Security+ Questions
Which of the following agreements is less formal than a traditional contract but still has a certain level of importance to all parties involved? SLA, BPA, ISA, MOU?
A memorandum of understanding (MOU) is a type of agreement that is usually not legally binding. This agreement is intended to be mutually beneficial without involving courts or money. An SLA (service level agreement) defines the level of service the customer expects from the service provider. The level of service definitions should be specific and measurable in each area. A BPA (business partnership agreement) is a legal agreement between partners. It establishes the terms, conditions, and expectations of the relationship between the partners. An ISA (interconnection security agreement) is an agreement that specifies the technical and security requirements of the interconnection between organizations.
Netstat options
netstat -a (display all connections and listening ports), -n (show addresses and ports in numeric form rather than resolving names), -o (display the owning process ID), -b (display the executable that launched each connection)
C is responsible for various network protocols. Network Time Protocol (NTP) has been intermittently failing. What would be most affected? Kerberos, RADIUS, CHAP, LDAP?
Only Kerberos uses tickets, each with a time limit, so Kerberos will be impacted if NTP fails.
PCI-DSS
Payment Card Industry Data Security Standard. Applies to credit card data; its controls help prevent identity theft.
GLBA
"Gramm-Leach-Bliley Act" (Financial Services Modernization Act of 1999) repealed a 1933 law that barred the consolidation of financial institutions and insurance companies. Included within GLBA are multiple sections relating to the privacy of financial information. Companies must provide written notice to consumers of their privacy rights and explain the company's procedures for safeguarding data.
bastion host
A strongly protected computer that is in a network protected by a firewall (or is part of a firewall) and is the only host (or one of only a few hosts) in the network that can be directly accessed from networks on the other side of the firewall.
Which of the following are negotiation protocols commonly used by TLS? (Choose two.) A. DHE B. ECDHE C. RSA D. SHA
A & B. DHE (Diffie-Hellman Ephemeral) and ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) are commonly used with TLS to provide perfect forward secrecy. Option C is incorrect. RSA is an asymmetric algorithm (also known as public key cryptography) that uses a public and a private key to encrypt and decrypt data during transmissions. Option D is incorrect. SHA is a hashing algorithm and is used for integrity.
Which of the following best describes the disadvantages to quantitative risk analysis compared to qualitative risk analysis? (Choose two.) A. Quantitative risk analysis requires complex calculations. B. Quantitative risk analysis is sometimes subjective. C. Quantitative risk analysis is generally scenario based. D. Quantitative risk analysis is more time-consuming than qualitative risk analysis.
A & D. Quantitative risk analysis requires complex calculations and is more time-consuming. Options B and C are incorrect. These statements describe qualitative risk analysis, not quantitative risk analysis.
Jacob is responsible for database server security in his company. He is very concerned about preventing unauthorized access to the databases. Which of the following would be the most appropriate for him to implement? ABAC, TOTP, HIDS, DAMP
A Database Activity Monitoring and Prevention (DAMP) system would be the most effective of the choices given. These systems work like an IPS, but specifically for databases.
Farès has implemented a flood guard. What type of attack is this most likely to defend against? A. SYN attack B. DNS poisoning C. MAC spoofing D. ARP spoofing
A. A SYN attack is a type of flooding attack that is a denial of service. Flood guards are either stand-alone or, more often, part of a firewall, and they prevent flooding attacks. Option B is incorrect. DNS poisoning involves inserting fake entries into a DNS server; a flood guard will do nothing to prevent that. Option C is incorrect. Spoofing a MAC address does not involve any flooding. Option D is incorrect. Spoofing Address Resolution Protocol is a type of MAC spoofing and does not involve any flooding.
BPA
A business partners agreement (BPA) is a written agreement that details what the relationship will be between business partners. This agreement will include the partner's obligations toward the partnership. A BPA can help settle conflicts that arise within the partnership.
COBIT
A framework developed by the Information Systems Audit and Control Association and the IT Governance Institute. Defines the goals for the controls that should be used to properly manage IT and ensure IT maps to business needs. Four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate
DDoS mitigator
A hardware device that identifies and blocks real-time distributed denial of service (DDoS) attacks.
RIPEMD
A hash function developed in Belgium. The acronym expands to RACE Integrity Primitives Evaluation Message Digest, but this name is rarely used. The current version is RIPEMD-160.
SLA (Service Level Agreement)
A legally binding contract or part of a contract that defines, in plain language and in measurable terms, the aspects of a service provided to a customer. Specific details might include contract duration, guaranteed uptime, problem management, performance benchmarks, and termination options.
MOU
A memorandum of understanding (MOU) is an agreement of understanding between two or more parties signifying their purpose to work together toward a common goal. A MOU is less formal than an SLA and will not include monetary penalties.
Cross-Site Request Forgery (CSRF or XSRF)
A method of attacking a system by sending malicious input to the system and relying upon the parsers and execution elements to perform the requested actions, thus instantiating the attack. XSRF exploits the trust a site has in the user's browser.
Which of the following algorithms is typically used to encrypt data-at-rest? A. Symmetric B. Asymmetric C. Stream D. Hashing
A. A symmetric algorithm, sometimes called a secret key algorithm, uses the same key to encrypt and decrypt data and is typically used to encrypt data-at-rest. Option B is incorrect. An asymmetric algorithm, also known as public key cryptography, uses public and private keys to encrypt and decrypt data and is typically not used to encrypt data-at-rest. Option C is incorrect. Stream ciphers encrypt data one bit at a time. Option D is incorrect. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages.
RAID 1
Also called mirroring, this RAID array type provides fault tolerance because all the data is written identically to the two drives in the mirrored set. (2)
What does application management accomplish for mobile devices? A. Only allows applications from the iTunes store to be installed B. Ensures the company has a list of all applications on the devices C. Ensures only approved applications are installed on the devices D. Updates patches on all applications on mobile devices
Application management is primarily concerned with ensuring only authorized and approved applications are installed on mobile devices. Patch management can be a part of application management, but the primary goal is controlling what apps get installed on a device.
Karen is responsible for account security in her company. She has discovered a receptionist whose account has a six-character password that has not been changed in two years, and her password history is not being maintained. What is the most significant problem with this account? A. Nothing, this is adequate for a low-security position. B. The password length is the most significant problem. C. The lack of password history is the most significant problem. D. The age of the password is the most significant problem
B. While there are multiple issues with this account, the password length is the most significant. Shorter passwords are inherently insecure.
Which of the following terms refers to the process of establishing a standard for security? A. Baselining B. Security evaluation C. Hardening D. Normalization
A. Baselining is the process of establishing a standard for security. Option B is incorrect. Security evaluations or audits check security but don't establish security standards. Option C is incorrect. Hardening is the process of securing a given system, but it does not establish security standards. Option D is incorrect. Normalization is the process of removing redundant entries from a database.
BAC
Business Availability Center. An application that shows availability and performance of applications used or provided by a business.
Hans is a network administrator for a large bank. He is concerned about employees violating software licenses. What would be the first step in addressing this issue? A. Performing software audits B. Scanning the network for installed applications C. Establishing clear policies D. Blocking the ability of users to install software
C. A clear security policy must be created that explains software licensing and the company processes for software licensing. Without clear policies, any other countermeasures will be less effective. Option A is incorrect. Although software audits are a good idea, meaningful audits can take place only after good policies are in place. Option B is incorrect. Scanning the network to see what is installed is a good idea, but policies must be established first. Option D is incorrect. This may, or may not, be a step the company wishes to take. But policies must be established first.
Greg is responsible for database security for his company. He is concerned about authentication and permissions. Which of the following should be his first step? A. Implement minimum password length. B. Implement password lockout. C. Conduct a permissions audit. D. Ensure least privileges.
C. A permissions audit will tell Greg exactly what the current situation is. He must know what is occurring now, in order to address any weaknesses. Option A is incorrect. Minimum password length is a good idea, but he first needs to know the current situation. Option B is incorrect. Password lockout is a good idea, but he first needs to know the current situation. Option D is incorrect. It's important to ensure least privileges, but Greg must first conduct a permissions audit in order to determine if this principle is being adhered to or not.
Terrance is looking for a physical access solution that uses Asymmetric cryptography (public key cryptography) to authorize the user. What type of solution is this? A. Asynchronous password token B. Challenge response token C. TOTP token D. Static password token
B. With a challenge response token, the system will encrypt some value (often a random number) with the user's public key. If the user's token has the correct private key, it can decrypt the value that the system sent, and confirm that. Option A is incorrect. An asynchronous password token generates a one-time password without the use of a clock. Option C is incorrect. TOTP is a time synchronized one-time password. Option D is incorrect. A static password token simply contains a password.
Your company's web server certificate has been revoked and external customers are receiving errors when they connect to the website. Which of following actions must you take? A. Renew the certificate. B. Create and use a self-signed certificate. C. Request a certificate from the key escrow. D. Generate a new key pair and new certificate.
D. A revoked certificate is no longer valid for the intended purpose, and a new key pair and certificate will need to be generated. Option A is incorrect. The certificate cannot be renewed after its expiration date.
Your CIO wants to move the company's large sets of sensitive data to an SaaS cloud provider to limit the storage and infrastructure costs. Both the cloud provider and the company are required to have a clear understanding of the security controls that will be applied to protect the sensitive data. What type of agreement would the SaaS cloud provider and your company initiate? A. MOU B. BPA C. SLA D. ISA
D. An ISA (interconnection security agreement) is an agreement that specifies the technical and security requirements of the interconnection between organizations.
You are the IT manager and one of your employees asks who assigns data labels. Which of the following assigns data labels? A. Owner B. Custodian C. Privacy officer D. System administrator
Data owners assign labels such as top secret to data. Option B is incorrect. Custodians assign security controls to data. Option C is incorrect. A privacy officer ensures that companies comply with privacy laws and regulations. Option D is incorrect. System administrators are responsible for the overall functioning of the IT system.
DBA
Database Administrator
You are instructing a group of junior administrators on the OSI model. You've explained that the data link layer is the one that transfers information between adjacent network nodes. Several different protocols operate on this level, including the two sublayers, logical link control and media access control. This layer also houses several authentication technologies. What is an example of a data link layer authentication technology? A. 802.11 B. 802.12 C. 802.x D. 803.11
Correct answer: 802.1x. 802.1x is an IEEE standard that defines port-based network access control. It should not be confused with 802.11, which is a WLAN standard. It allows you to apply a security control that ties physical ports to end-device MAC addresses.
In the event of a fire, having proper training in fire suppression systems, such as understanding which fire extinguisher is appropriate, can potentially reduce damage and business impact. What class of fire extinguisher is designated by a green triangle and is used for combustibles? A, B, C, D
Correct answer: A. Class A fire extinguishers are used for fires consuming solid combustibles such as wood. They are water based, so they should not be used in server rooms. Not implementing the proper fire extinguisher in computer equipment areas can be disastrous.
