an SSH server over port 22. This is based on the first line of the output. The second and third lines are the server responding to the request and sending data back to the client (10.0.19.121) over port 52497. There is no evidence of an attack against either the server or the client based on this output, since we can only see the headers and not the content being sent between the client and server.

Dion Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal network. The CompTIA employees should be able to obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if a Dion Training employee uses the same Ethernet port in the conference room, they should be able to access Dion Training's secure internal network. Which of the following technologies would allow you to configure this port and support both requirements?

OBJ-2.1: Network Access Control (NAC) uses a set of protocols to define and implement a policy that describes how to secure access to network nodes whenever a device initially attempts to access the network. NAC can utilize an automatic remediation process by fixing non-compliant hosts before allowing network access. Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do. In this scenario, implementing NAC can identify which machines are known and trusted Dion Training assets, and provide them with access to the secure internal network. NAC could also determine which are unknown machines (assumed to be those of CompTIA employees), and provide them with direct internet access only by placing them onto a guest network or VLAN. While MAC filtering could be used to allow or deny access to the network, it cannot by itself control which set of network resources could be utilized from a single Ethernet port. A security information and event management (SIEM) system provides real-time analysis of security alerts generated by applications and network hardware. An access control list could define which ports, protocols, or IP addresses could be utilized from the Ethernet port, but it would be unable to distinguish between a Dion Training employee's laptop and a CompTIA employee's laptop like a NAC implementation could.

You are conducting an intensive vulnerability scan to detect which ports might be open to exploitation. During the scan, one of the network services becomes disabled and causes an impact on the production server. Which of the following sources of information would provide you with the most relevant information for you to use in determining which network service was interrupted and why?

OBJ-2.1: The syslog server is a centralized log management solution. By looking through the logs on the syslog server, the technician could determine which service failed on which server, since all the logs are retained on the syslog server from all of the network devices and servers. Network mapping is conducted using active and passive scanning techniques and could assist in determining which server was offline, but not what caused the interruption. Firewall logs would only assist in determining why the network connectivity between a host and destination may have been disrupted. A network intrusion detection system (NIDS) is used to detect hacking activities, denial of service attacks, and port scans on a computer network. It is unlikely to provide the details needed to identify why the network service was interrupted.

You are reviewing the logs in your IDS and see that there were entries showing SYN packets received from a remote host targeting each port on your web server from 1 to 1024. Which of the following MOST likely occurred?

OBJ-2.2: Based on the description provided, this is most likely a port scan. Using a tool like nmap, an attacker can create a SYN scan across every port in a range against the desired target. A port scan or SYN scan may trigger an alert in your IDS. While scanners support more stealthy scans, default scans may connect to each port sequentially. The other options are incorrect because a remote host will typically connect to only a single port associated with a service, a SYN flood normally sends many SYNs to a single system but doesn't send them to unused ports, and a UDP probe will not send SYN packets.

Which of the following Wireshark filters should be applied to a packet capture to detect applications that are sending passwords in cleartext to a REST API located at 10.1.2.3?

OBJ-2.2: Filtering the available PCAP with just the http "post" methods would display any data sent when accessing a REST API, regardless of the destination IP. Filtering the available PCAP with just the desired IP address would show all traffic to that host (10.1.2.3). By combining both of these, you can minimize the data displayed to only show things posted to the API located at 10.1.2.3. The ip.proto=tcp filter would display all TCP traffic on a network, regardless of the port, IP address, or protocol being used. It would simply produce too much information to analyze.

What type of weakness is John the Ripper used to test during a technical assessment?

OBJ-2.2: John the Ripper is a free, open-source password cracking software tool. It is utilized to test the strength of passwords during a technical assessment. John the Ripper supports both dictionary and brute force attacks.

Consider the following snippet from a log file collected on the host with the IP address of 10.10.3.6.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Time: Jun 12, 2020 09:24:12 Port:20 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:14 Port:21 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:16 Port:22 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:18 Port:23 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:20 Port:25 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:22 Port:80 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:24 Port:135 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:26 Port:443 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:26 Port:445 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What type of activity occurred based on the output above?

