Security+ 501 - Chapter 6


A company is using a mobile device deployment model in which employees use their personal devices for work at their own discretion. Some of the problems the company is encountering include the following: there is no standardization; employees ask for reimbursement for their devices; employees do not replace their devices often enough to keep them running efficiently; the company does not have enough control over the devices. Which of the following is a deployment model that would help the company overcome these problems?
A. CYOD
B. COPE
C. VDI
D. BYOD

A. CYOD
Choose Your Own Device (CYOD) is a business trend designed to give an organization more control over the devices that employees use to handle company data. With CYOD, an organization allows employees to select from a list of specified devices for business use.

Due to regulatory requirements, a security analyst must implement full drive encryption on a Windows file server. Which of the following should the analyst implement on the system to BEST meet this requirement? (Choose two.)
A. Enable and configure BitLocker on the drives
B. Ensure the hardware supports TPM, and enable it in the BIOS
C. Enable and configure EFS on the file system
D. Ensure the hardware supports VT-x, and enable it in the BIOS

A. Enable and configure BitLocker on the drives
B. Ensure the hardware supports TPM, and enable it in the BIOS
Computers that incorporate a TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called wrapping or binding a key, helps protect the key from disclosure. Each TPM has a master wrapping key, called the storage root key, which is stored within the TPM itself. The private portion of a storage root key or endorsement key that is created in a TPM is never exposed to any other component, software, process, or user. You can specify whether encryption keys created by the TPM can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys cannot be migrated, the private portion of the key is never exposed outside the TPM. Computers that incorporate a TPM can also create a key that has not only been wrapped, but is also tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as "sealing the key to the TPM"; decrypting the key is called unsealing. The TPM can also seal and unseal data that is generated outside the TPM. With this sealed key and software such as BitLocker Drive Encryption, you can implement full disk encryption that keeps data locked until specific hardware or software conditions are met.

Joe, a website administrator, believes he owns the intellectual property for a company invention and has been replacing image files on the company's public-facing website in the DMZ. Joe is using steganography to hide stolen data. Which of the following controls can be implemented to mitigate this type of insider threat?
A. File integrity monitoring
B. Stateful inspection firewall
C. Change management
D. Access controls
E. Digital signatures

A. File integrity monitoring
Bad actors, whether black hat hackers or malicious insiders, look to exploit vulnerabilities and trust models across your IT assets to disrupt your operations, gain some competitive advantage, and/or for their own financial gain. Once inside your environment, many attacks will do one or more of the following: modify critical system and application binaries and configuration files; access (to capture information) or modify data files; and then modify or delete log data to hide their tracks. With that in mind, it is critical to know when a change to, or unauthorized access of, a critical file is attempted and whether or not the attempt was successful. This is the realm of File Integrity Monitoring (FIM), a critical tool in the security defense of any organization wishing to protect its assets. FIM technologies typically work with one of the following approaches:
1. Baseline comparison, wherein one or more file attributes are captured or calculated and stored as a baseline that can be compared against at some future time. This can be as simple as the time and date of the file; however, since this data can be easily spoofed, a more trustworthy approach is typically used. This may include periodically computing a cryptographic checksum for a monitored file (e.g. using the MD5 or SHA-2 hashing algorithm) and then comparing the result to the previously calculated checksum.
2. Real-time change notification, which is typically implemented within, or as an extension to, the kernel of the operating system and flags when a file is accessed or modified.
Regardless of approach, the end result is the same: to identify and alert you to any changes (creation, modification or deletion) to a monitored file or directory.

A botnet has hit a popular website with a massive number of GRE encapsulated packets to perform a DDoS attack. News outlets discover a certain type of refrigerator was exploited and used to send outbound packets to the website that crashed. To which of the following categories does the refrigerator belong?
A. IoT
B. ICS
C. SoC
D. MFD

A. IoT
The Internet of Things (IoT) is the network of physical devices, vehicles, home appliances and other items embedded with electronics, software, sensors, actuators, and connectivity, which enables these objects to connect and exchange data. Each thing is uniquely identifiable through its embedded computing system but is able to inter-operate within the existing Internet infrastructure.

