Part I: Attacks, Threats, and Vulnerabilities
1.1 Once an organization's security policies have been established, what is the single most effective method of countering potential social engineering attacks? A. An active security awareness program B. A separate physical access control mechanism for each department in the organization C. Frequent testing of both the organization's physical security procedures and employee telephone practices D. Implementing access control cards and the wearing of security identification badges
A. An active security awareness program. Because any employee may be the target of a social engineering attack, the best thing you can do to protect your organization from these attacks is to implement an active security awareness program to ensure that all employees are cognizant of the threat and what they can do to address it.
1.2 While port-scanning your network for unauthorized systems, you notice one of your file servers has TCP port 61337 open. When you use Wireshark and examine the packets, you see encrypted traffic, in single packets, going back and forth every five minutes. The external connection is a server outside of your organization. What is this connection? A. Command and control B. Backdoor C. External backup location D. Remote login
A. Command and control. Periodic traffic that looks like a heartbeat on high ports to an unknown server outside the network is suspicious, and this is what many command-and-control signals look like.
1.2 A user has reported consistent activity delays with his PC when using a specific web browser. A quick investigation reveals abnormally high CPU usage. Which of the following types of malware is most likely affecting the user's PC? A. Crypto-malware B. Worm C. Macro virus D. Keylogger
A. Crypto-malware. Crypto-malware is most likely. While crypto-malware may have worm-like capabilities, such malware is known for heavy CPU use, and, because this particular issue happens when using the web browser, the problem is likely to be a cryptojacking variant. The other choices may result in anomalous CPU behavior, but that is not as likely as it would be with crypto-malware. Further, a macro virus would involve the use of office software. Thus, answers B, C, and D are incorrect.
1.4 Which specific type of attack occurs when a perpetrator redirects traffic by changing the IP record for a specific domain in order to be able to send legitimate traffic anywhere he chooses? A. DNS poisoning B. Domain hijacking C. On-path browser attack D. Port stealing
A. DNS poisoning. Domain Name System (DNS) poisoning enables a perpetrator to redirect traffic by changing the IP record for a specific domain, thus permitting attackers to send legitimate traffic anywhere they choose. DNS poisoning sends a requestor to a different website and also caches this information for a short period, spreading the attack's effect to every user of the poisoned server. Answer B is incorrect. Domain hijacking, the act of changing domain name registration, occurs when an entire domain is taken over without the original owner's knowledge or consent. Answer C is incorrect. An on-path browser attack is a Trojan that infects web browser components such as browser plug-ins and other browser helper objects. Answer D is incorrect because port stealing is an on-path attack that exploits the binding between a port and a MAC address.
1.1 Charles wants to find out about security procedures inside his target company, but he doesn't want the people he is talking to realize that he is gathering information about the organization. He engages staff members in casual conversation to get them to talk about the security procedures without noticing that they have done so. What term describes this process in social engineering efforts? A. Elicitation B. Suggestion C. Pharming D. Prepending
A. Elicitation. Elicitation is the process of using casual conversation and subtle direction to gather information without the targets realizing they have disclosed details to the social engineer. Suggestion is not one of the terms used in the Security+ exam outline, pharming redirects traffic to malicious sites, and prepending can include a variety of techniques that add data or terms.
1.2 Ben wants to analyze Python code that he believes may be malicious code written by an employee of his organization. What can he do to determine if the code is malicious? A. Run a decompiler against it to allow him to read the code. B. Open the file using a text editor to review the code. C. Test the code using an antivirus tool. D. Submit the Python code to a malware testing website
B. Open the file using a text editor to review the code. Python is an interpreted rather than a compiled language, so Ben doesn't need to use a decompiler. Instead, his best bet is to open the file and review the code to see what it does. Since it was written by an employee, it is unlikely that it will match an existing known malicious package, which means antivirus and antimalware tools and sites will be useless.
1.1 Alaina discovers that someone has set up a website that looks exactly like her organization's banking website. Which of the following terms best describes this sort of attack? A. Phishing B. Pharming C. Typosquatting D. Tailgating
B. Pharming. Pharming best fits this description. Pharming attacks use web pages that are designed to look like a legitimate site but that attempt to capture information like credentials. Typosquatting relies on slightly incorrect hostnames or URLs, and nothing like that is mentioned in the question. Tailgating is an in-person attack, and phishing is typically done via email or other means to request information, not by setting up a site like this, although some phishing attacks may direct victims to a pharming website!
1.1 Your boss thanks you for pictures you sent from the recent company picnic. You ask him what he is talking about, and he says he got an e-mail from you with pictures from the picnic. Knowing you have not sent him that e-mail, what type of attack do you suspect is happening? A. Phishing B. Spear phishing C. Reconnaissance D. Impersonation
B. Spear phishing. This is spear phishing, which is a targeted phishing attack against a specific person.
1.1 Alex discovers that the network routers that his organization has recently ordered are running a modified firmware version that does not match the hash provided by the manufacturer when he compares them. How should Alex categorize this attack? A. An influence campaign B. A hoax C. A supply chain attack D. A pharming attack
C. A supply chain attack. Supply chain attacks occur before software or hardware is delivered to an organization. Influence campaigns seek to change or establish opinions and attitudes. Pharming attacks redirect legitimate traffic to fake sites, and hoaxes are intentional deceptions.