Kerberos is a widely used network authentication mechanism and is used in Windows Active Directory domains and some Unix environments. When implemented in an environment, it has several requirements in order to operate optimally and provide a secure authentication process. Which of the following is not a Kerberos requirement? A. A method of using tickets for authentication B. time synchronization C. a process to handle the challenge in a challenge handshake communication D. a database of subjects or users
Correct answer: A process to handle the challenge in a challenge-handshake communication. Kerberos provides mutual authentication, which assists in the prevention of man-in-the-middle attacks and uses tickets in order to avert replay attacks. When a user logs on with Kerberos, the key distribution center (KDC) issues a ticket that will last for 10 hours before it expires. This relies on a method of issuing tickets for authentication, which is handled by the KDC. It also requires time synchronization because of the timestamps applied to the communications and tickets. Finally, it requires a database that houses the various objects representing the users or subjects.
IT systems management is a dynamic process that requires both preemptive and reactive methods to ensure that an organization can prepare for and recover from an attack. Which of the following is the term applied to the mitigation action organizations take to defend against risk? Due care, Offboarding, Due process, Due diligence
Correct answer: Due care. Due care is the mitigation action that an organization takes to defend against the risks that have been uncovered during due diligence. Due care is what happens after an attack has been identified. The organization must assess the severity of the attack, contain the attack, stop it from harming performance, and then find the root cause.
An organization is rolling out a DLP system and they have already configured it on the network. They want to ensure that all the gaps are covered, so they run it on all the computers in the environment. What type of DLP system runs on every server and computer on the network to avoid data leakage from each system? Network, Server, Storage, Endpoint
Correct answer: Endpoint. Endpoint systems run on individual client and server computers. They control data leakage and alert an administrator if an attempted confidentiality breach occurs. They can sometimes take too many resources, in which case a network-based DLP is preferred.
A malicious attacker has gained access to a victim's network with the intent to DDoS the network resources. They spoof an IP address on a UDP echo and send it to a broadcast address in which all the devices reply to the target PC and take down its NIC. What type of attack is used with UDP echoes? Fraggle, Ping flood, SQL injection, Smurf
Correct answer: Fraggle. A fraggle attack is similar to a smurf attack, but it uses UDP echoes. The administrators can protect from this type of attack by configuring routers not to forward packets directed to broadcast addresses.
The Cyber Security Framework (CSF) is divided into three main components. Of the following, which is not one of the three main components of the CSF? Framework Profile, Framework Core, Framework Revision, Implementation Tiers
Correct answer: Framework Revision. The three main components of the Cyber Security Framework (CSF) include: 1. The Framework Core, 2. The Implementation Tiers, and 3. The Framework Profile. Framework Revision is not one of the three main components of CSF.
The executives at Acme Inc. are reviewing the data center design that will be installed at their new headquarters. The server administrators have voiced concerns that the design may create large amounts of unwanted heat in some areas, and they want to spread out the cooling methods to circulate air. What is one way to circulate air in separate segments of the server room? Heat segmentation, HVAC, Hot and cold aisles, Hot and cold sites
Correct answer: Hot and cold aisles. Hot and cold aisles help improve heat situations by circulating air in different aisles. Cold air is pumped into one aisle and the second aisle contains a mechanism to move heat away from the servers.
An administrator is working on a Windows server and receives notification that a vulnerability was discovered in one of the underlying operating system processes, but there has not been a full update. They want to close the vulnerability as soon as possible, so they go to Microsoft's website. Which of the following does Microsoft release for a single-purpose quick fix for its operating systems? A. service pack B. update C. hotfix D. patch
Correct answer: Hotfix. A hotfix is a type of patch released to fix a specific problem with the operating system. It's unlike regular Microsoft patches because it only fixes one particular problem. It usually addresses an emergency issue, so it should be installed immediately. For instance, a known vulnerability that leaves millions of users open to hackers would require a hotfix.
An organization is interested in obscuring their workstations and servers from the internet to keep them anonymous, due to the sensitive data they process. They are looking for a proxy server solution. What type of proxy server secures a network by keeping machines anonymous using NAT? A. Transparent proxy B. NAT proxy C. IP proxy D. Caching proxy
Correct answer: IP proxy. An IP proxy keeps the network secure by hiding the internal IP address from the client machine accessing the internet. It does this using network address translation (NAT). IP proxies can be victims of DoS attacks, so it's important to always keep them updated and patched.
A retail store client is concerned that the contactless payment method they are implementing may be insecure. Of the following, what is typically used to secure data across NFC (near-field communication) to encrypt it? WEP, WPA, SSL, AES
Correct answer: SSL. The Secure Sockets Layer (SSL) offers encryption over a data connection, including NFC. SSL is common on web servers and the internet, but it can also be used with other communication such as NFC.
An attacker has managed to extract a cookie from an organization's user and proceeds to use that cookie to impersonate the user and log in to a CRM that the organization uses. What type of attack is done after stealing cookie data? Blind hijacking, Phishing, Session replay, TCP hijacking
Correct answer: Session replay. After an attacker is able to steal a cookie from the client computer, he can use packet header manipulation to access data from the client. Attackers can gain access to data, services, or other resources on the machine, depending on the application.
An administrator is investigating a server that appears to be rebooting several times a day, thus interrupting important business functions, especially file editing and saved versions. The administrator wants to take a look at what time the shutdown may have occurred and any potential error codes. What section of the Windows Event Viewer logs system shutdown events? Security, System, Custom, Application
Correct answer: System. The System section in Event Viewer gives you a view of several system events, including when the server is shut down. It also logs any driver failure events. The other sections of Event Viewer all provide similar functionality for their respective areas: Application, Security, Setup, System.
A penetration tester is examining a client's network and is currently investigating the VLANs of the HR department switch. They are attempting to breach the VLAN security and eavesdrop on the communications in the other segments. What can the tester use to bypass VLAN restricted access? A. IP spoofing B. MAC spoofing C. SQL injection D. VLAN hopping
Correct answer: VLAN hopping. Normally, a VLAN tags an Ethernet frame with the correct routing information. However, this can be bypassed through the use of VLAN hopping. VLAN hopping includes switch spoofing and double tagging.
A large subset of the Acme Inc. employee workforce works remotely and requires a VPN connection. Since there are several hundred employees, the VPN connections have grown in number. What should large organizations use to handle multiple VPN incoming sessions? VPN concentrator, VPN router, VPN centralizer, VPN server
Correct answer: VPN concentrator. A VPN concentrator is an appliance offered by several vendors that helps large organizations manage their VPN connections. It's used when the company needs hundreds of simultaneous connections during the workday.
During a routine system audit, an administrator discovers a serious software vulnerability. The administrator is concerned that it may affect more systems and that there may be other vulnerabilities that the organization is not aware of. Now the administrator is looking into how to effectively manage discovering, documenting, and mitigating vulnerabilities. What is this practice called? Vulnerability management, Operational management, Technical controls, Detective controls
Correct answer: Vulnerability management. Vulnerability management is the practice of finding and mitigating software vulnerabilities in computers and networks. It consists of analyzing network documentation, testing computers, and mitigating vulnerabilities.
There are reports that a file server at Acme Inc. might be hosting malicious files, or an attacker is opening sensitive information. The administrator is concerned and wants to know what files are currently open on the file server. What command in Windows can he use to see a list of opened files from remote computers? remotefiles, seefiles, openfiles, localfiles
Correct answer: openfiles. The "openfiles" command lets Windows server administrators view open files on the server. This can reveal any malicious activity; for instance, if a remote computer has a system file or sensitive document opened.
CAR
Corrective Action Report. A report used to document actions taken to correct an event, incident, or outage.
RAID 5
Disk striping with parity. RAID-5 uses three or more disks and provides fault tolerance.
RAID 6
Disk striping with parity. RAID-6 uses four or more disks and provides fault tolerance. It can survive the failure of two drives.
FACL
File System Access Control List. An ACL used for file systems. As an example, NTFS uses the DAC model to protect files and folders.
Fire Control
Fire control consists of depriving a fire of fuel, oxygen or heat (see fire triangle) to prevent it from spreading or to put it out entirely. To briefly summarise, here are the main differences between fire protection, prevention and suppression: Fire prevention systems aim to minimize potential fire hazards. Fire protection reduces damage and helps to safely evacuate a building. Fire suppression systems are intended to extinguish the flames.
GPG
GNU Privacy Guard (GPG). Free software that is based on the OpenPGP standard. It is similar to PGP but avoids any conflict with existing licensing by using open standards.
GCM
Galois/Counter Mode. A mode of operation used for encryption. It combines the Counter (CTM) mode with hashing techniques for data authenticity and confidentiality.
GRE
Generic Routing Encapsulation. A tunneling protocol developed by Cisco Systems.
walkthrough test
Going through the motions of fulfilling responsibilities and conducting the activities required during an actual incident or disaster.
IKE
Internet Key Exchange. Used with IPsec to create a secure channel over port 500 in a VPN tunnel.
Fares is a security administrator for a large company. Occasionally, a user needs to access a specific resource that they don't have permission to access. Which access control methodology would be most helpful in this situation? MAC, DAC, Role-BAC, Rule-BAC?
Rule-Based Access Control applies a set of rules to an access request. Based on the application of the rules, the user may be given access to a specific resource that they were not explicitly granted permission to.
SOX
Sarbanes-Oxley Act of 2002 is a federal law that aims to protect investors by making corporate disclosures more reliable and accurate. ... In this such as Enron and WorldCom (today called MCI Inc.), that tricked investors and inflated stock prices.
SCEP
Simple Certificate Enrollment Protocol. A method of requesting a certificate from a CA.
NAS
Network Attached Storage - A Specialized file server that is designed and dedicated to support only data storage needs.
OVAL
Open Vulnerability Assessment Language
PCI
Payment Card Industry
PED
Personal Electronic Device
POTS
Plain Old Telephone Service
Remote employees at your company frequently need to connect to both the secure company network via VPN and open public websites, simultaneously. What technology would best support this? A. Split tunnel B. IPSec C. Full tunnel D. TLS
Split tunneling allows a mobile user to access dissimilar security domains like a public network (e.g., the Internet) and a local LAN or WAN at the same time. A full tunnel is a dedicated tunnel to one single target.
Splunk
Splunk (the product) captures, indexes and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards and visualizations. ... Splunk is a horizontal technology used for application management, security and compliance, as well as business and web analytics.
SAST
Static Application Security Testing
You are concerned about a wide range of attacks that could affect your company's web server. You have recently read about an attack wherein the attacker sends more data to the target than the target is expecting. If done properly, this could cause the target to crash. What would best prevent this type of attack? A. An SPI firewall B. An active IDS/IPS C. Checking buffer boundaries D. Checking user input
You are concerned about buffer overflows, and thus checking buffer boundaries is the best defense. Checking user input helps defend against SQL injection and cross-site scripting.
Which of the following is a difference between TACACS and TACACS+? A. TACACS uses TCP, TACACS+ uses UDP B. TACACS uses UDP, TACACS+ uses TCP C. TACACS uses TCP or UDP, TACACS+ uses UDP D. TACACS uses UDP, TACACS+ uses UDP or TCP
TACACS+ can use TCP or UDP, though it is more common to use TCP. It should also be noted that TACACS+ is not backward compatible. Options A, B, and C are all incorrect. These do not accurately describe TACACS vs. TACACS+.
Parallel testing
The process of feeding test data into two systems, the modified system and an alternative system (possibly the original system), and comparing results to demonstrate the consistency and inconsistency between two versions of the application
Amelia is looking for a network authentication method that can use digital certificates and does not require end users to remember passwords. Which of the following would best fit her requirements? OAUTH, Tokens, OpenID, RBAC?
