Security Pro Chapter 8 Review
In the /etc/shadow file, which character in the password field indicates that a standard user account is locked?
!
An employee named Bob Smith, whose user name is bsmith, has left the company. You have been instructed to delete his user account and home directory. Which of the following commands would produce the required outcome? (Choose all that apply.)
userdel -r bsmith (or) userdel bsmith; rm -rf /home/bsmith
Which of the following are subject to SQL injection attacks? -ActiveX controls -Web servers serving static content -Browsers that allow clientside scripts -Database servers
-Database servers
You've been assigned to evaluate NoSQL databases as a part of a big data analysis initiative in your organization. You've downloaded an open source NoSQL database from the internet and installed it on a test system in an isolated lab environment. What should you do to harden this database before implementing it in a production environment? (Select two.)
-Disable anonymous access -Implement an application-layer protocol to encrypt data prior to saving it in the database
While using a Web-based order form, an attacker enters an unusually large value in the Quantity field. The value she entered is so large that it exceeds the maximum value supported by the variable type used to store the quantity in the Web application. This causes the value of the quantity variable to wrap around to the minimum possible value, which is a negative number. As a result, the Web application processes the order as a return instead of a purchase, and the attacker's account is credited with a large sum of money. Which practices would have prevented this exploit? (Select two.) -Using the latest browser version and patch level. -Implementing server-side validation. -Implementing client-side validation. -Installing antivirus, anti-spyware, pop-up blockers, and firewall software. -Installing the latest operating system updates.
-Implementing server-side validation. -Implementing client-side validation.
You've been assigned to evaluate NoSQL databases as a part of a big data analysis initiative in your organization. You've downloaded an open source NoSQL database from the internet and installed it on a test system in an isolated lab environment. Which of the following are likely to be true about this test system? (Select two.)
-The database admin user has no password assigned. -Data will be stored in the database in unencrypted format
Which of the following advantages can single sign-on (SSO) provide? (Select two.)
-The elimination of multiple user accounts and passwords for each individual -Access to all authorized resources with a single instance of authentication
Which of the following information is typically not included in an access token? -User security identifier -User rights -Group membership -User account password
-User account password
Which chage option keeps a user from changing their password every two weeks?
-m 33
Which file should you edit to limit the amount of concurrent logins for a specific user? (Tip: Enter the full path to the file.)
/etc/security/limits.conf
Which of the following best describes Active Directory?
A centralized database that contains user account and security information
What is a cookie?
A file saved on your hard drive that tracks website preferences and use.
Which of the following is the strongest form of multi-factor authentication?
A password, a biometric scan, and a token device
Drag the Active Directory terms on the left to their corresponding definition on the right. [Domain] [Organizational Unit] [Objects] [Domain Controller]
A server that holds a copy of the Active Directory database that can be written to. [Domain Controller] A folder that subdivides and organizes network resources within a domain. [Organizational Unit] An administratively-defined collection of network resources that share a common directory database and security policies. [Domain] A computing element that identifies resources in the Active Directory database. [Objects]
You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You would like to define a granular password policy for these users. Which tool should you use?
ADSI Edit
Which of the following terms describes the component that is generated following authentication and is used to gain access to resources following login? -Proxy -Account policy -Access token -Cookie
Access token
Tom Plask's user account has been locked because he entered too many incorrect passwords. You need to unlock the account. Click the tab in the properties of the Tom Plask user object you would use to unlock his account.
Account
You are configuring the Local Security policy of a Windows system. You want to require users to create passwords that are at least 10 characters long. You also want to prevent login after three unsuccessful login attempts. Which policies should you configure? (Select two)
Account lockout threshold Minimum password length
What is the most important aspect of a biometric device?
Accuracy
You manage several Windows systems. Desktop users access an in-house application that is hosted on your intranet Web server. When a user clicks a specific option in the application, they receive an error message that the pop-up was blocked. You need to configure the security settings so that users can see the pop-up without compromising overall security. What should you do?
Add the URL of the website to the Local Intranet zone.
