Practice Tests


You are the systems administrator for your organization. You have been tasked to block database ports at the firewall. Which port should you block? A 443 B 1433 C 3389 D 53

1433 Port 1433 is used by Microsoft SQL Server databases and should be blocked at the firewall if you want to block SQL Server activity. Port 3389 is used by the Remote Desktop Protocol. Port 443 is used by HTTPS. Port 53 is used by DNS.

Which port and transport mechanism protocol must be opened on a firewall to allow incoming SFTP connections? A 22 and UDP B 21 and UDP C 22 and TCP D 21 and TCP

22 and TCP SFTP (Secure FTP) uses port 22 and rides on SSH to make connections. It uses TCP as the transport mechanism. Most secure connections of this sort require guaranteed, connection-oriented transmission of data—thus TCP. Port 21 is used by plain FTP, with no security. FTP also uses TCP as the transport mechanism. The answers listed might have appeared tricky at first, but if you know your protocols and associated port numbers and transport mechanisms used, you will prevail. Be sure to memorize Table 7-2 in the book!

You have been tasked to access an older network device. Your only option is to use Telnet. Which port would need to be open on the network device by default? A 23 B 135 C 161 D 3389

23 Telnet uses port 23 by default. Some older devices may not be accessible remotely without using the deprecated Telnet protocol. The best thing to do in this situation would be to update the network device, if possible, or replace it. Port 3389 is the default port for the Remote Desktop Protocol. Port 161 is the default port for SNMP. Port 135 is known as the DCE endpoint manager port or dcom-scm.

What port and transport mechanism does TFTP use by default? A 69 and TCP B 68 and UDP C 69 and UDP D 68 and TCP

69 and UDP TFTP, the Trivial File Transfer Protocol, uses port 69 by default, and utilizes the UDP (User Datagram Protocol) connectionless transport mechanism. This makes for a simple, lightweight protocol used to automate the transfer of basic files such as boot files in a localized environment. For example, if a PXE-compliant client computer boots off of the network, it might make use of an embedded TFTP program within the network card to transfer the appropriate boot files from a server located somewhere on the local area network. TFTP is inherently insecure, so it is not recommended for use on the Internet. Port 68 is used by the Dynamic Host Configuration Protocol (DHCP) (client side) and the client side of the Bootstrap Protocol (BOOTP). TCP is the Transmission Control Protocol, which offers a guaranteed, connection-oriented transport mechanism, in contrast to UDP. TCP is not used by TFTP via port 69 or DHCP via port 68 (or port 67 for that matter).

You have been asked to set up a web server that will service regular HTTP requests as well as HTTP Secure requests. Which of the following ports would you use by default? A 80 B 25 C 21 D 445 E 443 F 135

80 & 443 The default port for HTTP requests is port 80. The default port for HTTP Secure (HTTPS) requests is port 443. Port 21 is FTP. Port 25 is SMTP. Port 135 is known as the DCE endpoint manager port or RPC (Remote Procedure Call); it is a DCOM-related port that is used to remotely manage services and is generally considered insecure. Port 445 is the Server Message Block (SMB) port that deals with Microsoft directory services.

You have been instructed to install an intrusion detection system that can protect a database server and the rest of the network. You cannot afford to use any more resources on the database server. You decide to implement a network intrusion detection system. Why is this superior to a host-based intrusion detection system? Each correct answer represents a complete solution. Choose two. A A HIDS can negatively impact system performance. B A HIDS is not reliable when it comes to detecting attacks. C Usually, a HIDS cannot detect network attacks. D A HIDS cannot be updated.

A HIDS can negatively impact system performance. Usually, a HIDS cannot detect network attacks. A HIDS usually cannot detect network attacks, whereas a NIDS can. A HIDS will definitely have a negative impact on system performance because it uses resources in the form of CPU and RAM; however, a HIDS is reliable when it comes to detecting attacks on an individual computer. Also, a HIDS can be updated.

A malicious computer is sending data frames with false hardware addresses to a switch. What is happening? A ARP poisoning B DNS poisoning C pWWN spoofing D MAC spoofing

ARP poisoning ARP poisoning is an attack that exploits Ethernet networks—spoofed frames of data will contain false MAC addresses, ultimately sending false hardware address updates to a switch. DNS poisoning is the unauthorized modification of name resolution information. pWWN spoofing is a type of spoof attack carried out on SANs. MAC spoofing is a technique for changing the MAC address of a network adapter.

Which of the following is the best description of a security advantage when using a standardized server image? A All antivirus software will be current. B OS licensing will be easier to track. C All mandated security configurations will already have been applied to the OS. D All current updates for the OS will already have been applied.

All mandated security configurations will already have been applied to the OS. Organizations develop standardized images for their server operating systems. They are standardized according to organizational policy. So, any mandated security configurations should be applied to the OS before it is made into an image to be used on the network. Unfortunately, that only gets the OS image to a certain point in time. Any new AV definitions, security updates to the OS, and so on, will need to be applied afterward according to organizational policy. OS licensing trackability should not change. Whether you track your OS licenses on paper or with a scanning program, they should be tracked in the same manner as with physical operating systems.

You ran a penetration test against your two database servers and found out that each of them could be compromised with the default database user account and password. Which of the following did you forget to do to your database servers? A Application hardening B OS hardening C Patch management D Virtualization

Application hardening Part of application hardening includes renaming (or disabling) default accounts and setting complex passwords. If these steps are not taken, compromising the application becomes very easy for attackers. OS hardening is not correct in this instance because it is the database that can be compromised using the default database username/password. Databases are considered to be applications, not operating systems. Patch management won't affect the default user account. The account has to be secured manually. Virtualization of operating systems doesn't come into play here, although it could help to have backup virtual images made in the case that the database server is compromised.

Which of the following is a type of malware that is difficult to reverse engineer? A Armored virus B Backdoor C Worm D Logic bomb

Armored virus The armored virus protects itself from AV programs by tricking the program into thinking that it is located in a different place than where it actually resides. It thwarts attempts at analysis of its code. This makes it difficult to reverse engineer, and therefore makes building a defense against it difficult. A logic bomb is code that is inserted into software that "detonates" one of many types of malware when specific criteria are met. So, the logic bomb is more of a method of delivery for malware than the malware itself. The same holds true for backdoors; they are coded entrances to a system that either were designed for testing and forgotten about or are openings that were never found during a secure code review. A worm is similar to a virus except that it self-replicates. However, worms are fairly easy to detect and locate, making reverse engineering at least feasible.

In the event of a short-term power loss to the server room, what should be powered on first in order to establish DNS services? A RADIUS B Exchange server C Apache server D BIND server

BIND server BIND stands for Berkeley Internet Name Domain. It is the most widely used DNS server on the Internet and was originally designed at the University of California at Berkeley. It normally runs on Unix systems. This would have to be booted first in order to establish DNS services; in fact, it is the only server listed that will establish DNS services in this scenario. Apache is a type of web server. Exchange is a type of e-mail server. RADIUS is an authentication server. None of these establish DNS services, unless DNS has also been loaded on those computers separately.

What is another name for a malicious attacker? A Black hat B Fuzzer C Penetration tester D White hat

Black hat A black hat is someone who attempts to break into computers and networks without authorization. A black hat is considered to be a malicious attacker. A white hat is a nonmalicious hacker, often employed by an organization to test the security of a system before it goes online. An example of a white hat would be a penetration tester who administers active tests against systems to determine whether specific threats can be exploited. A fuzzer is a colloquial name for a software tester.

Your organization's network has a main office and has two remote sites that connect back to the main office solely. You have been tasked with blocking Telnet access into the entire network. Which would be the best way to go about this? A Block port 23 on each of the L2 switches at the remote sites. B Block port 25 on each of the L2 switches at the remote sites. C Block port 25 on the main office's firewall. D Block port 23 on the main office's firewall.

Block port 23 on the main office's firewall. You should block port 23 on the main office's firewall because, by default, Telnet uses port 23. By blocking port 23 on the main office's firewall, you will by default be blocking it for the entire network in the scenario. Port 25 is used by SMTP. L2 (Layer 2) switches deal with MAC addresses and other principles of the data link layer of the OSI model. They do not usually have the option to block particular TCP/IP ports.

