Test1
Your organization wants to install a new accounting system and is considering moving to a cloud-based solution to reduce costs and IT overhead and to improve reliability and availability. Your Chief Information Officer supports the move because it is more fiscally responsible, but the Chief Risk Officer is concerned about housing all of the company's confidential financial data on a cloud provider's network that might be shared with other companies. Since the CIO is determined to move to the cloud, what type of cloud-based solution would you recommend to address the Chief Risk Officer's concerns?
A SaaS (Software as a Service) offering best describes an accounting application consumed as a cloud service, which meets the CIO's requirements. To address the Chief Risk Officer's concern, deploy it on a private cloud. A private cloud is single-tenant: the provider does not commingle your data with other customers' data and dedicates servers and resources to your company's use only. A public cloud, by contrast, is multi-tenant, which is exactly the sharing the CRO objects to.
Dion Training Solutions has contracted a software development firm to create a bulk file upload utility for its website. During a requirements planning meeting, the developers asked what type of encryption is required for the project. After some discussion, Jason decides that the file upload tool should use a cipher that is capable of encrypting 8 bits of data at a time before transmitting the files from the web developer's workstation to the web server. Which of the following should be selected to meet this security requirement?
The intended answer is a block cipher, which encrypts a fixed-size group of bits as one unit before moving on to the next block; 8 bits at a time matches that definition of a fixed block. Be aware that the block sizes quoted on exams (8-bit, 16-bit, 32-bit, 64-bit and so on) are illustrative: the block ciphers you will meet in practice use 64-bit blocks (DES, 3DES, Blowfish) or 128-bit blocks (AES), and a real cipher that produces one byte of keystream at a time, such as RC4, is a stream cipher. Stream ciphers encrypt one bit or one byte at a time by combining the plaintext with a keystream, typically by XOR. A hashing algorithm would not meet the requirement: a hash is one-way, so the files could never be recovered on the web server. A cyclic redundancy check (CRC) is an error-detecting code used in networks and storage devices to detect accidental changes to raw data; blocks of data entering these systems get a short check value attached, based on the remainder of a polynomial division of their contents. A CRC provides no confidentiality, and because an attacker can recompute it after tampering, it is not even a cryptographic integrity check.
Buffer Overflow
A buffer overflow occurs when a program writes more data into a buffer (a fixed-size temporary storage area) than the buffer was allocated to hold. Because the buffer has a finite size, the excess bytes spill into adjacent memory, corrupting or overwriting whatever was stored there (other variables, saved return addresses, heap metadata). Although it can happen accidentally through a programming error, a buffer overflow is a common attack on data integrity: the extra data can carry attacker-chosen values or code, in effect feeding new instructions to the attacked program that could, for example, damage the user's files, change data, or disclose confidential information. To prevent it, programs must check the length of incoming data against the buffer's capacity before copying (bounds checking), use length-limited copy functions instead of unbounded ones such as strcpy() or gets(), or be written in a memory-safe language. Compiler and OS mitigations such as stack canaries, non-executable stacks (DEP/NX) and ASLR make exploitation harder but do not remove the bug.
Cognitive password attack
A cognitive password is a form of knowledge-based authentication in which a user answers a question, presumably something they intrinsically know, to verify their identity. If you post a lot of personal information about yourself online, this type of password can be bypassed easily. For example, during the 2008 election, Vice Presidential candidate Sarah Palin's Yahoo email account was compromised when a high-school student used the "reset my password" feature and answered the recovery questions with information that was publicly available about her (her birthday, her high school, and similar details).
Your company's offices utilize an open concept floor plan. You are concerned that a visitor might attempt to steal an external hard drive and carry it out of the building. To mitigate this risk, your security department has recommended installing security cameras that are clearly visible to both employees and visitors. What type of security control do these cameras represent?
A deterrent control is designed to discourage violation of a security policy. Since the cameras are clearly visible, they act as a deterrent control (the same cameras also serve as a detective control when footage is reviewed after an incident, but visibility is what makes deterrence the primary purpose here). A corrective control is used to fix or eliminate a vulnerability. A compensating control minimizes a vulnerability when it is too difficult or impractical to correct fully. An administrative control is a policy or procedure put in place to minimize or eliminate a vulnerability.
False positive
A false positive occurs when an alert is triggered (the system believes malicious activity occurred) although no malicious activity took place: the condition being tested for is mistakenly reported as detected. Its opposite, a false negative, is malicious activity that produces no alert. Tuning a detection system trades one against the other, and a high false-positive rate is dangerous in its own right because analysts start ignoring alerts.
group policy
Group Policy is used to manage Windows systems in a Windows domain by means of Group Policy Objects (GPOs). GPOs include a number of settings related to credentials, such as password complexity requirements, password history, minimum password length and account lockout thresholds. Group Policy can also rename or disable the built-in Administrator account. Setting local administrator passwords through Group Policy Preferences was removed by Microsoft (MS14-025) because the stored "cpassword" value could be decrypted by any domain user; today the Local Administrator Password Solution (LAPS) is used to rotate those passwords.
You are designing a new architecture for your company's website. The current architecture involves a single server that hosts the website in its entirety. Your company's newest product has been creating a lot of interest in the media, and your CIO is concerned that the single server will not be able to handle the increased load and demand that could result from this publicity. What technology should you implement in the new architecture to let multiple web servers share the work of serving the website to the expected increase in users?
A load balancer provides high availability and the ability to serve increased demand by splitting the workload across multiple servers. RAID is a high-availability technology that lets multiple hard disks act logically as one for throughput and fault tolerance, but it does not address the single server's limited processing power the way a load balancer does. A VPN concentrator is a networking device that terminates VPN connections securely and relays traffic between VPN nodes. A data loss prevention (DLP) system is focused on ensuring that intellectual property is not exfiltrated. Neither helps meet the increased demand from new users.
Logic Bomb
A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files should they ever be terminated from the company. Jeffrey is concerned that a logic bomb may have been created and installed on his system or across the network.
mandatory vacation
A mandatory vacation policy requires all users to take time away from work and break from the day-to-day routines of their job. It also has a major side benefit for the company's security posture: while an employee is on mandatory vacation, someone else must fill their normal roles and responsibilities, and the substitute may come across fraud, abuse or theft the vacationing employee is party to (job rotation delivers the same benefit on a permanent schedule). Least privilege may not stop this theft, since two employees could collude to steal information each of them legitimately has access to. An acceptable use policy simply outlines which activities are and are not allowed; it does not prevent theft. A privacy policy describes how information should be stored and secured, but it will neither stop an employee from stealing information nor detect that information was stolen.
You work for Big Data Incorporated as a physical security manager. You are concerned that the physical security at the entrance to the company is not sufficient. To increase your security, you are determined to prevent piggybacking. What technique should you implement first?
A mantrap (also called an access control vestibule) admits only one person per authentication. The authentication can be done with an RFID badge, a PIN, or other methods; once verified, the mantrap lets a single person through a turnstile or rotating door. CCTV will not stop piggybacking, though it can serve as a detective control after an occurrence. Wearing security badges is useful, but it will not stop piggybacking by a skilled social engineer. RFID badges may be part of your entry requirements, but they will not stop a determined piggybacker who follows an employee through the door after the employee's badge has been read.
network security policy
A network is only as strong as its weakest link (host or server). When hosts or servers of different sensitivity are commingled, there is a large risk of security policy violations, because users accustomed to a less stringent policy for one set of machines carry those habits over to a machine that should be held to a stronger policy.
What type of malware changes its binary pattern in its code on specific dates or times in order to avoid detection by an antimalware scan?
A polymorphic virus alters its binary code each time it propagates, or on a trigger such as a date or time, so that malware scanners relying on signature-based detection do not recognize it. Typically the payload is stored encrypted under a changing key and only a small, mutating decryptor runs first; the behaviour stays the same while the signature changes. A metamorphic virus goes further and rewrites its entire code body, so heuristic or behaviour-based detection is needed for both.
Rogue access point
A rogue access point is a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker.
trojan horse
A trojan is a program in which malicious or harmful code is hidden inside an apparently harmless program. In this example the harmless program is the key generator (which does create a license key), but it also carries malicious code, which is causing the additional alerts from the anti-malware solution. Most likely this keygen has an embedded virus or remote access trojan (RAT).
You are the network administrator for your company. The company just hired a new CIO, and he has decided to allow employees to connect their devices to the corporate wireless network under a new BYOD policy. You have been asked to separate the corporate network into an administrative network (for corporate-owned devices) and an untrusted network (for employee-owned devices). What technology should you utilize to achieve this goal?
A virtual local area network (VLAN) is a form of network segmentation configured in your switches that prevents communication between VLANs unless a router (or firewall) carries it. This lets two virtually separated networks exist on one physical network with their data kept apart; on the wireless side, each SSID (corporate and BYOD) is mapped to its own VLAN. Remember that the separation is only as good as the inter-VLAN routing policy: if a router freely forwards between the two VLANs, place a firewall or ACL at that boundary. A virtual private network (VPN) is a remote-access technology that connects a trusted device over an untrusted network back to the corporate network; it would not create the desired effect. WPA2 is a wireless encryption standard, but it will not create two segmented networks on the same physical hardware. MAC filtering allows or denies a device's connection to a network, but it will not create two network segments either.
Jason has installed multiple virtual machines on a single physical server. He needs to ensure that the traffic is logically separated between each virtual machine. How can Jason best implement this requirement?
A virtual switch is software on the hypervisor that lets virtual machines communicate with each other and with the physical network. A virtual local area network (VLAN) is a layer-2 segmentation created by switches, physical or virtual, using 802.1Q tags. Assigning each virtual machine's port on the virtual switch to its own VLAN gives logical separation of the VMs' traffic on the shared physical host.
You have been hired as a consultant to Small Time Corp Incorporated to review their current disaster recovery plans. The CEO has requested that the plans ensure that the company can limit downtime in the event of a disaster, but due to staffing concerns he simply cannot approve the budget to implement or maintain a fully redundant offsite location to ensure a 99.999% availability. Based on that limitation, what should you recommend to the CEO of Small Time Corp?
A warm site provides some of the capabilities of a hot site, but the customer must do more work to become operational. Warm sites provide computer systems and compatible media; if a warm site is activated, administrators and other staff must install and configure systems to resume operations. For most organizations a warm site could be a remote office, a leased facility, or another organization with which yours has a reciprocal agreement. By placing redundant hardware at the offsite location and configuring it so that it is ready for recovery when needed, the company gets a higher level of availability than a cold site without the full personnel costs of a hot site. A hot site would ensure that the offsite location has all hardware, equipment, personnel and data installed and ready to provide services at all times; maintaining one is far more expensive than a warm site. Locating the redundant servers in the same building is not recommended, since a fire, flood or other disaster could destroy both the primary and the redundant capability. Keeping the hardware at the office but shipping backups offsite matches the description of a cold site, which would not provide high availability either, since the systems would have to be set up, configured and made ready for use after the disaster.
Why would a company want to utilize a wildcard certificate for their servers?
A wildcard certificate is a public key certificate that can be used with multiple subdomains of a domain. This saves money and reduces the burden of managing a separate certificate for each subdomain. A single wildcard certificate for *.diontraining.com will secure www.diontraining.com, mail.diontraining.com, ftp.diontraining.com, and so on. Two caveats matter in practice: the wildcard covers exactly one label, so it matches neither diontraining.com itself (which must be added as a separate subject alternative name) nor deeper names such as dev.www.diontraining.com; and because one private key now sits on every server that uses the certificate, compromising any of those servers lets the attacker impersonate all of them. The other options provided are not solved by using a wildcard certificate.
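The matching rule described above is easy to get wrong, so here is an added example (not code from the original notes) that implements wildcard name matching the way browsers enforce RFC 6125: the wildcard must be the whole left-most label, it covers exactly one label, and it may not sit directly under a top-level domain. The hostnames used are constructed.

```python
"""Which hostnames a wildcard certificate actually covers.

Added example for these notes; the matching rules follow RFC 6125 as
browsers enforce them, and the hostnames are constructed.
"""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (possibly *.example.com) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire left-most label ("w*.example.com" and
    # "*.*.example.com" are rejected) and must not sit directly under a TLD ("*.com").
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]) or len(p_labels) < 3:
        return False
    # One label only: *.diontraining.com covers www.diontraining.com but neither
    # diontraining.com itself nor a.www.diontraining.com.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def covered_by(cert_names, hostname: str) -> bool:
    """A certificate lists several names (CN and SANs); any one of them may match."""
    return any(wildcard_matches(name, hostname) for name in cert_names)


if __name__ == "__main__":
    cert = ["diontraining.com", "*.diontraining.com"]
    for host in ("www.diontraining.com", "diontraining.com", "dev.www.diontraining.com"):
        print(host, covered_by(cert, host))
```

The bare apex name is listed alongside the wildcard in the sample certificate because, as the check shows, the wildcard alone would not cover it.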
You are configuring the ACL for your network's perimeter firewall. You have just finished adding all the proper allow and deny rules. What should you place at the end of your ACL rules?
Best practice for firewall configuration is to end the ACL with an implicit deny: anything not specifically allowed by an earlier rule is blocked. Most firewalls enforce an implicit deny automatically, and many administrators add an explicit deny-all rule as the last line anyway so that the dropped traffic is logged. Ending with an implicit allow is bad practice, because anything not specifically denied would be let through. Time-of-day restrictions can be useful, but they are not required for every network and are not what belongs at the end of the rule set. Note that rules are evaluated top to bottom with the first match winning, so the order of the allow and deny rules above the final deny matters as much as the deny itself.
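To make the first-match and default-deny behaviour concrete, here is an added example (not part of the original notes) that evaluates packets against a small constructed perimeter ACL. The rule set, the addresses (from documentation ranges) and the sample packets are all invented for illustration; the point it demonstrates is that a missing implicit deny lets unmatched traffic through, and that a specific deny placed below a broad allow never fires.

```python
"""First-match ACL evaluation ending in a default (implicit) deny.

Added example for these notes; the rule set and sample packets are
constructed and do not come from any real firewall.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    proto: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # None matches any destination port


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def rule_matches(rule: Rule, pkt: dict) -> bool:
    return (ipaddress.ip_address(pkt["src"]) in _net(rule.src)
            and ipaddress.ip_address(pkt["dst"]) in _net(rule.dst)
            and rule.proto in ("any", pkt["proto"])
            and (rule.dport is None or rule.dport == pkt.get("dport")))


def evaluate(rules, pkt: dict, default: str = "deny"):
    """Walk the ACL top to bottom; the first matching rule wins.
    If nothing matches, the default applies: that is the implicit deny."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, index
    return default, None


# Constructed perimeter ACL protecting a public web server at 203.0.113.10.
PERIMETER_ACL = [
    Rule("allow", "any", "203.0.113.10/32", "tcp", 443),
    Rule("allow", "any", "203.0.113.10/32", "tcp", 80),
    Rule("deny", "198.51.100.0/24", "any", "any", None),   # a range we want blocked entirely
    Rule("allow", "203.0.113.0/24", "any", "udp", 53),     # our hosts may resolve DNS outbound
]

# Same rules with the specific deny moved above the broad allows.
# In a first-match ACL a deny placed below an "any" allow never fires.
HARDENED_ACL = [PERIMETER_ACL[2], PERIMETER_ACL[0], PERIMETER_ACL[1], PERIMETER_ACL[3]]

if __name__ == "__main__":
    ssh_probe = {"src": "192.0.2.5", "dst": "203.0.113.10", "proto": "tcp", "dport": 22}
    print(evaluate(PERIMETER_ACL, ssh_probe))                   # ('deny', None): implicit deny
    print(evaluate(PERIMETER_ACL, ssh_probe, default="allow"))  # ('allow', None): the implicit-allow mistake
    bad_src = {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp", "dport": 443}
    print(evaluate(PERIMETER_ACL, bad_src), evaluate(HARDENED_ACL, bad_src))  # ('allow', 0) ('deny', 0)
```

The second print shows why the question's "implicit allow" option is wrong: an SSH probe that no rule mentions sails through. The third shows that rule order matters independently of the final deny.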
multifactor authentication
All of the options presented are knowledge factors (something you know) except the 6-digit code sent by SMS to your smartphone. The SMS code is a possession factor (something you have): receiving it shows you hold the phone with that SIM. Combining this possession factor with the knowledge factor already in use (username and password) establishes multifactor authentication for the login. Note that SMS is the weakest possession factor, because codes can be intercepted through SIM-swap fraud or SS7 weaknesses; NIST SP 800-63B classifies it as "restricted", so an authenticator app or hardware token is preferred where possible.
Michelle has just finished installing a new database application on her server. She then proceeds to uninstall the sample configuration files, properly configures the application settings, and updates the software to the latest version according to her company's policy. What best describes the actions Michelle just took?
Application hardening is taking actions to secure an application against attack: removing default or sample configurations, configuring settings properly, and updating the application to the latest, more secure version. Patch management is incorrect because only the software update falls under patch management, not the configuration part of her actions. Vulnerability scanning checks a device for known vulnerabilities so it can be updated and future attacks prevented. Input validation is a technique for verifying that user-provided data meets the expected length and type before a program uses it.
You want to implement a technology to BEST mitigate the risk that a zero-day virus might infect your corporate workstations. Which of the following should you implement first?
Application whitelisting (now usually called allowlisting) only lets a program execute if it is explicitly on the approved list; everything else is blocked from running, including a brand-new virus that no signature yet describes. That makes it the BEST mitigation against a zero-day virus. An intrusion detection system might detect the anomalous activity a piece of malware creates, but it only logs or alerts on it and does not prevent it. A host-based firewall may stop the malware from reaching a remote server, but it does not prevent the infection or stop the code from executing. An anti-malware solution is a good investment, but a zero-day virus by definition has no entry in its signature database, so only heuristic or behavioural engines have a chance of catching it.
What type of malware is designed to be difficult for malware analysts to reverse engineer?
Armored viruses use various techniques to protect themselves from being reverse engineered, such as changing their code during execution, encrypting their payloads, and detecting debuggers or analysis sandboxes.
You have been asked to determine if one of your company's web servers is vulnerable to a recently discovered attack on an old version of SSH. Which technique should you use to determine the current version of SSH running on the web server?
Banner grabbing means actively connecting to the service, with telnet or netcat for example, and recording the identification string it returns. An SSH server sends its banner first (for example SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6), which reveals the protocol version, the software and its version number, and often a hint about the operating system. This is the fastest and easiest way to learn the SSH version on the web server. A vulnerability scanner, protocol analyzer or passive scan could also reveal the version, but they are slower and less direct. Treat the banner as a hint, not proof: administrators can alter or strip it, and distribution packages backport fixes without changing the upstream version string, so the definitive check is the vendor's advisory against the installed package version.
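As an added example (not code from the original notes), the following grabs an SSH banner over TCP and parses it according to the identification-string format in RFC 4253, turning the announced version into a tuple that can be compared against a minimum. The network function only does anything against a live host; the parser is exercised on constructed banners, and the threshold version passed to older_than() is an assumption for illustration, not a reference to any specific vulnerability.

```python
"""Banner grabbing an SSH service and parsing the version it announces.

Added example for these notes. grab_ssh_banner() opens a real TCP
connection and is only meaningful against a live host; parse_ssh_banner()
is demonstrated on constructed banners. The version threshold passed to
older_than() is an assumption for illustration.
"""
import re
import socket

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# Split "OpenSSH_8.9p1" into ("OpenSSH", "8.9"); also handles "dropbear_2019.78", "Cisco-1.25"
_SOFTWARE_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9]*)[_-]?(?P<ver>\d+(?:\.\d+)*)")


def grab_ssh_banner(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """Connect and read the server's identification line (the SSH server speaks first)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while not data.endswith(b"\n") and len(data) < 255:   # RFC 4253 caps the line at 255 bytes
            chunk = sock.recv(255 - len(data))
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", errors="replace")


def is_ssh_banner(line: str) -> bool:
    return _BANNER_RE.match(line.rstrip("\r\n")) is not None


def parse_ssh_banner(line: str) -> dict:
    m = _BANNER_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an SSH identification string: %r" % line)
    software = m.group("software")
    sw = _SOFTWARE_RE.match(software)
    version = tuple(int(x) for x in sw.group("ver").split(".")) if sw else ()
    return {
        "proto": m.group("proto"),
        "software": software,
        "name": sw.group("name") if sw else software,
        "version": version,                 # numeric tuple for comparison, e.g. (8, 9)
        "comments": m.group("comments"),    # often a distro hint, e.g. "Ubuntu-3ubuntu0.6"
    }


def older_than(line: str, minimum):
    """True/False if the announced version is below minimum; None if it cannot be parsed."""
    version = parse_ssh_banner(line)["version"]
    if not version:
        return None
    return version < tuple(minimum)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    banner = grab_ssh_banner(target)
    print(banner.strip(), parse_ssh_banner(banner))
```

Run it with a host name to see a live banner; the None return from older_than() is deliberate so that an unparseable or stripped banner is never silently treated as "safe" or "vulnerable".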
Hacktivist
Based on the message in the website defacement, the attack appears to have been motivated by a pro-environmentalist agenda. This is an example of hacktivism. In 2012, five top multinational oil companies were targeted by members of Anonymous as a form of digital protest against drilling in the Arctic, a practice these hacktivists believe has contributed to the melting of the ice caps there.
During your lunch break, your phone begins to receive unsolicited messages. What might this be an example of?
Bluejacking is sending unsolicited messages over Bluetooth to Bluetooth-enabled devices such as smartphones and tablets. Bluesnarfing, by contrast, is taking data from a smartphone or tablet over Bluetooth without permission. Bluetooth has a limited range, so the attacker is probably within about 10 meters of the victim's device (the range of a Class 2 radio; Class 1 devices can reach roughly 100 meters). Geotagging is embedding geolocation coordinates into a piece of data, normally a photo or video. Packet sniffing is passively capturing network traffic for later analysis.
An analyst is reviewing the logs from the network and notices that there have been multiple attempts from the open wireless network to access the networked HVAC control system. The open wireless network must remain openly available so that visitors are able to access the internet. How can this type of attack be prevented from occurring in the future?
By using NAC, each machine joining the open wireless network can be checked for compliance and identified either as a known machine that may reach the internal network or as an unknown machine that is placed into an internet-only segment with no route to the HVAC control system. A VLAN alone is useful for segmenting traffic, but if traffic is still routed to and from the HVAC VLAN it will not stop someone on the open wireless network from attempting to log in to the HVAC controls. An IDS would detect the attempted logins but cannot prevent them; an IPS would be needed for that.
The public library has had a recent issue with their laptops being stolen from their computer lab. Since this is a public library, it is not a high security area and is fully accessible by patrons during the day. What is the best way to prevent the theft of the laptops?
Cable locks are the best solution: they physically tether the laptops to the desks in the computer lab and prevent theft. CCTV is a deterrent or detective control, but it requires someone to monitor it to catch the theft. Mobile device management is focused on tablets and phones, not laptops. Motion sensors are useless during the library's open hours, since authorized patrons are allowed into the lab during the day; a laptop stolen in daylight would never trigger an alarm.
During a security audit, you discovered that customer service employees have been sending unencrypted confidential information to their personal email accounts via email. What technology could you employ to detect these occurrences in the future and send an alert to the appropriate security personnel?
Data loss prevention (DLP) software detects potential data breaches and exfiltration attempts and prevents them by monitoring, detecting and blocking sensitive data in use, in motion and at rest. It can be configured to detect and alert on future occurrences of this issue. Secure Sockets Layer (SSL) is a distraction in this question, since the question asks about information being sent unencrypted; with SSL (today TLS) the connection between the client and the email server would be encrypted, but the information would still be sent to an employee's personal email account, which is a loss of the company's control over the confidential data. Mobile Device Management (MDM) software configures and secures mobile devices such as smartphones and tablets. Unified Threat Management (UTM) is a device that combines firewall, anti-malware and IDS functions in a single appliance. Some UTMs include DLP functionality, but DLP is the better answer to this question.
Your company has just finished replacing all of its computers with brand new workstations. Colleen, one of your coworkers, has asked the owner of the company if she can have the old computers that are about to be thrown away. Colleen would like to refurbish the old computers by reinstalling a new operating system and donate them to a local community center for disadvantaged children in the neighborhood. The owner thinks this is a great idea, but is concerned that the private and sensitive corporate data on the old computers' hard drives might be placed at risk of exposure. You have been asked to choose the best solution to sanitize or destroy the data while ensuring the computers will still be usable by the community center. What type of data destruction or sanitization method do you recommend?
Data wiping (overwriting) uses a software tool to overwrite every sector of a hard drive, destroying the stored data while leaving the drive functional for reuse. Historically wiping tools offered 1, 3, 7 or 35 passes, with more passes advertised as more secure; current guidance (NIST SP 800-88) treats a single verified overwrite pass as sufficient for modern magnetic drives, and for SSDs recommends the drive's built-in sanitize or cryptographic-erase command instead, because wear levelling leaves blocks that a software overwrite never reaches. Degaussing demagnetizes the platters and destroys the drive's servo tracks along with the data, so a degaussed drive cannot be reused (and degaussing does nothing to an SSD); it is a bad solution for this scenario. Purging, in NIST terms, is sanitization strong enough to defeat laboratory recovery techniques, using the device's own firmware commands or an external degausser; when done by degaussing, the device is not reusable. Shredding is physical destruction of the drive: secure, but it obviously does not allow the hardware to be donated afterwards.
You have recently been hired as a security analyst at Small Time Corporation. On your first day, your supervisor begins to explain the way their network is configured, showing you the physical and logical placement of each firewall, IDS sensor, host-based IPS installations, the networked spam filter, and the DMZ. What best describes how these various devices are incorporated into the network for the best level of security?
Defense in depth is the concept of layering various network appliances and configurations to create a more secure and defensible architecture. Small Time Corporation appears to be using various host-based and network-based devices to help ensure there are multiple layers of security in the network.
Dumpster diving
Dumpster diving is searching through publicly accessible garbage cans or recycling bins for discarded paper, manuals, or other valuable information from a targeted company. It is often done as part of the reconnaissance phase before an attack.
Sarah is working at a startup that is focused on making secure banking apps for smartphones. Her company needs to select an asymmetric encryption algorithm to protect the data used by the app. Because the banking data requires high security, the company needs to ensure that whatever encryption it uses is considered strong, but it also needs to minimize the processing power required, since the app will run on a mobile device with limited computing power. Which algorithm should Sarah choose to provide the same high encryption strength with a shorter key length?
Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. Its main benefit over non-ECC public-key cryptography is that an application achieves the same level of security with a much shorter key. For example, a 256-bit ECC key provides roughly the same security (about 128 bits) as RSA or Diffie-Hellman with a 3072-bit key, per NIST SP 800-57. The shorter keys mean smaller signatures and certificates and far less computation per operation, which is what matters on a phone.
False acceptance rate
False acceptance rate (FAR), also called a Type II error, is the likelihood that a biometric system incorrectly accepts an access attempt by an unauthorized user. The false rejection rate (FRR, Type I error) is the proportion of attempts by authorized users that are wrongly denied. The two trade off against each other through the match threshold: tightening it lowers FAR and raises FRR. The threshold at which the two rates are equal is the crossover error rate (CER), the usual single figure for comparing biometric systems; a lower CER indicates a more accurate system.
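The trade-off between the two rates is easiest to see on numbers, so here is an added example (not from the original notes) that computes FAR and FRR from constructed match scores at a chosen threshold and sweeps the threshold to find the crossover error rate. The scores and the convention "higher score means a better match, accept when score >= threshold" are assumptions for the illustration.

```python
"""FAR, FRR and crossover error rate from biometric match scores.

Added example for these notes. The scores are constructed: higher means a
closer match, and an attempt is accepted when score >= threshold.
"""

GENUINE = [0.91, 0.88, 0.95, 0.72, 0.83, 0.79, 0.93, 0.86, 0.68, 0.90]   # authorized users' attempts
IMPOSTOR = [0.12, 0.35, 0.41, 0.22, 0.58, 0.30, 0.75, 0.18, 0.27, 0.44]  # unauthorized attempts


def far(impostor_scores, threshold: float) -> float:
    """Type II error: fraction of impostor attempts wrongly accepted."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold: float) -> float:
    """Type I error: fraction of genuine attempts wrongly rejected."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def error_rates(genuine_scores, impostor_scores, threshold: float):
    return far(impostor_scores, threshold), frr(genuine_scores, threshold)


def crossover(genuine_scores, impostor_scores, steps: int = 100) -> float:
    """Sweep thresholds in [0, 1] and return the first one where FAR and FRR are closest.
    That threshold's shared error value is the crossover error rate (CER)."""
    best_threshold, best_gap = None, None
    for i in range(steps + 1):
        t = i / steps
        gap = abs(far(impostor_scores, t) - frr(genuine_scores, t))
        if best_gap is None or gap < best_gap:
            best_threshold, best_gap = t, gap
    return best_threshold


if __name__ == "__main__":
    for t in (0.5, 0.7, 0.8):
        print("threshold %.2f  FAR %.2f  FRR %.2f" % ((t,) + error_rates(GENUINE, IMPOSTOR, t)))
    cer_t = crossover(GENUINE, IMPOSTOR)
    print("crossover at threshold %.2f, CER %.2f" % (cer_t, far(IMPOSTOR, cer_t)))
```

Loosening the threshold to 0.5 drives FRR to zero at the cost of accepting two impostor attempts; tightening it to 0.8 rejects every impostor but locks out three legitimate users. Which side of the crossover to sit on is a policy decision: a data-center door wants a low FAR, a consumer phone unlock tolerates a higher one.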
In an effort to improve the security of the network, a security administrator wants to update the configuration of their wireless network in order for it to have IPSec built into the protocol by default. Additionally, the security administrator would like for NAT to no longer be required for extending the number of IP addresses available. What protocol should the administrator implement on the wireless network to achieve their goals?
IPv6 was designed with IPsec as part of the protocol suite (support was originally mandatory for every IPv6 node and is now a SHOULD under RFC 6434), whereas for IPv4 IPsec is an add-on. IPv6 also provides a 128-bit address space, which removes the address-exhaustion reason for using NAT. IPv4 offers neither by default. WPA2 (and its successor WPA3) are wireless encryption standards for Wi-Fi; they protect the radio link but include neither IPsec nor a larger address space. WEP is an obsolete and broken wireless encryption standard and does not provide these features either. Note that "built into the protocol" does not mean IPsec is on automatically: it still has to be configured and keyed.
Black Box
In a black box assessment, the penetration tester takes the role of an external attacker with no internal knowledge of the target system. Testers receive no architecture diagrams or source code beyond what is publicly available, so a black-box penetration test shows which vulnerabilities are exploitable from outside the network. Its drawback is that much of the engagement is spent on discovery, so coverage is less complete than a grey- or white-box test of the same duration.
In an effort to increase the security of their passwords, Ted's company has added a salt and cryptographic hash to their passwords prior to storing them. To further increase security, they run this process many times before storing the passwords. What is this technique called?
In cryptography, key stretching techniques make a possibly weak key, typically a password or passphrase, more resistant to brute-force attack by increasing the work needed to test each candidate. Salting and then repeatedly hashing the password, as the question describes, is the basic form; the standardized implementations are PBKDF2, bcrypt, scrypt and Argon2, which let the iteration count (work factor) be raised over time as hardware gets faster. The salt is stored alongside the hash, so it adds no secrecy; its job is to defeat precomputed (rainbow) tables and to ensure that identical passwords hash differently.
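The following added example (not code from the original notes) shows both the literal procedure the question describes, hash the salted password and re-hash the result many times, and the standardized form of it, PBKDF2-HMAC-SHA256 from Python's standard library, with a verify function that uses a constant-time comparison. The stored-record layout scheme$iterations$salt$hash and the 600,000-iteration work factor are assumptions chosen for illustration; the sample password is constructed.

```python
"""Key stretching: salted, iterated password hashing.

Added example for these notes. naive_stretch() is the literal procedure the
question describes; hash_password()/verify_password() use PBKDF2-HMAC-SHA256
from the standard library. The record format and the iteration count are
assumptions chosen for illustration.
"""
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # assumed work factor; raise it as hardware gets faster


def naive_stretch(password: str, salt: bytes, rounds: int) -> bytes:
    """Hash salt+password, then re-hash the digest (rounds - 1) more times."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def hash_password(password: str, iterations: int = ITERATIONS, salt: bytes = None) -> str:
    """Return a self-describing record scheme$iterations$salt$hash. Storing the
    parameters with the hash lets the work factor be raised later without
    breaking records written under the old setting."""
    salt = salt if salt is not None else secrets.token_bytes(16)   # per-user random salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    scheme, iterations, salt_b64, hash_b64 = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme: " + scheme)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(iterations), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)   # constant-time comparison


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record),
          verify_password("Tr0ub4dor&3", record))
```

Tune the iteration count so that one verification costs on the order of 100 ms on the server that will run it: that is negligible for a user logging in once, but it multiplies an attacker's cost per guess by the same factor.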
What type of access control provides the strongest level of protection?
Mandatory Access Control (MAC) requires all access to be predefined based on system classification, configuration and authentication; users cannot change permissions on objects they own, as they can under discretionary access control. MAC is commonly used in highly centralized environments and usually relies on a series of labels, such as classification levels of the data, that the operating system enforces on every access.
Which of the following would be considered multi-factor authentication?
Multi-factor authentication requires a user to provide at least 2 different forms of authentication. This can be something you know (username, password, pin), something you have (token, key fob, smartphone), something you are (fingerprint, retina scan), something you do (the way you speak a phrase or sign your name), or somewhere you are (location factor based on IP address or geolocation).
Your company uses a wired network throughout the building to provide network connectivity. You are concerned that a visitor might plug a laptop into a Cat 5e wall jack in the lobby and access the corporate network. What technology should you use to prevent the user from gaining access to network resources if they are able to plug a laptop into the network?
Network Access Control (NAC) is an approach to security that ties together endpoint posture checking, user or device authentication and network enforcement. NAC restricts which resources a given user or device can reach, can require anti-threat software such as firewalls, antivirus and anti-spyware to be present and current before granting access, and continues to regulate what the device may do once connected. For a wired jack in a lobby, NAC is typically enforced with IEEE 802.1X port-based authentication on the switch: a device that cannot authenticate is denied or quarantined into a guest VLAN with no path to corporate resources, so an unknown laptop plugged into the wall jack gets nothing.
You just received an email from Bob, your investment banker, stating that he completed the wire transfer of $10,000 to your bank account in Vietnam. The problem is, you don't have a bank account in Vietnam! You immediately call Bob to ask what is happening. Bob explains that he received an email from you requesting the transfer. You insist you never sent that email to Bob initiating the transfer. What aspect of PKI is used to BEST ensure that a sender actually sent a particular email message?
Non-repudiation means a sender cannot credibly deny having sent a message they did send. In PKI it is provided by a digital signature attached to each email: the sender's mail client hashes the message contents and signs that hash with the sender's private key. The receiver recomputes the hash over the received message, verifies the signature with the sender's public key (taken from the sender's certificate) and confirms the two hashes match, which proves both integrity and origin. Non-repudiation holds only as long as the private key stays under the sender's exclusive control; a shared secret such as an HMAC key cannot provide it, because either party could have produced the tag. Had Bob's firm required S/MIME-signed instructions for wire transfers, the forged request could have been rejected.
weak password
Password policies often enforce a mixture of the standard character classes: uppercase letters, lowercase letters, numbers and symbols. By that measure 'pa55word' is the weakest choice, since it uses only lowercase letters and numbers. 'Pa55w0rd' scores higher with uppercase letters, lowercase letters and numbers; 'P@$$W0RD' is similar, with uppercase letters, numbers and special characters; and 'P@5$w0rd' satisfies all four classes. In practice all four are the word 'password' with predictable character substitutions, and any password cracker with a basic "leetspeak" mangling rule recovers every one of them in seconds. Length and unpredictability matter far more than character-class mix, which is why NIST SP 800-63B recommends screening candidates against breached-password lists rather than enforcing composition rules.
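To show the gap between the policy score and real strength, here is an added example (not from the original notes) that scores the four candidates by character class and then undoes the common substitutions to reveal that all of them reduce to one wordlist entry. The substitution table and the six-word stand-in for a breached-password list are constructed.

```python
"""Character-class complexity versus real strength.

Added example for these notes. All four candidate passwords from the
question reduce to the same dictionary word once common substitutions are
undone; the substitution table and the tiny wordlist are constructed.
"""
import string

# Common "leetspeak" substitutions, mapped back to the letter they stand in for.
_UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                         "0": "o", "5": "s", "$": "s", "7": "t"})

# A stand-in for a real breached-password list.
WORDLIST = {"password", "welcome", "letmein", "qwerty", "dragon", "monkey"}


def count_classes(pw: str) -> int:
    """How many of the four policy character classes the password touches."""
    return sum([
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.digits for c in pw),
        any(c not in string.ascii_letters + string.digits for c in pw),
    ])


def normalize(pw: str) -> str:
    """Undo substitutions and case so 'P@5$w0rd' becomes 'password'."""
    return pw.translate(_UNLEET).lower()


def guessable(pw: str, wordlist=WORDLIST) -> bool:
    """True if the password is a mangled form of a wordlist entry. A cracker
    does the mirror image (mangles the wordlist) and reaches the same result."""
    return normalize(pw) in wordlist


def assess(pw: str) -> dict:
    return {"classes": count_classes(pw), "base_word": normalize(pw), "guessable": guessable(pw)}


if __name__ == "__main__":
    for candidate in ("pa55word", "Pa55w0rd", "P@$$W0RD", "P@5$w0rd", "xk9#Lq2vTz"):
        print(candidate, assess(candidate))
```

The last candidate scores the same four classes as 'P@5$w0rd' but does not normalize to anything in the list, which is the property a screening check should actually be looking for.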
A company is using RADIUS authentication to connect a network client to a networked file server by providing its authentication credentials. The file server then uses the authentication credentials to issue a RADIUS authentication request to the RADIUS server. The RADIUS server then is able to exchange RADIUS authentication messages with the file server on behalf of the client. Throughout this process, a shared secret is used to protect the communication. Which of the following technologies relies upon the shared secret?
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol, operating on UDP port 1812 for authentication (and 1813 for accounting), that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service. RADIUS never sends the user's password in the clear: the client obfuscates it by XORing it with an MD5 hash of the shared secret concatenated with the random Request Authenticator, and the server proves it knows the same shared secret by computing an MD5 hash over the response packet plus the shared secret (the Response Authenticator). The shared secret is therefore what RADIUS relies upon to protect these communications, which is also why a weak or widely shared secret undermines the whole exchange.
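The two uses of the shared secret described above, as an added example that is not part of the original question bank: the User-Password hiding and the Response Authenticator as specified in RFC 2865, written here in plain Python. The shared secret, password and the fixed Request Authenticator are constructed sample values (a real client draws the Request Authenticator from a secure random source); the attribute bytes in the response are left empty for brevity.

```python
import hashlib
import hmac
import os
import struct

RADIUS_HEADER_LEN = 20          # code(1) + identifier(1) + length(2) + authenticator(16)
ACCESS_ACCEPT = 2


def hide_user_password(password: bytes, shared_secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, then XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    previous = request_auth
    for offset in range(0, len(padded), 16):
        mask = hashlib.md5(shared_secret + previous).digest()
        block = bytes(p ^ m for p, m in zip(padded[offset:offset + 16], mask))
        hidden += block
        previous = block                  # chaining: next mask depends on this ciphertext block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, shared_secret: bytes, request_auth: bytes) -> bytes:
    """Server side: reverse the chaining with the same secret and authenticator."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    revealed = bytearray()
    previous = request_auth
    for offset in range(0, len(hidden), 16):
        block = hidden[offset:offset + 16]
        mask = hashlib.md5(shared_secret + previous).digest()
        revealed += bytes(c ^ m for c, m in zip(block, mask))
        previous = block
    return bytes(revealed).rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, request_auth: bytes,
                           attributes: bytes, shared_secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = RADIUS_HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_auth + attributes + shared_secret).digest()


def build_response(code: int, identifier: int, request_auth: bytes,
                   attributes: bytes, shared_secret: bytes) -> bytes:
    """Assemble a response packet the way a RADIUS server would."""
    auth = response_authenticator(code, identifier, request_auth, attributes, shared_secret)
    header = struct.pack("!BBH", code, identifier, RADIUS_HEADER_LEN + len(attributes))
    return header + auth + attributes


def verify_response(packet: bytes, request_auth: bytes, shared_secret: bytes) -> bool:
    """Client side: a forged or tampered response fails unless the forger knows the secret."""
    if len(packet) < RADIUS_HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, request_auth,
                                      packet[RADIUS_HEADER_LEN:], shared_secret)
    return hmac.compare_digest(packet[4:RADIUS_HEADER_LEN], expected)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # assumed value for the demo
    request_auth = os.urandom(16)                  # client picks this randomly per request
    hidden = hide_user_password(b"hunter2", secret, request_auth)
    print("hidden User-Password:", hidden.hex())
    print("server recovers:", reveal_user_password(hidden, secret, request_auth))
    reply = build_response(ACCESS_ACCEPT, 7, request_auth, b"", secret)
    print("Access-Accept verifies:", verify_response(reply, request_auth, secret))
    print("forged with wrong secret verifies:", verify_response(reply, request_auth, b"guess"))
```

Note that this hiding is not encryption in the modern sense: MD5 is the only primitive, the secret is typically a short string, and an attacker who captures the packets can brute-force the secret offline, which is why RADIUS should be carried over a separate management network or over TLS (RadSec).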
Your company has just suffered a website defacement of its public facing web server. The CEO believes this act of vandalism may have been done by the company's biggest competitor. The decision has been made to contact law enforcement so evidence can be collected properly for use in a potential court case. Laura is a digital forensics investigator assigned to collect the evidence. She create a bit-by-bit disk image of the web server's hard drive as part of her evidence collection. Which technology should Laura use after creating the disk image to verify the data integrity of the copy matches that of the original web server's hard disk?
SHA-256 is the Secure Hash Algorithm with a 256-bit output. It is one of the most common hash algorithms in use and is employed in many applications and protocols. SHA-256 and other hashing algorithms are used to verify that a file has not been altered: if the digest of the image matches the digest computed over the original disk, the copy is bit-for-bit identical, and the recorded digest lets anyone re-verify the evidence later. RSA, 3DES, and AES are all encryption algorithms. They can ensure confidentiality, but not integrity.
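The verification step Laura would perform, as an added example that is not part of the original question bank: hash the source and the image in chunks (disk images do not fit in memory) and compare the digests, then show that a single flipped bit anywhere in the copy produces a completely different digest. The "disk" here is a constructed 1 MiB byte pattern written to temporary files; the file names are assumptions for the demo.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 one chunk at a time (works for multi-TB images)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sha256_bytes(data: bytes) -> str:
    """Digest of an in-memory buffer, for comparison with sha256_file."""
    return hashlib.sha256(data).hexdigest()


def image_matches_original(original_path: str, image_path: str) -> bool:
    """Constant-time comparison of the two hex digests."""
    return hmac.compare_digest(sha256_file(original_path), sha256_file(image_path))


def demo() -> tuple:
    """Constructed scenario: a faithful image verifies, a copy with one flipped bit does not."""
    disk = bytes(range(256)) * 4096                      # 1 MiB of constructed sector data
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "sda.raw")      # stands in for the seized drive
        image = os.path.join(workdir, "sda.dd")          # bit-for-bit copy
        tampered = os.path.join(workdir, "sda-bad.dd")   # copy with a single-bit error
        with open(original, "wb") as fh:
            fh.write(disk)
        with open(image, "wb") as fh:
            fh.write(disk)
        damaged = bytearray(disk)
        damaged[len(damaged) // 2] ^= 0x01               # flip one bit in the middle
        with open(tampered, "wb") as fh:
            fh.write(bytes(damaged))
        return image_matches_original(original, image), image_matches_original(original, tampered)


if __name__ == "__main__":
    good, bad = demo()
    print("faithful image matches:", good)
    print("one-bit-damaged image matches:", bad)
```

In practice the digest is computed by the imaging tool at acquisition time and written into the chain-of-custody record, so that any later copy can be checked against the same value without access to the original drive.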
Scarcity
Scarcity is used to create a fear in a person that they might miss out on a special deal or offer. This technique is used in advertising all the time, with phrases such as "supplies are limited" and "only available for the next 4 hours", and other such artificial limitations.
Hilda needs a cost-effective backup solution that would allow for the restoration of data within a 24 hour RPO. The disaster recovery plan requires that backups occur during a specific timeframe each week and then the backups should be transported to an offsite facility for storage. What strategy should Hilda choose to BEST meet these requirements?
Since the RPO must be within 24 hours, either daily or hourly backups must be conducted. Since the requirement is for backups to be conducted at a specific time each week, hourly snapshots would not meet this requirement and are not easily transported, since they are performed as a disk-to-disk backup. Replication to a hot site also doesn't allow for transportation of the data to an offsite facility for storage, and replication would occur continuously throughout the day. Therefore, a daily incremental backup should be conducted, since it requires the least amount of time to perform, the tapes can easily be transported for storage, and the data can be restored incrementally from tape starting with the last full backup.
(Sample Simulation - On the real exam for this type of question, you would have access to the log files to determine which server on a network might have been affected, and then choose the appropriate actions.) A cybersecurity analyst has determined that an attack has occurred against your company's network. Fortunately, your company uses a good system of logging with a centralized SYSLOG server, so all the logs are available, were collected, and have been stored properly. According to the cybersecurity analyst, the logs indicate that the database server was the only company server on the network that appears to have been attacked. The network is a critical production network for your organization, therefore you have been asked to choose the LEAST disruptive actions on the network while performing the appropriate incident response actions. Which actions do you recommend as part of the response efforts?
Since the database server is part of a critical production network, it is important to work with the business to time the period of remediation to minimize productivity losses. You can immediately begin to capture network traffic since this won't affect the database server or the network (least intrusive) while scheduling a period of downtime in which to take a forensic image of the database server's hard drive. All network captures and the hard drive should be maintained under the chain of custody in case it is needed for criminal prosecution or civil action after remediation. The server should be remediated and brought back online once the image has been created of its hard drive.
Session hijacking
Since the firewall is properly configured and the anti-malware solution is up to date, this signifies that a zero-day vulnerability may have been exploited. A zero-day vulnerability is a hole in software that is unknown to the vendor, so no patch or signature has been released for it yet. Attackers exploit the hole before the vendor becomes aware of it and hurries to fix it; such an exploit is called a zero-day attack. Zero-day attacks can include infiltrating malware or spyware, or allowing unwanted access to user information.
Brute force attack
Since the policy locks the student out for 15 minutes between attempts, it is a valid mitigation against a brute force attack. By forcing a waiting period, the number of guesses an attacker can make in a given time drops dramatically, so the brute force attempts become far less effective.
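The lockout logic the policy describes, as an added example that is not part of the original question bank: a small per-account counter that locks the account for a fixed period after a threshold of failed attempts, with an injectable clock so the behaviour can be tested without waiting, and a helper that shows how few guesses the policy leaves an online attacker per day. The threshold of five attempts and the usernames are assumptions for the demo.

```python
import time


class LockoutPolicy:
    """Lock an account for lockout_seconds after `threshold` consecutive failures."""

    def __init__(self, threshold: int = 5, lockout_seconds: int = 15 * 60, clock=time.time):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.clock = clock                      # injectable for testing
        self._state = {}                        # username -> (failure_count, locked_until)

    def attempt(self, username: str, password_ok: bool) -> str:
        """Return 'success', 'failed' or 'locked' for one login attempt."""
        now = self.clock()
        failures, locked_until = self._state.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"                     # even a correct password is refused while locked
        if password_ok:
            self._state.pop(username, None)     # reset the counter on success
            return "success"
        failures += 1
        if failures >= self.threshold:
            self._state[username] = (0, now + self.lockout_seconds)
            return "locked"
        self._state[username] = (failures, locked_until)
        return "failed"

    def seconds_until_unlock(self, username: str) -> float:
        _, locked_until = self._state.get(username, (0, 0.0))
        return max(0.0, locked_until - self.clock())


def max_guesses_per_day(threshold: int, lockout_seconds: int) -> int:
    """Rough upper bound on online guesses an attacker gets against one account per day."""
    return threshold * (24 * 60 * 60 // lockout_seconds)


if __name__ == "__main__":
    # Constructed fake clock so the demo runs instantly.
    fake_now = [0.0]
    policy = LockoutPolicy(threshold=5, lockout_seconds=900, clock=lambda: fake_now[0])
    for guess in range(5):
        print("attacker guess", guess + 1, "->", policy.attempt("student", password_ok=False))
    print("real user during lockout ->", policy.attempt("student", password_ok=True))
    fake_now[0] += 900
    print("real user after 15 min ->", policy.attempt("student", password_ok=True))
    print("guesses per day under this policy:", max_guesses_per_day(5, 900))
```

The trade-off a practitioner should keep in mind is that lockout turns a password-guessing attack into a denial-of-service one: an attacker who knows a username can keep that account locked by sending bad passwords, so lockout events belong in monitoring and should be paired with rate limiting by source address.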
(Sample Simulation - On the real exam for this type of question, you may receive a list of different RAID types and asked to visually display which hard drives in the RAID are used for redundant data storage as either a stripe or a mirror. Then, you will have to identify which RAID type is most appropriate for each type of server shown.) You are configuring a RAID drive for a Media Streaming Server. Your primary concern is speed of delivery of the data. This server has two hard disks installed. What type of RAID should you install? What type of data will be stored on Disk 1 and what type of Disk 2?
Since this is a Media Streaming Server, you should implement RAID 0, which stripes the data across both drives. This will increase the speed of data delivery, but provides no redundancy. If you were concerned with redundancy, then you should choose RAID 1, which keeps a mirror of the data on both hard disks. You cannot use RAID 5, since it requires a minimum of 3 disk drives and stripes the data with parity across the hard disks. You also cannot use RAID 6, since it requires at least 4 hard disks with dual parity and disk striping. RAID 10 also requires 4 hard disks, and is a mirror of striped drives (combining the benefits of RAID 1 and RAID 0).
The local electrical power plant contains both business networks and ICS/SCADA networks to control their equipment. Which technology should the power plant's security administrators look to implement first as part of the critical defenses of the ICS/SCADA systems?
Since this question is focused on the ICS/SCADA network, the best solution would be to implement an Intrusion Prevention System on the network. ICS/SCADA machines utilize very specific commands to control the equipment, so to prevent malicious activity you could set up strict rules in the IPS to block unknown types of actions. Log consolidation is a good idea, but it won't prevent an issue and therefore isn't the most critical thing to add first. Automated patch management should not be conducted, as ICS/SCADA systems must be tested prior to applying any patches. Often, patches will break ICS/SCADA functionality. Antivirus software may or may not be able to run on the equipment, as well, since some ICS/SCADA systems don't rely on standard operating systems like Windows.
Your company is concerned with the possibility of employees accessing other user's workstations in secured areas without their permission. Which of the following would BEST be able to prevent this from happening?
The BEST choice is to implement biometric identification for user logins, such as a fingerprint reader or a retina scanner. This would ensure that even if an employee could discover another employee's username and password, they would be prevented from logging into the workstation without the employee's finger or eye to scan. Enforcing a short password expiration period can limit the damage that is possible when a password is disclosed, but it won't prevent a login during the period in which the password is valid. Security cameras may act as a deterrent or detective control, but they cannot prevent an employee from logging into the workstation as another employee. Security cameras could be used to determine who actually logged in (after the fact), though.
Which protocol relies on mutual authentication of the client and the server for its security?
The Lightweight Directory Access Protocol (LDAP) uses a client-server model for authentication. LDAP is used to enable access to a directory of resources (workstations, users, information, etc).
Authentication Factors
The five factors of authentication are knowledge, possession, biometric, action, and location. These are also known as 'something you know', 'something you have', 'something you are', 'something you do', and 'somewhere you are'.
MTBF of hardware
The mean time between failure (MTBF) is the measure of the anticipated rate of failure for a system or component. This is effectively a measurement of the component's expected lifespan. If the HVAC capacity is increased, the server room can maintain a cooler temperature range. Datacenters produce a lot of heat from the equipment being operated. Excessive heat can damage components and cause premature hardware failure, therefore increasing the HVAC capacity and airflow can lead to longer lifespans for servers and networking equipment.
Your company has recently experienced a data breach and has lost nearly 1 GB of personally identifiable information about your customers. You have been assigned as part of the incident response team to identify how the data was leaked from the network. Your team has conducted an extensive investigation and so far, the only evidence of a large amount of data leaving the network is from the email server. There is one user that has sent numerous large attachments out of the network to their personal email address. Upon closer inspection, those emails only contain pictures of that user's recent trip to Australia. What is the most likely explanation of how the data left the network?
The most likely explanation is that the user has used steganography to hide the leaked data inside their photos from their trip. Steganography is the process of hiding one message inside another. By hiding the customer's information within the digital photos, the incident response team would not be able to see the data being hidden without knowing to look for it inside the seemingly benign pictures from the trip. The scenario did not mention whether or not the user connected to the corporate VPN from their home, and all VPN connections should be logged by the company, so this is not the correct answer. Additionally, the user could not hash the data and email it to themselves without losing the information itself. Hashes are a one-way algorithm, so if the user had the hash value, they would not have the personal information of the customers. Finally, the user's email showed no evidence of encrypted files being sent, according to the scenario.
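The hiding technique the explanation refers to, as an added example that is not part of the original question bank: least-significant-bit (LSB) steganography, the simplest image-based method, implemented over a constructed 64x64 8-bit grayscale "photo" held as a byte buffer so it runs without any imaging library. A 4-byte length header is prefixed to the payload so the extractor knows where it ends; the cover pattern and the sample customer record are constructed for the demo.

```python
def make_cover(width: int = 64, height: int = 64) -> bytes:
    """Constructed 8-bit grayscale gradient standing in for a holiday photo."""
    return bytes((x * 3 + y * 5) % 256 for y in range(height) for x in range(width))


def capacity(cover: bytes) -> int:
    """Payload bytes that fit: one bit per sample, minus the 4-byte length header."""
    return len(cover) // 8 - 4


def _bits(data: bytes):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of successive samples with the payload bits.
    Each sample changes by at most 1, which is invisible in a photo."""
    if len(payload) > capacity(cover):
        raise ValueError("payload too large for this cover")
    framed = len(payload).to_bytes(4, "big") + payload
    stego = bytearray(cover)
    for index, bit in enumerate(_bits(framed)):
        stego[index] = (stego[index] & 0xFE) | bit
    return bytes(stego)


def _read(stego: bytes, byte_offset: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs starting at payload byte `byte_offset`."""
    out = bytearray()
    for k in range(count):
        value = 0
        for bit in range(8):
            value = (value << 1) | (stego[(byte_offset + k) * 8 + bit] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Read the length header, then that many payload bytes."""
    length = int.from_bytes(_read(stego, 0, 4), "big")
    if length > capacity(stego):
        raise ValueError("no valid payload found")
    return _read(stego, 4, length)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """How much any single pixel moved; for LSB embedding this is never more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    photo = make_cover()
    # Constructed customer record, standing in for the leaked PII.
    record = b"cust_id,name,ssn\n1001,A. Customer,123-45-6789\n"
    stego_photo = embed(photo, record)
    print("bytes hidden:", len(record), "of", capacity(photo), "capacity")
    print("largest pixel change:", max_sample_change(photo, stego_photo))
    print("recovered:", extract(stego_photo))
```

The detection lesson is the same one the explanation draws: the stego image is the same size as the original and looks identical, so a DLP or mail filter that only inspects file types and sizes will not catch it. Statistical tests on LSB distributions, or simply re-encoding outbound images (which destroys the hidden bits), are the practical countermeasures.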
Frank and John have started a secret club together. They want to ensure that when they send messages to each other, they are truly unbreakable. What encryption key would provide the STRONGEST and MOST secure encryption?
The only truly unbreakable encryption is a one-time pad. Every message is encrypted with a different, truly random key that is at least as long as the message and known only to the two holders of the pad, so there is no pattern in the key for an attacker to guess or find. Even if one message's key were somehow recovered, every other message would remain secure, since each uses a different key. Unfortunately, one-time pads require that two identical copies of the pad be produced and distributed securely before use, that the key material be truly random, and that no portion of the pad ever be reused; reusing a pad for two messages leaks the XOR of the two plaintexts. DES and AES both rely on a single shared secret key, which with enough time and computing power could be recovered. DES has already been broken, while AES remains unbroken (today). RSA is also vulnerable to attack with enough time and computing power.
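The one-time pad, and the failure mode that makes it hard to use in practice, as an added example that is not part of the original question bank: XOR encryption with a pad from the OS cryptographic random source, plus a demonstration that if Frank reuses the same pad for two messages, an eavesdropper who learns either plaintext recovers the other without the key. The club messages are constructed sample text.

```python
import secrets


def generate_pad(length: int) -> bytes:
    """Truly random key material; must be generated once and used once."""
    return secrets.token_bytes(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return xor_bytes(plaintext, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    if len(pad) < len(ciphertext):
        raise ValueError("pad must be at least as long as the ciphertext")
    return xor_bytes(ciphertext, pad)      # XOR is its own inverse


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If both ciphertexts used the same pad, c1 XOR c2 == m1 XOR m2: the pad cancels out."""
    return xor_bytes(c1, c2)


def recover_other_message(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """With one plaintext known (or guessed), the other falls out with no key at all."""
    return xor_bytes(two_time_pad_leak(c1, c2), known_m1)


if __name__ == "__main__":
    # Constructed sample messages of equal length.
    m1 = b"Meet at the old mill at 0900"
    m2 = b"Bring the ledger and the key"
    pad = generate_pad(len(m1))
    c1 = otp_encrypt(m1, pad)
    print("decrypts correctly:", otp_decrypt(c1, pad) == m1)
    c2 = otp_encrypt(m2, pad)                  # MISTAKE: pad reused for a second message
    print("attacker with m1 recovers m2:", recover_other_message(c1, c2, m1))
```

The pad must therefore be as large as all traffic the club will ever exchange and be destroyed as it is consumed; that key-distribution burden, not any weakness in the math, is why one-time pads are rarely used outside very specialised settings.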
digital evidence collection order
The order of volatility states that you should collect the most volatile (least persistent) data first, and the least volatile (most persistent) data last. The most volatile data resides in the CPU Cache, since this small memory cache is overwritten quickly during computer operations. Next, you should collect the data in the system memory (RAM) since it will be erased if the workstation is shutdown or the power is lost. Third, you should collect the Swap file, which is a form of temporary memory located on the hard disk. These files are also overwritten frequently during operations. Finally, you should collect the data from the hard disk, as it is the least volatile and remains on the hard disk until a command is given to delete it. Data on a hard disk remains even when power is removed from the workstation.
(Sample Simulation - On the real exam for this type of question, you would have to rearrange the steps into the proper order by dragging and dropping them into place.) What is the correct order of the Incident Response process?
The proper order of the Incident Response process is Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.
smurf pic
This illustrates a smurf attack. In this attack, a single ping with a spoofed source address is sent to the broadcast address of a network. This causes every device within the network to receive the single ping, which appears to come from the device with the spoofed source address. Each network device then responds to the spoofed address, causing the victim (whose address was spoofed) to be overwhelmed with the responses to the initial ping.
James, a programmer at Apple Computers, is surfing the internet on his lunch break. He comes across a rumor site that is focused on providing details of the upcoming iPhone being released in a few months. James knows that Apple likes to keep their product details a secret until they are publicly announced. As James is looking over the website, he sees a blog post with an embedded picture of a PDF containing detailed specifications for the next iPhone and labeled as "Proprietary Information - Internal Use Only". The new iPhone is still several months away from release. What should James do next?
This is an example of either a data leak or a data breach. James is not sure how the website got a copy of the specification details. Therefore, he should follow his organizational procedures for notifying that internal company information has been leaked to the internet. In most organizations, the service desk acts as the single point of contact for all IT issues (even possible data breaches), and they can refer James to the incident response team (if one is currently stood up). Since James works as a programmer, it is unlikely that his team lead is responsible for handling a data leak or data breach, so it is better to contact the service desk first. James should not contact the website directly nor reply to the blog post; instead he should leave the response actions to the security team and incident response team.
William would like to use full-disk encryption on his laptop. He is worried about slow performance, though, so he has requested that the laptop have an onboard hardware-based cryptographic processor. Based on this requirement, what should William ensure the laptop contains?
This question is really asking whether you know what each acronym means. A Trusted Platform Module (TPM) is a hardware-based cryptographic processor that is part of the motherboard, and it is what the laptop should contain. Pluggable Authentication Modules (PAM) is a software framework on Unix-like systems for plugging authentication methods into applications; it is not a hardware component. Full Disk Encryption (FDE) can be hardware or software-based, therefore it isn't the right answer. The Advanced Encryption Standard (AES) is a cryptographic algorithm, therefore it isn't a hardware solution.
On your lunch break, you walked down to the coffee shop on the corner. You open your laptop and connect to their wireless network. After a few minutes of surfing the internet, a pop-up is displayed on your screen. You close the pop-up, finish your lunch break, shutdown the laptop, and put it back into your backpack. When you get back to the office, you take out the laptop and turn it on, but instead of your normal desktop background you are greeted by a full screen image with a padlock and a message stating you have to pay 5 Bitcoin to regain access to your personal files. What type of malware did you accidentally get installed while at the coffee shop?
This scenario is describing a ransomware attack. Your personal files are being held hostage and will not be released unless you pay a ransom (5 Bitcoin). You should restore your machine from a known good backup, and restore your personal files from the backup, as well.
Provide Accountability
To adequately provide accountability, the use of shared or group accounts should be disabled. This allows you to log and track individual user actions based on their individual user accounts. This enables the organization to hold users accountable for their actions, too.
ALE calculation
To calculate the ALE, you need to multiply the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO). The SLE is calculated by multiplying the Exposure Factor (EF) by the Asset Value (AV). Therefore, SLE = EF x AV, and ALE = SLE x ARO. For this scenario, the asset value is $15,000, the annual rate of occurrence is 10 times per year, and the exposure factor is 5% (or 0.05). To calculate the SLE, SLE = 0.05 x $15,000 = $750. Therefore, the ALE = SLE x ARO = $750 x 10 = $7,500.
Tim, a help desk technician, receives a call from a frantic executive who states that their company issued smartphone was stolen during their lunch meeting with a rival company's executive. Tim quickly checks the MDM administration tool and identifies that the user's smartphone is still communicating with the MDM and displays the location of the device on a map. What should Tim do next to ensure the data on the stolen device remains confidential and inaccessible to the thief?
To ensure the data remains confidential and is not accessed by the thief, Tim should perform a remote wipe of the device from the MDM. This will ensure any and all corporate data is erased prior to anyone accessing it. Additionally, Tim could reset the device's password, but if the thief is able to guess or crack the password, then they would have access to the data. Identifying the IP address of the smartphone is not a useful step in protecting the data on the device. Additionally, devices should be encrypted BEFORE they are lost or stolen, not after, therefore the option to remotely encrypt the device was provided as a wrong answer and distraction.
You have decided to provide some training to your company's system administrators about the importance of properly patching a system prior to deployment. To demonstrate the effects of deploying a new system without patching it first, you ask the system administrators to provide you with an image of a brand-new server they plan to deploy. How should you deploy the image to demonstrate the vulnerabilities that are being exposed while maintaining the security of the corporate network?
To ensure the safety of your corporate network, any vulnerable image you deploy should be done within a sandboxed environment. This will ensure that an outside attacker is unable to exploit the vulnerabilities, but will still allow you to show the vulnerabilities found during a scan to demonstrate how important patching is to server security.
Susan, a help desk technician, has received several trouble tickets today related to employees receiving the same email as part of a phishing campaign. She has determined that the malicious link in the email is not being blocked by your organization's content filter or web proxy. Susan, knowing you recently earned your Security+ certification, calls you up and asks what action she can perform to prevent a user from reaching the website that is associated with the malicious link in the phishing email. What action do you recommend she perform?
To prevent a user from accessing the malicious website when the link is clicked, you should add the malicious domain name to the blacklist of your content filter and web proxy. This will ensure that no devices on your network can reach the malicious domain name. While blocking the IP address associated with the domain name might help, the owner of the malicious domain could quickly change the DNS record to point to a different IP, and then your users would still be able to access the malicious domain and its contents. Enabling TLS on your mail server will only encrypt the connection between the email server and your clients; it will not prevent your users from clicking on the malicious link. While informing your users that there is an active phishing attempt being conducted against your organization is a good idea, forwarding the phishing email with the malicious link will generally cause more users to accidentally click on the malicious link, which further exacerbates the issue.
Assuming that Company X trusts Company Y, and Company Y trusts Company Z, then we can assume Company X trusts Company Z, too. What concept of PKI does this represent?
Transitive trust occurs when X trusts Y, and Y trusts Z, therefore X trusts Z. This is because the trust flows through the second party (Y in this example) to the third party (Z).
(Sample Simulation - On the real exam for this type of question, you may receive a list of attack vectors and targets. Based on these, you would select the type of attack that occurred.) (1) An attacker has been collecting credit card details by calling victims and using false pretexts to trick them. (2) An attacker sends an email to 100,000 random email addresses. In the email the attacker sent, it claims that "Your Bank of American account has been locked out. Please click here to reset your password." What type of attacks have occurred in (1) and (2)?
Vishing is the use of a phone call to conduct information gathering and phishing type of actions. Spearphishing involves targeting specific individuals using well-crafted emails to gather information from a victim. Phishing relies on sending out a large volume of email to a broad set of recipients in the hopes of gathering the desired action or information. A hoax involves tricking a user into performing an action (such as virus remediation actions) when no infection has actually occurred. Pharming involves domain spoofing in an attempt to gather the desired information from a victim.
You need to determine the best way to test operating system patches in a lab environment prior to deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches prior to deployment?
When you have a limited amount of hardware to utilize but are required to test against multiple operating systems, you should set up a virtualized environment and test the patch on each operating system prior to deployment.
Which of the following features is only supported by Kerberos and not by RADIUS or diameter?
Whether you learned the in-depth details of each of these protocols during your studies or not, you should be able to answer this question by remembering that Kerberos is all about 'tickets'. Kerberos uses a system of tickets to allow nodes to communicate over a non-secure network and prove their identity in a secure manner. Kerberos is used heavily in Windows domain environments.
What type of wireless security measure can easily be defeated by a hacker by spoofing the hardware address of their network interface card?
Wireless access points can utilize MAC filtering to ensure only known network interface cards are allowed to connect to the network. If the hacker changes their MAC address to a trusted MAC address, though, they can easily bypass this security mechanism, and the trusted addresses are easy to learn because they are sent in the clear in every wireless frame. MAC filtering is considered a good security practice as part of a larger defense in depth strategy, but it won't stop a skilled hacker for long. MAC addresses are burned into the network interface card by the manufacturer and serve as the device's physical address, but the operating system can override the address the card transmits. WEP is the Wired Equivalent Privacy encryption standard, which is considered obsolete in modern wireless networks. An attacker can recover a WEP key within minutes by capturing enough encrypted frames, because of weaknesses in how WEP uses its RC4 initialization vectors. Another security technique is to disable the SSID broadcast of an access point. While this prevents the broadcast of the SSID, a skilled attacker can still find the SSID using discovery scanning techniques. WPS is WiFi Protected Setup. WPS is used to easily connect and configure wireless devices to an access point.
Your company has created a baseline image for all of its workstations using Windows 10. Unfortunately, the image included a copy of Solitaire and the CIO has created a policy to prevent anyone from playing the game on the company's computers. You have been asked to create a technical control to enforce the policy (administrative control) that was recently published. What should you implement?
You should create and implement an application blacklist that includes the Solitaire game on it. This will prevent the application from being able to be run on any corporate workstation. Application whitelists will allow only authorized applications to be run, while application blacklists will prevent any application listed from being run. Application hardening involves updating and patching your software (not applicable to this question). Disabling removable media is a good practice, but it won't prevent the game that was already installed from being run from the hard drive.