AUD507 Auditing & Monitoring Networks, Perimeters & Systems


Q59 Which two risk assessment methodologies can be combined to create the Consequence Cause Analysis (CCA)?

Fault trees and event trees

Q88 Which of the following choices characterizes the entities for which Unix file permissions are defined and to which they are applied?

Owner, Group and World

Q73 A team is assembled to focus on the employee on-boarding process, and given the ISO-27001 as their standard. What is their recommended next step?

Perform progressive risk assessments

Q12 Which of the following steps is the last step of the six-step audit process?

Report to management

Q33 What is the primary benefit of performing a risk assessment before beginning a vulnerability assessment?

The results of the vulnerability assessment will be better prioritized

Objective

Why are we looking? Always linked to the scope. The targets we aim at.

Q7 When testing for web server vulnerabilities, which of the following two ports should be considered?

80 and 443

Q38 Idaho Mayo Company would like to have fewer than 10 hours of downtime per year. What uptime percentage guarantee should they ask for when reviewing their service level agreement with their ISP?

99.9% = The acceptable downtime in seconds (DIS) is 36,000. DIS = SPY * (100 - DP) / 100

Q11 What does an auditor look for in the /etc/xinetd.d/ directory on a *nix system?

Configuration files for system services

Q44 Which of the following is a strength of form-based web authentication?

Easy to implement

Q5 What is the purpose of the tool shown below (image shows MS Baseline Security Analyzer)

Provides basic vulnerability scanning for MS OS and integrated services

Q63 You are mapping a network using the following command $ nmap -PE 192.168.144.0/24 but it is not generating an accurate list of available hosts. Which of the following is MOST likely the cause?

Some hosts are blocking ICMP packets

Auditing

Test of an assertion. Measuring something against a standard. For system auditors: measure the security of a system over time.

Protection of information in computer systems

1975 IEEE paper
- Economy of mechanism = simple systems are easy to secure
- Fail-safe defaults = a firewall's failure state blocks all traffic as opposed to allowing all traffic
- Complete mediation = all security decisions are made in a centralized location
- Open design =

Q22 Which of the following is the best practice for secure session management?

Assign session IDs when a user authenticates to the application

Q23 Which of the following scenarios commonly results in poorly selected and inefficient security controls?

Assigning an independent team to apply all controls referenced by regulations the organization must comply with to limit risk.

Q87 Donealreadydaneit Inc. wants to ensure all registry key changes are being audited. What audit policy does the company need to enable?

Audit object access = audits all Windows objects, including files, directories, registry keys, and printers.

Q24 What is the recommended setting for auditing account management in a typical environment?

Audit successful and failed events

What are Audits

Audits are most valuable when conducted in support of strong policy, reinforced by procedures. Explanation: Good policy is the starting point which enables the creation of robust technical and organizational procedures. Audits are most valuable in validating the performance of policy and procedures.

Q76 You conduct a port scan while auditing a network and find that several workstations have port 6667 open. Port 6667 is often associated with IRC. What should you do?

Check whether the organization's policy allows it.

Q53 What is a problem with WPA2 networks using PSK for security?

Common SSIDs and passwords enable cracking in minutes

Q50 Logan Inc. has an acceptable use policy that prohibits the use of peer-to-peer (P2P) file sharing. However, there has been a recent surge in malware-related incidents that was traced back to users downloading files through Internet-based P2P software on their work computers. What action should be taken to prevent future incidents?

Controls should be put into place on the network perimeter

Q70 Which of the following is another name for permissions on a system?

DACL = Discretionary Access Control Lists (DACLs) define the "trustees" (users and groups) that are allowed or denied access to an object and the type(s) of access allowed; in other words, permissions on a system.

Q29 What will happen when the following query is processed by an application that's vulnerable to SQL injection? "SELECT * FROM ACCOUNTS WHERE or 'admin' = 'admin'";

Data stored in the ACCOUNT table will be displayed to the client's browser

Q40 Your organization is going through an exercise on measuring risk and has compiled a list of several threats that have been witnessed in the past. Which of the following threats is considered accidental?