Your boss's smartphone is encrypted and has screen lock protection, yet data was still stolen from it. How is this possible? A GPS tracking B Botnet C Bluesnarfing D SIM cloning

Bluesnarfing Bluesnarfing is an attack that can steal data such as phonebook contacts, calendar information, and so on, regardless of the phone's encryption and screen lock. To protect against this, set the smartphone to undiscoverable and use a hard-to-guess Bluetooth pairing key. A botnet might try to target a smartphone, but more often will go for other targets; regardless, the phone might be rendered useless after a botnet attack, but the data would probably not be compromised. SIM cloning involves duplicating the SIM card on a GSM-enabled phone, which allows two phones to share an account. GPS tracking allows a smartphone to be located physically, but if the phone is still encrypted, GPS tracking will not help with the stealing of data.

Which of the following might be used to start a DDoS attack? A Worm B Spyware C Rootkit D Botnet

Botnet A botnet is often used to start a coordinated DDoS (distributed denial-of-service) attack. One master computer synchronizes many compromised zombie computers, which form the botnet, launching an all-out attack at the same time. Spyware is software that tracks a user's actions on the Internet. A worm is malicious code that can self-replicate. A rootkit is software that subverts the operating system so that a person can gain access at the level of an administrator.

Which of the following describes an application that accepts more input than it was originally expecting? A Brute force B Sandbox C Denial of service (DoS) D Buffer overflow

Buffer overflow Buffer overflows occur when an application or an operating system accepts more input than it expects. This could cause erratic behavior in applications, especially if the affected memory already has other data in it. A denial of service is a network attack perpetrated on servers to stop them from performing their proper functions for users. A sandbox is when a web script runs in its own environment so that it won't interfere with other processes; this is often used in testing environments. Brute force is a type of password-cracking attack.

A NOP slide is an indication of what kind of attack? A XSS B SQL injection C Buffer overflow D Smurf attack

Buffer overflow A NOP slide is a technique used to exploit a buffer overflow. This is done by corrupting the stack with no-op machine instructions. A NOP slide is sometimes referred to as a NOP sled or NO-OP sled. SQL injections exploit databases. XSS (cross-site scripting) attacks exploit web servers and web pages. Smurf attacks are DoS attacks.

Your company has a mix of on-premises infrastructure and cloud-provider infrastructure and needs to extend the reach of its security policies beyond the internal infrastructure. Which of the following would be the BEST solution for the company to consider? A MaaS B PaaS C SaaS D CASB

CASB If there is a mix of on-premises infrastructure and cloud-provider infrastructure, a company might consider a cloud access security broker (CASB). A CASB is a software tool or service that acts as the gatekeeper between the two, allowing the company to extend the reach of its security policies beyond its internal infrastructure. Software as a service (SaaS) is when users access applications over the Internet that are provided by a third party. The applications need not be installed on the local computer. Platform as a service (PaaS) is a service that provides various software solutions to organizations, especially the ability to develop applications in a virtual environment without the cost or administration of a physical platform. PaaS is used for easy-to-configure operating systems and on-demand computing. Monitoring as a service (MaaS) is a framework that facilitates the deployment of monitoring within the cloud in a continuous fashion.

Which of the following protocols or services uses port 19? A Echo B CHARGEN C SMTP D Telnet

CHARGEN CHARGEN, the character generator, uses port 19. It is commonly used by a Fraggle attack. Echo uses port 7. Telnet uses port 23. SMTP uses port 25.

The IT director asks you to protect a server's data from unauthorized access and disclosure. What is this an example of? A Non-repudiation B Integrity C Confidentiality D Availability

Confidentiality Confidentiality means preventing the access and disclosure of information to unauthorized persons. Integrity means that authorization is necessary before data can be modified by a user. Availability means that data is obtainable regardless of how information is stored, accessed, or protected. Non-repudiation is a concept of ensuring that people cannot refute claims against them; it is accomplished with computer evidence such as log files.

Specific secure data is only supposed to be viewed by certain authorized users. What concept ensures this? A Authenticity B Confidentiality C Integrity D Availability

Confidentiality The concept of confidentiality ensures that only authorized users can view secure data. Integrity ensures that data has not been tampered with. Availability ensures that data is accessible and ready. Authenticity ensures that data comes from who the data is supposed to come from and that it is a reputable source.

What are the three main goals of information security? A Non-repudiation B Integrity C Auditing D Availability E Risk assessment F Confidentiality

Confidentiality, integrity, and availability (known as CIA or the CIA triad) are the three main goals of information security. Another goal within information security is accountability.

There is an important upcoming patch to be released. You are required to test the installation of the patch a dozen times before the patch is distributed to the public. What should you perform to test the patching process quickly and often? A Create an incremental backup of an unpatched PC B Create a full disk image to restore after each installation C Create a virtualized sandbox and utilize snapshots D Create an image of a patched PC and replicate it to the servers

Create a virtualized sandbox and utilize snapshots You should create a virtualized sandbox—a place where you can work with many virtualized images and test them frequently. By utilizing snapshots, you are taking limited images of the systems at a specific point, most likely before and after the patch installation. The snapshot is a set of information at a particular point in time, and not necessarily an entire image. Creating a single image of a patched PC is not enough. Good patch management requires that the security administrator do thorough testing; in the scenario you are required to test the patch a dozen times. Incremental backups are used as a part of an efficient backup plan that usually includes incremental and full backups. But this—and the fact that the PC is unpatched—does not help a security administrator to test the patching process quickly and often. A full disk image after each patch installation could be very time consuming. Instead, snapshots are the better option.

Your organization uses a SOHO wireless router all-in-one device. The network has five wireless BYOD users and two web servers that are wired to the network. What should you configure to protect the servers from the BYOD users' devices? (Select the two best answers.) A Deny incoming connections to the outside router interface B Disable physical ports C Create an ACL to access the servers D Implement EAP-TLS E Change the default HTTP port F Create a VLAN for the servers

Create an ACL to access the servers & Create a VLAN for the servers If the servers and the BYOD users are on the same network, then the BYOD users could easily access the servers, regardless of whether a computer is connected in a wired fashion or wireless fashion by default. So to protect the servers from the users' mobile devices, you could first create a virtual LAN (VLAN) for the servers. This VLAN would separate the servers and you could then control who is allowed access to the servers via access control lists (ACLs) within the firewall portion of the SOHO all-in-one wireless router. If the SOHO router supported it, you could also place the web servers in a DMZ. The EAP-TLS authentication scheme should not be necessary for this scenario; it is used, for example, to authenticate wireless clients to a wireless network, which was not specified in the question. Changing the default HTTP port (which is normally 80) would cause your Internet guests some difficulty in finding the web servers, and is not necessary in this scenario either. Denying incoming connections to the outside router interface would also make it difficult for Internet users to access the web servers, and is therefore not recommended. If a physical port is disabled, anything connected to that port will be effectively offline. This also compounds the issue instead of solving it.

Which of the following web application security weaknesses can be mitigated by preventing the usage of HTML tags? A Rootkits B SQL injection C Cross-site scripting D LDAP injection

Cross-site scripting Cross-site scripting (XSS) is an attack on website applications that injects client-side script into web pages. SQL injection is a type of code injection that exploits vulnerabilities in databases. LDAP injection can be used to modify LDAP statements and modify the LDAP tree. Rootkits are software designed to gain administrator-level access over a computer system.

One of your servers (10.254.254.201) is only allowing slow and intermittent connections to clients on the network. You check the logs of the server and see a large number of connections from the following IP addresses: 10.254.254.38, 10.254.254.79, 10.254.254.102, 11.57.86.86, 198.155.201.214, 212.119.64.32. The connections from these six hosts are overloading the server and causing it to stop responding to requests from clients. What type of attack is happening? A XSS B Xmas tree C DDoS D DoS

DDoS A DDoS (distributed denial of service) attack is occurring. Most likely there is a botnet with computers on the Internet (such as 212.119.64.32) and computers on the LAN (such as 10.254.254.102) that are all zombies—and part of the botnet—concentrating an attack on the server at 10.254.254.201. It is known as a distributed attack because the entire attack is broken up among multiple computers. These attacks often happen on a large scale, where thousands of computers simultaneously attack a well-known server. The Xmas tree attack is one where special packets are sent that have specific flags set. It can ultimately act as a denial of service (DoS) attack if launched correctly. But it is not used for distributed DoS attacks. XSS stands for cross-site scripting, a type of code injection attack that exploits a computer programming flaw, often in web server forms. As mentioned, DoS stands for denial of service, an attack often performed by a single computer, not six or thousands in the way that a DDoS attack would occur.

