Security+ 501 - Comprehensive Exam 2

Anne, the Chief Executive Officer (CEO), has reported that she is getting multiple telephone calls from someone claiming to be from the helpdesk. The caller is asking to verify her network authentication Credentials because her computer is broadcasting across the network. This is MOST likely which of the following types of attacks? A. Vishing B. Impersonation C. Spim D. Scareware

A. Vishing Vishing is the illegal access of data via voice over Internet Protocol (VoIP). Vishing is IP telephony's version of phishing and uses voice messages to steal identities and financial resources. The term is a combination of "voice" and "phishing." Vishing is the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies. Vishing is used in order to induce individuals to reveal personal information, such as bank details and credit card numbers

The Chief Security Officer (CISO) at a multinational banking corporation is reviewing a plan to upgrade the entire corporate IT infrastructure. The architecture consists of a centralized cloud environment hosting the majority of data, small server clusters at each corporate location to handle the majority of customer transaction processing, ATMs, and a new mobile banking application accessible from smartphones, tablets, and the Internet via HTTP. The corporation does business having varying data retention and privacy laws. Which of the following technical modifications to the architecture and corresponding security controls should be implemented to provide the MOST complete protection of data? A. Revoke exiting root certificates, re-issue new customer certificates, and ensure all transactions are digitally signed to minimize fraud, implement encryption for data in-transit between data centers B. Ensure all data is encryption according to the most stringent regulatory guidance applicable, implement encryption for data in-transit between data centers, increase data availability by replicating all data, transaction data, logs between each corporate location C. Store customer data based on national borders, ensure end-to end encryption between ATMs, end users, and servers, test redundancy and COOP plans to ensure data is not inadvertently shifted from one legal jurisdiction to another with more stringent regulations D. Install redundant servers to handle corporate customer processing, encrypt all customer data to ease the transfer from one country to another, implement end-to-end encryption between mobile applications and the cloud

A & C Data loss prevention (OLP) is a strategy deployed by businesses to ensure that sensitive data remains securely within the corporate network. Data loss prevention tools and software are designed to constantly monitor and filter data in real-time. In addition to dealing with the data being used, stored and transmitted within the network, data loss prevention applications ensure no harmful outside data is entering the company network. Data loss prevention is a subject new business owners need to pay special attention to when setting up a company. Every new piece of data created, stored, used and shared from the first day of work is sensitive information. Laying a strong foundation at the beginning will result in a little less disquiet down the road.

A technician must configure a firewall to block external DNS traffic from entering a network. Which of the following ports should they block on the firewall? A. 53 B. 110 C. 143 D. 443

A. 53 Security practitioners for decades have advised people to limit DNS queries against their DNS servers to only use UDP port 53. The reality is that DNS queries can also use TCP port 53 if UDP port 53 is not accepted. Now with the impending deployment of DNSSEC and the eventual addition of 1Pv6 we will need to allow our firewalls for forward both TCP and UDP port 53 packets. Furthermore, most organizations have also used firewalls to block TCP port 53 to and from their DNS servers and the Internet. This is double-protection in case the DNS server accidentally allowed transfers. Configuring your DNS servers to permit zone transfers to only legitimate DNS servers has always been and continues to be a best practice. However, the practice of denying TCP port 53 to and from DNS servers is starting to cause some problems. There are two good reasons that we would want to allow both TCP and UDP port 53 connections to our DNS servers. One is DNSSEC and the second is 1Pv6 .

Joe notices there are several user accounts on the local network generating spam with embedded malicious code. Which of the following technical control should Joe put in place to BEST reduce these incidents? A. Account lockout B. Group Based Privileges C. Least privilege D. Password complexity

A. Account lockout Someone who attempts to use more than a few unsuccessful passwords while trying to log on to your system might be a malicious user who is attempting to determine an account password by trial and error. Windows domain controllers keep track of logon attempts, and domain controllers can be configured to respond to this type of potential attack by disabling the account for a preset period of time. Account Lockout Policy settings control the threshold for this response and the actions to be taken after the threshold is reached. The Account Lockout Policy settings can be configured in the following location in the Group Policy Management Console: Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy

A systems administrator is reviewing the following information from a compromised server: Process DEP Local Address Remote Address LSASS YES 0.0.0.0 10.210.100.62 APACHE NO 0.0.0.0 10.130.210.20 MySQL NO 127.0.0.1 127.0.0.1 TFTP YES 191 .168.1.10 10.34.221.96 Given the above information, which of the following processes was MOST likely exploited via a remote buffer overflow attack? A. Apache B. LSASS C. MySQL D. TFTP

A. Apache The remote host is running a vulnerable version of Apache. It is reported that Apache is prone to a remote buffer overflow attacks. An attacker may use this vulnerability to execute arbitrary code on the remote host or to deny service to legitimate users. A remote attacker can cause an application crash, leading to a Denial of Service condition, and possibly execute arbitrary code

An external contractor, who has not been given information about the software or network architecture, is conducting a penetration test. Which of the following BEST describes the test being performed? A. Black box B. White box C. Passive reconnaissance D. Vulnerability scan

A. Black box In a black box testing assignment, the penetration tester is placed in the role of the average hacker, with no internal knowledge of the target system. Testers are not provided with any architecture diagrams or source code that is not publicly available. A black box penetration test determines the vulnerabilities in a system that is exploitable from outside the network. This means that black box penetration testing relies on dynamic analysis of currently running programs and systems within the target network. A black box penetration tester must be familiar with automated scanning tools and methodologies for manual penetration testing. Black box penetration testers also need to be capable of creating their own map of a target network based on their observations since no such diagram is provided to them. The limited knowledge provided to the penetration tester makes black box penetration tests the quickest to run, since the duration of the assignment largely depends on the tester's ability to locate and exploit vulnerabilities in the target's outward-facing services. The major downside of this approach is that if the testers cannot breach the perimeter, any vulnerability of internal services remains undiscovered and unpatched.

An organization relies heavily on an application that has a high frequency of security updates. At present, the security team only updates the application on the first Monday of each month, even though the security updates are released as often as twice a week. Which of the following would be the BEST method of updating this application? A. Configure testing and automate patch management for the application. B. Configure security control testing for the application C. Manually apply updates for the application when they are released. D. Configure a sandbox for testing patches before the scheduled monthly update

A. Configure testing and automate patch management for the application. Testing patches before deployment is perhaps the most critical step in patch management process. As much as we want all applications updated, we need to be careful about how we introduce a new patch update into the application environment. The trick is to protect your systems as much as possible from vulnerabilities, without putting them at a different kind of risk from untested patches. Patch management software keeps enterprises better protected by automating the delivery of operating systems and application updates.

A vulnerability scanner that uses its running service's access level to better assess vulnerabilities across multiple assets within an organization is performing a: A. Credentialed scan B. Non-intrusive scan. C. Privilege escalation test D. Passive scan.

A. Credentialed scan Credentialed scans are scans in which the scanning computer has an account on the computer being scanned that allows the scanner to do a more thorough check looking for problems that cannot be seen from the network

Which of the following attacks specifically impact data availability? A. DDoS B. Trojan C. MITM D. Rootkit

A. DDoS A distributed denial-of-service (DDoS) attack is an attack in which multiple compromised computer systems attack a target, such as a server, website or other network resource, and cause a denial of service for users of the targeted resource. The flood of incoming messages, connection requests or malformed packets to the target system forces it to slow down or even crash and shut down, thereby denying service to legitimate users or systems.