Deletion of a Sensitive File in Corporate HR

Q51 Which of the following commands, when run on a mail server, could potentially reveal lists of users on a system?

EXPN = when run on a mail server, could potentially reveal lists of users on a system. The GET, RCPT, and PUT statements are more useful on web servers than mail servers, and none of them will display this same information.

Q74 Which risk assessment methodology is comprised of the following four steps: analyze the system; identify detective controls; identify reactive controls; identify critical failures?

Event trees = An event tree is a method of analyzing a system's detective and reactive controls. In addition to forcing us to inspect these two control types, the other output of the assessment method is the identification of critical failures.

Q8 An auditor graphs out the expected results in the event their primary data center loses its link to the Internet. What is this practice called?

Event tree analysis

Q64 Recently, a SCADA system at your organization was hit by a virus for the second time in three months. You have gathered a team of system administrators to determine possible root causes for the security failure and recommend prevention methods in the future. What risk assessment tool would be the most appropriate one to find the root cause of the security failures?

Fault tree = A fault tree would be the most appropriate tool to trace a critical failure back to its root causes. An event tree is used as more of a preventative tool (starting with events and leading to possible consequences). Vulnerability scans and network diagrams may be part of an overall audit, but would not be an appropriate place to start when locating a root cause.

Q65 You are performing an audit on the login page of GIAC.org. When you go to the URL you see the login prompt below: "Welcome to GIAC Web Application Login. User Name: Password:" What type of authentication is in use?

Forms Based Authentication

Q2 Which of the following is an example of HTTP?

GET /login.cgi?username=George

Q49 What cmdlet would be called in a PowerShell script to view or modify system configuration settings?

Get-WmiObject

Q16 What functionality does WSUS include?

Granular reporting for system compliance

Q57 Which of the following tools can be used to automatically apply Security Template settings to selected users and/or computers through Active Directory?

Group Policy

Q25 Which of the following is used by the Event Tree methodology in risk assessments?

Identifying Detective and Reactive Controls

Q86 Which of the below would be a common reason for a vulnerability scanner to produce a false positive?

Inaccurate Application Identification

Q15 During a network audit, you notice VPN traffic from an organization's users passing through the IDS. The traffic is minimal, but since it is encrypted, it will not fire on any rules on the IDS. Though the traffic is probably legitimate, management voices a concern that malicious traffic could enter the network via VPN. What is your recommendation to detect malicious traffic entering the network?

Install the VPN appliance in front of the IDS

Q62 What is the recommended audit policy setting for "Audit process tracking" on a Windows system?

No auditing = Windows "Audit process tracking" audits the creation and deletion of all processes on the system and can potentially generate a vast number of events. For this reason, the recommended setting is not to audit this activity.

Q71 Which of the following scanning techniques relies on information that can be altered by a system administrator to return false information about the target?

OS fingerprinting = Fingerprinting relies on banners that can be modified by an administrator. This can result in a web server being reported as an Apache server by a scanner when it's really an IIS server, for example. Port scanning, session ID analysis, and application fuzzing are all interactive scanning techniques that don't rely on banners or other information that can be falsified.

Controls & Objectives

Objectives: targets that the company aims for. Controls: put in place to ensure that they reach their objectives. As an auditor, find connections between controls and objectives.

Q6 Which of the following is useful in mitigating cross-site scripting vulnerabilities?

Output sanitization

Q90 On a Windows system, which of the following log file settings will ensure that new events will be logged, even if the maximum log file size is reached?

Overwrite events as needed

Q47 Which of the following firewall filtering technologies provides the highest traffic throughput?

Packet filtering

Q58 When using the 'established' keyword with an access control list on a Cisco router, which of the following types of packets are filtered by the router?

Packets with the SYN flag set

Q9 Examine the screenshot below of a robots.txt file. Which entry should be examined in further detail?