Which of the following precautions MINIMIZES the risk from network attacks directed at multifunction printers, as well as the impact on functionality at the same time?
A. Isolating the systems using VLANs
B. Implementing a unique user PIN access functions
C. Enabling full disk encryption
D. Installing a software-based IPS on all devices

A. Isolating the systems using VLANs
Segmentation and micro-segmentation: this is a topic that we all need to consider with the rise in IoT (Internet of Things), as devices that used to just print ink on paper connected to LPT and COM ports are now becoming increasingly connected. We can't simply hook them up to the corporate user VLAN and throw them all into the same subnet as everything else. Just like we segment/isolate servers into separate VLANs, we want to do the same with multifunction printers. Architecture and design vulnerabilities that have led to the successful compromise of servers from lower security zones (such as the DMZ and corporate user VLANs) existed because the printers were not isolated into a printer VLAN with filtering in place to permit only the ports needed for workstations to print to them. The administrative interface should be filtered to accept connections only from an administrative VLAN where the IT, server, and network administrators are. If the maturity level of your network just isn't there yet, that's fine: use other filtering methods, either VACLs, filtering on the printer itself, or on core firewalls, to allow traffic to those administrative ports only from the IT staff.

After a routine audit, a company discovers that engineering documents have been leaving the network on a particular port. The company must allow outbound traffic on this port, as it has a legitimate business use. Blocking the port would cause an outage. Which of the following technology controls should the company implement?
A. DLP
B. Web Proxy
C. NAC
D. ACL

A. DLP
Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer.

Joe, an employee, wants to show his colleagues how much he knows about smartphones. Joe demonstrates a free movie application that he installed from a third party on his corporate smartphone. Joe's colleagues were unable to find the application in the app stores. Which of the following allowed Joe to install the application? (Select two.)
A. Sideloading
B. Near-field communication
C. Rooting/jailbreaking
D. Ad-hoc connections
E. Tethering

A. Sideloading
C. Rooting/jailbreaking
Jailbreaking is the process of removing software restrictions put into place by Apple on devices that run the iOS operating system. To accomplish a jailbreak, a custom kernel is used to grant root access to the device. On an Android device, rooting basically gives you access to more or less the entire operating system. You can completely remove the OS and replace it with user-made operating systems that contain tweaks and enhancements (known as ROMs), and you can even access and adjust settings such as your processor speeds. Sideloading typically refers to media file transfer to a mobile device via USB, Bluetooth, Wi-Fi, or by writing to a memory card for insertion into the mobile device. When referring to Android apps, "sideloading" typically means installing an application package in APK format onto an Android device.

Which of the following best describes the initial processing phase used in mobile device forensics?
A. The phone and storage cards should be examined as a complete unit after examining the removable storage cards separately.
B. The phone should be powered down and the battery removed to preserve the state of data on any internal or removable storage utilized by the mobile device.
C. The removable data storage cards should be processed first to prevent data alteration when examining the mobile device.
D. The mobile device should be examined first, then removable storage, and lastly the phone without removable storage should be examined again.

A. The phone and storage cards should be examined as a complete unit after examining the removable storage cards separately.
The evidence initial processing phase is the starting phase and entails request forms and paperwork to document ownership information. In addition, the intake phase explains the type of incident the mobile device was involved in and outlines the type of data or information the requester is seeking. Developing specific objectives for each examination is the critical part of this phase; it serves to clarify the examiner's goals. Many mobile phones provide an option to extend the memory with removable storage devices, such as the TransFlash/microSD memory expansion card. In cases when such a card is found in a mobile phone that is submitted for examination, the card should be removed and processed using traditional digital forensic techniques. It is also wise to acquire the card while in the mobile device, to ensure data stored on both the handset memory and the card are linked for easier analysis.

When systems, hardware, or software are not supported by the original vendor, it is a vulnerability known as:
A. end-of-life systems
B. default configuration
C. system sprawl
D. resource exhaustion

A. end-of-life systems
End of life (EOL), in the context of manufacturing and product lifecycles, is the final stage of a product's existence. The particular concerns of end-of-life depend on the product in question and whether the perspective is that of the manufacturer or the user. For the manufacturer, EOL concerns involve not only discontinuing production but also continuing to address the market needs that the product addresses, which might lead to the development of a new product. For the business using the product, EOL concerns include disposing of the existing product responsibly, transitioning to a different product and ensuring that disruption will be minimal. Product lifecycle management (PLM) is a systematic approach to managing the series of changes a product goes through, from its design and development to its ultimate retirement or disposal. PLM software can be used to automate the management of product-related data and integrate the data with other business processes such as enterprise resource planning (ERP) and manufacturing execution systems (MES).