OBJ-2.2: Port scanning is the name for the technique used to identify open ports and services available on a network host. Based on the logs, you can see a sequential scan of some commonly used ports (20, 21, 22, 23, 25, 80, 135, 443, 445) with a two-second pause between each attempt. The source of the scan is 10.10.3.2, and the destination of the scan is 10.10.3.6, making "Port scan targeting 10.10.3.6" the correct choice. IP fragmentation attacks are a common form of denial of service attack, in which the perpetrator overwhelms a network by exploiting datagram fragmentation mechanisms. A denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor.

A cybersecurity analyst is preparing to run a vulnerability scan on a dedicated Apache server that is going to be moved into a DMZ. Which of the following vulnerability scans is most likely to provide valuable information to the analyst?

OBJ-2.2: Since the server being scanned is running Apache, it is a web server. Therefore, a web application vulnerability scan would be the most likely to provide valuable information. A network vulnerability scan or port scan can provide valuable information against any network-enabled server. Since an Apache server doesn't contain a database by default, running a database vulnerability scan is not likely to provide any valuable information to the analyst.

You have recently been hired as a security analyst at Dion Training. On your first day, your supervisor begins to explain the way their network is configured, showing you the physical and logical placement of each firewall, IDS sensor, host-based IPS installations, the networked spam filter, and the DMZ. What best describes how these various devices are placed into the network for the highest level of security?

OBJ-3.1: Defense in depth is the concept of layering various network appliances and configurations to create a more secure and defensible architecture. Dion Training appears to be using various host-based and network-based devices to help ensure there are multiple layers of security in the network.

A company's NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has begun to approach full utilization at various times of the day. If the security team does not have additional money in their budget to purchase a more capable collector, which of the following options could they use to collect useful data?

OBJ-3.2: The organization should enable sampling of the data collected. Sampling can help them to capture network flows that could be useful without collecting everything passing through the sensor. This reduces the bottleneck of 2 Gbps and still provides useful information. Quality of Service (QoS) is a set of technologies that work on a network to guarantee its ability to run high-priority applications and traffic dependably, but that does not help in this situation. Compressing NetFlow data helps save disk space, but it does not increase the capacity of the bottleneck of 2 Gbps during collection. Enabling full packet capture would take even more resources to process and store, as well as not minimizing the bottleneck of 2 Gbps during collection.

Windows file servers commonly hold sensitive files, databases, passwords, and more. What common vulnerability is usually used against a Windows file server to expose sensitive files, databases, and passwords?

OBJ-3.3: Missing patches are the most common vulnerability found on both Windows and Linux systems. When a security patch is released, attackers begin to reverse engineer the security patch to exploit the vulnerability. If your servers are not patched against the vulnerability, they can become a victim of the exploit, and the data contained on the server can become compromised. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Cross-site scripting focuses on exploiting a user's workstation, not a server. CRLF injection is a software application coding vulnerability that occurs when an attacker injects a CRLF character sequence where it is not expected. SQL injection is the placement of malicious code in SQL statements, via web page input. SQL injection is commonly used against databases, but it is not useful when attacking file servers.

The local electric power plant contains both business networks and ICS/SCADA networks to control their equipment. Which technology should the power plant's security administrators look to implement first as part of configuring better defenses for the ICS/SCADA systems?

OBJ-3.5: Since this question is focused on the ICS/SCADA network, the best solution would be to implement an Intrusion Prevention System on the network. ICS/SCADA machines utilize very specific commands to control the equipment and to prevent malicious activity. You could set up strict rules in the IPS to prevent unknown types of actions from being allowed to occur. Log consolidation is a good idea, but it won't prevent an issue and therefore isn't the most critical thing to add first. Automated patch management should not be conducted, as ICS/SCADA systems must be tested prior to conducting any patches. Often, patches will break ICS/SCADA functionality. Anti-virus software may or may not be able to run on the equipment, as well, since some ICS/SCADA systems often do not rely on standard operating systems like Windows.

You work as a cybersecurity analyst at a software development firm. The software developers have begun implementing commercial and open source libraries into their codebase so that they can minimize the time it takes to develop and release a new application. Which of the following should be your biggest concern as a cybersecurity analyst?

