GSEC-Q&A-practice-test-example


If an attacker was on Machine_A and he wanted to log into Machine_B without having to type a password, which file would he need to modify on Machine_B? .profile - .config - .ssh - .rhosts

.rhosts ( Explanation ) In Unix there are many types of files. Besides regular text files there are special files such as directories, devices and pipes. .config is a directory holding per-user application settings (the XDG configuration directory). .ssh is also a directory; it holds a user's secure shell configuration and keys. The .profile file sets up a user's environment variables at login; other shells have their own variants, such as .bash_profile for bash. The .rhosts file in a user's home directory on Machine_B is read by the Berkeley r-services (rlogin, rsh, rcp) and can be edited to let users from specific remote machines log in without typing a password; an entry of `+ +` allows any user from anywhere. The r-services are obsolete and should be disabled; the SSH equivalent of this attack is appending a key to ~/.ssh/authorized_keys, so that file deserves the same monitoring.

In which directory can executable programs that are part of the operating system be found? (/) (/var) (/lib) (/dev) (/usr/bin) (/home) INCORRECT ON PT

/usr/bin ( Explanation ) /usr/bin (together with /bin) holds the executable commands that ship with the operating system. /lib holds shared libraries, /dev device nodes, /var variable data such as logs and spools, /home user home directories, and / is simply the root of the tree.

On a Windows computer the Default Domain Group Policy Object (GPO) has the screensaver timeout set to 10 minutes and the local GPO has the screensaver timeout set to 20 minutes. How long will it take for the screensaver to come on? 15 minutes - 30 minutes - 20 minutes - 10 minutes

10 minutes ( Explanation ) The Default Domain GPO takes precedence over the local GPO. Group Policy is applied in the order Local, Site, Domain, OU (LSDOU), and a setting applied later overrides one applied earlier, so the domain value wins. The values are not averaged or added; the Default Domain GPO's value is used.

Which of the following scenarios describes the responsible and effective use of a honeypot? A curious junior security engineer deploys a honeypot on the production network - A senior security engineer deploys an unmanned/unmonitored honeypot - A security researcher uses a honeypot to research penetration attacks - A desktop support technician testing anti-virus software on a honeypot

A security researcher uses a honeypot to research penetration attacks ( Explanation ) Honeypots can be an effective tool, but they must be used for the right purpose and deployed correctly. Curiosity, while admirable, is not an effective use of a honeypot. Without the proper expertise and deployment, including being staffed and monitored, a honeypot could be used as a stepping stone into production systems. Testing anti-virus software is not an effective use of a honeypot, largely because the goal of a honeypot is to capture insight into attacker methodology.

Which of the following methods is part of the process of permitting remote access to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion even when restrictive permissions for remote access on all other keys has been set? Stop and disable the Remote Registry Service at the specific server. - Pause the Remote Registry Service at the specific server. - Add the key value to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths subkey. - Add proper ACLs to access the key value to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg\ key. INCORRECT ON PT

Add the key value to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths subkey. ( Explanation ) The ACL on the \winreg key determines remote access permissions for the registry as a whole; keys listed in the AllowedPaths subkey under \winreg are exempt from that ACL and remain reachable remotely. Stopping the Remote Registry Service prevents all remote access to the registry on that host, which is the opposite of what is asked.

Which of the problems below is tractable? Computing Data Encryption Standard ciphertext - Computing elliptic curves in a finite field - Solving the discrete logarithm problem - Factoring a large integer into its two prime factors

Computing Data Encryption Standard ciphertext ( Explanation ) Producing ciphertext with any standard encryption algorithm is a tractable problem: encryption runs in polynomial time. DES is also an old algorithm with a small (56-bit) keyspace, which makes brute-forcing its key feasible, but that is a separate point from computing the ciphertext. The other three problems (factoring a large semiprime, the discrete logarithm, and the elliptic-curve discrete logarithm over a finite field) are intractable: they can be solved in principle, but no known classical algorithm solves them in practical time at the parameter sizes used in deployed cryptography.

Which objective can be met by using CFEngine or Puppet? Network Activity Baselining - Mandatory Access Control - Configuration Management - Log Analysis

Configuration Management ( Explanation ) Puppet and CFEngine are configuration management tools. They make it easier to apply a consistent secure configuration among Linux hosts.

What is the discipline of establishing a known baseline and managing that condition known as? Security establishment - Observation discipline - Condition deployment - Configuration management

Configuration management ( Explanation ) The discipline of establishing a known baseline and managing that condition is known as "configuration management."

How could a systems administrator set up a weekly job to check for listening ports on a Windows server? Configure schtasks.exe to run netbios.exe - Schedule netsh.exe to run using the at command - Schedule net.exe to run using the at command - Configure schtasks.exe to run netstat.exe

Configure schtasks.exe to run netstat.exe ( Explanation ) One way to schedule recurring tasks on a Windows box is the schtasks.exe command. The at command could also be used on older systems, but schtasks.exe is more capable, is the one Microsoft recommends, and at.exe has been removed from current Windows releases. netstat.exe displays listening ports (netstat -ano also shows the owning process ID). There is no standard netbios.exe; the tool that lists NetBIOS-related data is nbtstat.exe. The net command manages network shares, users and services; it shows running services but not listening ports. netsh.exe displays and manages the network configuration of the local or a remote computer.

What should an application developer do to reduce the likelihood of an OS command injection attack when creating a web form that accepts user input? Utilize stored procedures to interact with the database - Define allowed input characters and strip out disallowed characters - Validate input on the client instead of on the server - Have the web application make system calls rather than sending raw user input

Define allowed input characters and strip out disallowed characters ( Explanation ) Defenses against OS command injection include: avoid making system calls from within the application (use built-in application functions instead), remove OS command syntax from input, and define the valid characters for each input and reject everything else. In practice, rejecting input that fails the allow-list is safer than silently stripping characters, and when a system call is unavoidable the value should be passed as a separate argument rather than spliced into a shell command line. Using stored procedures instead of dynamic SQL is a defense against SQL injection, not command injection. Input can be validated with scripts on the client for usability, but this adds no security because an attacker can modify or bypass anything that runs in the browser. All data must be validated on the server.
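The vulnerable and hardened forms side by side, as an added example that is not part of the quiz. The `ping` command and its `-c` flag are assumed for illustration; the hostname allow-list is a standard RFC 1123 label pattern, and the hostile input is constructed.

```python
"""Added example: OS command injection, vulnerable vs. hardened.

Shows the defenses named above: an allow-list of input characters
(hostnames only), rejecting rather than silently stripping bad input,
and passing the value to the OS as an argument vector so no shell ever
parses it. Not code from the original quiz; 'ping -c 1' is assumed.
"""
from __future__ import annotations

import re
import subprocess

# Allow-list: RFC 1123 style hostname labels joined by dots, nothing else.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command(host: str) -> str:
    """The 'before': user input is spliced into a shell command line.
    This is the string os.system()/shell=True would hand to /bin/sh,
    where ';', '|', '$(' and '`' all have meaning."""
    return "ping -c 1 " + host


def is_valid_host(host: str) -> bool:
    """Allow-list check: True only if every character is in the hostname alphabet."""
    return _HOST_RE.match(host) is not None


def validate_host(host: str) -> str:
    """Reject (do not strip) anything outside the allow-list, so shell
    metacharacters never reach the OS at all."""
    if not is_valid_host(host):
        raise ValueError("hostname contains disallowed characters")
    return host


def build_ping_argv(host: str) -> list[str]:
    """The 'after': the validated value becomes a single argv element.
    Even if a metacharacter slipped through, no shell interprets it."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str) -> int:
    """Executes the hardened form (shell=False). Returns ping's exit status."""
    proc = subprocess.run(build_ping_argv(host), check=False, capture_output=True)
    return proc.returncode


if __name__ == "__main__":
    hostile = "example.com; rm -rf /"          # constructed attacker input
    print("shell would run:", vulnerable_command(hostile))
    print("allow-list accepts it:", is_valid_host(hostile))
    print("hardened argv:", build_ping_argv("example.com"))
```

Note that the allow-list is specific to the input's meaning (a hostname); a generic "dangerous characters" deny-list misses encodings and shell features you did not think of, which is why the validation is written as what is permitted.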

What would an Active Directory administrator use to create large, corporate e-mail lists? Distribution group - DNS zone file - Security group - DNS record

Distribution group ( Explanation ) To create a Global or Universal group in Active Directory, open the Active Directory Users and Computers tool > right-click any Organizational Unit > New > Group. You can create a Domain Local, Global or Universal group this way. Each group can be marked as either a distribution or security group, for example, a Global distribution group is not the same thing as a Global security group. Security groups can have privileges and permissions assigned to them, whereas distribution groups cannot. Distribution groups are often for mailing lists.

Which type of event classification is missed by a NIDS and has the most potential to be a serious event? True positive - False positive - True negative - False negative

False negative ( Explanation )
• False negative: A false negative event is when the IDS identifies data as benign when, in fact, it is malicious. A false negative does not generate an alert for the analyst, and therefore these can be dangerous because the analyst cannot take action.
• True negative: A true negative event is what we want the IDS to see: the cases where data does not indicate any malicious activity, and the data is correct. In the case of a true negative, the IDS does not generate an alert for the analyst.
• True positive: In these cases, the IDS worked as intended and correctly flagged the activity as anomalous behavior that might be malicious. True positives generate alerts for the analyst to process.
• False positive: A false positive case is where the IDS generates an alert flagging hostile activity which was benign. False positives generate alerts for the analyst to process, who then must decide how to handle the activity.

A network uses 10.1.1.0/24 addressing for client systems and 10.5.5.0/24 for internal servers. Which of the following would prevent a host on the client network from sending packets with a spoofed source address of 10.5.5.101 to a host on the server network? DHCP - Anti-virus - HIDS - Firewall

Firewall ( Explanation ) A firewall (or a router ACL) between the two segments knows which source addresses are legitimate on each interface and drops packets that violate that. Here, a packet arriving from the 10.1.1.0/24 client segment with a source address in 10.5.5.0/24 cannot be genuine, so an ingress filter on the client-facing interface rejects it and the spoofing fails. DHCP, anti-virus and a HIDS do not inspect the source addresses of packets in transit.

A security analyst is preparing a vulnerability assessment against her organization's network. Which is the appropriate first step? Configure the scanning tool for passive activity - Get a network diagram from the administrator - Get signed permission from the data owner - Determine which hosts are in-scope for the scan

Get signed permission from the data owner ( Explanation ) The difference between a penetration tester and an attacker is permission! Be sure you have it. If you are just now coming up with a scanning policy in your organization, get written permission from the highest level possible in your organization (like your Chief Information Officer).

Which of the following is considered a recommended practice but not a business requirement? Guideline - Standard - Baseline - Procedure INCORRECT ON PT

Guideline ( Explanation ) Guidelines, unlike standards and policies, are not mandatory. Guidelines are more of a recommendation of how something should be done.

Which of the following uses file-integrity monitoring to alert the security team when a new executable is created in a system directory? HIDS - Host-based firewall - NIDS - Network-based firewall

HIDS ( Explanation ) HIDS incorporates file-integrity checking to detect and alert when changes are made to system files or directories that are being monitored. Firewalls and network based controls use other types of monitoring to detect malicious activity

Which of the following is a type of algorithm that is important in encryption and integrity that uses no key? Asymmetric - Base64 - Symmetric - Private - Hash

Hash ( Explanation ) There are three types of cryptographic algorithms: secret key (symmetric), public key (asymmetric), and hash functions. Unlike secret key and public key algorithms, hash functions, also called message digests or (misleadingly) one-way encryption, use no key in the transformation. Instead, a fixed-length hash value is computed from the input in such a way that recovering either the contents or the length of the input from the hash is computationally infeasible. The size of that fixed-length output is the hash function's digest length (128 bits for MD5, 256 bits for SHA-256); a hash function has no key length.

What step could a systems administrator take to prevent unauthorized software from running on a web server? Determine which user accounts do not have an expiration date - Deploy the web server in a virtualized environment - Set up a web application firewall on the server - Implement application whitelisting technology - Determine a timeline for reporting anomalous events

Implement application whitelisting technology ( Explanation ) Application whitelisting technology can be used to prevent unauthorized software from running on a machine. A web server running in a virtual environment is still vulnerable to being attacked and running malicious software programs. Determining a timeline for reporting anomalous events is a defense for the Incident Response and Management critical security control. Deploying web application firewalls is a defense for Critical Control #18 - Application Software Security defenses. Determining which user accounts on the web server do not have an expiration date is a defense for the Account Monitoring and Control critical security control.

Which of the following is BEST known for its encryption capabilities, but can also be used for static packet filtering? Secure Socket Layer (SSL) - Transport Layer Security (TLS) - Point-to-Point Tunneling Protocol (PPTP) - Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec) ( Explanation ) IPSec is best known for its encryption capabilities (ESP), but its security policy database also acts as a static packet filter: each policy entry matches traffic by address, protocol and port and decides whether to protect, pass or discard it.

How is a Windows 2008 or 2012 server affected when the administrator disables the NetBIOS service? It will not have full backward compatibility with legacy systems like Windows NT - It will disable the Remote Procedure Call service on TCP port 135 - The server's File and Print Sharing services will run over TCP port 139 - The server will not be able to access SMB shares on remote hosts - The server will be immune to null user session attacks

It will not have full backward compatibility with legacy systems like Windows NT ( Explanation ) Disabling NetBIOS on a Windows server removes full backward compatibility with old systems such as Windows NT and with legacy applications. The server will still be able to access SMB shares on other hosts as long as the TCP/IP NetBIOS Helper service is running and the remote side speaks SMB over TCP port 445. Null session attacks do not require NetBIOS. The RPC service on TCP port 135 is not affected. When NetBIOS is running, file and print sharing services are offered over TCP port 139; otherwise they run directly over TCP port 445.

The Windows Firewall (WF) provides a popup when a new service attempts to listen on your machine. Which of the following should you train users to select from a security perspective if they are unsure of which option to select? (Keep Blocking) (Increase Security Level) (Safe Mode) (Send Request to Administrator)

Keep Blocking ( Explanation ) The three available options for Windows Firewall are Keep Blocking, Unblock and Ask Me Later. Keep Block does not allow the program to acquire a listening port. You should train your users to choose this option when there is any doubt as to what they should do. There are no Safe Mode or Send Request to Admin options.

Which of the following best describes Defense-in-Depth? Layered controls - Separation of duties - Hardened perimeter security - Risk management

Layered controls ( Explanation ) Defense-in-depth is best characterized by layered defenses. The idea is that any layer of defense may eventually fail, but a Layered Defense offers better protection. Risk management, separation of duties, and hardened perimeters are part of a layered defense but do not describe the full concept of DiD.

Which of the following would be a valid reason to use a Windows workgroup? Consistent permissions and rights - Simplicity of single sign-on - Lower initial cost - Centralized control INCORRECT ON PT

Lower initial cost ( Explanation ) Workgroups do have lower initial costs, since no domain controllers or directory infrastructure are needed. The disadvantages are no centralized control, difficulty implementing single sign-on, and no consistent permissions and rights across machines.

Which algorithm is typically used to fingerprint digital evidence? AES - ECC - MD5 - RSA

MD5 ( Explanation ) A hashing algorithm's output may be referred to as a hash, message digest, or fingerprint. MD5 has traditionally been used to fingerprint digital evidence: a file is fed into MD5 and a 128-bit digest of it is produced. Hashing does not modify the original file in any way. Because MD5 is known to be vulnerable to collisions, current practice is to record a SHA-256 fingerprint as well (or instead). Because the purpose of the fingerprint is integrity, security-conscious examiners also cryptographically sign it so that tampering with the recorded fingerprint is detectable. RSA and ECC may be used for such digital signatures. AES is a symmetric encryption algorithm and plays no role in fingerprinting.

Which algorithm should be used to protect stored passwords? MD5 - Elliptic curve - RSA - AES

MD5 ( Explanation ) Reversible algorithms (symmetric ciphers such as AES and asymmetric ones such as RSA and elliptic curve) are not recommended for stored passwords; an irreversible one-way hash is. Among the options listed, MD5 is the only irreversible algorithm, which is why it is the expected answer. In practice, a bare fast hash such as MD5 is unsuitable: it should be replaced by a salted, deliberately slow password hash (bcrypt, scrypt, Argon2 or PBKDF2), so that a leaked password database cannot be cracked with precomputed tables or cheap brute force.
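Why "a hash" is necessary but plain MD5 is not sufficient, as an added example not taken from the quiz. It compares unsalted MD5 with salted, iterated PBKDF2-HMAC-SHA256 from the Python standard library; the passwords, salt format and iteration count below are constructed for the demonstration.

```python
"""Added example (not part of the quiz): storing passwords with a one-way
function. Unsalted MD5 versus salted, iterated PBKDF2-HMAC-SHA256
(hashlib.pbkdf2_hmac). The record format '<iters>$<salt hex>$<digest hex>'
is an assumption of this example, chosen so parameters can be raised later.
"""
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 100_000   # demo value; raise it for production hardware


def md5_store(password: str) -> str:
    """The quiz answer taken literally: unsalted, single-pass MD5.
    Same password -> same digest, so one precomputed table cracks every user."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: bytes | None = None) -> str:
    """Salted and slow: unique per user and ~10^5 times more work per guess."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    iters, salt_hex, digest_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(dk.hex(), digest_hex)


def same_password_same_hash(store) -> bool:
    """Two users who chose the same password: do their stored values collide?"""
    return store("Summer2024!") == store("Summer2024!")


if __name__ == "__main__":
    print("md5 collides across users:   ", same_password_same_hash(md5_store))
    print("pbkdf2 collides across users:", same_password_same_hash(pbkdf2_store))
    rec = pbkdf2_store("correct horse battery staple")
    print(pbkdf2_verify("correct horse battery staple", rec),
          pbkdf2_verify("wrong", rec))
```

The point of the salt is that two identical passwords stored by `pbkdf2_store` produce different records, so an attacker must attack each account separately; the iteration count is what makes each attempt expensive.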

Which access control mechanism requires a high amount of maintenance since all data must be classified, and all users granted appropriate clearance? Mandatory - Role-Based - Ruleset-based - Discretionary INCORRECT ON PT

Mandatory ( Explanation ) Mandatory Access Control (MAC) is enforced by the system and cannot be overridden by the administrator or the data owner. MAC requires more effort to maintain because every object must be classified and every user must be granted a clearance.

A file is classified as "Secret" and can only be accessed by a user that has "Clearance Level B". Which type of access control is this? Role-based Access Control - Mandatory Access Control - Ruleset-based Access Control - Discretionary Access Control INCORRECT ON PT

Mandatory Access Control ( Explanation ) Mandatory access controls (MAC) are set by the system and cannot be overridden by the administrator. MAC requires a lot of work to maintain because all data carries a classification and all users hold a clearance. Users must have the appropriate clearance to access data of a given classification, and users cannot pass their clearance on to someone else. In this case the data's classification is "Secret" and the user's clearance must be "Level B" to access the file.

Which of the following must be developed and approved before any other security policies can be put in place? Copyright agreement - Non-disclosure agreement - Mission statement - Password policy - Data recovery procedure

Mission statement ( Explanation ) A mission statement is an organization's reason for being. If an organization does not have a mission statement, you should attempt to develop one and get it approved. You need an approved mission statement as we move forward to evaluate policy.

Before deploying a web server in a production environment, what process could a systems administrator put in place to detect an attacker modifying data in the document root folder? Set up an automated job that runs daily and determines if the web server's files have been altered - Set up an Intrusion Detection System to detect malicious packets coming into the web server - Configure a perimeter firewall to log attempted network connections from known bad IP addresses - Configure packet sniffers that detect if private data is being passed in the clear to the Internet

Set up an automated job that runs daily and determines if the web server's files have been altered ( Explanation ) Integrity means knowing whether data has been altered or modified. A process that detects unauthorized changes to files, typically by comparing current file hashes against a stored baseline, is one step an administrator can take to establish this. Identifying private traffic passed in the clear is a step toward confidentiality. Detecting malicious packets coming into the site, or known bad addresses trying to connect to its servers, are good security practices, but they do not tell you whether the site's data has been altered.
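A minimal version of such a daily integrity job, which is also what the HIDS file-integrity monitoring described earlier does continuously, as an added example that is not code from the quiz. The document root, the files in it and the simulated tampering are all constructed in a temporary directory; on a real server the baseline must be stored off-host or signed, since an attacker who can change the content can otherwise change the baseline too.

```python
"""Added example (not from the quiz): a file-integrity check of the kind a
daily job could run over a web server's document root. Baseline = SHA-256
of every regular file under the root; a later run reports files that were
added, removed or modified. The tree below is constructed for the demo.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map of relative POSIX path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences the way a HIDS file-integrity module reports them."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def save_baseline(baseline: dict[str, str], dest: Path) -> None:
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict[str, str]:
    return json.loads(src.read_text())


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a docroot, then simulate an attacker
    defacing index.html, dropping a web shell and deleting a file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "img").mkdir(parents=True)
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "img" / "logo.txt").write_text("logo placeholder\n")
        baseline_file = Path(tmp) / "baseline.json"   # off-host in real life
        save_baseline(snapshot(root), baseline_file)

        (root / "index.html").write_text("<h1>Defaced</h1>\n")            # modified
        (root / "cmd.php").write_text("<?php system($_GET['c']); ?>\n")   # added
        (root / "img" / "logo.txt").unlink()                               # removed

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Anything in "added" under a document root that only a deployment pipeline should write to is the interesting case: a new executable (here the PHP file) is exactly the event the HIDS question above asks about.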

An administrator wants to verify that users have not used common information such as their username as a password on a system. Which John the Ripper mode should the administrator use? Incremental Mode - External Mode - Single Crack Mode

Single Crack Mode ( Explanation ) Single crack mode (john --single) derives candidate passwords from each account's username and GECOS field (full name, and so on), applying mangling rules to them. John also tries every password it has already cracked against the remaining accounts, which helps detect users who reuse the same password on several accounts.

What information would an attacker need to carry out a TCP RST attack? Routing table for the router - Source and target port numbers - Router admin account and password - Target host MAC address

Source and target port numbers ( Explanation ) To carry out a TCP RST attack, an attacker sniffs the packets exchanged between two hosts and records the source and destination IP addresses, the source and destination ports, and the current sequence number. He then crafts a packet with the RST flag set, spoofing the original source address, port and sequence number, so the target believes the other end wants to abort the connection. The sequence number matters: a receiver only accepts a RST whose sequence number falls within its receive window, and stacks that implement RFC 5961 require it to equal the next expected sequence number exactly, answering anything else with a challenge ACK. Router administrative credentials or its routing table are not what is needed; the routing table only tells the router where to forward packets based on IP addresses. MAC addresses are a link-layer detail that TCP does not carry.
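To make concrete which fields the attacker must have sniffed, here is the forged segment built in pure Python, as an added example that is not from the quiz. It constructs the TCP header and the IPv4 pseudo-header, computes the Internet checksum, and does not send anything (transmitting it would need a raw socket and root). The addresses, ports and sequence number are constructed values standing in for what was captured from the live session.

```python
"""Added example (not from the quiz): the forged segment a TCP RST attack
needs. Builds a 20-byte TCP header with the RST flag and a correct
checksum over the IPv4 pseudo-header; nothing is transmitted.
"""
import ipaddress
import struct

TCP_RST = 0x04
TCP_ACK = 0x10
TCP_HDR = "!HHIIBBHHH"          # ports, seq, ack, offset, flags, window, csum, urg
PSEUDO_HDR = "!4s4sBBH"         # src ip, dst ip, zero, protocol, tcp length


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return struct.pack(PSEUDO_HDR, ipaddress.IPv4Address(src_ip).packed,
                       ipaddress.IPv4Address(dst_ip).packed, 0, 6, tcp_len)


def build_tcp_rst(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                  seq: int, ack: int = 0) -> bytes:
    """Forged header: RST set, seq copied from the sniffed stream so the
    victim treats it as in-window (RFC 5961 stacks need an exact match)."""
    flags = TCP_RST | (TCP_ACK if ack else 0)
    data_offset = 5 << 4                     # 5 words, no options
    header = struct.pack(TCP_HDR, src_port, dst_port, seq, ack,
                         data_offset, flags, 0, 0, 0)   # window, csum, urg = 0
    csum = inet_checksum(_pseudo(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def verify_tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver side: summing pseudo-header plus segment (checksum included)
    must give all ones, i.e. a complemented result of zero."""
    return inet_checksum(_pseudo(src_ip, dst_ip, len(segment)) + segment) == 0


def parse_tcp_header(segment: bytes) -> dict:
    sp, dp, seq, ack, off, flags, win, csum, urg = struct.unpack(TCP_HDR, segment[:20])
    return {"src_port": sp, "dst_port": dp, "seq": seq, "ack": ack,
            "header_len": (off >> 4) * 4, "rst": bool(flags & TCP_RST),
            "ack_flag": bool(flags & TCP_ACK), "checksum": csum}


if __name__ == "__main__":
    # Constructed session: server 10.5.5.101:22 <-> client 10.1.1.50:51234
    seg = build_tcp_rst("10.5.5.101", "10.1.1.50", 22, 51234, seq=0x1A2B3C4D)
    print(parse_tcp_header(seg))
    print("checksum valid:", verify_tcp_checksum("10.5.5.101", "10.1.1.50", seg))
```

Every argument to `build_tcp_rst` is something the attacker can only get by observing the connection, which is why the defensive answer to this attack is encrypting or authenticating the transport (or at least keeping an attacker off the path) rather than hiding port numbers.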

Which of the following is an attribute of a persistent cookie? New SSL session requests don't require new encryption keys - Remain on the hard drive until the user closes the browser - Deleted only if they have an expiration date - Stored on the computer's hard drive in a text file

Stored on the computer's hard drive in a text file ( Explanation ) Persistent cookies are written to the browser's cookie store on disk (historically a plain text file; modern browsers use a small database). They carry an expiration date by definition, and they are kept until that date passes or the user clears them; closing the browser removes only session cookies. The SSL option is a distractor: key material is negotiated per SSL/TLS session (and can be reused through session resumption), which has nothing to do with cookies.

Which of the following is characteristic of a policy? Formulaic - Tactical - Referential - Strategic

Strategic ( Explanation ) Policies address WHAT to do; they are read cover to cover, are concise and focused, and are strategic, that is, high level. Procedures address HOW to do it; they are referenced when someone has trouble following the policy, are detailed and step by step, and are tactical. Procedures are derived from policies; if you can characterize the procedures you follow (and you should be able to do that easily), then you can derive the parent policy. This is true even if it has not yet been written and signed. By walking through the who, what, when, where and why of the procedure, the parent policy is derived from an understanding of it.

An attacker attempts to connect to port 22 on several hosts, and notices the connection attempt to 192.168.1.4 is very slow. Based on the tcpdump output below, what aggressive active defense technique has the system administrator implemented on 192.168.1.4? [tcpdump output image not included] Decloak - Beartrap - Tarpits - Artillery - Honey Badger

Tarpits ( Explanation ) A tarpit accepts the connection but advertises a very small TCP window size, so very little data can pass between the hosts and each transfer crawls. This forces the attacker's machine to keep its sockets open and spend resources maintaining the connections; in the capture this shows up as tiny window values and a connection that never makes progress. Beartrap opens false ports on a system and can block hosts that try to access them. Artillery monitors systems and gives early warning of attack attempts. Honey Badger attempts to determine an attacker's physical location by running a Java applet on his machine. Decloak attempts to find an attacker's real IP address.

Which of the following is a characteristic of a Windows NT File System (NTFS)? Permissions on a file or folder are not enforced when that object is accessed using FTP - The CHKDSK.EXE program is run automatically after a power failure or Blue Screen of Death - The driver does not provide compression on the file system, a separate application is required - Allow permissions take precedence over Deny permissions on a file or folder INCORRECT ON PT

The CHKDSK.EXE program is run automatically after a power failure or Blue Screen of Death ( Explanation ) NTFS uses transaction-oriented (journaled) processing for write operations to keep the file system consistent even after a power failure or Blue Screen of Death; when the machine reboots after such an event the system runs chkdsk.exe. If a user is a member of two groups with conflicting permissions on a file or folder, DENY takes precedence over ALLOW at the same level (an explicit permission still overrides an inherited one). On NTFS, file and folder permissions are enforced by the operating system regardless of how the file is accessed, including over FTP. Compression is provided by the NTFS driver itself; no third-party application is required.

The security team set up a device that records information about session IDs used on the company's website. Which information about session IDs would the security team be checking? What personal information each session ID is leaking - The strength of session ID encryption - The randomness of the session IDs - If any of the users are sharing the same session ID

The randomness of the session IDs ( Explanation ) Most session attacks require the attacker to obtain another user's session ID, and guessing it is the cheapest way. Session IDs must therefore be random and long enough (on the order of 128 bits of entropy from a cryptographic generator), so that no pattern or algorithm lets an attacker predict other users' IDs. Tools exist that sample a stream of issued IDs and test them for predictability, and that is what the security team was doing. An encryption method's strength is determined mathematically, not by sampling data. A session ID itself carries no personal information; it simply tracks a user's web session, giving "state" to the stateless HTTP protocol. If two users shared a session ID the website would treat both as the same session; sites protect against this by verifying that a value is not already in use before issuing it.
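What "random enough" looks like in code and what a sampling check catches, as an added example not from the quiz. Both generators are constructed for the demonstration (a counter-based one standing in for any sequential or time-derived scheme, and `secrets.token_urlsafe` for the sound one); the entropy estimate is a plain per-position Shannon estimate over a sample, far cruder than what a dedicated analyzer does but enough to separate the two.

```python
"""Added example (not from the quiz): generating session IDs properly and a
crude predictability check of the kind a sampling device performs. The
weak generator is a constructed stand-in for sequential/time-based IDs.
"""
from __future__ import annotations

import math
import secrets
from collections import Counter
from typing import Iterable


def weak_session_id(counter: int) -> str:
    """Predictable: the next ID is the previous one plus one."""
    return f"SESS{counter:012d}"


def strong_session_id() -> str:
    """128 bits from the OS CSPRNG, URL-safe base64 without padding."""
    return secrets.token_urlsafe(16)


def positional_entropy_bits(ids: Iterable[str]) -> float:
    """Sum over character positions of the Shannon entropy (bits) of the
    symbols observed at that position in the sample. Low total => guessable."""
    ids = list(ids)
    if not ids:
        return 0.0
    width = min(len(i) for i in ids)
    n = len(ids)
    total = 0.0
    for pos in range(width):
        counts = Counter(i[pos] for i in ids)
        total -= sum((c / n) * math.log2(c / n) for c in counts.values())
    return total


def predict_next(ids: list[str]) -> str | None:
    """Attacker's view: if every ID shares a prefix and the numeric tail
    advances by a constant step, the next ID follows directly."""
    if not ids:
        return None
    prefix = ids[0][:4]
    if not all(i.startswith(prefix) for i in ids):
        return None
    try:
        tails = [int(i[4:]) for i in ids]
    except ValueError:                      # non-numeric tail: no simple pattern
        return None
    if len(tails) < 2:
        return None
    steps = {b - a for a, b in zip(tails, tails[1:])}
    if len(steps) != 1:
        return None
    return f"{prefix}{tails[-1] + steps.pop():012d}"


if __name__ == "__main__":
    weak = [weak_session_id(c) for c in range(1000, 1100)]
    strong = [strong_session_id() for _ in range(100)]
    print("weak   bits:", round(positional_entropy_bits(weak), 1), "next:", predict_next(weak))
    print("strong bits:", round(positional_entropy_bits(strong), 1), "next:", predict_next(strong))
```

The weak sample yields only a few bits of variation (the last two digits) and its successor is computed outright; the strong sample yields roughly a hundred bits across the string and no pattern to extrapolate. A real assessment would also check that IDs are not reused and are regenerated after login.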

Together, Network Access Control (NAC) and a Virtual LAN (VLAN) can be used to achieve which objective? To place systems on an isolated network segment until they are properly scanned and patched. - To authenticate users and determine what resources they are allowed to use. - To allow remote users to access resources on an internal LAN. - To allow several computers to work closely together so they seem to form a single computer. INCORRECT ON PT

To place systems on an isolated network segment until they are properly scanned and patched. ( Explanation ) Together, NAC and a VLAN allow systems to be placed on an isolated (quarantine) VLAN until they have been scanned and properly patched, limiting their exposure and their ability to infect other systems. Giving remote users access to internal LAN resources is done with a VPN; authentication and authorization (and accounting, AAA) are handled by an LDAP directory, RADIUS or a similar service; several computers working together as one is clustering.

The UDP protocol belongs to which OSI layer? Network - Transport - Physical - Application

Transport ( Explanation ) The UDP, like TCP, belongs to the Transport layer of the OSI model.

Which of these log-monitoring detections is the highest priority security event for the log analyst performing daily log review? Web browsing to non-work-related websites - Connections denied by the firewall - Collection of baseline data from a new logging source - Unauthorized configuration changes

Unauthorized configuration changes ( Explanation ) Unauthorized configuration changes are indicators of compromise, and so should be investigated promptly. The remaining answers are tasks that typically are dealt with monthly or quarterly if at all.

What should be done before conducting a risk analysis? Understand business operations and the types of possible risk exposure - List the return on investment for each asset to calculate the quantitative risk - Deploy security devices to discover security gaps in the network - Conduct a Business Impact Analysis to gauge revenue impact

Understand business operations and the types of possible risk exposure ( Explanation ) Before a risk assessment can be conducted, one must understand the business operations and the types of risk to which the business may be exposed; otherwise there is no basis for deciding which assets and threats matter.

Which of the following is necessary to detect unusual events through log correlation for the devices in an organization? Understanding the normal network traffic and host activity for the organization - Triggering for incident response team activation when anomalies are detected - Visualization software for the combined system log files for the organization - Methodology for rotating and hashing central log files to prevent tampering

Understanding the normal network traffic and host activity for the organization ( Explanation ) You first want to establish a baseline (what does the system look like under normal load?). This gives you something to compare to as utilization grows or when problems or incidents occur.

What is a recommended action to take to make a wireless network more secure? Configure the Access Points to hide or cloak the SSID - Use equipment which generates a strong signal to reduce interference - Implement per-packet authentication per the wired equivalency protocol spec - Implement MAC based access control on the Access Points - Use network authentication software like PEAP or TTLS

Use network authentication software like PEAP or TTLS ( Explanation ) To prevent an attacker from spoofing an access point or a legitimate client, an administrator can deploy 802.1X with an EAP method such as PEAP or EAP-TTLS, which provide mutual authentication (the client verifies the network's certificate before sending credentials). Hiding or cloaking the SSID does not help: an attacker only has to sniff and wait for a client to associate, and the SSID is in the clear. MAC-based access control is ineffective because the attacker can sniff "allowed" MAC addresses and use one. To reduce eavesdropping, the recommendation is to limit signal range with directional or range-limiting antennas and by placing access points away from the building's exterior, not to increase signal strength. Wired Equivalent Privacy (WEP, the original 802.11 security spec) does not provide per-packet authentication and is itself broken.

What is the preferred method of setting up decoy ports on a server? Set up the host to use a very small window size to manage flow control to the ports - Use software which makes ports appear to be open but is not related to the real services - Configure a host-based firewall to respond with RST packets when the decoy port is the destination port - Enable the actual services for the decoy ports and then keep them patched and up to date

Use software which makes ports appear to be open but is not related to the real services ( Explanation ) To set up decoy ports, the systems administrator should not enable the actual services. Even if fully patched, each additional service would make the system more vulnerable. Installing software which makes the ports appear to be open but are not running the actual services is a better option. Another recommended option is to set up a gateway device which would lead an outsider to believe more ports were open. Configuring a host based firewall to send reset packets for ports would not give the illusion the ports were open. Changing the window size to manage flow control could be used to tie up an attacker's resources, but would have nothing to do with decoy ports.

Kevin wants to accomplish the following tasks: 1) Inventory all devices 2) Inventory all software 3) Secure Configurations on all devices 4) Constant Vulnerability Assessment and Remediation How should Kevin prioritize this list of tasks?? Using the CIS Critical Security Controls - Using the US-CERT Incident handling Guideline - Using the Verizon Data Breach Report - Using the Penetration Testing Framework

Using the CIS Critical Security Controls ( Explanation ) The CIS Critical Security Controls are prioritized technical security controls that were designed to prevent currently known high-priority attacks as well as future attacks.

Creating a file that has no legitimate purpose with a specific string embedded along with a corresponding IDS rule to detect this string is an example of what type of mechanism? Building malicious payloads to be used for 'hack back' campaigns - Establishing a baseline for which to compare future attacks - Creating canaries to slow down an adversary - Utilizing a honeytoken for detection of data exfiltration

Utilizing a honeytoken for detection of data exfiltration ( Explanation ) A honeytoken is a file placed on the production system that is designed to look legitimate, but does not have any true value. Embedding a honeytoken with a specific string inside of it that can be detected by an intrusion detection system is a great way to detect attempted data exfiltration. With the rule in place, when the file attempts to traverse the IDS, it would immediately be detected. If this is implemented in an IPS, the connection could be closed automatically and the IP blocked.

Which fact is associated with the RSA cryptosystem? It is useful in resource-constrained environments - The algorithm is primarily based on symmetric permutation - Vulnerabilities have been found in some implementations - It can be used for encryption, digital signatures, and hashing INCORRECT ON PT

Vulnerabilities have been found in some implementations ( Explanation ) Although there have been a large number of claims to having cracked the RSA algorithm, they have all turned out to be false. Vulnerabilities have been found in certain RSA implementations, however. Poor implementations of the RSA algorithm can be compromised, but that does not mean the algorithm itself has been cracked. RSA is an asymmetric cryptosystem, and so does not use a symmetric algorithm. Elliptic Curve Cryptosystems are efficient and therefore useful in resource-constrained computing environments. RSA can be used for encryption and digital signatures, but not hashing.

When does applying an encryption algorithm multiple times provide additional security? When the algorithm is a group - When the algorithm is not a group - The algorithm uses xor - The algorithm is weak INCORRECT ON PT

When the algorithm is not a group ( Explanation ) Whether an algorithm is a group is an important statistical consideration. If it is a group, then applying the algorithm multiple times is a waste of time. In fact, in 1992 it was proven that DES is not a group, so encrypting multiple times with DES is not equivalent to encrypting once.

An organization is worried about malicious or unauthorized software being run on their network. What solution should they implement for the best security? VLANs - Blacklisting - Firewalls - Whitelisting

Whitelisting ( Explanation ) Whitelisting would be the best solution because it would ensure that only acceptable and authorized applications are being run. While blacklisting would accomplish this, it would only disallow specific applications. Programs or code that were not known by the blacklisting software would not be blocked. Firewalls can prevent unauthorized traffic from entering and leaving the network, but cannot prevent software from running on endpoints. VLANs don't stop software from being run.

Windows IoT is a version of which Windows OS? Windows 8 - Windows 10 - Windows Server 2019 - Windows Hyper-V Server

Windows 10 ( Explanation ) Starting with Windows 10, Microsoft changed the name of Windows Embedded to Windows IoT to capitalize on the Internet of Things trend. Windows IoT operating systems are intended for dedicated-use appliances in industries such as utilities, manufacturing, retail, and healthcare. Windows IoT is also intended for all the small and inexpensive devices used for the "Internet of Things" (IoT), such as robots, quadcopters, sensors, toys, and 3D printers. Windows IoT is intended for industry-specific hardware appliances, such as ICS/SCADA equipment, retail point-of-sale, MRI scanners, robotics, digital signs, drones, 3D printers, and more. It supports the ARM platform, as well as x86 and x64 CPUs. It runs on Raspberry Pi, MinnowBoard, and Arduino devices. It is a rebranding of the Windows Embedded versions that were part of earlier OSes.

Which class of Windows Operating Systems are commonly referred to as "Windows IOT"? Windows Embedded - Windows Ultimate - Windows Client - Windows Server

Windows Embedded ( Explanation ) The Windows Embedded class is commonly referred to as Windows IoT.

You are asked by your manager to run a vulnerability scan against the engineering department's network. What should you ensure you have before performing any scanning activity? Previous Scan Results - Commercial Vulnerability Scanner - Written Permission - Wireless Internet Scans - Root Access to Systems

Written Permission ( Explanation ) Note that vulnerability scanning can be hazardous to your career. The difference between a penetration tester and an attacker is permission! Be sure you have it. If you are just now coming up with a scanning policy in your organization, get written permission from the highest level possible in your organization.

Why is the job of analyzing Network Intrusion Detection System (NIDS) logs more difficult than analyzing firewall logs? NIDS logs do not use standard syslog format - NIDS only creates Out-of-Baseline events - NIDS produces false positives - NIDS time signatures do not correlate with other device signatures

NIDS produces false positives ( Explanation ) Reviewing Network IDS logs is extremely useful and is often a frustrating task because NIDSs sometimes produce false positives. Still, NIDS log analysis often comes second after firewalls; the value of such info for security is undeniable, and logs can, in most cases, be easily centralized for analysis. NIDS may or may not use syslog format, but collectors (or their pre-processors) normalize the logging differences of the logs they aggregate. In situations where correlation is important, the time difference between a NIDS and another system is trivial in nearly all circumstances. Once properly tuned, NIDS produces routine, known bad, and out-of-baseline events.

What feature is not available in 802.11i but is addressed by 802.1x? Network Authentication - Replay Protection - Integrity - Encryption INCORRECT ON PT

Network Authentication ( Explanation ) The 802.11i specification accommodated two replacement encryption mechanisms for WEP, one that could be retrofit into existing hardware, and a second design that would be a "completely secure" solution, requiring new hardware for implementation. Known as the Temporal Key Integrity Protocol (TKIP) and the Counter-Mode/CBC-MAC Protocol (CCMP), respectively, these algorithms represent a significantly more secure option for organizations to deploy wireless LANs. Both protocols protect information on the wireless network through strong encryption, replay protection and integrity protection. While 802.11i accommodates privacy and encryption for network traffic, it does not address the issue of authentication.

Which Threat will be reduced when avoiding system calls from within a web app?

OS command injection ( Explanation ) The primary way to avoid OS command injection attacks is to avoid system calls from your web application, especially when the system call is built based on user input. In most cases, you should be able to find a function or library within your programming language that can perform the same action.

A Linux administrator ran the commands below. The content of each file is displayed after the command. What would cause the two files to have different hashes? root@system123:/tmp# cat example1.txt TEST FILE root@system123:/tmp# cat example99.txt TEST FILE root@system123:/tmp# md5sum example1.txt 5deffb997041bbb5f11bdcafdbb47975 - root@system123:/tmp# md5sum example99.txt 13927f6f0f7357427e8a32b5f4017edc - md5sum changes the salt each time it is run - One of the files has a hidden character - The two file names are different - The length of the file names is different

One of the files has a hidden character ( Explanation ) Hashing is based on the binary composition of the file, not the viewable ASCII characters. Even if the files look the same when displayed, if there are any hidden characters, the hashes will be different. A difference in the file names, or their lengths, will not affect the hash. md5sum does not use a salt to hash files.

Which attack surface will be reduced by giving vague, generic errors to users and logging detailed error information to a log file? Buffer Overflows - OS command injection - Broken Authentication - SQL injection

SQL injection ( Explanation ) One aspect of many SQL injection attacks is the amount of information the attacker can learn about the database from the error messages returned. Error messages often disclose table names, column names or data types, and other important information to the end user. Your production server should be configured to give vague, generic errors to users, and log detailed error information to a log file.

When analyzing an entire TCP session with TCPdump, which TCP flags are used in the three-way handshake? SYN,SYN+ACK,ACK - SYN,ACK,FIN - SYN,SYN,ACK - SYN,SYN+ACK,SYN

SYN,SYN+ACK,ACK ( Explanation ) The TCP flags that make up a three-way handshake are SYN,SYN+ACK, and ACK. The other choices are incorrect sequences of SYN's and ACK's to initiate a TCP connection.

Which of the following is a characteristic of public key crypto algorithms? Symmetric key - Asymmetric key - 1-key encryption - No key encryption

Asymmetric key ( Explanation ) Public key crypto algorithms are asymmetric and have a dual or 2-key encryption scheme.

Which of the following event classification types occurs when an activity is malicious but an alert is not generated by the Intrusion Detection System? False negative - False positive - True positive - True negative

False negative ( Explanation ) A true positive is when the Intrusion Detection System (IDS) worked as intended and correctly flagged malicious activity as anomalous. A false positive is where the IDS generates an alert flagging benign activity as hostile. A true negative event is where activity is known to be benign and no alert is generated. A false negative event is when the IDS identifies data as benign, when in fact it was malicious.

Of the following drives shared on a network, how many will users see when in My Network Places? IPC$ Marketing& Mgmt! print$ Useful# Users% 5 - 3 - 6 - 4 INCORRECT ON PT

4 ( Explanation ) The correct answer is 4. If the share name ends with a dollar sign ($), then the share name is not visible in My Network Places. By default, a shared folder is visible in Network Places and when browsing to the computer through its Universal Naming Convention (UNC) path (for example, \\ComputerName at the Run line). However, the only way you can access a share that ends with a dollar sign is by entering the full UNC path to it, for example, \\ComputerName\HiddenShare$.

How many concurrent TCP streams can a firewall handle, using port address translation and a single, public, IP address? 65535 - 10000 - 262140 - 255 INCORRECT ON PT

65535 ( Explanation ) The port field is two bytes long, or 16 bits. 2^16 is 65,536; because 0 is not typically a legal port value, this leaves us with 65,535 possible source or destination ports. This means that a firewall can track up to 65,535 concurrent UDP streams and 65,535 TCP connections from a single NAT address.

What is hashed to compute the IPSec Authentication Header's Integrity Check Value? Sender's public key - Source and destination addresses - Every field in the packet - Every field in the packet that will not change during transit

Every field in the packet that will not change during transit ( Explanation ) The IPSec Authentication Header adds a keyed hash of the message to the packet. This hash is referred to as the Integrity Check Value (ICV). In the ICV computation, AH includes every field that does not change during its trip from source to destination. This includes the source address, destination address, length, and the data. This information is inserted into the packet after the regular IP header, but before the data.

Which item, when created with default options, is ciphertext? An automobile license plate - An Apple Lossless audio file - A ZIP file - A Windows executable file - A digital signature

A digital signature ( Explanation ) To digitally sign a message (that is, give some type of "digital proof" as to the signer's identity), we might choose an asymmetric algorithm, such as RSA or ECC with a hashing algorithm. The .exe, .m4a, and .zip files are able to be encrypted, some by using options when the file is created and others by a separate program. However, by default they are all not encrypted and therefore plaintext. The automobile license plate is also plaintext - it is a sequence that passes no information and is loosely coupled to the auto.

An attacker gets a SYN/AC from all ports. What could be the cause of this?

A network device with decoy ports ( Explanation ) An implementation of active defense would be to set up decoy ports on network devices so that, instead of responding with a RST packet for ports that are not open, they respond with a SYN/ACK to any requests aimed at them. This can significantly slow down an attacker: not only will the scan take longer to complete, but the attacker will also have to vet each individual port to see if it actually is open.

Which description below is an example of an external threat to Acme Corporation? An Acme employee contracted to another company logging into Acme from a PC at the other company - A visitor to Acme who attempts to connect to Acme's enterprise network - A buggy software update that an Acme sys admin applied to an Acme server - An Acme employee returning from lunch and plugging in a USB drive she found INCORRECT ON PT

A visitor to Acme who attempts to connect to Acme's enterprise network ( Explanation ) The visitor attempting to access enterprise WiFi is the external threat. The other examples are insiders taking an action that poses a threat to Acme's information.

Normally, in a packet that is not crafted, a TCP SYN flag can exist by itself in a packet, or in combination with which other flag? RST - PSH - URG - FIN - ACK

ACK ( Explanation ) A SYN flag can exist by itself in a TCP packet (with no payload) to initiate a connection, and is only used in the first two exchanges of the TCP three-way handshake. It will be responded to with a SYN/ACK packet. No other combinations of SYN with any other flag are allowed.

Which of the following is characteristic of a procedure? Addresses the what to do - Sets a starting point - Presents a recommendation - Addresses the how to do it

Addresses the how to do it ( Explanation ) Procedures address the HOW to do it; are referenced when having trouble following the policy; are detailed and step by step; and are tactical. Policies address the WHAT to do; are read cover to cover; are concise and focused; and are strategic - high level. Guidelines present a recommendation as they are neither binding nor enforceable. Baselines set a starting point for comparison. Procedures are derived from policies; if you can characterize the procedures you follow (and you should be able to do that easily), then you can derive the parent policy. This is true even if it has not yet been written and signed. By walking through the who, what, when, where, and why, the parent policy is derived from an understanding of the procedure.

Which of the following is one of the steps a HIDS performs when using FIC to assure file integrity? Scan the network for recently backed up files - Alert on any files where the hashes no longer match - Confirm cryptographic hashes can be modified - Perform backups of specified files at set intervals

Alert on any files where the hashes no longer match ( Explanation ) Steps performed by file integrity checking: 1. Define a list of files to check 2. Perform a cryptographic hash of each file 3. Store those files in a secure location 4. Confirm cryptographic hashes CANNOT be modified 5. At SET intervals, rerun cryptographic hashes on the specified files 6. Compare the new hashes against the original 7. Alert on any files where the hashes no longer match 8. Optional: Alert on new files within a certain directory One of the steps a HIDS using file integrity checking performs is alerting on any files where the hashes no longer match. A certain directory may be scanned for new files; however, the network is not scanned for recently backed up files. File integrity checking confirms that the cryptographic hashes cannot be modified and reruns cryptographic hashes of specified files at set intervals; it does not perform backups of specified files.

What is required to perform configuration management? Data regarding the cost of ownership - Up-to-date firmware for the devices - A data classification policy - An accurate baseline document

An accurate baseline document ( Explanation ) Managing configurations requires an accurate baseline document and a way to detect that a change has happened.

A user of a corporate network is accessing the Internet to check her email on her corporate notebook from an open wireless access point in a library. Against which attack will SSL provide protection? A PDF is attached to an email message and executes malicious code - An attacker captures network traffic and reads the email messages - An attacker connects a USB to the notebook which copies files from the disk - A packet sniffing program on her notebook is recording network traffic

An attacker captures network traffic and reads the email messages ( Explanation ) Although SSL encryption can help keep a third-party from snooping on a session, it does nothing to prevent an attacker from playing around with a session she has already established. SSL also does nothing to prevent manipulating user input which includes cross site scripting and SQL injection since the HTML is still clear text on the client end and therefore can be modified.

How is a TCP/IP Packet generated as it moves down through the TCP/IP stack? (Network Layer -> Transport Layer -> Internet Layer -> Application Layer ) (Network Layer -> Internet Layer -> Transport Layer -> Application Layer) (Application Layer -> Transport Layer -> Internet Layer -> Network Layer) (Application Layer -> Internet Layer -> Transport Layer -> Network Layer)

Application Layer -> Transport Layer -> Internet Layer -> Network Layer ( Explanation ) As a packet is generated the packet goes from the Application Layer to the Transport Layer to the Internet Layer and finally to the Network Layer.

Which of the following statements best describes where a border router is normally placed? Between your ISP and your external firewall - Between your firewall and your internal network - Between your ISP and DNS server - Between your firewall and DNS server

Between your ISP and your external firewall ( Explanation ) A border router is normally placed between our Internet Service Provider (ISP) and our firewall.

Ralph, the network administrator, notices that there is a high volume of network traffic coming from a network printer. How does Ralph know there is a high volume of network traffic? By looking at POP (Port 110) traffic that is coming from the network printer - By comparing current network traffic with normal network traffic - By understanding the configuration of the network printer devices - By running Netstat on the network printer to see what ports are open

By comparing current network traffic with normal network traffic ( Explanation ) Ralph notices a high volume of network traffic because he can compare normal traffic with abnormal network traffic. Printer configuration will typically not give any details on network traffic. POP (Post Office Protocol) is an e-mail protocol that is used to send and receive email. Netstat is a command line tool used to show network connections.

Which type of risk assessment results are typically categorized as low, medium, or high-risk events? Quantitative - Management - Qualitative - Technical

Qualitative ( Explanation ) Qualitative risk assessment results are typically categorized as low, medium, or high-risk events.

In PKI, when someone wants to verify that the certificate is valid, what do they use to decrypt the signature? Secret passphrase - CA's public key - CA's private key - X.509 certificate - Receiver's digital signature

CA's public key ( Explanation ) When using PKI, an individual's digital certificate is signed by the Certificate Authority's (CA) private key. When someone wants to verify that the certificate is valid, they use the CA's public key to decrypt the signature. If it decrypts successfully, they know that the CA issued the certificate.

The concept that defenses should be automated where possible is a guiding principle of which security framework? ISO 9001:2015 - CIS Critical Security Controls - ISO 27002:2013 - IEEE 802.1x

CIS Critical Security Controls ( Explanation ) The following principle is a key component of the CIS Critical Security Controls: Defenses should be automated where possible and periodically or continuously measured using automated measurement techniques where feasible. While having controls is good, having controls that can be automated is even better.

Which of the following is a characteristic of a cookie? Can keep track of user authentication data and application session state - Set when the browser adds the set-cookie header to one of its requests - Can contain data which the web server searched for and found on the user's hard drive - Editable by users when stored on the hard drive, but not when residing in memory - Sent using SSL when the browser initially sets the optional secure flag

Can keep track of user authentication data and application session state ( Explanation ) Cookies normally keep track of user authentication data and the session state of the application. They are set when the server adds the set-cookie header to one of its responses. The web server does not search a client's hard drive to find information to put into cookies, the user provides the web server with that type of information. The server can set an optional secure flag on a cookie to notify the browser to send it only using SSL. Cookies can be edited when they are on the hard drive, or in memory using a proxy like Paros or ZAP.

Which 2 layers from the OSI Protocol Stack perform the same functions as the Network layer in the TCP/IP protocol stack? Session and Transport - Presentation and Session - Application and Network - Data Link and Physical

Data Link and Physical ( Explanation ) The Network layer in the TCP/IP protocol is the equivalent of Layers 1 (Physical) and 2 (Data Link). The other answers are wrong for the following reasons: The Session layer in OSI performs some of the functions in the Application layer of TCP/IP. The Transport layer in OSI performs the same functions as the Transport layer of TCP/IP. The Application layer in OSI performs some of the functions in the Application layer of TCP/IP.

Which of the following methods could a Linux Systems Administrator use to close a single unneeded port? Disable the service using the netstat utility - Edit /etc/inittab then stop and start the init daemon - Edit the service file in /etc/xinetd.d then restart xinetd - Disable the listening port using the lsof program

Edit the service file in /etc/xinetd.d then restart xinetd ( Explanation ) To disable a service such as telnet on a Linux system running the xinetd daemon, the administrator would set the disable parameter to "no" in the /etc/xinetd.d/telnet file, then restart the xinetd daemon. The netstat utility is a command line tool for displaying network connections. The lsof program lists open files and the processes that opened those files. The /etc/inittab file defines what services are started at a specific run level; it is not used to manage specific services. Stopping the init daemon would crash the system.

How often by default does Windows Group Policy check for updated policies? (Once a day) (Within 30 minutes of an applied policy change) (Every quarter hour) (Every 90-120 minutes) INCORRECT ON PT

Every 90-120 minutes ( Explanation ) When a computer boots up, it downloads the GPOs assigned to it and executes them automatically. Every 90-120 minutes thereafter, the computer checks whether any of the GPOs assigned to it have changed; if any have, those are downloaded and run automatically even if the computer has not rebooted. 0-30 minutes, 30-60 minutes and 120-180 minutes are durations a group policy could possibly be modified to use; the standard duration used by Group Policy is 90-120 minutes.

What term describes software products deployed directly on a computer that analyze system event logs and use signature matching to flag suspicious activity? Network based IDS - Antivirus scanner - Host based IDS - File integrity monitors

Host based IDS ( Explanation ) Instead of analyzing network traffic, host-based sensors (or host IDS) analyze the event logs from one or several hosts. By watching event logs, host-based sensors are able to catch some intrusion attempts network-based intrusion detection would miss. Network based sensor, antivirus software, and file integrity monitors do not check system event logs by definition.

Analyze the following screenshot. How should the system that generated this alert be classified? Proxy-based firewall - Host-based intrusion prevention - Network-based intrusion prevention - Network behavior analysis

Host-based intrusion prevention ( Explanation ) Application behavior monitoring is a feature of HIPS software where a manufacturer selects a supported application, and records the intended functionality of the application in normal use.

What is a characteristic of the VPN packets shown in the tcpdump capture below? Payload data is encrypted and/or authenticated - The Time-To-Live value is authenticated - SPI and Sequence numbers are encrypted - Source IP addresses are authenticated

Payload data is encrypted and/or authenticated ( Explanation ) The tcpdump output is a packet capture of ESP traffic going over the network. With ESP, payload data (protocol header above layer 3 and its data) may be encrypted, authenticated, or both. The AH protocol authenticates certain fields in the IPv4 header, such as the source and destination IP addresses. AH does not authenticate the TTL value because that changes as the packets go through routers. ESP does not authenticate any fields in the IPv4 header. Neither ESP nor AH encrypt the Security Parameters Index (SPI) or Sequence numbers.

What is a benefit of running virtual instances in a public cloud environment? Physical hardware flaws such as those involving processors do not affect virtual instances - Cloud APIs have stronger authentication than those written for traditional environments - Incident Responders can more effectively and efficiently handle containment and recovery - Network traffic between virtual machines is more secure because it can not be captured on a virtual switch

Incident Responders can more effectively and efficiently handle containment and recovery ( Explanation ) Virtualization technologies and the elasticity inherent in cloud platforms allow for more efficient and effective containment and recovery with less service interruption than with more traditional technologies. Virtual machine traffic sniffing occurs when an adversary has gained access to a victim network and starts sniffing and monitoring VM traffic. This is especially effective if the attacker can gain access to the vSwitch. Successful exploitation of physical flaws that reside on a computer's processor can result in kernel-level permissions and root-level file access. Most Cloud APIs are written with weak authentication due to the desire for simplicity.

Which of the following is a characteristic of Quality Updates for Windows? Are released less frequently than Feature Updates - Support deferring installation on Home edition devices - Include bug fixes and security patches - Increment the version of Windows

Include bug fixes and security patches ( Explanation ) Quality Updates are smaller improvements to already existing software on Windows systems, and include bug fixes and security fixes. They are released about every 30 days, whereas Feature Updates are released a couple of times a year and increment the Windows version. Installation of Quality Updates may be deferred for up to 30 days, except on Home edition devices.

The Return on Investment (ROI) measurement used in Information Technology and Information Security fields is typically calculated with which formula? ROI = (loss + expenditure)/(expenditure) X 100% - ROI = (gain - expenditure)/(expenditure) X 100% - ROI = (loss - expenditure)/(expenditure) X 100% - ROI = (gain + expenditure)/(expenditure) X 100%

ROI = (gain - expenditure)/(expenditure) X 100% ( Explanation ) The Return on Investment measurement we use in Information Technology and Information Security fields is typically calculated with the formula ROI = (gain - expenditure)/(expenditure) X 100%.

Which technique does 802.11ac use to increase throughput and bandwidth for supported wireless networks? Multiple input multiple output - Multiple radios aggregating the signal - Signal reflection - Faster hardware to support decryption of packets INCORRECT ON PT

Multiple radios aggregating the signal ( Explanation ) The 802.11ac wireless standard increases network bandwidth and throughput by supporting multiple radios on the wireless device to allow for up to 6.77 Gbps. Signal reflection and MIMO are features of 802.11n.

A system administrator thinks an attacker is sending malicious data to a router. Which tool will help show this? Router configuration guide - Packet sniffer - Remote access tool - NTP device

Packet sniffer ( Explanation ) Sniffers can be hardware devices that physically attach to the network, but more commonly, they are software programs that run on networked computers. The sniffers that come bundled with your operating system are designed as tools for the system administrator.

Which of the following is supported for multi-factor authentication on Microsoft Azure AD? RSA Token - Smart Card - Retinal Scan - SMS PIN INCORRECT ON PT

SMS PIN ( Explanation ) Of the choices, only SMS PIN is supported by Azure AD.

Which is an advantage of centralized logging? Diminishes possibility of denial-of-service attack - Protects against log wiping - Requires less storage - Decreases the central syslog server target value

Protects against log wiping ( Explanation ) The main advantage of centralized logging is that it makes it difficult for a remote attacker to wipe or otherwise corrupt the system logs. Any logs generated by their attacks are sent immediately to another machine, which stores the data. Assuming the syslog server does not in turn get hacked, the information remains there to be discovered by the system administrator and can be used in the recovery process. One key vulnerability of this design is that it makes it possible either to cause the syslog client machines to send so much log data that it overwhelms the central syslog server, or for an attacker to send false messages to the central syslog server directly to clutter up the logs. The only protection against a syslog client that is sending lots of information is to have a syslog server that has lots of disk space to store that information. The central syslog server is a machine that is critical to protect.

There are three key factors in selecting a biometric mechanism. What are they? User acceptance, encryption strength, and cost - Reliability, user acceptance, and cost - Encryption strength, authorization method, and cost - Reliability, encryption strength, and cost

Reliability, user acceptance, and cost ( Explanation ) The key factors in selecting a biometric mechanism are usually reliability, user acceptance, and cost.

Terminal Services and Remote Desktop BOTH rely on which protocol? Terminal Desktop Protocol (TDP) - Remote Desktop Protocol (RDP) - Terminal Services Protocol (TSP) - Remote Services Protocol (RSP)

Remote Desktop Protocol (RDP) ( Explanation ) Terminal Services and Remote Desktop both use the Remote Desktop Protocol (RDP), which by default listens on Transmission Control Protocol (TCP) port 3389.

Which encryption algorithm was selected as the official AES cipher? Twofish - 3DES - RC6 - Rijndael

Rijndael ( Explanation ) NIST selected the five AES finalists on August 9, 1999. In October 2000, Rijndael was announced as the winner and was approved as the official AES cipher; the standard was published as FIPS 197 in November 2001.

Which of the following is assigned to every user account, computer account, and group on a Microsoft operating system? UUID - RID - SID - GUID

SID ( Explanation ) Every user account, computer account, and group has a unique security identifier (SID). It's like a Microsoft social security number: the "primary key" for any security principal in Active Directory. A globally unique identifier (GUID) is a 128-bit value that is unique not only in the enterprise but also across the world. The relative identifier (RID) is a 32-bit number assigned to an object at creation that becomes the final component of the object's SID; the rest of the SID identifies the domain (or the local machine) that issued it, so every domain has its own RID 500 (Administrator) under a different domain prefix. UUIDs can be generated to refer to almost anything imaginable. Microsoft and some other software companies refer to GUIDs (globally unique identifiers), a type of UUID used to refer to Component Object Model (COM) objects and other software components. The first UUIDs were created in the Network Computing System (NCS) and subsequently became a component of the Distributed Computing Environment (DCE) of the Open Software Foundation (OSF).
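To make the SID/RID relationship concrete, here is an added Python example (not part of the original study set) that splits a string SID into its revision, identifier authority and sub-authorities, extracts the domain identifier and RID from a domain SID, and converts to and from the binary form found in security descriptors and the SAM. The SID values used in the test are made up; the well-known RID table is the standard one.

```python
import struct

# RIDs that mean the same thing in every domain (or on every standalone machine).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins",
}


def parse_sid(sid):
    """Break a string SID such as S-1-5-21-A-B-C-RID into its parts."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15 or any(s >= 1 << 32 for s in subs):
        raise ValueError("SID out of range: %r" % sid)
    # Domain SIDs are S-1-5-21-<three 32-bit values>-RID: the prefix is the domain identifier.
    is_domain = authority == 5 and len(subs) == 5 and subs[0] == 21
    return {
        "revision": revision,
        "authority": authority,
        "subauthorities": subs,
        "domain": "-".join(parts[:-1]) if is_domain else None,
        "rid": subs[-1] if is_domain else None,
    }


def describe_rid(rid):
    """Name a well-known RID, or classify it by the range it falls in."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "domain-created principal" if rid >= 1000 else "reserved/built-in"


def sid_to_bytes(sid):
    """Binary SID as stored in security descriptors and the SAM/NTDS:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then each sub-authority as a 32-bit little-endian value."""
    s = parse_sid(sid)
    out = bytes([s["revision"], len(s["subauthorities"])]) + s["authority"].to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", sa) for sa in s["subauthorities"])


def bytes_to_sid(buf):
    """Inverse of sid_to_bytes; tolerates trailing data after the SID."""
    revision, count = buf[0], buf[1]
    if len(buf) < 8 + 4 * count:
        raise ValueError("truncated SID")
    authority = int.from_bytes(buf[2:8], "big")
    subs = struct.unpack("<%dI" % count, buf[8:8 + 4 * count])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
```

The binary form matters in forensics and in tooling that reads NTDS.dit or registry hives: the same S-1-5-21 prefix turns up in every principal the domain issued, and only the trailing four bytes (the RID) differ between Administrator and an ordinary user.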

An attacker does an ACK scan of a network but the scan doesn't detect any open ports, even though services in the DMZ are accessible. How would this result happen? There is a stateless firewall on the network - The firewall dropped the packets because the ESTABLISHED state was already in its database - The firewall dropped the packets because there was no ESTABLISHED state for the connection - The firewall dropped the packets because there is no LAST_ACK state in its database

The firewall dropped the packets because there was no ESTABLISHED state for the connection ( Explanation ) A stateless firewall judges each packet on its own header, so an ACK packet aimed at an allowed port would pass. A stateful firewall instead keeps a table of source address and source port, paired with the destination address and port, plus a state flag. The state flag identifies the relationship between the source and destination address (and ports) and the current status of the connection. An ACK scan sends packets with only the ACK flag set; no SYN ever created a table entry for them, so the firewall finds no ESTABLISHED (or any other) state for the connection and drops the probes, and the scanner learns nothing about the services behind it. Possible values for the state, following TCP's own connection states, are as follows:
• SYN_SENT: A SYN packet has been sent from host A to host B, the first step in the three-way handshake.
• SYN_RECV: A SYN/ACK packet has come back from host B, the second step in the three-way handshake.
• ESTABLISHED: The third step in the three-way handshake (host A's ACK) has been completed and the connection between host A and B is established.
• FIN_WAIT1: One host has sent a FIN packet, indicating the connection should be gracefully closed, and is waiting for it to be acknowledged.
• FIN_WAIT2: That FIN has been acknowledged; the host is now waiting for the other side's FIN.
• LAST_ACK: The other host has sent its own FIN and is waiting for the final ACK. Once it arrives, both sides are finished communicating.
• CLOSED: No connection between the two hosts.
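An added example, not from the original study set, of the state table described above as a small Python model: a bare SYN creates an entry, the handshake and the graceful close move it through the listed states, and an ACK-only probe with no entry is dropped, which is exactly what the ACK scan in the question runs into. Addresses and ports are made up, and the model is a simplification (no timeouts, no sequence-number checks), not any firewall's real implementation.

```python
from dataclasses import dataclass

ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST", "PSH"}


class StatefulFirewall:
    """Connection table keyed by the unordered pair of (ip, port) endpoints.
    Each entry holds the state name, which endpoint opened the connection and,
    once closing starts, which endpoint sent the first FIN."""

    def __init__(self):
        self.table = {}

    @staticmethod
    def _key(p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def process(self, p):
        key, sender = self._key(p), (p.src, p.sport)
        entry = self.table.get(key)
        if entry is None:
            # Only a bare SYN may create state. A lone ACK (an ACK scan), FIN or RST
            # with no matching entry is dropped: the result in the question.
            if p.flags == {"SYN"}:
                self.table[key] = {"state": "SYN_SENT", "initiator": sender, "closer": None}
                return ACCEPT
            return DROP
        st, init, closer = entry["state"], entry["initiator"], entry["closer"]
        if "RST" in p.flags:
            del self.table[key]  # abrupt close: back to CLOSED
            return ACCEPT
        if st == "SYN_SENT" and p.flags == {"SYN"} and sender == init:
            pass  # retransmitted SYN
        elif st == "SYN_SENT" and p.flags == {"SYN", "ACK"} and sender != init:
            entry["state"] = "SYN_RECV"
        elif st == "SYN_RECV" and "ACK" in p.flags and sender == init:
            entry["state"] = "ESTABLISHED"
        elif st == "ESTABLISHED" and "FIN" in p.flags:
            entry["state"], entry["closer"] = "FIN_WAIT1", sender
        elif st == "ESTABLISHED":
            pass  # ordinary data and ACK traffic
        elif st == "FIN_WAIT1" and sender != closer and "FIN" in p.flags:
            entry["state"] = "LAST_ACK"  # peer closed at once, skipping FIN_WAIT2
        elif st == "FIN_WAIT1" and sender != closer and "ACK" in p.flags:
            entry["state"] = "FIN_WAIT2"
        elif st == "FIN_WAIT2" and sender != closer and "FIN" in p.flags:
            entry["state"] = "LAST_ACK"
        elif st == "LAST_ACK" and sender == closer and "ACK" in p.flags:
            del self.table[key]  # final ACK: CLOSED
        else:
            return DROP  # packet does not fit the connection's current state
        return ACCEPT

    def state_of(self, p):
        entry = self.table.get(self._key(p))
        return entry["state"] if entry else "CLOSED"


def ack_scan(fw, target, ports, scanner=("203.0.113.9", 40000)):
    """What an ACK scan looks like to the firewall: one ACK-only probe per port."""
    return {port: fw.process(Packet(scanner[0], scanner[1], target, port, frozenset({"ACK"})))
            for port in ports}


def full_session(fw, client, server):
    """Handshake, one data segment and a graceful close; returns (flags, verdict, state) per packet."""
    c_ip, c_port = client
    s_ip, s_port = server
    c2s = lambda *f: Packet(c_ip, c_port, s_ip, s_port, frozenset(f))
    s2c = lambda *f: Packet(s_ip, s_port, c_ip, c_port, frozenset(f))
    trace = []
    for pkt in (c2s("SYN"), s2c("SYN", "ACK"), c2s("ACK"), c2s("PSH", "ACK"),
                s2c("ACK"), c2s("FIN", "ACK"), s2c("ACK"), s2c("FIN", "ACK"), c2s("ACK")):
        trace.append((pkt.flags, fw.process(pkt), fw.state_of(pkt)))
    return trace
```

Running ack_scan against a fresh firewall returns DROP for every port, while full_session walks one connection through SYN_SENT, SYN_RECV, ESTABLISHED, FIN_WAIT1, FIN_WAIT2 and LAST_ACK back to CLOSED with every packet accepted.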

Which of the following Linux commands can change both the username and groupname a file belongs to? chown - chgrp - newgrp - chmod

chown ( Explanation ) The chown command can change the user ownership and the group ownership at the same time. For example, to make user 'jdoe' the owner of 'file.txt' and 'marketing' its group, run: chown jdoe:marketing file.txt. By contrast, chgrp changes only the group, newgrp changes the active group of the current shell session rather than any file, and chmod changes permission bits, not ownership.

Which Linux command below is similar to the Windows "dir" command? cd - ls - ln - file - du

ls ( Explanation ) The ls command in Linux lists files and directory contents. The file command describes what type of data is in a file. The cd command changes the working directory. The du command reports how much disk space a file or directory takes. The ln command creates a link (a hard link by default, a symbolic link with -s), the closest Linux equivalent of a shortcut.

Which of the following is a UDP based protocol? imap - ldap - telnet - snmp

snmp ( Explanation ) UDP is often used for applications that do not send very much data, perhaps just a handful of bytes. Simple Network Management Protocol (SNMP) is a UDP-based protocol used as a management tool to query network and server-based devices for monitoring or troubleshooting purposes; agents listen on UDP port 161 and send traps to UDP port 162. telnet, imap, and ldap all use TCP to communicate.

What file on UNIX and Linux devices can be edited to forward logs to a log server? syslog.conf - logrotate.conf - /etc/trapconf.conf - /etc/logs/source.conf

syslog.conf ( Explanation ) The syslog.conf file (rsyslog.conf on systems running rsyslog) tells the syslog daemon where each class of message goes, including whether to forward it to a remote host: a rule whose action names the log server prefixed with @ sends the matching messages to that host over UDP port 514, and under rsyslog a @@ prefix sends them over TCP. The logrotate.conf file plays no part in forwarding or receiving logs; it controls how local log files are rotated, compressed and retained.

When the last command is run without any arguments, as shown in the image, what log file is it displaying? utmp - wtmp - btmp - syslog

wtmp ( Explanation ) When you run last with no arguments, you see the contents of the wtmp log file (/var/log/wtmp on most Linux systems). The last command can, however, read from utmp, wtmp, or btmp. Running last by itself shows who logged in, when they logged in, and when they logged out, among other useful information, and it is historical data. Passing last the -f switch tells it to read a different file, such as utmp (current logins) or btmp (failed logins; the lastb command is a shortcut for reading btmp).
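As an added example (not from the original study set) of what last actually does with wtmp: a Python parser for the Linux/glibc x86-64 record layout that pairs USER_PROCESS logins with DEAD_PROCESS logouts per terminal, the way last -f does on a wtmp file copied out of a disk image during an investigation. The 384-byte struct utmp layout is an assumption of the example (32-bit and non-glibc systems differ), and the sample records are constructed inside the block.

```python
import struct

# Layout of struct utmp on Linux/glibc x86-64 (bits/utmp.h): 384 bytes per record.
# Assumed fixed here; other platforms lay the record out differently.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
assert UTMP_SIZE == 384

BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def pack_utmp(ut_type, pid, line, user, host, tv_sec, ut_id=b""):
    """Build one wtmp record (used here only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id, user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def _cstr(b):
    """Decode a NUL-padded fixed-width field."""
    return b.split(b"\0", 1)[0].decode(errors="replace")


def parse_wtmp(data):
    """Yield records from raw wtmp bytes, the same way 'last -f <file>' reads them."""
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp length is not a multiple of %d bytes" % UTMP_SIZE)
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        yield {"type": f[0], "pid": f[1], "line": _cstr(f[2]), "id": f[3],
               "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]}


def sessions(records):
    """Pair logins with logouts per tty, as last does. logout is None for sessions
    still open; a reboot ends every open session with how='down'."""
    open_by_line, out = {}, []

    def close(login, when, how):
        out.append({"user": login["user"], "line": login["line"], "host": login["host"],
                    "login": login["time"], "logout": when, "how": how})

    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            # DEAD_PROCESS records usually carry no user name, so match on the tty.
            close(open_by_line.pop(r["line"]), r["time"], "logout")
        elif r["type"] == BOOT_TIME:
            for login in open_by_line.values():
                close(login, r["time"], "down")
            open_by_line.clear()
    for login in open_by_line.values():
        close(login, None, "still logged in")
    return out


def sample_wtmp():
    """Constructed wtmp contents: a boot, two logins, one logout."""
    return b"".join([
        pack_utmp(BOOT_TIME, 0, "~", "reboot", "5.15.0", 900, b"~~"),
        pack_utmp(USER_PROCESS, 1201, "pts/0", "alice", "10.0.0.7", 1000),
        pack_utmp(USER_PROCESS, 1302, "pts/1", "bob", "10.0.0.8", 1200),
        pack_utmp(DEAD_PROCESS, 1201, "pts/0", "", "", 4600),
    ])
```

On the sample data, sessions(parse_wtmp(sample_wtmp())) reports alice's hour-long session from 10.0.0.7 and bob on pts/1 still logged in; the same function works on any wtmp copied from a Linux host, which is useful when the live system's last binary cannot be trusted.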