The computer resource center issued smartphones to all first-level and above managers. The managers have the ability to install mobile tools. Which of the following tools should be implemented to control the types of tools the managers install?
A. Content manager
B. Application manager
C. Download manager
D. Segmentation manager

B. Application manager
An application manager (app manager) is programming for overseeing the installation, patching and updating, and perhaps access, of software applications. An application manager can be used to monitor a software application's performance and alert administrators if there is a problem. Some application managers for enterprise IT also provide context-aware network access control and mobile device application management. In such a scenario, if a device fails to comply with the app manager's security policies, the device is refused access to applications. Application management is related to application lifecycle management, which involves the tracking of different software versions. A mobile application manager is a tool used by network administrators to remotely install, update, remove, audit, and monitor software programs installed on smartphones and tablets. The term is also used to describe the person whose job involves managing mobile apps.

A security analyst observes the following events in the logs of an employee workstation:
1/23 1:07:16 865 Access to C:\Users\user\temp\oasdfkh.hta has been restricted by your administrator by the default restriction policy level.
1/23 1:07:09 1034 The scan completed. No detections were found.
The security analyst reviews the file system and observes the following:
C:\>dir C:\Users\user\temp
1/23 1:07:02 oasdfkh.hta
1/23 1:07:02 update.bat
1/23 1:07:02 msg.txt
Given the information provided, which of the following MOST likely occurred on the workstation?
A. Antivirus software found and quarantined three malware files.
B. Application whitelisting controls blocked an exploit payload from executing.
C. Automatic updates were initiated but failed because they had not been approved.
D. The SIEM log agent was not tuned properly and reported a false positive.

B. Application whitelisting controls blocked an exploit payload from executing.
HTA is short for HTML Application, a program based on HTML and one or more scripting languages supported by Internet Explorer, usually VBScript or JScript. The default file association for the .hta extension is the Microsoft HTML Application Host (mshta.exe). If you have not disabled or changed this file association, the HTA file in effect behaves like an executable when double-clicked. An HTA runs as a fully trusted application and as a result has far more privileges than a normal HTML file.

A company has a data system with definitions for "Private" and "Public". The company's security policy outlines how data should be protected based on type. The company recently added the data type "Proprietary". Which of the following is the MOST likely reason the company added this data type?
A. Expanded authority of the privacy officer
B. Better data classification
C. Reduced cost
D. More searchable data

B. Better data classification
Classification for commercial or nongovernment organizations does not have a set standard. The classification used is dependent on the overall sensitivity of the data and the levels of confidentiality desired. Additionally, a nongovernment organization might consider the integrity and availability of the data in its classification model. There is no formula for creating the classification system: the system used is dependent on the data. Some organizations use two types of classification: confidential and public. For others, a higher granularity might be necessary. Below is a typical list of classifications that can be used for commercial organizations, from highest to lowest.
Sensitive: Data that is to have the most limited access and requires a high degree of integrity. This is typically data that will do the most damage to the organization should it be disclosed.
Confidential: Data that might be less restrictive within the company but might cause damage if disclosed.
Private: Private data is usually compartmental data that might not do the company damage but must be kept private for other reasons. Human resources data is one example of data that can be classified as private.
Proprietary: Proprietary data is data that is disclosed outside the company on a limited basis or contains information that could reduce the company's competitive advantage, such as the technical specifications of a new product.
Public: Public data is the least sensitive data used by the company and would cause the least harm if disclosed. This could be anything from data used for marketing to the number of employees in the company.

A security administrator determined that users within the company are installing unapproved software. Company policy dictates that only certain applications may be installed or run on the users' computers, without exception. Which of the following should the administrator do to prevent all unapproved software from running on the users' computers?
A. Prevent users from running as administrator so they cannot install software
B. Create an application whitelist and use OS controls to enforce it
C. Deploy antivirus software and configure it to detect and remove pirated software
D. Configure the firewall to prevent the downloading of executable files

B. Create an application whitelist and use OS controls to enforce it
In Windows it is possible to configure two different methods that determine whether an application should be allowed to run. The first method, known as blacklisting, is when you allow all applications to run by default except for those you specifically do not allow. The other, and more secure, method is called whitelisting, which blocks every application from running by default, except for those you explicitly allow. Application whitelisting is the practice of specifying an index of approved software applications that are permitted to be present and active on a computer system. The goal of whitelisting is to protect computers and networks from potentially harmful applications. In general, a whitelist is an index of approved entities. Whitelisting works best in centrally managed, OS-controlled environments, where systems are subject to a consistent workload. The National Institute of Standards and Technology suggests using application whitelisting in high-risk environments, where it is vitally important that individual systems be secure and less important that software be usable without restrictions. To provide more flexibility, a whitelist may also index approved application components, such as software libraries, plug-ins, extensions and configuration files.