OBJ-3.6: Any security flaws present in a commercial or open-source library will also be present in the developed application. A library is vulnerable, just as any other application or code might be. There are both known (discovered) and unknown vulnerabilities that could exist in the libraries being integrated into the project. Therefore, the software development team needs to ensure that they are monitoring the applicable libraries for additional CVEs that might be uncovered at a later date, that they have plans for how to distribute appropriate patches to their customers, and that they have a plan for integrating subsequent updates into their own codebase. Open-source libraries are not more vulnerable or insecure than commercially available or in-house developed libraries. In fact, most open-source software is more secure because it is widely analyzed and reviewed by programmers all around the world. While ensuring the most up-to-date versions of the libraries is a valid concern, as a cybersecurity analyst, you should be more concerned with current security flaws in the library so you can conduct risk management and implement controls to mitigate these vulnerabilities, and determine the method for continuing updates and patch support.

DeepScan supports data-flow analysis and understands the execution flow of a program. It allows you to see possible security flaws without executing the code. Which of the following types of tools would DeepScan be classified as?

OBJ-3.6: DeepScan is an example of a static code analysis tool. It inspects the code for possible errors and issues without actually running the code. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program through the use of a fuzzer. A decompiler is a computer program that takes an executable file as input and attempts to create a high-level source file that can be recompiled successfully. Fault injection is a testing technique that aids in understanding how a system behaves when stressed in unusual ways. A fuzzer, decompiler, and fault injector are all dynamic analysis tools because they require the program being tested to be run in order to be analyzed.

You want to play computer-based video games from anywhere in the world using your laptop or tablet. You heard about a new product called a Shadow PC that is a virtualized Windows 10 Home gaming PC in the cloud. Which of the following best describes this type of service?

OBJ-3.7: Desktop as a Service (DaaS) provides a full virtualized desktop environment from within a cloud-based service. This is also known as VDI (Virtualized Desktop Infrastructure) and is common in large enterprise businesses that are focused on increasing their security and minimizing their operational expenses. Shadow PC (shadow.tech) provides a version of DaaS for home users who want to have a gaming PC without all the upfront costs.

You want to create a website for your new technical support business. You decide to purchase an on-demand cloud-based server and install Linux, Apache, and WordPress on it to run your website. Which of the following best describes which type of service you have just purchased?

OBJ-3.7: Infrastructure as a Service (IaaS) is focused on moving your servers and computers into the cloud. If you purchase a server in the cloud and then install and manage the operating system and software on it, this is IaaS.

Which cloud computing concept is BEST described as focusing on replacing the hardware and software required when creating and testing new applications and programs from a customer's environment with cloud-based resources?

OBJ-3.7: Platform as a Service (PaaS) provides the end-user with a development environment without all the hassle of configuring and installing it themselves. If you want to develop a customized or specialized program, PaaS helps reduce the development time and overall costs by providing a ready to use platform.

Which of the following vulnerabilities involves leveraging access from a single virtual machine to other machines on a hypervisor?

OBJ-3.7: Virtual machine escape vulnerabilities are the most severe issue that may exist in a virtualized environment. In this attack, the attacker has access to a single virtual host and then leverages that access to intrude on the resources assigned to different virtual machines. Data remnant is the residual representation of digital data that remains even after attempts have been made to remove or erase the data. Virtualization sprawl is a phenomenon that occurs when the number of virtual machines on a network reaches a point where the administrator can no longer manage them effectively. Virtual machine migration is the task of moving a virtual machine from one physical hardware environment to another.

Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services?

OBJ-4.2: TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco. The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that operates on port 1812 and provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service, but it was not developed by Cisco. Kerberos is an open-source network authentication protocol designed by Matte Challenge-Handshake Authentication Protocol (CHAP) is used to authenticate a user or network host to an authenticating entity. CHAP is an authentication protocol but does not provide authorization or accounting services.

An attacker has compromised a virtualized server. You are conducting forensic analysis as part of the recovery effort but found that the attacker deleted a virtual machine image as part of their malicious activity. Which of the following challenges do you now have to overcome as part of the recovery and remediation efforts?