You manage several Windows systems. All computers are members of the domain. You use an internal website that uses Integrated Windows Authentication. You attempt to connect to the website and are prompted for authentication. You verify that your user account has permissions to access the website. You need to ensure that you are automatically authenticated when you connect to the website. What should you do?
Add the internal website to the Local intranet zone
You want to allow e-commerce websites that you visit to keep track of your browsing history for shopping carts and other information, but want to prevent that information from being tracked by sites linked to the sites you explicitly visit. How should you configure the browser settings?
Allow first party cookies but block third-party cookies
Which access control model is based on assigning attributes to objects and using Boolean logic to grant access based on the attributes of the subject?
Attribute-Based Access Control (ABAC)
Which of the following is the term for the process of validating a subject's identity?
Authentication
A remote access user needs to gain access to resources on the server. Which of the following processes are performed by the remote access server to control access to resources?
Authentication and authorization
A programmer who fails to check the length of input before processing leaves his code vulnerable to what form of common attack?
Buffer overflow
Having poor software development practices and failing to program input validation checks during development of custom software can result in a system vulnerable to which type of attack?
Buffer overflow
Which type of attack is the act of exploiting a software program's free acceptance of input in order to execute arbitrary code on a target?
Buffer overflow
Click on the object in the TESTOUTDEMO.com Active Directory that is used to manage individual desktop workstation access.
CORPWS7
To help prevent browser attacks, users of public computers should do which of the following? -Not use any public computer that has been used in the last 30 minutes. -Clear the browser cache -Turn the public computer off immediately after use -Ensure that the public login credentials are unique
Clear the browser cache
You want to prevent your browser from running JavaScript commands that are potentially harmful. Which of the following would you restrict to accomplish this?
Client-side scripts
During the application development cycle, a developer asks several of his peers to assess the portion of the application he was assigned to write for security vulnerabilities. Which assessment technique was used in this scenario?
Code review
Which of the following is a password that relates to things that people know, such as a mother's maiden name or the name of a pet?
Cognitive
During the application development cycle, an application tester creates multiple virtual machines on a hypervisor, each with a different version and edition of Windows installed. She then installs the latest build of the application being developed on each virtual machine and evaluates them for security vulnerabilities. Which assessment technique was used in this scenario?
Configuration testing
For users on your network, you want to automatically lock user accounts if four incorrect passwords are used within 10 minutes. What should you do?
Configure account lockout policies in Group Policy
You want to make sure that all users have passwords over eight characters in length and that passwords must be changed every 30 days. What should you do?
Configure account policies in Group Policy
You have hired 10 new temporary workers who will be with the company for 3 months. How can you make sure that these users can only log on during regular business hours?
Configure day/time restrictions in the user accounts
Which of the following is a text file provided by a Web site to a client that is stored on a user's hard drive in order to track and record information about the user? -Cookie -Mobile code -Digital signature -Certificate
Cookie
Use of which of the following is a possible violation of privacy? -VPNs -HTTP -FTP -Cookies
Cookies
Which access control type is used to implement short-term repairs to restore basic functionality following an attack?
Corrective
You want to ensure that all users in the Development OU have a common set of network communication security settings applied. Which action should you take?
Create a GPO computer policy for the computers in the Development OU.
You manage an Active Directory domain. All users in the domain have a standard set of internet options configured by a GPO linked to the domain. But you want users in the Administrators OU to have a different set of internet options. What should you do?
Create a GPO user policy for the Administrators OU.
You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. Members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You define a new granular password policy with the required settings. All users in the Directors OU are currently members of the DirectorsGG group, a global security group in that OU. You apply the new password policy to that group. Matt Barnes is the chief financial officer. He would like his account to have even stricter password policies than are required for other members in the Directors OU. What should you do?
Create a granular password policy for Matt. Apply the new policy directly to Matt's user account.
You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You need to make the change as easily as possible. Which should you do?
Create a granular password policy. Apply the policy to all users in the Directors OU.
Which form of access control enforces security based on user identities and allows individual users to define access controls over owned resources?
DAC
You have a system that allows the owner of a file to identify users and their permissions to the file. Which type of access control model is implemented?
DAC
Which of the following defines an object as an entity in the context of access control?