Your organization is attempting to reduce risk concerning the use of unapproved USB devices to copy files. What could you implement as a security control to help reduce risk? A Content filtering B Auditing C IDS D DLP

DLP DLP (data loss prevention) methods are often implemented in scenarios where USB mass storage devices are utilized (such as USB flash drives and external hard drives). A storage-based DLP system monitors data at rest, and performs content inspection in order to prevent unauthorized use of the data. An IDS (intrusion detection system) is used to detect attacks and anomalies on the network. Content filtering is performed by proxy servers and Internet content filters—usually relating to Internet content. Auditing is when files and other resources are investigated in real time to see who accessed what and when.

Which of the following is most likely to result in data loss? A Accounting personnel transferring confidential staff information with SFTP B Back office staff updating details on a mainframe with SSH C Encrypted backup tapes left unattended at reception for offsite storage D Developers copying data from production to test environments with USB sticks

Developers copying data from production to test environments with USB sticks By default, if data is copied to a USB stick, it is not encrypted. There is virtually no security in this scenario, and the worst part is that the USB sticks are physically traveling from one department to another. To rectify the situation, the developers could consider using AES-256 to encrypt the data on the USB flash drives. The accounting personnel are using SFTP, the backup tapes are encrypted, and the back office staff is using SSH. All these other scenarios at least have some kind of security in mind.

You have been asked by an organization to help correct problems with users unknowingly downloading malicious code from websites. Which of the following should you do to fix this problem? A Disable unauthorized ActiveX controls B Install a network-based intrusion detection system C Use virtual machines D Implement a policy to minimize the problem

Disable unauthorized ActiveX controls ActiveX controls can be built directly into websites and can contain malicious code that can be easily downloaded by users without their knowledge. ActiveX controls can be disabled in whole or in part within the browser and can also be controlled as add-ons. A NIDS can possibly defend against malicious ActiveX controls to a certain extent, but you should not solely depend on it. Implementing policies is always a good idea, but you don't want to minimize the problem; you want to fix it. The use of virtual machines works well to isolate problems that might occur from ActiveX controls, but it does not fix the problem as far as downloading the malicious code.

You have been tasked with securing a switch from physical access. Which of the following should you implement first? A Disable unnecessary accounts. B Disable unused ports. C Check the baseline configuration. D Set up access control lists.

Disable unused ports. If you need to physically secure a switch, you should first disable unused ports so that a person who has gained unauthorized access to your server room or data center cannot plug a laptop into one of those ports and access the network. It would also be wise to check (or create) a security baseline at some point after this. Access control lists are generally set up on routers, not on switches. Regardless, they deal with the logical, not the physical. The same holds true for accounts; they are of a logical nature and are usually set up on servers and routers.

Which of the following should be performed on a computer to protect the OS from malicious software? Each correct answer represents a part of the solution. Choose two. A Disable DEP settings B Disable unused services C Update NIDS signatures D Update HIPS signatures E Install a perimeter firewall

Disable unused services & Update HIPS signatures An individual operating system should be protected by disabling unused services, and by updating any host-based intrusion detection systems or intrusion prevention systems. Since we're talking about a single computer, network intrusion detection systems and perimeter firewalls are not required. DEP stands for data execution prevention and does not apply to this scenario.

A user can enter improper input into a new computer program and is able to crash the program. What has your organization's programmer most likely failed to implement? A SDLC B CRC C Error handling D Data formatting

Error handling Error handling is the practice of anticipating, detecting, and resolving programming errors. Programs should be thoroughly tested with various user input before being implemented in a real environment. A CRC (cyclic redundancy check) is a hash function that produces a checksum that can detect errors in data to be sent across a network. SDLC is the systems development life cycle, a process for creating computing systems. Data formatting deals with the type of data in question and the organization of that data.

You are a security tester for a penetration testing security company. You are currently testing a website and you perform the following manual query: http://www.davidlprowse.com/cookies.jsp?products=5%20and%201=1 The following response is received in the payload: "ORA-000001: SQL command not properly ended" Based on the query and the response, what technique are you employing? A Zero day B Remote code execution C Fingerprinting D Privilege escalation E SQL injection F Cross-site scripting

Fingerprinting The technique being used here is fingerprinting, which is used to find out information about a system. It can be done passively by sniffing packets between hosts, or actively by sending special packets to a target and analyzing the responses. It can be done by scanning ports, or by using commands in a browser's URL bar as is the case in this scenario. By adding syntax to the end of a domain, you can "test" the web server and ascertain information about it based on the results. In this case, we see "ORA-000001: SQL command not properly ended" as the result. This tells us that the website is running an Oracle database (a relational SQL-oriented database). From there an attacker could limit attack techniques to that particular type of server, saving time. Now, if you were to run that actual syntax against my website, you would not see anything about Oracle, but you might get a 404 Not Found error. Underneath it would tell you that the server is running Apache web server software, OpenSSL, and more. Unless, that is, we improved upon our input validation and secure coding concepts, which is exactly why these tests are performed—to uncover these vulnerabilities. Cross-site scripting (XSS) exploits the trust a user's browser has in a website through code injection, often in web forms, but not in the URL bar. SQL injection is a type of code injection when user input in database web forms is not filtered correctly and is executed improperly. Privilege escalation is the act of exploiting a bug or design flaw in a software or firmware application to gain access to resources that normally would've been protected from an application or user. Remote code execution (RCE) is when an attacker obtains control of a target computer through some sort of vulnerability. Finally, a zero-day attack is one that is executed on a vulnerability in software before that vulnerability is known to the creator.
Unfortunately, as a security administrator, you are expected to be able to predict the future to a certain extent, and protect against the unknown. Don't worry though, the more experienced you get, the easier this becomes!

What would you use a TPM for? A System hardening B Input validation C Full disk encryption D Cloud computing

Full disk encryption A TPM (trusted platform module) is a chip that resides on a motherboard (or similar location) that stores encrypted keys used to encrypt the entire hard disk on the system. Input validation is a technique used by programmers to secure their forms. System hardening is the process of securing a computer system through updates, closing ports, and so on. Cloud computing is the use of web-based applications (and other software, platforms, and infrastructures) that are provided by an external source on the Internet.

A co-worker's laptop has been compromised. What is the best way to mitigate data loss? A Full disk encryption B Biometric authentication C Strong password D Common Access Card

Full disk encryption Full disk encryption is the best way (listed) to mitigate data loss in the case of a stolen or otherwise compromised laptop because it will be difficult to decrypt the data on the laptop. A Common Access Card is a smart card/photo ID used by the DoD. Strong passwords are a good idea on portable devices but can be cracked or circumvented more easily than a full disk encryption solution. Biometric authentication can also be cracked given enough time.

An attacker has identified and exploited several vulnerabilities in a closed-source application that your organization has developed. What did the attacker implement? A Vulnerability testing B Fuzzing C Compiling D Secure code review

Fuzzing Fuzzing (fuzz testing) is the automated insertion of random data into a computer program. It is used to find vulnerabilities by the people who developed the program and by attackers. Secure code review is the analysis of source code by authorized individuals in an attempt to find problems and security issues. Vulnerability testing is a scan done on computers and networks to find their vulnerability level. Compiling is the transformation of source code, generally done to create executable programs.

Of the following, what is the best option to implement if you want to be able to recover a lost laptop? A Remote wipe B Whole disk encryption C GPS D HIDS

GPS GPS tracking is the best answer listed if you want to be able to recover a lost laptop. If installed properly (and if in GPS range), the GPS chip will enable the laptop to be tracked. Remote wipe (or remote sanitization) will wipe out all the data on the laptop (if it is accessible) but will, of itself, not inform you as to the location of the laptop. A HIDS (host-based intrusion detection system) is software that can be loaded on the laptop that will detect malicious activity. Whole disk encryption (such as BitLocker or TrueCrypt) will make the data hard to decrypt and read but won't aid in the tracking of the laptop.