A company hired a third-party firm to conduct an assessment of vulnerabilities exposed to the Internet. The firm informs the company that an exploit exists for an FTP server that has a version installed from eight years ago. The company has decided to keep the system online anyway, as no upgrade exists from the vendor. Which of the following BEST describes the reason why the vulnerability exists?
A. Default configuration
B. End-of-life
C. Zero-day threats
D. Weak cipher suite

B. End-of-life
The concept of an EOL product has been around for a while. Generally, EOL marks the last stage of a product's life cycle, which starts with design and development and continues through release and use. The rapid emergence of technology and other factors have led to bigger issues surrounding EOL products, which means manufacturers and vendors must anticipate the consequences of designating a product EOL. Some of the key issues involve disposal. For hardware devices, this means physically disposing of old devices and installing newer versions. For software systems, it means "weaning" off legacy systems or migrating applications to newer platforms in order to discard or change old systems.

A systems administrator wants to protect data stored on mobile devices that are used to scan and record assets in a warehouse. The control must automatically destroy the secure container of mobile devices if they leave the warehouse. Which of the following should the administrator implement? (Select two.)
A. Near-field communication
B. Geofencing
C. Remote wipe
D. Containerization
E. Push notification services

B. Geofencing
C. Remote wipe
Geofencing is a location-based service in which an app or other software uses GPS, RFID, Wi-Fi or cellular data to trigger a pre-programmed action when a mobile device or RFID tag enters or exits a virtual boundary set up around a geographical location, known as a geofence. A secure data container is a third-party mobile application that is used to separate and secure a portion of a device's storage from the rest of the device. Containerization provides a balance of security and enhanced productivity for employees. Enterprise-grade mobile device management (MDM) solutions, whether on-premises or cloud-based, can automatically wipe a device, or wipe part of its storage, when the device leaves a predefined "safe area" as reported by GPS location (geofencing).

An application team is performing a load-balancing test for a critical application during off-hours and has requested access to the load balancer to review which servers are up without having the administrator on call. The security analyst is hesitant to give the application team full access due to other critical applications running on the load balancer. Which of the following is the BEST solution for the security analyst to process the request?
A. Give the application team administrator access during off-hours.
B. Give the application team read-only access.
C. Disable other critical applications before granting the team access.
D. Share the account with the application team.

B. Give the application team read-only access.
Local user accounts are stored locally on the server. These accounts can be assigned rights and permissions on a particular server, but on that server only. Local user accounts are security principals that are used to secure and manage access to the resources on a standalone or member server for services or users. These accounts are typically non-personal and provide administrative access to the local host. These accounts are typically used by the IT staff to perform maintenance or to set up new workstations. Often, these accounts will have the same password across the platform or organization. Such shared passwords are used by thousands of hosts and create a soft target for attackers.

Joe, a technician, is working remotely with his company-provided laptop at the coffee shop near his home. Joe is concerned that another patron of the coffee shop may be trying to access his laptop. Which of the following is an appropriate control to use to prevent the other patron from accessing Joe's laptop directly?
A. Latest OS updates
B. Host-based firewall
C. Full-disk encryption
D. Current antivirus definitions

B. Host-based firewall
A host-based firewall is a piece of firewall software that runs on an individual computer or device connected to a network. These types of firewalls are a granular way to protect the individual hosts from viruses and malware, and to control the spread of these harmful infections throughout the network.

The security administrator receives an email on a non-company account from a coworker stating that some reports are not exporting correctly. Attached to the email was an example report file with several customers' names and credit card numbers with the PIN. Which of the following is the BEST technical control that will help mitigate the risk of disclosing sensitive data?
A. Classify all data according to its sensitivity and inform the users of data that is prohibited to share
B. Implement a DLP solution on the email gateway to scan email and remove sensitive data or files
C. Create a user training program to identify the correct use of email and perform regular audits to ensure compliance
D. Configure the mail server to require TLS connections for every email to ensure all transport data is encrypted

B. Implement a DLP solution on the email gateway to scan email and remove sensitive data or files
Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer. DLP software products use business rules to classify and protect confidential and critical information so that unauthorized end users cannot accidentally or maliciously share data whose disclosure could put the organization at risk. For example, if an employee tried to forward a business email outside the corporate domain or upload a corporate file to a consumer cloud storage service like Dropbox, the employee would be denied permission. Adoption of DLP is being driven by insider threats and by more rigorous state privacy laws, many of which have stringent data protection or access components. In addition to being able to monitor and control endpoint activities, some DLP tools can also be used to filter data streams on the corporate network and protect data in motion.