Data, applications, systems, networks, and physical space.
Active Directory is a hierarchical database. Hierarchical directory databases have several advantages over flat file database structures. Which of the following is not an advantage of Active Directory's hierarchical database structure?
Decentralization
Upon running a security audit in your organization, you discover that several sales employees are using the same domain user account to log in and update the company's customer database. Which action should you take? (Select two. Each response is part of a complete solution.)
Delete the account that the sales employees are currently using. Train sales employees to use their own user accounts to update the customer database.
Audit trails produced by auditing activities are which type of security control?
Detective
What should you do to a user account if the user goes on an extended vacation?
Disable the account
When you browse to a website, a popup window tells you that your computer has been infected with a virus. You click on the window to see what the problem is. Later, you find out that the window has installed spyware on your system. What type of attack has occurred?
Drive-by download
Which of the following is not an important aspect of password management?
Enable account lockout.
You are configuring the local security policy of a Windows system. You want to prevent users from reusing old passwords. You also want to force them to use a new password for at least five days before changing it again. Which policies should you configure? (Select two)
Enforce password history Minimum password age
Which of the following will enter random data to the inputs of an application?
Fuzzing
Marcus White has just been promoted to a manager. To give him access to the files that he needs, you make his user account a member of the Managers group, which has access to a special shared folder. Later that afternoon, Marcus tells you that he is still unable to access the files reserved for the Managers group. What should you do?
Have Marcus log off and log back in
Computer policies include a special category called user rights. Which action does user rights allow an administrator to perform?
Identify users who can perform maintenance tasks on computers in an OU.
Which statement is true regarding application of GPO settings?
If a setting is defined in the Local Group policy on the computer and not defined in the GPO linked to the OU, the setting is applied.
You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You need to make the change as easily as possible. Which should you do?
Implement a granular password policy for the users in the Directors OU.
An attacker inserts SQL database commands into a data input field of an order form used by a Web-based application. When submitted, these commands are executed on the remote database server, causing customer contact information from the database to be sent to the malicious user's Web browser. Which practice would have prevented this exploit?
Implementing client-side validation
Which of the following is specifically meant to ensure that a program operates on clean, correct and useful data?
Input Validation
While using a Web-based order form, an attacker enters an unusually large value in the Quantity field. The value she entered is so large that it exceeds the maximum value supported by the variable type used to store the quantity in the Web application. This causes the value of the quantity variable to wrap around to the minimum possible value, which is a negative number. As a result, the Web application processes the order as a return instead of a purchase, and the attacker's account is refunded a large sum of money. What type of attack has occurred in this scenario?
Integer overflow
Which of the following is an example of a single sign-on authentication solution? Digital certificates Kerberos RADIUS Biometrics
Kerberos
Which of the following are examples of single sign-on authentication solutions? (Select two.) Kerberos RADIUS DIAMETER Biometrics Digital certificates SESAME
Kerberos SESAME
Within the /etc/security/limits.conf file, you notice the following entry: @guests hard maxlogins 3 What effect does this line have on the Linux system?
Limits the number of logins from the Guest group to three
Group Policy Objects (GPO) are applied in which of the following orders?
Local Group Policy, GPO linked to site, GPO linked to domain, GPO linked to Organizational Unit (highest to lowest).
While using a Web-based game created using Adobe Flash, a Flash cookie is set on a user's computer. The game saves legitimate data in the Flash cookie, such as statistics and user preferences. However, the game creator also programmed the game to track the Web sites that the user visits while the game is running and save them in the Flash cookie. This data is transferred to a server over an Internet connection without the user's permission. What type of exploit has occurred in this scenario?
Locally shared object (LSO) exploit
Which of the following is the single best rule to enforce when designing complex passwords?
Longer passwords
Which access control model is based on multilevel security where objects are assigned a security classification and subjects are granted a security clearance which allows them to access objects at or below that security classification?
Mandatory access control (MAC)
Tom Plask was recently transferred to the Technical Support department. He now needs access to the network resources used by Support employees. To grant him access, you need to add Tom Plask's user account to the Support group in the Active Directory domain. Click the tab in the properties of the Tom Plask user object you would use to accomplish this.
