Security+ Udemy Exam
Question: a) b) c) d)
Answer:
Question: You suspect that your server has been the victim of a web-based attack. Which of the following ports would most likely be seen in the logs to indicate the attack's target? 21 389 443 3389
Answer: 443 OBJ-3.1: Web-based attacks would likely appear on port 80 (HTTP) or port 443 (HTTPS). An attack against Active Directory is likely to be observed on port 389 LDAP. An attack on an FTP server is likely to be observed on port 21 (FTP). An attack using the remote desktop protocol would be observed on port 3389 (RDP).
Question: Dion Training has set up a lab consisting of 12 laptops for students to use outside of normal classroom hours. The instructor is worried that a student may try to steal one of the laptops. Which of the following physical security measures should be used to ensure the laptop is not stolen or moved out of the lab environment? Biometric locks Cable locks USB lock Key fob
Answer: Cable Locks OBJ-2.7: The Kensington lock is a small hole found on almost every portable computer or laptop made after 2000. It allows a cable lock to be attached to a portable computer or laptop to lock it to a desk and prevent theft. These locks often use a combination lock or padlock type of locking system. These locks do not affect the user's ability to use the laptop or device. It only prevents them from moving the laptop from the area. A biometric lock is any lock that can be activated by biometric features, such as a fingerprint, voiceprint, or retina scan. Biometric locks make it more difficult for someone to counterfeit the key used to open the lock or a user's account. A smart card is a form of hardware token. A key fob generates a random number code synchronized to a code on the server. The code changes every 60 seconds or so. This is an example of a one-time password. A SecureID token is an example of a key fob that is produced by RSA. USB lock prevents unauthorized data transfer through USB ports, reducing the risk of data leakage, data theft, computer viruses, and malware by physically locking and blocking the USB Ports.
Question: When you purchase an exam voucher at diontraining.com, the system only collects your name, email, and credit card information. Which of the following privacy methods is being used by Dion Training? a) Tokenization b) Anonymization c) Data masking d) Data minimization
Answer: Data minimization OBJ-5.5: Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected. Since we only need your name and email to deliver the voucher and your credit card to receive payment for the voucher, we do not collect any additional information, such as your home address or phone number. Data masking can mean that all or part of a field's contents are redacted, by substituting all character strings with x, for example. Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique. Data anonymization is the process of removing personally identifiable information from data sets so that the people whom the data describe remain anonymous.
Question: You have been hired as a cybersecurity analyst for a privately-owned bank. Which of the following regulations would have the greatest impact on your bank's cybersecurity program? a) GLBA b) HIPAA c) FERPA d) SOX
Answer: GLBA OBJ-5.2: The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information. The Health Insurance Portability and Accountability Act (HIPAA) is a US law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. Sarbanes-Oxley (SOX) is a United States federal law that sets new or expanded requirements for all US public company boards, management, and public accounting firms. The Family Educational Rights and Privacy Act (FERPA) of 1974 is a United States federal law that governs the access to educational information and records by public entities such as potential employers, publicly funded educational institutions, and foreign governments.
Question: What should administrators perform to reduce a system's attack surface and remove unnecessary software, services, and insecure configuration settings? a) Windowing b) Hardening c) Stealthing d) Harvesting
Answer: Hardening > Hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle, a single-function system is more secure than a multipurpose one. Reducing available ways of attack typically includes changing default passwords, removing unnecessary software, unnecessary usernames or logins, and disabling or removing unnecessary services. Windows is the use of windows for the simultaneous display of more than one item on a screen. Harvesting is the process of gathering data, normally user credentials. Stealthing is a made-up term in this question.
Question: Which of the following hashing algorithms results in a 160-bit fixed output? a) MD-5 b) SHA-2 c) RIPEMD d) NTLM
Answer: RIPEMD OBJ-2.8: RIPEMD creates a 160-bit fixed output. SHA-2 creates a 256-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates a 128-bit fixed output.
SQL Injection vs. Command Injection vs. LDAP Injection vs. Directory/Path traversal
Answer: SQL Injection Based on the log entries, it appears the attack was successful in conducting a SQL injection. Notice the escape character (') used in the log. A connection to the MySQL database is being used in the script, which could be exploited since no input validation is being performed. Command injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. SQL injection is a specific type of command injection. LDAP injection is a code injection technique used to exploit web applications that could reveal sensitive user information or modify information represented in the LDAP (Lightweight Directory Access Protocol) data stores. Directory traversal or Path Traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server's root directory.
