1-50 Flashcards
A user is attempting to navigate to a website from inside the company network using a desktop. When the user types in the URL, https://www.site.com, the user is presented with a certificate mismatch warning from the browser. The user does not receive a warning when visiting http://www.anothersite.com. Which of the following describes this attack?
a. on-path
b. Domain hijacking
c. DNS poisoning
d. Evil twin
c. DNS poisoning
Here’s how DNS poisoning fits the scenario:
DNS Poisoning (or DNS Spoofing): This attack involves corrupting the DNS resolution process in order to redirect domain name lookups to malicious IP addresses. In this case, when the user tries to access https://www.site.com, the DNS responses could have been tampered with to redirect the user to a different (potentially malicious) IP address that does not match the expected SSL certificate for www.site.com. This causes the browser to display a certificate mismatch warning because the certificate presented by the server does not match the domain name requested by the user (www.site.com). HTTP vs HTTPS: The lack of warnings for http://www.anothersite.com suggests that the DNS poisoning is specifically targeting HTTPS (SSL/TLS) connections (https://www.site.com). HTTP connections (http://www.anothersite.com) do not use SSL/TLS and thus do not trigger certificate mismatch warnings.
Here’s why the other options are less likely:
On-path: While an on-path attack involves intercepting and manipulating traffic between two parties, it typically does not specifically cause SSL certificate mismatch warnings unless combined with DNS poisoning or other techniques to redirect traffic. Domain hijacking: Domain hijacking involves unauthorized changes to domain registration records, leading to control over the domain itself. While related, it does not directly cause certificate mismatch warnings as described. Evil twin: An evil twin attack involves setting up a rogue Wi-Fi access point with the same name (SSID) as a legitimate one to intercept wireless communications. It is not directly related to DNS poisoning or causing certificate mismatch warnings in the context of accessing websites.
Which of the following tools is effective in preventing a user from accessing unauthorized removable media?
a. USB data blocker
b. Faraday cage
c. Proximity reader
d. Cable lock
a. USB data blocker
Explanation:
USB data blocker: This device is specifically designed to allow charging of a device while blocking data transfer through the USB port. This prevents unauthorized access to removable media by ensuring that data cannot be transferred to or from the USB port.
Other Options:
Faraday cage: This is a shield used to block electromagnetic fields. It is not designed for preventing access to removable media and is generally used for different purposes, such as preventing wireless communication. Proximity reader: This is used for access control, such as securing physical entry to a location. It does not prevent access to removable media. Cable lock: This is used to physically secure a device to prevent theft but does not control access to removable media.
Therefore, the USB data blocker is the most suitable tool for the specified purpose.
A Chief Security Officer is looking for a solution that can provide increased scalability and flexibility for back-end infrastructure, allowing it to be updated and modified without disruption to services. The security architect would like the solution selected to reduce the back-end server resources and has highlighted that session persistence is not important for the applications running on the back-end servers. Which of the following would BEST meet the requirements?
a. Reverse proxy
b. Automated patch management
c. snapshots
d. NIC teaming
a. Reverse proxy
Here’s how a reverse proxy aligns with the specified needs:
Increased scalability and flexibility: A reverse proxy can distribute client requests across multiple back-end servers, allowing for easier scaling by adding or removing servers as needed. It can also provide flexibility by routing requests based on various criteria (e.g., URL, headers). Updating and modifying back-end infrastructure without disruption: A reverse proxy can route traffic to different versions of back-end servers seamlessly during updates or modifications, ensuring continuous service availability without interruptions. Reducing back-end server resources: By offloading tasks like SSL termination, caching, and load balancing, a reverse proxy can optimize the usage of back-end server resources. Session persistence not important: Reverse proxies can handle session management and load balancing without requiring session persistence on the back-end servers, which aligns with the stated preference.
Let’s briefly consider why the other options are less suitable:
Automated patch management: While important for security and maintenance, automated patch management primarily focuses on keeping servers up to date with the latest patches and updates. It doesn't directly address scalability, flexibility, or resource reduction. Snapshots: Snapshots are a feature used for data protection and recovery but do not inherently provide scalability, flexibility, or resource reduction for back-end infrastructure. NIC teaming: NIC teaming (or network bonding) is used to increase network bandwidth and provide redundancy, primarily at the network interface level. It does not directly address the scalability, flexibility, or resource reduction needs of back-end infrastructure in the context described.