Which of the following is a removable device that can be used to encrypt in a high-availability, clustered environment? A TPM B Cloud computer C Biometrics D HSM

HSM An HSM (hardware security module) is a device used to manage digital keys and provide authentication. It can be connected to a computer, a server, or a particular server in a clustered environment. Biometrics is the science of authenticating individuals by their physical traits. A cloud computer is a computer that resides on the Internet and is run by a third-party service provider that offers various computing services to individual users and small to midsized companies. A TPM is a trusted platform module that is similar to an HSM but is internal to the computer, perhaps as a chip on the motherboard.

Which device is used to encrypt the authentication process? A Smart card B Enigma machine C HSM D WPA

HSM An HSM (hardware security module) is a physical device that acts as a secure cryptoprocessor. It is used for the digital signing of data and login/authentication processes. WPA (Wi-Fi Protected Access) is a wireless protocol. An Enigma machine is a machine that was used in World War II for the encryption/decryption of secret messages. Smart cards are used to authenticate individuals, but an HSM offers faster software encryption.

Randy needs an external add-on solution that can provide encryption and integrate with his existing database server. Which of the following would meet his needs? A TPM B HSM C CAC D FDE

HSM An HSM (hardware security module) provides encryption and can be an external device that can integrate with an existing server. A TPM (trusted platform module) is an encrypting chip that resides on a motherboard. FDE stands for full disk encryption, which can be implemented with a TPM. CAC stands for Common Access Card, a smart ID card used by the Department of Defense (DoD).

A security administrator analyzed the following logs:

Host: 10.248.248.67
[02:15:11] Successful Login: 045 10.248.248.67:local
[02:15:16] Unsuccessful Login: 067 208.159.67.23: RDP 10.248.248.67
[02:15:16] Unsuccessful Login: 072 208.159.67.23: RDP 10.248.248.67
[02:15:16] Unsuccessful Login: 058 208.159.67.23: RDP 10.248.248.67
[02:15:16] Unsuccessful Login: 094 208.159.67.23: RDP 10.248.248.67

What should the security administrator implement as a mitigation method against further attempts? A IDS B Hardening C Reporting D System log monitoring

Hardening It appears that an external IP address (208.159.67.23) is attempting to connect remotely to the local computer (10.248.248.67), possibly using the Remote Desktop Connection program. The connections were unsuccessful, but hardening is required at the local system and at the firewall to ensure that this IP address cannot connect through to the local computer. Services should be analyzed and, if necessary, shut down at the local computer. Ports should be scanned and, if necessary, closed at the firewall. System log monitoring is incorrect because the logs are present, and they have been monitored and analyzed, resulting in the answer that additional hardening is necessary. An IDS (intrusion detection system) looks for attacks and will notify an administrator (and possibly shut down a firewall if necessary), but it is not working correctly at this point. To truly mitigate the problem, the IDS should be reconfigured and hardened, or an IPS (intrusion prevention system) should be implemented. Reporting, along with the logs, seems to be working properly.

The security administrator has added the following information to a SOHO router:

PERMIT 00:1C:C0:A2:56:18
DENY 01:23:6D:A9:55:EC

Now, a mobile device user reports a problem connecting to the network. What is preventing the user from connecting? A Hardware address filtering has been implemented. B IP address filtering has been implemented. C Port filtering has been implemented. D WPA2-PSK requires a supplicant on the mobile device.

Hardware address filtering has been implemented The security administrator denied one MAC address at the SOHO router: 01:23:6D:A9:55:EC. This is most likely the MAC address of the mobile device that cannot connect to the network. Individual octets of a MAC address are often separated by colons when working in a router. However, in an operating system such as Windows they are often separated by hyphens. Be able to identify both. Note that the admin also permitted (or allowed) a particular MAC address to connect to the network. Access control lists (ACLs), or rules, such as these are created on the router to allow or disallow access. Port filtering could mean physical ports or logical TCP/IP ports such as port 80 HTTP. IP address filtering means that entire IP addresses (such as 10.254.254.101) have been filtered out. Both of these answers are incorrect because this scenario clearly deals with MAC addresses. WPA2-PSK is a method of connecting, but the "PSK" portion implies that it does not require a supplicant the way a technology such as 802.1X does. PSK means pre-shared key, a key that the admin selects and inputs into the router, which the user must know in order to connect to a wireless network.

Which of the following best describes a TPM? A USB encryption B Third-party certificate authority C High-speed secure removable storage device D Hardware chip that stores keys

Hardware chip that stores keys A TPM (trusted platform module) is a chip that resides on a motherboard that stores encrypted keys used to encrypt the entire hard drive of a computer. A hardware security module (HSM) is an example of a high-speed secure removable storage device. An example of a third-party certificate authority (CA) is a company such as VeriSign that develops and distributes trusted certificates. USB encryption is a removable type of encryption; for example, a USB flash drive might be encrypted with AES-256 to keep data secure.

You want to prevent any intrusions to a single computer. What is the best solution? A Network firewall B VPN concentrator C Host-based firewall D Host-based intrusion detection

Host-based firewall A host-based firewall is the best solution to prevent intrusions to a single computer. Firewalls can block various types of traffic that might include attacks or other intrusions. A VPN concentrator allows remote access for multiple users. Host-based intrusion detection (via a HIDS) will locate an intrusion but not prevent it; to prevent it you would want a host-based intrusion prevention system (HIPS). A network firewall can help to protect an entire network but will not be the best solution if you were only trying to prevent intrusions to a single computer. The host-based firewall will have definitions that are more specific to the types of attacks that might be perpetuated on a single local computer.

Question :Which of the following would be installed on a single computer to prevent intrusion? A Host intrusion detection system B Host-based firewall C Network firewall D VPN concentrator

Host-based firewall Firewalls are designed to prevent intrusion. To prevent intrusion on a single computer, install a host-based firewall. Another viable option would be to install a host-based intrusion prevention system (HIPS) but not a host-based intrusion detection system (HIDS) because the HIDS will only detect the intrusion, not prevent it. A network firewall prevents intrusion for the entire network, not just a single computer (although it could be used, with added expense). A VPN concentrator is used to enable secure remote connections between hosts and networks.

Question :Which of the following invalidates SQL injection attacks that were launched from a lookup field of a web server? A Buffer overflow protection B NIDS C Security template D Input validation

Input validation Input validation is a process that ensures the correct usage of data. It is important when dealing with any types of forms on a web server. Because these forms can be compromised by various attacks, forms should be coded in such a way that any input from the user will be validated by the web page before it is accepted. For example, if you were to type six digits in a ZIP code field when it expects only a maximum of five digits, input validation should deny that entry, and if coded properly it will ask you to re-enter the information. Security templates import many secure policies at one time. A NIDS protects an entire network from intrusion. Buffer overflow protection ensures that memory is storing data the way that the developer intended. Input validation also prevents buffer overflow attacks in addition to other types of attacks such as SQL injection attacks.

Question :Which of the following programming techniques can stop buffer overflow attacks? A Input validation B Sandbox C Backdoor analysis D SQL injection attack

Input validation Input validation is the best programming technique to stop buffer overflow attacks and is also used to prevent SQL injection attacks. A SQL injection attack is a code injection technique where SQL statements are inserted into fields of an application. A sandbox is used to run the web scripts in their own testing environment. Backdoors are used in computer programs to bypass normal authentication. Backdoor analysis includes checking the operating system, applications, and firmware on devices and making sure they are updated.

Some of the employees in your organization complain that they are receiving e-mail loaded with advertisements. What should you do? A Install a HIDS. B Install anti-spyware. C Install anti-spam. D Install antivirus.

Install Anti-spam Anti-spam software might be a standalone solution or part of an anti-malware suite of programs. This is the best option when attempting to lessen the number of spam e-mails that contain advertisements. Anti-malware suites usually also include anti-spyware tools and antivirus tools. A HIDS is a host-based intrusion detection system. This is used to detect whether malicious activity is occurring on an individual computer.