Member Of
Which of the following best describes one-factor authentication?
Multiple authentication credentials may be required, but they are all of the same type.
You are the network administrator of a small nonprofit organization. Currently, an employee named Craig Jenkins handles all help desk calls for the organization. In recent months, the volume of help desk calls has exceeded what Craig can manage alone, so an additional help desk employee has been hired to carry some of the load. Currently, permissions to network resources are assigned directly to Craig's user object. Because the new employee needs exactly the same level of access, you decide to simply copy Craig's Active Directory domain user object and rename it with the new employee's name. Will this strategy work?
No. Permissions are not copied when a user account is copied.
What is another term for the type of login credentials provided by a token device?
One-time password
Match the authentication factor types on the left with the appropriate authentication factor on the right. Each authentication factor type can be used more than once. [Something You Know] [Something You Have] [Something You Are] [Somewhere You Are] [Something You Do]
PIN [Something You Know] Smart card [Something You Have] Password [Something You Know] Retina scan [Something You Are] Fingerprint scan [Something You Are] Hardware token [Something You Have] Pass phrase [Something You Know] Voice recognition [Something You Are] Wi-Fi triangulation [Somewhere You Are] Typing behaviors [Something You Do]
What type of password is maryhadalittlelamb?
Pass phrase
Which of the following is the most common form of authentication?
Password
As you browse the Internet, you notice that when you go to some sites, multiple additional windows are opened automatically. Many of these windows contain advertisements for products that are inappropriate for your family to view. Which tool can you implement to prevent these windows from showing?
Pop-up blocker
You have implemented an access control method that only allows users who are managers to access specific data. Which type of access control model is used?
RBAC
A router access control list uses information in a packet, such as the destination IP address and port number, to make allow or deny forwarding decisions. This is an example of which kind of access control model?
RSBAC
What form of access control is based on job descriptions?
Role-based access control (RBAC)
Which access control model manages rights and permissions based on job descriptions and responsibilities?
Role-based access control (RBAC)
Which of the following is an example of a Rule Based Access Control (RBAC)?
Router access control lists that allow or deny traffic based on characteristics of an IP packet
You have a website that accepts input from users for creating customers' accounts. Input on the form is passed to a database server where the user account information is stored. An attacker is able to insert database commands in the input fields and have those commands execute on the server. Which type of attack has occurred?
SQL Injection
What is the effect of the following command? chage -M 60 -W 10 jsmith
Sets the password for jsmith to expire after 60 days and gives a warning 10 days before it expires.
Lori Redford, who has been a member of the Project Management group, was recently promoted to manager of the team. She has been added as a member of the Managers group. Several days after being promoted, Lori needs to have performance reviews with the team she manages but she cannot access the performance management system. As a member of the Managers group, she should have the Allow permission to access this system. What is most likely preventing her from accessing this system?
She is still a member of the Project Management group, which has been denied permission to this system. Deny permissions always override Allow permissions.
Which of the following is a hardware device that contains identification information and can be used to control building access or computer logon? -SSID -WAP -Smart card -Biometric -Security policy
Smart card
Which of the following is not true of smart cards?
Smart cards are powered internally by a small battery.
You are teaching new users about security and passwords. Which of the following is the best example of a secure password?
T1a73gZ9!
Encryption is which type of access control?
Technical
You have implemented account lockout with a clipping level of 4. What will be the effect of this setting?
The account will be locked after four incorrect attempts.
Which of the following defines the crossover error rate for evaluating biometric systems?
The point where the number of false positives matches t
Which of the following is not true regarding cookies? -They can retain connection and session information -They can collect user information -They can help a hacker spoof a user's identity -They operate within a security sandbox
They operate within a security sandbox
Which of the following is not a form of biometrics? Face recognition Retina scan Token device Fingerprint
Token device
Which of the following is stronger than any biometric authentication factor?
Two-factor authentication
Recently, a Web site named www.vidshare.com has become extremely popular with users around the world. An attacker registers the following domain names: • www.videoshare.com • www.vidshar.com • www.vidsshare.com Each of these URLs points to a phishing Web site that tricks users into supplying their vidshare.com user names and passwords. What type of attack has occurred in this scenario?