A security analyst notices anomalous activity coming from several workstations in the organizations. Upon identifying and containing the issue, which of the following should the security analyst do NEXT? A. Document and lock the workstations in a secure area to establish chain of custody B. Notify the IT department that the workstations are to be reimaged and the data restored for reuse C. Notify the IT department that the workstations may be reconnected to the network for the users to continue working D. Document findings and processes in the after-action and lessons learned report

A. Document and lock the workstations in a secure area to establish chain of custody. What Is the Chain of Custody in Computer Forensics? The chain of custody in digital forensics can also be referred to as the forensic link, the paper trail, or the chronological documentation of electronic evidence. It indicates the collection, sequence of control, transfer, and analysis. Establishing chain of custody when authenticating digital media evidence for use in the courtroom is extremely important. The chain of custody must account for the seizure, storage, transfer and condition of the evidence. The chain of custody is absolutely necessary for admissible evidence in court. It is important to maintain the chain of custody to preserve the integrity of the evidence and prevent it from contamination, which can alter the state of the evidence. If not preserved, the evidence presented in court might be challenged and ruled inadmissible

Which of the following precautions MINIMIZES the risk from network attacks directed at multifunction printers, as well as the impact on functionality at the same time? A. Isolating the systems using VLANs B. Installing a software-based IPS on all devices C. Enabling full disk encryption D. Implementing a unique user PIN access functions

A. Isolating the systems using VLANs Segmentation and micro-segmentation: This is a topic that we need to all consider with the rise in loT (Internet of Things) as devices that used to just print ink on paper connected to LPT and COM ports are now becoming increasingly connected. We can't simply just hook them up to the corporate user VLAN and throw them all into the same subnet as everything else. Just like we segment/isolate servers into separate VLANs - we want to do the same with multifunction printers. Architecture and design vulnerabilities that have led to the successful compromise of servers from other lower security zones (such as the DMZ and corporate user VLANs) was because the printers were not isolated into a printer VLAN with filtering in place to only permit the ports needed for workstations to print to them. The administrative interface should be filtered to only accept connections from an administrative VLAN where the IT, server, and network administrators are. If your maturity level of your network just isn't there yet, that's fine, use other filtering methods, either VACLs, filtering on the printer itself, or on core firewalls to allow traffic to those administrative ports only from the IT staff.

Which of the following BEST describes a network-based attack that can allow an attacker to take full control of a vulnerable host? A. Remote exploit B. Amplification C. Sniffing D. Man-in-the-middle

A. Remote exploit A remote exploit is a malicious action that targets one or a network of computers. The remote attack does not affect the computer the attacker is using. Instead, the attacker will find vulnerable points in a computer or network's security software to access the machine or system. The main reasons for remote attacks are to view or steal data illegally, introduce viruses or other malicious software to another computer or network or system, and cause damage to the targeted computer or network

A new security policy in an organization requires that all file transfers within the organization be completed using applications that provide secure transfer. Currently, the organization uses FTP and HITP to transfer files. Which of the following should the organization implement in order to be compliant with the new policy? A. Replace FTP with SFTP and replace HTIP with TLS B. Replace FTP with FTPS and replaces HTIP with TFTP C. Replace FTP with SFTP and replace HTIP with Telnet D. Replace FTP with FTPS and replaces HTTP with IPSec

A. Replace FTP with SFTP and replace HTIP with TLS For decades, companies have relied on FTP (file transfer protocol) as their basic method of transferring files. However, as data security became a larger and more urgent issue for many companies, a number of alternative FTP solutions arose to address the security vulnerabilities of basic FTP. SFTP or FTP over SSH, increases FTP security by establishing a secure channel between the party sending data and the party receiving it. The SSH stands for "Secure Shell," meaning two computers establish an SSH-encrypted channel prior to logging in and transferring data. The secure channel protects data from being accessed by a party other than the intended recipient. TLS (Transport Layer Security) is just an updated, more secure, version of SSL. We still refer to our security certificates as SSL because it is a more commonly used term, but when you are buying SSL from Symantec, you are actually buying the most up to date TLS certificates with the option of ECC, RSA or DSA encryption. HTTPS (Hyper Text Transfer Protocol Secure) appears in the URL when a website is secured by an SSL certificate. The details of the certificate, including the issuing authority and the corporate name of the website owner, can be viewed by clicking on the lock symbol on the browser bar.

An employer requires that employees use a key-generating app on their smartphones to log into corporate applications. In terms of authentication of an individual, this type of access policy is BEST defined as: A. Something you have B. Something you know C. Something you do D. Something you are

A. Something you have Multifactor 2-Step verification provides stronger security for your accounts by requiring a second step of verification when you sign in. In addition to your password, you'll also need a code generated by the key-generating app on your phone. The password is something you know and the key-generating app is something you have

Which of the following occurs when the security of a web application relies on JavaScript for input validation? A. The integrity of the data is at risk. B. The security of the application relies on antivirus. C. A host-based firewall is required. D. The application is vulnerable to race conditions.

A. The integrity of the data is at risk Avoid placing the validation procedures only on the client side. All input should be validated server side. Client-side validation is executed by the client and can be easily bypassed. Client-side validation is a major design problem when it appears in web applications. It places trust in the browser, an entity that should never be trusted. If your application accepts input from the client, always validate for length, range and type on the server. Client-side validation should only be used to improve user experience, never for security purposes. A client-side input validation check can improve application performance by catching malformed input on the client and, therefore, saving a round trip to the server. However, client side validation can be easily bypassed and should never be used for security purposes. Always use server-side validation to protect your application from malicious attacks. Never trust the browser. Because the browser is running on the user's machine, it can be fully controlled by the user. Therefore, any client side validation code can be controlled and bypassed by an attacker. Use JavaScript only to enhance your pages. JavaScript is useful for enhancing your application's presentation. However, it has no mechanism to protect the integrity of its code. Do not rely on JavaScript to enforce security decisions.

A security administrator receives an alert from a third-party vendor that indicates a certificate that was installed in the browser has been hijacked at the root of a small public CA. The security administrator knows there are at least four different browsers in use on more than a thousand computers in the domain worldwide. Which of the following solutions would be BEST for the security administrator to implement to most efficiently assist with this issue? A. SSL B. CRL C. PKI D. ACL

B. CRL A CRL is a Certificate Revocation List. When any certificate is issued, it has a validity period, which is defined by the Certification Authority. Usually this is one or two years. Any time a certificate is presented as part of an authentication dialog, the current time should be checked against the validity period. A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted. CRLs are a type of blacklist and are used by various endpoints, including Web browsers, to verify whether a certificate is valid and trustworthy. Digital certificates are used in the encryption process to secure communications, most often by using the TLS/SSL protocol. The certificate, which is signed by the issuing Certificate Authority, also provides proof of the identity of the certificate owner

A new intern in the purchasing department requires read access to shared documents. Permissions are normally controlled through a group called "Purchasing", however, the purchasing group permissions allow write access. Which of the following would be the BEST course of action? A. Modify all the shared files with read only permissions for the intern B. Create a new group that has only read permissions for the files C. Remove all permissions for the shared files. D. Add the intern to the "Purchasing" group.

B. Create a new group that has only read permissions for the files All files and directories are owned by the person who created them. That means you can specify who is allowed to read the file, write to the file, or (if it is an application instead of a text file) who can execute the file. Reading, writing, and executing are the three main settings in permissions. Since users are placed into a group when their accounts are created, you can also specify whether certain groups can read, write to, or execute a file. Remember that file permissions are a security feature. Whenever you allow anyone else to read, write to, and execute files, you are increasing the risk of files being tampered with, altered, or deleted. As a rule, you should only grant read and write permissions to those who truly need them

A company hired a third-party firm to conduct as assessment of vulnerabilities exposed to the Internet. The firm informs the company that an exploit exists for an FTP server that has a version installed from eight years ago. The company has decided to keep the system online anyway, as no upgrade exists from the vendor. Which of the following BEST describes the reason why the vulnerability exists? A. Default configuration B. End-of-life C. Weak cipher suite D. Zero-day threats

B. End-of-life The concept of an EOL product has been around for a while. Generally, EOL symbolizes the last stage of a product's life cycle, starting with design, development and eventual release and use. The rapid emergence of technology and other factors have led to bigger issues surrounding EOL products, which means manufacturers and vendors must anticipate the consequences of designating an EOL product. Some of the key issues involve disposal. For hardware devices, this means physically disposing old devices and installing newer versions. For software systems, it means "weaning" legacy systems or migrating applications to newer platforms in order to discard or change old systems

Joe, a technician, is working remotely with his company provided laptop at the coffee shop near his home. Joe is concerned that another patron of the coffee shop may be trying to access his laptop. Which of the following is an appropriate control to use to prevent the other patron from accessing Joe's laptop directly? A. full-disk encryption B. Host-based firewall C. Current antivirus definitions D. Latest OS updates