Jake is in the process of running a bulk data update. However, the process writes incorrect data throughout the database. What has been compromised? A Availability B Confidentiality C Integrity D Accountability

Integrity If incorrect data has been written throughout the database, then the integrity of the data has been compromised. The data is still secret, or as confidential as it is supposed to be. It is still available, although the data will now have errors. Someone (or something) needs to be held accountable for this problem, but accountability isn't necessarily something that can be compromised in the way that the other three concepts of the CIA triad can be.

In a scenario where data integrity is crucial to the organization, which of the following is true about input validation regarding client/server applications? A It should be performed on the client side only. B It should be performed on the server side. C It must rely on the user's knowledge of the application. D It must be protected by SSL.

It should be performed on the server side. The best answer is that it should be performed on the server side. Given the choice between server-side and client-side input validation, server-side wins out. However, both should be incorporated as secure coding methods. Using the client side only can actually create additional vulnerabilities at the server. As a programmer, you don't really care about the user's knowledge level; you have to assume that smart users or attackers will come along at some point and try to hack your forms, web pages, or other applications, and design the client and server sides of the application appropriately. Even SSL-protected pages can be hacked into if they weren't properly validated. In fact, SSL doesn't really have too much effect on the matter, especially when it comes to web forms built in PHP or other similar web programming languages.

Hardware-based encryption devices such as hardware security modules (HSMs) are sometimes deployed by organizations more slowly than in other organizations. What is the best reason for this? A USB removable encryption B Lack of management software C Multifactor authentication D RBAC

Lack of management software A lack of management software can cause slower deployment of HSMs. Because an HSM is an external device, it requires management software to enable it to communicate with the computer it is connected to. The lack of decent management software could cause decision-makers at organizations to hesitate to adopt the solution. RBAC stands for role-based access control, which assigns roles to users based on sets of permissions. USB removable encryption is a decent solution for encrypting data, but unlike an HSM, it can't house extremely secure keys and doesn't have tamper protection, so USB removable encryption isn't really a substitute for an HSM. Multifactor authentication means that a user needs to have two forms of ID or needs to be authenticated in two or more ways to a system.

You have several unused USB flash drives, three laptops, and two HSMs that contain sensitive data. What is the best way to prevent the theft of these devices? A Hashing B GPS tracking C Encryption D Locking cabinet

Locking cabinet A locking cabinet is the best way listed to prevent the theft of physical devices such as USB flash drives and laptops, but only if the locking cabinet is locked. GPS tracking can aid in finding devices after they were stolen. Encryption helps in keeping data secure even if the device is stolen (although it isn't a perfect solution). Hashing provides integrity of data. However, GPS tracking, encryption, and hashing won't stop the physical devices from being stolen. It's important to keep physical devices locked up when not in use and monitored by video surveillance or other means.

Question :A virus is designed to format a hard drive on a specific day. What kind of threat is this? A Adware B Botnet C Logic bomb D Spyware

Logic bomb A logic bomb is a type of malware that is designed to be set off at a specific time. It could contain a virus or worm. A botnet is a group of compromised computers known as zombies. Spyware and adware are unwanted programs that are unknowingly downloaded from the Internet, usually through a browser.

Which of the following would an antivirus program most likely not detect? A Trojan B Pharming C Logic bomb D Worm E Virus

Logic bomb & pharming Antivirus programs are meant to scan for viruses, worms, and Trojans. They are least likely to discover logic bombs because logic bombs don't manifest themselves right away. Pharming is a type of social engineering attack that antivirus programs are not designed to detect.

Which of the following is vulnerable to spoofing? A WPA-PEAP B WPA-LEAP C MAC filtering D Enabled SSID

MAC filtering When MAC filtering is enabled on a WAP, it actually broadcasts information wirelessly. This makes it vulnerable to spoofing. Because MAC filtering and a disabled SSID can be easily circumvented using a network sniffer, it is very important to also use strong encryption, and possibly consider other types of network access control (such as 802.1X) and external authentication methods (such as RADIUS). WPA-LEAP and WPA-PEAP are authentication protocols designed specifically to counter spoofing and other attacks. If the SSID is enabled, there is no need to do any spoofing because the SSID can be easily scanned for by war-drivers and other attackers.

You surmise that a user's session was interrupted by an attacker who inserted malicious code into the network traffic. What attack has occurred? A Phishing B Spoofing C DoS D Man-in-the-middle

Man-in-the-middle A man-in-the-middle (MITM) attack occurs when an attacker intercepts data between a client and a server and modifies the data in transit. DoS attacks are denial-of-service attacks meant to disrupt a server. Spoofing is when an attacker masquerades as another person. Phishing is when a person attempts to obtain information from a person via e-mail.

Rick is reviewing the logs of a host-based IDS. They show that the computer has been compromised by a botnet and is communicating with a master server. If Rick needs to power the computer off, which of the following types of data will be unavailable? A The system disk, e-mail, and log files B Memory, system processes, and network processes C Memory, archival storage, and temporary files D Swap files, system processes, and the master boot record

Memory, system processes, and network processes Memory is cleared when the computer is shut down (unless hibernation mode has been implemented). This removes system and network processes from memory. Archival storage, the master boot record, system disk, e-mail, and log files will still be available. Although two other answers had possibilities within them, they weren't altogether correct.

The IT director asks you to create a solution to protect your network from Internet-based attacks. The solution should include pre-admission security checks and automated remediation and should also integrate with existing network infrastructure devices. Which of the following solutions should you implement? A VLAN B Subnetting C NAC D NAT

NAC NAC, or network access control, makes security checks of the users or the actual connections that are made before sessions are initiated. It can also remediate issues automatically if configured properly. 802.1X is an example of network access control. NAT (network address translation) converts one set of IP addresses to another. VLAN is a virtual local area network. Subnetting compartmentalizes IP networks by way of IP addresses and mathematics.

Which of the following would you most likely find in a buffer overflow attack? A Set flags B NOP instructions C Sequence numbers D IV length

NOP instructions A large number of No Operation instructions (known as NOP or no-op instructions) can be used to overflow a buffer, which could allow unwanted code to be executed or result in a denial of service (DoS). Large numbers of NOP instructions can be used to perform a NOP slide (or NO-OP sled). Sequence numbers are how TCP packets are numbered. IV length has to do with the length of a string in a cipher. Flags are one or more bits that are set to a binary number to indicate whether something is on or off.

You have disabled all unnecessary services on a domain controller. What is this an example of? A Patch management strategy B Baselining C Secure code review D OS hardening

OS hardening Hardening of the OS is the act of configuring an OS securely, updating it, creating rules and policies to help govern the system in a secure manner, and removing unnecessary applications and services. This is done to minimize OS exposure to threats and to mitigate possible risk. Secure code review is the analysis of code to make sure it cannot be corrupted; this is done through input validation, checking for unmanaged code, checking for sensitive data, and so on. Baselining is the process of measuring changes in a system. Patch management strategy is the entire four-step process involved when adding patches to a system.

Question :Your organization has implemented cloud computing. Which of the following security controls do you no longer possess? A Executive control of data B Logical control of data C Physical control of data D Administrative control of data

Physical control of data Cloud computing relies on an external service provider. Your organization would still be able to logically manipulate data services and have administrative control over them similar to if the data and services were administered locally. But physical control would be lost and the organization would rely solely on the cloud computing service for hardware, servers, network devices, and so on. In security there is no "executive control" per se as part of a standard security plan, and even if there were, your organization, by definition, would still maintain that control.

You are the security administrator working for a large corporation with many remote workers. You are tasked with deploying a remote access solution for both staff and contractors. Company management favors Remote Desktop Services because of its ease of use. Your current risk assessment suggests that you protect Windows as much as possible from direct ingress traffic exposure. Which of the following solutions should you choose? A Place the remote desktop server(s) on a screened subnet, and implement two-factor authentication. B Deploy a remote desktop server on your internal LAN, and require an Active Directory integrated SSL connection for access. C Change remote desktop to a non-standard port, and implement password complexity for the entire Active Directory domain. D Distribute new IPsec VPN client software to applicable parties, and then virtualize the remote desktop services functionality.