A security administrator suspects that data on a server has been exfiltrated as a result of unauthorized remote access. Which of the following would assist the administrator in confirming the suspicions? (Select TWO)
A. File integrity monitoring
B. Log analysis
C. DLP alerts
D. Network access control
E. Host firewall rules

B. Log analysis
C. DLP alerts
Data loss prevention (DLP) is a set of tools and processes used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. DLP software classifies regulated, confidential and business-critical data and identifies violations of policies defined by organizations or within a predefined policy pack, typically driven by regulatory compliance such as HIPAA, PCI-DSS, or GDPR. Once those violations are identified, DLP enforces remediation with alerts, encryption, and other protective actions to prevent end users from accidentally or maliciously sharing data that could put the organization at risk. Data loss prevention software and tools monitor and control endpoint activities, filter data streams on corporate networks, and monitor data in the cloud to protect data at rest, in motion, and in use. DLP also provides reporting to meet compliance and auditing requirements and to identify areas of weakness and anomalies for forensics and incident response. Computers, networks, and other IT systems generate records called audit trail records or logs that document system activities. Log analysis is the evaluation of these records and is used by organizations to help mitigate a variety of risks, including data loss, and to meet compliance regulations.

A copy of a highly confidential salary report was recently found on a printer in the IT department. The human resources department does not have this specific printer mapped to its devices, and it is suspected that an employee in the IT department browsed to the share where the report was located and printed it without authorization. Which of the following technical controls would be the BEST choice to immediately prevent this from happening again?
A. Implement a DLP solution and classify the report as confidential, restricting access only to human resources staff
B. Restrict access to the share where the report resides to only human resources employees and enable auditing
C. Have all members of the IT department review and sign the AUP and disciplinary policies
D. Place the human resources computers on a restricted VLAN and configure the ACL to prevent access from the IT department

B. Restrict access to the share where the report resides to only human resources employees and enable auditing
If you are planning a data security regime, keep your system as simple and as open as you can. When plotting data access, only restrict access to information that absolutely cannot be available to all staff. The simplest data security regime is based on two types of users: one being system administrators, allowing access to all the administrative goodies like setting up new users and adding new fields, and the other providing access to all data but without administrative privileges. You are unlikely to end up with this degree of simplicity. You will encounter solid organizational reasons for restricting access to some data, noting that "solid" in this case can mean either sound or immovable. There can also be legal or compliance reasons for restricting data access, particularly if your organization provides health or social services.

A dumpster diver recovers several hard drives from a company and is able to obtain confidential data from one of the hard drives. The company then discovers its information is posted online. Which of the following methods would have MOST likely prevented the data from being exposed?
A. Removing the hard drive from its enclosure
B. Using magnetic fields to erase the data
C. Using software to repeatedly rewrite over the disk space
D. Using Blowfish encryption on the hard drives

B. Using magnetic fields to erase the data
Degaussing is the process of reducing or eliminating an unwanted magnetic field (or data) stored on tape and disk media such as computer and laptop hard drives, diskettes, reels, cassettes and cartridge tapes. When exposed to the powerful magnetic field of a degausser, the magnetic data on a tape or hard disk is neutralized, or erased. Degaussing is the guaranteed form of hard drive erasure; as such, it serves as the standard method of data destruction. Using the right degausser will guarantee that your information is no longer retrievable.

An information security analyst needs to work with an employee who can answer questions about how data for a specific system is used in the business. The analyst should seek out an employee who has the role of:
A. privacy officer
B. owner
C. steward
D. systems administrator

B. owner
Data ownership is the act of having legal rights and complete control over a single piece or set of data elements. It defines and provides information about the rightful owner of data assets and the acquisition, use and distribution policy implemented by the data owner.

A company would like to prevent a known set of applications from being used on company computers. Which of the following should the security administrator implement?
A. Anti-malware
B. Application hardening
C. Blacklisting
D. Disable removable media
E. Whitelisting

C. Blacklisting
A blacklist is a list of items, such as usernames or IP addresses, that are denied access to a certain system or protocol. When a blacklist is used for access control, all entities are allowed access except those listed in the blacklist. The opposite of a blacklist is a whitelist, which denies access to all items except those included in the list.