B. Host-based firewall A host-based firewall is a piece of firewall software that runs on an individual computer or device connected to a network. These types of firewalls are a granular way to protect the individual hosts from viruses and malware, and to control the spread of these harmful infections throughout the network

A security analyst is hardening a server with the directory services role installed. The analyst must ensure LDAP traffic cannot be monitored or sniffed and maintains compatibility with LDAP clients. Which of the following should the analyst implement to meet these requirements? (Select two.) A. Generate an X.509-compliant certificate that is signed by a trusted CA B. Install and configure an SSH tunnel on the LDAP server C. Ensure port 389 is open between the clients and the servers using the communication. D. Ensure port 636 is open between the clients and the servers using the communication. E. Remote the LDAP directory service role from the server

B. Install and configure an SSH tunnel on the LDAP server D. Ensure port 636 is open between the clients and the servers using the communication. The requirement is that only TLS connections will be supported by this server. The strategy adopted is to drop the listens for normal LDAP URL traffic (port 389) leaving only LDAPS URL (port 636) listens and to introduce a couple of basic rules to force secured simple binding and prevent anonymous binding. Finally, port forwarding can be used to set up SSH tunneling for communications between the client and the server or between the client and the firewall/gateway over the Internet, in which case the firewall and server need to be able to connect to each other on the same LAN.

The IT department needs to prevent users from installing untested applications. Which of the following would provide the BEST solution? A. Job rotation B. Least privilege C. Account lockout D. Antivirus

B. Least privilege The Principle of Least Privilege states that a subject should be given only those privileges needed for it to complete its task. Only the minimum necessary rights should be assigned to a subject that requests access to a resource and should be in effect for the shortest duration necessary (remember to relinquish privileges). Granting permissions to a user beyond the scope of the necessary rights of an action can allow that user to obtain or change information in unwanted ways. Therefore, careful delegation of access rights can limit attackers from damaging a system

A software development company needs to share information between two remote servers, using encryption to protect it. A programmer suggests developing a new encryption protocol, arguing that using an unknown protocol with secure, existing cryptographic algorithm libraries will provide strong encryption without being susceptible to attacks on other known protocols. Which of the following summarizes the BEST response to the programmer's proposal? A. The newly developed protocol will only be as secure as the underlying cryptographic algorithms used. B. New protocols often introduce unexpected vulnerabilities, even when developed with otherwise secure and tested algorithm libraries C. A programmer should have specialized training in protocol development before attempting to design a new encryption protocol D. The obscurity value of unproven protocols against attacks often outweighs the potential for introducing new vulnerabilities.

B. New protocols often introduce unexpected vulnerabilities, even when developed with otherwise secure and tested algorithm libraries Vulnerability is a weakness in a system that can be exploited to negatively affect confidentiality, integrity, and/or availability. Vulnerabilities can be categorized in many ways. No system is 100% secure every system has vulnerabilities. At any given time, a system may not have any known software flaws, but security configuration issues, encryption protocols and software feature misuse vulnerabilities are always present. Misuse vulnerabilities are inherent in software features because each feature must be based on trust assumptions-and those assumptions can be broken, albeit involving significant cost and effort in some cases. Security and encryption configuration issues are also unavoidable for two reasons. First, many configuration settings increase security at the expense of reducing functionality, so using the most secure settings could make the software useless or unusable. Second, many security settings have both positive and negative consequences for security. An example is the number of consecutive failed authentication attempts to permit before locking out a user account. Setting this to 1 would be the most secure setting against password guessing attacks, but it would also cause legitimate users to be locked out after mistyping a password once, and it would also permit attackers to perform denial-of-service attacks against users more easily by generating a single failed login attempt for each user account.

A company wants to ensure that the validity of publicly trusted certificates used by its web server can be determined even during an extended internet outage. Which of the following should be implemented? A. Recovery agent B. OCSP C. CRL D. Key escrow

B. OCSP OCSP (Online Certificate Status Protocol) is one of two common schemes for maintaining the security of a server and other network resources. The other, older method, which OCSP has superseded in some scenarios, is known as Certificate Revocation List (CRL). OCSP overcomes the chief limitation of CRL: the fact that updates must be frequently downloaded to keep the list current at the client end. When a user attempts to access a server, OCSP sends a request for certificate status information. The server sends back a response of current, expired, or unknown. The protocol specifies the syntax for communication between the server (which contains the certificate status) and the client application (which is informed of that status). OCSP allows users with expired certificates a grace period, so they can access servers for a limited time before renewing.

A security engineer is configuring a system that requires the X.509 certificate information to be pasted into a form field in Base64 encoded format to import it into the system. Which of the following certificate formats should the engineer use to obtain the information in the required format? A. PFX B. PEM C. DER D. GER

B. PEM PEM is a de facto file format for storing and sending cryptography keys, certificates, and other data, based on a set of 1993 IETF standards defining "privacy-enhanced mail." While the original standards were never broadly adopted, and were supplanted by PGP and S/MIME, the textual encoding they defined became very popular. The PEM format was eventually formalized by the IETF in RFC 7468. Many cryptography standards use ASN.1 to define their data structures, and Distinguished Encoding Rules (DER) to serialize those structures. Because DER produces binary output, it can be challenging to transmit the resulting files through systems, like electronic mail, that only support ASCII. The PEM format solves this problem by encoding the binary data using base64.

An administrator discovers the following log entry on a server: Nov 12 2013 00:23:45 httpd[2342:] GET /app2/prod/proc/ process.php?input=change;cd% 20../../../etc;cat%20shadow Which of the following attacks is being attempted? A. Command injection B. Password attack C. Buffer overflow D. Cross-site scripting

B. Password attack One of the first post exploitation activities when we have compromised a target is to obtain the passwords hashes in order to crack them offiine. If we managed to crack the hashes then we might be able to escalate our privileges and to gain administrative access especially if we have cracked the administrator's hash. After gaining access to a root account, the next order of business is using that power to do something more significant. If the user passwords on the system can be obtained and cracked, an attacker can use them to pivot to other machines if the login is the same across systems. There are two tried-and-true password-cracking tools that can accomplish this: John the Ripper and Hashcat. A couple files of particular interest on Linux systems are the /etc/passwd and /etc/shadow files. The /etc/passwd file contains basic information about each user account on the system, including the root user, which has full administrative rights, system service accounts, and actual users. There are seven fields in each line of /etc/passwd. The /etc/shadow file contains the encrypted passwords of users on the system. While the /etc/passwd file is typically world-readable, the /etc/shadow is only readable by the root account. The shadow file also contains other information such as password expiration dates. As we know in UNIX systems, the password hashes are stored in the /etc/shadow location so we will run the command cat /etc/shadow in order to see them.

A network technician is trying to determine the source of an ongoing network based attack. Which of the following should the technician use to view 1Pv4 packet data on a particular internal network segment? A. Proxy B. Protocol analyzer C. Switch D. Firewall

B. Protocol analyzer A protocol analyzer is a computer application used to track, intercept and log network traffic that passes over a digital network. It analyzes network traffic and generates a customized report to assist organizations in managing their networks. Protocol analyzers also may be used by hackers to intrude on networks and steal information from network transmissions. A protocol analyzer is also known as a sniffer, network analyzer or packet analyzer

Joe, an employee, wants to show his colleagues how much he knows about smartphones. Joe demonstrates a free movie application that he installed from a third party on his corporate smartphone. Joe's colleagues were unable to find the application in the app stores. Which of the following allowed Joe to install the application? (Select two.) A. Near-field communication. B. Rooting/jailbreaking C. Ad-hoc connections D. Tethering E. Sideloading

B. Rooting/jailbreaking E. Sideloading Jailbreaking is the process of removing software restrictions put into place by Apple on devices that run the iOS operating system. To accomplish a jailbreak, a custom kernel is used to grant root access to the device. So on an Android device, rooting basically gives you access to more or less the entire operating system. You can completely remove the OS and replace it with user made operating systems that contain tweaks and enhancements (known as ROMS), and you can even access and adjust settings such as your processor speeds. Sideloading typically refers to media file transfer to a mobile device via USB, Bluetooth, WiFi or by writing to a memory card for insertion into the mobile device. When referring to Android apps, "sideloading" typically means installing an application package in APK format onto an Android device.