OBJ-5.5: Due to the deletion of the VM disk image, you will now have to conduct file carving or other data recovery techniques to recover and remediate the virtualized server. If the server's host uses a proprietary file system, such as VMFS on ESXi, this can further limit support by data recovery tools. The attacker may have widely-fragmented the image across the host file system when they deleted the disk image. VM instances are most useful when they are elastic (meaning they optimally spin up when needed) and then destroyed without preserving any local data when security has performed the task, but this can lead to the potential of lost system logs. To prevent this, most VMs also save their logs to an external syslog server or file. Virtual machine file formats are image-based and written to a mass storage device. Depending on the configuration and VM state, security must merge any checkpoints to the main image, using a hypervisor tool, not recovery from an old snapshot, and then roll forward. It is possible to load VM data into a memory analysis tool, such as Volatility, although the file formats used by some hypervisors require conversion first, or it may not support the analysis tool.

Which of the following cryptographic algorithms is classified as symmetric? -RSA -ECC -Blowfish -PGP

OBJ-6.2: Blowfish is a symmetric-key block cipher, designed in 1993 by Bruce Schneier and included in many cipher suites and encryption products. ECC, PGP, and RSA are all asymmetric algorithms.

Which of the following hashing algorithms results in a 128-bit fixed output?

OBJ-6.2: MD-5 creates a 128-bit fixed output. SHA-1 creates a 160-bit fixed output. SHA-2 creates a 256-bit fixed output. RIPEMD creates a 160-bit fixed output.

Which of the following hashing algorithms results in a 160-bit fixed output? -RIPEMD -SHA2 -NTLM -MD5

OBJ-6.2: RIPEMD creates a 160-bit fixed output. SHA-2 creates a 256-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates a 128-bit fixed output.

Users connecting to an SSID appear to be unable to authenticate to the captive portal. Which of the following is the MOST likely cause of the issue?

OBJ-6.3: Captive portals usually rely on 802.1x, and 802.1x uses RADIUS for authentication.

Your home network is configured with a long, strong, and complex pre-shared key for its WPA2 encryption. You noticed that your wireless network has been running slow, so you checked the list of "connected clients" and see that "Bob's Laptop" is connected to it. Bob lives downstairs and is the maintenance man for your apartment building. You know that you never gave Bob your password, but somehow he has figured out how to connect to your wireless network. Which of the following actions should you take to prevent anyone from connecting to your wireless network without the WPA2 password?

OBJ-6.3: WPS was created to ease the setup and configuration of new wireless devices by allowing the router to automatically configure them after a short eight-digit PIN was entered. Unfortunately, WPS is vulnerable to a brute-force attack and is easily compromised. Therefore, WPS should be disabled on all wireless networks. If Bob was able to enter your apartment and press the WPS button, he could have configured his laptop to use your wireless network without your WPA2 password.

A highly complex password policy has made it nearly impossible to crack account passwords. Which of the following might a hacker still be able to perform? A. Pass-the-hash attack B. ARP poisoning attack C. Birthday attack D. Brute force attack

Pass the Hash (associated with NTLM and LanMan). A highly complex password won't matter if you can gain access to the hash and crack the hash instead (assuming it's not salted, which this makes no mention of).

An XML-based standard used to exchange authentication and authorization information between different parties; it provides SSO for web-based applications.

SAML—Security Assertion Markup Language.

Attackers have been using revoked certificates for MITM attacks to steal credentials from employees of Company.com. Which of the following options should Company.com implement to mitigate these attacks?

OCSP stapling is a method for quickly and safely determining whether or not an SSL certificate is valid. It allows a web server to provide information on the validity of its own certificates rather than having to request the information from the certificate's vendor.

OCSP stapling

OCSP stapling is a method for quickly and safely determining whether or not an SSL certificate is valid. It allows a web server to provide information on the validity of its own certificates rather than having to request the information from the certificate's vendor.

OCSP stapling and cert pinning?