Which of the following describes a social engineering technique that seeks to exploit a person’s sense of urgency?
a. A phishing email stating a cash settlement has been awarded but will expire soon
b. A smishing message stating a package is scheduled for pickup
c. A vishing call that requests a donation to be made to a local charity
d. A SPIM notification claiming to be undercover law enforcement investigating a cybercrime
a. A phishing email stating a cash settlement has been awarded but will expire soon
The social engineering technique that seeks to exploit a person’s sense of urgency is described in option A. By stating that a cash settlement has been awarded but will expire soon, the attacker creates a sense of urgency and tries to manipulate the recipient into taking immediate action without thoroughly considering the authenticity or legitimacy of the email. This technique aims to pressure the target into making a hasty decision or divulging sensitive information.
A security analyst is reviewing application logs to determine the source of a breach and locates the following log: https://www.comptia.com/login.php?id=’%20or%20’1’1=’1
Which of the following has been observed?
a. DLL Injection
b. API attack
c. SQL injection
d. XSS
c. SQL injection
The log entry provided (https://www.comptia.com/login.php?id=’%20or%20’1’1=’1) indicates a type of attack where a malicious actor is trying to manipulate the SQL query used by the application. This pattern matches the characteristics of a SQL injection attack.
SQL injection (SQLi) involves inserting or “injecting” SQL queries via the input data from the client to the application. This can allow attackers to bypass authentication, access, modify, or delete data, and execute administrative operations on the database.
The specific part of the log entry id=’%20or%20’1’1=’1 is a classic example of an SQL injection attempt. The attacker is trying to manipulate the SQL query logic to always evaluate to true (e.g., 1=1), which can potentially bypass login authentication or retrieve unauthorized information.
An audit identified PII being utilized in the development environment of a critical application. The Chief Privacy Officer (CPO) is adamant that this data must be removed; however, the developers are concerned that without real data they cannot perform functionality tests and search for specific data. Which of the following should a security professional implement to BEST satisfy both the CPO’s and the development team’s requirements?
a. Data anonymization
b. Data encryption
c. Data masking
d. Data tokenization
(Community C 54%, A 45% )
c. Data masking
Explanation:
Data masking: This technique involves creating a structurally similar but inauthentic version of an organization's data that can be used for purposes such as software testing and user training. It allows the developers to use data that appears real but doesn't contain actual sensitive information, thus satisfying the Chief Privacy Officer's (CPO) requirement to remove Personally Identifiable Information (PII) while still allowing the developers to perform functionality tests and search for specific data.
Why other options are less suitable:
Data anonymization: This method removes or modifies PII so that it can no longer be attributed to a specific individual. While it ensures privacy, it might alter the data to an extent that makes it less useful for testing specific functions or searches. Data encryption: Encryption protects data by converting it into a coded format that is unreadable without a decryption key. While it secures the data, it doesn't help developers who need to interact with and test the functionality of the data in its original form. Data tokenization: This process replaces sensitive data with unique identification symbols (tokens) that retain essential information without compromising security. Although it can be useful, tokenized data might not always be suitable for all types of functionality testing or specific searches needed by developers.
Therefore, data masking is the best option to meet both the privacy concerns of the CPO and the functional needs of the development team.
A company is implementing a DLP solution on the file server. The file server has PII, financial information, and health information stored on it. Depending on what type of data that is hosted on the file server, the company wants different DLP rules assigned to the data. Which of the following should the company do to help accomplish this goal?
a. Classify the data.
b. Mask the data.
c. Assign the application owner.
d. Perform a risk analysis.
a. Classify the data.
Classifying the data involves identifying and categorizing the types of data stored on the file server. This classification process allows the company to apply specific DLP rules tailored to each category of data. For example, different DLP policies can be enforced for PII, financial information, and health information once they are properly classified.
Here’s why the other options are less suitable in this context:
Mask the data: Data masking is a method of protecting sensitive information by replacing it with fictitious but realistic data. While it can enhance security, it does not help in creating and applying different DLP rules based on the data type. Assign the application owner: While assigning ownership can help with accountability and management, it does not directly address the need to apply different DLP rules to different types of data. Perform a risk analysis: Risk analysis helps identify potential threats and vulnerabilities, which is important for overall security strategy, but it does not directly assist in applying specific DLP rules based on the type of data.