1.2 A user in finance opens a help desk ticket identifying many problems with her desktop computer, including sluggish performance and unfamiliar pop-ups. The issues started after she opened an invoice from a vendor. The user subsequently agreed to several security warnings. Which of the following is the user's device most likely infected with? A. Ransomware B. Spyware C. Backdoor D. Adware
C. Backdoor. Because the user opened an attachment that masqueraded as something legitimate and required agreement to various security prompts, it is most likely a backdoor installed on the system. Answer A is incorrect because, with ransomware, the attacker would be asking for a ransom payment. While both spyware and adware may cause problems with performance, they would not likely prompt the user with security dialogs. Thus, answers B and D are incorrect.
1.2 Naomi wants to provide guidance on how to keep her organization's new machine learning tools secure. Which of the following is not a common means of securing machine learning algorithms? A. Understand the quality of the source data B. Build a secure working environment for ML developers C. Require third-party review for bias in ML algorithms D. Ensure changes to ML algorithms are reviewed and tested
C. Require third-party review for bias in ML algorithms. Requiring third-party review of ML algorithms is not a common requirement, but ensuring that you use high-quality source data, that the working environment remains secure, and that changes are reviewed and tested are all common best practices for ML algorithm security.
1.2 Fred receives a call to respond to a malware-infected system. When he arrives, he discovers a message on the screen that reads "Send .5 Bitcoin to the following address to recover your files." What is the most effective way for Fred to return the system to normal operation? A. Pay the Bitcoin ransom. B. Wipe the system and reinstall. C. Restore from a backup if available. D. Run antimalware software to remove malware.
C. Restore from a backup if available. Restoring from a backup, if one is available, is the most effective way to return the system to normal operation. If no backup exists, Fred may be faced with a difficult choice. Paying a ransom is prohibited by policy in many organizations and does not guarantee that the files will be unlocked. Wiping and reinstalling may result in the loss of data, much like not paying the ransom. Antimalware software may work, but if it did not detect the malware in the first place, it may not work, or it may not decrypt the files encrypted by the malware.
1.2 Angela wants to limit the potential impact of malicious Bash scripts. Which of the following is the most effective technique she can use to do so without a significant usability impact for most users? A. Disable Bash. B. Switch to another shell. C. Use Bash's restricted mode. D. Prevent execution of Bash scripts.
C. Use Bash's restricted mode. Bash's restricted shell mode removes many of the features that can make Bash useful to malicious actors.
1.1 You have been contacted by your company's CEO after she received a personalized but suspicious e-mail message from the company's bank asking for detailed personal and financial information. After reviewing the message, you determine that it did not originate from the legitimate bank. Which of the following security issues does this scenario describe? A. Dumpster diving B. Phishing C. Whaling D. Vishing
C. Whaling. Whaling is a type of phishing attack that is targeted at a specific high-level user. The victim is usually a high-profile member of the organization who has much more critical information to lose than the average user. The messages used in the attack are usually crafted and personalized toward the specific victim user.
1.2 Mike discovers that attackers have left software that allows them to have remote access to systems on a computer in his company's network. How should he describe or classify this malware? A. A worm B. Crypto malware C. A Trojan D. A backdoor
D. A backdoor. Remote access to a system is typically provided by a backdoor. Backdoors may also appear in firmware or even in hardware. None of the other items listed provide remote access by default, although they may have a backdoor as part of a more capable malware package.
1.1 What type of malicious actor is most likely to use hybrid warfare? A. A script kiddie B. A hacktivist C. An internal threat D. A nation-state
D. A nation-state. Hybrid warfare combines active cyberwarfare, influence campaigns, and real-world direct action. This makes hybrid warfare almost exclusively the domain of nation-state actors.
1.1 Skimming attacks are often associated with what next step by attackers? A. Phishing B. Dumpster diving C. Vishing D. Cloning
D. Cloning. Cloning attacks often occur after a skimmer is used to capture card information. Skimming devices may include magnetic stripe readers, cameras, and other technology to allow attackers to make a complete copy of a captured card. Phishing focuses on acquiring credentials or other information but isn't a typical follow-up to a skimming attack. Dumpster diving and vishing are both unrelated techniques as well.
1.2 Matt uploads a malware sample to a third-party malware scanning site that uses multiple antimalware and antivirus engines to scan the sample. He receives several different answers for what the malware package is. What has occurred? A. The package contains more than one piece of malware. B. The service is misconfigured. C. The malware is polymorphic and changed while being tested. D. Different vendors use different names for malware packages.
D. Different vendors use different names for malware packages. One of the challenges security practitioners can face when attempting to identify malware is that different antivirus and antimalware vendors name malware packages and families differently. This means that Matt may need to look at different names to figure out what he is dealing with.
1.2 Nancy is concerned that there is a software keylogger on the system she is investigating. What data may have been stolen? A. All files on the system B. All keyboard input C. All files the user accessed while the keylogger was active D. Keyboard and other input from the user
D. Keyboard and other input from the user. Though keyloggers often focus on keyboard input, other types of input may also be captured, meaning Nancy should worry about any user input that occurred while the keylogger was installed. Keyloggers typically do not target files on systems, although if Nancy finds a keylogger she may want to check for other malware packages with additional capabilities.
1.1 Lucca's organization runs a hybrid datacenter with systems in Microsoft's Azure cloud and in a local facility. Which of the following attacks is one that he can establish controls for in both locations? A. Shoulder surfing B. Tailgating C. Dumpster diving D. Phishing
D. Phishing. Shoulder surfing, tailgating, and dumpster diving are all in-person physical attacks and are not something that will be in Lucca's control with a major cloud vendor. Antiphishing techniques can be used regardless of where servers and services are located.