Security+ - Practice Test A


You find out that confidential information is being encoded into graphic files in a form of security through obscurity. What have you encountered? A. non-repudiation B. confidentiality C. steganography D. digital signature

Answer C is correct. Steganography is the practice of hiding a message inside another, innocuous-looking message, for example in the least significant bits of the pixel bytes of a graphic file. Because it depends on nobody noticing that the hidden data exists, rather than on a secret key, it is a form of security through obscurity, and in practice it is layered with encryption so that a discovered payload is still unreadable. Confidentiality is the broader goal that both steganography and encryption serve, while digital signatures and non-repudiation are about proving who sent something, not about hiding it.

Which of the following should be performed on a computer to protect the OS from malicious software? Each correct answer represents a part of the solution. Choose two. A. update HIPS signature B. update NIDS signature C. disable unused services D. disable DEP setting E. install a perimeter firewall

Answers A and C are correct. An individual operating system is hardened by disabling unused services, which shrinks its attack surface, and by keeping the signatures of any host-based intrusion detection or prevention system (HIDS/HIPS) current. Because the question concerns a single computer, network intrusion detection signatures and a perimeter firewall protect the network rather than the host itself. DEP (data execution prevention) marks data pages of memory as non-executable to block many code-injection attacks; disabling it would weaken the host, not protect it.

Which of the following protocols does the 802.11i standard support? Each correct answer represents a complete solution. Choose all that apply. A. TKIP B. ECC C. DES D. AES E. RSA

Answers A and D are correct. The 802.11i standard (the basis of WPA2) defines two confidentiality protocols for wireless frames: TKIP (Temporal Key Integrity Protocol), a transitional protocol built on RC4 so that older WPA hardware could be supported, and CCMP, which is built on AES (Advanced Encryption Standard). TKIP is now deprecated and only AES-CCMP should be used. RSA is an asymmetric (public key) algorithm used for key exchange and digital signatures, and ECC (elliptic curve cryptography) is a family of asymmetric algorithms; neither is part of 802.11i. DES is an obsolete symmetric block cipher that 802.11i does not use.

Which of the following authentication protocols makes use of a supplicant, authenticator, and authentication server? A. 802.1X B. RADIUS C. LDAP D. Kerberos

Answer A is correct. 802.1X makes use of three components: a supplicant, which is software running on a workstation; an authenticator, which is a wireless access point or switch; and an authentication server, which is an authentication database, most likely a RADIUS server. Kerberos makes use of a key distribution center that works with tickets to prove the identity of users. RADIUS provides centralized administration of dial-up, VPN, and wireless authentication and can be used with 802.1X and EAP (Extensible Authentication Protocol). LDAP (Lightweight Directory Access Protocol) can access and modify directory services data.

You are required to renew an SSL certificate for a web server. Which of the following should you submit to the certificate authority? A. CSR B. CRL C. RA D. private key

Answer A is correct. A CSR (certificate signing request) is submitted to the certificate authority whenever a new or renewed certificate is required for a web server, whether the CA is a commercial vendor or an internal enterprise CA. A private key (usually RSA or ECDSA) is generated first; the CSR contains the matching public key and the server's identifying information (subject and subject alternative names) and is signed with the private key to prove possession of it. The private key itself never leaves the server and is never sent to the CA; only the server administrator should have access to it. A CRL (certificate revocation list) lists certificates the CA has revoked before their expiry date, for example because the key was compromised; expired certificates do not need to appear on it because their validity period already rejects them. RA can stand for either registration authority, which verifies requesters' identities on behalf of the CA, or recovery agent, an account authorized to recover keys that have been lost.

Your high-tech server room needs a quality fire suppression system. What is the most appropriate type of fire suppression system to install? A. gaseous fire suppression B. dry chemical suppression C. dry-pipe sprinkler system D. wet chemical suppression

Answer A is correct. A gaseous (clean agent) fire suppression system is the right choice: it extinguishes a fire without leaving residue or water, whereas the other systems can easily damage server room equipment. FM-200 is a common example; a CO2 extinguisher is a smaller-scale gaseous option, though CO2 displaces oxygen and is dangerous to anyone still in the room. Some municipalities require a sprinkler system even when a gaseous system is installed; in that case a dry-pipe sprinkler system, whose pipes hold pressurized air until a fire is detected, is installed in addition to the gaseous system. Multipurpose dry chemical extinguishers are extremely messy and corrosive to electronics, and wet chemical suppression (designed for kitchen grease fires) is even worse. Neither these nor water-based extinguishers should be used in a server room.

You want to prevent any intrusions to a single computer. What is the best solution? A. host-based firewall B. host-based intrusion detection C. network firewall D. VPN concentrator

Answer A is correct. A host-based firewall is the best solution to prevent intrusions to a single computer. Firewalls block traffic that might carry attacks or other intrusions. A VPN concentrator provides remote access for multiple users. Host-based intrusion detection (a HIDS) will detect an intrusion but not prevent it; to prevent it you would want a host-based intrusion prevention system (HIPS). A network firewall helps protect an entire network but is not the best solution when you are only trying to prevent intrusions to a single computer. A host-based firewall can also carry rules that are specific to the applications and attacks that might be perpetrated against that one local computer.

Which of the following anomalies can a protocol analyzer detect? A. malformed or fragmented packets B. passive sniffing of network traffic C. decryption of encrypted network traffic D. disabled network adapters

Answer A is correct. A protocol analyzer (packet sniffer) such as Wireshark captures frames and decodes them, so it will flag malformed, fragmented, truncated, or oversized packets, and you can then drill into those packets to find out why they are defective. A protocol analyzer cannot decrypt encrypted traffic unless it is given the session or private keys, so decryption is something it performs with supplied keys, not an anomaly it detects; whether encrypted traffic is being decrypted somewhere other than its intended destination is a question for the endpoints, any TLS inspection devices, and the HIDS/NIDS monitoring them. Disabled network adapters are found with command-line tools or the local computer's Device Manager, not in a capture. Passive sniffing is hard to detect because a sniffer transmits nothing; some scanners can infer that a host is in promiscuous mode from how it responds to specially crafted frames, but that is not a protocol analyzer function.

You have been contracted to determine if network activity spikes are related to an attempt by an attacker to breach the network. The customer wants you to identify when the activity occurs and what type of traffic causes the activity. Which type of tool should you use? A. protocol analyzer B. network mapper C. performance monitor D. system monitor

Answer A is correct. A protocol analyzer will capture packets and timestamp each one. This tells you exactly what type of packets were captured and when. If the timestamps correspond to the network activity spikes, you know you have a match for the time. By digging into the packets with a protocol analyzer, you can find out exactly what type of traffic is causing the activity. Network mappers such as SolarWinds' Network Topology Mapper locate all the hosts on a network. System Monitor is a program used by Linux, and Performance Monitor is a program used by Windows; both of these monitor a server's resources such as CPU, RAM, and hard drive. While the Performance Monitor can identify spikes associated with the local computer's network adapter, a protocol analyzer such as Wireshark will be the better tool to identify network spikes, meaning spikes that might occur in various places on the network.

A systems administrator requires an all-in-one device that combines various levels of defense into one solution. She requires a single device that sits last on the network before the Internet connection. Which of the following would be the best solution? A. UTM B. WIDS C. DLP D. circuit-level gateway

Answer A is correct. A unified threat management (UTM) device is an all-in-one device that combines the various levels of defense into one solution. Often, this is a single device that sits last on the network before the Internet connection. A circuit-level gateway works at the session layer of the OSI model, and applies security mechanisms when a TCP or UDP connection is established; it acts as a go-between for the transport and application layers in TCP/IP. Circuit-level gateways hide information about the private network, but they do not filter individual packets. Data loss prevention (DLP) systems are designed to protect data by way of content inspection. They are meant to stop the leakage of confidential data, often concentrating on communications. A WIDS is a wireless IDS that monitors the radio spectrum for unauthorized access and rogue access points.

You have been asked by an organization to help correct problems with users unknowingly downloading malicious code from websites. Which of the following should you do to fix this problem? A. disable unauthorized ActiveX controls B. implement a policy to minimize the problem C. use virtual machines D. install a network-based intrusion detection system

Answer A is correct. ActiveX controls are native code that a web page can load into Internet Explorer, so a malicious control is effectively malware that users download without knowing it. Disabling unauthorized ActiveX controls, in whole or in part, in the browser's security settings and add-on management removes this path. (Modern browsers no longer support ActiveX at all; the same principle applies to restricting browser extensions and plug-ins.) A NIDS might detect known malicious controls to some extent, but it is a detective control and should not be relied on alone. A policy is always worthwhile, but the question asks you to fix the problem, not merely minimize it. Virtual machines isolate the damage a malicious control can do, but they do not stop the code from being downloaded in the first place.

You have collected login information, file access information, security log files, and unauthorized security violations. What is this collection known as? A. audit trail B. audit C. access control list D. security log

Answer A is correct. An audit trail is a collection of security log files, unauthorized security violations, and other logged information such as successful or failed logins. The audit is the technical assessment made of applications, files, and networks; quite often this includes an audit trail. An access control list (ACL) is a set of rules or permissions. The security log is the log file in Windows (found in the Event Viewer) that shows security violations or allowed access whether they succeeded or not; it works when auditing has been turned on.

What is a definition of implicit deny? A. resources that are not given access are denied by default B. everything is denied by default C. all traffic from one network to another is denied D. ACLs are used to secure the firewall

Answer A is correct. If a resource is not given specific access, it will be implicitly denied by default. Access control lists are used to permit or deny access from one network to another and are often implemented on a firewall. Rarely is everything denied by default, though it is possible; for example, a SOHO router's firewall will deny all inbound ports by default (unless connections were initiated internally). The term everything in the answer is somewhat vague. Implicit deny deals with specific resources and whether those resources are not configured to give access. An implicit deny might be configured for entire networks, but that is not at the core of the definition. ACLs are most certainly used to secure a firewall and one or more of those might be an implicit deny, but the ACL itself is not necessarily an implicit deny. ACLs can permit or deny access to resources, systems, or networks.
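
An added example, not part of the practice test, that makes the definition concrete: a small first-match ACL evaluator in which any packet that matches no rule falls through to an implicit deny. The rule set, addresses, and function names are constructed for this example; real firewalls express the same idea in their own syntax. The sample rules also show why rule order matters, since the explicit deny for the guest subnet has to sit above the broader permit to take effect.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    port: Optional[int]   # destination port, None means any port


# Constructed rule set: the only traffic explicitly permitted is HTTPS from the
# corporate LAN to a web server, with the guest subnet blocked above it.
# Anything that matches neither rule falls through to the implicit deny.
RULES: List[Rule] = [
    Rule("deny",   "10.0.5.0/24", "0.0.0.0/0",       None),  # guest Wi-Fi: explicit deny
    Rule("permit", "10.0.0.0/8",  "192.168.1.10/32", 443),   # LAN -> web server, HTTPS only
]


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First-match ACL evaluation.

    Returns the action of the first rule the packet matches, or "deny" when no
    rule matches: the implicit deny that sits at the end of every ACL.
    """
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if (src in ip_network(rule.src)
                and dst in ip_network(rule.dst)
                and (rule.port is None or rule.port == port)):
            return rule.action
    return "deny"  # implicit deny: no rule granted access to this resource


if __name__ == "__main__":
    print(evaluate(RULES, "10.0.1.5",   "192.168.1.10", 443))  # permit (explicit rule)
    print(evaluate(RULES, "10.0.1.5",   "192.168.1.10", 22))   # deny (implicit: no rule for SSH)
    print(evaluate(RULES, "10.0.5.20",  "192.168.1.10", 443))  # deny (explicit, matched first)
    print(evaluate(RULES, "172.16.0.9", "192.168.1.10", 443))  # deny (implicit: source not covered)
```

When reviewing a real ACL, the check this illustrates is to trace each intended flow through the rules in order and confirm that everything you did not intend to allow really does reach the implicit deny rather than an over-broad permit higher up.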

Your company has a mix of on-premises infrastructure and cloud-provider infrastructure and needs to extend the reach of its security policies beyond the internal infrastructure. Which of the following would be the BEST solution for the company to consider? A. CASB B. SaaS C. PaaS D. MaaS

Answer A is correct. If there is a mix of on-premises infrastructure and cloud-provider infrastructure, a company might consider a cloud access security broker (CASB). A CASB is a software tool or service that acts as the gatekeeper between the two, allowing the company to extend the reach of its security policies beyond its internal infrastructure. Software as a service (SaaS) is when users access applications over the Internet that are provided by a third party. The applications need not be installed on the local computer. Platform as a service (PaaS) is a service that provides various software solutions to organizations, especially the ability to develop applications in a virtual environment without the cost or administration of a physical platform. PaaS is used for easy-to-configure operating systems and on-demand computing. Monitoring as a service (MaaS) is a framework that facilitates the deployment of monitoring within the cloud in a continuous fashion.

Your organization implements a policy in which accounting staff needs to be cross-trained in various banking software to detect possible fraud. What is this an example of? A. job rotation B. due care C. separation of duties D. least privilege

Answer A is correct. Job rotation is one of the checks and balances that might be employed to enforce proper separation of duties. Job rotation can increase user insight and skill level and prevent fraud, thereby increasing the security of an organization's data and applications. It is quite often implemented through the use of cross-training. Separation of duties is when more than one person is required to complete a particular task. The principle of least privilege states that a user will be given only the permissions necessary to complete a task. Due care is the mitigation action an organization takes to defend against the risks that have been uncovered during due diligence.

You have completed the deployment of PKI within your organization's network. Legally you are required to implement a way to provide decryption keys to a governmental third party on an as-needed basis. Which of the following should you implement? A. key escrow B. recovery agent C. certificate registration D. additional certificate authority

Answer A is correct. Key escrow should be implemented so that the governmental third party can be provided decryption keys as necessary. Key escrow is when certificate keys are held in the case that third parties such as government or other organizations need access to encrypted communications. Additional certificate authorities are normally implemented as a form of fault tolerance. To avoid single points of failure such as a single CA, certificate authorities can be organized in a hierarchical manner. Key recovery agents are configured if the lost or corrupted keys need to be restored. Certificate registration occurs when a user tries to access secure information and needs to apply for a certificate. The registration might be completed by the certificate authority or by a registration authority.

Which of the following concepts best describes the mandatory access control model? A. Lattice B. Bell-LaPadula C. Clark-Wilson D. Biba

Answer A is correct. Mandatory access control (MAC) has two common implementations: rule-based access control and lattice-based access control. In a lattice-based system every subject and object carries a security label, and the set of labels forms a mathematical lattice (a partial order in which any two labels have a least upper bound and a greatest lower bound); a subject may access an object only when the two labels are comparable in the direction the policy permits. Bell-LaPadula is a state machine model used to enforce access control in government systems. It is a less common, multilevel security derivative of mandatory access control that focuses on data confidentiality and controlled access to classified information ("no read up, no write down"). The Biba model describes rules for the protection of data integrity ("no read down, no write up"). Clark-Wilson is another integrity model that provides a foundation for specifying and analyzing an integrity policy for a commercial computing system.

You and your security team have established a security awareness program to help educate the employees in your organization. Which of the following would give you the best indication of the success of the program? A. metrics B. procedures C. policies D. standards

Answer A is correct. Metrics are measured data that let an administrator see how a training program or a technology is performing. In this scenario, a good way to obtain metrics is to test the employees after training, collect the results centrally, and compare them with a pre-training baseline; an even better indicator is behavioural, such as the click rate on simulated phishing e-mails before and after the program. The same concept applies to technologies such as servers and network connections. Policies and procedures are written to raise the level of security and reduce risk to an organization, but they do not by themselves show whether they are succeeding; the same holds true for standards. Standards and protocols give employees a common way of working on their computers, from something as simple as logging in before starting work to something as complex as a TLS cipher suite (for example, RSA or ECDHE key exchange with AES and SHA-256) for connections to the organization's website. You still have to test those protocols and connections to confirm they work; repeated testing and baselining is what ultimately yields metrics.

Which of the following encryption protocols uses a PSK? A. PGP B. CRL C. TPM D. DLP

Answer A is correct, although the question's premise is loose. Of the four options, PGP (Pretty Good Privacy) is the only encryption protocol: a TPM (trusted platform module) is a chip that generates and stores keys, a CRL (certificate revocation list) is a list of revoked certificates, and DLP (data loss prevention) is a content-inspection control. Each may have encryption associated with it, but none is itself an encryption protocol; the closest is the TPM, which can hold keys, but the TPM is hardware, not a protocol. Strictly speaking, PGP does not rely on a pre-shared key in the sense that WPA-PSK does: it is a hybrid system that generates a fresh random session key for each message, encrypts the message with that symmetric key, and encrypts the session key to the recipient's public key. Only PGP's conventional (symmetric-only) mode, in which both parties must agree on a passphrase over a secure channel beforehand, matches the idea of a pre-shared key.

One of your users complains that he received an e-mail from a mortgage company asking for personal information. The user does not recognize this mortgage company as the company with which he first applied for a mortgage for his house. What is the best way to describe this e-mail? A. phishing B. denial of service C. spam D. hoax

Answer A is correct. Phishing is an attempt to obtain private information fraudulently. The phisher masquerades as a trusted entity, here a mortgage company, and usually uses e-mail, a spoofed web page, or a phone call (vishing) to do it. A hoax deceives people into believing something false, for example a chain e-mail warning of a nonexistent virus and urging recipients to delete a system file; it spreads misinformation rather than harvesting credentials or personal data. The line between the two can blur, but phishing's defining trait is the fraudulent request for information, which is what this message contains. Spam is the abuse of electronic messaging systems such as e-mail or instant messaging, usually to market illegitimate products in bulk. A denial of service is an attack that makes a system or service unavailable to its users.

What kind of attack enables an attacker to access administrator-level resources using a Windows service that uses the local system account? A. privilege escalation B. spam C. spyware D. trojan

Answer A is correct. Privilege escalation is the act of gaining a higher level of access than was granted. On Windows, a service that runs under the LocalSystem account executes with full administrative rights, so a weakness in such a service (for example, a service binary or configuration that a low-privileged user can modify) lets an attacker run code as SYSTEM. Privilege escalation is a technique, whereas Trojans and spyware are types of malware and spam is unsolicited messaging.

What two security precautions can best help to protect against wireless network attacks? A. authentication and WPA B. identification and WPA2 C. access control lists and WEP D. authentication and WEP

Answer A is correct. Of the listed pairs, authentication combined with WPA is the best. WEP is a broken, deprecated wireless encryption protocol and should be avoided, and "identification" (merely stating who you are) is not a security precaution on its own, so B is wrong even though WPA2 is more secure than WPA. In practice, WPA with TKIP is itself deprecated: deploy WPA2 or WPA3 with AES-CCMP and, on enterprise networks, 802.1X/EAP authentication.

A security incident just occurred involving a physical asset (a USB flash drive). Immediately afterward, what should be done first? A. record every person who was in possession of the asset during and after the incident B. back up the device C. document the incident and how it was mitigated D. create a working image of the data

Answer A is correct. The first thing you want to know is who was in possession of the USB flash drive. This is the start of your chain of custody, which matters if the asset is later used as evidence in a trial. After the incident, continue logging who takes possession of the drive and when. Documentation is important, and recording each person who possessed the drive is a form of documentation, but other documentation such as mitigation methods is not the immediate priority, and mitigation might not even have been implemented yet. A normal backup is the wrong operation: it runs through the operating system, can alter timestamps and metadata, and does not capture unallocated space. Instead, create a forensic (bit-for-bit) image through a write blocker and record a hash of the image so its integrity can be proven, but only after you have documented who had possession of the drive.

A user receives an encrypted message that was encrypted using asymmetric cryptography. What does this recipient need to decrypt the message? A. recipient's private key B. recipient's public key C. sender's private key D. sender's public key

Answer A is correct. The recipient's private key decrypts the message. The recipient generates the key pair: the public key is published, and the sender uses it to encrypt, while the private key never leaves the recipient and is the only key that can reverse that encryption. The sender's key pair plays no part in decryption; the sender's private key would be needed only if the sender also signed the message, in which case the recipient verifies the signature with the sender's public key. (In practice, protocols such as PGP and TLS encrypt the bulk data with a random symmetric session key and use the recipient's public key only to protect that session key.)
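
An added example, not part of the practice test, that walks through the key ownership in code with textbook RSA on Python's built-in integers. It is deliberately small and uses no padding, so it is for illustration only and must never be used for real messages; the Mersenne primes, the sample message, and the function names are assumptions of this example. The point to observe is that the recipient generates the key pair, the sender encrypts with the recipient's public key, and only the recipient's private key decrypts; the sender's own key pair, and the recipient's public key, cannot.

```python
from math import gcd


def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA key generation from two primes. Returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public, message: bytes) -> int:
    """Encrypt with the *recipient's* public key (no padding: toy only)."""
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(private, ciphertext: int) -> bytes:
    """Decrypt with a private key; only the key matching the public key used
    for encryption recovers the original message."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Constructed keys from Mersenne primes (far too small for real use).
RECIPIENT_PUB, RECIPIENT_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
SENDER_PUB, SENDER_PRIV = make_keypair(2**89 - 1, 2**107 - 1)


def demo(message: bytes = b"meet at 9") -> dict:
    """Encrypt to the recipient and try each key in turn."""
    ct = encrypt(RECIPIENT_PUB, message)  # the sender only needs the recipient's public key
    return {
        "recipient_private_decrypts": decrypt(RECIPIENT_PRIV, ct) == message,
        "sender_private_decrypts": decrypt(SENDER_PRIV, ct) == message,  # wrong key pair: garbage
        "recipient_public_decrypts": decrypt(RECIPIENT_PUB, ct) == message,  # e is not d: garbage
    }


if __name__ == "__main__":
    print(demo())
```

Real deployments add OAEP padding, use 2048-bit or larger moduli (or elliptic curves), and encrypt only a symmetric session key this way, but the ownership of the keys is exactly as shown here.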

Virtualization is a broad term that includes the use of virtual machines and the abstraction of computer resources. Which of the following is the best security reason for using virtualization of network servers? A. to isolate network services and roles B. to add network services C. to analyze network traffic D. to centralize patch management

Answer A is correct. Virtualization is the creation of a virtual entity as opposed to an actual server or operating system. The most common type is the virtual machine that runs an entire operating system virtually within the original operating system of the computer. The best security reason for implementing virtualization is to isolate different services and roles. Patch management centralization is done to secure all the client operating systems on the network and make sure that they are up to date. Although network services can be added through the use of virtualization, it is the specific concept of isolating those additional network services that makes virtualization secure. The analysis of network traffic can be done with a protocol analyzer, otherwise known as a network sniffer.

Which of the following is embedded and contains a storage root key? A. BitLocker B. TPM C. HSM D. EFS

Answer B is correct. A TPM (trusted platform module) is a dedicated cryptoprocessor chip embedded on the motherboard that generates and protects keys. Its storage root key (SRK) is created inside the TPM and never leaves it; the SRK wraps (encrypts) the other keys the TPM protects, such as the key BitLocker uses to unlock a fully encrypted drive, so that the drive can be unlocked only on that platform and, with measured boot, only when the boot chain is in its expected state. An HSM (hardware security module) is a separate physical device that manages digital keys; it is not embedded in the system but is external to the computer, as a network appliance or plug-in card. EFS (Encrypting File System) is Microsoft's system for encrypting individual files in Windows, whose names are shown in green in Windows Explorer or File Explorer. BitLocker is Microsoft's full disk encryption feature in Windows, which can make use of a TPM.

Your company needs to have a backup plan in case power is lost for more than a few hours. Which of the following solutions should you implement? A. UPS B. generator C. warm site D. redundant power supplies

Answer B is correct. A backup generator provides power when an outage lasts more than a few hours. An uninterruptible power supply (UPS) bridges only short outages, typically minutes to an hour, and its real job is to keep systems running until the generator starts or a clean shutdown completes. A warm site is not necessary in this scenario. Redundant power supplies protect against the failure of one supply within a server but do nothing during a building-wide power outage.

What are the minimum requirements for a cold site? A. location near the data center that meets power requirements B. location that meets power and connectivity requirements C. location with all required equipment loaded with all updates D. location with duplicate systems

Answer B is correct. A cold site only requires power and connectivity. All systems and data are configured afterward. Any other requirements would be needed by warm and hot sites—for example, duplicate systems, additional equipment, and a location near the data center.

What is it called when a hashing algorithm creates the same hash from two different messages? A. birthday attack B. collision C. MD5 D. rainbow tables

Answer B is correct. A collision occurs when a hashing algorithm produces the same hash from two different messages. The birthday attack is a method of finding a collision that exploits the birthday paradox: for an n-bit hash, a collision is expected after roughly 2^(n/2) random inputs rather than 2^n, which is why hash output sizes are chosen twice as large as the desired security level. A collision by itself does not mean an attack has occurred. Rainbow tables are precomputed lookup tables used to recover passwords from their hashes. MD5 (Message-Digest algorithm 5) is a hashing algorithm that was widely used for integrity but is now considered broken: practical collisions can be generated at will, so it should not be relied on where an attacker could substitute data; use SHA-256 or stronger.
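
An added example, not part of the practice test, that runs a birthday attack against a deliberately truncated hash (the top 24 bits of SHA-256 stand in for a weak short hash) and compares the number of trials with the birthday bound. The truncation width, the message prefix, and the function names are assumptions of this example. With 2^24 possible outputs a collision turns up after about 5,000 trials instead of the 16 million a brute-force preimage search would need, which is the whole point of the attack.

```python
import hashlib
import math


def truncated_digest(data: bytes, nbits: int) -> int:
    """Top `nbits` bits of SHA-256, standing in for a hash with a short output."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)


def expected_trials(nbits: int) -> float:
    """Birthday bound: roughly sqrt(pi/2 * 2^n) random inputs give a 50% chance of a collision."""
    return math.sqrt(math.pi / 2 * 2 ** nbits)


def find_collision(nbits: int, prefix: bytes = b"msg-"):
    """Birthday attack: hash distinct messages until two share a truncated digest.

    Returns (message_a, message_b, trials). Memory grows with the number of
    trials; that is the trade-off of the naive version versus cycle-finding
    methods such as Floyd's or Brent's.
    """
    seen = {}
    counter = 0
    while True:
        message = prefix + counter.to_bytes(4, "big")  # distinct for every counter value
        d = truncated_digest(message, nbits)
        if d in seen:
            return seen[d], message, counter + 1
        seen[d] = message
        counter += 1


def same_full_sha256(a: bytes, b: bytes) -> bool:
    """The colliding messages only agree on the truncated prefix, not the full digest."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


if __name__ == "__main__":
    a, b, trials = find_collision(24)
    print(a, b, sep="\n")
    print("collision after", trials, "trials; birthday bound ~", round(expected_trials(24)))
    print("full SHA-256 still differs:", not same_full_sha256(a, b))
```

Raising `nbits` shows how fast the cost grows: every extra bit of hash output adds half a bit of work for the attacker, so a 256-bit hash leaves a birthday attack at 2^128 trials, far beyond reach.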

Network utilization is the ratio of current network traffic to the maximum amount of traffic that a network adapter or specific port can handle. Which of the following can help you to determine whether current network utilization is abnormal? A. security log B. performance baseline C. penetration testing D. vulnerability assessment

Answer B is correct. A performance baseline gives you the normal traffic that a network adapter sees at a specific time. By comparing this to current network utilization (as analyzed by a protocol analyzer or performance monitoring program), you can determine if the current amount of network traffic is abnormal. Security logs show auditing information such as object access and login information. Vulnerability assessments tell you whether there are open ports, weak passwords, and so on. Penetration testing is performed to see how a security system reacts to an attack.
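
An added example, not part of the practice test, that turns the question's definition of utilization and the idea of a baseline into a simple check: it summarizes constructed baseline samples as a mean and standard deviation, then flags a current reading that lies more than three standard deviations away. The samples, the 1 Gbps link, the threshold, and the function names are assumptions of this example; a production baseline would be collected per time-of-day and per interface rather than as one flat set of numbers.

```python
import statistics
from typing import Dict, Sequence, Tuple


def utilization(bytes_per_second: float, link_bps: float) -> float:
    """Network utilization as defined above: current traffic over link capacity."""
    return bytes_per_second * 8 / link_bps


# Constructed baseline: utilization of a 1 Gbps uplink sampled during twelve
# normal business-hour windows, as fractions of capacity.
BASELINE_SAMPLES = [0.18, 0.22, 0.21, 0.19, 0.24, 0.20, 0.17, 0.23, 0.21, 0.19, 0.22, 0.20]


def baseline(samples: Sequence[float]) -> Tuple[float, float]:
    """Summarize normal behaviour as mean and population standard deviation."""
    return statistics.mean(samples), statistics.pstdev(samples)


def is_abnormal(current: float, mean: float, stdev: float, k: float = 3.0) -> bool:
    """Flag a reading more than k standard deviations from the baseline mean."""
    return abs(current - mean) > k * stdev


def check(current_bytes_per_second: float, link_bps: float,
          samples: Sequence[float] = BASELINE_SAMPLES) -> Dict[str, object]:
    """Compare a live reading against the baseline and report the verdict."""
    mean, stdev = baseline(samples)
    current = utilization(current_bytes_per_second, link_bps)
    return {
        "utilization": round(current, 3),
        "baseline_mean": round(mean, 3),
        "baseline_stdev": round(stdev, 3),
        "abnormal": is_abnormal(current, mean, stdev),
    }


if __name__ == "__main__":
    print(check(28_000_000, 1_000_000_000))   # 0.224: within normal range
    print(check(77_500_000, 1_000_000_000))   # 0.62: abnormal, capture packets to see what is causing it
```

The baseline answers only "is this unusual?"; identifying what the unusual traffic is, as in the earlier activity-spike question, is the job of a protocol analyzer run during the spike.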

A hacker develops a piece of malicious code that is not designed to automatically spread from one system to another. Instead, it is designed to spread from one file to another file on the individual computer. What type of malware is this? A. worm B. virus C. botnet D. trojan

Answer B is correct. A virus is designed to spread from one file to another file on an individual computer. It is not designed to automatically spread from one system to another; that would be a worm. A Trojan is malicious code that appears to do something legitimate but does something illegitimate outside the view of the user. A botnet is a group of compromised computers normally known as zombies.

Which device is used to encrypt the authentication process? A. WPA B. HSM C. enigma machine D. smart card

Answer B is correct. An HSM (hardware security module) is a physical device that acts as a secure, tamper-resistant cryptoprocessor. It generates and protects keys and performs operations such as digital signing and the cryptography behind login and authentication processes without ever exposing the private keys to the host. WPA (Wi-Fi Protected Access) is a wireless security protocol, not a device. An Enigma machine was used in World War II for the encryption and decryption of secret messages. Smart cards are also hardware tokens that hold keys, but they serve a single user and are comparatively slow; an HSM is a server-side device that performs hardware-accelerated cryptography for many users and systems at once.

Which of the following is used when performing a quantitative risk analysis? A. best practice B. asset value C. surveys D. focus group

Answer B is correct. Asset value is a concrete figure you can calculate with: quantitative analysis multiplies it by the exposure factor to get the single loss expectancy (SLE), and multiplies SLE by the annualized rate of occurrence (ARO) to get the annualized loss expectancy (ALE), which is then weighed against the cost of a control. The other answers are subjective inputs that do not yield such figures; they are better suited to qualitative risk analysis.

You are in charge of the disaster recovery plan for your organization. What can you do to make sure that the DRP can be implemented quickly and correctly? A. store the recovery plan in a secure area B. run a test of the recovery plan C. send the plan to management for approval D. distribute copies of the plan to key personnel

Answer B is correct. By running a test of the recovery plan, you can find out if the plan can be implemented quickly and correctly. Most likely, the first time you run through the tests, you will find several issues that need to be resolved to make the DRP run more efficiently. When your plan is complete, you should send it to management for approval, but that will not ensure that the actual implementation of the plan during a disaster will be quick and efficient. You need to distribute copies of the plan to key personnel, but unless the key personnel are trained properly and a test has been run, you will not know for sure if the DRP can be implemented quickly and efficiently. Storing your copy of the recovery plan in a secure area is an excellent method to ensure that it is not lost, but it doesn't let people know what the DRP is or ensure that the DRP will be implemented quickly.

The IT director asks you to protect a server's data from unauthorized access and disclosure. What is this an example of? A. availability B. confidentiality C. integrity D. non-repudiation

Answer B is correct. Confidentiality means preventing access to, and disclosure of, information by unauthorized persons. Integrity means that data cannot be modified without authorization and that any unauthorized modification is detectable. Availability means that data and services are obtainable when needed, regardless of how the information is stored, accessed, or protected. Non-repudiation ensures that people cannot deny their actions; it is supported by evidence such as digital signatures and log files.

Which of the following defines the main difference between identification and authentication? A. authentication verifies a user ID that belongs to a specific user, whereas identification verifies the identity of a user group. B. authentication verifies a set of credentials, whereas identification verifies the identity of a user requesting credentials. C. authentication verifies the identity of a user requesting credentials, whereas identification verifies a set of credentials. D. authentication verifies a set of credentials, whereas identification verifies the identity of the network.

Answer B is correct. Identification is when a person is in a state of being identified. It can also be described as something that identifies a person, such as an ID card. Authentication is when a person's identity is confirmed or verified through the use of a specific system based on credentials.

Which of the following is a disadvantage of PGP? A. private keys can be compromised B. a recipient must trust a public key that is received C. weak encryption can be easily broken D. man-in-the-middle attacks are common

Answer B is correct. PGP (Pretty Good Privacy) has no centralized certificate authority; it relies on a web of trust, so a recipient must decide whether to trust a public key received from a sender, ideally by verifying its fingerprint out of band or through signatures from people already trusted. PGP is a hybrid system: each message is encrypted with a random symmetric session key, and that session key is encrypted with the recipient's public key (RSA, ElGamal, or ECC). Implemented properly and with adequate key sizes, this is not weak encryption. Private keys are just that, private; a compromised private key is a failure of key handling, not a weakness of PGP itself. Man-in-the-middle attacks are not common against PGP, although attacks on key distribution (tricking a recipient into accepting an attacker's public key as the sender's) are exactly why the trust decision in answer B matters. The practical risk to PGP users has historically been endpoint malware such as Trojan horses that steal private keys or passphrases, which is not cryptanalysis of the algorithm.

Which of the following programming techniques can stop buffer overflow attacks? A. SQL injection attack B. input validation C. sandbox D. backdoor analysis

Answer B is correct. Input validation is the best programming technique to stop buffer overflow attacks and is also used to prevent SQL injection attacks. A SQL injection attack is a code injection technique where SQL statements are inserted into fields of an application. A sandbox is used to run the web scripts in their own testing environment. Backdoors are used in computer programs to bypass normal authentication. Backdoor analysis includes checking the operating system, applications, and firmware on devices and making sure they are updated.

Of the following, what is the service provided by message authentication code? A. fault tolerance B. integrity C. data recovery D. confidentiality

Answer B is correct. Message authentication code (MAC) is a short piece of information that authenticates the message in an attempt to guarantee the message's data integrity. The MAC algorithm is sometimes referred to as a cryptographic hash function. To maintain confidentiality, something needs to prevent the disclosure of information to unauthorized persons; it is often done with encryption, but not hashing. Fault tolerance is the capability for a server, network device, or entire network to continue functioning even if an error or attack occurs. Data recovery is necessary if a failure occurs that the network cannot recover from automatically. It is usually part of a disaster recovery plan.

Your organization wants to improve its security posture by addressing risks uncovered by a recent penetration test. Which of the following is most likely to affect the organization on a day-to-day basis? A. insufficient encryption B. lack of antivirus software C. corporate espionage D. large-scale natural disaster

Answer B is correct. Of the answers, the most likely to affect the organization on a day-to-day basis is a lack of antivirus software. Let's say the organization had 100 computers and 20% of them were not protected by AV software. Chances are that a good portion of those computers would be infected over the course of the year. AV software should be installed on all client systems and patched regularly. Centralized management software can be used to scan the network and find out what systems are not up to date. A penetration test is used to discover weaknesses in a server or a network. It does not tell you the likelihood of a natural disaster, but the chances of one are slim, and much less likely to affect the organization than a lack of AV software. Corporate espionage could be more common, especially if an organization deals with government secrets, patents, new products, and so on. But, once again, a penetration test will probably not uncover corporate espionage. Insufficient encryption is the next best answer to lack of AV software. It is a definite problem, but it all depends on the organization in question. Some organizations require more encryption than others. Still, it is not likely to affect an organization as much as a lack of AV software.

Your organization hires temporary users to assist with end-of-year resources and calculations. All the temporary users need access to the same domain resources. These "temps" are hired for a specific period of time with a set completion date. Users log on to a Windows domain controlled by a Windows Server domain controller. Your job is to make sure that the accounts can be used only during the specific period of time for which the temps are hired. The solution you select should require minimal administrative effort and upkeep. Of the following, what is the best solution? A. configure password expiration dates for temp user accounts B. configure expiration dates for the temp user accounts C. delete the temp user accounts at the end of the work period D. configure a local password policy on the computers used by temp user accounts E. configure a domain password policy for the temp user accounts

Answer B is correct. One easy solution is to configure expiration dates for the temp user accounts. This can be done within the Account tab of each user's Properties window. This way, the users cannot log on to the domain after their work period has ended. You cannot configure password expiration dates for the user accounts within the user's Properties window; however, you can configure a policy with a password expiration date, but you have to make additional configurations for this to work properly. By default, the users would simply be asked to change their password when the password expiration date arrives. Password policies can be configured in the same manner (password expiration dates and so on), but they have the same problems as well. Deleting user accounts is usually not a good idea; organizations will generally disable accounts so that they can audit any actions the user accounts have taken in the past. Deleting a user account will make auditing difficult.

Which of the following fire extinguishers should be used to put out magnesium- or titanium-based metal fires? A. class B B. class A C. class D D. class C

Answer C is correct. Class D fire extinguishers are the type used for combustible metal fires such as ones that can burn magnesium, titanium, and lithium. They are designated with a yellow decagon. Class A extinguishers are used for ordinary fires that consume wood. Class B extinguishers are used for liquid and gas fires. Class C extinguishers are used for electrical fires.

Which of the following methods is the most closely associated with DLL injection? A. vulnerability assessment B. penetration testing C. auditing D. performance monitoring

Answer B is correct. Penetration testing is the method most closely associated with DLL injection, which is a technique used to run code within the address space of another process by forcing it to load a dynamic link library. It is used to influence the behavior of a program in a way that the creator of the program did not intend. This type of injection can be incorporated into the Registry in Windows. Penetration testing is a type of active security analysis used to find out if DLL injection attempts will work. The other three answers are not active security and analyses; they are passive. Vulnerability assessment can find open ports and define the threats associated with those ports. Performance monitoring can analyze a server's resources such as CPU and RAM. Auditing is making a technical assessment of applications, systems, and networks. Auditing often includes reviewing security logs, vulnerability scans, performance logs, and policies.

Which of the following methods can possibly identify when an unauthorized access has occurred? A. two-factor authentication B. previous logon notification C. session lock mechanism D. session termination mechanism

Answer B is correct. Previous logon notification notifies the user and possibly the administrator of when the last-known good logon occurred. If a user knows that they did not log on at that time, it is a good indicator that unauthorized access occurred. Session lock mechanisms can be implemented on several different types of operating systems. For example, in Windows a policy can be created to lock the computer after a specific timeout. Sessions can also be terminated automatically via systems such as an FTP server after a specific timeout. Two-factor authentication is a type of multifactor authentication in which two types of identification are necessary to gain access to a network.

What is the greatest benefit of using S/MIME? A. it expedites the delivery of your e-mails B. you can encrypt and digitally sign e-mail messages C. you can send e-mails with a return receipt D. you can send anonymous e-mails

Answer B is correct. S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard that provides cryptographic security for electronic messaging such as e-mail. It is used for authentication, message integrity, and non-repudiation. It encrypts and digitally signs e-mail messages. Generally, S/MIME relies on PKI. E-mails can be sent with a return receipt in most of today's e-mail applications, such as Microsoft Outlook. By default, e-mails are not sent anonymously. A person would need to maliciously adapt the e-mail to send it in an anonymous fashion. S/MIME does not expedite the delivery of e-mails but rather most likely slows down the transmission of e-mails because it is encrypting them.

What is it known as when an attacker provides falsified information? A. redirecting B. spoofing C. aliasing D. flooding

Answer B is correct. Spoofing is an attack where an attacker masquerades as another person by falsifying information. Types of spoofing attacks include the man-in-the-middle attack and phishing. Aliasing is when a secondary name is given to a computer or other device, usually for legitimate purposes. Flooding is a category of attack that can use different types of packets to flood a device or server to deny service. Redirecting is when a particular connection is redirected to another resource, for example, when mapping a network drive.

When is it appropriate to use vulnerability scanners to identify any potential holes in your security design? A. when testing disaster mitigation planning B. when testing to identify known potential security risks inherent to your design C. when testing the network's response to specific attacks D. when testing the automatic detection and alerts of your network

Answer B is correct. When it is time to identify known potential security risks that might be inherent to the design of your network, it is appropriate to use vulnerability scanners. At other times you may want a more active analysis approach, such as penetration testing, to find out your network's response to specific attacks, or when testing the automatic detection of those attacks. That, as well as role-playing, and drills can test disaster mitigation planning.

A virus is designed to format a hard drive on a specific day. What kind of threat is this? A. adware B. botnet C. logic bomb D. spyware

Answer C is correct. A logic bomb is a type of malware that is designed to be set off at a specific time. It could contain a virus or worm. A botnet is a group of compromised computers known as zombies. Spyware and adware are unwanted programs that are unknowingly downloaded from the Internet, usually through a browser.

Your organization has several building keys circulating among various executive and human resources employees. You are concerned that the keys could be easily lost, stolen, or duplicated, so you have decided to implement an additional security control based on facial recognition. Which of the following will address this goal? A. mantraps B. proximity readers C. security guard D. fingerprint scanner

Answer C is correct. A security guard will be able to recognize the faces of the employees in the organization. Usually, the guard will consult a physical access list on paper or on the computer to identify the employee. The guard might view the employee directly, through privacy glass, or via CCTV. Facial recognition can also be accomplished through advanced biometric systems, but these can be very costly to an organization. A fingerprint scanner will identify an employee by their fingerprint, not their facial characteristics, although both can be accomplished through the use of biometrics. A mantrap is used to keep employees inside an area of the building (usually with two or three doorways) while they are identified and authenticated. It is often used in conjunction with a security guard, or with a proximity or smart card system. Proximity readers are an electronic means of allowing access to a building or server room (or other secure area of the building), but the proximity card could be used by anyone.

An employee has been terminated from your organization. What can ensure that the organization continues to have access to the employee's private keys? A. retain the employee's token B. store the keys in a CRL C. store the keys in escrow D. delete the employee's user account

Answer C is correct. By storing the keys in escrow, the organization can continue to have access to them, even after the employee has been terminated. A CRL is a certificate revocation list, which stores certificates that have been revoked; for many different reasons, these certificates are no longer in circulation. Usually organizations will have a policy stating that employees' user accounts should not be deleted. By not deleting the user account, it will continue to be linked to the user's private keys and to any logged auditing information associated with the employee. Generally, when an employee is terminated, the hardware token and user's account will be disabled. A hardware token deals with a different technology than private keys being stored in escrow. The proper place to access the employee's private keys is within escrow within a PKI.

MD5 can be manipulated by creating two identical hashes using two different messages, resulting in a collision. This is difficult (if not impossible) to do with SHA-256. Why is this? A. MD5 has greater collision resistance than SHA-256 B. SHA-256 has greater collision strength than MD5 C. SHA-256 has greater collision resistance than MD5 D. MD5 has greater collision strength than SHA-256

Answer C is correct. SHA-256 has greater collision resistance than MD5 because it employs a 256-bit hash, whereas MD5 employs a 128-bit hash. MD5 has weaker collision resistance than SHA-256. We aren't concerned with collision "strength" so to speak, but are more concerned with the cryptographic hash's resistance to collisions.

You need to protect passwords. Which of the following protocols is not recommended because it can supply passwords over the network? A. DNS B. kerberos C. SNMP D. ICMP

Answer C is correct. SNMP (Simple Network Management Protocol) can pass passwords over the network. This can be a security risk and should be avoided if possible. Or at the very least, use the latest version of SNMP, and be careful to protect devices that use SNMP for monitoring, such as switches, UPSs, and so on. DNS (Domain Name System) and ICMP (Internet Control Message Protocol) do not supply passwords over the network. Kerberos can possibly supply passwords over the network, but they will be in an encrypted format and difficult to crack.

You are designing security for an application. You need to ensure that all tasks relating to the transfer of money require actions by more than one user through a series of checks and balances. What access control method should you use? A. job rotation B. implicit deny C. separation of duties D. least privilege

Answer C is correct. Separation of duties is when more than one person is required to complete a task. Contrast separation of duties with job rotation, which is when multiple people are required to know the same task, but don't complete it together. Implicit deny is usually the last rule in a firewall rule set. Least privilege means that a program or a person only has the permissions needed to accomplish their task.

Which of the following environmental controls is part of the TEMPEST standards? A. HVAC B. fire suppression C. shielding D. biometrics

Answer C is correct. Shielding is part of the TEMPEST standards. TEMPEST is a group of standards that refers to the investigations of conducted emissions from electrical and mechanical devices that may or may not compromise an organization. It is important to shield devices such as air conditioners to prevent electromagnetic interference (EMI) to network devices and cabling. Fire suppression deals with the prevention of fires. HVAC deals with heating, ventilation, and air-conditioning. Biometrics is the measurement of human characteristics, such as thumbprint scans and voice recognition.

An IDS looks for patterns to aid in detecting attacks. What are these patterns known as? A. viruses B. malware C. signatures D. anomalies

Answer C is correct. Signatures are the patterns that an IDS looks for when detecting attacks. This is known as signature-based monitoring and is common to IDS solutions and antivirus programs. Anomalies are detected through the use of anomaly-based monitoring. Viruses and most other types of malware have a specific signature. As long as the signature-based monitoring system has the signature within its database, the virus or other malware should be detected. If the virus is brand new and the signature-based monitoring system has not been updated and does not have the signature of the new virus within its database, the virus just might wreak havoc.

Your boss asks you to replace the current RADIUS authentication system with a more secure system. Your current RADIUS solution supports EAP, and your new solution should do the same. Which of the following is the best option and would offer the easiest transition? A. SAML B. CHAP C. diameter D. kerberos

Answer C is correct. The Diameter protocol is, like RADIUS, another AAA protocol, but is a more evolved protocol and utilizes more reliable transport mechanisms such as TCP and Stream Control Transmission Protocol (SCTP), as opposed to UDP. Like RADIUS, many Diameter applications allow for the use of the Extensible Authentication Protocol (EAP). CHAP (Challenge-Handshake Authentication Protocol) is an authentication scheme used to authenticate a user or host. Whereas RADIUS and Diameter are authentication systems, they both make use of authentication schemes such as PAP, CHAP, and EAP. SAML (Security Assertion Markup Language) is an XML-based open standard for exchanging authentication and authorization data between two parties. It helps alleviate problems with single sign-on (SSO). Kerberos is another type of authentication system, but is used more commonly in localized environments; it is not meant as a replacement for RADIUS.

Which of the following attacks involves the interception of authentication traffic on a wireless network? A. evil twin B. replay attack C. IV attack D. near field communication

Answer C is correct. The IV (initialization vector) attack is when an attacker deciphers the fixed-size input at the beginning of each WEP or WPA packet. WEP is much more susceptible. To avoid the attack, use WPA2. An evil twin is a rogue access point that is controlled by an attacker. It has the same name and configuration as one of the legitimate WAPs in an organization. A replay attack is a network attack in which data packets are repeated or delayed by an outside attacker. Near field communication (NFC) is a technology of mobile devices that allows them to automatically pair and transmit data via Bluetooth.

Which of the following log files identifies when a computer was last shut down? A. application B. security C. system D. directory services

Answer C is correct. The System log file shows when a computer was started or shut down. The Security log file shows audit entries. The Application log file shows changes, warnings, or errors to applications built into Windows and third-party applications. The Directory Services log file shows events, warnings, and errors that occur on a domain controller.

You are configuring security for a network that is isolated from the Internet by a perimeter network. You need to test the network's ability to detect and respond to a DoS attack. What should you implement? A. vulnerability scanning B. port scanning C. network packet analysis D. penetration testing

Answer D is correct. Penetration testing is required in this scenario. The only way to simulate a denial of service (DoS) attack is to actively test the network with a penetration test of your own design. All of the other methods are passive attempts at testing the network. A vulnerability scan is generally considered to be the most passive (or least invasive) of the answers. A port scan is fairly passive as well; it only identifies open ports and does not attempt to access those ports any further. Network packet analysis is a bit more active in that it will allow you to disassemble packets coming from the source; however, it does not actively solicit new information or make new connections to the host as a penetration test will.

When you arrive at work in the morning, you discover that the server room has been the victim of a fire, and all the servers have been rendered useless. Which of the following is the most important item to have to ensure that your organization can recover from this disaster? A. warm site B. fault-tolerant servers C. disaster recovery plan D. offsite backup

Answer C is correct. The single most important thing that you should have in the case of a disaster is a disaster recovery plan (DRP). This needs to detail exactly who you should contact, what you should do, where you should go, and where your data should be located in the case of a disaster. A warm site is a secondary work location designed for your employees that can be up and running in a matter of hours. Offsite backup means that your files are backed up (often to tape), and transported to a separate secure location. Fault-tolerant servers are ones that can keep running in the event of a failure—they could be onsite or offsite—in the case of offsite they might exist in the cloud and interact with onsite servers. A DRP should include everything mentioned: warm sites, offsite backup, and fault tolerant servers.

Which of the following is the best example of a strong password? A. the last four digits of your social security number B. a 15-character sequence of letters only C. a 14-character sequence of numbers, letters, and symbols D. the name of your pet

Answer C is correct. The strongest passwords incorporate numbers, letters, and symbols. Easily identifiable information such as the name of your pet or the last four digits of an ID such as a Social Security number or a driver's license number should not be used as passwords or for account numbers. It is wise to use 14 characters or more in a highly secure environment—length is very important—but it is also important to use uppercase letters, numbers, and symbols.

You are contracted with a customer to protect its user data. The customer requires the following:
* Easy backup of all user data
* Minimizing the risk of physical data theft
* Minimizing the impact of failure on any one file server
Which of the following solutions should you implement? A. use file servers attached to a NAS. Lock the file servers and NAS in a secure area B. use internal hard disks installed in file servers. Lock the file servers in a secure area C. use file servers with removable hard disks. Secure the hard disks in a separate area after hours D. back up user files to USB hard disks attached to the customer's systems. Store the USB hard disks in a secure area after hours

Answer C is correct. Using file servers with removable hard disks is the best answer. All the other answers do not offer easy backup of user data. The time it would take to use separate USB hard disks makes it anything but easy. The idea of locking entire servers in a secure area doesn't sound easy either. However, securing removable hard disks in a separate area seems like an easy way to implement the solution. It should also minimize the risk of physical data theft because the hard disks are stored in a secure area. Using multiple file servers should minimize the impact of failure on any one file server.

Your organization does business in a TEMPEST-certified building. What attack does this help to prevent? A. bluesnarfing B. weak encryption C. war-driving D. bluejacking

Answer C is correct. War-driving can be prevented by using TEMPEST-certified techniques. War-driving is when a person attempts to access a company's wireless network from a laptop within their vehicle. Weak encryption is not an attack, but is definitely something you want to remedy as soon as possible—for example, if a company is using WEP. Bluejacking and bluesnarfing are attacks that are perpetuated on mobile phones and smartphones.

Which of the following includes the examination of critical versus noncritical functions? A. RPO B. snapshots C. failover D. BIA

Answer D is correct. A business impact analysis (BIA) includes the examination of critical versus noncritical functions. An example of failover is when one server is ready to take over for another in case of failure. This type of redundancy is known as failover redundancy. A snapshot is a backup type, not an examination of critical versus noncritical functions. An RPO (recovery point objective) defines acceptable data loss.

The IT director asks you to set up a system that will encrypt credit card data. She wants you to use the most secure symmetric algorithm with the least amount of CPU usage. Which of the following algorithms should you select? A. RSA B. 3DES C. SHA-1 D. AES

Answer D is correct. AES (Advanced Encryption Standard) is the best solution for this scenario. It uses the least amount of CPU resources yet is the most secure symmetric algorithm listed. SHA-1 is not a symmetric encryption algorithm; it is a hashing algorithm; plus, it is outdated and, if used, should be replaced by a newer version of SHA. 3DES is the predecessor to AES; it is not as secure or fast. RSA is an asymmetric encryption algorithm; it is secure but can use a lot of CPU resources.

What kind of monitoring methodology does an antivirus program use? A. statistical-based B. anomaly-based C. behavior-based D. signature-based

Answer D is correct. Antivirus programs normally use signature-based monitoring. IDS solutions also use this. Signature-based monitoring analyzes frames and packets of network traffic for predetermined attack patterns. Anomaly-based monitoring establishes a performance baseline based on a set of normal network traffic and valuations. Behavior-based monitoring looks at the previous behavior of applications and compares that to the current activity on the system. Statistical-based monitoring is another name for anomaly-based monitoring.

A recent security audit has uncovered an increase in the number of MITM attacks during the certificate validation process. Which of the following is a way to add security to the certificate validation process to help detect and block many types of MITM attacks by adding an extra step beyond normal X.509 certificate validation? A. S/MIME B. SSH C. OID stapling D. certificate pinning

Answer D is correct. One way to add security to the certificate validation process is to use certificate pinning (also known as SSL pinning or public key pinning). This can help to detect and block many types of MITM (man-in-the-middle) attacks by adding an extra step beyond normal X.509 certificate validation. OID (object identifier) stapling is invalid here. However, OCSP (Online Certificate Status Protocol) stapling allows the presenter of the certificate to bear the cost involved when providing OCSP responses and OIDs are built into Active Directory Certificate Services (AD CS) for either low, medium, or high assurance. Secure Shell (SSH) is a protocol that can create a secure channel between two computers or network devices, enabling one computer or device to remotely control the other. Secure/Multipurpose Internet Mail Extensions (S/MIME) is an IETF standard that provides cryptographic security for electronic messaging such as e-mail. It is used for authentication, message integrity, and non-repudiation of origin.

Which of the following algorithms depends on the inability to factor large prime numbers? A. elliptic curve B. diffie-hellman C. AES D. RSA

Answer D is correct. RSA (Rivest, Shamir, and Adleman) is a public-key cryptography algorithm based on the inability to factor large prime numbers. It is used in many e-commerce scenarios. AES (Advanced Encryption Standard) is based on the substitution-permutation network. Elliptic curve is based on the difficulty of certain mathematical problems that generate keys by graphing specific points on a curve. Diffie-Hellman relies on the secure exchange of keys before data can be transferred.

When creating a public/private key pair, which of the following would an admin need to specify key strength? A. AES B. DES C. SHA D. RSA

Answer D is correct. RSA is the only cipher listed that deals with private and public keys; it is an asymmetric algorithm. When creating a certificate, the admin needs to specify the underlying algorithm (most likely RSA) and its key strength (most likely 2048-bit or higher). AES and DES are symmetric algorithms—the admin does not select the key strength. SHA is a cryptographic hash function, and again, the admin does not select the key strength. These protocols (and their respective versions) are predetermined in their key length.

Which one of the following is the most common encryption protocol used for key exchange during a secure web session? A. AES B. SHA C. PKI D. RSA

Answer D is correct. The RSA encryption protocol is an asymmetric algorithm used for the key exchange during secure web sessions. Other options for key exchange include Diffie-Hellman and elliptic curve, with or without ephemeral properties. After the key exchange is made, the Advanced Encryption Standard (AES) is used for the transmission of session data. It is a symmetric algorithm that is also used for local data encryption and securing wireless connections. The Secure Hash Algorithm (SHA) is a cryptographic hash function. SHA is commonly used during secure web sessions, and further protects the session. PKI stands for public key infrastructure, the entire set of rules, policies, systems, and users that make secure connections using cipher suites such as TLS and SSL.

You are in charge of auditing resources and the changes made to those resources. Which of the following log files will show any unauthorized changes to those resources? A. system log file B. application log file C. directory services log file D. security log file

Answer D is correct. The Security log file shows any unauthorized changes to the resources that you decide to audit. These resources can include files, folders, printers, and so on. This can work only if object access auditing has been enabled, and if auditing has been turned on for the resource in question. The System log file logs information pertaining to drivers, operating system files, the kernel, and so on. The Application log file logs information pertaining to applications such as Windows Explorer, File Explorer, the Command Prompt, and third-party applications. The Directory Services log file takes care of logging information pertaining to Active Directory.

Which of the following log files would be the most useful in determining which internal user was the source of an attack that compromised another computer on the same network? A. directory service logs B. the attacking computer's audit logs C. the firewall logs D. the target computer's audit logs

Answer D is correct. The target computer's audit logs should show the IP address and MAC address of the attacking computer if it were within the same network. Directory Services logs give information about Active Directory on a domain controller. It would be difficult to find out who the attacking computer is, which is why you look to the target computer (the computer that was affected by the attack) for clues. The firewall logs show information concerning attackers from outside the network but will probably not give information about attackers inside the network.

The IT director asks you to determine if weak passwords are used by any of the users on your network. You run a password-cracking program to determine this. What is this an example of? A. antivirus scanning B. baselining C. fingerprinting D. vulnerability assessment

Answer D is correct. Vulnerability assessments can include password analysis, port scanning, network mapping, and network sniffing. Antivirus scanning might also be included in a vulnerability assessment of an individual computer. Fingerprinting (of an OS) usually means finding all the open ports, entrances, and backdoors into a computer. Baselining is a type of vulnerability assessment but does not deal with password cracking.

Which of the following is used to implement an unencrypted tunnel between two networks? A. AES B. PPTP C. HTTPS D. Always-on VPN E. L2TP

Answer E is correct. L2TP (Layer Two Tunneling Protocol) implements an unencrypted tunnel between two devices or networks. The protocol that handles encryption in this type of VPN is IPsec, but that is normally added to L2TP separately. Hypertext Transfer Protocol Secure (HTTPS) secures websites (usually as an SSL/TLS secure connection). Point-to-Point Tunneling Protocol (PPTP), which is used in VPNs, has built-in encryption and automatically creates an encrypted tunnel but is less secure than a VPN using L2TP with IPsec. The Advanced Encryption Standard (AES) is common in wireless networks. Always-on VPNs tend to avoid PPTP and L2TP and instead use SSL/TLS.

You have been tasked with investigating a compromised web server and just finished analyzing the logs of a firewall. You see the following open inbound ports appear in the log: 22, 25, 445, 514, 1433, 3225, 3389. Of the following answers, which was most likely used to access the server remotely? A. HTTPS B. telnet C. syslog D. HTTP E. RDP F. LDAP

Answer E is correct. Most likely, RDP (Remote Desktop Protocol) was used to remotely access the server. RDP uses port 3389 by default, which is within the list of open inbound ports in the log. That would mean that Remote Desktop Services (or Terminal Services) is running on the web server. This is a no-no. Though it can allow an easy way for an admin to remotely connect to the server, it is so well known that it creates an exploitable open doorway for attackers. It is far better to use a remote control program via a secure browser session; one that uses AES for encryption as well as multifactor authentication. Once that is implemented, RDP should be disabled. HTTP uses port 80, which is not listed as an open port in the log. LDAP uses port 389, again not listed, and it shouldn't be. LDAP might be used by a Microsoft domain controller or similar server, but not by a web server. HTTPS uses port 443. This is the type of connection that services such as RealVNC would use to make remote connections. Port 443 is not listed in the log. Telnet uses port 23. It is not listed in the log, and you should thank your lucky stars that it isn't because it is the easiest to hack of everything listed in the question. Syslog uses port 514, which is listed in the log, but is not used for remote control of a server. Instead, it allows for the grabbing of log files from routers and other networking equipment. Note: The ports that are listed and their respective protocols are 22 (SSH), 25 (SMTP), 445 (SMB), 514 (Syslog), 1433 (Ms-sql-s), 3225 (FCIP), and of course 3389 (RDP). Know your protocols!

You are logging a server. What security measures should you implement? Each correct answer represents a complete solution. Choose all that apply. A. perform hashing of the log files B. apply retention policies on the log files C. collect temporary files D. perform CRCs

Answers A and B are correct. You need to retain log files for future analysis. Log files are normally not deleted, and sometimes operating systems will overwrite events in log files after they reach their maximum size. Careful consideration should be taken when configuring log files. Hashing the log files enables people in the future to verify the integrity of those log files and verify that the files have not been tampered with. A cyclic redundancy check (CRC) is an error-detecting code that runs automatically, and isn't really something that would be performed per se. CRCs and collecting temporary files are not necessary when it comes to log files.

You are in charge of decreasing the chance of social engineering in your organization. Which of the following should you implement? Each correct answer represents a complete solution. Choose all that apply. A. security awareness training B. risk assessment C. a two-factor authentication scheme D. vulnerability assessment

Answers A and C are correct. Of the listed answers, the two best ways to decrease social engineering are to incorporate security awareness training and implement a multifactor authentication scheme. For example, users might be required to identify themselves with an ID card and by presenting a thumbprint for biometric scanning. Risk assessments and vulnerability assessments are performed to find out what kind of threats an organization faces. A viable threat might include social engineering; however, risk and vulnerability assessments will not decrease the chance of social engineering occurring.

Which of the following are symmetric encryption algorithms? Each correct answer represents a complete solution. Choose all that apply. A. ECC B. AES C. RSA D. DES E. RC4 F. Diffie-Hellman G. 3DES

Answers B, D, E, and G are correct. AES, DES, RC4, and 3DES are all symmetric encryption algorithms. ECC, RSA, and Diffie-Hellman are asymmetric encryption algorithms.

What is the main difference between a secure hash and secure encryption? Each correct answer represents a complete solution. Choose all that apply. A. secure encryption cannot be reversed B. a secure hash can be reversed C. a secure hash cannot be reversed D. secure encryption can be reversed

Answers C and D are correct. A secure hash cannot be reversed. This is an example of a one-way function. While a secure hash cannot be reversed, secure encryption can be reversed through decryption.

Why do hackers often target nonessential services? Each correct answer represents a part of the solution. Choose two. A. they are not used B. they are not monitored by an IDS C. quite often, they are not configured correctly D. they are not monitored as often

Answers C and D are correct. Nonessential services are often not configured and secured by the network administrator; this goes hand in hand with the fact that they are not monitored as often as essential services. It is imperative that network administrators scan for nonessential services and close any corresponding ports. Even though services may be nonessential, that doesn't necessarily mean that they are not used. An IDS, if installed properly, should monitor everything on a given system.