Place the remote desktop server(s) on a screened subnet, and implement two-factor authentication. The key phrase here is that the risk assessment suggests that Windows should be protected from ingress traffic. That mainly implies the Windows clients, but could include the Windows server as well. Either way, to that end, one of the best ways to secure the server is to compartmentalize the remote desktop server on a screened subnet. Remember that contractors will be using this server too, so you don't want it to be anywhere near other important servers in your network, and possibly it should be isolated from any and all servers. The two-factor authentication is the icing on the cake, and is an excellent solution for remote workers where theft/loss of laptops can occur. All in all, it's the best of the listed answers. Answer C is incorrect. Changing the remote desktop port is commonly implemented. For example, Microsoft remote desktop services uses 3389 inbound by default. Any attacker with a little experience knows this. So, changing the port is a good idea, but from the answer you can assume that the server is not in a screened subnet, DMZ, or similar protected area. Implementing password complexity for the Active Directory domain implies that the remote desktop server is located in the domain. You probably don't want that, or at least need to compartmentalize it in some way. Also, password complexity should already have been enabled, especially if this is an enterprise-level corporate network. Answer D is incorrect. It's kind of a given: you would have to distribute some kind of VPN client software in order for remote users to connect. However, IPsec implies an L2TP connection. There are better, more secure options such as a Cisco GRE tunnel, or an always-on SSL/TLS-based VPN. But that doesn't tackle the problem of server location. Also, "virtualize the remote desktop services functionality" is vague. Are we talking about the clients? Server? Both? Most likely clients, and virtualizing apps can have security benefits, but remote desktop client apps aren't commonly virtualized. And if this is a large enterprise network (implying lots of remote users), then a virtualized remote access server is probably not a good idea from a performance standpoint. Answer B is incorrect. We definitely don't want the remote access server on the LAN. No, it should be located somewhere more secure such as a DMZ, subnet, on the cloud, etc. Active Directory with SSL (meaning LDAP over SSL, port 636) is a good idea, but it again implies that the remote desktop server is on the LAN. Using a subnet or DMZ and using multifactor authentication dismisses most of the security issues associated with this incorrect answer's solution. Remember to carefully secure your remote desktop servers using a layered defense strategy, especially if that server requires communication with a domain controller or other server on the LAN.

What kind of attack enables an attacker to access administrator-level resources using a Windows service that uses the local system account? A Spyware B Trojan C Privilege escalation D Spam

Privilege escalation Privilege escalation is the act of gaining a higher level of access to resources. It is sometimes done by using the local system account in Windows. Privilege escalation is a method of attack, whereas Trojans, spyware, and spam are types of malware.

Question :Which of the following solutions should be used by heavily utilized networks? A Telephony B VPN concentrator C Remote access D Provider cloud

Provider cloud Provider clouds can offer Infrastructure as a Service (IaaS), which can alleviate some of the stress an organization's network might suffer from. In addition, provider clouds can offer software (SaaS) and platforms (PaaS). VPN concentrators and remote access are not good choices for heavily utilized networks. They are meant for smaller groups of remote users. Telephony is not a solution for heavily utilized networks. It is quite the opposite; often networks are the solution for telephony usage.

You have been tasked with investigating a compromised web server and just finished analyzing the logs of a firewall. You see the following open inbound ports appear in the log:

22, 25, 445, 514, 1433, 3225, 3389

Of the following answers, which was most likely used to access the server remotely? A HTTPS B Telnet C Syslog D HTTP E RDP F LDAP

RDP Most likely, RDP (Remote Desktop Protocol) was used to remotely access the server. RDP uses port 3389 by default, which is within the list of open inbound ports in the log. That would mean that Remote Desktop Services (or Terminal Services) is running on the web server. This is a no-no. Though it can allow an easy way for an admin to remotely connect to the server, it is so well known that it creates an exploitable open doorway for attackers. It is far better to use a remote control program via a secure browser session, one that uses AES for encryption as well as multifactor authentication. Once that is implemented, RDP should be disabled. HTTP uses port 80, which is not listed as an open port in the log. LDAP uses port 389, again not listed, and it shouldn't be. LDAP might be used by a Microsoft domain controller or similar server, but not by a web server. HTTPS uses port 443. This is the type of connection that services such as RealVNC would use to make remote connections. Port 443 is not listed in the log. Telnet uses port 23. It is not listed in the log, and you should thank your lucky stars that it isn't because it is the easiest to hack of everything listed in the question. Syslog uses port 514, which is listed in the log, but is not used for remote control of a server. Instead, it allows for the grabbing of log files from routers and other networking equipment. Note: The ports that are listed and their respective protocols are 22 (SSH), 25 (SMTP), 445 (SMB), 514 (Syslog), 1433 (Ms-sql-s), 3225 (FCIP), and of course 3389 (RDP). Know your protocols!

Your CFO's smartphone holding classified data has been stolen. What is the best way to reduce data leakage? A Remotely sanitize the device. B Track the device with GPS. C Inform law enforcement. D Use strong encryption.

Remotely sanitize the device. If a device holding classified data is stolen, the best thing to do is to remotely sanitize the device (known as a remote wipe). It is too late to use strong encryption, but that should always be implemented on mobile devices (or any devices, for that matter) with classified information. After remotely sanitizing the device, you might opt to inform law enforcement (or your organization's security company or internal security investigators) and possibly track the device via GPS.

You investigate an executive's laptop and find a system-level kernel module that is modifying the operating system's functions. What is this an example of? A Rootkit B Worm C Logic bomb D Virus

Rootkit Rootkits are designed to gain administrative control over an OS without being detected and perform malicious operations. Worms and viruses affect files but not the kernel of the OS. Logic bombs are ways of delivering malicious software at a specific date.

Which of the following protocols operates at the highest layer of the OSI model? A ICMP B SCP C IPsec D TCP

SCP SCP (Secure Copy) is a protocol/application used to transfer files securely between computers. It relies on Secure Shell (SSH) and uses port 22, and it is an application, and therefore resides on the application layer (layer 7), the highest layer of the OSI model, as does SSH. Because the OSI model is normally represented with a top-down approach, the application layer is at the top, and is considered "highest." IPsec is a protocol used to secure IP communications, for example within Layer 2 Tunneling Protocol (L2TP) VPN connections; it is a network layer (layer 3) protocol. TCP resides on the transport layer (layer 4). ICMP (Internet Control Message Protocol) resides on the network layer (layer 3), and is instrumental in testing networking connections; for example, with the ping command.

Which is the most secure option when transferring files from one host to another? A SFTP B TFTP C FTP D Telnet

SFTP SFTP (Secure File Transfer Protocol) is a secure version of regular FTP that is based on SSH, which enables it to run over a secure channel. TFTP (Trivial FTP) is a simplistic, insecure, and somewhat deprecated protocol. Telnet is also insecure and deprecated.

Which protocol is based on SSH? A SFTP B FTPS C FTP D TFTP

SFTP SFTP is the SSH File Transfer Protocol (also called Secure FTP). It is an extension of the SSH protocol, which uses port 22. Contrast SFTP with FTPS. FTPS is FTP Secure or FTP-SSL, which uses port 443. Plain FTP has no built-in security and is not based on SSH. TFTP is a simple version of FTP.

In an environment where the transmission and storage of PII data needs to be encrypted, what methods should you select? (Select the two best answers.) A SSH B PGP C SNMP D NTLM E TFTP F TKIP

SSH & PGP SSH (Secure Shell) can secure connections to remote machines and is instrumental in encrypting data in motion over the network. PGP (Pretty Good Privacy) encrypts data that is meant for transit via e-mail or for data that is meant to be at rest, or simply stored somewhere for an indeterminate amount of time. These are the only answers listed that will encrypt data and/or data sessions (and are not outdated). TFTP is used to send small and basic files in an unsecure manner between two hosts on a LAN. It does not encrypt data. The Temporal Key Integrity Protocol (TKIP) is used as a security protocol in wireless networks but is outdated and should be replaced by either Counter Mode CBC-MAC Protocol (CCMP) or Advanced Encryption Standard (AES). TKIP is insecure because it makes use of RC4, which is considered outdated. The Simple Network Management Protocol (SNMP) concerns the monitoring of networks and network devices and hosts. NTLM (NT LAN Manager hash) is a cryptographic hashing protocol used with Windows passwords. This is also outdated and should be replaced with NTLMv2.