Tokens are physical devices that often contain cryptographic data for authentication. They can store digital certificates for use with authentication. OAuth (Open Authorization) is an open standard for token-based authentication and authorization on the Internet. The user still must remember a password. OpenID is a third-party authentication service; the user still must remember a password. Role-Based Access Control and Rule-Based Access Control (which both use the acronym RBAC) are access control models.
When phishing attacks are so focused that they target a specific individual, they are called what? A. Spear phishing B. Targeted phishing C. Phishing D. Whaling
Whaling is targeting a specific individual. Spear phishing targets a small group. Targeted phishing is not a term used in the industry.
confusion
Ciphertext is significantly different from the plaintext; the relationship between key and ciphertext is obscured.
Arp Options
arp -a [inet_addr] [-N if_addr] (display the ARP cache, optionally for one address or interface), -g (same as -a), -d inet_addr [if_addr] (delete an entry), -s inet_addr eth_addr [if_addr] (add a static entry mapping an IP address to a MAC address)
ISSO
information system security officer
IP
intellectual property
Clickjacking
A technique that tricks users into clicking on a malicious link by adding the link to a transparent layer over what appears to be a legitimate web page.
George wants a secure authentication protocol that can integrate with RADIUS and can use digital certificates. Which of the following would be his best choice? CHAP, 802.11i, 802.1x, OAUTH
802.1x
You are the network director and are creating the following year's budget. You submit forensic dollar amounts for the cyber incident response team. Which of the following would you not submit? (Choose two.) A. ALE amounts B. SLE amounts C. Training expenses D. Man-hour expenses
A and B. ALE (annual loss expectancy) is the product of the ARO (annual rate of occurrence) and the SLE (single loss expectancy) and is mathematically expressed as ALE = ARO × SLE. Single loss expectancy is the cost of any single loss and it is mathematically expressed as SLE = AV (asset value) × EF (exposure factor). Options C and D are incorrect. Training expenses and man-hour expenses are valid IT forensic budget items.
Nessus
A network-vulnerability scanner available from Tenable Network Security. Nessus is a remote security scanning tool, which scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to gain access to any computer you have connected to a network.
PDS (Protected Distribution System)
A protected distribution system (PDS) is required by some organizations and government agencies. It consists of approved circuits used to protect from wiretapping. It's used on cabling to prevent wiretapping on unencrypted data. A specification called the National Security Telecommunications and Information Systems Security Instruction (NSTISSI) was created to provide the standards and guidance for secure designs.
One-time pad
A running key using a random key that is never used again. A one-time pad cipher is a stream cipher that encrypts plaintext with a secret random key that is the same length as the plaintext. It uses a string of bits generated at random and known as a keystream.
SLA
A service level agreement (SLA) is an agreement between a company and a vendor that specifies performance expectations. Minimum uptime and maximum downtime levels are included in an SLA. Also included is a monetary penalty should the vendor not be able to meet the agreed expectations.
polymorphic virus
A virus that can change its own code or periodically rewrites itself to avoid detection
Which of the following are examples of custodian security roles? (Choose two.) A. Human resources employee B. Sales executive C. CEO D. Server backup operator
A, D. Custodians maintain access to data as well as the integrity. Options B and C are incorrect. CEO and sales executives are not normally responsible for maintaining access to and integrity of the data.
You are a security administrator and advise the web development team to include a CAPTCHA on the web page where users register for an account. Which of the following controls is this referring to? A. Deterrent B. Detective C. Compensating D. Degaussing
A. As users register for an account, they enter letters and numbers they are given on the web page before they can register. This is an example of a deterrent control as it prevents bots from registering and proves this is a real person. Option B is incorrect. Detective controls detect intrusion as it happens and uncover a violation. Option C is incorrect. A compensating control is used to satisfy a requirement for a security measure that is too difficult or impractical to implement at the current time. Option D is incorrect. Degaussing is a method of removing data from magnetic storage media by changing the magnetic field.
Sheila is concerned that some users on her network may be accessing files that they should not—specifically, files that are not required for their job tasks. Which of the following would be most effective in determining if this is happening? A. Usage auditing and review B. Permissions auditing and review C. Account maintenance D. Policy review
A. Auditing and reviewing how users actually utilize their account permissions would be the best way to determine if there is any inappropriate use. A classic example would be a bank loan officer. By the nature of their job, they have access to loan documents. But they should not be accessing loan documents for loans they are not servicing. Option B is incorrect. The issue in this case is not permissions, because the users require permission to access the data. The issue is how the users are using their permissions. Option C is incorrect. Usage auditing and permissions auditing are both part of account maintenance, but answer A is directly addressing the issue in this question. Option D is incorrect. This is not a policy issue.
Jane is setting up login accounts for federated identities. She wants to avoid requiring the users to remember login credentials and allow them to use their logins from the originating network. Which of the following technologies would be most suitable for implementing this? A. Credential management B. OAUTH C. Kerberos D. Shibboleth
A. Credential management is expressly designed for this, and it is explicitly for federated identities. In fact, Microsoft has a credential management API that programmers can use to implement this. Option B is incorrect. OAUTH allows an end user's account information to be used by third-party services, without exposing the user's password, and is used for services, not federated identities. Even the service being logged onto won't know the password. Option C is incorrect. Kerberos is a network/domain authentication protocol. Option D is incorrect. Shibboleth is a middleware solution for authentication and identity management that uses SAML (Security Assertion Mark-up Language) and works over the Internet.
Which of the following EAP types use a three-phase operation? A. EAP-FAST B. EAP-TLS C. EAP-TTLS D. PEAP
A. EAP-FAST is for situations where a strong password policy cannot be enforced and certificates are not used. EAP-FAST consists of three phases: EAP-FAST authentication, establishment of a secure tunnel, and client authentication. Options B, C, and D are incorrect. These EAP types do not use a three-phase operation. Instead of using a certificate to achieve mutual authentication, EAP-FAST authenticates by means of a PAC (Protected Access Credential), which can be managed dynamically by the authentication server. EAP-TLS (Transport Layer Security) provides certificate-based, mutual authentication of the client and the network through an encrypted channel (or tunnel).
When using any HIDS/HIPS or NIDS/NIPS, the output is specific to the vendor. However, what is the basic set of information that virtually all HIDSs/HIPSs or NIDSs/NIPSs provide? A. IP addresses (sender and receiver), ports (sender and receiver), and protocol B. IP addresses (sender and receiver), ports (sender and receiver), and attack type C. IP addresses (sender and receiver), ports (sender and receiver), usernames, and machine names D. Usernames, machine names, and attack type
A. HIDSs/HIPSs and NIDSs/NIPSs each have output that the vendor specifies. But all such devices will output what protocol the traffic was, the source and destination IP addresses, as well as the source and destination port. More information may be provided, but this is the essential basic information all IDSs/IPSs display.
Valerie is responsible for security testing applications in her company. She has discovered that a web application, under certain conditions, can generate a memory leak. What type of attack would this leave the application vulnerable to? A. DoS B. Backdoor C. SQL injection D. Buffer overflow
A. If an attacker can induce the web application to generate the memory leak, then eventually the web application will consume all memory on the web server and the web server will freeze up.
Which of the following is most important in managing account permissions? A. Account recertification B. Usage auditing C. Standard naming conventions D. Account recovery
A. Periodic recertification of accounts is critical. The recertification process verifies that the account holder still requires the permissions they have been granted.
Mary is responsible for virtualization management in her company. She is concerned about VM escape. Which of the following methods would be the most effective in mitigating this risk? A. Only share resources between the VM and host if absolutely necessary. B. Keep the VM patched. C. Use a firewall on the VM. D. Use host-based antimalware on the VM.
A. VM escape is a situation wherein an attacker is able to go through the VM to interact directly with the hypervisor, and potentially the host operating system. The best way to prevent this is to limit the ability of the host and the VM to share resources. If possible, they should not share any resources.
Your company is issuing portable devices to employees for them to use for both work and personal use. This is done so the company can control the security of the devices. What, if anything, is an issue this process will cause? A. Personal information being exposed B. Company data being exfiltrated C. Devices being insecurely configured D. No issues
A. Since employees use the Company-Owned Personally Enabled (COPE) device for personal use, the devices will have the employee's personal information. This can lead to personal and private data being exposed to the company. Option B is incorrect. Any portable device has the chance of being used for data exfiltration, but COPE is no more susceptible than other configurations such as BYOD. Option C is incorrect. In fact, the opposite is true. It is less likely that devices will be improperly configured because the company controls configuration. Option D is incorrect. There are issues with this option.
You have been asked to implement security for SCADA systems in your company. Which of the following standards will be most helpful to you? A. NIST 800-82 B. PCI-DSS C. NIST 800-30 D. ISO 27002
A. The correct answer is NIST 800-82. Special Publication 800-82, Revision 2, "Guide to Industrial Control System (ICS) Security," is specific to industrial control systems. Industrial systems include SCADA (Supervisory Control and Data Acquisition) and PLCs (programmable logic controllers). Option B is incorrect. PCI-DSS is a standard for credit card security. Option C is incorrect. NIST 800-30 is the U.S. standard for conducting risk assessments.
You are explaining facial recognition to a colleague. What is the most significant drawback to implementing facial recognition? A. These systems can be expensive. B. These systems can be fooled with facial hair, glasses, etc. C. These systems have a high false positive rate. D. The systems require a long time to observe a face
A. The correct answer is that facial recognition is among the most expensive biometrics to implement. Option B is incorrect. They cannot be fooled easily. Adding glasses, changing hair color, or even gaining or losing some weight, will not prevent most facial recognition systems from functioning properly. Option C is incorrect. Facial recognition systems actually have very low false positive rates. Option D is incorrect. Most of these systems only need a few seconds.
Mark is an administrator for a health care company. He has to support an older, legacy application. He is concerned that this legacy application might have vulnerabilities that would affect the rest of the network. What is the most efficient way to mitigate this? A. Use an application container. B. Implement SDN. C. Run the application on a separate VLAN. D. Insist on an updated version of the application
A. The correct answer is to use an application container to isolate that application from the host operating system. Application containers provide a virtualized environment in which to run an application. Option C is incorrect. Not only will this not separate the application from the host operating system; it might not solve the problem.
You are a member of your company's security response team and have discovered an incident within your network. You are instructed to remove and restore the affected system. You restore the system with the original disk image and then install patches and disable any unnecessary services to harden the system against any future attacks. Which incident response process have you completed? A. Eradication B. Preparation C. Containment D. Recovery
A. The eradication process involves removing and restoring affected systems by reimaging the system's hard drive and installing patches. Option B is incorrect. The preparation process prepares a company's team to be ready to handle an incident at a moment's notice. Option C is incorrect. The purpose of the containment process is to minimize the damage and prevent any further damage from happening. Option D is incorrect. The recovery process brings affected systems back into the company's production environment carefully to avoid leading to another incident.
Sheila is responsible for data backups for all the company servers. She is concerned about frequency of backup and about security of the backup data. Which feature, found in some backup utility software, would be most important to her? A. Using data encryption B. Digitally signing the data C. Using automated backup scheduling D. Hashing the backup data
A. When backing up data, if you do not encrypt the data, then it would be possible for anyone to restore the backup and have access to all data you have backed up. Not all backup utilities include data encryption. Options B and D are incorrect. Both of these are very good ideas and ensure data integrity, but they were not mentioned as one of Sheila's concerns. Option C is incorrect. Although this is important, it is a feature that exists in all backup utilities.