OCSP, or the Online Certificate Status Protocol, is used to check whether a certificate has been revoked. With OCSP stapling, the device that holds the certificate is also the one that provides the status of any revocation. This information is gathered directly from the device that holds the certificate rather than going all the way back to the certificate authority. Certificate pinning is when an application has hard-coded the server's certificate into the application itself. The application will then communicate with the server, receive a copy of the certificate, and then compare that certificate to the one that has been hard-coded into the application.

What is the first thing you see when you view a certificate?

OID

Which of the following would a security specialist be able to determine upon examination of a server's certificate?

OID (In the federal government PKI they are used to uniquely identify each of the four policies and cryptographic algorithms supported)

SAML vs OATH

One open method for authentication and authorization is SAML, the Security Assertion Markup Language, where you can authenticate through a third party to provide access to local resources. A good example of this is Shibboleth, which is open source software that implements SAML to provide this single sign-on capability. Unfortunately, SAML was never designed for mobile applications, and so you don't often see SAML being used in modern mobile networks. OAuth is a protocol that provides resource authorisation. It was created by Twitter, Google, and other very large technology companies. It is usually combined with OpenID Connect, which handles the single sign-on, and then OAuth determines what resources a person should have access to. You often see OAuth used with Twitter, Google, Facebook, and many other organizations.

MIRROR BACKUP: data backed up: backup time is: restore time is: Storage space is:

Data backed up: only new/modified files or folders
Backup time: fastest
Restore time: fastest
Storage space: highest

Examples of Federated Identity Management (FIM)?

OpenID and OAuth, as well as Shibboleth, which is based on OASIS SAML.

Which of the following are used to increase the computing time it takes to brute force a password using an offline attack? (Select TWO)

PBKDF2 and bcrypt (dictionary and brute-force attacks are then less effective)

Password storage: if you see changes in the hashes of the passwords stored in each of the following files, what does this tell you? -In /etc/passwd file -in /etc/iptables/iptables-save -in /boot/initrd.img file

Passwords stored in the /etc/passwd file often change, especially with new accounts and password changes. This is normal and the reason for the hash of the file to change frequently. The /etc/iptables/iptables-save file holds the firewall rules and does not often change. The screen capture referenced here illustrates no change to the firewall file, as seen with a consistent hash value (it does not change). The /boot/initrd.img file is the bootloader and should NOT change very often. At the bottom, you can see the bootloader first changed on 1/1/2017 at 3:30 with a 7813xxx hash; this file is listed as the correct answer. This could be indicative of a compromised loader with possibly malicious code.

A systems administrator wants to generate a self-signed certificate for an internal website.Which of the following steps should the systems administrator complete prior to installing the certificate on the server?

Private key on internal server

An organization has an account management policy that defines parameters around each type of account. The policy specifies different security attributes, such as longevity, usage auditing, password complexity, and identity proofing. The goal of the account management policy is to ensure the highest level of security while providing the greatest availability without compromising data integrity for users. Which of the following account types should the policy specify for service technicians from corporate partners? A. Guest account B. User account C. Shared account D. Privileged user account E. Default account F. Service account

Privileged User Accounts are named credentials that have been granted administrative privileges on one or more systems. This is typically one of the most common forms of privileged account access granted on an enterprise network, allowing users to have administrative rights on, for example, their local desktops or across the systems they manage. Do we want to give them admin privileges?

Radius?

RADIUS (remote authentication dial-in user service) server uses a protocol called 802.1X, which governs the sequence of authentication-related messages that go between the user's device, the wireless access point (AP), and the RADIUS server.

Why should someone be concerned for multithreaded applications?

Race conditions

What does RSTP do

Rapid STP prevents switching loop problems and should be enabled on the switches. A flood guard on a switch helps prevent a MAC flood attack.

Role based access control? DAC? MAC?

Role-based Access Control is basically based on a user's job description. When a user is assigned a specific role in an environment, that user's access to objects is granted based on the required tasks of that role. Discretionary access control (DAC), by contrast, allows access to be granted or restricted by an object's owner based on user identity and on the discretion of the object owner. It does not rely on job function. Mandatory Access Control allows access to be granted or restricted based on the rules of classification. It does not rely on job function either.

SHA1? MD5? 3DES and AES256?