A forensics investigator is examining a number of unauthorized payments that were reported on the company’s website. Some unusual log entries show users received an email for an unwanted mailing list and clicked on a link to attempt to unsubscribe. One of the users reported the email to the phishing team, and the forwarded email revealed the link to be:
<a>Click here to unsubscribe</a>
Which of the following will the forensics investigator MOST likely determine has occurred?
a. SQL injection
b. Broken authentication
c. XSS
d. XSRF
d. XSRF
The forensics investigator will most likely determine that a Cross-Site Request Forgery (CSRF) attack has occurred. In a CSRF attack, an attacker tricks a user into performing an unintended action on a website or application by forging a request that appears to come from a trusted source. In this case, the users were directed to a website where they unknowingly made unauthorized payments by clicking on a link in a phishing email. The link appears to be harmless, but actually contains code that instructs the user’s browser to make a payment on the company’s website. The unauthorized payments were made because the website accepted the forged request without verifying the authenticity of the request.
A report delivered to the Chief Information Security Officer (CISO) shows that some user credentials could be exfiltrated. The report also indicates that users tend to choose the same credentials on different systems and applications. Which of the following policies should the CISO use to prevent someone from using the exfiltrated credentials?
a. MFA
b. Lockout
c. Time-based logins
d. Password history
a. MFA (Multi-Factor Authentication)
Multi-Factor Authentication (MFA) significantly enhances security by requiring users to provide two or more verification factors to gain access to a resource such as an application, online account, or VPN. Even if an attacker obtains user credentials, they would still need the additional factor(s) to successfully log in, thus preventing unauthorized access.
Here’s why the other options are less suitable in this context:
Lockout: This policy locks an account after a certain number of failed login attempts, which helps to prevent brute force attacks but does not address the issue of stolen credentials being used successfully. Time-based logins: Restricting logins to specific times can add a layer of security, but it does not prevent the use of stolen credentials outside of those times. Password history: Enforcing password history prevents users from reusing recent passwords, but it does not prevent the use of current stolen credentials.
A company wants to simplify the certificate management process. The company has a single domain with several dozen subdomains, all of which are publicly accessible on the internet. Which of the following BEST describes the type of certificate the company should implement?
a. Subject alternative name
b. Wildcard
c. Self-signed
d. Domain validation
b. Wildcard
A wildcard certificate allows you to secure a single domain and all its subdomains with a single certificate. This greatly simplifies management because you don’t need a separate certificate for each subdomain. For example, a wildcard certificate for *.example.com would cover example.com, sub1.example.com, sub2.example.com, etc.
Here’s why the other options are less suitable:
Subject Alternative Name (SAN): SAN certificates can cover multiple specific domain names and subdomains, but they require each name to be listed explicitly in the certificate, which can be less efficient and more cumbersome to manage if the number of subdomains is large or if subdomains change frequently. Self-signed: Self-signed certificates are not trusted by default by users' browsers and operating systems, making them unsuitable for public-facing websites. Domain validation (DV): DV certificates indicate that the certificate authority has verified the domain ownership, but they do not simplify the management of multiple subdomains any more than any other type of certificate.
Which of the following is an effective tool to stop or prevent the exfiltration of data from a network?
a. DLP
b. NIDS
c. TPM
d. FDE
a. DLP (Data Loss Prevention)
Data Loss Prevention (DLP) solutions are specifically designed to detect and prevent unauthorized data transmissions or leaks outside of the network. DLP can monitor and control data transfers, enforce encryption, and block unauthorized sharing of sensitive information such as PII, financial data, and intellectual property.
Here’s why the other options are less suitable:
NIDS (Network Intrusion Detection System): NIDS can detect suspicious activities and potential intrusions on the network but doesn't specifically prevent data exfiltration. It is more about detection rather than prevention. TPM (Trusted Platform Module): TPM is a hardware-based security feature used to secure hardware through integrated cryptographic keys, but it does not directly prevent data exfiltration from a network. FDE (Full Disk Encryption): FDE protects data at rest by encrypting the entire contents of a disk. While it secures data on a device, it does not prevent data from being exfiltrated over the network.
Several attempts have been made to pick the door lock of a secure facility. As a result, the security engineer has been assigned to implement a stronger preventative access control. Which of the following would BEST complete the engineer’s assignment?
a. Replacing the traditional key with an RFID key
b. Installing and monitoring a camera facing the door
c. Setting motion-sensing lights to illuminate the door on activity
d. Surrounding the property with fencing and gates
a. Replacing the traditional key with an RFID key
To implement a stronger preventative access control for a secure facility, replacing the traditional key with an RFID key would be the best solution. This change enhances security by using a more modern and harder-to-pick locking mechanism.