An administrator has concerns regarding the traveling sales team who works primarily from smartphones. Given the sensitive nature of their work, which of the following would BEST prevent access to the data in case of loss or theft?
A. Enable screensaver locks when the phones are not in use to prevent unauthorized access
B. Enable GPS tracking on all smartphones so that they can be quickly located and recovered
C. Configure the smartphones so that the stored data can be destroyed from a centralized location
D. Configure the smartphones so that all data is saved to removable media and kept separate from the device

C. Configure the smart phones so that the stored data can be destroyed from a centralized location Remote wipe is a security feature that allows a network administrator or device owner to send a command to a computing device and delete data. What remote wipe accomplishes can depend on the device, its specific operating system version and any third-party mobile device management (MDM) software installed on the device. A remote wipe may delete data in selected folders, repeatedly overwrite stored data to prevent forensic recovery, return the device to factory settings or remove all programming on the device, essentially turning it into a brick, meaning that it is no longer of any use to anyone.

The Chief Executive Officer (CEO) of a major defense contracting company is traveling overseas for a conference. The CEO will be taking a laptop. Which of the following should the security administrator implement to ensure confidentiality of the data if the laptop were to be stolen or lost during the trip? A. Remote wipe B. GPS tracking C. Full device encryption D. BIOS password

C. Full device encryption Full disk encryption (FDE) is widely used on a variety of desktop, laptop and mobile device operating systems. This technology helps secure important information and prevents breaches by encrypting all of the data on a hard drive at rest. If someone gets physical access to your computer and you are not using disk encryption, they can very easily steal all of your files. Encrypting your disk will protect you and your data in case your laptop falls into the wrong hands, whether it is because you accidentally left it somewhere, your home or office was burglarized, or it was seized by government agents at home or abroad.

Which of the following is the GREATEST risk to a company by allowing employees to physically bring their personal smartphones to work? A. Installing soft token software to connect to the company's wireless network. B. Company cannot automate patch management on personally-owned devices. C. Taking pictures of proprietary information and equipment in restricted areas. D. Increases the attack surface by having more target devices on the company's campus

C. Taking pictures of proprietary information and equipment in restricted areas. The biggest reason why businesses are wary of implementing a BYOD strategy is that it can potentially leave the company's systems vulnerable to data breaches. Personal devices are not part of your business's IT infrastructure, which means that these devices are not protected by company firewalls and systems. There is also a chance that an employee will take work with them, or use the camera to take pictures of proprietary information, outside the encrypted servers that your company is using, leaving your system vulnerable to inherent security risks.

An organization relies heavily on an application that has a high frequency of security updates. At present, the security team only updates the application on the first Monday of each month, even though the security updates are released as often as twice a week. Which of the following would be the BEST method of updating this application? A. Configure a sandbox for testing patches before the scheduled monthly update B. Configure security control testing for the application C. Manually apply updates for the application when they are released D. Configure testing and automate patch management for the application.

D. Configure testing and automate patch management for the application. Testing patches before deployment is perhaps the most critical step in the patch management process. As much as we want all applications updated, we need to be careful about how we introduce a new patch into the application environment. The trick is to protect your systems as much as possible from vulnerabilities without putting them at a different kind of risk from untested patches. Patch management software keeps enterprises better protected by automating the delivery of operating system and application updates.

A new intern in the purchasing department requires read access to shared documents. Permissions are normally controlled through a group called "Purchasing"; however, the purchasing group permissions allow write access. Which of the following would be the BEST course of action? A. Remove all permissions for the shared files. B. Modify all the shared files with read only permissions for the intern C. Add the intern to the "Purchasing" group. D. Create a new group that has only read permissions for the files.

D. Create a new group that has only read permissions for the files. All files and directories are owned by the person who created them. That means you can specify who is allowed to read the file, write to the file, or (if it is an application instead of a text file) who can execute the file. Reading, writing, and executing are the three main settings in permissions. Since users are placed into a group when their accounts are created, you can also specify whether certain groups can read, write to, or execute a file. Remember that file permissions are a security feature. Whenever you allow anyone else to read, write to, and execute files, you are increasing the risk of files being tampered with, altered, or deleted. As a rule, you should only grant read and write permissions to those who truly need them.