Typosquatting (also called URL hijacking)
Which security mechanism uses a unique list that meets the following specifications: • The list is embedded directly in the object itself • The list defines which subjects have access to certain objects • The list specifies the level or type of access allowed to certain objects
User ACL
You are creating a new Active Directory domain user account for Rachel McGaffey. During the account setup process, you assigned a password to the new account. However, you know that the system administrator should not know any user's password for security reasons. Only the user should know his or her own password—no one else. Click the option you would use in the New Object User dialog to remedy this situation.
User must change password at next logon
You have just configured the password policy and set the minimum password age to 10. What will be the effect of this configuration?
Users cannot change the password for 10 days
Which of the following is an example of decentralized privilege management solution?
Workgroup
Which of the following is an attack that injects malicious scripts into Web pages to redirect users to fake websites or gather personal information? -XSS -SQL injection -Drive-by download -DLL injection
XSS
Match each smart card attack on the left with the appropriate description on the right. [Accessing the chip surface directly to observe, manipulate, and interfere with a circuit] [Exploiting vulnerabilities in a card's protocols or encryption methods] [Capturing transmission data produced by a card as it is used] [Deliberately inducing malfunctions in a card]
[Software Attacks] *Exploiting vulnerabilities in a card's protocols or encryption methods* [Eavesdropping] *Capturing transmission data produced by a card as it is used* [Fault Generation] *Deliberately inducing malfunctions in a card* [Microprobing] *Accessing the chip surface directly to observe, manipulate, and interfere with a circuit*
Match the exploit on the right with the appropriate description on the left. [An attacker compromises a Web site, hoping that a target individual will access the site and be exposed to the exploit.] [A vulnerability in a running process allows an attacker to inject malicious instructions and run them.] [An attacker exploits computer application vulnerabilities before they are known and patched by the application's developer.] [A Flash cookie is used to collect information about the user's browsing habits without their permission.]
[Watering hole attack] *An attacker compromises a Web site, hoping that a target individual will access the site and be exposed to the exploit.* [Arbitrary code execution exploit] *A vulnerability in a running process allows an attacker to inject malicious instructions and run them.* [LSO exploit] *A Flash cookie is used to collect information about the user's browsing habits without their permission.* [Zero-day attack] *An attacker exploits computer application vulnerabilities before they are known and patched by the application's developer.*
What chage command should you use to set the password for jsmith to expire after 60 days and give a warning 10 days before it expires? (Tip: Enter the command as if at the command prompt.)
chage -M 60 -W 10 jsmith
You have a group named Research on your system that needs a new password because a member of the group has left the company. Which of the following commands should you use?
gpasswd Research
You are the administrator for a small company. You need to add a new group of users to the system. The group's name is sales. Which command will accomplish this?
groupadd sales
You have a group named temp_sales on your system. The group is no longer needed, and you should remove the group. Which of the following commands should you use?
groupdel temp_sales
Due to a merger with another company, standardization is now being imposed throughout the company. As a result of this, the sales group must be renamed marketing. Which of the following commands will accomplish this?
groupmod -n marketing sales
You want to see which primary and secondary groups the dredford user belongs to. Enter the command you would use to display group memberships for dredford.
groups dredford
You suspect that the gshant user account is locked. Enter the command you use at the command prompt to show the status of the user account.
passwd -S gshant
A user with the account name larry has just been terminated from the company. There is good reason to believe that the user will attempt to access and damage files in the system in the very near future. Which of the following commands will disable or remove the user account from the system and remove his home directory?
userdel -r larry
Which of the following utilities could you use to lock a user account? (Select two. Each answer represents an independent solution.)
usermod passwd
You have performed an audit and have found an active account for an employee with the username joer. This user no longer works for the company. Which command can you use to disable this account?
usermod -L joer
One of your users, Karen Scott, has recently married and is now Karen Jones. She has requested that her username be changed from kscott to kjones, but no other values change. Which of the following commands will accomplish this?
usermod -l kjones kscott