Which of the following would enhance the security of accessing data stored in the cloud? (Select TWO) A. Block level encryption B. SAML authentication C. Transport encryption D. Multifactor authentication E. Predefined challenge questions F. Hashing

B. SAML authentication D. Multifactor authentication Implementing multifactor authentication provides basic authentication for cloud organization members. By enabling multifactor authentication, cloud administrators limit the likelihood that a member's cloud account could be compromised. To add additional authentication measures, cloud administrators can also enable SAML single sign-on (SSO) so that organization members must use single sign-on to access an organization. If both multifactor authentication and SAML SSO are enabled, organization members must do the following: • Use multifactor authentication to log in to their cloud account • Use single sign-on to access the cloud • Use an authorized token for API or cloud provider access and use L_ single sign-on to authorize the token

Which of the following use the SSH protocol? A. Telnet B. SCP C. SNMP D. FTPS E. SSL F. SFTP

B. SCP & F. SFTP SSH, also known as Secure Socket Shell is a network protocol that provides administrators with a secure way to access a remote computer. SSH also refers to the suite of utilities that implement the protocol. Secure Shell provides strong authentication and secure encrypted data communications between two computers connecting over an insecure network such as the Internet. SSH is widely used by network administrators for managing systems and applications remotely, allowing them to log in to another computer over a network, execute commands and move files from one computer to another. SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding TCP ports and X11 Unix connections; it can transfer files using the associated SSH file transfer (SFTP) or secure copy (SCP) protocols

Six months into development, the core team assigned to implement a new internal piece of software must convene to discuss a new requirement with the stake holders. A stakeholder identified a missing feature critical to the organization, which must be implemented. The team needs to validate the feasibility of the newly introduced requirement and ensure it does not introduce new vulnerabilities to the software and other applications that will integrate with it. Which of the following BEST describes the current software development phase? A. The system integration phase of the SDLC B. The system analysis phase of SDLC C. The system design phase of the SDLC D. The system development phase of the SDLC

B. The system analysis phase of SDLC A systems development life cycle (SDLC) is composed of a number of clearly defined and distinct work phases, which are used by systems engineers, and systems developers to plan for, design, build, test, and deliver information systems. In the systems analysis, requirements phase we define project goals into defined functions and operations of the intended application. This involves the process of gathering and interpreting facts, diagnosing problems, and recommending improvements to the system. Project goals will be further aided by analysis of end-user information needs and the removal of any inconsistencies and incompleteness in these requirements. A series of steps followed by the developer include: 1. Collection of facts: Obtain end user requirements through documentation, client interviews, observation, and questionnaires. 2. Scrutiny of the existing system: Identify pros and cons of the current system in-place, to carry forward the pros and avoid the cons in the new system. 3. Analysis of the proposed system: Find solutions to the shortcomings described in step two and prepare the specifications using any specific user proposals.

An organization's file server has been virtualized to reduce costs. Which of the following types of backups would be MOST appropriate for the particular file server? A. Snapshot B. Full C. Incremental D. Differential

C. Incremental The question specifically stated it is an organization's file server. An incremental backup is a type of backup that only copies files that have changed since the previous backup. For example, if a full backup was performed on Monday, Tuesday's incremental will back up all changed files since Monday's backup. However, Wednesday's incremental will only back up files that have changed since Tuesday's incremental backup and so on until another full backup is performed

During a recent audit, it was discovered that several user accounts belonging to former employees were still active and had valid VPN permissions. Which of the following would help reduce the amount of risk the organization incurs in this situation in the future? A. Time-of-day restrictions B. User access reviews C. Group-based privileges D. Change management policies

B. User access reviews Organizations these days are very dynamic with their distributed workforces and applications. As these companies grow, their IT teams must perform the increasingly complex task of user access management. Security professionals define access control policies and controls that mandate user access review on a periodic basis. The user access list is sent to application owners for review, and user IDs are disabled or deleted as necessary. The user access review control helps ensure that unauthorized users do not continue to exist in the system if the user ID is deleted during the normal offboarding process. However, if user access reviews have not been carried out diligently or organizational changes impede access management, the user ID deletion process becomes quite complex. For instance, if a large multinational corporation has been growing through mergers and acquisitions, the integration of user access systems is complicated and cumbersome. Statutory audits in these organizations often reveal noncompliance related to user access management.

Which of the following is an important step to take BEFORE moving any installation packages from a test environment to production? A. Roll back changes in the test environment B. Verify the hashes of files C. Archive and compress the files D. Update the secure baseline

B. Verify the hashes of files File integrity can be compromised, usually referred to as the file becoming corrupted. A file can become corrupted by a variety of ways: faulty storage media, errors in transmission, write errors during copying or moving, software bugs, and so on. Hash-based verification ensures that a file has not been corrupted by comparing the file's hash value to a previously calculated value. If these values match, the file is presumed to be unmodified. Due to the nature of hash functions, hash collisions may result in false positives, but the likelihood of collisions is often negligible with random corruption

An application developer is designing an application involving secure transports from one service to another that will pass over port 80 for a request. Which of the following secure protocols is the developer MOST likely to use? A. FTPS B. SFTP C. SSL D. LDAPS

C. SSL SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and_J browsers remain private and integral

An information security analyst needs to work with an employee who can answer questions about how data for a specific system is used in the business. The analyst should seek out an employee who has the role of: A. steward B. owner C. privacy officer D. systems administrator

B. owner Data ownership is the act of having legal rights and complete control over a single piece or set of data elements. It defines and provides information about the rightful owner of data assets and the acquisition, use and distribution policy implemented by the data owner.

An information security specialist is reviewing the following output from a Linux server. user@server: -$ crontab - 1 5 * * * * /user/local/bin/bacKup.sh user@server: - $ cat /usr/local/bin/backup.sh #!/bin/bash if ! grep - - quiet joeuser/etc/password then rm - rf / fi Based on the above information, which of the following types of malware was installed on the server? /local/ A. Logic bomb B. Trojan C. Backdoor D. Ransomware E. Rootkit

C. Backdoor First crontab -I (crontab list of cronjobs, display crontab file contents) then the 5 ****means execution time which is at 12:05 a.m. everyday. The next line is a simple backup script to run every morning at 5 minutes past midnight. -$ cat /usr/local/bin/backup.sh The very first line of a script is the header line. This line begins with #! at the top of the script, flush with the left margin. This character combination identifies the kind of (backdoor) script. Linux uses this information to start the right program to run the script. For Bash scripts, this line is the absolute pathname indicating where the Bash interpreter resides. On most Linux distributions, the first header line is as follows #!/bin/bash. For a specific user, you can get the same information simply by entering grep joeuser /etc/passwd q, --quiet, --silent Quiet; do not write anything to standard output. Exit immediately with zero status if any match is found, even if an error was detected. rm (remove) You can't just rm a directory by default, you'll need to add the -r flag (recursive) to remove all the files and any subdirectories it may have.

A company has a data system with definitions for "Private" and "Public". The company's security policy outlines how data should be protected based on type. The company recently added the data type "Proprietary". Which of the following is the MOST likely reason the company added this data type? A. Reduced cost B. More searchable data C. Better data classification D. Expanded authority of the privacy officer

C. Better data classification Classification of commercial or nongovernment organizations does not have a set standard. The classification used is dependent on the overall sensitivity of the data and the levels of confidentiality desired. Additionally, a nongovernment organization might consider the integrity and availability of the data in its classification model. There is no formula in creating the classification system-the system used is dependent on the data. Some organizations use two types of classification: confidential and public. For others, a higher granularity might be necessary. Below contains a typical list of classifications that can be used for commercial organizations, from highest to lowest. Sensitive: Data that is to have the most limited access and requires a high degree of integrity. This is typically data that will do the most damage to the organization should it be disclosed. Confidential: Data that might be less restrictive within the company but might cause damage if disclosed. Private: Private data is usually compartmental data that might not do the company damage but must be keep private for other reasons. Human resources data is one example of data that can be classified as private. Proprietary: Proprietary data is data that is disclosed outside the company on a limited basis or contains information that could reduce the company's competitive advantage, such as the technical specifications of a new product. Public: Public data is the least sensitive data used by the company and would cause the least harm if disclosed. This could be anything from data used for marketing to the number of employees in the company.