An organization has hired a penetration tester to test the security of its ten web servers. The penetration tester is able to gain root/administrative access in several servers by exploiting vulnerabilities associated with the implementation of SMTP, POP, DNS, FTP, Telnet, and IMAP. Which of the following recommendations should the penetration tester provide to the organization to better protect their web servers in the future? A. Increase application event logging B. Implement transport layer security C. Use a honeypot D. Disable unnecessary services

D. Disable unnecessary services Identifying and staying on top of the services and protocols used in your environment can be difficult. Below are some steps that can get you started and some tips on making it easier to manage in the future. Scan your environment to know which ports are open, what services are running, and what protocols are supported. Network scanning software such as OpenVAS, Nessus, or Alienvault OSSIM can let you know what devices have what services running, and what protocol versions are supported. Particularly in larger networks, the results can be surprising. Close the ports and disable the services and protocols that are not needed. This should be done on both the server side and the client side. Any services or protocols that do not have a business need are unnecessary and must be disabled.

A mobile device user is concerned about geographic positioning information being included in messages sent between users on a popular social network platform. The user turns off the functionality in the application, but wants to ensure the application cannot re-enable the setting without the knowledge of the user. Which of the following mobile device capabilities should the user disable to achieve the stated goal? A. Device access control B. Application control C. Location based services D. GEO-Tagging

D. GEO-Tagging Geotagging is the addition of geographical information, usually in the form of latitude and longitude coordinates, to Web sites, images, videos, smartphone transmissions, and various other data types and sources. Sometimes geotagging includes place names such as street addresses, towns, postal zip codes, or telephone area codes. Less often, altitude data may be given as well.

A business has recently deployed laptops to all sales employees. The laptops will be used primarily from home offices and while traveling, and a high amount of wireless mobile use is expected. To protect the laptops while connected to untrusted wireless networks, which of the following would be the BEST method for reducing the risk of having the laptops compromised? A. MAC filtering B. Application white-listing C. Virtualization D. OS hardening

D. OS hardening OS hardening is making an operating system more secure. It often requires numerous actions such as configuring system and network components properly, deleting unused files and applying the latest patches. Hardening of the OS is the act of configuring an OS securely, updating it, creating rules and policies to help govern the system in a secure manner, and removing unnecessary applications and services. This is done to minimize a computer OS's exposure to threats and to mitigate possible risk.

A new hire wants to use a personally owned phone to access company resources. The new hire expresses concern about what happens to the data on the phone when they leave the company. Which of the following portions of the company's mobile device management configuration would allow the company data to be removed from the device without touching the new hire's data? A. Device access control B. Storage lock out C. Asset control D. Storage segmentation

D. Storage segmentation Mobile device management (MDM) is an industry term for the administration of mobile devices, such as smartphones, tablet computers, laptops and desktop computers. MDM is usually implemented with the use of a third party product that has management features for particular vendors of mobile devices. In order to prevent unauthorized access to the mobile device and the data it contains, access control is necessary, of course, and you can identify users by means of passwords, tokens and so on. Mobile devices have wireless capability to connect to the Internet and office/home computer systems. Wireless capability poses a number of specific security risks in addition to typical network associated risks. A secure data container is a third-party mobile application that is used to separate and secure a portion of a device's storage from the rest of the device. The goal of containerization (https://searchvmware.techtarget.com/tip/VMware-angles-for-control-of-containerized-applications) is to isolate an application to prevent malware, intruders, system resources or other applications from interacting with the application - and any of its sensitive information - secured by the container. Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including, for example, encrypting selected data structures such as files, records, or fields.

The Chief Security Officer (CISO) at a multinational banking corporation is reviewing a plan to upgrade the entire corporate IT infrastructure. The architecture consists of a centralized cloud environment hosting the majority of data, small server clusters at each corporate location to handle the majority of customer transaction processing, ATMs, and a new mobile banking application accessible from smartphones, tablets, and the Internet via HTTP. The corporation does business in jurisdictions having varying data retention and privacy laws. Which of the following technical modifications to the architecture and corresponding security controls should be implemented to provide the MOST complete protection of data? A. Install redundant servers to handle corporate customer processing, encrypt all customer data to ease the transfer from one country to another, implement end-to-end encryption between mobile applications and the cloud. B. Revoke existing root certificates, re-issue new customer certificates, and ensure all transactions are digitally signed to minimize fraud, implement encryption for data in-transit between data centers C. Ensure all data is encrypted according to the most stringent regulatory guidance applicable, implement encryption for data in-transit between data centers, increase data availability by replicating all data, transaction data, logs between each corporate location D. Store customer data based on national borders, ensure end-to-end encryption between ATMs, end users, and servers, test redundancy and COOP plans to ensure data is not inadvertently shifted from one legal jurisdiction to another with more stringent regulations