Emma is concerned about credential management. Users on her network often have over a half-dozen passwords to remember. She is looking for a solution to this problem. Which of the following would be the best way to address this issue? A. Implement a password manager. B. Use shorter passwords. C. Implement OAUTH. D. Implement Kerberos
A. While there are security concerns with password managers, they can provide a method for storing large numbers of passwords so that users don't have to remember them all. OAUTH allows an end user's account information to be used by third-party services, without exposing the user's password. It won't reduce the number of passwords one has to remember.
You are a manager of a bank and you suspect one of your tellers has stolen money from their station. After talking with your supervisor, you place the employee on leave with pay, suspend their computer account, and obtain their proximity card and keys to the building. Which of the following policies did you follow? Mandatory vacations, Exit interviews, Adverse actions, Onboarding
Adverse actions are administrative actions that are placed against employees. These actions include letters of reprimand, leave with or without pay, or termination. Along with these actions, the policy should include steps such as disabling user accounts and revoking privileges, such as access to facilities, to prevent data from being compromised. Once administrative actions have been taken against an employee, the company should not have to worry about vindictive actions the employee might take against it. A mandatory vacation policy is used by companies to detect fraud by having a second person, familiar with the duties, help discover any illicit activities.
MOU (memorandum of understanding)
An agreement (bilateral or multilateral) between parties defining the terms and conditions of an arrangement. It's just an understanding.
OCSP (Online Certificate Status Protocol)
An alternative to using a CRL. It allows entities to query a CA with the serial number of a certificate. The CA answers with good, revoked, or unknown. It works in real time with the CA.
Dominick is responsible for security at a medium-sized insurance company. He is very concerned about detecting intrusions. The IDS he has purchased states that he must have an IDS on each network segment. What type of IDS is this? A. Active B. IPS C. Passive D. Inline
D. An inline IDS is actually in the traffic line (i.e., on the network segment where traffic is). Option A is incorrect. An active IDS refers to one that takes action against suspected attack traffic—it has nothing to do with where it is placed. Option B is incorrect. IPS is another name for active IDS. Option C is incorrect. Passive refers to whether or not the system acts against suspected traffic, not the location of the IDS.
ISA
An interconnection security agreement (ISA) is an agreement that specifies technical and security requirements for planning, establishing, maintaining, and disconnecting a secure connection between at least two companies.
You are a security administrator for a bank. You are very interested in detecting any breaches or even attempted breaches of your network, including those from internal personnel. But you don't want false positives to disrupt work. Which of the following devices would be the best choice in this scenario? A. IPS B. WAF C. SIEM D. IDS
D. An intrusion detection system will simply report issues, and not block the traffic. Option C is incorrect. SIEMs aggregate logs for analysis.
ISA interconnection security agreement
Any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. An ISA sets out a security risk awareness process and commits the agency and supplier to implementing security controls.
John is concerned about disgruntled employees stealing company documents and exfiltrating them from the network. He is looking for a solution that will detect likely exfiltration and block it. What type of system is John looking for? A. IPS B. SIEM C. Honeypot D. Firewall
A. Any of these systems could help with detecting malicious activity by an insider, but the intrusion prevention system will block such activity, if detected.
ASP
Application Service Provider
You work for a U.S. defense contractor. You are setting up access cards that have chips embedded in them to provide access control for users in your company. Which of the following types of cards would be best for you to use? A. CAC B. PIV C. NFC D. Smart card
B. Personal Identity Verification is a standardized FIPS 201 (Federal Information Processing Standard Publication 201) for use with federal employees. Option A is incorrect. Common Access Cards (CACs) are for U.S. Military personnel. Option C is incorrect. Near Field Communication (NFC) cards might be used, but PIV cards are more appropriate for DoD contractors. Option D is incorrect. Smart card is a generic term. Both PIV and CAC are smart cards.
Which of the following plans best identifies critical systems and components to ensure the assets are protected? A. DRP B. BCP C. IT contingency plan D. Succession plan
B. A business continuity plan is a policy that describes and approves the company's overall business continuity strategy. This also includes identifying critical systems to protect. Option A is incorrect. A disaster recovery plan (DRP) is a policy that describes and approves the company's disaster recovery strategy. This plan will help the company recover from an incident with minimal loss of time and money. Option C is incorrect. An IT contingency plan is a component of the BCP. It specifies alternate IT procedures for a company to switch over to when it's faced with a disruption of service leading to a disaster for the company. Option D is incorrect. A succession plan ensures all key company personnel have at least one designated backup who can perform the critical functions when required.
Which of the following might you find in a DRP? A. Single point of failure B. Prioritized list of critical computer systems C. Exposure factor D. Asset value
B. A disaster recovery plan (DRP) is a plan that helps a company recover from an incident with minimal loss of time and money. It prioritizes critical computer systems. Option A is incorrect. A single point of failure is a weakness in the design, or configuration of a system in which one fault or malfunction will cause the whole system to halt operating and would not be found within a DRP. Option C is incorrect. Exposure factor would be found within a risk assessment. Option D is incorrect. Asset value would be found within a risk assessment.
Olivia has discovered steganography tools on an employee's computer. What is the greatest concern regarding employees having steganography tools? A. Password cracking B. Data exfiltration C. Hiding network traffic D. Malware
B. An employee could hide sensitive data in files using steganography and then exfiltrate that data.
A fire has broken out near the electrical generator that is powering the backup systems. It appears that the fuel used for the generator is burning, and the resources are unsure of what extinguisher to use. What class of fire extinguisher is used on flammable liquids like gasoline? A B C D
B. Class B fire extinguishers are designated by a red square and are used for flammable liquid fires such as gas fires.
The chief security officer (CSO) has seen four security breaches during the past two years. Each breach cost the company $30,000, and a third-party vendor has offered to repair the security weakness in the system for $250,000. The breached system is set to be replaced in five years. Which of the following risk response techniques should the CSO use? A. Accept the risk. B. Transfer the risk. C. Avoid the risk. D. Mitigate the risk.
B. Each breach cost the company $60,000 per year, and over the course of 5 years the total will be $300,000. Transferring the risk will help save money for the company because the third-party vendor's solution will cost $250,000. Option A is incorrect. Accepting the risk will cost the company $50,000. Option C is incorrect. Avoiding the risk means not engaging in the service at all, which may be an effective solution but is often not possible due to the company's requirements. Option D is incorrect. Mitigating the risk means reducing the engagement of the service, and the company may not be able to reduce the system.
Which cloud service model provides the consumer with the infrastructure to create applications and host them? A. SaaS B. PaaS C. IaaS D. CaaS
B. In the Platform as a Service (PaaS) model, the consumer has access to the infrastructure to create applications and host them. Option A is incorrect. Software as a Service simply supplies a particular application. Option C is incorrect. Infrastructure as a Service provides entire network infrastructure. Option D is incorrect. Cloud as a Service provides access to cloud storage.
During which step of the incident response process does root cause analysis occur? A. Preparation B. Lessons learned C. Containment D. Recovery
B. The lessons learned process is the most critical phase because it is the phase to complete any documentation that may be beneficial in future incidents. Documentation should include information such as when the problem was first detected and by whom, how the problem was contained and eradicated, the work that was performed during the recovery, and areas that may need improvement. Option A is incorrect. The preparation process prepares a company's team to be ready to handle an incident at a moment's notice. Option C is incorrect. The containment process is designed to minimize the damage and prevent any further damage from happening. Option D is incorrect. The recovery process brings affected systems back into the company's production environment carefully to avoid leading to another incident.
Maria is a security engineer with a manufacturing company. During a recent investigation, she discovered that an engineer's compromised workstation was being used to connect to SCADA systems while the engineer was not logged in. The engineer is responsible for administering the SCADA systems and cannot be blocked from connecting to them. What should Maria do to mitigate this threat? A. Install host-based antivirus software on the engineer's system. B. Implement account usage auditing on the SCADA system. C. Implement an NIPS on the SCADA system. D. Use FDE on the engineer's system
B. Maria should implement ongoing auditing of the account usage on the SCADA system. This will provide a warning that someone's account is being used when they are not actually using it. Option A is incorrect. Host-based antivirus is almost never a bad idea. But this scenario did not indicate that the compromise was due to malware, so anti-malware may not address the threat. Option C is incorrect. Since the engineer has access to the SCADA system, a NIPS is unlikely to block him from accessing the system. Option D is incorrect. Full disk encryption will not mitigate this threat.
Acme Company is using smart cards that use near-field communication (NFC) rather than needing to be swiped. This is meant to make physical access to secure areas more secure. What vulnerability might this also create? A. Tailgating B. Eavesdropping C. IP spoofing D. Race conditions
B. Near-field communication (NFC) is susceptible to an attacker eavesdropping on the signal. Option A is incorrect. Tailgating is a physical attack and not affected by NFC technology. Options C and D are incorrect. These are both unrelated to NFC technology.
You are responsible for mobile device security in your company. Employees have COPE devices. Many employees only enter the office infrequently, and you are concerned that their devices are not receiving firmware updates on time. What is the best solution for this problem? A. Scheduled office visits for updates B. OTA updates C. Moving from COPE to BYOD D. A policy that requires users to update their firmware regularly
B. Over-the-air (OTA) updates are accomplished wirelessly. This can be done over a cellular network, wherever the device is. Using OTA updates for the mobile devices is the most efficient solution. Option A is incorrect. This would work but would interrupt the employees' normal work schedules and be inefficient. Option C is incorrect. Moving from Company-Owned and Personally Enabled to Bring Your Own Device (BYOD) would actually make the situation worse, but doing so would absolve the company of the responsibility of managing updates. Option D is incorrect. Policies require a mechanism for implementation. OTA is such a mechanism.
Users are currently accessing their personal email through company computers, so you and your IT team have created a security policy for email use. What is the next step after creating and approving the email use policy? A. Encrypt all user email messages. B. Provide security user awareness training. C. Provide every employee with their own device to access their personal email. D. Forward all personal emails to their company email account.
B. Provide security user awareness training to all employees regarding the risk of using personal email through company computers. The ability to access personal email is a security risk because the company is unable to filter emails through the company's Exchange server. Option A is incorrect. The company is unable to encrypt users' email messages through services such as Yahoo Mail and Gmail. The encryption is performed by the company providing the email service. Option C is incorrect. Providing every user with their own device to access their personal email is not the best option as the next step. While employees use these devices within the company's network, the company doesn't have full control of what emails are entering the network. Option D is incorrect. The company may have some control of personal emails routing through the company's Exchange server, but this is not the best next step after creating and approving the email use policy. The purpose of the email use policy is to limit the use of personal email because the company doesn't have full control of what emails the employees are allowing into the network.
You are responsible for email server security in your company. You want to implement encryption of all emails, using third-party authenticated certificates. What protocol should you implement? A. IMAP B. S/MIME C. PGP D. SMTP-S
B. Secure/Multipurpose Internet Mail Extensions (S/MIME) encrypts email using X.509 certificates that are created and authenticated by a trusted third party. Option A is incorrect. The Internet Message Access Protocol is used for receiving email. It does not send email and is not natively encrypted. Option C is incorrect. PGP (Pretty Good Privacy) can be used to encrypt email, but it uses self-generated certificates that are not authenticated by a third party. Option D is incorrect. Simple Mail Transfer Protocol Secure is encrypted, but it is only for sending email, not receiving. It can also be done with S/MIME or PGP.