The path /testcode/ might contain resources that should not be published on the server

Q48 You walk into a meeting in which the CSO is discussing his need to understand the state of the network. This understanding will form the foundation of a new security metrics initiative. Which enterprise requirement is he referring to?

Security baseline = is the known-good state from which we can compare subsequent measurements. All other options, while good measures in their own right, do not address the CISO's need for an initial configuration standard.

Q18 You have been tasked with auditing the enterprise firewall. Your director stated that he not only wanted the firewall audited but he wanted you to validate the rule set. How would you validate the firewall?

Send blocked types of communication through the firewall to verify what actually passed

Q68 Review the information below from the SMTP server aperturesci.com. All email addresses at this organization use the format [lastname]@aperturesci.com. Based on the terminal capture below, what is the major security risk associated with this server?

Spammers or malicious users could use the server to generate false email messages

Q13 You have been asked to audit the perimeter configuration of GIAC.org. You have been provided the following configuration for the GIAC edge router and have conducted an nmap scan of the target. What is the expected result of the nmap scan?

TCP 135-139 will be denied, all other TCP ports will be permitted.

Q55 Which of the following tasks do web proxies like WebScarab or Burp Suite perform?

Tamper with session parameters

Controls

The activities, techniques, technologies, policies, and procedures that will limit the risk that a business will fail to reach its objectives.

Q52 What factor frequently causes failure of an organization's security controls in limiting risk to an acceptable level?

The controls are not designed to address a risk's root cause

Q37 What does the "secure" attribute define in a web browser cookie?

The cookie is sent if SSL is used = The secure attribute defines whether or not SSL is required to send the cookie. Note that this does not turn on SSL in order to send the cookie. This simply means that if we're not using SSL, the cookie will not be sent.

Assessment

The gaps that need to be filled.

Q46 You are auditing a Linux system, specifically file permissions, using the find command. While reviewing the file permissions output you notice the /usr/bin/passwd command was listed as a file to review. You ask the administrator to run the command ll /usr/bin/passwd. He returns the following output: /usr/bin/passwd+ Why would this file require special attention?

The set-UID bit is set. = The ll command shows the permissions of /usr/bin/passwd, which has the SUID bit set; this is why the file requires special attention.

Objectives

These indicate what it is you want to determine or prove through the various audit activities.

Q75 You have been tasked with creating new audit checklists for the organization. There are several problems that are common among checklists. What should the author of a checklist avoid when crafting the document?

Too Vague

Q17 Which tool would generate a report similar to this one? (image shows an integrity check report)

Tripwire

Q61 Which session tracking method may reveal the session ID in an HTTP referrer field?

URL rewrites

Q10 Which of the following is recommended for protecting users from CSRF attack that attempts to transfer money from their accounts?

Unique token value in a hidden form field

Q3 If an audit client is trying to prevent web pages from one of their sites from being automatically stored in temporary Internet files on visitors' computers, which of the following would you recommend?

Use the HTTP Cache-Control header

Q39 Which of the following methods is used by servers to prevent caching of web pages?

Use the HTTP Expires header

Q4 What is the first step that a security administrator should take when implementing a change to the Tripwire configuration?

Verify fingerprints against known good copy

Q81 You have been tasked to audit the firewall architecture for a large company. You have been given the company's mission statement, security policy, network diagram, logical diagram and list of services running on each server. Which of the following statements accurately describes the task of auditing the firewall architecture?

Verify that the firewall architecture controls information flow according to the company security policy.

Q14 In the HTTP header illustrated below, what is shown in the red rectangle?

Web server and version number

The "What" vs. the "How"

What = scope. Don't consider the "how" too early: figure out the "what" first and worry about the "how" later.

Scope of the audit

What, exactly, are we looking at? What is the end view? Always linked to the objective.

Q42 Which of the following would MOST likely be depicted in an Event Tree diagram?

