Gsec 2022

Which SSO protocol uses a grant flow, consisting of a front and back channel, to provide access tokens for resources? -SAML -Kerberos -LDAP -OAuth

OAuth OAuth uses a grant flow with front and back channels to protect access tokens. SAML uses XML messages, LDAP relies on directory services, and Kerberos provides tickets for authentication.

Developers have designed an application that allows a user to create a new account when placing an order online. What is an attacker attempting when providing the input below? bobtheattacker: ls-alf| -SQL injection -Cross-Site Scripting -OS command injection -Buffer overflow

OS command injection The attacker is trying to perform an OS command injection on the server through the application. If the application does not perform input validation and strip operating system commands, then, depending on the logic of the application, it will execute ls -alf and return the output of the command to the web session.

Which threat will be reduced by avoiding system calls from within a web application especially system calls based on user input? -Broken Authentication -OS command injection -SQL injection -Buffer Overflows

OS command injection The primary way to avoid OS command injection attacks is to avoid system calls from your web application, especially when the system call is built based on user input. In most cases, you should be able to find a function or library within your programming language that can perform the same action.

A Linux administrator ran the commands below. The content of each file is displayed after the command. What would cause the two files to have different hashes? root@system123:/tmp# cat example1.txt TEST FILE root@system123:/tmp# cat example99.txt TEST FILE root@system123:/tmp# md5sum example1.txt 5deffb997041bbb5f11bdcafdbb47975 root@system123:/tmp# md5sum example99.txt 13927f6f0f7357427€8a32b5f4017ede -The two file names are different -One of the files has a hidden character -The length of the file names is different -md5sum changes the salt each time it is run

One of the files has a hidden character Hashing is based on the binary composition of the file, not the viewable ASCII characters. Even if the file content looks the same when viewed, if there are any hidden characters the hashes will be different. A difference in the names, or name lengths, of two files will not affect the hash. md5sum does not use a salt to hash files.

Use sudo to launch Snort with the /etc/snort/snort.conf file in full mode to generate alerts based on incoming traffic to eth0. What alert message is triggered by UDP packets from 10.101.88.36?

Open a Mate terminal and launch Snort with the following command: sudo snort -c /etc/snort/snort.conf -i eth0 -A full Then read the alert file: cat /var/log/snort/alert

Which of the following endpoint security features prevents a program from either running or accessing the internet until the program is approved? -Operating System Control Firewall -Packet Filter Firewall -Host Intrusion Detection System

Operating System Control Firewall The most flexible trust model of all for endpoint firewalls is Operating System Control Firewall. It will not even allow a program to run or access the internet until the program is approved. Endpoint firewalls typically treat the individual PC as a trusted domain and filter packets coming from the network to the trusted domain. One of the most popular approaches to commercial personal firewalls is Application Control Firewalls. These have the capability to screen incoming packets, but also keep a set of rules for applications. This allows the trust domain to be much more granular. One can configure a rule to allow a specific application to connect to a specific IP address or a specific port. The significance of this, as a user, is that when an unknown application on the PC attempts to access the internet, it is detected by the firewall, and the user is given an opportunity to approve the connection or refuse it. A Packet Filter Firewall examines each packet that crosses the firewall and tests the packet according to a set of rules that you set up. If the packet passes the test, it is allowed to pass. If the packet does not pass, it is rejected. A Host Intrusion Detection System is capable of monitoring and analyzing the internals of the host computing system and, similar to the way a Network Intrusion Detection System operates, monitors and analyzes network packets on the host's network interfaces as well.

Which of the following is a method of log filtering that focuses on collecting only organizationally defined high value logs for retention? -Rate-limiting -Output-driven -Hybrid -Input-driven

Output-driven Output-driven log filtering collects only the logs defined by the organization to be relevant and interesting; others are filtered out. Input-driven log filtering collects all the logs, applying no filters. Hybrid approaches typically collect all logs and then filter out log sources that are high volume, low interest. While rate-limiting isn't a log filtering strategy, this system protection mechanism may discard logs during especially high-volume logging periods.

Iptables is a popular application used in Linux to perform which of the following functions? -Integrity checker -Vulnerability assessment -Packet filtering -Proxy

Packet filtering Linux has had built-in firewall abilities since the mid-90s. The technology has been replaced a few times (you may see references to the old ipfwadm or ipchains), but the current packet filtering is called iptables.

A system administrator thinks an attacker is sending malicious data to a router. Which tool will help show this? -Router configuration guide -Remote access tool -NTP device -Packet sniffer

Packet sniffer Sniffers can be hardware devices that physically attach to the network, but more commonly, they are software programs that run on networked computers. The sniffers that come bundled with your operating system are designed as tools for the system administrator.

Which Windows native scripting language has additional logging capabilities to record the actions and activities in an operational transaction log? -Bash scripting -Perl -Batch commands -PowerShell

PowerShell PowerShell has the capability of enabling transcription logging, which will create a file that contains the commands run from memory or from scripts, whether or not encoding/obfuscation is enabled.

The IT team built and operates a storage center in the company's data center so that employees can safely access sensitive company data from company-owned assets using commercial tools. What type of infrastructure are they using? -Private Cloud -Hybrid Cloud -Infrastructure as a Service -Public Cloud

Private Cloud Cloud service types: Public: When all cloud services are operated by a third party. Private: When IT resources are built, operated, and managed by a single organization, typically in their own data center(s). Hybrid: When an organization uses a combination of public cloud services with on-premise, or "private," services. This is typically done when an enterprise has legacy systems of record that, for various reasons, cannot be moved to the cloud.

Which WPA3 feature will help to prevent a 'spoof of a disassociate request' type DoS attack? -Opportunistic Wireless Encryption -Protected Management Frames -Simultaneous Authentication of Equals -Dragonfly Handshake

Protected Management Frames Protected Management Frames (PMF) is less about confidentiality protection and more about integrity and availability. One of the most substantial risks natively inherent to wireless communications is the possibility of those communications being "interfered" with. Depending on how the communications are impacted, there is a large possibility of the network experiencing a DoS, a loss of availability. There are numerous different types of DoS that can be leveraged against a WLAN. One type to focus on is a spoof of a disassociate request. Protected Management Frames are designed to try and prevent these types of attack scenarios. PMF are required and mandated for WPA3.

Internal firewalls and VLANs are useful tools for setting up which of the following? -Configuration management -Subnet ranges -Protected enclaves -Traffic proxies

Protected enclaves VLANs and firewalls are good ways to segment network traffic into more secured enclaves.

Which is an advantage of centralized logging? -Protects against log wiping -Decreases the central syslog server target value -Requires less storage -Diminishes possibility of denial-of-service attack

Protects against log wiping The main advantage to centralized logging is that it makes it difficult for a remote attacker to wipe or otherwise corrupt the system logs. Any logs generated from their attacks are sent immediately to another machine, which stores the data. Assuming the syslog server does not in turn get hacked, the information remains there to be discovered by the system administrator and can be used in the recovery process. One key vulnerability of this design is that it makes it possible either to cause the syslog client machines to send so much log data that it overwhelms the central syslog server, or for an attacker to send false messages to the central syslog server directly to clutter up the logs. The only protection against a syslog client that is sending lots of information is to have a syslog server that has lots of disk to store that information. The central syslog server is a machine that is critical to protect.

An attacker maps open and closed ports on a perimeter packet filtering firewall by sending unsolicited packets with the ACK flag set. What should the firewall's response be for open ports? -ACK FIN -RST ACK -SYN ACK -SYN FIN

RST ACK When an attacker sends a packet with only the ACK flag set to a host on a network protected by a packet filtering firewall, the response is typically a RST ACK, since the firewall has no record of an outgoing SYN packet from the internal host.

Restoring system backups is performed during which NIST Cyber Framework Core category? -Recover -Identify -Detect -Respond -Protect

Recover Restoring system backups is a recovery function that occurs after system protection measures and incident response.

Which of the following processes reviews a complete incident and ensures that any gaps are identified and corrected? -Triaging -Patching -Verification -Remediation

Remediation Closely tied to recovery is remediation. Remediation involves taking in the full story of the attack and ensuring that all gaps are identified and remediated. The root cause of an incident can have many contributing factors. The detection may have been on a system that was reached after a web server was compromised in a DMZ, followed by lateral movement. A quick fix may be to patch and change passwords on the system where the incident was detected; however, the breadth of the attack may involve many systems. A "flat network" could have contributed to the ease with which an attacker was able to move around. This is when the internal design of the organization is such that there are no protected enclaves and no controls preventing inside users from reaching sensitive systems such as those in a data center. Fixing this contributing factor may require a complete re-architecture of the network. The initial foothold may have been gained through an internet-facing system such as a web server, or it could have been gained through a phishing attack where a user opened a malicious document.

Why is the job of analyzing Network Intrusion Detection System (NIDS) logs more difficult than analyzing firewall logs? -NIDS produces false positives -NIDS time signatures do not correlate with other device signatures -NIDS logs do not use standard syslog format -IDS only creates Out-of-Baseline events

NIDS produces false positives Reviewing Network IDS logs is extremely useful and is often a frustrating task because NIDSs sometimes produce false positives. Still, NIDS log analysis often comes second after firewalls; the value of such info for security is undeniable, and logs can, in most cases, be easily centralized for analysis. NIDS may or may not use syslog format, but collectors (or their pre-processors) normalize the logging differences of the logs they aggregate. In situations where correlation is important, the time difference between an IDS and another system is trivial in nearly all circumstances. Once properly tuned, NIDS produces routine, known bad, and out-of-baseline events.

Which of the following limits how long someone holds a job? -List-based access control -Rotation of duties -Least privilege -Separation of duties

Rotation of duties Separation of duties needs to be implemented, where a given task is split between two individuals so no single individual by himself can make a decision. Separation of duties works; but the more people work together, the greater the chance they will collude in order to accomplish a crime. The more people work together, the more the power of separation of duties erodes away because people build trust. To minimize the chance of this occurring, rotation of duties needs to be performed. This is where people are rotated out of certain jobs at set intervals so the chance of two people colluding is minimized.

Which of the following can be used to list all shares, including hidden shares, on a Windows server? -Open the Local Security Policy editor -Open My Network Places as an Administrator -Run net use from the command line -Run PowerShell's Get-SmbShare command

Run PowerShell's Get-SmbShare command If a share name ends with a dollar sign ($), then the share name is not visible in My Network Places. A list of all the shares on your computer, both visible and hidden, can be obtained from the command line using Get-SmbShare in PowerShell or net share on older systems. Looking for unwanted shares, especially hidden shares, should be a part of regular server audits.

Container technologies, such as Docker, are designed for which of the following? -Sharing host OS libraries and configuration files -Running their own guest OS -Sharing processes across applications -Running a single isolated application

Running a single isolated application Containers perform isolation at the application level. The applications run as isolated processes, but they run on a single host operating system. There is no guest OS. With containers, all the applications share the same kernel. Docker is an evolution of LXC that focuses on single application-level containers. Docker is also focused on single process and stateless-based containers.

Which algorithm is typically used to fingerprint digital evidence? -AES -ECC -RSA -SHA-256

SHA-256 A hashing algorithm's output might be referred to as a hash, message digest, or fingerprint. SHA256 is typically used to create a hash of digital evidence. A file is input into SHA256, and a 256-bit unique fingerprint of the file is created. Hashing does not modify the original file in any manner whatsoever. Because the primary application of hash functions is message integrity, security-conscious users may choose to cryptographically sign the fingerprint to guard it against inadvertent modification. Digitally signing a fingerprint safeguards the integrity of the fingerprint. RSA and ECC may be used for digital signatures for this protection. AES is a symmetric encryption algorithm.

Which of the following is a difference between EC2 security groups and VPC NACLs? -VPC NACLs will use the most permissive rule available in the list. -VPC NACLs only define ALLOW actions -Rule matching stops once a matching rule is found in a security group -Security groups are stateful rules

Security groups are stateful rules EC2 security groups differ from VPC NACLs in a few key ways including: • Security group rules only define ALLOW actions. There is no DENY option. • Security group rules are stateful (compared to stateless NACLs), which means that responses to inbound traffic are automatically allowed. • All rules are evaluated before making an allow or deny decision. In the event of a conflict, the most permissive rule wins.

Before deploying a web server in a production environment, what process could a systems administrator put in place to detect an attacker modifying data in the document root folder? -Configure packet sniffers that detect if private data is being passed in the clear to the Internet -Configure a perimeter firewall to log attempted network connections from known bad IP addresses -Set up an Intrusion Detection System to detect malicious packets coming into the web server -Set up an automated job that runs daily and determines if the web server's files have been altered

Set up an automated job that runs daily and determines if the web server's files have been altered The concept of integrity means determining if data has been altered or modified. Setting up a process that detects unauthorized changes to files is one step an administrator could take to determine this. Identifying private traffic that is passed in the clear is a step an administrator should take to ensure confidentiality. Determining if malicious packets are coming into the site, or if known bad sites are trying to connect to servers on the site's network, are good security practices, but they do not indicate whether the site's data has been altered.

Which choice best describes the line below? alert tcp any any -> 192.168.1.0/24 80 (content: "/cgi-bin/test.cgi"; msg: "Attempted CGI-BIN Access!!";) -Snort rule -Wireshark filter -Tcpdump filter -iptables rule

Snort rule

What takes place during a core evaluation test of a CIS control? -Awareness training -Paperwork review -Technical evaluation -Policy review

Technical evaluation Core evaluation tests are technical tests meant to test if the business goal of the CIS Critical Security control is being met. An example would be to install a benign software application on several computers and measure the amount of time it takes for the new software to be detected.

Full disk encryption prevents data loss in which of the following scenarios? -A rootkit is installed -The computer is stolen -User accounts are compromised -There is a man in the middle attack between the computer and the internet

The computer is stolen On-the-fly Encryption: When a user accesses an encrypted file, the file is decrypted for reading. When the user closes the file (in other words, it is no longer being accessed), the file is re-encrypted back to the hard drive of the system. What this means is that the system, and consequently the encryption routines employed on the system, is accessing the file based on the context of the user. If the system is turned on and the user is logged in, the user's permissions will dictate whether the file can be decrypted or not. If the user is authorized to decrypt the file, the file will be readable to anyone who accesses the system while the user is logged into it. If the system is turned off and gets stolen, no one can access the file without logging in as the authorized user.

An employee is currently logged into the corporate web server, without permission. You log into the web server as "admin" and look for the employee's username "dmaul" using the "who" command. This is what you get back: [user@localhost ~]$ who admin :0 2010-09-11 06:49 dvader pts/3 2010-09-11 08:07 (localhost.localdomain) solo pts/4 2010-09-11 08:14 (192.168.54.3) cdooku pts/4 2010-09-11 08:14 (192.168.54.5) Based on what you see, which of the following probably occurred? -The contents of the http logs have been altered -The contents of the bash history file has been altered -The contents of the /var/log/messages file has been altered -The contents of the utmp file has been altered

The contents of the utmp file has been altered The "who" command gets its output from the utmp file, located at /var/run/utmp. The utmp file keeps track of users who are currently logged in. "w" and "finger" also get data from utmp. Based on the output of the who command, four users are logged in, but none of them is the user "dmaul". The most likely reason for this is that the user is trying to conceal their presence on the computer by altering the content of the utmp file. The who command does not get output from /var/log/messages, bash history or http logs.

For which of the following reasons does UDP work well for applications like real-time video? -The loss of one or two packets is tolerable. -It guarantees that all the packets will reach the destination. -The network prioritizes UDP higher than TCP. -It can set Quality-of-Service to a high level for better transmission.

The loss of one or two packets is tolerable. UDP is typically used in situations in which it is okay if some packets are lost or reordered. In a streaming audio application, for example, each packet contains such a small amount of audio data that the client probably can afford to lose one or two packets in succession without suffering a noticeable lack of quality.

A security administrator downloads a template from NIST and applies it to user workstations. Complaints about not being able to access some network services soon flood the help desk. Which of the following choices is the most likely cause of the incident? -Security configurations need to be built on the individual machines -The template needs to be customized for the network -NIST templates are designed for stand-alone systems -The firewall doesn't recognize changes made by the template

The template needs to be customized for the network Security templates may have to be customized to fit a specific network, since a template cannot take every environment into account. An administrator must know their own network, but they don't have to start from scratch.

Use Hashcat to crack a local shadow file. What is the password for the user account Pangborn_Alan? Hints • The shadow file (shadow) and Hashcat wordlist (gsecwordlist.txt) are located in the directory /home/giac/PasswordHashing/ • Run Hashcat in straight mode (flag -a 0) to crack the SHA256 hashes (flag -m 7400) in the shadow file. • Use the hash values from the Hashcat output file and the shadow file to match the cracked password with the user name. • If required, a backup copy of the original files can be found in the shadowbackup directory.

The username Pangborn_Alan has a salted SHA256 hash stored in the shadow file. Hashcat can crack the SHA256 hashes in the shadow file with the following command: hashcat -m 7400 -a 0 -o cracked.txt /home/giac/PasswordHashing/shadow /home/giac/PasswordHashing/gsecwordlist.txt

What is a concept associated with a logical network diagram? -Current patch levels of systems and software -The way components interact with each other -Access controls for services on the network -The business case for the network topology

The way components interact with each other Building on top of the conceptual design, the logical network design will take what was identified from the conceptual design and drill down further into the actual details. The logical design will start to break out how the identified components operate, both independently and together. What we are NOT describing, at this point, are the finely detailed aspects of the components themselves. We are not discussing patch levels, hardening configurations, etc. That will occur in the next phase of the network architecture understanding.

What is the function of the TTL (Time to Live) field in IPv4 and the Hop Limit field in IPv6 in an IP Packet header? -These fields are initialized to an initial value to prevent packet fragmentation and fragmentation attacks. -These fields are decremented each time a packet is retransmitted to minimize the possibility of routing loops. -These fields are recalculated based on the required time for a packet to arrive at its destination. -These fields are incremented each time a packet is transmitted to indicate the number of routers that an IP packet has traversed.

These fields are decremented each time a packet is retransmitted to minimize the possibility of routing loops. As defined in RFC 3682, the TTL (Time to Live) field in IPv4 and the Hop Limit field in IPv6 are decremented in order to prevent routing loops. The first distractor roughly describes the reverse of what is really happening with the TTL and Hop Limit. The second distractor describes a function that does not occur with these fields. In the final distractor, there is no recalculation process, only decrementing of the field value by 1.

Which of the following is a trait of persistent cookies? -They are the preferred mechanism to track web session state -They are stored in memory -Additional authentication could be required to establish a session -They can create privacy concerns

They can create privacy concerns Persistent cookies can create privacy concerns. Persistent cookies are stored on disk. Because of this, they create security concerns when used to track session state, and additional authentication is required to establish a session.

Together, Network Access Control (NAC) and a Virtual LAN (VLAN) can be used to achieve which objective? -To allow several computers to work closely together so they seem to form a single computer. -To allow remote users to access resources on an internal LAN. -To place systems on an isolated network segment until they are properly scanned and patched. -To authenticate users and determine what resources they are allowed to use.

To place systems on an isolated network segment until they are properly scanned and patched. Together, NAC and a VLAN can allow systems to be placed on isolated VLANs until they have been scanned and properly patched, thus limiting their exposure to infecting other systems. Allowing remote users access to internal LAN resources is done through use of a VPN; authentication and authorization (and accounting - AAA) can be done with an LDAP server, RADIUS, or other protocol; several computers working together as one is an example of clustering technology.

Which of these log-monitoring detections is the highest priority security event for the log analyst performing daily log review? -Unauthorized configuration changes -Web browsing to non-work-related websites -Connections denied by the firewall -Collection of baseline data from a new logging source

Unauthorized configuration changes Unauthorized configuration changes are indicators of compromise, and so should be investigated promptly. The remaining answers are tasks that typically are dealt with monthly or quarterly if at all.

Amazon Cognito uses which of the following for authenticating access requests from an identity provider (IdP)? -Security groups -Managed policies -Shared access signatures -User pools

User pools Amazon Cognito is an authentication service that allows users to sign up, sign in and access your web and mobile applications. The authentication process relies on social identity providers (IdP) like Google, Facebook and Amazon, or on enterprise identity providers like Azure Active Directory. Amazon Cognito supports user pools and identity pools.

Which system patching approach would align with the CIS Security Controls? -Updating machines using an ISO image DVD -Using WSUS to deploy patches -Synchronizing patches to annual Service Pack deployments -Allow all users to quickly access and install hotfixes as needed

Using WSUS to deploy patches One of the SC's Project Guiding Principles is: "Defenses should be automated where possible and periodically or continuously measured using automated measurement techniques where feasible." WSUS provides automation and reporting of Windows-related patches. The other approaches are non-automated approaches that do not provide central reporting/measurement.

What are the last four digits of the SHA1 hash of the file /opt/snmpcheck/snmpcheck.pl?

Using the Mate terminal execute the following command: sha1sum /opt/snmpcheck/snmpcheck.pl

With Active Directory, what is the prerequisite to being "in the domain"? -Valid Network Identifier (NID) -Valid Security ID number (SID) -Valid Access Control List (ACL) -Valid Process Identifier (PID)

Valid Security ID number (SID) A "domain" is all of the users, computers and groups that have or, rather, are accounts in the Active Directory (AD) database. Who or what can be "in the domain"? Anything with a SID can be in a domain.

Analyze the screenshot below. What first step should the Linux administrator take to harden this host? Host is up (0.00013s latency). Not shown: 992 closed ports PORT STATE SERVICE 22/tcp open ssh 23/tcp open telnet 80/tcp open http 139/tcp open netbios-ssn 445/tcp open microsoft-ds 631/tcp open ipp 3128/tcp open squid-http 3389/tcp open ms-term-serv Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds -Verify if running services are necessary -Implement two-factor authentication for telnet -Turn off host-based file integrity checking -Turn on modsecurity for the http service

Verify if running services are necessary Only authorized and needed services should be installed and running on a system. Verifying which services are needed should be done before taking other steps to lock down or add additional security software. Reducing the footprint of the Linux installation and kernel increases security from the significantly reduced threat surface. There are fewer applications and packages installed to be vulnerable over time.

Which of the following needs to be supported for a device to be classified as Wi-Fi 6 or 802.11ax capable? -WPA3 -AES -WEP -TKIP

WPA3 Devices that support WPA3 are Wi-Fi 6 or 802.11ax capable.

At what point in the Incident Handling process should an organization determine its approach to notifying law enforcement? -When recovering from the incident -When reacting to an incident -When performing analysis -When preparing policy

When preparing policy When it comes to incident handling, planning is everything, and preparation plays a vital role. It is very important to have a policy in place that covers an organization's approach to dealing with an incident. One item that a security policy needs to cover is whether a company is going to notify law enforcement officials or remain silent when an incident occurs. If you are going to contact law enforcement, have a list of phone numbers for each agency you may need to involve. Another important item is whether to contain the incident and move into cleanup phases or to observe the attack in an attempt to gather more evidence.

Which Azure cloud service requires an RDP client? -Microsoft Office 365 -Windows Virtual Desktop -Windows Server Update Service (WSUS) -Windows Autopilot

Windows Virtual Desktop Instead of installing Windows 10 on the laptop in the user's hands, a Windows 10 virtual machine (VM) could be run in Azure and accessed using Remote Desktop Protocol (RDP). RDP allows remote control of the graphical desktop of the target VM in Azure. The only user-side requirement is being able to run an RDP client application that can reach the Azure cloud over a TLS-encrypted connection on TCP port 443. This Azure service is called Windows Virtual Desktop (WVD).

You are asked by your manager to run a vulnerability scan against the engineering department's network. What should you ensure you have before performing any scanning activity? -Previous Scan Results -Commercial Vulnerability Scanner -Written Permission -Root Access to Systems -Wireless Internet Scans

Written Permission Note that vulnerability scanning can be hazardous to your career. The difference between a penetration tester and an attacker is permission! Be sure you have it. If you are just now coming up with a scanning policy in your organization, get written permission from the highest level possible in your organization.

Which data security model requires encrypted communication channels? -Defense in Depth -Mandatory Access Control -Discretionary Access Control -Zero-Trust

Zero-Trust Zero-Trust is a form of Defense in Depth built on two key factors, authentication and encryption: every request is authenticated and every channel is encrypted regardless of where the client sits on the network. Secure end-to-end channels are therefore an absolute requirement of this model. The other security models can be enhanced with encrypted communication channels, but they do not require them.

A network analyst sees the Snort (IDS) log output message shown below while monitoring network traffic on the company's internal network SIEM. Which Snort rule could have generated the message? [**] [1:384:8] PROTOCOL-ICMP PING [**] [Classification: Misc activity] [Priority: 3] 01/03-22:11:35.523853 7.7.0.5 -> 192.168.0.11 ICMP TTL:1 TOS:0x0 ID:14686 IpLen:20 DgmLen:60 Type:8 Code:0 ID:1 Seq:147 ECHO -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING"; icode:0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:384; rev:8;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Unix"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:366; rev:11;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; metadata:ruleset community; classtype:misc-activity; sid:382; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP traceroute"; itype:8; ttl:1; metadata:ruleset community; classtype:attempted-recon; sid:385; rev:8;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING"; icode:0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:384; rev:8;) Snort is a lightweight network-based intrusion detection system (IDS) whose rules carry the identifiers that appear in every alert. The bracketed [1:384:8] at the start of the log line is the generator ID, signature ID (sid) and revision (rev) of the rule that fired, and the text after it is the rule's msg option. The log shows SID 384, rev 8 and the message PROTOCOL-ICMP PING, so the rule that produced the alert is the one with sid:384 and msg:"PROTOCOL-ICMP PING"; the other three candidates carry sid 366, 382 and 385. The traceroute rule (sid 385) would also match this packet's TTL of 1, but the identifiers in the alert show it is not the rule that logged it.
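To make the gid:sid:rev bookkeeping concrete, here is an added Python example (not part of the original flashcards, and not Snort's own code) that parses the alert header and the four candidate rules and returns the rule whose generator ID, sid and rev match the alert. The sample alert and rules are the ones from the question, reconstructed; ALERT_ID_RE and RULE_RE are simplified patterns written for this example and cover only the single-line rule syntax used here.

```python
import re

# Constructed sample data (not captured from Snort): the alert header from the
# question and the four candidate rules, with the OCR damage repaired.
SAMPLE_ALERT = (
    "[**] [1:384:8] PROTOCOL-ICMP PING [**] [Classification: Misc activity] "
    "[Priority: 3] 01/03-22:11:35.523853 7.7.0.5 -> 192.168.0.11 ICMP TTL:1 "
    "TOS:0x0 ID:14686 IpLen:20 DgmLen:60 Type:8 Code:0 ID:1 Seq:147 ECHO"
)

SAMPLE_RULES = [
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING"; '
    'icode:0; itype:8; metadata:ruleset community; classtype:misc-activity; '
    'sid:384; rev:8;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Unix"; '
    'itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; '
    'metadata:ruleset community; classtype:misc-activity; sid:366; rev:11;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Windows"; '
    'itype:8; content:"abcdefghijklmnop"; depth:16; metadata:ruleset community; '
    'classtype:misc-activity; sid:382; rev:7;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP traceroute"; '
    'itype:8; ttl:1; metadata:ruleset community; classtype:attempted-recon; '
    'sid:385; rev:8;)',
]

# "[**] [gid:sid:rev] msg [**]" is the fixed prefix of a Snort full/console alert.
ALERT_ID_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")

# Rule header: action proto src sport direction dst dport, then (options).
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


def parse_alert_header(line):
    """Return gid, sid, rev and msg from one Snort alert line."""
    m = ALERT_ID_RE.search(line)
    if not m:
        raise ValueError("not a Snort alert header: %r" % line[:40])
    gid, sid, rev, msg = m.groups()
    return {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg}


def split_options(opts):
    """Split the rule body on ';' outside double quotes (a content:"..." may contain ';')."""
    parts, buf, in_quotes = [], [], False
    for ch in opts:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(rule):
    """Parse one rule into its header fields plus an options dict keyed by option name."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % rule[:40])
    parsed = m.groupdict()
    options = {}
    for part in split_options(parsed.pop("opts")):
        key, _, value = part.partition(":")
        options[key.strip()] = value.strip().strip('"')
    parsed["options"] = options
    parsed["gid"] = int(options.get("gid", 1))   # gid defaults to 1, the rules engine
    parsed["sid"] = int(options["sid"])
    parsed["rev"] = int(options.get("rev", 1))
    return parsed


def find_rule(alert_line, rules):
    """Return the rule whose gid:sid:rev equals the alert's identifiers, or None."""
    hdr = parse_alert_header(alert_line)
    for rule in rules:
        r = parse_rule(rule)
        if (r["gid"], r["sid"], r["rev"]) == (hdr["gid"], hdr["sid"], hdr["rev"]):
            # Consistency check: the alert text must be the rule's msg option.
            if r["options"].get("msg") != hdr["msg"]:
                raise ValueError("sid/rev match but msg differs; check the rule files")
            return r
    return None


if __name__ == "__main__":
    hit = find_rule(SAMPLE_ALERT, SAMPLE_RULES)
    print(hit["sid"], hit["rev"], hit["options"]["msg"])
```

Matching on the full gid:sid:rev triple rather than on msg alone matters in practice: several rules can share a message text, and a rule's rev changes whenever its body is edited, so an alert from an older revision should not be attributed to the current rule body.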

What tool is used to search for how many times the user 'DoeJ' ran the 'udevs' service? -logwatch -mySQL -grep -cipher

grep grep is a Unix command that searches its input for lines matching a specified pattern, either a fixed string or a regular expression, and with its count option reports how many lines matched, which answers a "how many times" question directly. grep or a variation of it is implemented in most SIEMs to search for specific log events, and on a Linux/Unix machine it can be run directly against the files written by syslog or syslog-ng. cipher is a Windows command for managing EFS encryption on a Windows system; logwatch summarises logs and MySQL is a database, so neither is the search tool asked for.

Which Linux command below is similar to the Windows "dir" command? -cd -ln -ls -file -du

ls The ls command in Linux lists files and directory contents. The file command describes what type of data is in a file. The cd command changes directories. The du command reports how much space a file or directory takes. The ln command creates a link (hard or symbolic), the closest Linux equivalent of a shortcut.

What is the sudo-elevated account that is created on Linux to run a Hybrid Runbook Worker job? -system -daemon -nxautomation -root

nxautomation On Windows, Hybrid Runbook Worker jobs run under the local System account in a service. On Linux, they run as a special sudo-elevated account named nxautomation that was created when the Hybrid Runbook Worker agent was installed. On both platforms a job can be given "run as" credentials when it needs to authenticate to other machines or services. These credentials, together with the Automation account's private key and other secrets, are encrypted with Microsoft-managed keys and stored in Azure Key Vault.

Perform an OS fingerprinting map scan against 10.10.10.115. What are the OS details?

$ sudo nmap -O 10.10.10.115 OS detection sends crafted raw packets, which is why it needs root (sudo); nmap prints its fingerprint match under "OS details" in the scan output.

Perform an nmap ACK scan against 10.10.10.37. How many ports are returned?

$ sudo nmap -sA 10.10.10.37 An ACK scan does not tell you whether ports are open; it classifies each port as filtered or unfiltered, which is how it maps stateful firewall rules. If other scan types are run against this host (such as a SYN scan or a TCP connect scan), a different number of ports will be returned.

A sysadmin has chrooted an Apache server on an Ubuntu system in the directory /home/elmo. Where will the webadmin find the configuration file /etc/apache2/apache2.conf that will be used by the chrooted version of Apache? -/home/elmo/apache2.conf - /home/elmo/etc/apache2/apache2.conf - /etc/apache2/apache2.conf - /home/elmo/etc/apache2.conf

/home/elmo/etc/apache2/apache2.conf The chroot() system call confines an application to a directory and its subdirectories; files outside that tree are not visible to it, and every path the application opens is resolved relative to the chroot directory. If Apache has been started under chroot() with /home/elmo as its new root, then when it asks for /etc/apache2/apache2.conf the kernel opens /home/elmo/etc/apache2/apache2.conf, so that is where the configuration file (and the libraries and other files Apache needs) must be placed.

When will the following cron command execute? 0 0 1 * * root /usr/bin/apt-get update -12:00 AM on the first day of every month -12:00 AM on the first Monday of January -12:00 AM on the first day of every week -12:00 AM on January 1 every year

12:00 AM on the first day of every month From left to right the cron fields are minute (0-59), hour (0-23), day of month (1-31), month (1-12) and day of week (0-7, with both 0 and 7 meaning Sunday); in a system crontab the user name (root here) follows, then the command. Minute and hour are 0 and day of month is 1, while month and day of week are *, so the command runs at 12:00 AM on the first day of every month.
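As an added illustration (example code, not from the original flashcards), the following Python evaluates the five cron time fields, including lists, ranges, steps and the rule Vixie cron applies when both the day-of-month and day-of-week fields are restricted (either one matching is enough), and finds the next firing time after a given moment. The function names and the 400-day search limit are choices made for this example.

```python
from datetime import datetime, timedelta

# (low, high) bounds for minute, hour, day-of-month, month, day-of-week
FIELD_BOUNDS = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def expand_field(field, low, high):
    """Expand one cron field ('*', '5', '1-5', '*/15', '1,15', '1-5/2') to a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = low, high
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if not (low <= start <= end <= high) or step < 1:
            raise ValueError("field out of range: %r" % field)
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr):
    """Parse the five time fields of a crontab line (user and command are not passed in)."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: min hour dom month dow")
    minute, hour, dom, month, dow = (
        expand_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_BOUNDS)
    )
    if 7 in dow:                 # both 0 and 7 mean Sunday
        dow.discard(7)
        dow.add(0)
    return {
        "min": minute, "hour": hour, "dom": dom, "month": month, "dow": dow,
        # Vixie cron: when BOTH day fields are restricted (neither is a bare '*'),
        # the day matches if EITHER field matches; otherwise both must match.
        "day_or": fields[2] != "*" and fields[4] != "*",
    }


def matches(spec, when):
    """True if the datetime 'when' (seconds ignored) is a firing time for spec."""
    cron_dow = (when.weekday() + 1) % 7     # Python: Mon=0..Sun=6; cron: Sun=0..Sat=6
    if when.minute not in spec["min"] or when.hour not in spec["hour"]:
        return False
    if when.month not in spec["month"]:
        return False
    dom_ok = when.day in spec["dom"]
    dow_ok = cron_dow in spec["dow"]
    return (dom_ok or dow_ok) if spec["day_or"] else (dom_ok and dow_ok)


def next_run(expr, after, max_days=400):
    """First firing time strictly after 'after', found by stepping minute by minute."""
    spec = parse_cron(expr)
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    deadline = t + timedelta(days=max_days)
    while t < deadline:
        if matches(spec, t):
            return t
        t += timedelta(minutes=1)
    raise ValueError("no firing time within %d days" % max_days)


if __name__ == "__main__":
    now = datetime(2024, 3, 15, 10, 30)
    print("0 0 1 * * next fires at", next_run("0 0 1 * *", now))
```

The day_or rule is the classic surprise: a line such as "0 0 1-7 1 1", which looks like "first Monday of January", actually fires on every day 1-7 of January and on every Monday in January.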

How many ports will be scanned by nmap in the following command? nmap -sU 10.10.10.25 -p22,443 -1024 -422 -2 -8955 -421

2 nmap will scan the two UDP ports 22 and 443: -p22,443 is a comma-separated list of individual ports, not a range, and -sU makes this a UDP scan.
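An added Python example (not from the original flashcards, and not nmap's own parser) that expands a -p specification the way nmap reads it: comma lists, ranges, open-ended ranges, a bare "-" for every port, and T:/U: protocol prefixes that stick until the next prefix, then counts the probes for the requested scan types. parse_port_spec and count_ports are names chosen here.

```python
def parse_port_spec(spec, max_port=65535):
    """Return {'T': set, 'U': set} of port numbers selected by an nmap -p argument.

    Elements are comma separated; 'a-b' is a range, '-b' starts at 1, 'a-' ends
    at max_port, a bare '-' is 1-max_port. A 'T:' or 'U:' prefix applies to that
    element and to all following elements until another prefix appears; with no
    prefix a port applies to every protocol the scan covers."""
    ports = {"T": set(), "U": set()}
    current = ("T", "U")
    for part in spec.replace(" ", "").split(","):
        if not part:
            raise ValueError("empty element in port specification")
        if len(part) > 1 and part[1] == ":" and part[0].upper() in ("T", "U"):
            current = (part[0].upper(),)
            part = part[2:]
        if part == "-":
            low, high = 1, max_port
        elif "-" in part:
            a, b = part.split("-", 1)
            low = int(a) if a else 1
            high = int(b) if b else max_port
        else:
            low = high = int(part)
        if not (0 <= low <= high <= max_port):
            raise ValueError("bad port range: %r" % part)
        for proto in current:
            ports[proto].update(range(low, high + 1))
    return ports


def count_ports(spec, scan_protocols=("T",)):
    """Number of port probes nmap sends for -p SPEC given the scan types in use:
    'T' for TCP scans (-sS, -sT, -sA, ...), 'U' for -sU. Duplicates collapse."""
    ports = parse_port_spec(spec)
    return sum(len(ports[p]) for p in scan_protocols)


if __name__ == "__main__":
    print("nmap -sU -p22,443 probes", count_ports("22,443", ("U",)), "ports")
    print("nmap -sS -sU -p22,443 probes", count_ports("22,443", ("T", "U")), "ports")
```

One caveat the question's spacing hides: on a real command line "-p22, 443" is two arguments, and nmap would treat "443" as an additional target rather than a port; the space is removed here only so the flashcard's text parses.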

192.169.*.* How many IPs?

65536 The wildcards cover the last two octets, so the range is 192.169.0.0/16: 16 host bits give 2^16 = 65,536 addresses, of which 65,534 are usable for hosts once the network and broadcast addresses are excluded.

How many concurrent TCP streams can a firewall handle, using port address translation and a single, public, IP address? -262140 -255 -65535 -53955 -10000

65535 The port field is two bytes (16 bits) long, and 2^16 is 65,536; because port 0 is not normally a legal value, that leaves 65,535 possible source or destination ports. A firewall doing port address translation distinguishes the streams it has translated by the source port it assigns on its single public address, so it can track up to 65,535 concurrent TCP connections (and, separately, up to 65,535 UDP streams) from that one address.

What is a Microsoft servicing channel? -A contract level that allows an administrator to escalate service issues and seek timely support -An update mechanism that an administrator can deploy to control the amount of telemetry data that is sent to Microsoft -An organization of non-Windows devices in a domain network that are controlled and updated by an administrator through a WSUS server -A logical structure that allows an administrator the ability to control when patches, updates and upgrades are performed

A logical structure that allows an administrator the ability to control when patches, updates and upgrades are performed A servicing channel is a configuration option that lets an administrator group a set of workstations in a Windows network and delay the installation of updates, patches and feature upgrades for that group. The purpose of a servicing channel is to give administrators a reliable, staged process for testing and deploying new features and bug fixes.

With regard to defense-in-depth, which of the following statements about network design principles is correct? -A secure network design requires that systems that have outbound access to the Internet should not have inbound access from the Internet. -A secure network design will seek to separate resources by providing a security boundary between systems that have different network security requirements. -A secure network design will seek to provide an effective administrative structure by providing a single choke-point for the network from which all security controls and restrictions will be enforced. -A secure network design requires that networks utilize VLAN (Virtual LAN) implementations to ensure that private and semi-public systems are unable to reach each other without going through a firewall.

A secure network design will seek to separate resources by providing a security boundary between systems that have different network security requirements. Secure network design depends on resource separation. This covers not only networks but also the servers that provide services, especially those exposed to the outside world. Defense-in-depth means security is enforced at multiple layers rather than at a single choke-point. A VLAN can be used in a secure network design, but it is not mandatory: networks can also be separated by a true physical division, with an independent switch for each network.

Which Authenticator Assurance Level will accept a single-factor authentication? -AAL2 -AAL3 -AAL1

AAL1 • AAL1 - AAL1 requires either single-factor or multi-factor authentication using a wide range of available authentication technologies. Successful authentication requires that the claimant prove possession and control of the authenticator through a secure authentication protocol. AAL1 provides some assurance that the claimant controls an authenticator bound to the account. • AAL2 - Proof of possession and control of two different authentication factors is required, through secure authentication protocols. Approved cryptographic techniques are required at AAL2 and above. AAL2 provides high confidence that the claimant controls the authenticators bound to the account. • AAL3 - Authentication at AAL3 is based on proof of possession of a key through a cryptographic protocol. AAL3 authentication requires (1) a hardware-based authenticator and (2) an authenticator that provides verifier impersonation resistance; the same device may fulfill both requirements. To authenticate at AAL3, claimants are required to prove possession and control of two distinct authentication factors through secure authentication protocol(s). Approved cryptographic techniques are required. AAL3 provides very high confidence that the claimant controls authenticator(s) bound to the subscriber's account.

Which of the following is an advantage of a Host Intrusion Detection System (HIDS) versus a Network Intrusion Detection System (NIDS)? -Ability to detect malicious traffic before it has been decrypted. -Ability to decrypt network traffic -Ability to listen to network traffic at the perimeter -Ability to detect malicious traffic after it has been decrypted by the host

Ability to detect malicious traffic after it has been decrypted by the host A Host Intrusion Detection System (HIDS) does not suffer from the NIDS's blind spot for encrypted traffic: a NIDS on the wire sees only ciphertext for a TLS session, whereas the HIDS can inspect the traffic after the host has decrypted it.

Which of the following is used to protect passwords from successful pre-computation attacks? -Storing private keys separate from password values -Using a strong key with AES to encrypt passwords -Adding a random value to a password before hashing -Configuring account lockout after failed login attempts

Adding a random value to a password before hashing By pre-computing the hashes of likely passwords and storing the results in a table, an attacker reduces recovering a password to looking up its hash. Adding a random value (a salt) to each password before hashing means the same password produces a different hash for every user, so one pre-computed table no longer applies and the attacker must start over per account. Pre-computation attacks are offline attacks, so lockout thresholds do not apply, and they are not addressed by symmetric encryption of the password store, which only moves the problem to protecting the key.

What is required to perform configuration management? -A data classification policy -An accurate baseline document. -Up-to-date firmware for the devices -Data regarding the cost of ownership

An accurate baseline document. Managing configurations requires an accurate baseline document describing the approved state of each system and a way to detect when a change from that baseline has happened.

Based on the output of the log file below, what action is the firewall taking? 04/14/2017 7:04:57 - 1155 - Firewall - Alert - 162.220.223.28, 443, X1-172.16.64.140, 58074, X0 - tcp - Application Control Prevention Alert: PROXY-ACCESS Encrypted Key Exchange -- TCP Random Encryption(Skype, Ultrasurf, Emule), SiD: 5, AppID: 2980, Cat ID: 27 -Stateful Packet Filtering is blocking an attempted secure connection between host 172.16.64.143 and server 162.220.223.28 -Circuit Level Gateway is blocking an attempt by host 172.16.64.143 to connect to server 162.220.223.28 via a proxy server -Operating System Control is preventing a program from executing on the local host 172.16.64.143 -Application Control is stopping an application from establishing a secure connection to the external server 162.220.223.28

Application Control is stopping an application from establishing a secure connection to the external server 162.220.223.28 The alert was generated by the firewall's Application Control feature, which identifies applications by their traffic patterns rather than by port. It is preventing what it believes to be an application such as Skype, eMule or Ultrasurf from making an encrypted (port 443) connection to the external host 162.220.223.28. Operating System Control stops programs from running on a computer, but the log shows network traffic. Stateful Packet Filtering blocks packets based on IP address and port number, not on the application or payload. Circuit Level Gateways are firewalls that monitor TCP connections to determine whether they are legitimate, but they do not inspect the packet payload.

Which of the following is an example of hybrid cloud? -Applications run in Azure cloud, but they store data in an AWS S3 storage solution. -An application is deployed in Azure using containers, but it also leverages serverless functions. -An application is deployed in AWS, and it uses both Windows and Linux components. -Applications run in AWS, but some of them consult data from a legacy system in the company's data center.

Applications run in AWS, but some of them consult data from a legacy system in the company's data center. Hybrid cloud refers to the combined use of public and private cloud. Public cloud uses resources provided by a third party, while private cloud uses a company's own resources. Both Azure and AWS are public cloud, so combining them is multi-cloud, not hybrid. Using different operating systems or compute paradigms can be done in either a private or a public cloud and does not relate to the concept of hybrid cloud.

What is returned to Powershell when the command Connect-AzAccount is run and an authentication request is successfully completed? -List of Az roles -Authentication token -List of Az virtual machines -Security access token

Authentication token The PowerShell cmdlet Connect-AzAccount opens a web browser (or a device-code prompt) and requests authentication. Once credentials are supplied and successfully authenticated, Azure returns an authentication token to PowerShell, which the other Az modules in that session then use. Listing Az virtual machines and roles would require additional cmdlets. Windows security access tokens are issued by the Local Security Authority at logon for local authorization, not by Azure.

What differentiates Azure Active Directory (Azure AD) from Azure Active Directory Domain Services (Azure AD DS)? -Azure AD supports Group Policy while Azure AD DS is integrated into Intune -Azure AD is queried using LDAP while Azure AD DS is queried using REST -Azure AD is a Microsoft-managed domain while Azure AD DS is self-managed -Azure AD supports OAuth while Azure AD DS supports Kerberos

Azure AD supports OAuth while Azure AD DS supports Kerberos Azure AD supports OAuth 2.0, SAML, OpenID Connect and WS-Federation but not Kerberos, NTLM or LDAP; Azure AD DS exists to provide those legacy domain protocols (and Group Policy) as a managed domain for workloads that need them. Azure AD is integrated with Intune instead of Group Policy and is queried over REST (Microsoft Graph) rather than LDAP. Both services are managed to some extent by Microsoft, so the managed-versus-self-managed option is wrong.

What is the purpose of macOS Gatekeeper? -Prevent applications from running that match known malware signatures -Compare URLs to a deny list containing known phishing servers -Block execution of applications that are not signed by an Apple developer certificate -Create a security enclave that performs sensitive cryptographic operations

Block execution of applications that are not signed by an Apple developer certificate macOS Gatekeeper blocks by default all downloaded applications that are not signed with an Apple-issued Developer ID certificate (and, on current releases, notarized by Apple); an unsigned application can still be run if needed by explicitly allowing its execution. XProtect is a deny list of known-malware signatures and YARA rules: whenever an application is launched it is checked against XProtect's database and blocked if it matches. macOS also has anti-phishing capabilities built into the Safari web browser, based on a deny list of known phishing servers and domains. Apple offers macOS devices with a T2 Security Chip (or Apple silicon) containing a Secure Enclave that handles sensitive cryptographic operations and some peripheral access.

Which of the following is a function of HIPS? -Checking the permissions on a system executable -Crafting packets to test firewall rules -Monitoring performance of a site's network -Testing password strength of user accounts

Checking the permissions on a system executable A HIPS protects a system by performing three functions. First, it ensures key files have not been modified or had their permissions changed. Second, it monitors network activity relating to the specific host it is installed on. Third, it checks application calls and interactions with the operating system and with other applications. Crafting packets, monitoring site-wide network performance and testing password strength are jobs for other tools.

How are subnets partitioned into smaller virtual network segments in a VPC network? -Internet Gateway -CIDR blocking -Network Address Translation -Network Access Control Lists

CIDR blocking Subnets in a VPC network are partitioned by assigning each subnet its own CIDR block carved out of the VPC's address range (for example a /24 inside a /16). Network ACLs and NAT control what traffic may cross or leave those segments; they do not define them.

Which vulnerability is introduced into a website if developers fail to validate user input? -Invalid certificate -Code injection -Downgraded encryption -Inability to white list users

Code injection The programming libraries and frameworks an application calls do not innately perform input validation. If the developer does not validate input, users can inject malicious code (SQL, OS commands, script) through any field that reaches an interpreter.

Which of the following capabilities is provided exclusively by IPSec's Encapsulating Security Payload (ESP) protocol? -Anti-replay -Source authentication -Data integrity -Confidentiality

Confidentiality ESP provides confidentiality and authentication, and it can be used for either alone or for both; the Authentication Header (AH) offers integrity, source authentication and anti-replay but never encryption, which is why confidentiality is the capability unique to ESP. When encryption is chosen, everything in the packet above the network layer is encrypted with the selected algorithm. This includes the embedded protocol header (for example TCP, UDP or ICMP) and all of the message data. The packet is then rewritten by replacing the transport data with the payload field of the ESP message. Encryption can be turned off by using the NULL algorithm, which, as the name suggests, does nothing to the message: an ESP message is still generated and placed in the outgoing packet, but the data in the ESP payload remains in its original plaintext form.

Centrally managing a standardized time zone for all systems simplifies which log process? -Normalization -Correlation -Collection: -Storage

Correlation Correlating events across several log types is highly time dependent. Events that occurred in sequence may not appear that way if their timestamps are staggered across multiple time zones, which makes the analyst's job harder and automated alerting much less accurate. Log collection and storage do not depend on the log time. Log normalization is not dependent on time either, but on log format and a common data taxonomy.
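An added Python example (not from the original flashcards) with two constructed log sources whose clocks are in different zones, showing that sorting on raw wall-clock timestamps scrambles the real order of events and that normalising every timestamp to UTC restores it. The zones, the log lines and the 60-second correlation window are constructed for the example; fixed UTC offsets are used so no time-zone database is needed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: a firewall whose clock is set to New York time (UTC-5 in
# January) and a web server set to Berlin time (UTC+1). Neither log line
# carries its offset, a common real-world situation.
SOURCE_TZ = {
    "fw":  timezone(timedelta(hours=-5)),
    "web": timezone(timedelta(hours=1)),
}

CONSTRUCTED_LOGS = [
    ("fw",  "2024-01-15 21:02:10", "DENY 203.0.113.7 -> 10.0.0.5:22"),
    ("web", "2024-01-16 02:59:30", "GET /login 200 src=203.0.113.7"),
    ("web", "2024-01-16 03:01:45", "POST /login 302 user=admin src=203.0.113.7"),
    ("fw",  "2024-01-15 21:03:05", "ALLOW 203.0.113.7 -> 10.0.0.5:443"),
]

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def to_utc(source, local_timestamp):
    """Attach the source's zone to its wall-clock timestamp and convert to UTC."""
    naive = datetime.strptime(local_timestamp, TIME_FORMAT)
    return naive.replace(tzinfo=SOURCE_TZ[source]).astimezone(timezone.utc)


def naive_order(logs):
    """Sort on the raw timestamp text, as a SIEM does if zones are ignored."""
    return [msg for _, _, msg in sorted(logs, key=lambda e: e[1])]


def correlated_order(logs):
    """Sort on the normalised UTC instant, which is what correlation must use."""
    return [msg for _, _, msg in sorted(logs, key=lambda e: to_utc(e[0], e[1]))]


def events_near(logs, anchor_substring, window_seconds):
    """Messages of events (other than the anchor) within +/- window_seconds of
    the first event whose message contains anchor_substring, measured in UTC."""
    anchor = next(e for e in logs if anchor_substring in e[2])
    t0 = to_utc(anchor[0], anchor[1])
    window = timedelta(seconds=window_seconds)
    return [
        e[2] for e in logs
        if e is not anchor and abs(to_utc(e[0], e[1]) - t0) <= window
    ]


if __name__ == "__main__":
    print("wall-clock order:", [m.split()[0] for m in naive_order(CONSTRUCTED_LOGS)])
    print("UTC order:       ", [m.split()[0] for m in correlated_order(CONSTRUCTED_LOGS)])
    print("within 60s of the DENY:", events_near(CONSTRUCTED_LOGS, "DENY", 60))
```

In wall-clock order the firewall events appear five hours before the web requests; in UTC the login attempt precedes the denied SSH connection by 25 seconds, which is the sequence an analyst (or an automated rule with a 60-second window) actually needs to see.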

If a web application needed to accept user input, what could the developer do to reduce the likelihood of OS command-line injection? -Use system calls instead of programming language functions -Validate user input by running scripts on the client side -Configure the application to run with administrative privileges -Define which characters are valid and filter out everything else

Define which characters are valid and filter out everything else One of the best ways to prevent OS command injection is to define the acceptable characters (usually letters and digits) and strip out everything else. Another, less effective, method is to strip out OS commands and special characters; the problem is that the developer may miss a special character or command that can be used maliciously. Applications should run with non-administrative privileges to limit the damage an attacker can do if the application is exploited. A developer should use programming-language functions instead of system calls, because a system call hands the string to a shell or the kernel with whatever the user put in it. Validation must be performed on the server, not on the client, because a malicious user can bypass or modify scripts that run in the browser.
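An added Python example (not from the original flashcards) showing the vulnerable pattern, user input concatenated into a shell command string, beside the hardened form: a server-side allow-list of permitted characters and an argument vector handed to the process without any shell. The allow-list regex and the function names are choices made for this example.

```python
import re
import subprocess

# Allow-list: only the characters a filename in this application legitimately
# needs. The first character must be alphanumeric, which also rejects a leading
# '-' (option injection) and '.' / '..' (directory traversal). Everything else,
# including ; | & $ ` ( ) < > spaces and newlines, fails the match.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def vulnerable_command(user_input):
    """The pattern to avoid: user input glued into a string destined for
    subprocess.run(..., shell=True). Returned rather than executed so the
    injected metacharacters can be inspected safely."""
    return "ls -al " + user_input


def is_valid_filename(user_input):
    """Server-side allow-list check; True only if every character is permitted."""
    return ALLOWED_NAME.fullmatch(user_input) is not None


def validate_filename(user_input):
    """Reject anything outside the allow-list instead of trying to strip it."""
    if not is_valid_filename(user_input):
        raise ValueError("filename contains characters outside the allow-list")
    return user_input


def safe_argv(user_input):
    """Build an argument vector: no shell is involved, so nothing in the value is
    interpreted, and '--' stops ls from reading the name as an option."""
    return ["ls", "-al", "--", validate_filename(user_input)]


def list_file(user_input):
    """Run the hardened command and return (returncode, stdout).
    Assumes a POSIX host with ls on PATH."""
    proc = subprocess.run(safe_argv(user_input), capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    attacker_input = "report.txt; cat /etc/passwd"   # constructed malicious input
    print("shell would run:", vulnerable_command(attacker_input))
    print("argv form:", safe_argv("report.txt"))
    try:
        safe_argv(attacker_input)
    except ValueError as err:
        print("rejected:", err)
```

The two defences are independent: the allow-list stops the hostile input at the boundary, and the argv form means that even a value that slips past validation cannot reach a shell parser. Use both; the page's point is that the allow-list is the first and most reliable of them.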

Windows Autopilot manages which of the following? -Subscriptions -Certificates -Access tokens -Devices

Devices Windows Autopilot is device provisioning and management using the Microsoft cloud. Autopilot uses Microsoft Intune, Azure Active Directory and other Microsoft cloud services to streamline setting up and managing devices. Microsoft Intune can configure devices anywhere in the world because it is hosted in and run from Azure.

What common access control model consists of something the user can manage, like a username or password? -Mandatory Access Control (MAC) -Role-Based Access Control -Discretionary Access Control (DAC) -Biometric-Based Access Control

Discretionary Access Control (DAC) Discretionary Access Control (DAC) is built on something the owner of a resource can manage, such as a password or a permission grant. For example, a user might choose to give a document's password to someone without notifying the administrator. Under Mandatory Access Control, by contrast, the system enforces labels that users cannot change.

What would an Active Directory administrator use to create large, corporate e-mail lists? -DNS record -DNS zone file -Distribution group -Security group

Distribution group To create a Global or Universal group in Active Directory, open the Active Directory Users and Computers tool > right-click any Organizational Unit > New > Group. You can create a Domain Local, Global or Universal group this way. Each group can be marked as either a distribution or security group, for example, a Global distribution group is not the same thing as a Global security group. Security groups can have privileges and permissions assigned to them, whereas distribution groups cannot. Distribution groups are often for mailing lists.

Which organization maintains the list of security risks shown in the screenshot? • A1:2017-Injection • A2:2017-Broken Authentication • A3:2017-Sensitive Data Exposure • A4:2017-XML External Entities (XXE) • A5:2017-Broken Access Control • A6:2017-Security Misconfiguration • A7:2017-Cross-Site Scripting (XSS) • A8:2017-Insecure Deserialization • A9:2017-Using Components with Known Vulnerabilities • A10:2017-Insufficient Logging & Monitoring -OWASP -MITRE -NIST -CIS

OWASP The Open Web Application Security Project (OWASP) regularly publishes its list of the Top Ten Most Critical Web Application Security Risks; the A1-A10 numbering with the 2017 year is the format of the OWASP Top 10. Embedding security earlier in the development process is intended to prevent these application vulnerabilities from being introduced.

Which of the following is a DLP policy designed to protect data at-rest? -Block the upload of files containing data labeled "Confidential" to cloud storage services -Append an "[External]" tag to the subject line of incoming emails that contain attachments -Alert the security team when an outgoing email containing data labeled "Sensitive" is detected -Encrypt files found on internal servers that contain Social Security numbers.

Encrypt files found on internal servers that contain Social Security numbers. A DLP policy defines where a tool must monitor for sensitive data, under which conditions it should intervene, and which actions it takes automatically when those conditions are met. DLP policies can protect data both in transit and at rest. Monitoring internal servers for files containing Social Security numbers and encrypting them is an example of protecting data at rest: "internal servers" defines the location the policy monitors, "containing Social Security numbers" defines the condition the tool looks for, and "encrypt the files" defines the action taken on every file that matches. Blocking the upload of files containing data labeled "Confidential" to cloud storage services protects data in transit: the policy detects a transmission (the upload) of sensitive data (the label) and takes an action (block). Alerting on an outgoing email labeled "Sensitive" is likewise in-transit protection. Appending an "[External]" tag to incoming emails is not a DLP policy at all, because it does not protect data within the organization.
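An added Python example (not from the original flashcards, and not any vendor's DLP engine) of the at-rest policy described above: walk a directory tree, detect plausible Social Security numbers using the SSA's issuance rules to cut false positives, and apply a remediation action to each matching file. The remediation used here only restricts the file's permissions; the page's policy would encrypt the file, which needs the organisation's key management and is outside this example. The sample files are constructed in a temporary directory.

```python
import os
import re
import stat
import tempfile

# 'AAA-GG-SSSS' with digit boundaries so a slice of a longer number is not matched.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def is_plausible_ssn(area, group, serial):
    """Reject values the SSA never issues: area 000, 666 or 900-999; group 00;
    serial 0000. This removes many ticket numbers and other dash-separated digits."""
    area, group, serial = int(area), int(group), int(serial)
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def find_ssns(text):
    """All plausible SSNs in a block of text, in order of appearance."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


def restrict_permissions(path):
    """Stand-in remediation: owner read/write only. A production policy would
    encrypt the file with the organisation's key management instead."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def scan_tree(root, remediate=restrict_permissions, max_bytes=10_000_000):
    """Walk 'root', report every file containing a plausible SSN and apply the
    remediation to it. Returns {path relative to root: [matches]}."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    raw = fh.read(max_bytes)
            except OSError:
                continue        # unreadable or vanished; a real tool would log this
            hits = find_ssns(raw.decode("utf-8", errors="replace"))
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
                remediate(path)
    return findings


def demo_scan():
    """Create constructed sample files in a temporary directory and scan them."""
    samples = {
        "hr/payroll.txt": "Employee 4471, SSN 123-45-6789, start 2019-03-01\n",
        "tickets.txt": "refs 666-12-3456 and 000-11-2222 are ticket ids, not SSNs\n",
        "notes.txt": "long serial 5550123-45-67890 must not match\n",
        "clean.txt": "nothing sensitive here\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    print(demo_scan())
```

The plausibility filter is where most of the tuning effort goes in a real deployment: the regex alone would flag the two ticket references, and every false positive that triggers an automatic encrypt or quarantine action costs an analyst's time and a user's trust.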

How could a network administrator use the nmap tool for configuration management on his internal systems? -Identifying users who have access to specific applications on a server -Sniffing network packets to determine if unencrypted traffic is being passed -Establishing a known baseline of running systems and their open ports -Determining if files have been changed or deleted on the network servers

Establishing a known baseline of running systems and their open ports Configuration management is establishing a known baseline of a network and its systems and then managing changes to them. nmap can scan the network to determine which hosts are active and which ports are listening on each host, and it can also detect the software version behind a port, identify the OS and, with its scripting engine, check for some vulnerabilities. nmap cannot sniff network traffic, identify which files have been altered on a system, or identify which users can access an application.

The "PCAP FILES" directory, on the Desktop contains several libpcap files. Open the garcia.pcap file with Wireshark and filter for FTP traffic. What is the password used by the user maxwell to access the FTP server?

FTP transmits everything in plain text, including login information. With access to the traffic, finding the password is as simple as typing ftp in the Wireshark display filter bar and looking for the USER and PASS commands near the beginning of the conversation, which would look similar to: Request: USER maxwell / Response: 331 Please supply the password / Request: PASS Lorentz / Response: 230 Login successful.

Which of the following will best prevent access to sensitive files when a laptop is stolen? -Logins require two-factor authentication -Full disk encryption. -Login support for Kerberos and Active Directory -A strong user password

Full disk encryption. With full disk encryption all data stored on the drive is encrypted; files are decrypted for the user's operations and written back to the drive encrypted. Authentication methods alone are trivial to bypass once a laptop is stolen: the drive can simply be removed, placed in a USB adapter, and read from another machine, so a strong password or two-factor login protects nothing on an unencrypted disk.

A network administrator needs to disable World Wide Web Publishing on all desktops in the domain. What tool will allow this task to be completed quickly with minimal effort? -Services Tool - SC.EXE -Group Policy -PowerShell

Group Policy The System Services section of a GPO is more or less the Services applet: there you can disable any service you want, and it will be disabled on every system to which the GPO applies. The Services tool itself acts on one machine at a time and is scaled out only through that GPO section. PowerShell and SC.EXE can be scripted to do the same, but that is more work than using Group Policy, and SC.EXE is supplied with a resource kit and may not be installed on every desktop in the domain.

Which of the following is a type of algorithm that is important in encryption and integrity that uses no key? -Private -Base64 -Hash -Asymmetric

Hash There are three types of cryptographic algorithms: secret key (symmetric), public key (asymmetric), and hash functions. Unlike the other two, hash functions, also called message digests or one-way functions, use no key in the transformation. Instead, a fixed-length hash value is computed from the input in such a way that neither the contents nor the length of the input can be recovered from it, which is what makes hashes useful for integrity checks. That fixed length is the digest length (for example 256 bits for SHA-256); it is not a key length, since no key is involved. Base64 is an encoding, not a cryptographic algorithm.

Which cloud service allows for user control of the operating system? -IAAS -PAAS -SAAS

IAAS With Infrastructure as a Service the provider supplies virtualized compute, storage and networking, and the customer installs, configures and patches the operating system and everything above it. With PaaS the provider manages the OS and runtime, and with SaaS the customer controls only the application's settings and data.

Which AWS component provides the following capabilities? • Granting and managing access to external users • Setting granular permissions to, resources • Create roles that users can assume -KMS -Inspector -Amazon Cognito -IAM

IAM AWS IAM (Identity and Access Management) controls access to resources within an AWS account. Its capabilities include identity federation (providing access to external users), granting permissions through roles that users and services assume, defining granular permissions on individual resources, access analysis and temporary credentials, among others. Amazon Cognito provides sign-in for application users through external identity providers, Amazon Inspector checks workloads for vulnerabilities, and KMS manages encryption keys. AWS access keys are credentials used within IAM, not a separate service.

What is the importance of the lessons learned phase of the Incident Handling Process? -Validate that the root cause of the incident has been identified -Observe the environment for the occurrence of the next incident -Determine who was responsible for the occurrence of the incident -Improve the incident response process and identify mistakes

Improve the incident response process and identify mistakes The lessons learned phase is not used to place blame but to evaluate how well the incident response plan worked, identify what went wrong, and correct the process before the next incident.

Where are most of the configuration settings for a Windows computer's hardware, operating system, applications and its user's preferences stored? -At a local copy of the SAM database -In %SystemRoot% -In the registry -In the Local Administrator's directory

In the registry Virtually all configuration settings for the computer's hardware, operating system, applications and its users' preferences are stored in a special miniature database called the "registry".

Moving a traditional web application to a microservice architecture has which of the following impacts? -Decreased number of active sessions to secure -Increased number of trust boundaries to secure -Increased number of user accounts to secure -Decreased number of database connections to secure

Increased number of trust boundaries to secure In a new microservice architecture, for example, instead of THREE primary trust boundaries, we now have over FORTY different connection points between the endpoint devices, microservices, and backend systems.

When malware adds files or backdoors to a system, it violates which of the core CIA principles? -Integrity -Authentication -Identity -Availability

Integrity By adding files, and possibly backdoor programs, to a system, worms and other malicious code create an integrity problem: the system can no longer be fully trusted. These changes do not inherently affect the availability of the system. Identity and Authentication are not part of CIA.

Which of the following is a good practice to follow when making and maintaining backups? -Settle on one backup technology for the enterprise to reduce learning curve -Verify backup systems only as part of a hardware or software upgrade -Remove Cloud storage from backup rotations to save time -Keep backups on separate networks when not actively in use

Keep backups on separate networks when not actively in use Some recommended practices to follow when making and maintaining backups: 1. Keep backups on separate networks: when a system is infected with ransomware (or other malware), there is a large chance the malware will look for network devices and propagate to them as well. This can destroy the backups on network storage, or infect them so that restoring a backup is useless. Backup storage should therefore not be connected to the network when a backup is not actively being taken. 2. Cloud storage also requires backups: redundancy is not a substitute for backups. Make sure your cloud solution is configured to schedule frequent backups automatically, and note that a cloud vendor often has limited retention periods for backup data; if data must be kept longer than that, you will need to store the backup yourself. 3. Use different technologies: it may be tempting to put all organizational systems on a single vendor's solution, but if every system runs the same OS or stack, a single compromise can spread across the whole network to every connected system. 4. Frequently verify backup systems and backup data: even a backup system is not immune to failures. Sometimes a backup is not properly scheduled, or the backup data is corrupted during the backup process, so a periodic review of the systems' operation and of the integrity of the stored backup data is vital.

Which layer of the OSI model deals with routing between network segments? -Layer 2 -Layer 3 -Layer 4 -Layer 6

Layer 3, or the Network Layer, deals with logical addressing and finding paths from a source IP address to a destination IP address; routers operate here. Layer 4, or the Transport Layer, handles transmission requirements, such as ensuring that no packets are lost during transport, dividing data into segments, or specifying an order for segments. Layer 6, or the Presentation Layer, handles the formatting of data, and Layer 2 (Data Link) frames data for delivery between physical (MAC-addressed) devices on the same network segment; switches operate here.

Which of the following is a characteristic of a Windows Server workgroup? -There are two domain controllers in a workgroup -Workgroups consist of more than fifty computers -Each workgroup account has the same Security ID -Local administrator authority does not extend to other computers in the workgroup

Local administrator authority does not extend to other computers in the workgroup In a workgroup there are no domain controllers; every computer keeps its own local account database (SAM), so accounts, their SIDs and local administrator rights are defined per machine and are not recognized by the other members of the workgroup. Workgroups are intended for small peer-to-peer networks, not for dozens of computers.

What is a benefit of running Windows 10 on an ARM platform versus either an X86 or X64 platform? -Access to all the same applications as an X86 or x64 platform -Longer device battery life -Can only run applications purchased at the Microsoft store -Supports the ReFS filesystem

Longer device battery life Windows on ARM offers longer battery life and less expensive devices. Some editions of Windows come in both 32-bit (x86) and 64-bit (x64) versions for platforms with Intel or AMD CPUs. However, Microsoft wants to move away from the older 32-bit (x86) platform and support only 64-bit (x64) going forward, at least for traditional laptops and desktop PCs. For the ARM platform, there are special editions of Windows 10 and later, plus the obsolete Windows RT and Windows Phone products (which were replaced by the ARM version of Windows 10). Be careful: the Windows for ARM editions do not have the same features and cannot run all the same applications as Windows for x86/x64. The x86/x64 emulator on Windows for ARM is very good, but not perfect. x86 applications should be recompiled for ARM64 when an app relies on a driver that isn't designed for ARM, since drivers cannot be emulated. There is no backward compatibility with Windows RT.

A network technician began investigating complaints of slow network connectivity in a specific building. The technician connected to the switch and saw that there were many physical addresses in the address table assigned to a single interface. What most likely caused this? -MAC Flooding -VLAN hopping -DHCP spoofing -SYN attack

MAC Flooding An attacker sends frames with thousands of forged source MAC addresses on one port. When the CAM (MAC address) table of the switch fills up, the switch no longer knows which port a destination lives on and floods traffic out of all ports, making it act like a hub; this both lets the attacker sniff other hosts' traffic and significantly slows the network. A port learning far more MAC addresses than the few hosts attached to it is the tell-tale sign. DHCP spoofing is an attack where a rogue machine answers DHCP requests and attempts to become the default gateway or DNS server. VLAN hopping is the act of sending specially crafted (double-tagged or trunk-negotiating) frames from one VLAN to reach another. A SYN flood is a denial-of-service attack that exhausts a server's half-open TCP connection state; none of these fill the switch's address table.
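The following is an added detection example, not part of the original study set: it parses a constructed `show mac address-table` style dump (Cisco IOS layout is assumed; the sample entries are generated in the script) and flags any interface that has learned more MAC addresses than a single access port plausibly should, which is exactly what the technician observed above.

```python
"""Flag switch ports whose learned-MAC count suggests a MAC flooding attack.

Added example (not from the original page). A normal access port learns one or
a handful of MAC addresses; a port under MAC flooding learns hundreds or
thousands of random addresses in seconds. The table layout mimics Cisco IOS
`show mac address-table` output (an assumption); all sample lines are constructed.
"""
import re
from collections import defaultdict

# One table entry: "<vlan>  <hhhh.hhhh.hhhh>  <DYNAMIC|STATIC>  <port>"
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text: str) -> dict:
    """Return {port: set of learned MACs} from an IOS-style MAC table dump.

    Header, separator and malformed lines simply do not match and are skipped.
    """
    ports = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            _vlan, mac, _kind, port = m.groups()
            ports[port].add(mac.lower())
    return dict(ports)


def flooded_ports(ports_to_macs: dict, threshold: int = 32) -> dict:
    """Return {port: mac_count} for ports exceeding `threshold`, largest first.

    The threshold is a tunable assumption: access ports normally carry a few
    MACs (a PC and an IP phone, a small hub); uplinks and trunks legitimately
    carry many and should be excluded or given a higher threshold in practice.
    """
    hits = {p: len(m) for p, m in ports_to_macs.items() if len(m) > threshold}
    return dict(sorted(hits.items(), key=lambda kv: -kv[1]))


def build_sample(flood_port: str = "Gi1/0/7", flood_count: int = 500) -> str:
    """Construct a MAC table: three normal ports plus one port being flooded.

    The flood addresses come from a deterministic 48-bit LCG (full period, so
    all `flood_count` values are distinct) rather than random.random(), so the
    example is reproducible offline.
    """
    header = ("Vlan    Mac Address       Type        Ports\n"
              "----    -----------       --------    -----\n")
    lines = [
        "  10    0050.56a1.0001    DYNAMIC     Gi1/0/1",
        "  10    0050.56a1.0002    DYNAMIC     Gi1/0/2",
        "  20    0050.56a1.0003    STATIC      Gi1/0/3",
    ]
    x = 0x12345678
    for _ in range(flood_count):
        x = (1103515245 * x + 12345) & 0xFFFFFFFFFFFF
        mac = f"{x:012x}"
        lines.append(
            f"  10    {mac[0:4]}.{mac[4:8]}.{mac[8:12]}    DYNAMIC     {flood_port}"
        )
    return header + "\n".join(lines) + "\n"


if __name__ == "__main__":
    table = parse_mac_table(build_sample())
    for port, count in flooded_ports(table).items():
        print(f"ALERT: {port} has learned {count} MAC addresses (possible MAC flooding)")
```

The usual mitigation on the switch side is port security (on Cisco IOS, `switchport port-security maximum <n>` with a violation action), which caps how many addresses a port may learn and shuts the port or drops frames once the limit is exceeded.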

When downloading software from the Internet, what algorithm can be used to verify the integrity of the download? -AES -ECC -MD5 -RC6

MD5 MD5 accepts input of arbitrary length and produces a fixed-length 128-bit output, the digest (not a key length; hashes have no key). The purpose of hashing a file is to create a numeric representation of the file that is deterministic (the same input always gives the same digest) and that changes whenever even a single byte of the input changes, so a recomputed digest that matches the published one shows the download was not corrupted or altered. A hashing algorithm's output might be referred to as a hash, digest, or fingerprint. MD5 does not modify the original file in any manner whatsoever. The other options are ciphers: AES and RC6 are symmetric block ciphers and ECC is asymmetric (elliptic curve) cryptography. Note for practice: MD5 is collision-broken, so a vendor should publish SHA-256 digests, and a digest is only as trustworthy as the channel it came from; a checksum fetched from the same compromised server as the download proves nothing, which is why publishers also sign their checksum files.
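The check described above, and the backup-data integrity verification recommended in item 4 of the backup answer earlier, amount to the same routine: recompute the digest and compare it with a published one. The following is an added example, not from the original study set; it assumes the `sha256sum`/`md5sum` checksum-file format ("<hex digest>  <filename>"), uses only the Python standard library, and operates on constructed sample data rather than real downloads.

```python
"""Verify downloaded files (or backup sets) against a published checksum list.

Added example, not part of the original page. Assumes the sha256sum/md5sum
manifest format "<hex digest>  <filename>" (a leading '*' marks binary mode).
All sample data below is constructed.
"""
import hashlib
import hmac


def digest_hex(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of `data`: any input length yields a fixed-size output."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def parse_checksum_file(text: str) -> dict:
    """Parse 'digest  filename' lines into {filename: digest}; skip blanks/comments."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify(data: bytes, expected_hex: str, algo: str = "sha256") -> bool:
    """Compare computed and expected digests in constant time."""
    return hmac.compare_digest(digest_hex(data, algo), expected_hex.lower())


def verify_manifest(files: dict, checksum_text: str, algo: str = "sha256") -> dict:
    """Check every file named in the manifest; a missing file counts as a failure."""
    expected = parse_checksum_file(checksum_text)
    return {
        name: (name in files and verify(files[name], digest, algo))
        for name, digest in expected.items()
    }


# Constructed sample: two "downloaded" files and the vendor's SHA256SUMS.
# tool-1.0.tar.gz is intact; tool-1.0.sig was altered in transit.
FILES = {
    "tool-1.0.tar.gz": b"abc",
    "tool-1.0.sig": b"not the bytes the vendor published",
}
SHA256SUMS = """\
# SHA-256 of b"abc" and of the empty file, respectively
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  tool-1.0.tar.gz
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *tool-1.0.sig
"""

if __name__ == "__main__":
    for name, ok in verify_manifest(FILES, SHA256SUMS).items():
        print(f"{name}: {'OK' if ok else 'FAILED'}")
    # A one-byte change (here a trailing newline) produces a different digest:
    print(digest_hex(b"abc"), digest_hex(b"abc\n"), sep="\n")
```

`hmac.compare_digest` is used instead of `==` so that a comparison against attacker-supplied input does not leak how many leading bytes matched; for a local file check this is belt-and-braces, but it is the right habit for any code that compares MACs or digests from the network.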

Intune improves cloud security by enforcing secure configurations for which of the following? -Removable media -Servers -Mobile devices -Networking equipment

Mobile devices Intune offers cross-platform endpoint configuration management (MDM/MAM). It can enforce a secure configuration on the endpoints used to manage systems in the Azure environment, lowering the risk typically presented by an unmanaged or BYOD device. Intune support is limited to endpoint computing, so it would not manage servers, networking equipment or removable media.

Name a requirement for a Network Intrusion Prevention System (NIPS). -Must be able to keep up with network latency with low-throughput -Must cost less than $10,000 per device -Must be able to act as an intelligent switch -Must be able to keep up with network throughput with low-latency

Must be able to keep up with network throughput with low-latency Because a NIPS sits inline and must inspect every packet before forwarding it, it has to process traffic at line rate and add minimal latency; otherwise it becomes a bottleneck or has to fail open, which defeats its purpose. The fourth class of IPS, considered the most unique available today, is referred to as "an extra widget": these products make the best use of firewalls, IDS tools, and routers/switches to create a single high-performance device.

Which of the following is vulnerable to password sniffing? -SSL -SSH -NTLMv2 -NTLMv1

NTLMv1 NTLMv1's DES-based challenge-response exchange can be captured from the network and cracked offline with tools such as L0phtCrack to recover the password hash. NTLMv2 strengthens the exchange (HMAC-MD5 with a client-supplied challenge), and SSL and SSH encrypt the authentication exchange so that sniffing yields nothing usable.

Which principle of access control recommends granting access to resources only when they are needed? -Separation of Duties -Need to Know -Data Classification -Rotation of Duties

Need to Know Some principles associated with access control: • Need to Know: Only grant someone access to resources when they need them, and revoke it when it is no longer required • Least Privilege: Give someone the least amount of access they need to do their job • Separation of Duties: Break critical tasks across multiple people to limit your points of exposure • Rotation of Duties: Change jobs on a regular basis to prevent anyone from getting comfortable enough in a position to cover their tracks, and to minimize the chance of collusion