Bart is looking for a remote access protocol for his company. It is important that the solution he selects support multiple protocols and use a reliable network communication protocol. Which of the following would be his best choice? A. RADIUS B. TACACS+ C. NTLM D. CHAP
B. TACACS+ (Terminal Access Controller Access Control System plus) uses TCP rather than UDP, and is therefore more reliable. It also supports a wide range of protocols. Option A is incorrect. RADIUS uses UDP, an unreliable protocol, and does not support many protocols. Option C is incorrect. NTLM is the Windows authentication protocol. Option D is incorrect. CHAP is an authentication protocol, not a remote access protocol.
To mitigate the impact of a software vendor going out of business, a company that uses vendor software should require which one of the following? A. A detailed credit investigation prior to acquisition B. A third-party source-code escrow C. Substantial penalties for breach of contract D. Standby contracts with other vendors
B. The correct answer is to have the source code for the application stored with a third-party source code escrow. Should the vendor go out of business, or otherwise be unable to continue to support the application, the source code escrow will supply you with the source code you can then maintain yourself (or hire a new company).
Lucy works as a network administrator for a large company. She needs to administer several servers. Her objective is to make it easy to administer and secure these servers, as well as making the installation of new servers more streamlined. Which of the following best addresses these issues? A. Setting up a cluster B. Virtualizing the servers C. Putting the servers on a VLAN D. Putting the servers on a separate subnet
B. The correct answer is virtualization. By virtualizing the servers Lucy can administer them all in a single location, and it is very easy to set up a new virtual server, should it be needed.
You are responsible for BIOS security in your company. Which of the following is the most fundamental BIOS integrity technique? A. Verifying the BIOS version B. Using a TPM C. Managing BIOS passwords D. Backing up the BIOS
C. BIOS password management is the most basic security measure for the BIOS. Without this fundamental step, any other steps will be far less effective. Options A and B are incorrect. NIST 800-155 does list both of these as BIOS integrity measures, but they are not the most fundamental measures—passwords are. Option D is incorrect. Backing up the BIOS is not a common security measure, and it certainly would not be the most fundamental step.
Juan is responsible for wireless security in his company. He has decided to disable the SSID broadcast on the single AP the company uses. What will the effect be on client machines? A. They will no longer be able to use wireless networking. B. They will no longer see the SSID as a preferred network when they are connected. C. They will no longer see the SSID as an available network. D. They will be required to make the SSID part of their HomeGroup
C. Disabling the SSID broadcast keeps it from being seen in the list of available networks, but it is still possible to connect to it and use the wireless network.
Which of the following is required when employing PKI and preserving data is important? A. CA B. CRL C. Key escrow D. CER
C. Key escrow is a database of stored keys that can be retrieved should the original user's key be lost or compromised. The stored key can be used to decrypt encrypted material, allowing restoration of the original material to its unencrypted state. Option A is incorrect. A certificate authority (CA) is a trusted entity that issues electronic documents that verify a digital entity's identity on the Internet or computer network. Option B is incorrect. A certificate revocation list (CRL) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should not be trusted. Option D is incorrect. CER is a certificate file extension for an SSL certificate and is used by web servers to help confirm the identity and security of the site a user is visiting.
You are a server administrator for your company's private cloud. To provide service to employees, you are instructed to use reliable hard disks in the server to host a virtual environment. Which of the following best describes the reliability of hard drives? A. MTTR B. RPO C. MTBF D. ALE
C. Mean time between failures (MTBF) is a measurement to show how reliable a hardware component is. Option A is incorrect. MTTR (mean time to repair) is the average time it takes for a failed device or component to be repaired or replaced. Option B is incorrect. RPO (recovery point objective) is the period of time a company can tolerate lost data being unrecoverable between backups. Option D is incorrect. ALE (annual loss expectancy) is the sum of the annual rate of occurrence and the single loss expectancy.
Robert is using PAP for authentication in his network. What is the most significant weakness in PAP? A. Unsigned authentication B. Single factor C. Credentials sent in cleartext D. PAP does not support TACACS+
C. Password Authentication Protocol (PAP) is a very old protocol that sends the username and password in cleartext. It should no longer be used. Options A, B, and D are all correct; however, these are not the most significant issues with PAP.
Juan is responsible for the physical security of the company server room. He has been asked to recommend a type of fire suppression system for the server room. Which of the following would be the best choice? A. Wet pipe B. Deluge C. Pre-action D. Halon
C. Pre-action fire suppression is ideal for computers. The pipes have no water in them during normal operations. When the temperature rises to a certain level, water fills the pipes. Then if the temperature continues to rise, the fire suppression system activates. This provides time to stop the fire before the servers are soaked with water.
As the IT security officer, you are configuring data label options for your company's research and development file server. Regular users can label documents as contractor, public, or internal. Which label should be assigned to company trade secrets? A. High B. Top secret C. Proprietary D. Low
C. Proprietary data is a form of confidential information, and if the information is revealed, it can have severe effects on the company's competitive edge. Option A is incorrect. High is a generic label assigned to data internally that represents the amount of risk being exposed outside the company. Option B is incorrect. The top-secret label is often used within governmental systems where data and access may be granted or denied based on assigned categories. Option D is incorrect. Low is a generic label assigned to data internally that represents the amount of risk being exposed outside the company.
You have purchased new laptops for your salespeople. You plan to dispose of the hard drives of the former laptops as part of a company computer sale. Which of the following methods would you use to properly dispose of the hard drives? A. Destruction B. Shredding C. Purging D. Formatting
C. Purging removes all the data from a hard drive and the data cannot be rebuilt. Option A is incorrect. Destruction wouldn't help the company sell the hard drive at the computer sale. Option B is incorrect. Shredding wouldn't help the company sell the hard drive at the computer sale because it physically destroys the hard drive. Option D is incorrect. Formatting isn't good enough to remove data because it can be recovered by third-party software. Formatting moves the pointer to the location the data resides.
Ingrid is reviewing her company's recertification policy. Which of the following is the best reason to recertify? A. To audit usage B. To enhance onboarding C. To audit permissions D. To manage credentials
C. Recertification is a means for checking permissions. It essentially involves conducting certification of accounts, as if they were new. This can be done to audit permissions.
You have been instructed to introduce an affected system back into the company's environment and be sure that it will not lead to another incident. You test, monitor, and validate that the system is not being compromised by any other means. Which of the incident response processes have you completed? A. Lessons learned B. Preparation C. Recovery D. Containment
C. The recovery process brings affected systems back into the company's production environment carefully, to avoid leading to another incident.
You find one of your employees posting negative comments about the company on Facebook and Twitter. You also discover the employee is sending negative comments from their personal email on the company's computer. You are asked to implement a policy to help the company avoid any negative reputation in the marketplace. Which of the following would be the best option to fulfill the request? A. Account policy enforcement B. Change management C. Security policy D. Risk assessment
C. Security policy defines how to secure physical and information technology assets. This document should be continuously updated as technology and employee requirements change. Option A is incorrect. Account policy enforcement regulates the security parameters of who can and cannot access a system. Option B is incorrect. Change management is the process of managing configuration changes made to a network. Option D is incorrect. Risk assessment identifies the dangers that could negatively impact a company's ability to conduct business.
Which of the following is the best description of a stored procedure? A. Code that is in a DLL, rather than the executable B. Server-side code that is called from a client C. SQL statements compiled on the database server as a single procedure that can be called D. Procedures that are kept on a separate server from the calling application, such as in middleware
C. Stored procedures are commonly used in many database management systems to contain SQL statements. The database administrator, or someone designated by the DBA, creates the various SQL statements that are needed in that business, and then programmers can simply call the stored procedures. Option A is incorrect. Stored procedures are not related to dynamic linked libraries. Option B is incorrect. This is close but inaccurate, because stored procedures can be called by other stored procedures that are also on the server. Option D is incorrect. Stored procedures are not related to middleware.
Which of the following 802.11 standards is supported in WPA2, but not in WEP or WPA? A. 802.11a B. 802.11b C. 802.11i D. 802.11n
C. The WPA2 standard fully implements the 802.11i security standard. Options A, B, and D are incorrect. These standards concern bandwidth and frequency, not security.
Hans is a security administrator for a large company. Users on his network visit a wide range of websites. He is concerned they might get malware from one of these many websites. Which of the following would be his best approach to mitigate this threat? A. Implement host-based antivirus. B. Blacklist known infected sites. C. Set browsers to allow only signed components. D. Set browsers to block all active content (ActiveX, JavaScript, etc.)
C. The correct answer is to only allow signed components to be loaded in the browser. Code signing verifies the originator of the component (such as an ActiveX component) and thus makes malware far less likely.
You are responsible for security at Acme Company. Recently, 20 new employee network accounts were created, with the default privileges for the network. You have discovered that eight of these have privileges that are not needed for their job tasks. Which security principle best describes how to avoid this problem in the future? A. Least privileges B. Separation of duties C. Implicit deny D. Weakest link
C. The security concept of implicit deny states that any new access account will by default be denied all access. When a request is made for specific privileges for that account, then the privileges are explicitly applied. This means that by default all privileges are implicitly denied.
John is implementing virtual IP load-balancing. He thinks this might alleviate network slowdowns, and perhaps even mitigate some of the impact of a denial-of-service attack. What is the drawback of virtual IP load-balancing? A. It is resource-intensive. B. Most servers don't support it. C. It is connection-based, not load-based. D. It works only on Unix/Linux servers.
C. Virtual IP load balancing does not take the load of each interface into account and assumes all loads are essentially similar. Option A is incorrect. This load balancing is not resource intensive. Option B is incorrect. Most servers do support virtual IP load balancing. Option D is incorrect. Windows will also support virtual IP load balancing.
Web developers in your company currently have direct access to the production server and can deploy code directly to it. This can lead to unsecure code, or simply code flaws being deployed to the live system. What would be the best change you could make to mitigate this risk? A. Implement sandboxing. B. Implement virtualized servers. C. Implement a staging server. D. Implement deployment policies.
C. You should implement a staging server so that code can be deployed to an intermediate staging environment. This will allow testing of security features, as well as checking to see that the code integrates with the entire system. Using third-party libraries and SDKs can help reduce errors and vulnerabilities in the code. Option A is incorrect. Sandboxing is used to isolate a particular environment. Option B is incorrect. Virtualization will not mitigate this risk. Even if the production server is virtualized, the risks are the same. Option D is incorrect. Deployment policies are a good idea, but they are not the most effective way to mitigate this particular risk.
CAPTCHA
Completely Automated Public Turing Test To Tell Computers and Humans Apart
CERT
Computer Emergency Response Team. A group of experts that respond to security incidents. Also known as CIRT, SIRT, or IRT.
DNAT
Destination Network Address Translation. A form of NAT that changes the destination IP address for incoming traffic. It is used for port forwarding.
CP
Contingency planning. Plans for contingencies in the event of a disaster to keep an organization operational. BCPs include contingency planning.