What kind of attack would a flood guard protect a network from? A Botnet B MITM attack C Xmas attack D SYN attack

SYN attack A SYN attack (also known as a SYN flood) is when a large amount of synchronization request packets are sent from a client to a server. To protect against this, SYN flood guards can be implemented within some firewalls or as separate devices altogether. If implemented on a firewall, some configuration is usually necessary. An Xmas attack (Christmas tree packet attack) is used to analyze TCP/IP responses. It might have many of the option bits in the header enabled, but it does not have the SYN flag set. MITM stands for man-in-the-middle, an attack that intercepts and modifies data traveling between a client and a server. A botnet is a group of compromised computers that jointly (and unknowingly) attacks single points of interest such as web servers.

In the event that a mobile device is stolen, what two security controls can prevent data loss? (Select the two best answers.) A Screen locks B Inventory control C Full device encryption D GPS E Asset tracking

Screen locks & Full device encryption Screen locks (especially the password and passcode variety) can make it difficult for an attacker to get to the data stored on the device. Better yet, full device encryption will make it virtually impossible to read the data. These are the best options, but not the only options. For example, a security administrator might opt to install a remote wipe program. Once it is known the mobile device has been stolen, the admin can trigger the wipe from a central location. However, there is a time delay concerning this method, so it should be used with the previous techniques. From a security standpoint, a global positioning system (GPS) is usually more of a hindrance than a security control. It might help in recovering the device, but by that point the damage has probably already been done. Inventory control and the tracking of assets are important (and are sometimes done with the aid of GPS), but remember that an unprotected mobile device can have its data downloaded by an attacker in a matter of minutes. So these things are great from a management standpoint, but not from a security standpoint.

Tara has written an application and is ready to go through the hardening process. Which of the following could be considered a hardening process of the SDLC? A Disabling unnecessary services B Secure coding concepts C Disabling unnecessary accounts D Application patching management schedule

Secure coding concepts Secure coding concepts such as input validation will help to harden an application within the systems development life cycle (SDLC). Although disabling unnecessary services and accounts and patching the application are important, these could all be considered application or server hardening, not hardening within the SDLC.

What type of cloud service is webmail known as? A Remote Desktop B Platform as a Service C Infrastructure as a Service D Software as a Service

Software as a Service Webmail can be classified as Software as a Service (SaaS). This is when an external provider (in the cloud) offers e-mail services that a user can access with a web browser. Examples include Gmail and Outlook.com. Remote Desktop, or RDP, allows a person to remotely control another computer. Platform as a Service (PaaS) is when a cloud-based service provider offers an entire application development platform that can be accessed via a web browser or other third-party application. Infrastructure as a Service (IaaS) is when a cloud-based service provider offers an entire network located on the Internet.

Which of the following should you install to stop unwanted and unsolicited e-mails? A Spam filters B Pop-up blockers C Spyware definitions D Virus definitions

Spam filters Spam filters will help to filter out spam (unwanted e-mail). They can be configured in most e-mail programs or can be implemented as part of an anti-malware package. Spyware definitions are used to update a spyware application, making web browsing sessions more safe. Pop-up blockers remove a percentage of the pop-up windows common with many websites. Virus definitions should be updated often to prevent a virus from executing on a computer.

What is it known as when an attacker provides falsified information? A Spoofing B Redirecting C Flooding D Aliasing

Spoofing Spoofing is an attack where an attacker masquerades as another person by falsifying information. Types of spoofing attacks include the man-in-the-middle attack and phishing. Aliasing is when a secondary name is given to a computer or other device, usually for legitimate purposes. Flooding is a category of attack that can use different types of packets to flood a device or server to deny service. Redirecting is when a particular connection is redirected to another resource, for example, when mapping a network drive.

What are the best reasons to use an HSM? A To store keys B For a CRL C To generate keys D To transfer keys to the hard drive E To recover keys

Store and generate keys An HSM (hardware security module) is a device that manages digital keys for cryptography. It allows for onboard secure storage of data and is used to generate and store keys. Key recovery and the transferring of keys is done by other methods. Although an HSM can be used in conjunction with a PKI, it does not have the option of storing a CRL.

HIDS and NIDS are similar intrusion detection systems. However, one is for individual computers, and the other is for networks. Which of the following would a HIDS be installed to monitor? A Network adapter performance B CPU performance C System files D Temporary Internet files

System files A HIDS, or host-based intrusion detection system, is software installed to an individual computer to monitor important files and watch for intrusions. System files are some of the most important files that will be monitored by a HIDS. Temporary Internet files are not nearly as important and are usually removed automatically by way of a policy in many organizations. CPU and network adapter performance is usually monitored by some type of performance monitoring program; these are often built into the operating system.

Which of the following is embedded and contains a storage root key? A BitLocker B TPM C HSM D EFS

TPM A TPM (trusted platform module) is a dedicated chip residing on the motherboard that stores encrypted keys. One of these is the storage root key. This is used to encrypt the contents of the entire hard drive and is used by programs such as BitLocker for full disk encryption. An HSM (hardware security module) is a separate physical device that manages digital keys. It is not embedded in the system, but is external to the computer. EFS (Encrypting File System) is Microsoft's system for encrypting individual files in Windows, at which point their filenames turn green when viewed in Windows Explorer or File Explorer. BitLocker is Microsoft's full disk encryption program in Windows, which can make use of a TPM.

You are surprised to notice that a co-worker's computer is communicating with an unknown IRC server and is scanning other systems on the network. None of this was scheduled by anyone in your organization, and the user appears to be unaware of what is transpiring. What is the most likely cause? A The computer is infected with a rootkit. B The computer is infected with spyware. C The computer is infected with a worm. D The computer is part of a botnet.

The computer is part of a botnet. If the computer in question is scanning the network and accessing an unknown IRC server without the user's knowledge, then the computer has probably been compromised as a zombie and is now part of a botnet. The IRC server probably acts as a central communication point for all zombies in the botnet. Though the computer had to be infected with some kind of payload originally, that malware is not responsible for the events that are transpiring currently.

What can happen if access mechanisms to data on an encrypted USB hard drive are not implemented correctly? A User accounts can be locked out. B The security controls on the USB drive can be bypassed. C Data on the hard drive can be vulnerable to log analysis. D Data on the USB drive can be corrupted.

The security controls on the USB drive can be bypassed. If access mechanisms such as permissions and policies are not implemented correctly on a USB hard drive (or any hard drive for that matter), then those security controls for that drive can be bypassed by an attacker. The possibility of data corruption usually happens because a hard drive physically fails or becomes too fragmented, not because of security controls being bypassed. Data on the USB drive should not be vulnerable to log analysis because the logs are normally stored in the system partition of the operating system. That drive is internal to the computer, whereas a USB hard drive will be external to the computer. The same holds true for user accounts. Those accounts are stored within the OS, and again on the main drive, not on a USB hard drive.

Virtualization is a broad term that includes the use of virtual machines and the extraction of computer resources. Which of the following is the best security reason for using virtualization of network servers? A To analyze network traffic B To add network services C To isolate network services and roles D To centralize patch management

To isolate network services and roles Virtualization is the creation of a virtual entity as opposed to an actual server or operating system. The most common type is the virtual machine that runs an entire operating system virtually within the original operating system of the computer. The best security reason for implementing virtualization is to isolate different services and roles. Patch management centralization is done to secure all the client operating systems on the network and make sure that they are up to date. Although network services can be added through the use of virtualization, it is the specific concept of isolating those additional network services that makes virtualization secure. The analysis of network traffic can be done with a protocol analyzer, otherwise known as a network sniffer.

What is the best reason for security researchers to use virtual machines? A To offer an environment where they can discuss security research B To offer an environment where network applications can be tested C To offer an environment where malware might be executed but with minimal risk to equipment D To offer a secure virtual environment where they can conduct online deployments

To offer an environment where malware might be executed but with minimal risk to equipment The best reason why security researchers use virtual machines is to offer an environment whereby malware might be executed but with minimal risk to the equipment. The virtual machine is isolated from the actual operating system, and the virtual machine can simply be deleted if it is affected by viruses or other types of malware. Although the other answers are possible reasons why a security researcher would use a virtual machine, the best answer is that it offers the isolated environment where a malicious activity can occur but be easily controlled and monitored.