Here’s why the other options are less suitable:
Installing and monitoring a camera facing the door: This is more of a detective control than a preventative control. It helps in monitoring and recording any attempts but does not prevent the attempts themselves. Setting motion-sensing lights to illuminate the door on activity: This is also a deterrent and detection measure rather than a preventative one. It may discourage attempts but does not physically prevent access. Surrounding the property with fencing and gates: While this can be part of a comprehensive security strategy, it does not directly strengthen the specific access control of the door itself. It addresses perimeter security rather than the point of entry that is being targeted.
Which of the following can be used by a monitoring tool to compare values and detect password leaks without providing the actual credentials?
a. Hashing
b. Tokenization
c. Masking
d. Encryption
a. Hashing
Hashing is a process where a cryptographic hash function is applied to data (in this case, passwords) to produce a fixed-size string of characters, which is often referred to as the hash value or hash code. This hash value is unique to the input data and is deterministic, meaning the same input will always produce the same hash output.
In the context of detecting password leaks without exposing actual credentials, a monitoring tool can hash passwords (either locally or using a secure protocol) and then compare these hashed values against known leaked hashes from breached databases. If a match is found, it indicates that a password has been compromised without the monitoring tool needing access to the actual plaintext passwords.
Here’s why the other options are not correct in this context:
Tokenization: Tokenization involves substituting sensitive data with a non-sensitive equivalent (token). It is used to protect data but does not inherently involve comparison or detection of password leaks. Masking: Masking is the process of partially or completely hiding sensitive data (like passwords) by replacing it with placeholder characters. It does not facilitate the comparison or detection of password leaks. Encryption: Encryption involves transforming data (plaintext) into a form (ciphertext) that is unreadable without the correct decryption key. While encryption secures data, it does not typically facilitate comparison for detecting password leaks unless the encrypted values are compared directly, which is less common in such monitoring scenarios.
A security engineer is building a file transfer solution to send files to a business partner. The users would like to drop off the files in a specific directory and have the server send the file to the business partner. The connection to the business partner is over the internet and needs to be secure. Which of the following can be used?
a. S/MIME
b. LDAPS
c. SSH
d. SRTP
c. SSH
SSH provides a secure, encrypted connection between two systems, typically used for remote access and file transfer. Here’s how it aligns with the requirements:
Secure connection: SSH encrypts the data transmitted between the client (where the files are dropped off) and the server (which sends the files to the business partner), ensuring confidentiality and integrity of the transferred files. File transfer capability: SSH includes utilities like SCP (Secure Copy Protocol) or SFTP (SSH File Transfer Protocol) which allow secure file transfers over SSH connections. Users can drop off files in a specific directory on the server using SFTP or SCP commands.
Let’s briefly consider why the other options are less suitable in this context:
S/MIME: S/MIME (Secure/Multipurpose Internet Mail Extensions) is used for securing email messages, not directly for file transfer scenarios where files need to be stored in a directory and sent automatically to a business partner. LDAPS: LDAPS (LDAP over SSL/TLS) is used for securing LDAP directory communications, not for file transfer scenarios as described. SRTP: SRTP (Secure Real-time Transport Protocol) is used for securing VoIP (Voice over IP) communications, not for file transfer scenarios over the internet.
An administrator needs to protect user passwords and has been advised to hash the passwords. Which of the following BEST describes what the administrator is being advised to do?
a. Perform a mathematical operation on the passwords that will convert them into unique strings.
b. Add extra data to the passwords so their length is increased, making them harder to brute force.
c. Store all passwords in the system in a rainbow table that has a centralized location.
d. Enforce the use of one-time passwords that are changed for every login session.
a. Perform a mathematical operation on the passwords that will convert them into unique strings.
In the context of protecting user passwords, hashing is a cryptographic technique where passwords (or any other data) are converted into fixed-length strings of characters (hash values) using a mathematical algorithm. Hashing ensures that the original password cannot be easily derived from the hash value, providing a layer of security in case the hashed data is exposed or compromised.