SHA-1 (secure hashing algorithm) generates a 160-bit hash. MD5 is a hashing algorithm that generates a 128-bit hash, which is weaker than SHA-1. 3DES and AES-256 are symmetric encryption algorithms, not hashing algorithms.

SQL injection? XXS? SML? Directory traversal?

SQL injection is a common attack on databases through a web-based form, where the attacker injects SQL commands into the form input. Incorrect Answers: Cross-site scripting allows client-side scripts to be run on a web site. XML injection is an attack that injects faulty or malicious XML code into an XML statement. Directory traversal is the ability to search a web server's directories and files.

Which of the following is a best practice that should be followed when scheduling vulnerability scans of an organization's data center?

Schedule during low activity. OBJ-1.5: For the best results, the scans should be scheduled during periods of low activity. This will help to reduce the negative impact of scanning on business operations. The other three options all carry a higher risk of causing disruptions to the network or its business operations.

Hilda needs a cost-effective backup solution that would allow for the restoration of data within a 24 hour RPO. The disaster recovery plan requires that backups occur during a specific timeframe each week, and then the backups should be transported to an off-site facility for storage. What strategy should Hilda choose to BEST meet these requirements?

Since the RPO must be within 24 hours, either daily or hourly backups must be conducted. Since the requirement is for backups to be conducted at a specific time each week, hourly snapshots would not meet this requirement and are not easily transported since they are being conducted as a disk-to-disk backup. Replication to a hot site environment also doesn't allow for transportation of the data to an off-site facility for storage, and replication would continuously occur throughout the day. Therefore, a daily incremental backup should be conducted, since it will require the least amount of time to conduct, the tapes could be easily transported for storage and restored incrementally from tape since the last full backup was conducted.

You have been hired as a cybersecurity analyst for a privately-owned bank. Which of the following regulations would have the greatest impact on your bank's cybersecurity program?

The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information. The Health Insurance Portability and Accountability Act (HIPAA) is a US law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. Sarbanes-Oxley (SOX) is a United States federal law that set new or expanded requirements for all US public company boards, management, and public accounting firms. The Family Educational Rights and Privacy Act (FERPA) of 1974 is a United States federal law that governs the access to educational information and records by public entities such as potential employers, publicly funded educational institutions, and foreign governments.

A cybersecurity analyst is working at a college that wants to increase the security of its network by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must be able to scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally-managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements?

Since the college wants to ensure there is a centrally-managed enterprise console, using an active scanning engine installed on the enterprise console would best meet these requirements. Then, the college's cybersecurity analysts could perform scans on any devices that are connected to the network using the active scanning engine at the desired intervals. Agent-based scanning would be ineffective since the college cannot force the installation of the agents onto each of the personally owned devices brought in by the students or faculty. A cloud-based or server-based engine may be useful, but it won't address the centrally-managed requirement. Passive scanning is less intrusive but is subject to a high number of false positives.

You have been investigating how a malicious actor was able to exfiltrate confidential data from a web server to a remote host. After an in-depth forensic review, you determine that the web server's BIOS had been modified by the installation of a rootkit. After you remove the rootkit and reflash the BIOS to a known good image, what should you do in order to prevent the malicious actor from affecting the BIOS again?

Since you are trying to protect the BIOS, utilizing secure boot is the best choice. Secure boot is a security system offered by UEFI. It is designed to prevent a computer from being hijacked by a malicious OS. Under secure boot, UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the operating system boot loader using the stored certificate to ensure that it has been digitally signed by the OS vendor. This prevents a boot loader that has been changed by malware (or an OS installed without authorization) from being used. The TPM can also be invoked to compare hashes of key system state data (boot firmware, boot loader, and OS kernel) to ensure they have not been tampered with by a rootkit. The other options are all good security practices, but they only apply once you have already booted into the operating system. This makes them ineffective against boot sector or rootkit attacks.

How to protect against phishing?

Spam filter on mail gateways. Phishing attacks are delivered as malicious spam. Spam filters on mail gateways (email servers) detect and filter spam before it ever gets to users. Some networks route email through another device first to filter out spam. If users never receive a malicious email, there isn't any chance of them clicking on a malicious link in that email. ... (Darril Gibson's Get Certified Get Ahead p. 462)

RAID 0?