COOP
Continuity of Operations Plan. A COOP site provides an alternate location for operations after a critical outage. A hot site includes personnel, equipment, software, and communications capabilities of the primary site with all the data up to date. A hot site can take over for a failed primary site within an hour. A cold site will have power and connectivity needed for COOP activation, but little else. A warm site is a compromise between a hot site and a cold site.
An attacker forges address resolution protocol (ARP) requests with spoofed addresses in order to mislead computers and switches, while redirecting them to a malicious MAC address. This MAC address provides an ability for the attacker to eavesdrop on all communications. What attack is being used? ARP poisoning Directory traversal ARP injection Domain hijacking
Correct answer: ARP poisoning Address resolution protocol (ARP) resolves IP addresses to MAC addresses. The resolution is stored in the ARP table. If the attacker can change the resolution for a MAC address to his own, he can redirect users to his own site. This is usually done to change a router address to redirect traffic. This can provide an avenue for an attacker to redirect users to a malicious site or server in order to further attack the target or eavesdrop on communications.
A security engineer is consulting for a local hospital. Their IT systems are not using any method for emergency power, which has the executives concerned. What can the security engineer recommend as an emergency power system in case of a power outage? a. Redundant Power Supply b. Backup Generator c. UPS d. Surge Protector
Correct answer: Backup generator A backup generator is part of an emergency power system used when there is an outage of regular electric grid power. Some emergency power systems might include special lighting and fuel cells, and larger, more commercial backup generators can power portions of a building.
An employee working in a government nuclear facility arrives at work and notices a USB drive lying in the parking lot. Curious, the employee picks up the USB drive and connects it to their computer to see if there's any information on who dropped it, so they can return it. Unknown to them, malicious software has copied itself from the drive to their computer. What attack is being perpetrated? Eavesdropping Shoulder surfing Dumpster diving Baiting
Correct answer: Baiting Baiting is when a malicious individual leaves malware-infected removable media, such as a USB drive, lying around in plain view. The victim plugs in the USB drive and infects their computer. This form of attack was reportedly used to spread the famous Stuxnet virus, wherein a virus secretly sabotaged an Iranian nuclear facility and rendered their centrifuges inoperable. An employee found a USB drive in the parking lot and plugged it into one of the nuclear facility computers.
An administrator is interested in gauging changes in performance over time within the environment. They need to determine what bottlenecks may exist, but there are no previous reports on this data to refer to. What is used to measure performance consistently over a period of time? Baseline Group Policy Editor Windows Manager Security template
Correct answer: Baseline Baselining is the process of measuring changes in networking, hardware and software. The administrator first must create a baseline and then monitor the network for performance over a period of time. For instance, the administrator might want to know the average amount of time for data transfer. He could create a baseline, or starting point, by capturing packets for a couple of hours during regular business hours.
Different fires require different chemical components to extinguish them, and it is important to understand the difference in cases of facility and data center management. What class of fire extinguisher is used for electrical fires? A B C D
Correct answer: C Class C fire extinguishers are designated with a blue circle. They are used for electrical fires, such as one started by an overloaded outlet. These extinguishers can be used in server rooms.
During the course of a reorganization, Smith Industries was interested in implementing a new IT security framework to promote enhanced security, along with proper processes for obtaining and deploying secure hardware and software. Of the following IT security frameworks, which divides IT into the following four sections: plan and organize; acquire and implement; deliver and support; and monitor and evaluate? PMBOK NIST COBIT ITIL
Correct answer: COBIT COBIT (Control Objectives for Information and Related Technologies) is a good-practice framework created by the international professional association ISACA for information technology management and governance. COBIT provides an implementable "set of controls over information technology and organizes them around a logical framework of IT-related processes and enablers."
An administrator has just realized that a server was illegally accessed, and he needs to report the crime. After alerting the authorities and following their instructions, what would be the next step in the legal process of handling the evidence? A. Review the logs and verify what data has been tampered with B. Capture a forensic system image C. Take hashes of the system drive to use later to verify nothing has changed D. Perform a restoration of any recently deleted data before it can be overwritten
Correct answer: Capture a forensic system image A forensic image of the disk captures any and all data available on the drive, and this will be performed first. The evidence cannot be disturbed, and analyzing the drive directly introduces a chance of modifying the data and rendering the evidence inadmissible. Forensic images differ from standard images in that forensic images capture all data on the disk, including recently deleted data that has not been overwritten. Some software can even make an image of volatile evidence such as that stored in memory (RAM).
What binds the digital signature to an identity key? A. Certificate B. Signature Key C. Public Key D. Private Key
Correct answer: Certificate A certificate is an electronic document that uses a digital signature to bind the key with the user's identity. This type of infrastructure takes an entire system of hardware, software, and software policies. Public Key Infrastructure (PKI) provides the backbone of digital signature verification to serve as a means of authentication and encryption. The sender uses their private key to encrypt a hash of the message. The recipient then uses the sender's public key to decrypt the hash and verify the authenticity.
An administrator has already installed a host-based DLP suite but is concerned with the possibility that an attacker can insert a live OS drive and boot to an alternative OS to exfiltrate information. Of the following options, what BIOS setting is useful when securing data from theft in this manner? Hard drive password User password Enable the data loss prevention BIOS plugin Disable removable media such as USB
Correct answer: Disable removable media such as USB Removable media is commonly used to steal data and cause data leakage. The administrator can disable removable media such as USB ports in the BIOS and in the operating system settings. Most companies restrict removable media usage for security reasons.
A marketing firm is developing a new front end for their customers to manage various settings. It is going to be a public-facing website, but the functionality will only be made available to authorized users with a log-in. They are concerned that unauthorized users might obtain access. Of the following types of testing, which would be recommended for testing this website? Input Validation Sandboxing Black box testing White Box testing
Correct answer: Input validation Input validation ensures that the right input is used and filtered from the website server. It checks for the correct use of data and validates that malicious input does not affect workflow. Incorrect input can cause vulnerabilities and lead to data breaches. Penetration testing software can be used for input validation.
A hotel chain decided that they wanted to force users to use their on-premises Wi-Fi and pay for it. To do so they employed devices that were capable of committing denial-of-service attacks against customers' personal Wi-Fi access points. Which of the following devices did they most likely use? Jammers Butt set Patchers Crimpers
Correct answer: Jammers Jammers can be used to interrupt a wireless signal. They can be purchased online to attack a wireless access point and initiate a denial of service. They create random noise on the Wi-Fi channel or attempt to disassociate clients from the device.
By itself, this protocol does not provide native encryption for data in transit, so it is unwise to implement it without the addition of IPSec. Which of the following can create an unencrypted tunnel for VPN connections, and with IPSec can provide data-in-transit encryption? A. SSL B. TLS C. PPTP D. L2TP
Correct answer: L2TP Layer 2 tunneling protocol (L2TP) is a protocol used to connect VPNs. It creates an unencrypted tunnel if used by itself. It can be included with IPsec to create a formidable tunneling protocol with security.
A directory information services technology used for accessing directory services, specifically x.500-based directory services, is being employed in an organization in order to house their directory and information. Of the following, which is an example of a Microsoft localized authentication that fits this description? A. VPN B. WEP C. LDAP D. CHAP
Correct answer: LDAP Lightweight Directory Access Protocol (LDAP) is a Microsoft technology that allows a user to log in to one location and share attributes with other systems. The user can gain access to other network resources as they are added, since only one authentication process is needed.
They are unaware that they've just been infected by Zeus, a Trojan horse that has infected the software application they used to access the website. Then they visit their bank website, and the Trojan steals the user's information and sends it back to the attacker, who then uses it to log in as the user. The Zeus attack is an example of which of the following? Driver manipulation Man-in-the-browser Domain hijacker Replay attack
Correct answer: Man-in-the-browser A man-in-the-browser attack infects the web browser and the software application used to visit websites, and is capable of keystroke logging and form grabbing. This enables the attacker to obtain user credentials, especially for bank log-ins, and begin the attack phase where they access the user's accounts and exfiltrate any money they can.
A law firm requires multiple secure connections into several court systems. The connections require advanced and effective security, and each connection will have an individual certificate bound to the law firm. What is the term used when more than one certificate is mapped to a recipient? Many-to-many mapping One-to-many mapping Many-to-one mapping One-to-one mapping
Correct answer: Many-to-one mapping Certificate mapping defines how many certificates are associated with a particular recipient. If multiple certificates are mapped to one recipient, it's referred to as many-to-one mapping.
Which of the following is a challenge-response authentication protocol for Windows hashing that uses HMAC-MD5 hashes composed of a combination of items such as the username, the log-on domain, the password, and the current time? LANMAN DES NTLMv2 AES
Correct answer: NTLMv2 NTLMv2 is the second version of the NTLM hashing scheme, and it uses MD5, which makes it very difficult to crack. It's a 128-bit encryption system. It's been available since Windows NT and is implemented in current Windows operating systems.
An administrator is concerned with their organization's upcoming move to the virtual servers. They will have several critical functions on a powerful host server, but the administrator is afraid that one VM might lead to access of another. Which of the following is an effective method for preventing VM escape? Virtual machine deployment processes Patching Firewall rules Non-persistent virtual machines
Correct answer: Patching In VM escape, an attacker gains access to the host system from within a virtual system present on the host. Some vulnerabilities can present the attacker with access to the hypervisor, the software that runs the virtual machines. With this access, an attacker can run commands on the host and effectively gain administrative access to the host. These vulnerabilities would be discovered and reported to the vendors, who provide patches. IT teams should test and deploy these patches as soon as they are made available.
An attacker has impersonated a technical support agent and managed to gain access to a user's computer. They proceed to update the HOSTS file to redirect websites such as those used for e-banking or cryptocurrencies to an illegitimate site that attempts to collect credentials. What attack changes HOSTS files and redirects users to a malicious website? Replay Pharming Ping of death Session hijacking
Correct answer: Pharming When a HOSTS file is changed to point a friendly URL to a malicious website, it's called pharming. It's a type of DNS poisoning. The user is tricked into accessing the malicious website and entering sensitive information such as a username and password.
A malicious actor working on behalf of a competitor has infiltrated their victim's network through a social engineering attack to get control of a workstation. They want to destabilize the network and attempt to do so by sending an overly large packet to the router through ping. What attack sends a ping packet of over 65,535 bytes? Smurf attack SYN attack Ping of death attack Snarf attack
Correct answer: Ping of death attack A ping of death attack sends a packet of over 65,535 bytes, which overflows the target system's memory buffers. The flooded memory resources cause the target system to crash. It's an older attack that is usually stopped by routers or the operating system.
A junior administrator has just been brought into the company and is being briefed on how the update and patch management system is handled in the organization. Generally speaking, what is typically the first step in patch management? Testing Implementing Planning Auditing
Correct answer: Planning Step 1 - Planning: Planning is the first step in patch management. The planning stage helps the user decide if a patch is necessary and if it's compatible with other systems. The plan should also include information on ways to test the patch, when it will be implemented, and how it will be checked after deployment. Step 2 - Testing: Before deploying any automated update procedure, the administrator should first test it on an individual machine. The administrator can also use a group of machines to simulate the enterprise environment. This step takes additional IT resources, but it's well worth the cost to ensure that a deployment does not harm performance. Step 3 - Implementing: Only after testing can implementation be done. Implementing the patch is the step where the administrator deploys all patches necessary for the upgrade. It should be done during off-peak hours when users are not using their systems for work tasks. Step 4 - Auditing: After implementing patches, the administrator should then audit the system to ensure that the patch was properly deployed and to check for any errors. You can download third-party tools for auditing, such as SCCM and SMS.