A system administrator wants to provide balance between the security of a wireless network and usability. The administrator is concerned with wireless encryption compatibility of older devices used by some employees. Which of the following would provide strong security and backward compatibility when accessing the wireless network? A. Open wireless network and SSL VPN B. WPA using a preshared key C. WPA2 using a RADIUS back-endfor 802.1x authentication D. WEP with a 40-bit key

C. WPA2 using a RADIUS back-endfor 802.1x authentication WPA2-Enterprise with 802.1x authentication can be used to authenticate users or computers in a domain. The supplicant (wireless client) authenticates against the RADIUS server (authentication server) using an EAP method configured on the RADIUS server

A security administrator determined that users within the company are installing unapproved software. Company policy dictates that only certain applications may be installed or ran on the user's computers without exception. Which of the following should the administrator do to prevent all unapproved software from running on the user's computer? A. Deploy antivirus software and configure it to detect and remove pirated software B. Configure the firewall to prevent the downloading of executable files C. Create an application whitelist and use OS controls to enforce it D. Prevent users from running as administrator so they cannot install software.

C. Create an application whitelist and use OS controls to enforce it. In Windows it is possible to configure two different methods that determine whether an application should be allowed to run. The first method, known as blacklisting, is when you allow all applications to run by default except for those you specifically do not allow. The other, and more secure, method is called whitelisting, which blocks every application from running by default, except for those you explicitly allow. Application whitelisting is the practice of specifying an index of approved software applications that are permitted to be present and active on a computer system. The goal of whitelisting is to protect computers and networks from potentially harmful applications. In general, a whitelist is an index of approved entities. Whitelisting works best in centrally managed OS controlled environments, where systems are subject to a consistent workload. The National Institute of Standards and Technology suggests using application whitelisting in high-risk environments, where it is vitally important that individual systems be secure and less important that software be useable without restrictions. To provide more flexibility, a whitelist may also index approved application components, such as software libraries, plug-ins, extensions and configuration files

An organization uses SSO authentication for employee access to network resources. When an employee resigns, as per the organization's security policy, the employee's access to all network resources is terminated immediately. Two weeks later, the former employee sends an email to the help desk for a password reset to access payroll information from the human resources server. Which of the following represents the BEST course of action? A. Approve the former employee's request, as a password reset would give the former employee access to only the human resources server. B. Deny the former employee's request, since the password reset request came from an external email address. C. Deny the former employee's request, as a password reset would give the employee access to all network resources. D. Approve the former employee's request, as there would not be a security issue with the former employee gaining access to network

C. Deny the former employee's request, as a password reset would give the employee access to all network resources. Off-boarding users is not only an HR responsibility; it is an IT management responsibility. To do their job, employees often require many tools such as laptops, phones, subscription accounts, software, and access to networks that hold corporate data. When employees leave a company, they are expected to return the equipment supplied by the IT department. While HR is tasked with offboarding users and maybe deactivating accounts in payroll or travel systems, it's too often a few days before anyone tells IT that the employee has been terminated. This is exactly the time, where an employee who was involuntarily terminated may be most motivated to inflict damage however possible. To solve all the issues above, organizations need to integrate all the separate systems that govern the identity lifecycle of a user and automate user access. Starting with connecting the HR system, which is the source of truth for when employees join, leave or move, to all the applications and permissions granted to users in the organization. In many cases this includes an overlay over old systems like Active Directory. An end to end automation of onboarding and offboarding processes can benefit not just the IT department, but also the business and the end-users.

A system administrator is configuring a site-to-site VPN tunnel. Which of the following should be configured on the VPN concentrator during the IKE phase? A. RIPEMD B. ECDHE C. Diffie-Hellman D. HTTPS

C. Diffie-Hellman IKE is a key management protocol standard that is used in conjunction with the IPsec standard. IPsec is an IP security feature that provides robust authentication and encryption of IP packets. IPsec can be configured without IKE, but IKE enhances IPsec by providing additional features, flexibility, and ease of configuration for the IPsec standard. IKE is a hybrid protocol that implements the Oakley key exchange and Schema key exchange inside the Internet Security Association Key Management Protocol (ISAKMP) framework. Diffie Hellman is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecure communications channel. Diffie-Hellman is used within IKE to establish session keys

A security administrator has been tasked with improving the overall security posture related to desktop machines on the network. An auditor has recently found that several machines with confidential customer information displayed in the screens were left unattended during the course of the day. Which of the following could the security administrator implement to reduce the risk associated with the finding? A. Implement a clean desk policy B. Security training to prevent shoulder surfing C. Enable group policy based screensaver timeouts D. Install privacy screens on monitors

C. Enable group policy based screensaver timeouts Most of the companies today want the computers to be locked out after specific interval of time or after specific duration of inactivity on the computer. The employees are advised to lock their computer before they step away from the computer but if the employee steps away without locking the computer it could lead to unauthorized access to domain workstations within your organization. With the help of group policy, the administrator can define settings and automatically lock the computer after the specified amount of minutes. This will prevent the unauthorized access to the computer even though the employees forget to lock their computers

A security engineer is configuring a wireless network that must support mutual authentication of the wireless client and the authentication server before users provide credentials. The wireless network must also support authentication with usernames and passwords. Which of the following authentication protocols MUST the security engineer select? A. EAP-FAST B. E AP-TLS C. PEAP D. EAP

C. PEAP The Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP, is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel. PEAP provides a transport layer security structure where it is needed within EAP. It uses a public-key encryption certificate for this purpose. Server-side public-key certificates authenticate servers. The use of dedicated keys is part of an elaborate security authentication model for these kinds of network traffic setups. PEAP also involves subtypes for specific security protocols WPA and WPA2. In general, the use of Protected Extensible Authentication Protocol helps to address security inadequacies in some types of authentication frameworks and prevents different kinds of hacking that may cause problems in 802.11 network traffic. While the methods of all this are fairly inscrutable to the lay audience, the details are important to security professionals who want to make sure that authentication happens in an effective and efficient way

A system administrator wants to implement an internal communication system that will allow employees to send encrypted messages to each other. The system must also support non- repudiation. Which of the following implements all these requirements? A. Bcrypt B. Blowfish C. PGP D. SHA

C. PGP Pretty Good Privacy (PGP) is a methodology used for encrypting and decrypting digital files and communications over the Internet. It was released with the BassOmatic symmetric key algorithm but later replaced by the International Data Encryption Algorithm (IDEA) to circumvent certain BassOmatic flaws. Created by Phil Zimmerman in 1991, PGP was initially designed for email security. PGP works on the public key cryptography mechanism, where users encrypt and decrypt data using their respective public and private keys. PGP uses a symmetric encryption key to encrypt messages, and a public key is used with each sent and received message. First, the receiver must use its private key to decrypt the key and then decrypt the message through the decrypted symmetric key. PGP also provides data/file integrity services by digitally signing messages, allowing receivers to learn whether or not message confidentiality is compromised. PGP is also used to encrypt files stored on a computer and/or complete hard disk drives.