A thumb drive has been used to compromise systems and enable unauthorized access. What kind of malware was most likely installed to the thumb drive? A Trojan B Virus C Logic bomb D Bot

Trojan Trojans are used to access a system without authorization. They can be installed to USB flash drives, can be remote access programs, or could be unwittingly stumbled upon when accessing disreputable websites. The key phrase here is "unauthorized access"; that is what the Trojan is trying to do. A bot is a computer that performs actions without the user's consent and is often controlled by a remote master computer. Although the bot doesn't enable unauthorized access, a Trojan might carry a bot program as part of its payload. Logic bombs are generally a method of transferring malware and are meant to initiate a malicious function at a specific time. Viruses infect a computer but are not used for unauthorized access.

What would you implement to separate two departments? A VLAN B SaaS C MAC filtering D Cloud computing

VLAN A virtual LAN (VLAN) is used to logically separate groups of computers. It is often done to separate departments in a virtual manner without having to change the physical cabling design. MAC filtering is a method implemented on access points to allow only specific systems onto the wireless network. Cloud computing is a group of various services offered by third-party organizations; the services are hosted on the Internet. SaaS (Software as a Service) is an example of cloud computing. Lesson: Network Design Elements

What is the best way to prevent ARP poisoning across a network? A MAC flooding B VLAN segregation C Loop protection D Log analysis

VLAN segregation By segregating a network into multiple virtual LANs, ARP poisoning attacks hopefully will falter when trying to cross from one VLAN to the next. This isn't always successful, but it is one smart way to try to avoid ARP poisoning attacks. A MAC flood is an attack in which numerous packets are sent to a switch, each with a different MAC address. Log analysis is used to determine what happened at a specific time on a particular system. Loop protection can be enabled on some switches, which protects from a person connecting both ends of a patch cable to two different switch ports on a switch.

What are the best ways for a web programmer to prevent website application code from being vulnerable to XSRF attacks? (Select the two best answers.) A Ensure HTML tags are enclosed within angle brackets B Validate input on the client and the server side C Use a web proxy to pass website requests between the user and the application D Restrict the use of special characters in form fields E Permit URL redirection

Validate input on the client and the server side & Restrict the use of special characters in form fields Input validation is extremely important when it comes to website attacks such as XSRF (cross-site request forgery) and cross-site scripting (XSS) attacks. Forms and other documents should be validated on the client side and the server side (if at all possible). Special characters should be restricted and sanitized within form fields and URLs. This is all part of secure coding. Using angle brackets for HTML code (for example < and >) is just good programming. Without angle brackets, the HTML statement won't work, but it has nothing to do with input validation. The more redirection that occurs, the more the chance of vulnerabilities being exploited. URL redirection should be limited if not eliminated. Web proxies make for more efficient web connections in a variety of ways but do nothing for input validation.

A programmer wants to prevent cross-site scripting. Which of the following should the programmer implement? A Validation of input to remove hypertext B Validation of input to remove bit code C Validation of input to remove shell scripts D Validation of input to remove batch files

Validation of input to remove hypertext Cross-site scripting (XSS) is a vulnerability to web applications. For example, a malicious attacker might attempt to inject hypertext into a standard text-based web form. Shell scripts, batch files, and Java bit code are not associated with XSS attacks.

The IT director asks you to verify that the organization's virtualization technology is implemented securely. What should you do? A Subnet the network so that each virtual machine is on a different network segment B Perform penetration testing on virtual machines C Verify that virtual machines are multihomed D Verify that virtual machines have the latest updates and patches installed

Verify that virtual machines have the latest updates and patches installed One of the most important security precautions you can take is to install the updates and patches. This concept applies to regular operating systems, applications, and virtual machines. It is unnecessary for virtual machines to be multihomed because this will not increase their security. In fact, the more network connections a VM has, the less security it has. Penetration testing should be completed before the virtual machines have been implemented. Subnetting is not necessary for virtual machines, although it can increase security. Subnetting should be taken into account during the planning and implementation stage.

A hacker develops a piece of malicious code that is not designed to automatically spread from one system to another. Instead, it is designed to spread from one file to another file on the individual computer. What type of malware is this? A Botnet B Trojan C Worm D Virus

Virus A virus is designed to spread from one file to another file on an individual computer. It is not designed to automatically spread from one system to another; that would be a worm. A Trojan is malicious code that appears to do something legitimate but does something illegitimate outside the view of the user. A botnet is a group of compromised computers normally known as zombies.

You get an automated call from what appears to be your bank. The recording asks you to state your name, state your birthday, and enter your bank account number to validate your identity. What type of attack has been perpetuated against you? A Vishing B Spoofing C Pharming D Phishing

Vishing Vishing is a type of phishing social engineering attack, but it is done over the phone, whereas regular phishing is usually done by e-mail. Pharming is an attack designed to redirect a website's traffic to another website. Spoofing is an attack where a person or a program masquerades as another one.

Which of the following can be implemented in hardware or software to protect a web server from XSS attacks? A URL content filter B IDS C Flood guard D WAF

WAF A WAF (web application firewall) can be implemented as hardware or software. Among other things it can protect from XSS (cross-site scripting) and SQL injection attacks. The WAF can be an appliance, server software, or plug-in, and applies a set of rules to HTTP sessions to protect from various attacks. WebKnight and ModSecurity are examples of open source WAFs. Unlike other devices such as network intrusion detection systems (NIDSs), routers, and some firewalls, the WAF operates at layer 7 of the OSI model (application layer). A flood guard is a separate feature of firewalls that can protect against SYN flood attacks. IDS stands for intrusion detection system—a device or software that monitors network activities and alerts an administrator to various types of malicious activities. A URL content filter is a software filter that monitors for specific URLs (domain names and website names) that are undesirable and disallows access to them.

The security company you work for has been contracted to discern the security level of a software application. The company building the application has given you the login details, production documentation, a test environment, and the source code. Which of the following testing types has been offered to you? A White box B Gray box C Red teaming D Black box

White box White box testing is when you are given as many details as possible about the application you are about to test. White box testing tests the internal workings of an application. Black box testing tests the functionality of an application without any real specific knowledge of the application. Gray box testing is when the owners of the application give you partial internal knowledge of the application to be tested. A red team is a group of penetration testers that assesses the security of an organization as opposed to an individual application.

What is the main difference between a worm and a virus? A A worm is self-replicating. B A virus is larger. C A virus is easily removed. D A worm is undetectable.

A worm is self-replicating. Worms are self-replicating once they are executed, whereas viruses are not. Viruses may spread out and infect one or more files, but the actual virus cannot replicate itself. Viruses and worms can be difficult to remove, depending on their severity and age. Both worms and viruses can be detected with antivirus software. Viruses can be larger or smaller than worms. The two are similar in general, aside from self-replication.

A security administrator for your organization utilized a heuristic system to detect an anomaly in a desktop computer's baseline. The admin was able to detect an attack even though the signature-based IDS and antivirus software did not detect it. Upon further review, it appears that the attacker had downloaded an executable file on the desktop computer from a USB port and executed it, triggering a privilege escalation. What type of attack has occurred? A XML injection B Zero day C Baiting D Directory traversal

Zero day A zero day attack (such as a zero day virus) is one that up until the point of time when the attack occurs was previously unknown to antivirus software companies and IDS companies. So, for the attack in question there was no AV or IDS signature available to detect it—it is an unknown and undocumented exploit. The admin found it by utilizing a heuristic system, which is a more advanced type of IDS. In a similar scenario, if a malicious exploit is found in an application and you inquire with the software vendor about remediation steps, and then find that no patches are available, you have most likely found a zero day attack. In these situations, you will have to improvise. The rest of the answers are known attacks. Directory traversal is a method of accessing unauthorized parent directories on web servers. XML injection is a type of code injection used on website forms. Baiting is a type of social engineering attack where a USB flash drive or other type of removable media (often containing malware) is left out in the open for an unsuspecting person to pick up and (hopefully) insert into a computer.