Striping -Improved disk performance (not fault tolerance) -Requires minimum of 2 disks -Great for media streaming server

When working with asymmetric encryption, which of the following is used to encrypt a message sent from Bob to Sue?

Sue's public key is used to encrypt a message from Bob to Sue, as only Sue's private key can decrypt it.

What tool can be used as an exploitation framework during your penetration tests?

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Nessus is a very popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can be used to perform compliance auditing, like internal and external PCI DSS audit scans. The nmap tool is a port scanner. BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

What is a SAN?

The Subject Alternative Name field lets you specify additional host names (sites, IP addresses, common names, etc.) to be protected by a single SSL Certificate.

A member of the admins group reports being unable to modify the "changes" file on a server. The permissions on the file are as follows: Permissions User Group File --rwxrw-r--+ Admins Admins changes. Based on the output above, which of the following BEST explains why the user is unable to modify the "changes" file?

The file permissions according to the file system access control list (FACL) are rw-rw-r--. The first 'rw-' are the file owner permissions (read and write). The second 'rw-' are the group permissions (read and write) for the group that has been assigned the file. The third 'r--' is the All Users permissions; in this case read only. To enable Ann to access the file, we should add Ann to the group that has been assigned to the file.

What is used for non repudiation?

The private key, when used for nonrepudiation, is used to encrypt text that anyone who possesses the public key can decrypt. This assures that only the person owning the private key could have encrypted it, ensuring that he or she is the one who performed the action.

Regarding IPSec Mode, why is tunnel > transport?

Tunnel mode encrypts the entire IP packet used in the internal network and is the mode used with VPNs transmitted over the internet. The IP address used in the internal network is encrypted and not visible to anyone who intercepts the traffic.

CYOD vs COPE

Under the CYOD model, the phones are employee-owned and employee-controlled, and there is nothing which forces the employee to replace their phone. Under the COPE model, the company retains full control over security and phone replacements.

Why is vendor diversity important?

Vendor diversity is done to achieve defense-in-depth (layered security). It makes a system more resilient by providing layers of protection. Think about a castle, with its moat, walls, and even keep.

What is compatible with backward legacy WEP

WPA uses Temporal Key Integrity Protocol (TKIP) for generating encryption keys. ... TKIP, combined with an improved implementation of the same RC4 stream cipher that WEP uses, provides WPA encryption. TKIP enables backward-compatibility with legacy WEP, uses 128-bit keys, and uses a 48-bit initialization vector.

INCREMENTAL BACKUP: data backed up: backup time is: restore time is: Storage space is:

Data backed up: only new/modified files or folders
Backup time: fast
Restore time: moderate
Storage space: lowest

A penetration tester has been hired to conduct an assessment, but the company wants to exclude social engineering from the list of authorized activities. Which of the following documents would include this limitation?

While the network scope given in the contract documents will define what will be tested, the rules of engagement defines how that testing is to occur. Rules of engagement can state things like no social engineering is allowed, no external website scanning, etc. A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve the exchange of money. A service level agreement contains the operating procedures and standards for a service contract. An acceptable use policy is a policy that governs employees' use of company equipment and internet services.

Wild card certs?

Wildcard certificates would be like *.google.com. This would then be valid for ALL subdomains such as ftp.google.com, mail.google.com, etc. You cannot elect to omit select servers. The certificate will always include ALL of them.

IAAS?

With IaaS, the vendor provides (also rents) the hardware platform or data center, and the company installs and manages its own operating systems and application systems. The vendor simply provides access to the data center and maintains that access. An example of this is a company hosting all its web servers with a third party that provides everything. With IaaS, customers can benefit from the dynamic allocation of additional resources in times of high activity, while those same resources are scaled back when not needed, which saves money.

IT security personnel respond to the repeated misuse of an authenticated user's session cookie on an e-commerce web site. The affected user reports he occasionally uses the site but not for the transactions in question. The security personnel decide to reduce the amount of time an authentication cookie is valid. What type of attack?