Multiple employees receive an email with a malicious attachment that begins to encrypt their hard drives and mapped shares on their devices when it is opened. The network and security teams perform the following actions: Shut down all network shares. Run an email search identifying all employees who received the malicious message. Reimage all devices belonging to users who opened the attachment. Next, the teams want to re-enable the network shares. Which of the following BEST describes this phase of the incident response process? A. Eradication B. Containment C. Recovery D. Lessons learned

C. Recovery

A bank requires tellers to get manager approval when a customer wants to open a new account. A recent audit shows that there have been four cases in the previous year where tellers opened accounts without management approval. The bank president thought separation of duties would prevent this from happening. In order to implement a true separation of duties approach the bank could: A. Require the use of two different passwords held by two different individuals to open an account B. Administer account creation on a role based access control approach C. Require all new accounts to be handled by someone else other than a teller since they have different duties D. Administer account creation on a rule based access control approach

C. Require all new accounts to be handled by someone else other than a teller since they have different duties Separation of duties is a classic security method to manage conflict of interest, the appearance of conflict of interest, and fraud. It restricts the amount of power held by any one individual. It puts a barrier in place to prevent fraud that may be perpetrated by one individual. Fraud will still occur if there is collusion. To be certain that you have identified all separation of duties issues, you will first need to create an information flow diagram for every function within each area of the organization. However, common sense can help identify a large number of situations where separation of duties is appropriate. For instance, positions that handle money, valuable items, and new and attractive items (think iPod after it first came out), require a number of controls. Although there are a number of similar controls among organizations, specific controls are relatively different between industries. There is no complete matrix that may be applied to all organizations. Separation of duties within each company is unique. Since separation of duties equates to additional cost because it often increases head count, a risk assessment should first be performed to determine whether it is necessary, or whether compensating controls are adequate. As you are aware, management may decide to accept, avoid, or transfer the risk instead of mitigating the risk through separation of duties. It is a balance between the cost and the amount of risk being considered and addressed. Once this is decided, management may determine where separation of duties will be applied.

Which of the following should be used to implement voice encryption? A. SSLv3 B. VDSL C. SRTP D. VoIP

C. SRTP Voice encryption (SRTP) The Secure Real Time Transport Protocol (SRTP) is based on the Real Time Transport Protocol (RTP). SRTP is used for example in internet telephony Voice over IP (VoIP), in order to guarantee an eavesdrop-secure transfer of telephone data between multiple conversation participants.

An organization wishes to provide better security for its name resolution services. Which of the following technologies BEST supports the deployment of DNSSEC at the organization? A. LDAP B. TPM C. TLS D. SSL E. PKI

C. TLS TLS/SSL encryption is currently based on certificates issued by certificate authorities (CAs). Within the last few years, a number of CA providers suffered serious security breaches, allowing the issuance of certificates for well-known domains to those who don't own those domains. Trusting a large number of CAs might be a problem because any breached CA could issue a certificate for any domain name. DNS based Authentication of Named Entities (DANE) is a protocol to allow X.509 certificates, commonly used for Transport Layer Security (TLS), to be bound to DNS names using Domain Name System Security Extensions (DNSSEC). DANE enables the administrator of a domain name to certify the keys used in that domain's TLS clients or servers by storing them in the Domain Name System (DNS). DANE needs the DNS records to be signed with DNSSEC for its security model to work.

Before an infection was detected, several of the infected devices attempted to access a URL that was similar to the company name but with two letters transported. Which of the following BEST describes the attack vector used to infect the devices? A. Cross-site scripting B. DNS poisoning C. Typo squatting D. URL hijacking

C. Typo squatting Typosquatting , also known as URL hijacking, is a form of cybersquatting (sitting on sites under someone else's brand or copyright) that targets Internet users who incorrectly type a website address into their web browser (e.g., "Gooogle.com" instead of "Google.com").

An incident responder receives a call from a user who reports a computer is exhibiting symptoms consistent with a malware infection. Which of the following steps should the responder perform NEXT? A. Capture and document necessary information to assist in the response. B. Request the user capture and provide a screenshot or recording of the symptoms C. Use a remote desktop client to collect and analyze the malware in real time. D. Ask the user to back up files for later recovery

C. Use a remote desktop client to collect and analyze the malware in real time.. The incident response team should work quickly to analyze and validate each incident, following a pre-defined process and documenting each step taken. When the team believes that an incident has occurred, the team should rapidly perform an initial analysis to determine the incident's scope, such as which networks, systems, or applicationsare affected; who or what originated the incident; and how the incident is occurring (e.g., what tools or attack methods are being used, what vulnerabilities are being exploited). The initial analysis should provide enough information for the team to prioritize subsequent activities, such as containment of the incident and deeper analysis of the effects of the incident

A security analyst wishes to increase the security of an FTP server. Currently, all traffic to the FTP server is unencrypted. Users connecting to the FTP server use a variety of modern FTP client software. The security analyst wants to keep the same port and protocol, while also still allowing unencrypted connections. Which of the following would BEST accomplish these goals? A. Require the SFTP protocol to connect to the file server. B. Use implicit TLS on the FTP server C. Use explicit FTPS for connections D. Use SSH tunneling to encrypt the FTP traffic

C. Use explicit FTPS for connections When an FTPS client is operating in "explicit" mode, the client itself is supposed to request certain security-related information from the server that it is communicating with before a file transfer can begin. When a connection is first established, the client itself will request certain encryption information that should be in place on the server level. Encryption more or less "scrambles" information while in transit, making sure that even if data is intercepted it will still not be accessible to someone without the appropriate key. With explicit mode, one of two things can happen if the client itself is not set up to make this security request: the server can either allow the client program to continue to operate in a natively insecure fashion (i.e. standard FTP), or the connection can be refused until security-related adjustments are made. Explicit mode essentially gives you options regarding how, where and why your files can be transferred at any given time. Thankfully, FTP Today offers site administrators the ability to require and enforce the use of explicit FTPS on port 21 and to deny the use of FTP on that same standard port. FTPS (Explicit) - tcp port 21 (command)+ passive ports (data) - This was added to FTP to all the client to negotiate encryption for the FTP communication. FTPS(E) functions the same as FTP except it negotiates an SSL or TLS connection when the client asks for it, prior to authentication.

A chief Financial Officer (CFO) has asked the Chief Information Officer (CISO) to provide responses to a recent audit report detailing deficiencies in the organization security controls. The CFO would like to know ways in which the organization can improve its authorization controls. Given the request by the CFO, which of the following controls should the CISO focus on in the report? (Select Three) A. Password complexity policies B. Hardware tokens C. Biometric systems D. Role-based permissions E. One time passwords F. Separation of duties G. Multifactor authentication H. Single sign-on I. Least privilege

D, F, & I Role-based access control (RBAC) is a method of access security that is based on a person's role within a business. Role-based access control is a way to provide security because it only allows employees to access information they need to do their jobs, while preventing them from accessing additional information that is not relevant to them. An employee's role determines the permissions he or she is granted and ensures that lower level employees are not able to access sensitive information or perform high-level tasks. Separation of duties is an internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task. Separation of duties involves breaking down tasks that might reasonably be completed by a single individual into multiple tasks so that no one person is solely in control. Payroll management, for example, is an administrative area in which both fraud and error are risks. A common segregation of duties for payroll is to have one employee responsible for the accounting portion of the job and someone else responsible for signing the checks. The principle of least privilege, an important concept in computer security, is the practice of limiting access rights for users to the bare minimum permissions they need to perform their work. Under principle of least privilege, users are granted permission to read, write or execute only the files or resources they need to do their jobs: In other words, the least amount of privilege necessary.

Joe is exchanging encrypted email with another party. Joe encrypts the initial email with a key. When Joe receives a response, he is unable to decrypt the response with the same key he used initially. Which of the following would explain the situation? A. An ephemeral key was used for one of the messages B. A stream cipher was used for the initial email; a block cipher was used for the reply C. Out-of-band key exchange has taken place D. Asymmetric encryption is being used

D. Asymmetric encryption is being used Asymmetric Encryption is a form of encryption where keys come in pairs. What one key encrypts, only the other can decrypt. Frequently (but not necessarily), the keys are interchangeable, in the sense that if key A encrypts a message, then B can decrypt it, and if key B encrypts a message, then key A can decrypt it. While common, this property is not essential to asymmetric encryption. Asymmetric Encryption, known as Public Key Cryptography, since users typically create a matching key pair, and make one public while keeping the other secret. Users can "sign" messages by encrypting them with their private keys. This is effective since any message recipient can verify that the user's public key can decrypt the message, and thus prove that the user's secret key was used to encrypt it. If the user's secret key is, in fact, secret, then it follows that the user, and not some impostor, really sent the message. Users can send secret messages by encrypting a message with the recipient's public key. In this case, only the intended recipient can decrypt the message, since only that user should have access to the required secret key.