Where a point of critical failure exists

Q79 What is the main difference between xinetd and inetd?

xinetd incorporates TCP Wrappers into itself

Q27 You have written a shell script to merge the contents of three web server log files into one big file, delete the log files, then move that file to another location for archiving. The script you wrote is shown below (line numbers added for clarity). After testing the script you notice that the original log files are gone but that there is no httpdlogs file in /httpd/archive/. Which of the following is the most likely reason for this?

You used the wrong output redirection sign on line 3 = When writing a shell script you can use the output redirection sign to output the results of a command to a file. In this case the improper redirect sign was used, so httpdlogs was never created.

Q89 Review the screenshot below. Which log file is lastb parsing to collect this information?

btmp

Q20 What entry in the following Unix 'passwd' file could be of concern to an auditor?

jsmith = The user jsmith has a user ID (UID) and group ID (GID) of 0. This indicates that this user has full root privileges, which is unusual. A more typical method to assign administrator privileges to a user would be to add that user to the 'sudoers' list, allowing him to execute specific actions with root privileges.

Q31 Which UNIX command would you use to identify the remote file shares a system is currently connected to?

mount

Q21 Which file would you review in Linux to determine whether the system can generate redirect messages, forward packets, limit waiting SYNs to prevent a SYN flood, and accept source-routed packets?

/etc/sysctl.conf = this file contains many configuration settings for Unix systems, including whether it can generate redirect messages, forward packets, limit waiting SYNs to prevent a SYN flood, and accept source-routed packets. The other files are legitimate and contain other configuration information, but they don't specify the abilities listed above.

Q83 Identify the log from the file contents shown in the partial screenshot below. (Screenshot shows a terminal with dated entries such as pam_unix(su:session) "session opened/closed for user root", sshd "Server listening on port 22" and "Bind to port 22 ... failed", a gdm pam_unix "authentication failure", and userhelper "running '/usr/sbin/pup' with root privileges".)

/var/log/secure

Q54 Which of the following UNIX log files contains the login/logout history?

/var/log/wtmp

Q67 Using a specific attack, it takes an attacker 20 minutes to enter your system, find the files he needs, download them, clear his tracks, and exit your system. It takes your IDS one minute to detect the intrusion and send an alert. Your administrator takes 15 minutes to respond to an intrusion alert. What is the exposure time for this attack?

16 minutes = The exposure time is the detection time + reaction time. In this case, that is 1 minute (for the IDS to detect the attack) + 15 minutes (for the administrator to respond).

Q60 Which task would WMIC be most effective at accomplishing?

Scripted queries for system information

Q84 Multiple svchost.exe processes appear in a running process list on a system. What tool could an auditor run to determine which child services are being run under each svchost.exe process?

tasklist

Q43 Which of the following represents the directory in which a Windows operating system is installed?

%systemroot%

Q26 Your company is deploying a new industrial control system (ICS). The ICS must be deployed before Alice can perform a complete audit. Alice has decided to use Time Based Security (TBS) to determine if the passwords supplied by the vendor will provide enough protection until a password attack is detected. After auditing the password, Alice knows the password can be cracked in 1 hour. Alice knows the Security Operations Center (SOC) requires 1 hour to detect and validate the attack and an additional 0.25 hours to respond. Using TBS, how long would the password have to provide protection?

1.26 hours = The vendor-supplied password will only provide 1 hour of protection, but it will take the SOC 1.25 hours to detect and respond. For the password to provide enough protection for the SOC to detect and respond, it must provide at least 1.26 hours of protection. This is determined by using the TBS formula, which is: (P)rotection > (D)etection time + (R)eaction time. In this example the TBS formula results would be: 1.0 (P) < 1.0 (D) + 0.25 (R)

Q66 Consider the lower-level objective below. Which of the following is an example of a control closely related to that objective? "The organization's systems and data should be protected against malicious attacks."

A procedure for installing patches

Q19 Which of the following Windows accounts is always present as a local account?