Question: Dion Training is hiring a penetration testing firm to conduct an assessment of its corporate network. As part of the contract, the company has specified that it will not provide any network details to the penetration testing firm. Instead, the company wants to see how much information about the network can be found by the penetration testers using open-source research and scanning the corporate network. What type of assessment is this considered? a) Known environment testing b) Semi-trusted environment testing c) Partially known environment testing d) Unknown environment testing
Answer: Unknown environment testing OBJ-1.8: An unknown environment penetration test requires no previous information and usually takes the approach of an uninformed attacker. The penetration tester has no prior information about the target system or network in an unknown environment penetration test. These tests provide a realistic scenario for testing the defenses, but they can be costlier and more time-consuming to conduct as the tester is examining a system from an outsider's perspective. A partially known environment tester has the user's access and knowledge levels, potentially with elevated privileges on a system. These partially known environment penetration testers typically have some knowledge of a network's internals, potentially including design and architecture documentation and an account internal to the network. A known environment test is known by several different names, including clear-box, open-box, auxiliary, or logic-driven testing. It falls on the opposite end of the spectrum from an unknown environment test because the penetration testers have full access to source code, architecture documentation, and so forth. A known environment penetration tester can also perform static code analysis, so familiarity with source code analyzers, debuggers, and similar tools are necessary for this type of testing. A semi-trusted environment test is made up term and is used as a distractor in this question.
Question: What should be done NEXT if the final set of security controls does not eliminate all of the risks in a given system? a) You should ignore any remaining risk b) You should continue to apply additional controls until there is zero risk c) You should remove the current controls since they are not completely effective d) You should accept the risk if the residual risk is low enough
Answer: You should accept the risk if the residual risk is low enough OBJ-5.4: In most cases, you will be unable to remove all risks. Instead, it would be best to mitigate the risk to a low enough level to accept the residual risk. Removing the controls would add to the risk, which is a bad course of action to select. Ignoring the remaining risk is unacceptable; instead, you should acknowledge what risk remains and accept it if it is low enough. If it is not low enough, you should continue to mitigate the risk by adding additional control measures. It is unlikely you will ever be able to get all risk down to zero, but mitigating to a lower level and then accepting the residual risk is a common industry practice.
Question: You have been hired to investigate a possible insider threat from a user named Terri. Which command would you use to review all sudo commands ever issued by Terri (whose login account is terri and UID=1003) on a Linux system? (Select the MOST efficient command) a) journalctl _UID=1003 | grep -e 1003 | grep sudo b) journalctl _UID=1003 | grep sudo c) journalctl _UID=1003 | grep -e [Tt]erri | grep sudo d) journalctl _UID=1003 | grep -e [Tt]erri | grep -e 1003 | grep sudo
Answer: journalctl _UID=1003 | grep sudo OBJ-4.3: journalctl is a command for viewing logs collected by systemd. The systemd-journald service is responsible for systemd's log collection, and it retrieves messages from the kernel, systemd services, and other sources. These logs are gathered in a central location, which makes them easy to review. If you specify the parameter of _UID=1003, you will only receive entries made under the authorities of the user with ID (UID) 1003. In this case, that is Terri. Using the piping function, we can send that list of entries into the grep command as an input and then filter the results before returning them to the screen. This command will be sufficient to see all the times that Terri has executed something as the superuser using privilege escalation. If there are too many results, we could further filter the results using regular expressions with grep using the -e flag. Since the UID of 1003 is only used by Terri, it is unnecessary to add [Tt]erri to your grep filter as the only results for UID 1003 (terri) will already be shown. So, while all four of these would produce the same results, the most efficient option to accomplish this is by entering "journalctl _UID=1003 | grep sudo" in the terminal. Don't get afraid when you see questions like this; walk through each part of the command step by step and determine the differences. In this question, you may not have known what journalctl is, but you didn't need to. You needed to identify which grep expression was the shortest that would still get the job done. By comparing the differences between the options presented, you could likely take your best guess and identify the right one.