During an application design, the development team specifies a LDAP module for single sign-on communication with the company's access control database. This is an example of which of the following? A. Application control B. Data in-transit C. Identification D. Authentication

D. Authentication Single sign-on is an access control management method that is used to provide login access to various services using a central credentials management server. All other services that are integrated in the central authentication server can then be used only using a single authentication mechanism. In most organizations, SSO is setup using a directory service. A directory service is a kind of database system that holds the authentication and policy structure. Lightweight Directory Access Protocol (LDAP) protocol is the most common way of setting up access to the directory service. This is a standardized and vendor neutral protocol. An LDAP server holds entries for all the employees and various attributes and can be set on those entries that define its access scope. Whenever an employee wants to login to any service, they provide their internal credentials, and the service makes a trip to the LDAP server to get attributes for their entry. If they have the required attributes to access the service, they go through the authentication. It is worth noting that LDAP is a plain-text protocol and should only be used with SSL. This means using LDAPS instead. Another common method used is Kerberos. In contrast to LDAP, this system only requires one time login and provides an access token that is used to automatically login to all other services. SAML is often used for applications that are web-based.

The security administrator has noticed cars parking just outside of the building fence line. Which of the following security measures can the administrator use to help protect the company's WiFi network against war driving? (Select TWO) A. Create a honeynet B. Reduce beacon rate C. Add false SSID D. Change antenna placement E. Adjust power level controls F. Implement a warning banner

D. Change antenna placement E. Adjust power level controls Wardriving refers to hackers driving around with laptops or mobile devices connected to high-powered antennas, scanning for unlocked (i.e., no password needed for access) or poorly protected networks. Configuring a wireless network requires a combination of power settings, antenna choice, and antenna location. A feature that can really help you with security in your wireless access point configuration, you may have controls over how much power you put out on the wireless access point. Ideally, you would set this to go as low as you possibly can and still have people communicating. That way you are not sending your signal out to the parking lot where other people may be able to hear what is going on your wireless network. Along those same lines, it really does make a difference where you put the antenna for your wireless access point, especially if you need to overlap different parts of the organization. You may have a big floor. Moreover, it may not be possible to put a single wireless access point in the middle and try to see if everybody can hear that access point. So this is where you may want to adjust power levels, adjust where your different antennas are being placed, and maybe even change the type of antenna you're using, maybe not to be an omnidirectional antenna. Maybe choose one that only looks in different directions to send its signal and receive its signal. There are many options out there. You can check with your manufacturer of your wireless access point and see what types of antennas are available for the particular model that you have.

Which of the following types of cloud infrastructures would allow several organizations with similar structures and interests to realize the benefits of shared storage and resources? A. Private B. Hybrid C. Public D. Community

D. Community A community cloud in computing is a collaborative effort in which infrastructure is shared between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third-party and hosted internally or externally. This is controlled and used by a group of organizations that have shared interest. The costs are spread over fewer users than a public cloud (but more than a private cloud), so only some of the cost savings potential of cloud computing are realized

An information system owner has supplied a new requirement to the development team that calls for increased non-repudiation within the application. After undergoing several audits, the owner determined that current levels of non-repudiation were insufficient. Which of the following capabilities would be MOST appropriate to consider implementing in response to the new requirement? A. Transitive trust B. Symmetric encryption C. Two-factor authentication D. Digital signatures E. One-time passwords

D. Digital signatures A valid digital signature gives a recipient reason to believe that the message was created by a known sender (authentication), that the sender cannot deny having sent the message (non-repudiation), and that the message was not altered in transit (integrity). Digital signatures employ asymmetric cryptography

The SSID broadcast for a wireless router has been disabled but a network administrator notices that unauthorized users are accessing the wireless network. The administer has determined that attackers are still able to detect the presence of the wireless network despite the fact the SSID has been disabled. Which of the following would further obscure the presence of the wireless network? A. Upgrade the encryption to WPA or WPA2 B. Create a non-zero length SSID for the wireless router C. Reroute wireless users to a honeypot D. Disable responses to a broadcast probe request

D. Disable responses to a broadcast probe request In order to make the discovery and selection of an AP easier, a Service Set Identifier (SSID) is assigned to it, which is human readable name for the network with a maximum length of 32 characters. Generally, AP devices have a unique SSID assigned to them at manufacturing time, but many users customize them for their convenience. A user, who desires to connect to a network, needs to select the SSID from the list of nearby networks and provide the corresponding password to establish a secure connection. To reduce user burden when re-connecting to known AP, devices typically cache credentials and SSIDs and scan for nearby APs. If a known AP is discovered, the device re-connects automatically to it. Although APs periodically announce their SSID and it is possible to scan them passively, the preferred way for scanning is active scanning by the client using WIFI probe request frames. A probe request is essentially a broadcast question: "Is AP with SSID xxxx listening? Please respond". These probe requests are sent out in bursts, one for every saved AP SSID, usually once every 60 seconds. Between the bursts the radio can be turned off, which saves power. Whenever an AP receives a probe request with its assigned SSID, it responds with a probe response frame and connection is initiated. The simplest and most secure option to obscure the presence of the wireless network of course is manually switch off WIFI when it is not used. Finding and disabling the option to automatically connect to WIFI networks should have similar effect. The option to not scan or automatically reconnect to known APs may not be present or may be ineffective disabling probe requests. In these cases it may be necessary to disable option to remember network for sensitive networks, to not use the device in places where monitoring is probable, and to manually switch off WIFI whenever possible.

A mobile device user is concerned about geographic positioning information being included in messages sent between users on a popular social network platform. The user turns off the functionality in the application, but wants to ensure the application cannot re-enable the setting without the knowledge of the user. Which of the following mobile device capabilities should the user disable to achieve the stated goal? A. Device access control B. Location based services C. Application control D. GEO-Tagging

D. GEO-Tagging Geotagging is the addition of geographical information, usually in the form of latitude and longitude coordinates, to Web sites, images, videos, smartphone transmissions, and various other data types and sources. Sometimes geotagging includes place names such as street addresses, towns, postal zip codes, or telephone area codes. Less often, altitude data may be given as well

Which of the following can affect electrostatic discharge in a network operations center? A. Fire suppression B. Environmental monitoring C. Proximity card access D. Humidity controls

D. Humidity controls Temperature is the hottest topic (pardon the pun) when it comes to maintaining the proper environmental conditions in a data center-particularly in the context of energy consumption and cost-but humidity is also important. Liquid water is generally a bad thing in your data center, but in the air, it is something you need in the right proportions. Too much humidity can lead to condensation, which can in turn cause corrosion or-in sufficient amounts-electrical shorts. Too little humidity promotes buildup of electrostatic charge, and discharges of static electricity can damage or destroy sensitive electronics. Part of the solution is data center measurement and monitoring. Installing humidity sensors (along with temperature sensors) provides information that enables maintaining proper environmental conditions

A security analyst has been asked to perform a review of an organization's software development lifecycle. The analyst reports that the lifecycle does not A. Architecture evaluation B. Baseline reporting C. Whitebox testing D. Peer review

D. Peer review The benefits of code review are widely accepted as a quality improvement and control strategy. The development community now understands the impact of code review on overall software quality- the ability to identify and remediate errors and issues before the code is passed over to QA for testing. The software development lifecycle (SDLC) peer review contributes a measure of quality control practices to software development by allowing teams to review their development artifacts early and often. The ability to review these documents easily and thoroughly is critical to ensuring that everyone is one the same page, especially important as teams grapple with last-minute customer demands and requirements changes. The extended development team needs to understand the impact of changing requirements on everything from development effort to task and release management. The consistent review of all development artifacts helps teams meet specified project and delivery goals

A security analyst wants to harden the company's VoIP PBX. The analyst is worried that credentials may be intercepted and compromised when IP phones authenticate with the PBX. Which of the following would best prevent this from occurring? A. Implement SRTP between the phones and the PBX B. Place the phones and PBX in their own VLAN. C. Restrict the phone connections to the PBX. D. Require SIPS on connections to the PBX.