D. Store customer data based on national borders, ensure end-to-end encryption between ATMs, end users, and servers, test redundancy and COOP plans to ensure data is not inadvertently shifted from one legal jurisdiction to another with more stringent regulations Data loss prevention (DLP) is a strategy deployed by businesses to ensure that sensitive data remains securely within the corporate network. Data loss prevention tools and software are designed to constantly monitor and filter data in real time. In addition to dealing with the data being used, stored and transmitted within the network, data loss prevention applications ensure no harmful outside data is entering the company network. Data loss prevention is a subject new business owners need to pay special attention to when setting up a company. Every new piece of data created, stored, used and shared from the first day of work is sensitive information. Laying a strong foundation at the beginning will result in a little less disquiet down the road.

A company has a security policy that specifies all endpoint computing devices should be assigned a unique identifier that can be tracked via an inventory management system. Recent changes to airline security regulations have caused many executives in the company to travel with mini tablet devices instead of laptops. These tablet devices are difficult to tag and track. An RDP application is used from the tablet to connect into the company network. Which of the following should be implemented in order to meet the security policy requirements? A. RFID tagging system B. WS-security and geo-fencing C. A hardware security module (HSM) D. Security Requirements Traceability Matrix (SRTM) E. MDM software F. Virtual desktop infrastructure (VDI)

E. MDM software Mobile device management (MDM) is an industry term for the administration of mobile devices, such as smartphones, tablet computers, laptops and desktop computers. MDM is usually implemented with the use of a third party product that has management features for particular vendors of mobile devices. Mobile device management (MDM) is software that allows IT administrators to control, secure and enforce policies on smartphones, tablets and other endpoints. MDM is a core component of enterprise mobility management (EMM), which also includes mobile application management, identity and access management and enterprise file sync and share. The intent of MDM is to optimize the functionality and security of mobile devices within the enterprise while simultaneously protecting the corporate network.

An administrator is configuring access to information located on a network file server named "Bowman". The files are located in a folder named "BalkFiles". The files are only for use by the "Matthews" division and should be read-only. The security policy requires permissions for shares to be managed at the file system layer and also requires those permissions to be set according to a least privilege model. Security policy for this data type also dictates that administrator-level accounts on the system have full access to the files. The administrator configures the file share according to the following table:
Share permissions
1 Everyone Full control
File system permissions
2 Bowman\Users Modify Inherited
3 Domain\Matthews Read Not Inherited
4 Bowman\System Full control Inherited
5 Bowman\Administrators Full control Not Inherited
Which of the following rows has been misconfigured? A. Row 1 B. Row 5 C. Row 3 D. Row 2 E. Row 4

E. Row 4 Most file systems have methods to assign permissions or access rights to specific users and groups of users. These permissions control the ability of the users to view, change, navigate, and execute the contents of the file system. Permissions are applied to every file and folder stored on a volume formatted with the file system. By default, permissions are inherited from a root folder to the files and subfolders beneath it, though this inheritance can be disabled. Permissions take effect regardless of whether a file or folder is accessed locally or remotely. Permissions, at the basic level, offer access levels of Read, Read and Execute, Write, Modify, List Folder Contents, and Full Control. There is also an advanced set of permissions, which divides the basic access levels into more granular settings. These advanced permissions vary depending on the type of object to which they are applied.

A security consultant discovers that an organization is using the PCL protocol to print documents, utilizing the default driver and print settings. Which of the following is the MOST likely risk in this situation? A. An attacker can access and change the printer configuration. B. Attackers can use the PCL protocol to bypass the firewall of client computers. C. An attacker can easily inject malicious code into the printer firmware. D. An MITM attack can reveal sensitive information. E. SNMP data leaving the printer will not be properly encrypted.

E. SNMP data leaving the printer will not be properly encrypted. The risk of PCL is that the information being sent to the printer can be captured unencrypted. Unencrypted print data is a weakness in every IT security environment because, without encryption, all printing protocols transmit print data as (more or less) readable clear text. The printer command languages PCL (Printer Control Language) and PostScript are page-description protocols that include the document information in clear text in addition to control and command characters. Reading a text transmitted in ASCII format is even simpler.