A sales manager at Acme Inc. receives a call from an individual who identifies herself as a manager at another branch. She states that a customer does not have their membership card and they need to verify membership. What is the term used when an attacker invents a scenario to persuade a victim to divulge information in a social engineering attack? Tailgating Brute force Pretexting Piggybacking
Correct answer: Pretexting Pretexting is part of social engineering. The attacker invents a scenario, or pretext, in the hope of persuading a victim to divulge information. Usually, the attacker impersonates an employee or organization.
A warehousing company is interested in implementing RFID trackers for their shipments and packages, to have greater monitoring capabilities. They are concerned about the potential attacks they may encounter. Which of the following is not a common RFID attack/concern? A. DoS B. Sniffing C. Privilege Escalation D. Replay Attack
Correct answer: Privilege escalation There is not much to gain from attempting to escalate privileges in an RFID tag environment, as it is potentially one of thousands with no special permissions or privileges. Conversely, because the RFID tags transmit data over the air, it is possible for an attacker to intercept the communications and interpret the data. A replay attack could be used to spoof an RFID tag, enabling an attacker to steal the package. A denial of service (DoS) attack could be performed to take down the RFID network if the attacker knew the frequency of the system.
A new administrator is working at Acme Inc. and is learning about the server environment. The servers don't have any monitors attached to them, suggesting they're accessed remotely. What application would the administrator use to remotely control a Windows machine? A. Windows Remote Server B. Client Service C. TCP/IP D. Remote Desktop service
Correct answer: Remote Desktop Services Remote Desktop Services uses the remote desktop protocol to connect to a target machine and remotely control it. It's the standard service used by administrators to connect to any remote machine on the network and configure or troubleshoot it.
A secure communications channel is important when handling sensitive data, especially over unsecured networks such as the internet. What service was used initially to allow dial-up connections from remote clients but eventually evolved to incorporate high-speed connections? Remote challenge handshake Remote access services Remote desktop protocol Remote desktop services
Correct answer: Remote access services Remote access services (RAS) began as a service that enabled dial-up connections from remote clients. Now it offers remote dial-up services as well as high-speed technologies such as DSL and fiber optic connections.
The Cyber Kill Chain is a series of steps outlining the stages of a cyber attack. Of the following, which is not one of the stages? Reconnaissance Delivery Reporting Weaponization
Correct answer: Reporting The cyber kill chain is a series of steps that outline and trace the stages of a cyberattack. Security experts use this model to assist in understanding how threat actors perform their attacks. The steps are: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, and Actions on Objectives. Reporting is not one of the steps.
An administrator is interested in implementing email encryption throughout the organization. They have a PKI configured to work within the local network and would like to incorporate that. Which of the following protocols should they implement? S/MIME OpenPGP TLS PGP
Correct answer: S/MIME Secure/Multipurpose Internet Mail Extensions (S/MIME) is one of the most prevalent email encryption standards available. S/MIME uses RSA for asymmetric encryption and AES for symmetric encryption and can encrypt email at rest and in transit. Due to the use of RSA for asymmetric encryption, a PKI is required to provide and manage the appropriate certificates.
Which of the following hashing algorithms was designed by the NSA and published by the NIST and is grouped into four families of varying usage and currency? MD5 SHA Blowfish AES
Correct answer: SHA Secure hash algorithm (SHA) is one of the most widely used hashing algorithms. It employs a 160-bit hash. SHA-2 is considered a better version since it uses 256-bit block sizes. There are four families of the SHA algorithm: SHA-0 is not used. SHA-1 is an updated version that outputs 160-bit hashes similar to MD5 but with 160 bits instead of 125. SHA-2 improves over SHA-1 and has several versions based on the length of hash output. SHA-3 is a SHA-2 alternative that was created in a non-NSA public competition.
An attacker wants to get into an online cryptocurrency wallet account and is trying to subvert the two-factor authentication set to send a code to the victim's cell phone. The attacker is likely to use which of the following? Wi-Fi attacks Man-in-the-middle (MitM) SIM cloning SQL injection
Correct answer: SIM cloning SIM cloning (also known as phone cloning) allows two phones to use the same service and gives the attacker access to all phone data received over the network. V1 SIM cards are vulnerable to this type of attack due to weak security algorithms. V2 and higher cards are much more difficult to attack and clone. Recently, SIM cloning and social engineering attacks on phone company customer resources have enabled attackers to get the network data sent to a device that they own in order to intercept the security codes sent by two-factor authentication services.
XSS
Cross-site scripting. Cross-site scripting allows an attacker to redirect users to malicious websites and steal cookies. E-mail can include an embedded HTML image object or a JavaScript image tag as part of a malicious cross-site scripting attack. Websites prevent cross-site scripting attacks with input validation to detect and block input that includes HTML and JavaScript tags. Many sites prevent the use of < and > characters to block cross-site scripting.
You discover that an investigator made a few mistakes during a recent forensic investigation. You want to ensure the investigator follows the appropriate process for the collection, analysis, and preservation of evidence. Which of the following terms should you use for this process? A. Incident handling B. Legal hold C. Order of volatility D. Chain of custody
D. Chain of custody refers to the chronological documentation showing the custody, control, transfer, analysis, and disposition of physical or electronic evidence. Option A is incorrect. Incident handling is a guide that explains the process and procedures of how to handle particular incidents. Option B is incorrect. Legal hold is a written directive issued by attorneys ordering clients to preserve pertinent evidence in an anticipated litigation, audit, or government investigation. This evidence can include paper documents and electronically stored information. Option C is incorrect. Order of volatility represents the order in which you should collect evidence. In general terms, evidence should be collected starting with the most volatile and moving to the least volatile. Volatile means the data is not permanent.
Juan is responsible for the SIEM in his company. The SIEM aggregates logs from 12 servers. In the event that a breach is discovered, which of the following would be Juan's most important concern? A. Event duplication B. Time synchronization C. Impact assessment D. Correlation
D. Correlating the events from the servers related to the breach would be the most important issue to address for the SIEM manager. Impact assessment is important, but is not part of SIEM management.
Tom is the network administrator for a small accounting firm. As soon as he comes in to work, users report to him that they cannot connect to the network. After investigating, Tom discovers that none of the workstations can connect to the network and all have an IP address in the form of 169.254.x.x. What has occurred? A. Smurf attack B. Man-in-the-middle attack C. DDoS D. DHCP starvation
D. IP addresses in the range of 169.254 are automatic private IP addresses (APIPA) and indicate the system could not get a dynamic IP address from the DHCP server. This is a typical symptom of DHCP starvation. Option A is incorrect. Smurf attacks involve sending spoofed broadcast messages to the target network's router. Option B is incorrect. Nothing in this scenario describes a man-in-the-middle attack. Option C is incorrect. Nothing in this scenario indicates a distributed denial-of-service attack.
You are a security administrator for an insurance company. You have discovered that there are a few active accounts for employees who left the company over a year ago. Which of the following would best address this issue? A. Password complexity B. Offboarding procedures C. Onboarding procedures D. Password expiration
D. Password expiration would mean that even if the exiting employee's login is not disabled, the password will simply expire without anyone having to take any action. Option B is incorrect. Offboarding would help in this situation and should be implemented. But password expiration would occur automatically, even if offboarding procedures are not followed. That is why password expiration is a better answer.
Teresa is responsible for WiFi security in her company. Her main concern is that there are many other offices in the building her company occupies and that someone could easily attempt to breach their WiFi from one of these locations. What technique would be best in alleviating her concern? A. Using thin WAPs B. Geofencing C. Securing the Admin screen D. WAP placement
D. Placing the WAPs carefully so as to provide the best coverage for the company, with minimum overlap outside the company, will be the best way to keep those in adjacent offices from attempting to breach the WiFi. When placing WAPs for the best coverage, one needs to focus on signal strength to ensure there are no gaps between WAPs. Option A is incorrect. Thin versus fat WAP refers to the functionality in the WAP and won't have any effect on the ability of nearby people to breach the WAP. Option B is incorrect. Geofencing is used to limit the area in which a mobile device can be used. Option C is incorrect. Securing the admin screen is a great idea and should be done, but it won't address the issue of nearby tenants attempting to breach the WiFi.
Mohanned is responsible for account management at his company. He is very concerned about hacking tools that rely on rainbow tables. Which of the following would be most effective in mitigating this threat? A. Password complexity B. Password age C. Password expiration D. Password length
D. Rainbow table attacks are best mitigated by longer passwords. Generating rainbow tables is computationally intensive, and longer passwords (over 14 characters) cannot be cracked by most rainbow tables.
You are responsible for database security at your company. You are concerned that programmers might pass badly written SQL commands to the database, or that an attacker might exploit badly written SQL in applications. What is the best way to mitigate this threat? A. Programmer training B. Programming policies C. Agile programming D. Stored procedures
D. Stored procedures are the best way to have standardized SQL. Rather than programmers writing their own SQL commands, they simply call the stored procedures that the database administrator creates. Options A and B are both incorrect. Although these are good ideas, they are not as effective as stored procedures in addressing concerns about bad SQL commands. Option C is incorrect. Agile programming is a method for developing applications rapidly and won't determine how SQL commands are created.
Which of the following role-based positions should receive training on how to manage a particular system? A. Users B. Privileged users C. Executive users D. System owners
D. System owner is a type of employee who would receive role-based training on how best to manage a particular system. Option A is incorrect. Users are generally the front-line employees and would receive general security awareness training. Option B is incorrect. Privileged users would receive training on how best to handle additional network and system access. Option C is incorrect. Executive users would receive training on how to spot targeted attacks.
You are responsible for network security at a university. Faculty members are issued laptops. However, many of the faculty members leave the laptops in their offices most of the time (sometimes even for weeks). You are concerned about theft of laptops. In this scenario, what would be the most cost-effective method of securing the laptops? A. FDE B. GPS tagging C. Geofencing D. Tethering
D. Tethering is usually inexpensive, and simply tethering a portable device to a desk makes it difficult to steal the device. No antitheft method is foolproof, but tethering is simple, cost effective, and reasonably effective.
Lars is auditing the physical security of a company. The company uses chain-link fences on its perimeter. The fence is over pavement, not soft ground. How close to the ground should the bottom of the fence be? A. Touching the ground B. Within 4 inches C. There is no standard for this. D. Within 2 inches
D. The fence should reach within 2 inches of hard surfaces like pavement or concrete. For soft dirt it should actually go into the ground.
Gerard is trying to find a flexible remote access protocol that can use either TCP or UDP. Which of the following should he select? A. RADIUS B. DIAMETER C. TACACS+ D. TACACS
D. The original TACACS defined in RFC 1492 can use either UDP or TCP. Option A is incorrect. RADIUS uses only UDP. Option B is incorrect. DIAMETER uses only TCP. Option C is incorrect. TACACS+ uses only TCP.
ESN
Electronic Serial Number. Numbers used to uniquely identify mobile devices.