D. Require SIPS on connections to the PBX. In Voice over IP telephony, two standard protocols are used. SIP (Session Initiation Protocol port 5060) creates the connection from peer to peer (e.g. phone to phone or phone to phone system). Let's say it sets the switches for the audio stream. Once the connection is established, the RTP (Real time Transport Protocol) is used to transport the audio or video data. A big security issue of standard SIP/RTP connections is that SIP messages and RTP streams can be intercepted and read/listened to by everyone with basic network technology knowledge. Due to this, it is recommended to use plain SIP/RTP only in local area networks (LAN) and not via the public internet. To overcome the security flaws of SIP and RTP and safely make secure calls via the internet, encrypted versions of both protocols have been developed. SIPS (port 5061), which stands for SIP Secure, is SIP, extended with TLS (Transport Layer Security). With this TLS, a secure connection between IP PBX and VoIP telephone can be established using a handshake approach. SRTP encodes the voice into encrypted IP packages and transport those via the internet from the transmitter (IP phone system) to the receiver (IP phone or softphone), once SIPS has initiated a secure connection. To allow the receiver to decrypt the packages, a key is sent via SIPS, while the connection is initiated in the previous step

A system administrator wants to provide for and enforce wireless access accountability during events where external speakers are invited to make presentations to a mixed audience of employees and non-employees. Which of the following should the administrator implement? A. Shared accounts B. Preshared passwords C. Least privilege D. Sponsored guest

D. Sponsored guest Do you have guests at your workplace that require internet access? The advantage to deploying a sponsored guest network is the security that comes with it. By secluding this network, you can control who has access to your company's network of computers, servers, and printers. This also allows you to limit the internet resources available to visitors. You can restrict the guest network to a speed that offers reasonable access without affecting the network performance available to your employees

In determining when it may be necessary to perform a credentialed scan against a system instead of a noncredentialed scan, which of the following requirements is MOST likely to influence this decision? A. The scanner must be able to enumerate the host OS of devices scanned B. The scanner must be able to footprint the network. C. The scanner must be able to check for open ports with listening services. D. The scanner must be able to audit file system permissions

D. The scanner must be able to audit file system permissions Credentialed scans are scans in which the scanning computer has an account on the computer being scanned that allows the scanner to do a more thorough check looking for problems that cannot be seen from the network. Credentialed scanning, and more specifically, the Policy Compliance plugins, allow customized auditing of operating systems, applications, databases, file content - nearly all aspects of configuration that impacts security. Nessus offers baseline files for a variety of operating systems, applications, standards, and policies

The chief security officer (CSO) has issued a new policy that requires that all internal websites be configured for HTIPS traffic only. The network administrator has been tasked to update all internal sites without incurring additional costs. Which of the following is the best solution for the network administrator to secure each internal website? A. Use certificates signed by the company CA B. Use a signing certificate as a wild card certificate C. Use certificates signed by a public ca D. Use a self-signed certificate on each internal server

D. Use a self-signed certificate on each internal server An SSL certificate is a means to bind a cryptographic key to company's details. When used properly, it ensures web customers that the site they are visiting does, in fact, belong to you. SSL certificates also helps to enable secure http (HTTPS) on your website, thereby securing transactions of various sorts. For most businesses, these SSL certificates are purchased from companies like VeriSign, Symantec, and Network Solutions. Purchasing an SSL certificate is not the only means of acquiring such a file. For those not in the know, there is always the self-signed certificate. Simply put, the self-signed SSL certificate is created in house. Technically, Self Sign SSL Certificate means a certificate, which is signed by the same individual whose identity it certifies. It means that the private key is signed by the owner of the certificate him/herself (not by trusted Certificate Authority). A self-signed certificate is free of cost, thereby encourages website owners to secure their website. If you have a website that has limited pages and limited users, then self-sign SSL certificate can be a good option for you

A security administrator is tasked with conducting an assessment made to establish the baseline security posture of the corporate IT infrastructure. The assessment must report actual flaws and weaknesses in the infrastructure. Due to the expense of hiring outside consultants, the testing must be performed using in-house or cheaply available resource. There cannot be a possibility of any requirement being damaged in the test. Which of the following has the administrator been tasked to perform? A. Risk transference B. Penetration test C. Threat assessment D. Vulnerability assessment

D. Vulnerability assessment A vulnerability assessment is the process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, applications and network infrastructures and providing the organization doing the assessment with the necessary knowledge, awareness and risk background to understand the threats to its environment and react appropriately. A vulnerability assessment provides an organization with information on the security weaknesses in its environment and provides direction on how to assess the risks associated with those weaknesses and evolving threats. This process offers the organization a better understanding of its assets, security flaws and overall risk, reducing the likelihood that a cybercriminal will breach its systems and catch the business off guard.

Joe, the security administrator, sees this in a vulnerability scan report: "The server 10.1.2.232 is running Apache 2.2.20 which may be vulnerable to a mod_cgi exploit." Joe verifies that the mod_cgi module is not enabled on 10.1.2.232. This message is an example of: A. a threat. B. a risk C. a false negative. D. a false positive

D. a false positive Microsoft Terminal Services uses the RDP (Remote Desktop Protocol). In this default configuration, an attacker could perform man in-the-middle (MiTM) attacks to obtain the username and password, in addition to logging the keystrokes sent to the systems being managed. You will have to apply the following scenarios to your environment and come to your own conclusions on how to deploy (or not deploy) RDP as the remote access solution for your systems: • Attackers able to perform a MiTM attack will steal credentials and have the ability to log keystrokes • Attackers able to send packets to the RDP port (3389) can execute denial of service attacks • If attackers already have, or develop, a working exploit, it would allow them to control the target system • Exposed services, depending on configuration, are vulnerable to brute-force password attacks

A company has a security policy that specifies all endpoint computing devices should be assigned a unique identifier that can be tracked via an inventory management system. Recent changes to airline security regulations have cause many executives in the company to travel with mini tablet devices instead of laptops. These tablet devices are difficult to tag and track. An RDP application is used from the tablet to connect into the company network. Which of the following should be implemented in order to meet the security policy requirements? A. Virtual desktop infrastructure (IOI) B. WS-securityand geo-fencing C. A hardware security module (HSM) D. RFIO tagging system E. MOM software F. Security Requirements Traceability Matrix (SRTM).

E. MOM software Mobile device management (MOM) is an industry term for the administration of mobile devices, such as smartphones, tablet computers, laptops and desktop computers. MOM is usually implemented with the use of a third party product that has management features for particular vendors of mobile devices. Mobile device management (MOM) is software that allows IT administrators to control, secure and enforces policies on smartphones, tablets and other endpoints. MOM is a core component of enterprise mobility management (EMM) which also includes mobile application management, identity and access management and enterprise file sync and share. The intent of MOM is to optimize the functionality and security of mobile devices within the enterprise while simultaneously protecting the corporate network

A security administrator wants to configure a company's wireless network in a way that will prevent wireless clients from broadcasting the company's SSID. Which of the following should be configured on the company's access points? A. Enable ESSID broadcast B. Enable protected management frames C. Enable wireless encryption D. Disable MAC authentication E. Disable WPS F. Disable SSID broadcast

F. Disable SSID broadcast Most broadband routers and other wireless access points (APs) automatically transmit their network name (SSID) into the open air every few seconds. You can choose to disable this feature on your Wi Fi network but before you do, be aware of the pros and cons. The simple reason SSID broadcasting is used in the first place is to make it easy for clients to see and connect to the network. Otherwise, they have to know the name beforehand and set up a manual connection to it. However, with the SSID enabled, not only do your neighbors see your network any time they browse for nearby Wi-Fi, it makes it easier for potential hackers to see that you have a wireless network within range. Similarly, while it is technically a better decision to keep your SSID hidden away, it is not a foolproof security measure. A hacker with the right tools and enough time, can sniff out the traffic coming from your network, find the SSID and continue on their hacking way. Knowing your network's name brings hackers one-step closer to a successful intrusion, just like how an unlocked door paves the way for an attacker