Administrator

Q72 What is the purpose of "$1" in the script snippet below?
#!/bin/bash
if [ -a $1 ]; then
echo error, please resubmit
exit 1
fi
echo copying data to: $1

It is a variable that holds a command line argument

Q78 Jim's Windows profile has a mapped drive H: to the 'Accounts' share on the Customer server. Given the configuration settings below, what are his effective permissions when accessing this data through the H: drive? Jim's groups: 'Customer Service' and 'Accounts Receivable'. 'Accounts' NTFS permissions: Read for 'Customer Service', Full Control for 'Account Managers', and no access defined for other groups. 'Accounts' share permissions: Full Control for all Authenticated Users.

Jim will be able to Read the data in the H: drive (Accounts share).

Q28 Which of the following is the most secure option for authentication credentials in transit?

Kerberos = To protect passwords as they are transmitted across the network, Kerberos is the most secure and is the default authentication method for modern Windows domains. LDAP and NTFS are not authentication protocols. SysKey is used to protect data at rest, not in transit.

Controls

Limit the risk of failing to reach objectives

Q85 Which of the following is a weakness of the client-side certificate form of authentication?

Limited by interoperability issues

Q36 What is a critical consideration when using system baselines for audit purposes?

Make sure the baseline is current and has not been tampered with.

Q32 Which of the following is a startup type that a Windows service can be set to?

Manual

Q69 Which of the following terms can be used to describe a user's ability to read a file?

Permissions = define the standard types of access to objects, such as read, execute, write, delete, and so on. Most often, we associate permissions with objects, such as files and directories. In Windows, nearly every object can have permissions, including printers, registry keys, services, and Active Directory objects and object properties. Each of these objects has a particular set of permissions associated with it (printers, for example, would include permissions such as the ability to print to the printer, to manage print jobs that you submit to the printer, to manage others' print jobs, to modify the printer properties, and so on).

Q30 Which of the following terms describes the human readable text as it relates to encryption?

Plain text

Q45 You are tasked with auditing a new cloud service provider. This cloud service provider will be providing your organization operating-system-level access. What type of cloud service provider will you be auditing?

Platform as a Service (PaaS)

Q34 Which of the following would include the data element below? $output_file = "inventory.xml"

PowerShell script

Q77 Which of the following is a primary element of the Time Based Security formula?

Protection = The primary elements of the TBS formula are Protection, Detection and Response.

Q56 Which of the following firewall types are generally considered to provide the highest level of security, but are also the slowest?

Proxy firewalls = Proxy firewalls are generally considered to provide the highest level of security, but are also the slowest. The other firewall types listed are typically much faster since they do not perform as deep a packet inspection; as a result, however, they are not as secure.

Q35 When auditing email systems, it is important to disable commands that can be used to provide attackers with additional information. An example of these commands is EXPN. Which of the following capabilities of the EXPN command can an attacker use to gather sensitive information?

Recursively list mail aliases = EXPN allows someone to telnet to the mail server and provide an alias. The EXPN command expands the alias into the list of actual recipients. If someone can access either of these commands, it makes a spammer's job very easy in identifying users to send e-mail to. Additionally, these commands could provide an attacker with valid user IDs for the corporation. In the case of the EXPN command, a spammer can get a listing of multiple users.

Q82 Which of the following makes use of metacharacters to describe patterns of characters to be identified in a given data source?

Regular expressions

Q80 An administrator wants to configure a Cisco router to disable local logins and use TACACS+ instead. Which of the following commands would be used first?

aaa new-model = The command 'aaa new-model' disables local logins. It is the first command of a sequence required to configure a system to use TACACS+. The 'aaa old-model' uses local logins. None of the other three commands would be issued before 'aaa new-model'.

Q41 Which of the following Cisco IOS access control list configurations uses the correct mask to only permit traffic from the IP address 192.168.10.10?

access-list 15 permit 192.168.10.10 0.0.0.0