What should be done to back up tapes that are stored off-site? A. Generate a file hash for each backup file. B. Scan the backup data for viruses. C. Perform a chain of custody on the backup tape. D. Encrypt the backup data.
Encrypting the backup data before storing it off-site ensures data confidentiality.
EAL
Evaluation Assurance Level of an IT product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation, an international standard in effect since 1999. ... To achieve a particular EAL, the computer system must meet specific assurance requirements.
FRR
False rejection rate. Also called the false nonmatch rate. A rate that identifies the percentage of times a biometric authentication system incorrectly rejects a valid match.
fire suppression
Focus on extinguishing the flame with water or chemicals, depending on what kind of environment the suppression system is going to be used in.
HIPAA
Health Insurance Portability and Accountability Act
ITCP
IT contingency plan. Part of risk management. Plan to ensure that IT resources remain available after a security incident, outage, or disaster.
IRP
Incident response plan. The procedures documented in an incident response policy. The phases of incident response are: 1> Preparation, 2> Identification, 3> Containment, 4> Eradication, 5> Recovery, and 6> Lessons Learned.
Ahmed is looking for an authentication protocol for his network. He is very concerned about highly skilled attackers. As part of mitigating that concern, he wants an authentication protocol that never actually transmits a user's password, in any form. Which authentication protocol would be a good fit for Ahmed's needs? CHAP, KERBEROS, RBAC, Type II
Kerberos does not send the user's password across the network. CHAP sends the user's password encrypted. RBAC is an access control model, not an authentication protocol. When the user's name is sent to the authentication service, the service retrieves the hash of the user's password from the database, and then uses that as a key to encrypt data to be sent back to the user. The user's machine takes the password that the user entered, hashes it, and then uses that as a key to decrypt what was sent back by the server.
You are concerned about an attacker enumerating all of your network. What protocol might help at least mitigate this issue? A. HTTPS B. TLS C. IPSec D. LDAPS
Lightweight Directory Access Protocol Secure (LDAPS) would at least mitigate the risk. LDAP is a directory of the network (computers, users, etc.). Securing that would help mitigate network enumeration.
MTTF
Mean time to failure. The length of time you can expect a device to remain in operation before it fails. It is similar to MTBF, but the primary difference is that the MTBF metric indicates you can repair the device after it fails. The MTTF metric indicates that you will not be able to repair a device after it fails.
MaaS
Monitoring as a Service or Management as a Service. Allows an organization to outsource the management and monitoring of IT resources.
Which authentication method was used as a native default in older versions of Microsoft Windows? PAP, CHAP, OAUTH, NTLM
NTLM
Victor is trying to identify the protocol used by Windows for authentication to a server that is not part of the network domain. Which of the following would be most useful for Victor? Kerberos, NTLM, OpenID, CHAP
NTLM is an older Windows authentication protocol. Microsoft no longer recommends it except for certain specific situations. One of those is attempting to authenticate to a server that is not part of the domain.
netcat (nc)
ncat IPADDRESS PORTNUMBER (connects to IP as a client) ncat -l portnumber (listen mode for inbound connections) ncat -e programname (launch program on successful connection) ncat -L (listen harder; re-listen on closed socket) ncat -o (local port number) ncat -t (answer telnet negotiation) ncat -u (UDP mode) ncat -v (verbose mode) ncat -w seconds (timeout for connect) ncat -n (tells ncat not to perform DNS lookups on machines found)
You have been asked to find an authentication service that is handled by a third party. The service should allow users to access multiple websites, as long as they support the third-party authentication service. What would be your best choice? OpenID, Kerberos, NTLM, Shibboleth
OpenID. OpenID is an authentication service often provided by a third party, and it can be used to sign into any website that accepts OpenID.
MS CHAP vs MS CHAPv2 vs PAP
PAP uses a two-way handshake for authentication, CHAP uses a three-way handshake for authentication, and MS-CHAPv2 adds mutual authentication.
You are the network administrator for a small office of 35 users and need to utilize mail encryption that will allow specific users to encrypt outgoing email messages. You are looking for an inexpensive onsite encryption server. Which of the following would you implement? A. PGP/GPG B. WPA2 C. CRL D. EAP-TLS
PGP (Pretty Good Privacy) or GPG (GNU Privacy Guard) provides a low-cost or open source alternative solution that allows users to encrypt their outgoing emails. Option B is incorrect. WPA2 is a security standard that secures computers connected to a Wi-Fi network. Option C is incorrect. A CRL (certificate revocation list) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should not be trusted. Option D is incorrect. EAP-TLS is a remote access authentication protocol that supports the use of smartcards.
L2TP vs PPTP
PPTP (Point-to-Point Tunneling Protocol) is a lower-level encryption method compared to L2TP and OpenVPN. ... L2TP (Layer Two Tunneling Protocol) is considered a bit more secure than PPTP as it uses 256-bit keys, giving a higher level of encryption. L2TP encapsulates data twice, making it less efficient and slightly slower. L2TP uses port 1701; PPTP uses port 1723.
PRINCE2
PRojects IN Controlled Environments 2. A project management methodology.
PIA
Privacy Impact Assessment
PTA
Privacy Threshold Analysis
You are a security administrator, and your manager has asked you about protecting the privacy of personally identifiable information (PII) that is collected. Which of the following would be the best option to fulfill the request? PIA, BIA, RTO, SPF
Privacy impact assessment (PIA) is a measurement of how a company can keep private information safe while the company is in possession of PII. Business impact analysis (BIA) determines the potential effects of an interruption to a company's operations as a result of a disaster or emergency. A single point of failure (SPF) is a component whose failure will stop an entire system from working.
PAC
Proxy Auto Configuration
bootrec /fixmbr
Repairs the Master Boot Record
SAML
Security Assertions Markup Language. An XML-based standard used to exchange authentication and authorization information between different parties. SAML provides SSO for web-based applications.
SCAP
Security Content Automation Protocol. A method with automated vulnerability management, measurement, and policy compliance evaluation tools.
You have been asked to select an authentication method that will support single sign-on, with SAML, and work well over the internet. Which of the following would be your best choice? Shibboleth, OAUTH, SPAP, CHAP?
Shibboleth is a middleware solution for authentication and identity management that uses SAML. OAUTH (Open Authorization) allows an end user's account information to be used by third-party services, without exposing the user's password. Challenge Handshake Authentication Protocol (CHAP) periodically re-authenticates the user.
Shimming vs Refactoring
Shimming is when the attacker places some malware between an application and some other file, and intercepts the communication to that file (usually to a library or system API). Refactoring is the process of changing names of variables, functions, etc. in a program.
SAN
Storage Area Network
RAID 0
Striping
SEH
Structured Exception Handler. Module within an application that handles errors or exceptions. It prevents applications from crashing or responding to events that can be exploited by attackers.
Fail Open
System default that allows access during a system or network failure.
ITIL
The Information Technology Infrastructure Library (ITIL) is a set of concepts and practices for Information Technology Services Management (ITSM), Information Technology (IT) development and IT operations. ITIL gives detailed descriptions of a number of important IT practices and provides comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs.
AlienVault
The AlienVault Unified Security Management (USM) Appliance is a virtual or hardware appliance-based threat detection and incident response platform that combines SIEM and log management functionality with other security tools, such as asset discovery, vulnerability assessment and intrusion detection
NTLMv2 vs NTLM
The difference lies in the challenge and in the way the challenge is encrypted: while NTLMv2 provides a variable-length challenge, the challenge used by NTLMv1 is always a sixteen-byte random number. NTLMv1 uses the weak DES algorithm to encrypt the challenge with the user's hash. ... NTLMv2 uses HMAC-MD5 instead.
RAID 10
The opposite of RAID 0+1, two mirrored RAID 0 configurations. Also provides both speed and redundancy, and also requires four disks.
four primary modes of data acquisition for mobile devices
There are four primary modes of data acquisition for mobile devices. These four modes are: 1> Physical: SIM card, memory cards, and backups; 2> Logical: requires a forensic tool to create an image of the logical storage volumes; 3> Manual access: reviewing the contents of the live, unlocked phone; 4> Filesystem: provides details of deleted files and existing files or directories.
fire extinguishing
Types of fire: 1> Type A - common combustibles like wood and paper; use water or foam; green triangle. 2> Type B - petroleum products like gasoline; use gas, CO2, foam, or dry powder; red square. 3> Type C - electrical fire; use gas, CO2, dry powder, or FM-200. 4> Type D - combustible metals; use dry powder. Fire suppression methods with water: 1> Wet pipe - pipes are already filled with water, and when fire breaks the bulb, water comes out. 2> Dry pipe - in extreme weather areas, to avoid freezing of the water, pipes are kept under air pressure; when fire breaks the bulb, the pipes fill with water, which is then distributed. 3> Pre-action - water is dispersed as soon as heat and smoke are sensed, without waiting for fire to break the bulb. 4> Deluge - a large amount of water is used to extinguish the fire.
What is Type I, Type II, and Type III authentication?
Type I --> something you know, Type II --> something you have, Type III --> something you are, secure --> multi-factor
URI
Uniform Resource Identifier (URI) is a WWW identifier that uniquely identifies a resource on the WWW -- e.g., http://host.com.
Same sign-on
Users have to reenter their credentials each time they access another system
war flying
Warflying or warstorming is an activity consisting of using an airplane and a Wi-Fi-equipped computer, such as a laptop or a PDA, to detect Wi-Fi wireless networks. Warstorming shares similarities with wardriving and warwalking in all aspects except for the method of transport.
Tower of Hanoi
a problem in which you transfer a series of different-sized disks from one spindle to another following a specific set of rules
macro virus
a virus that attaches itself to a document that uses macros
windows service pack
all windows security patches
Sparse Infector Virus
avoids detection by carrying out its actions only sporadically, such as on every 10th or 25th activation
ISO 73:2009
defines it as a "record of information about identified risks." Risk Management
multipartite virus
designed to infect multiple file types in an effort to fool the antivirus software that is looking for it
PGP/GPG/OpenPGP
don't need PKI
Perfect Forward Secrecy (PFS)
makes sure that a session key will remain secure, even if one of the private keys used to derive the session key becomes compromised.
Public key pinning
provides clients with a list of public key hashes that clients can use to identify website impersonation attempts
certificate stapling
reduces OCSP traffic by appending a timestamped, digitally signed OCSP response to the certificate
Cutover Test
shuts down the main systems and has everything fail over to backup systems.
diffusion
small changes in plain text result in large changes in cipher text
fail safe
the system stops functioning to avoid causing harm in case of failure
theHarvester
theHarvester is another tool like sublist3r that is developed using Python. This tool can be used by penetration testers for gathering information on emails, sub-domains, hosts, employee names, open ports, and banners from different public sources like search engines, PGP key servers, and the SHODAN computer database.
Jared is responsible for network security at his company. He has discovered behavior on one computer that certainly appears to be a virus. He has even identified a file he thinks might be the virus. However, using three separate antivirus programs, he finds that none can detect the file. Which of the following is most likely to be occurring? A. The computer has a RAT. B. The computer has a zero-day exploit C. The computer has a logic bomb. D. The computer has a rootkit.
B. Zero-day exploits are new, and they are not in the virus definitions for the antivirus programs. This makes them difficult to detect, except by their behavior. Options A, C, and D are incorrect. These are all forms of malware, but they should be picked up by at least one of the antivirus programs.