XSS

Asymmetric

You should use an asymmetric key for symmetric encryption. It is very slow, though, and bad for big data. Encrypt with the public key; use the private key to decrypt! Goal: determines which key is used for encryption and decryption.

MPLS

A routing technique in telecommunications networks that directs data from one node to the next based on short path labels rather than long network addresses, thus avoiding complex lookups in a routing table and speeding traffic flows. The labels identify virtual links (paths) between distant nodes rather than endpoints. MPLS can encapsulate packets of various network protocols, hence the "multiprotocol" reference in its name. MPLS supports a range of access technologies, including T1/E1, ATM, Frame Relay, and DSL.

A security consultant is setting up a new electronic messaging platform and wants to ensure the platform supports message integrity validation. Which of the following protocols should the consultant recommend? A. S/MIME B. DNSSEC C. RADIUS D. 802.11x

S/MIME: a standard for public key encryption and signing of MIME data. S/MIME is on an IETF standards track and is defined in a number of documents, most importantly RFC 3369, 3370, 3850 and 3851.

FULL BACKUP: data backed up: backup time is: restore time is: Storage space is:

All data is backed up; backup time is slowest; restoration time is fast; storage space is high.

DIFFERENTIAL BACKUP: data backed up: backup time is: restore time is: Storage space is:

All data since the last full backup is backed up; backup time is moderate; restoration time is fast; storage space is moderate.

TACACS encrypts .... RADIUS encrypts...

TACACS encrypts all information between the client and server, whereas RADIUS only encrypts the passwords.

Both Brute Force and Dictionary attacks require ... Pass the Hash & Rainbow Tables bypass ....

Both brute force and dictionary attacks require the attacker to attempt a login and are subject to account lockouts. Pass the hash and rainbow tables bypass normal clear-text login procedures and work directly with the hashed credentials.

Cloud Access Security Broker (CASB) gives you ...

both visibility into your entire cloud stack and the security automation tool your IT team needs.

Netstat? Tracert? Nslookup? Ping?

Netstat: checks if there are active connections. Tracert: shows the entire path to a given address. Nslookup: checks whether it can connect to the DNS server, and you can enter DNS commands. Ping: checks whether a given address is reachable (sends ICMP echo request packets to the host and waits for the ICMP response, called pong).

Input validation is...?

A defensive technique intended to mitigate possible user input attacks, such as buffer overflows and fuzzing. Input validation checks every user input submitted to the application before processing that input. The check could be on length, character type, language type, or domain.

context-aware authentication?

Extra capability added to the authenticating tool that enables it to look at the context of the entity's authentication. The context may include the user name, the MAC address of the device they're using to connect, what resources they are attempting to access, the time of day, and even their location. Context-aware authentication software holds the promise of making authentication with mobile devices much easier and more secure.

How should the hot and cold aisle be situated in the server room?

Hot aisle/cold aisle data center design involves lining up server racks in alternating rows, with cold air intakes facing one way and hot air exhausts facing the other.

DHCP snooping?

A layer 2 security technology built into the operating system of a capable network switch that drops DHCP traffic determined to be unacceptable. The fundamental use case for DHCP snooping is to prevent unauthorized (rogue) DHCP servers from offering IP addresses to DHCP clients.

Virtualization?

Used to host one or more operating systems in the memory of a single host computer; it allows multiple operating systems to run simultaneously on the same hardware, reducing costs. Virtualization offers the flexibility of quickly and easily making backups of entire virtual systems, and quickly recovering a virtual system when errors occur. Furthermore, malicious code compromises of virtual systems rarely affect the host system, which allows for safer testing and experimentation.

Null Pointer Dereference?

A memory vulnerability that usually causes the application to crash, or a denial of service, is a NULL pointer dereference. This is where the programmer dereferences a pointer into a portion of memory that is being used by that application, except in this case there is nothing at that memory address to dereference, and the application crashes.

After a user reports slow computer performance, a systems administrator detects a suspicious file, which was installed as part of a freeware software package. The systems administrator reviews the output below: established.winserver.exe

winserver.exe is an old file name and trojans have adopted it now. Just remember: whenever there is a mention of winserver, use RAT.
