Sec+ 1-8
Evaluate each of the following algorithms, and select which is susceptible to a Man-in-the-Middle Attack (MITM) when a public key value is substituted and sent to each party. D-H ElGamal ECC RSA
D-H (Diffie-Hellman): the vulnerability applies to key agreement rather than key exchange.
All certificates use ___________, which converts certificate information into binary. PEM DER Base64 ASCII
DER
Which of the following certificate formats is used to store a binary representation of a digital certificate?
DER 0-1: stupid people say DER
What ciphers can be selected to enable Perfect Forward Secrecy?
DHE & ECDHE
Where should an administrator place an internet-facing host on the network? DMZ Bastion host Extranet Private network
DMZ
What term is used to describe the state of data stored on the flash drive of a smartphone?
Data at rest
Data exists in several states, each requiring different security considerations. Evaluate the following items and select which data state would include financial information stored in databases. Data in use Data in transit Data in motion Data at rest
Data at rest Data at rest—this state means that the data is in some sort of persistent storage media. Data in transit (or data in motion)—this is the state when data is transmitted over a network. Data in use—this is the state when data is present in volatile memory, such as system RAM or CPU registers and cache.
A store kiosk is equipped with a credit card scanner and temporarily stores the account information while performing the transaction. What best describes the data state? Data in Motion Data at Rest Data in Transit Data in Use
Data in Use
Data exists in several states, each requiring different security considerations. Evaluate the following items and select which data state presents the greatest encryption challenge. Data in use Data in transit Data in motion Data at rest
Data in use. Data in transit/motion is data moving over a network. Data at rest (storage) is easy to encrypt (think of a portable encrypted hard drive).
What are the two general purposes that logs serve? (Choose two) Keeping a complete record of each and every action that takes place on a network Detecting intrusions or attempted intrusions Monitoring activity in real time to create alerts Accounting for all actions that have been performed by users
Detecting intrusions or attempted intrusions Accounting for all actions that have been performed by users
What kind of control may not physically/logically restrict unauthorized access, but psychologically discourages attackers? Deterrent Preventative Corrective Compensating
Deterrent
What is DHE?
Diffie Hellman Encryption
In order to prevent patterns from being easy to identify in ciphertext, which two properties must be exhibited? (Choose 2) Diffusion Confusion Transposition Cipher One-time Pad
Diffusion Confusion A one-time pad is a cryptographic key that is the same length as what is being encrypted, and used only once. A transposition cipher is a cipher where all units stay the same in plaintext and ciphertext, but their order is changed according to some mechanism.
Which of the following utilizes both symmetric and asymmetric encryption? Digital Certificate Digital Signature Digital Evidence Digital Envelope
Digital Envelope
Alice encrypts the message using a secret-key cipher such as AES or Blowfish. The secret key itself is encrypted, using public key cryptography, with Bob's public key, then attached to the encrypted message and sent to Bob. Bob uses his private key to decrypt the secret key and uses the secret key to decrypt the message. What is this method of secret key delivery referred to as? Key Inception Digital Envelopes Confusion Key Delivery
Digital Envelopes
Which of the following utilizes both symmetric and asymmetric encryption? Digital envelope Digital certificate Digital evidence Digital signature
Digital envelope- key exchange Uses Symmetric for speed, asymmetric for conv
Active Directory is a database stored on one or more servers called ______.
Domain Controllers
Incident management relies heavily on efficient allocation of resources. Which of the following factors should the IT manager consider in order to effectively triage remediation efforts? (Choose THREE) Planning time Downtime Detection time Recovery time
Downtime Detection time Recovery time
Which authentication framework supports smart cards?
EAP and 802.1X
Evaluate how each of the following algorithms work and select which adapts the Diffie-Hellman protocol to use for encryption and digital signing rather than simply as a mechanism for agreeing to a shared secret. ECC ElGamal RSA ECDHE
ElGamal ECC - another type of trapdoor function used to generate public/private key pairs. ECDHE - provides a Perfect Forward Secrecy (PFS) mechanism for Transport Layer Security (TLS). RSA - widely deployed as a solution for creating digital signatures and key exchange.
What is ECC?
Elliptic Curve Cryptography. Uses curves to encrypt data. Asymmetric.
The X.509 standard defines the fields (information) that must be present in a digital certificate. Which of the following is NOT a required field? Extensions Endorsement key Public key Version
Endorsement key
The X.509 standard defines the fields (information) that must be present in a digital certificate. Which of the following is NOT a required field? Serial Number Issuer Name Endorsement key Version
Endorsement key
Which of the following are examples of password policies that can be applied? (Choose two) Enforce password history Complexity requirements Password recovery Preconfigured passwords
Enforce password history Complexity requirements
What is a checksum?
Ensures the validity of data. Checking the hash of a file for steganography.
Apart from cost, what would you consider to be the major considerations for evaluating a biometric recognition technology?
Error rates, throughput, intrusiveness level
What roles does out-of-band messaging play in incident response?
Establish a secure channel for responders to communicate
Which of the following is NOT a responsibility of a CA? Manage the servers that store and administer the certificates. Ensure the validity of certificates and the identity of those applying for them. Perform key and certificate lifecycle management. Establish a web of trust between a user and other users who are providing verification for their certificate.
Establish a web of trust between a user and other users who are providing verification for their certificate.
What is the term for a tool comprised of a database of exploit code, each targeting a particular CVE (Common Vulnerabilities and Exposures)? Vulnerability scanner Remote Access Trojan Wireless cracker Exploitation framework
Exploitation framework
T/F: The "First Responder" is whoever reports an incident to the CIRT.
F - First responder: the member of the CIRT taking charge of a reported incident (the first IT person on scene; have a backup person).
T/F A revoked key can be re-enabled.
False
True or false: AAA servers are typically hosted on network access devices such as routers or switches due to the high volume of accounts these devices need to authorize on a regular basis.
False The whole purpose of AAA servers is so that network access devices do not have credentials stored on them, as it is a very vulnerable place to store such information. The AAA server is placed in the internal network, and the network access devices send credentials to that server to be verified against the stored database credentials.
T/F Ensuring affected parties are notified/provided with the means to remediate their systems is in the Lessons Learned phase.
False. In the Containment phase.
True or false? In order to create a service ticket, Kerberos passes the user's password to the target application server for authentication.
False -> KDC verifies user credentials; the ticket sends the SID to the target app.
A vulnerability scan reports that a CVE associated with CentOS Linux is present on a host, but you have established that the host is not even running CentOS. What type of scanning error event is this? False positive False negative Oversight False alarm
False positive
Consider biometric methods that are used to authenticate a user. Knowing that errors are possible, which of the following would most likely result in a security breach? False positive False negative A low Crossover-Error-Rate (CER) A low throughput
False positive- This is the False Acceptance Rate (FAR). False Rejection Rate (FRR) -> false negative legitimate user is not recognized The Crossover Error Rate (CER) is the point at which FRR equals FAR. A lower CER indicates more efficient and reliable authentication.
What is a false positive and false negative?
False positive- vulnerability not actually present False negative - fails to identify vulnerability (WORSE)
T/F: An account requiring a password, PIN, and smart card is an example of 3-factor authentication.
False, this is just 2-factor.
T/F: Vulnerability Scanners are implemented solely as software.
False, can be hardware and/or software
T/F Cryptography is about keeping things secret so they can't be used as the basis of non-repudiation system.
False, this describes obscurity
T/F: it is important to publish all security alerts to all members of staff.
False- due to need to know
T/F: TACACS+ uses UDP communications, making it faster and better suited for end user device authentication.
False: TCP
True or false? Nation state actors primarily only pose a risk to other states.
False—nation state actors have targeted commercial interests for theft, espionage, and blackmail.
Mark is a web user and wants to use both Google AppsTM and Twitter. Luckily, Mark discovers that if he provides his Google credentials, he can also simultaneously be logged into Twitter. This is because Google and Twitter have established a Federated network for authentication and authorization.
Federated
The detailed analysis of services on a particular host is often called _____________________. Network mapping Fingerprinting Topology discovery Footprinting
Fingerprinting Topology discovery (or "footprinting") is the part of the discovery phase where the attacker or pen tester starts to identify the structure of the target network. Network mapping is performed with a tool that performs host discovery and identifies how the hosts are connected together on the network.
What is the difference between footprinting and fingerprinting?
Fingerprinting is single host discovery; footprinting is multiple host discovery.
Which of the following could represent an insider threat? (Choose two) Former employee Contractor Customer White box hacker
Former employee Contractor
Which block cipher modes are competitive in speed?
GCM, CTM
What methods can be used to implement location-based authentication?
GPS, WIFI, IP geolocation
How does OTP protect against password guessing or sniffing attacks?
Generates tokens that are valid only for a short period of time and can be used only once.
What is the purpose of using the ping and arp tools together?
Get IP & MAC (ARP) address, test connection between them
What are great OSINT tools?
Google Dorking, Maltego, Shodan, SpiderFoot, Recon-ng
What allows you to set permissions for several users at the same time? Group-based access control Discretionary access control Group scopes AGDLP
Group-based access control
What is the purpose of a server certificate? Guarantee the validity of a browser plug-in or software application. Allow signing and encrypting email messages. Guarantee the identity of e-commerce sites and other websites that gather and store confidential information. Provide identification for the certificate authority.
Guarantee the identity of e-commerce sites and other websites that gather and store confidential information.
What is the purpose of a server certificate? Allow signing and encrypting email messages. Guarantee the validity of a browser plug-in or software application. Provide identification for the certificate authority. Guarantee the identity of e-commerce sites and other websites that gather and store confidential information.
Guarantee the identity of e-commerce sites and other websites that gather and store confidential information.
Who needs to authorize and be notified when about to do a pentest? What should be done with this information?
HR, 3rd party suppliers (ISP), criminal justice system. DOCUMENT ALL AUTHORIZATIONS.
Evaluate the differences between hardware and software-based key storage and select the true statement. In hardware-based storage, the key is stored on a server. Software-based storage and distribution is typically implemented using removable media or a smart card. HSM may be less susceptible to tampering and insider threats than software-based storage. In hardware-based storage, security is provided by the operating system Access Control List (ACL).
HSM may be less susceptible to tampering and insider threats than software-based storage.
Evaluate the differences between hardware and software-based key storage and select the true statement. In hardware-based storage, the key is stored on a server. Software-based storage and distribution is typically implemented using removable media or a smart card. In hardware-based storage, security is provided by the operating system Access Control List (ACL). HSM may be less susceptible to tampering and insider threats than software-based storage.
HSM may be less susceptible to tampering and insider threats than software-based storage.
Anonymous and WikiLeaks are examples of what kind of threat actors? Nation States Hacktivists Script kiddies n00bs
Hacktivists Nation States have more financial resources. ex. Russia/Israel
What is a dedicated appliance for generating and storing cryptographic keys? Key Escrow SIM Card Hardware Security Module (HSM) Repository
Hardware Security Module (HSM)
You're distributing a software app to clients and want to provide assurance that the file hasn't been modified. What control is appropriate for this?
Hashing
A pop-up claiming to have identified a security problem and offering a download for a tool to fix it is probably a: Phishing attack Watering hole attack Hoax RAT
Hoax
What is the difference between a honeypot and honeynet?
Honeypot - single host to attract an attacker; honeynet - network to attract an attacker.
When a backup system is brought into operation and the live system is frozen to preserve evidence of the attack. Containment Prevention Hot swap Investigation
Hot swap
What is frequency analysis?
How often certain values occur
Which of the following devices contain all of the ports in the same collision domain? Switch Bridge Hub Ad hoc network
Hub
What does netstat -r give you?
IP routing table
Why should ISP be informed before a pentest?
ISPs monitor so they may block attempts. May also involve ISP equipment.
What incident response stage falls after preparation? Containment, Eradication and recovery Lessons Learned Identification Followup
Identification
What steps should be taken to enroll a new employee on a domain network?
Identity proofing, issue authentication credentials securely, assign appropriate permissions.
What is fingerprinting?
Identifying the device/app, OS, and version
____________ is the procedures and guidelines for dealing with security incidents. Incident response policy Business continuity plan Disaster recovery plan NIST
Incident response policy
What is an ISSO?
Information Systems Security Officer—an employee with responsibility for implementing, maintaining, and monitoring security policy.
Analyze and eliminate the item that is NOT an example of a reconnaissance technique. Initial exploitation Open Source Intelligence (OSINT) Social engineering Scanning
Initial exploitation
Analyze and eliminate the item that is NOT an example of a reconnaissance technique. Initial exploitation Scanning Open Source Intelligence (OSINT) Social engineering
Initial exploitation
An Identity and Account Management (IAM) system has four main processes. Which of the following is NOT one of the main processes? Accounting Identification Integrity Authentication
Integrity
One aspect of threat modeling is to identify potential threat actors and the risks associated with each one. When assessing the risk that any one type of threat actor poses to an organization, what are the critical factors to profile? (Select the best two) Education Socioeconomic status Intent Motivation
Intent Motivation
Analyze the techniques that are available to perform rogue machine detection and select the accurate statements. (Select two) Visual inspection of ports and switches will prevent rogue devices from accessing the network. Network mapping is an easy way to reveal the use of unauthorized protocols on the network or unusual traffic volume. Intrusion detection, as well as NAC security suites and appliances, can combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network. Wireless monitoring can reveal whether there are unauthorized access points.
Intrusion detection, as well as NAC security suites and appliances, can combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network. Wireless monitoring can reveal whether there are unauthorized access points.
Which type of eye recognition is easier to perform: retinal or iris scanning?
Iris Scan
What is an example of multifactor authentication? Username and password Retina Scan and Fingerprint Fob and Smartcard Iris Scan and PIN
Iris Scan and PIN
Biometric authentication methods have different error rates, with some methods being easier to fool than others. Which of the following methods is least likely to be tricked by an unauthorized user? Fingerprint scan Iris scan Facial recognition Voice recognition
Iris scan
The process of what a subject's credentials are recorded, issued and linked to a correct account. Issuance Impersonalization Authentication SSO
Issuance
The 24-bit prefix of a network interface's MAC address (known as the OUI or Organizationally Unique Identifier) can be significant to an attacker in what way? It identifies the manufacturer of the network adapter and thereby the manufacturer of an appliance, so an attacker can then target it with known exploits for devices from this manufacturer. It identifies the specific OS version that the device is running, allowing the attacker to search for exploits and vulnerabilities matching that specific software. It identifies what specific subnet the device is located on, allowing the attacker to map more of the network and infiltrate various subnets throughout the network. It identifies the network's whitelisted MAC address prefix range, allowing the attacker to recognize other devices on the network and possibly spoof a MAC address for themselves.
It identifies the manufacturer of the network adapter and thereby the manufacturer of an appliance, so an attacker can then target it with known exploits for devices from this manufacturer.
Which of the following represents a problem with symmetric encryption? Although the private key is used to encrypt the ciphertext, the public key cannot be used to decrypt it. It is difficult to maintain secure distribution and storage of the key. Symmetric encryption is slow, as a result of a lot of computing overhead. Although the public key is used to encrypt the ciphertext, the public key cannot be used to decrypt it.
It is difficult to maintain secure distribution and storage of the key.
Which of the following represents a problem with symmetric encryption? Symmetric encryption is slow, as a result of a lot of computing overhead. The keys are linked in a specific way, making it impossible to derive one from the other. Although the public key is used to encrypt the ciphertext, the public key cannot be used to decrypt it. It is difficult to maintain secure distribution and storage of the key.
It is difficult to maintain secure distribution and storage of the key.
If not managed properly, certificate and key management can represent a critical vulnerability. Assess the following statements about key management and select the true statements. (Choose 2) It is exponentially more difficult to ensure the key is not compromised with multiple backups of a private key. The same private key can securely encrypt and sign a document. If a key used for signing and encryption is compromised, it can be easily destroyed and a new key issued. If a private key or secret key is not backed up, the storage system represents a single point of failure.
It is exponentially more difficult to ensure the key is not compromised with multiple backups of a private key. If a private key or secret key is not backed up, the storage system represents a single point of failure. A key used for encryption cannot be destroyed so easily, as the data encrypted by it has to be recovered first. If the same private key is used for multiple purposes, and the key is compromised, then multiple uses of the key are threatened.
If not managed properly, certificate and key management can represent a critical vulnerability. Assess the following statements about key management and select the true statements. (Choose two) If a key used for signing and encryption is compromised, it can be easily destroyed with a new key issued. It is exponentially more difficult to ensure the key is not compromised with multiple backups of a private key. If a private key or secret key is not backed up, the storage system represents a single point of failure. The same private key can securely encrypt and sign a document.
It is exponentially more difficult to ensure the key is not compromised with multiple backups of a private key. If a private key or secret key is not backed up, the storage system represents a single point of failure.
What is transposition?
Jumble up order of pw
What implements a SSO that users do not need to re-authenticate for different resources? RADIUS Kerberos Mutual Authentication KDC
Kerberos
Which part of a simple cryptographic system must be kept secret?
Key
Which part of a simple cryptographic system must be kept secret? Cipher Time Stamp Key Ciphertext
Key
What is key escrow & PGP?
Key escrow - refers to archiving a key with a third party. PGP - Pretty Good Privacy -> popular open standard for encrypting email communication or file/disk encryption.
Your company creates software that requires a database of stored encrypted passwords. What security control could you use to make the password database more resistant to brute force attacks?
Key stretching password storage library (bcrypt or PBKDF2).
What is pass the hash?
Kind of like MITM; the attacker doesn't even need to know the password, just gets the hash and uses it. LM hashes are very vulnerable.
What 2 main classes of vulnerabilities do vulnerability scanners identify?
Lack of security controls Weak security system configuration
How can you mitigate Pass-the-Hash attacks?
Least privilege system
What is the purpose of ifconfig and what OS is it on?
Linux. Identifies the current network addressing config of a NIC.
A company announces major layoffs in the near future are inevitable. Anticipating possible termination, a discontented system administrator scripts malware that will launch at the end of the year. What type of attack has the system admin planted? Trojan Backdoor Logic Bomb Ransomware
Logic Bomb
A company announces major layoffs in the near future are inevitable. Anticipating possible termination, a discontented system administrator scripts malware that will launch if their account is deleted. This type of malware has several names. Assess and select the correct options. (Choose two) Logic bomb Time bomb Ransomware Mine
Logic bomb Mine
A user leaves their workstation unattended while logged in, allowing an attacker to physically gain access. This is a: Shoulder surfing attack Lunchtime attack Tailgating attack Phishing attack
Lunchtime attack
Nathan is working at a secret service organization and has been tasked with coming up with a proper access control model to defer to when writing the network's Access Control Lists. The access model must be strict and inflexible, and contain labels similar in concept to security clearances. What access model should Nathan implement? MAC RBAC ABAC DAC
MAC
What is it called when both client and server verify themselves to each other?
Mutual authentication
Which of the following frameworks focuses exclusively on IT security, rather than IT service delivery? National Institute of Standards and Technology (NIST) International Organization for Standardization (ISO) Control Objectives for Information and Related Technologies (COBIT) Sherwood Applied Business Security Architecture (SABSA)
National Institute of Standards and Technology (NIST). NIST is the only framework within the IT governance space focusing solely on security. Its standards are used by US federal agencies, and it publishes cybersecurity best practice guides and research. ISO develops standards and frameworks governing the use of computers, networks, and telecommunications, including ones for information security (27000 series). It is a commercial product. COBIT is an IT governance framework with security as a core component. COBIT is published by ISACA and is also a commercial product, available through APMG International. SABSA is a methodology for providing information assurance aligned to business needs and driven by risk analysis.
Your company has won a contract to work with the Department of Defense. What type of site access credentials will you need to provide?
Need a CAC (Common Access Card) with embedded token and photograph
In a compartmentalized implementation of MAC, a user can only access a resource if they belong to the same security label domain. What policy is this an example of? Need to Know Non-discretion Implicit Deny Set Permissions
Need to Know
What tool, available for both Windows and Linux, is easily configurable as a backdoor? Netcat ARP Netstat Nmap
Netcat The netstat command allows you to check the state of ports on the local machine. Most topology discovery is performed using a dedicated tool like Nmap. Nmap can use diverse methods of host discovery. ARP is the mechanism by which individual hardware MAC addresses are matched to an IP address on a network. To configure Netcat as a backdoor, you first set up a listener on the victim system set to pipe traffic from a program, such as the command interpreter, to its handler.
Terms for pentester to use any means necessary to hack.
No holds barred smash and grab
A user maintains a list of commonly used passwords in a file located deep within the computer's directory structure. Is this secure password management?
No, security by obscurity, can be found via search tools
What are the two main types of ransomware?
Non-encrypting ransomware makes the computer appear locked by using a different shell program or spawning pop-up windows continually. Encrypting (or crypto-malware) ransomware uses public key cryptography to encrypt data files then demands payment for access to the private key—the only means of reversing the encryption (unless the user has backups or the ransomware was poorly designed).
_______ means a subject can't deny doing something, such as creating/modifying/sending a resource.
Non-repudiation
Evaluate the following choices based on their potential to lead to a network breach. Select the choice that is NOT a network architecture weakness. The network architecture is flat. Services rely on the availability of several different systems. The network relies on a single hardware server. Not all hosts on the network can talk to one another.
Not all hosts on the network can talk to one another.
Which of the following are ways to inform users whether a certificate is valid, revoked, or suspended? (Choose 2) OCSP RA CRL ASCII
OCSP CRL
What process is described below: The SSL/TLS web server periodically obtains a time-stamped OCSP response from the CA. When a client submits an OCSP request, the web server returns the time-stamped response, rather than making the client contact the OCSP responder itself. PGP Certificate Pinning Key Escrow OCSP Stapling
OCSP Stapling
What is the fastest way for checking a digital certificate's status?
OCSP
What solution allows for checking the digital certificate revocation status without contacting the CA?
OCSP stapling
On the MAC Address, what can be used to identify the manufacturer of a network adapter?
OUI
Consider the Public Key Infrastructure (PKI) Trust Model. In which of the following is the root NOT the single point of failure? Single CA Intermediate CA Self-signed CA Offline CA
Offline CA
What is an OTP?
One-time Pad. Allows the units to stay the same in the plaintext and ciphertext, but their order is changed.
What is OSINT?
Open Source Intelligence. Publicly available information online such as Facebook, LinkedIn, etc.
Mark is a domain admin who has inherited a poorly organized Active Directory in his new role. The company he works for is very large, with offices in over six different geographical areas. With the way the AD is currently set up, there is no way for him to clearly see all the users who belong to these specific locations, which is making it very difficult to inform users of any relevant updates for the specific offices when he needs to. What can Mark use to help him better organize these various groups of users? Organizational Units Domain Controllers UAC Forests
Organizational Units
Which provides authentication, but sends the password to clear text? PAP CHAP MS-CHAP Kerberos
PAP
x.509 and PGP are a lot alike; what is a major difference?
PGP certificates can be signed by multiple users
What is the RSA PKI Standard
PKDCFv2
A hierarchical system for the creation, management, storage, distribution, revocation of digital certificates.
PKI
In what scenario would PAP be considered a secure authentication method?
PAP is legacy, so not secure -> sends credentials in ASCII. Using IPSec for secure tunnels solves this.
Presenting a captured hash to authenticate later is
Pass-the-hash
What is a dictionary attack?
Password attack where the most commonly used passwords are stored and used to guess a password.
What are the kill chain steps?
People Really Want Pasta and Rice 1. Plan/Scope 2. Recon 3. Weapons 4. Port Exploitation 5. Action on Objectives 6. Retreat
What are the six phases of the IR lifecycle?
People in Computers Eat Really Late. Preparation -> planning, training, mitigation techniques. Identification -> know what happened and when. Containment, Eradication, and Recovery -> don't let it spread, stop the incident. Lessons Learned -> analyze the response.
What is PFS?
Perfect Forward Secrecy
A network administrator regularly reviews group membership and access control lists for each resource. They also look for unnecessary accounts to disable. What is the administrator executing in this situation? Logging Usage auditing Permission auditing Privilege escalation
Permission auditing
A hacker has established a Command and Control network to control a compromised host. What is the ability of the hacker to use this remote connection method as needed known as? Weaponization Persistence Reconnaissance Pivoting
Persistence
A hacker has established a Command and Control network to control a compromised host. What phase of penetration testing are they currently in? Pivoting Reconnaissance Persistence Weaponization
Persistence. Persistence refers to the tester or attacker's ability to reconnect to the compromised host and use it as a Remote Access Tool (RAT) or backdoor. To do this, the tester must establish a Command and Control (C2 or C&C). Weaponization is a step in the Kill Chain process and is the phase where the attacker or tester utilizes an exploit to gain access. Reconnaissance is the phase where the pen tester or attacker establishes a profile of the target of investigation and surveys the potential "attack surface" for weaknesses and vulnerabilities. Pivoting refers to a system and/or set of privileges that allow attackers or testers to compromise other network systems.
Which of the following depict ways an attacker can gain access to a target's network? (Choose two) Ethical hacking Phishing Shoulder surfing Mantrap
Phishing Shoulder surfing
_________ is a situation where the attacker enters a secure area with an employee's permission. Piggybacking Shoulder surfing Tailgating Crowding
Piggybacking
What is a pivot vs an escalation?
Pivot - privileges that allow the tester to compromise other systems; Escalation - gaining higher privileges
What is the first step of the kill chain?
Planning/scoping (People Really Want Pasta and Rice)
Establishing strong password policies and configuring firewalls would fall under what incident response phase? Identification Preparation Containment, Eradication, Recovery Lesson
Preparation
Arrange the following stages of the incident response lifecycle in the correct order. Preparation; Identification; Containment, Eradication, and Recovery; Lessons Learned Identification; Preparation; Containment, Eradication, and Recovery; Lessons Learned Containment, Eradication, and Recovery; Identification; Preparation; Lessons Learned Identification; Containment, Eradication, and Recovery; Preparation; Lessons Learned
Preparation; Identification; Containment, Eradication, and Recovery; Lessons Learned
The recovery phase of an incident response involves several steps. Which of the following is NOT a step in the recovery phase? Re-audit security controls. Reconstitute affected systems. Prepare a lessons learned report. Notify affected parties with instructions to remediate affected systems.
Prepare a lessons learned report.
What are the three primary goals/functions involved in the practice of information security? Prevention, Detection, Recovery Confidentiality, Integrity, Availability Protection, Detection, Response Confidentiality, Internetworks, Authentication
Prevention, Detection, Recovery
SAML was developed to provide federated networks a way to handle user identity and transmit authorizations between the __________________, the ______________________, and the _________________. (Choose three, order isn't important) Principal Service Provider Domain Relying Party Identity Provider
Principal Service Provider Identity Provider
A company tells the IT department that a few users need additional privileges granted temporarily for a short project, then revoked as soon as the task is finished or the need has passed. Based on Account Management practices, what is the company asking the IT department to implement? Privilege bracketing Offboarding Identity and Access Management (IAM) Onboarding
Privilege bracketing
What are the two different impact types that improperly configured accounts can cause? (Choose two) Privileges that are too strict, causing large volumes of support calls and reduced productivity Privileges that are too vaguely defined, leading to ease of privilege escalation and unclear user roles Privileges that are assigned incorrectly, leading to system errors and increased latency Privileges that are given too freely, resulting in a weakened security system and increased risk of malware/breaches
Privileges that are too strict, causing large volumes of support calls and reduced productivity Privileges that are given too freely, resulting in a weakened security system and increased risk of malware/breaches
What mode can most sniffers make a network adapter work in so that it receives all traffic within the Ethernet broadcast domain, regardless of whether it's intended for the host machine or not? Neighbor Discovery mode Promiscuous mode All-to-one mode Broadcast mode
Promiscuous mode
What mode does a sniffer make a NIC (network adapter) work in to receive all traffic?
Promiscuous mode
The IT department head returns from an industry conference feeling inspired by a presentation on the topic of defense in depth. A meeting is scheduled with IT staff to brainstorm ideas for implementing defense in depth throughout the organization. Which of the following ideas are consistent with this industry best practice? (Select two) Provide user training on identifying cyber threats. Adopt a vendor-specific stance. Align administrative and technical controls with control functions. Move endpoint security to the firewall.
Provide user training on identifying cyber threats. Align administrative and technical controls with control functions.
A response team has to balance the need for business continuity with the desire to preserve evidence when making incident management decisions. Consider the following and determine which would be an effective course of action for the goal of collecting and preserving evidence to pursue prosecution of the attacker(s)? (Choose two) Analysis Quarantine Hot swap Prevention
Quarantine Hot swap
In a directory there are generally two levels of access that need to be granted. Read-only access, which is known as a(n) _______, and read/write, which is known as a(n) _______.
Query Update
Rule-based access control is a term that can refer to any sort of access control model where access control policies are determined by system-enforced rules rather than system users. What three models fit this description? (Select three) RBAC ABAC MAC DAC
RBAC ABAC MAC
Many public key cryptography products are based on the _______ algorithm.
RSA
Tanya recently moved from a job in accounting to a job in the HR department. All the privileges she had while she was in accounting now need to be revoked, and her new HR privileges have to be granted in their place. What is this process an example of? Usage Auditing Recertification Onboarding Privilege Escalation
Recertification
By searching through ABC Company's postings on a job board, a hacker is able to determine from the job requirement descriptions that it uses Windows Server 2008 R2, Windows 7, PostgreSQL 9, and XenApp 6. Identify the stage of the kill chain this represents. Data exfiltration Reconnaissance Active scanning Scoping
Reconnaissance
By searching through ABC Company's postings on a job board, a hacker is able to determine from the job requirement descriptions that it uses Windows Server 2008 R2, Windows 7, PostgreSQL 9, and XenApp 6. Identify the stage of the kill chain this represents. Reconnaissance Data exfiltration Active scanning Scoping
Reconnaissance
Consider the process of obtaining a digital certificate and determine which of the following statements is incorrect. The registration function may be delegated by the CA to one or more RAs. Registration is the process where end users create an account with the RA and become authorized to request certificates. CAs ensure the validity of certificates and the identity of those applying for them When a subject wants to obtain a certificate, it completes a CSR.
Registration is the process where end users create an account with the RA and become authorized to request certificates.
Consider the process of obtaining a digital certificate and determine which of the following statements is incorrect. CAs ensure the validity of certificates and the identity of those applying for them. Registration is the process where end users create an account with the domain administrator. The registration function may be delegated by the CA to one or more RAs. When a subject wants to obtain a certificate, it completes a CSR.
Registration is the process where end users create an account with the domain administrator.
What is a RAT?
Remote access trojan. Gives control of the system to an attacker over a network.
What is a root kit?
Replaces integral system files. Provides attacker with continued access. A class of malware that modifies system files, often at the kernel level, to conceal its presence.
A pass-the-hash attack is an example of a ______ attack.
Replay
One of the most accurate forms of biometrics, but requires expensive equipment.
Retinal scan
The likelihood and impact (or consequence) of a threat actor exercising a vulnerability.
Risk
What does RSA stand for and what is it?
Rivest, Shamir, Adleman. Widely used (SSL/TLS). Asymmetric.
What is RSA?
Rivest, Shamir, Adleman - asymmetric algorithm for key exchanges & digital signatures
A gaming company decides to add software on each CD it releases. This software will install itself on the user's system, gain administrative rights, and hide itself from detection. The company's objective is to prevent the CD from being copied; however, the software will also capture data on the user's gaming habits. This is done without the knowledge or consent of the user, and the software cannot be uninstalled. Analyze how each of the following malware types behave and select the type that is being utilized by the gaming company. Spyware Keylogger Rootkit Trojan
Rootkit: replaces key system files and utilities
________ work by changing core system files and programming interfaces so that local processes no longer reveal them. Rootkits Trojans Worms Ransomwares
Rootkits. Key point is "CORE SYSTEM" files.
When considering the functions of a router, which of the following is NOT true? Routers can serve as a firewall. Routers can join networks together. Routers can subdivide networks. Routers can have only manually configured routes.
Routers can have only manually configured routes.
A cert that lets many domains be used under a single cert, listing subdomains as extensions:
SAN (Subject Alternative Name) certificate
What way of binding an LDAP directory server involves the client and server agreeing upon a mutually supported security mechanism? SASL SAML LDAPS Simple Authentication
SASL
Jenny is in charge of configuring directory services for her network and is trying to find a solution for securing the inherently insecure LDAP. Which of the following answers are possible security solutions? (Select 2) RADIUS SASL LDAPS OAuth
SASL LDAPS
What offers better security: MD5 or SHA?
SHA (industry standard)
Given that layer 2 does not recognize Time to Live values, evaluate the potential solutions to determine which of the following options can prevent this issue. ICMP L2TP NTP STP
STP
What are the disadvantages of performing penetration testing against a simulated test environment?
Sandboxes are expensive and complex, and vulnerabilities may be missed.
The number of systems affected is better known as the: Downtime Scope Data integrity Detection time
Scope
There are several types of security zones on a network. Analyze network activities to determine which of the following does NOT represent a security zone. DMZ Screened host Wireless Guest
Screened host
What's the term for someone who uses hacking tools while not really knowing how they work?
Script kiddie
Which secure practice would never utilize cryptography? Non-repudiation Obfuscation Security through obscurity Resiliency
Security through obscurity Security through obscurity involves keeping something a secret by hiding it. With cryptography, messages don't need to be hidden since they aren't understandable unless decrypted. Non-repudiation is when the sender cannot deny sending the message. If the message has been encrypted in a way known only to the sender, logic follows the sender must have composed it. Obfuscation is the art of making a message difficult to understand. Cryptography is a very effective way of obfuscating a message by encrypting it. Resiliency occurs when the compromise of a small part of the system is prevented from allowing compromise of the whole system. Cryptography ensures the authentication and integrity of messages delivered over the control system.
What is used by Kerberos to provide access to target application servers for clients? Timestamp Password Service Ticket Ticket Granting Ticket
Service Ticket
_______________ is an open-source implementation of SAML. Shibboleth Kerberos SASL OpenID Connect
Shibboleth
Why might a PIN be a particularly weak type of something you know authentication?
Short PINs are easy to crack. Safe only if the number of attempts is limited.
Before leaving for lunch, an employee receives a phone call, but there is no one on the line. Distracted by the odd interruption, the employee forgets to log out of the computer. Earlier that day, a person from the building across the street watched the employee entering login credentials using high-powered binoculars. Which form of social engineering is being used in this situation? Vishing Lunchtime attack Shoulder surfing Man-in-the-middle attack
Shoulder surfing While a lunchtime attack involves leaving a workstation unattended, it doesn't involve obtaining a password. Rather, physical access to the system is gained through a logged-in computer.
What is shoulder surfing?
Shoulder surfing is stealing a password (or other secure information) by watching the user type it.
What does netstat do?
Shows detailed information for active port and host connections, i.e. the state of ports on the local machine.
What is Spyware?
Software that records information about a PC and its users, often installed without the user's consent, e.g. screenshots, video, etc.
What is Google dorking?
Specific Google search syntax for a narrowed search, e.g. allintext:"contact" (shows all pages with "contact" in the body)
What type of malware monitors user activity and sends the information to someone else? RAT Spyware Rootkit Adware
Spyware
A hacker is able to install a keylogger on a user's computer. What is the hacker attempting to do in this situation? Key management Encryption Obfuscation Steal confidential information
Steal confidential information
What is a technique for obscuring the presence of a message, typically by embedding information where you wouldn't expect to find it? Cryptography Steganography Encryption Sleuthing
Steganography
A single certificate can be issued for use with multiple subdomains in the following ways: (Choose 2) Subject Alternative Name (SAN) Wildcard Domain FQDN OCSP
Subject Alternative Name (SAN) Wildcard Domain
Which is faster: asymmetric encryption or symmetric encryption?
Symmetric
What is ElGamal?
Takes DH and adds encryption & digital signing (not vulnerable to MITM)
A digital certificate has been received with a particular extension marked as critical. What does this marker signify? That the application processing the certificate must process the critical extension first before processing any further information on the certificate. That the application processing the certificate must forward the certificate on to the Root CA to handle the extension. That the application processing the certificate must give its best-effort to process the critical extension, but process the remainder of the certificate even if it cannot. That the application processing the certificate must be able to interpret it, or else the certificate should be rejected.
That the application processing the certificate must be able to interpret it, or else the certificate should be rejected.
Windows has several service account types, typically used to run processes and background services. Which of the following statements about service accounts is FALSE? The Local Service account can only access network resources as an anonymous user. Any process created using the System account will have full privileges over the local computer. The Network service account and the Local service account have the same privileges as the standard user account. The Local service account creates the host processes and starts Windows before the user logs on.
The Local service account creates the host processes and starts Windows before the user logs on.
When it comes to the rules of engagement for a pen test, what do the terms "no holds barred" or "smash and grab" refer to? The consultant will try to use any means to initially break into the network and information systems, then stop at the perimeter. The consultant will try to use passive techniques only to break into the network and information systems. The consultant will try to use primarily physical means to penetrate as far into the network and information systems as possible. The consultant will try to use any means to penetrate as far into the network and information systems as possible.
The consultant will try to use any means to penetrate as far into the network and information systems as possible.
The first responder to a security incident determines if the situation requires escalation. Consider the following, and select the scenario that best describes escalation in this situation. The first responder calls the company's legal team. The first responder shuts down the affected system. The first responder calls senior staff to get them involved. The first responder reviews user privileges to look for users who may have gained unauthorized privileges.
The first responder calls senior staff to get them involved.
Which of the following defines key usage with regard to standard extensions? The ability to create a secure key pair The purpose for which a certificate was issued To archive a key with a third party Configuring the security log to record key indicators
The purpose for which a certificate was issued
Which of the following defines key usage with regard to standard extensions? The purpose for which a certificate was issued. The ability to create a secure key pair. Configuring the security log to record key indicators. To archive a key with a third party.
The purpose for which a certificate was issued.
A user enters the web address of a favorite site and the browser returns: "There is a problem with this website's security certificate." The user visits this website frequently and has never had a problem before. Applying knowledge of server certificates, select the circumstances that could cause this error message. (Choose two) The system's time setting is incorrect. The certificate is pinned. The web address was mistyped. The certificate expired.
The system's time setting is incorrect. The certificate expired.
A user enters the web address of a favorite site and the browser returns: "There is a problem with this website's security certificate." The user visits this website frequently and has never had a problem before. He also made sure he didn't mistype the address. Applying knowledge of server certificates, select the circumstances that could cause this error message. (Choose 2) The certificate is pinned. The system's time setting is incorrect. The certificate expired. The OCSP staple did not refresh.
The system's time setting is incorrect. The certificate expired.
Applying an understanding of how to mitigate password cracking attacks, how would restricting the number of failed logon attempts be categorized as a vulnerability? The user is exposed to a replay attack. The user is exposed to a brute force attack. The user is exposed to a DoS attack. The user is exposed to an offline attack.
The user is exposed to a DoS attack.
Compare the characteristics of an Initialization Vector (IV), a nonce, and a salt. What purpose do these items serve in cryptography? They consist of exactly the same number of characters as the plaintext and must be generated by a truly random algorithm. They allow the units to stay the same in the plaintext and ciphertext, but their order is changed. They replace units in the plaintext with different ciphertext. They ensure identical plaintexts produce different ciphertexts.
They ensure identical plaintexts produce different ciphertexts.
Compare the characteristics of an Initialization Vector (IV), a nonce, and a salt. What purpose do these items serve in cryptography? They replace units in the plaintext with different ciphertext. They ensure identical plaintexts produce different ciphertexts. They allow the units to stay the same in the plaintext and ciphertext, but their order is changed. They consist of exactly the same number of characters as the plaintext and must be generated by a truly random algorithm.
They ensure identical plaintexts produce different ciphertexts.
What is a Trojan?
This type of malicious software pretends to be a useful program while secretly performing another function; users may download and install what they believe to be legitimate software without realising that a Trojan horse will also be installed.
The potential for a threat actor to exploit a vulnerability, either purposefully or accidentally
Threat
Difference between risk and threat?
Threat -> potential for a vulnerability to be exploited; Risk -> likelihood of a vulnerability being exploited
What is TOTP?
Time-based One-Time Password. Creates an OTP that is only valid for a limited amount of time, like 60 secs.
Which situation would require keyboard encryption software to be installed on a computer? To set up single sign-on privileges To comply with input validation practices For the purpose of key management To protect against spyware
To protect against spyware
Based on knowledge of the fundamentals of One-time Passwords (OTP), which of the following choices represents the problem that exists with HMAC-based One-time Password Algorithm (HOTP) and is addressed by Time-based One-time Password Algorithm (TOTP)? HOTP isn't configured with a shared secret. The server isn't configured with a counter in HOTP. Only the HOTP server computes the hash. Tokens can be allowed to continue without expiring in HOTP.
Tokens can be allowed to continue without expiring in HOTP.
Tools to explore the dark web?
Tor & Tails OS
Tim, Sandra, and Justin are all members of different domains. Currently Tim and Sandra's domains have been set up to trust each other and allow access to their respective resources. Sandra's domain is also set up to trust Justin's, and his likewise is set up to trust hers. Knowing this, Tim's domain now also trusts Justin's domain and vice versa. What sort of trust relationship is being demonstrated here? Chain of trust Non-transitive One-way Transitive
Transitive
T/F Advice from legal, HR, and marketing divisions should be taken into CIRT's account for major incidents.
True
T/F PFS ensures that a compromise of long-term encryption keys won't compromise data encrypted by these keys in the past.
True
T/F PGP operates with a web of trust model
True
T/F: It is possible to discover what ports are open on a web server from another computer on the internet?
True
T/F: It is possible to eavesdrop on the traffic passing over a company's internal network from the internet.
True
T/F Vendor diversity provides layered security
True. So does educating users.
When two domains consider each other peers and trust one another equally, this is known as what kind of trust? Equivalent Two-way Mutual One-way
Two-way
What is an exploitation framework?
Type of scanning providing active testing of vulnerabilities using explicit modules. Example: Metasploit
Define a vulnerability.
Unpatched software apps, hosts without anti-virus, admins with weak passwords. All unsecure paths.
Lance is in charge of reviewing logs on his network for suspicious activity, user usage of files and storage space, as well as making sure that the security log is configured properly to record key indicators. What is Lance currently performing? Permission auditing Usage auditing Recertification File Security
Usage auditing
What is a Wireless Scanner and what is it used for? What's an example?
Used to detect wireless networks; reports frequency, SSID, security mode. e.g. Aircrack-ng (does both scanning and cracking)
Suzanne is running some various troubleshooting tasks on her computer, and she chooses to continue her troubleshooting by running her Command Prompt as an Administrator. A pop-up comes onto her screen, asking her if she wants to allow the app to make changes to her device. What is this pop-up an example of? Permission Auditing Usage Auditing User Access Control Least Privilege
User Access Control
What is the best way to combat social engineering? Access controls User training Log monitoring Blocking URLs
User training
What is an exploit framework?
Uses vulnerabilities found in a scan and launches a script or software to exploit them
What is Open Source Intelligence (OSINT)? Intelligence that is released to the public after a vulnerability scan or penetration test Using web search tools and social media to obtain information about the target Using mapping tools to obtain information about a host or network topology Obtaining information, physical access to premises, or even access to a user account through the art of persuasion
Using web search tools and social media to obtain information about the target
What is Open Source Intelligence (OSINT)? Obtaining information, physical access to premises, or even access to a user account through the art of persuasion. The means the organization will take to protect the confidentiality, availability, and integrity of sensitive data and resources. Using web search tools and social media to obtain information about the target. Using software tools to obtain information about a host or network topology.
Using web search tools and social media to obtain information about the target.
A systems administrator downloads and installs open source software from the software developer's website. However, the website was hacked and the software was modified to include a backdoor. As a result, the hackers now have access to the administrator's network. Assess the behavior of the administrator and select which of the following measures would prevent a possible hack attempt. Validate the software using a key signing key. Validate the software using Kerberos. Validate the software using a certificate authority. Validate the software using a checksum.
Validate the software using a checksum.
A systems administrator downloads and installs open-source software from an FTP site. It turns out the install file was recently compromised, and the software was modified to include a backdoor. As a result, hackers now have access to the administrator's network. Which of the following measures would have prevented the system from being compromised? Validate the software using a checksum. Validate the software using a private certificate. Validate the software using a key signing key. Validate the software using Kerberos.
Validate the software using a checksum.
Consider the lifecycle of an encryption key. Which of the following is NOT a stage in a key's lifecycle? Revocation Expiration and renewal Verification Storage
Verification
Consider the lifecycle of an encryption key. Which of the following is NOT a stage in a key's lifecycle? Storage Verification Expiration and renewal Revocation
Verification
What is vishing?
Vishing is a phishing attack conducted through a voice channel.
What is an example of a behavioral technology?
Voice Recognition
A weakness that could be triggered accidentally or exploited intentionally to cause a security breach.
Vulnerability
What is the difference between pentesting and vulnerability scanning?
Vulnerability scanning (passive) - analysis of vulnerabilities; Pentesting (active) - exploiting vulnerabilities
When comparing vulnerability scanning and penetration testing to each other, which statement is true? Vulnerability scanning is conducted by a "white hat", and penetration testing is carried out by a "black hat". Vulnerability scanning generally uses a passive approach, and penetration testing uses a more active approach. Penetration testing and vulnerability scanning are considered "ethical hacking" practices. Vulnerability scanning is a reconnaissance technique, but penetration testing is not.
Vulnerability scanning generally uses a passive approach, and penetration testing uses a more active approach.
Compare and contrast vulnerability scanning and penetration testing. Select the true statement from the following options. Vulnerability scanning is part of network reconnaissance, penetration testing uses vulnerability scans to attack the network. Penetration testing and vulnerability scanning are both considered "ethical hacking" practices. Vulnerability scanning uses passive reconnaissance and penetration testing is active. Vulnerability scanning is carried out by a 'black hat', while penetration testing is performed by a 'white hat'
Vulnerability scanning uses passive reconnaissance and penetration testing is active.
What relies on the circumstance that a group of targets may use an unsecure third-party website? Watering hole attack Spear phishing Pharming DoS
Watering hole attack
In which stage of the "kill chain" does a threat actor first gain access to a resource on the target network?
Weaponization
PGP operates under what kind of model? Web of trust GPG Hierarchical Chain of trust
Web of trust
What is active reconnaissance?
When you gain physical access to premises and use tools to target network.
A birthday attack is a type of brute force attack aimed at exploiting collisions in hash functions. What is a collision in this context? Where a key or password hash is intercepted then reused to gain unauthorized access. Where two hashes arrive at the server simultaneously. Where a session token is intercepted and forwarded to gain unauthorized access. Where a function produces the same hash value for two different plaintexts.
Where a function produces the same hash value for two different plaintexts.
In the containment phase of incident response, the Cyber Incident Response Team (CIRT) faces complex issues that need to be addressed quickly. During this phase, a member of the CIRT would be concerned about all EXCEPT which of the following issues? What damage has already occurred? Which password policy will prevent this in the future? What actions could alert the attacker that the attack has been detected? What countermeasures are available?
Which password policy will prevent this in the future?
What is a lunchtime attack?
While a lunchtime attack involves leaving a workstation unattended, it doesn't involve obtaining a password. Rather, physical access to the system is gained through a logged-in computer.
A cert that lets many domains be used under a single cert and cannot be issued with EV
Wildcard Certificate
What tool can be used to detect the presence of nearby wireless networks and report their SSID, BSSID, frequency band, radio channel used, and security mode? Wireless controller Wireless radar Wireless cracker Wireless scanner
Wireless scanner. To decode wireless packets, an attacker must overcome (or "crack") the encryption system using a wireless cracker. A wireless controller is a dedicated hardware device that allows for centralized management and monitoring of the access points on the network. Wireless radar was a decoy answer and is not an industry term.
What are some pentesting tools?
Wireshark, Aircrack-ng, hashcat & John the Ripper (password crackers), Metasploit
Compare the following and select the appropriate methods for packet capture. (Choose TWO) Wireshark Packet analyzer Packet injection Tcpdump
Wireshark Tcpdump
What sort of malware can spread without the need for attaching to executable files or human interaction? Worm Virus Trojan Zero Day
Worm
Most directories are based on the same standard. What is the principal directory standard? X.500 X.503 802.1X X.509
X.500
Compare X.509 certificates with Pretty Good Privacy (PGP) certificates and identify which of the following is NOT true. X.509 certificates are signed by a single Certificate Authority, where PGPs are signed by multiple users. X.509 operates under a hierarchical trust model, where PGP uses a web of trust. X.509 and PGP are both implementations of the PKI Trust Model. X.509 links the identity of a user to a public key, while PGP links that identity to a private key.
X.509 links the identity of a user to a public key, while PGP links that identity to a private key.
Compare X.509 certificates with Pretty Good Privacy (PGP) certificates and identify which of the following is NOT true. X.509 certificates are signed by a single Certificate Authority, where PGPs are signed by multiple users. X.509 links the identity of a user to a public key, while PGP links that identity to a private key. X.509 operates under a hierarchical trust model, where PGP uses a web of trust. X.509 and PGP are both implementations of the PKI Trust Model.
X.509 links the identity of a user to a public key, while PGP links that identity to a private key.
What are SAML tokens written in? OpenID SASL X.500 XML
XML
What is steganography?
A technique for hiding data inside another medium (a picture, audio or video file) so that the existence of the message itself is concealed. Unlike encryption, which hides the content but not the fact that a message exists, steganography hides the message; the two are often combined.
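Added example (not from the deck): least-significant-bit (LSB) steganography, the classic way data is hidden in an image. Each pixel's lowest bit is overwritten with one bit of the length-prefixed payload, so no pixel value changes by more than 1 and the picture looks the same. The "image" here is a constructed list of grayscale byte values so it runs offline; a real tool would read and write pixels through an image library.

```python
# Added example: hide a short message in the LSBs of pixel bytes, then recover it.
# COVER is a constructed 8-bit grayscale "image" (a gradient), not a real file.

def _to_bits(data: bytes):
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1

def embed(cover: list, payload: bytes) -> list:
    """Write payload (2-byte big-endian length prefix + bytes) into the LSB of each cover byte."""
    framed = len(payload).to_bytes(2, "big") + payload
    bits = list(_to_bits(framed))
    if len(bits) > len(cover):                       # capacity is one bit per pixel
        raise ValueError("cover too small for payload")
    stego = list(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit        # clear LSB, then set it to the payload bit
    return stego

def extract(stego: list) -> bytes:
    """Read the 2-byte length from the first 16 LSBs, then that many payload bytes."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            val = 0
            for i in range(8):
                val = (val << 1) | (stego[start_bit + b * 8 + i] & 1)
            out.append(val)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 2), "big")
    return read_bytes(16, length)

def max_pixel_change(cover: list, stego: list) -> int:
    """How far any pixel moved; LSB embedding never changes a value by more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))

COVER = [(i * 7) % 256 for i in range(400)]   # constructed cover image, 400 pixels
SECRET = b"meet at 0900"                       # constructed payload

if __name__ == "__main__":
    s = embed(COVER, SECRET)
    print(extract(s), max_pixel_change(COVER, s))
```

The payload is invisible to the eye but not to analysis: comparing LSB statistics against a clean image (or simply against the expected noise of the camera sensor) is how steganalysis tools find it.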
What is the difference between dig and whois linux commands?
dig queries DNS servers directly for records (A, MX, NS, TXT and so on). whois queries the registration databases to find who owns a domain name or IP block (registrant, registrar, name servers, contact details). Both take a domain/FQDN as input, but only dig performs DNS resolution.
What does nmap -O give you?
OS detection: nmap fingerprints the target's TCP/IP stack to guess the operating system, in addition to the port scan. The option is a capital O; lowercase -o is not an nmap switch (-oN, -oX and -oG select output formats).
What does nmap -A do?
Aggressive scan: turns on OS detection, service/version detection, default script scanning and traceroute with one switch.
What are the four main "something you are" (biometric) authentication inputs?
fingerprint, iris, retina, facial recognition
What does nmap do?
host discovery (which hosts are up), port scanning, and optionally service/version and OS detection; with traceroute it can also map how the hosts are connected on the network (topology discovery)
What command line tool would you use to identify the current network addressing configuration of a wired adapter on a Linux host? (choose 2) ifconfig dig ip ipconfig
ifconfig ip
Examples of non-tangible assets.
information resources plans reputation
What command line tool would you use to identify the current network addressing configuration of a wired adapter on a Linux host?
ip (the modern tool: ip addr or ip a) or ifconfig (legacy). ipconfig is the Windows equivalent, not a Linux tool.
What is a dedicated topology discovery tool?
nmap
A system administrator is tasked with scanning the company's network to include a traceroute, identify which common ports are open, and which software and software versions are running on each system. Evaluate and select the syntax that should be used to yield the desired information if the administrator will be executing this task from a Linux command line. netstat -a nmap -A 10.1.0.0/24 nmap -O 10.1.0.0/24 netstat -r
nmap -A 10.1.0.0/24
What does tracert do?
probes the path between one end system and another, shows hops
What is certificate pinning?
refers to several techniques to ensure that when a client inspects the certificate presented by a server or a code-signed application, it is inspecting the proper certificate.
What is key management?
refers to the operations at various stages in a key's lifecycle
What is a substitution cipher?
replace units in the plaintext with different ciphertext
The hierarchical model, a single CA called the _____ issues certificates to several ____- CAs, which then give certificates to the end subjects.
root intermediate
What is the command-line packet capture for linux?
tcpdump
Compare the following and select the appropriate methods for packet capture. (choose 2) tcpdump Packet injection Wireshark Packet analyzer
tcpdump Wireshark Protocol analyzers decode already captured frames to reveal their contents in a readable format. Some attacks depend on sending forged or spoofed network traffic, called packet injection.
What is Banner Grabbing?
the term for probing a server to try and get a response that identifies the server app or version #
What is message digest?
the fixed-length value output by a cryptographic hash function. Hashing is one-way, not encryption: the digest cannot be reversed to recover the input.
A primary target for a hacker gaining access to a network is user passwords. Consider the file locations where Windows and Linux each store passwords and determine which of the following is NOT used for password storage. %SystemRoot%\System32\config\SAM /etc/passwd %SystemRoot%\System32\Drivers\etc\hosts /etc/shadow
%SystemRoot%\System32\Drivers\etc\hosts
Arrange the following steps in the correct order for establishing a security policy. (1) Obtain support and commitment throughout the organization; (2) Analyze risks to security; (3) Implement controls that detect and prevent losses combined with a disaster recovery plan; (4) Review, test, and update procedures (1) Analyze risks to security; (2) Obtain support and commitment throughout the organization; (3) Implement controls that detect and prevent losses combined with a disaster recovery plan; (4) Review, test, and update procedures (1) Analyze risks to security; (2) Obtain support and commitment throughout the organization; (3) review, test, and update procedures; (4) Implement controls that detect and prevent losses combined with a disaster recovery plan (1) Obtain support and commitment throughout the organization; (2) Analyze risks to security; (3) review, test, and update procedures; (4) Implement controls that detect and prevent losses combined with a disaster recovery plan.
(1) Obtain support and commitment throughout the organization; (2) Analyze risks to security; (3) Implement controls that detect and prevent losses combined with a disaster recovery plan; (4) Review, test, and update procedures
If a company's IP address is in the Class B private range, which of the following IP addresses can be utilized? 172.20.26.1 192.168.0.1 10.10.1.0 172.16.256.1
172.20.26.1
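Added example (not from the deck): checking candidate addresses against the RFC 1918 private ranges with Python's standard ipaddress module. The point of the question is that 172.16.256.1 is not an address at all (an octet cannot exceed 255) and that the "class B" private block is only 172.16.0.0 through 172.31.255.255, so 172.32.0.1 is public. The CANDIDATES list is constructed for the example.

```python
# Added example: classify IPv4 addresses against the RFC 1918 private blocks.
import ipaddress
from typing import Optional

PRIVATE_RANGES = {
    "A": ipaddress.ip_network("10.0.0.0/8"),
    "B": ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0 - 172.31.255.255
    "C": ipaddress.ip_network("192.168.0.0/16"),
}

def classify(addr: str) -> Optional[str]:
    """'A', 'B' or 'C' for a private address, 'public' otherwise,
    None if the string is not a valid IPv4 address."""
    try:
        ip = ipaddress.IPv4Address(addr)   # rejects octets > 255 such as 172.16.256.1
    except ipaddress.AddressValueError:
        return None
    for name, net in PRIVATE_RANGES.items():
        if ip in net:
            return name
    return "public"

# Constructed candidates, including the impossible-octet trap
CANDIDATES = ["172.20.26.1", "192.168.0.1", "10.10.1.0", "172.16.256.1", "172.32.0.1"]

def private_class_b(cands) -> list:
    """Return only the candidates usable inside a class B private network."""
    return [c for c in cands if classify(c) == "B"]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(c, classify(c))
```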
Determine which of the following statements about 802.1x are true. (Select two) The device requesting access is the authenticator under 802.1X. 802.1X provides PNAC. The authentication server is typically a RADIUS server. In port-based authentication, the port acts as a firewall.
802.1X provides PNAC. The authentication server is typically a RADIUS server.
Why are backdoors and Trojans considered different types of malware?
A Trojan means a malicious program masquerading as something else; a backdoor is a covert means of accessing a host or network. A Trojan need not necessarily operate a backdoor and a backdoor can be established by exploits other than using Trojans. The term remote access trojan (RAT) is used for the specific combination of Trojan and backdoor
What is a block cipher?
A block cipher is a method of encrypting text (to produce ciphertext) in which a cryptographic key and algorithm are applied to a block of data (for example, 64 contiguous bits) at once as a group rather than to one bit at a time.
Evaluate the differences between stream and block ciphers and select the true statement. A block cipher is padded to the correct size if there is not enough data in the plaintext. A block cipher is suitable for communication applications. A stream cipher is subjected to complex transposition and substitution operations, based on the value of the key used. A stream cipher's plaintext is divided into equal-sized blocks.
A block cipher is padded to the correct size if there is not enough data in the plaintext.
Evaluate the differences between stream and block ciphers and select the true statement. A block cipher is suitable for communication applications. A stream cipher is subjected to complex transposition and substitution operations, based on the value of the key used. A block cipher is padded to the correct size if there is not enough data in the plaintext. A stream cipher's plaintext is divided into equal-sized blocks.
A block cipher is padded to the correct size if there is not enough data in the plaintext.
Analyze the following attacks to determine which best illustrates a pharming attack. A customer gets an email that appears to be from their insurance company. The email contains a link that takes the user to a fake site that looks just like the real insurance company site. An employee gets a call from someone claiming to be in the IT department. The caller says there was a problem with the network, so they need the employee's password in order to restore network privileges. A company's sales department often has after-hour training sessions, so they order dinner delivery online from the restaurant across the street. An attacker is able to access the company's network by compromising the restaurant's unsecure website. A customer enters the correct URL address of their bank, which should point to the IP address 172.1.24.4. However, the browser goes to 168.254.1.1, which is a fake site designed to look exactly like the real bank site.
A customer enters the correct URL address of their bank, which should point to the IP address 172.1.24.4. However, the browser goes to 168.254.1.1, which is a fake site designed to look exactly like the real bank site.
There are a variety of methods for indicating a potential security breach during the identification and detection phase of incident response. Two examples of appropriate methods are Intrusion Detection System (IDS) alerts and firewall alerts. Evaluate the following evidence and select the alternate methods that would be of most interest to the IT department during this phase. (Select two) A daily industry newsletter reports on a new vulnerability in the software version that runs on the company's server. An anonymous employee uses an "out of band" communication method to report a suspected insider threat. The marketing department contacts the IT department because they can't post a company document to the company's social media account. An employee calls the help desk because the employee is working on a file and is unable to save it to a USB to work on at home.
A daily industry newsletter reports on a new vulnerability in the software version that runs on the company's server. An anonymous employee uses an "out of band" communication method to report a suspected insider threat.
What is an HSM?
A dedicated hardware device for key generation/storage and other cryptographic functions
What is the difference between a hacker and a script kiddie?
A hacker has the skills and experience to devise new types of attack and attack tools. A script kiddie lacks this skill and experience and is limited to using well-known and documented attack methods and tools.
What is the difference between a honeypot and a honeynet? A honeynet is a computer system designed to only attract one singular attacker at a time, a honeypot aims to attract entire groups of attackers. A honeynet is a computer system set up to attract attackers, a honeypot is an entire decoy network. A honeypot is a computer system designed to only attract one singular attacker at a time, a honeynet aims to attract entire groups of attackers. A honeypot is a computer system set up to attract attackers, a honeynet is an entire decoy network.
A honeypot is a computer system set up to attract attackers, a honeynet is an entire decoy network.
What is the key lifecycle stages?
A key's lifecycle may involve the following stages: key generation, certificate generation, storage, revocation, expiration and renewal
A crytpographic hash algorithm produces a fixed length string from a variable length string, called what? Passed hash. A collision. A checksum. A message digest.
A message digest. A collision is when two different inputs produce the same hash output. Checksums use a hash algorithm to generate a value based on file contents, and can be used to ensure downloaded files haven't been tampered with.
What is the difference between a revoked key and a suspended key? A suspended key results from a key being compromised, a revoked key results from a key expiring. A suspended key can be re-enabled, a revoked key cannot. A revoked key results from a key being compromised, a suspended key results from a key expiring. A revoked key can be re-enabled, a suspended key cannot.
A suspended key can be re-enabled, a revoked key cannot.
What is key stretching?
Repeatedly hashing a password or key (thousands of rounds, combined with a salt) so that each guess an attacker makes costs far more computation; PBKDF2 and bcrypt are examples.
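Added example (not from the deck): key stretching with PBKDF2-HMAC-SHA256 from Python's standard library. The iteration count is the "thousands of rounds"; the per-user random salt stops an attacker from precomputing one table for every user; the constant-time comparison avoids leaking how many bytes matched. The ITERATIONS value and the passwords are assumptions for the example.

```python
# Added example: PBKDF2 key stretching for password storage and verification.
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000   # assumed work factor; tune so one stretch takes ~100 ms on your hardware

def stretch(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a 32-byte key by running HMAC-SHA256 `iterations` times over password+salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)

def make_record(password: str) -> dict:
    """What gets stored: a fresh random salt, the iteration count, and the stretched hash."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": ITERATIONS, "hash": stretch(password, salt)}

def verify(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and count, compare in constant time."""
    candidate = stretch(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])

def cost_ratio(password: str, salt: bytes, low: int, high: int) -> float:
    """Rough wall-clock ratio of a high vs low iteration count: roughly how much
    slower every attacker guess becomes when the work factor is raised."""
    t0 = time.perf_counter()
    stretch(password, salt, low)
    t1 = time.perf_counter()
    stretch(password, salt, high)
    t2 = time.perf_counter()
    return (t2 - t1) / max(t1 - t0, 1e-9)

if __name__ == "__main__":
    rec = make_record("correct horse battery")          # constructed password
    print(verify("correct horse battery", rec), verify("wrong", rec))
    print(round(cost_ratio("x", b"\x00" * 16, 1_000, 100_000), 1))
```

Note that the salt and iteration count are stored in the clear beside the hash; they are not secrets. Their job is to make each guess expensive and unique per user, not to hide anything.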
What is ransomware?
A type of malware that tries to extort money from the victim; for instance, by appearing to lock the victim's computer or by encrypting their files.
Which of the following options represents Two-Factor Authentication (2FA)? A user logs in using a password and a PIN. A user logs in using a password and a smart card. A user logs in using a fingerprint and retina scanner. A user logs in using a smart card and a key fob.
A user logs in using a password and a smart card.
Evaluate how identification and authentication are distinct in their functions. Which of the following scenarios best illustrates a user being authenticated? A user's keyboard typing behavior is analyzed. A system administrator sets up a user account for a new employee after HR sends employment verification. An administrator sends an initial password to a new telecommuting employee through a VPN. A user is assigned an SID.
A user's keyboard typing behavior is analyzed.
A company mandates password changes every 60 days. Several employees find coming up with new passwords that they can remember frustrating, so one of them searches online and learns the default setting for password history is five. Hoping the default setting is in place, these employees change their password five times in a row, and it works. Now they can reuse their password for every reset. Analyze the scenario, and select the best description for what occurred. The employees acted as white hats. A vulnerability was exploited. The employees acted as hacktivists. A risk was exploited.
A vulnerability was exploited.
What access control model is considerably complex in terms of defining the rules that allow or deny access? DAC MAC RBAC ABAC
ABAC
Which of the following is the preferred block cipher algorithm by many new applications? 3DES Blowfish AES Twofish
AES
Which symmetric cipher is being selected for use in many new products?
AES (adopted by NIST as the standard symmetric cipher, FIPS 197)
Evaluate the following statements and determine which explains why layer 2 is vulnerable to Man-in-the-Middle (MitM) attacks. (Select two) ARP operates at layer 2 DNS operates at layer 2 Mutual authentication is not prevalent at layer 2 Firewalls are not secure at layer 2
ARP operates at layer 2 Mutual authentication is not prevalent at layer 2
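Added example (not from the deck): ARP has no authentication, so any host can answer "192.168.1.1 is at my MAC" and the victim will update its cache, which is the layer 2 MITM the question describes. The detection logic below walks a constructed log of ARP replies and flags an IP whose claimed MAC changes, and a MAC that claims more than one IP (an attacker poisoning both the gateway and the victim). The addresses are made up for the example.

```python
# Added example: spot ARP cache poisoning from a log of ARP replies.
from collections import defaultdict

# Constructed ARP reply log: (timestamp, sender IP, sender MAC)
ARP_REPLIES = [
    (0.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),   # real gateway
    (1.0, "192.168.1.10", "aa:bb:cc:00:00:10"),   # victim workstation
    (2.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),
    (3.0, "192.168.1.1",  "de:ad:be:ef:00:99"),   # attacker claims the gateway IP
    (4.0, "192.168.1.10", "aa:bb:cc:00:00:10"),
    (5.0, "192.168.1.1",  "de:ad:be:ef:00:99"),
    (6.0, "192.168.1.10", "de:ad:be:ef:00:99"),   # ...and the victim's IP too
]

def detect_arp_spoof(replies, trusted=None):
    """Return (alerts, multi_ip_macs).
    alerts: (ts, ip, previous_mac, new_mac) whenever an IP's MAC differs from the
            first binding seen (or from a trusted static mapping if given).
    multi_ip_macs: MACs that answered for more than one IP."""
    ip_to_mac = dict(trusted or {})
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac_to_ips[mac].add(ip)
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, ip, prev, mac))
        ip_to_mac.setdefault(ip, mac)   # keep the first-seen binding as the baseline
    multi = {m: ips for m, ips in mac_to_ips.items() if len(ips) > 1}
    return alerts, multi

if __name__ == "__main__":
    for a in detect_arp_spoof(ARP_REPLIES)[0]:
        print("ARP change: %s was %s now %s at t=%.1f" % (a[1], a[2], a[3], a[0]))
```

The first-seen baseline is itself the weakness of passive detection: if the attacker answers before the legitimate host, the poisoned binding becomes the baseline. Static ARP entries for the gateway (passed as `trusted`) or Dynamic ARP Inspection on the switch close that gap.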
Audits and scheduled scans are considered what kind of security? Deterrent Technical Physical Administrative
Administrative
What is a Transposition cipher?
Allow the units to stay the same in the plain text and ciphertext, but their order is changed
Apply knowledge of identity and authentication concepts to select the true statement. A user profile must be unique. Credentials could include name, contact details, and group memberships. An identifier could be a username and password, or smart card and PIN code. An account consists of an identifier, credentials, and a profile.
An account consists of an identifier, credentials, and a profile.
Two individuals are communicating via encrypted data, in this instance they share a public key and each have a private key. What best describes the encryption type being used? Monosymmetric Encryption Asymmetric Encryption Shared Encryption Symmetric Encryption
Asymmetric Encryption Asymmetric encryption relies on the use of a key pair: one private, one public. Symmetric encryption uses just one shared secret key between the communicating users.
For pentesting, what is persistence?
Attacker has continued access to a host via a backdoor or RAT.
Which of the following is NOT an IAM main process? Identification Authorization Authentication Auditing
Auditing
Which of the following is provided through digital signatures? (Choose 3) Authentication Non-repudiation Integrity Authorization
Authentication Non-repudiation Integrity
What is the difference between authorization and authentication?
Authentication -> verifying that the user is who they claim to be (validating the credentials) Authorization -> granting an authenticated user the right to use a resource
_____________________ refers to probing a server to try to elicit any sort of response that will identify the server application and version number or any other interesting details about the way the server is configured. DNS harvesting Banner grabbing Passive reconnaissance Network mapping
Banner grabbing
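Added example (not from the deck): a minimal banner grabber. It connects, optionally sends a probe (HTTP servers say nothing until asked; SMTP, FTP and SSH greet you), and records whatever the service volunteers. To keep it runnable offline, the block also starts a throwaway listener on localhost that sends a constructed SMTP greeting; the banner text is made up and the hostname is not real.

```python
# Added example: grab and parse a service banner. The server side is a local stub
# that exists only so the example runs offline; the banner content is constructed.
import socket
import threading

FAKE_BANNER = b"220 mail.example.test ESMTP Postfix (Ubuntu)\r\n"   # constructed

def serve_banner(banner: bytes) -> int:
    """Start a one-shot TCP listener on 127.0.0.1 that sends `banner` and closes; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def run():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return port

def grab_banner(host: str, port: int, timeout: float = 2.0, probe: bytes = b"") -> str:
    """Connect, optionally send a probe (e.g. b'HEAD / HTTP/1.0\\r\\n\\r\\n' for HTTP),
    and return the first line the service sends back (empty if it stays silent)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            while True:
                chunk = s.recv(1024)
                if not chunk:
                    break
                chunks.append(chunk)
                if b"\n" in chunk:
                    break
        except socket.timeout:
            pass
    return b"".join(chunks).decode(errors="replace").strip()

def parse_smtp_banner(banner: str) -> dict:
    """Split an SMTP greeting '220 <host> <software...>' into its parts."""
    parts = banner.split(" ", 2)
    return {
        "code": parts[0],
        "host": parts[1] if len(parts) > 1 else "",
        "software": parts[2] if len(parts) > 2 else "",
    }

if __name__ == "__main__":
    port = serve_banner(FAKE_BANNER)
    print(parse_smtp_banner(grab_banner("127.0.0.1", port)))
```

Everything in the "software" field is what an attacker feeds into a vulnerability search, which is why hardening guides tell you to trim or remove version strings from greetings (nmap -sV does the same job more thoroughly with a probe database).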
A manufacturing company hires a pentesting firm to uncover any vulnerabilities in their network with the understanding that the pen tester is given no information about the company's system. Which of the following penetration testing strategies is the manufacturing company requesting? Black box Sandbox Gray box White box
Black box
A manufacturing company hires a pentesting firm to uncover any vulnerabilities in their network with the understanding that the pen tester is given no information about the company's system. Which of the following penetration testing strategies is the manufacturing company requesting? Sandbox Gray box White box Black box
Black box
Define the following: Black box pentest White box Pentest Grey box pentest
Black box- given no info (blind) white box - given full info Grey box- given SOME info
In what cipher is the plaintext divided into equal-size segments before encryption, and if there is not enough data in the plaintext padding is added to reach the length requirement? Padding Cipher Block Cipher Stream Cipher Segment Cipher
Block Cipher In a stream cipher, each byte or bit of data in the plaintext is encrypted one at a time.
Which of the following password cracker attacks are combined to create a hybrid attack? (Select two) Brute force Dictionary Rainbow table PTH
Brute force Dictionary
What uses every possible character combination in order to guess the password?
Bruteforce Attack
A trusted third party issuing digital certificates for creating digital signatures and public-private key pairs is a
CA
What protocol uses periodic handshakes with different challenge messages throughout the connection? CHAP PAP Kerberos TCP
CHAP
What are two solutions that allow to check whether a digital certificate has been revoked?
CRL (Certificate Revocation List) & OCSP (Online Certificate Status Protocol)
What is the method for requesting a digital certificate?
CSR
Compare and contrast the modes of operation for block ciphers. Which of the following statements is true? ECB and CBC modes allow block ciphers to behave like stream ciphers. CTR and GCM modes allow block ciphers to behave like stream ciphers. ECB and GCM modes allow block ciphers to behave like stream ciphers. CBC and CTR modes allow block ciphers to behave like stream ciphers.
CTR and GCM modes allow block ciphers to behave like stream ciphers.
Compare and contrast the modes of operation for block ciphers. Which of the following statements is true? ECB and GCM modes allow block ciphers to behave like stream ciphers. ECB and CBC modes allow block ciphers to behave like stream ciphers. CTR and GCM modes allow block ciphers to behave like stream ciphers. CBC and CTR modes allow block ciphers to behave like stream ciphers.
CTR and GCM modes allow block ciphers to behave like stream ciphers.
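Added example (not from the deck) covering the block-cipher padding cards and the CTR-mode card above. PKCS#7 padding is what makes a short plaintext fit ECB/CBC block boundaries, and it always adds at least one byte. CTR mode never pads: it encrypts a nonce+counter to make a keystream and XORs it with the data, so the cipher behaves like a stream cipher and the same function decrypts. The block function here is a toy keyed PRF built from SHA-256 standing in for AES (Python's standard library has no AES); it is not a real cipher and is not invertible, which is fine because CTR only ever uses the forward direction.

```python
# Added example: PKCS#7 padding (needed by ECB/CBC) and CTR mode (no padding needed).
# toy_block_encrypt is a stand-in for AES-128's forward direction, NOT a secure cipher.
import hashlib

BLOCK = 16   # 128-bit blocks, like AES

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Keyed pseudo-random function over one block (assumed placeholder for AES)."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]

def pkcs7_pad(data: bytes) -> bytes:
    """Append n bytes of value n so the length is a multiple of BLOCK; n is 1..16, never 0."""
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    """Strip padding, rejecting anything malformed (a padding oracle lives in how you report this)."""
    if not data or len(data) % BLOCK:
        raise ValueError("bad padding")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Encrypt nonce||counter for counter = 0,1,2,... and concatenate the outputs."""
    assert len(nonce) < BLOCK
    out = b""
    counter = 0
    while len(out) < length:
        block_in = nonce + counter.to_bytes(BLOCK - len(nonce), "big")
        out += toy_block_encrypt(key, block_in)
        counter += 1
    return out[:length]

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR mode: XOR data with the keystream. Encrypts and decrypts; output length == input length."""
    ks = ctr_keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

if __name__ == "__main__":
    key, nonce = b"k" * 16, b"n" * 8          # constructed key and nonce
    msg = b"this message is 23 byte"          # 23 bytes: not a block multiple
    print(len(pkcs7_pad(msg)), len(ctr_crypt(key, nonce, msg)))
```

The failure mode to remember for CTR (and GCM, which is CTR plus authentication): reusing a nonce under the same key gives two ciphertexts with the same keystream, and XORing them cancels the keystream and leaves plaintext1 XOR plaintext2. The test below checks exactly that.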
Ways to ensure that when clients inspect the certificate presented by a server, they're inspecting the proper cert
Certificate pinning
What is ROT13?
A substitution cipher that replaces each letter with the one 13 positions later in the alphabet, wrapping around. Because 13 is half of 26, applying ROT13 twice restores the plaintext, so it is its own inverse; it provides obfuscation, not security.
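Added example (not from the deck) covering the substitution, transposition and ROT13 cards above. A shift cipher (ROT13 is the shift-13 case) changes each letter but keeps letters in place; a columnar transposition keeps every letter but scrambles the order. The letter histogram at the end is how you tell which one you are looking at: transposition leaves the frequencies of the plaintext untouched, substitution just relabels them. Key and plaintext are constructed.

```python
# Added example: a shift (substitution) cipher with ROT13, and a keyed columnar transposition.
import string
from collections import Counter

def shift_cipher(text: str, shift: int) -> str:
    """Monoalphabetic substitution: each letter -> the letter `shift` places later (wrapping)."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)            # non-letters pass through unchanged
    return "".join(out)

def rot13(text: str) -> str:
    return shift_cipher(text, 13)     # self-inverse because 13 + 13 == 26

def _column_order(key: str):
    # Columns are read in alphabetical order of the key letters; ties broken by position
    return sorted(range(len(key)), key=lambda i: (key[i], i))

def columnar_transpose(text: str, key: str) -> str:
    """Write the text in rows under the key, then read each column in key order."""
    cols = len(key)
    rows = [text[i:i + cols] for i in range(0, len(text), cols)]
    return "".join("".join(r[c] for r in rows if c < len(r)) for c in _column_order(key))

def columnar_untranspose(cipher: str, key: str) -> str:
    """Rebuild the columns (the first `extra` columns are one character longer), then read rows."""
    cols = len(key)
    full_rows, extra = divmod(len(cipher), cols)
    col_len = {c: full_rows + (1 if c < extra else 0) for c in range(cols)}
    pieces, pos = {}, 0
    for c in _column_order(key):
        pieces[c] = cipher[pos:pos + col_len[c]]
        pos += col_len[c]
    out = []
    for r in range(full_rows + (1 if extra else 0)):
        for c in range(cols):
            if r < col_len[c]:
                out.append(pieces[c][r])
    return "".join(out)

def letter_histogram(text: str) -> Counter:
    """Letter frequencies; unchanged by transposition, merely relabelled by substitution."""
    return Counter(ch for ch in text.upper() if ch.isalpha())

if __name__ == "__main__":
    plain = "ATTACKATDAWN"
    print(rot13("Hello, World!"), columnar_transpose(plain, "ZEBRA"))
```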
MD5 is a popular hashing algorithm, despite being exploited to produce the same hash value for two different inputs. What weakness is being exploited in MD5? Weak key Checksum Collision Message digest
Collision Checksum - a digit representing the sum of the correct digits in a piece of stored or transmitted digital data, against which later comparisons can be made to detect errors in the data. Message digest - A fixed-length string produced by a cryptographic hash algorithm from a variable-length string. Weak key - A key that produces ciphertext that is easy to cryptanalyze.
MD5 is a popular hashing algorithm that can be exploited to produce the same hash value for two different inputs. What is this exploit known as? Checksum Collision Message digest Weak key
Collision: two different inputs produce the same hash value. MD5 is no longer collision-resistant, but forensic tools still default to MD5 because of speed and compatibility. Memory aid: MD5 -> Birthday attack -> Collision
What is pivoting?
Using a compromised host as a foothold to reach and attack other systems on the network; typically comes after gaining persistence and enough privileges on the first host.
What is the principle use of symmetric encryption?
Confidentiality
Secure information has three properties. What are they?
Confidentiality, Integrity, Availability
What are the uses of Cryptography?
Confidentiality, authentication/access control, non-repudiation, integrity & resilience, obfuscation
_________________ means that the key should not be derivable from the ciphertext. Obfuscation Transposition Confusion Diffusion
Confusion Confusion means that the key should not be derivable from the ciphertext. If one bit in the key changes, many bits in the ciphertext should change. Diffusion means that predictable features of the plaintext should not be evident in the ciphertext. If one bit of the plaintext is changed, many bits in the ciphertext should change. Obfuscation is the art of making a message difficult to understand. Transposition is a type of cipher where the units stay the same in plaintext and ciphertext, but their order is changed, according to some mechanism.
What is the difference between confusion and diffusion?
Confusion: the key should not be derivable from the ciphertext. Diffusion: patterns in the plaintext should not be evident in the ciphertext.
What is a system or procedure put in place to mitigate risk? Publication Control Standard Policy
Control
What properties of security controls provide layered security?
Control type diversity, vendor diversity
Network topology design has a hierarchy. Reflect on Physical and Data layers of the OSI model implementation and select the layers Cisco recommends for campus design. (Choose three) Core Permission Access Distribution
Core Access Distribution
After a poorly handled security breach, a company updates its security policy with an improved incidence response plan. Which of the following security controls does this update include? Compensating Deterrent Corrective Detective
Corrective
Deep web and Dark net sites are a useful source of: OSINT Counterintelligence Passive Reconnaissance Attacker Profiling
Counterintelligence
What is the difference between a credentialed scan and a non-credentialed scan?
Credentialed scan: the scanner logs in to the target with an account (often admin-level) so it can inspect configuration and patch state from the inside. Non-credentialed scan: no login; the scanner sees only what an unauthenticated attacker on the network would see.
This sort of scan allows for a much more in-depth analysis, especially in detecting when applications or security settings may be misconfigured. Non-credentialed scan Credentialed scan Reconnaissance scan Passive scan
Credentialed scan
What is a CIRT?
Cyber Incident Response Team
If a company wants to ensure its following best practices in choosing security controls. What types of resources would provide guidance?
Cyber security framework and secure configuration guides