Let’s briefly explain why the other options are not correct:
b. Add extra data to the passwords so their length is increased, making them harder to brute force: This describes password salting, not hashing. Salting involves adding a random value (salt) to each password before hashing to ensure that even identical passwords produce different hashes. While salting is an important technique, it's not the same as hashing itself. c. Store all passwords in the system in a rainbow table that has a centralized location: Rainbow tables are precomputed tables used to crack hashed passwords through reverse lookup. Storing passwords in a rainbow table would defeat the purpose of hashing for security. d. Enforce the use of one-time passwords that are changed for every login session: One-time passwords are not related to hashing passwords. They are temporary passwords that are valid for a single login session and are typically used for two-factor authentication (2FA) or multi-factor authentication (MFA).
Which of the following would be indicative of a hidden audio file found inside of a piece of source code?
a. Steganography
b. Homomorphic encryption
c. Cipher suite
d. Blockchain
a. Steganography
Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video. In the context of a hidden audio file found inside of a piece of source code, steganography would be the technique used to embed the audio file within the source code without altering the functionality or appearance of the source code itself. This allows the audio file to remain hidden unless someone knows how to extract it using specific tools or methods designed for steganographic detection.
Here’s why the other options are not correct:
b. Homomorphic encryption: Homomorphic encryption is a form of encryption that allows computations to be performed on encrypted data without decrypting it first. It is not related to embedding audio files within source code. c. Cipher suite: A cipher suite is a set of cryptographic algorithms used for securing network connections. It is not related to hiding audio files within source code. d. Blockchain: Blockchain is a decentralized digital ledger technology used for recording transactions across multiple computers. It does not relate to embedding audio files within source code.
A user enters a username and a password at the login screen for a web portal. A few seconds later the following message appears on the screen:
Please use a combination of numbers, special characters, and letters in the password field.
Which of the following concepts does this message describe?
a. Password complexity
b. Password reuse
c. Password history
d. Password age
a. Password complexity
Password complexity refers to the requirements and rules imposed on passwords to ensure they are sufficiently strong and resistant to various forms of attack. Common complexity requirements include using a combination of uppercase letters, lowercase letters, numbers, and special characters. These requirements aim to increase the difficulty of guessing or brute-forcing passwords.
Here’s a brief overview of the other options:
b. Password reuse: This concept relates to using the same password across multiple accounts or systems, which can pose security risks if one account is compromised. c. Password history: Password history refers to a security feature that prevents users from reusing previous passwords, enhancing security by ensuring passwords are not reused consecutively. d. Password age: Password age refers to the length of time a password has been in use before it needs to be changed as part of a password policy.
A company recently experienced an inside attack using a corporate machine that resulted in data compromise. Analysis indicated an unauthorized change to the software circumvented technological protection measures. The analyst was tasked with determining the best method to ensure the integrity of the systems remains intact and local and remote boot attestation can take place. Which of the following would provide the BEST solution?
a. HIPS
b. FIM
c. TPM
d. DLP
c. TPM (Trusted Platform Module)
TPM (Trusted Platform Module) is a hardware-based security feature that provides a secure area within the system for storing cryptographic keys, certificates, and measurements. It enables several security functions, including secure boot attestation, which verifies the integrity of system components during the boot process. Here’s how TPM aligns with the requirements:
Integrity of systems: TPM ensures the integrity of the system by securely storing measurements (hashes) of boot components and providing these measurements for verification during the boot process. Any unauthorized changes to the software or system configurations can be detected through these measurements. Local and remote boot attestation: TPM supports both local and remote attestation mechanisms. Local attestation verifies the integrity of the system components locally, while remote attestation allows external entities (like a remote server or security service) to verify the system's integrity before allowing access or exchanging sensitive information.
Here’s why the other options are less suitable in this context:
a. HIPS (Host-based Intrusion Prevention System): HIPS monitors and analyzes the internals of a computing system, but it does not inherently provide the cryptographic capabilities or secure storage necessary for boot attestation. b. FIM (File Integrity Monitoring): FIM detects changes to files and system configurations, but it primarily focuses on monitoring file changes rather than providing the comprehensive security features required for boot attestation and ensuring the integrity of the entire system. d. DLP (Data Loss Prevention): DLP solutions focus on protecting data from unauthorized access and exfiltration rather than ensuring the integrity of system components and supporting boot attestation.
Which of the following is a reason to publish files’ hashes?
a. To validate the integrity of the files
b. To verify if the software was digitally signed
c. To use the hash as a software activation key
d. To use the hash as a decryption passphrase
a. To validate the integrity of the files
Publishing files’ hashes allows users to verify the integrity of downloaded files by comparing the hash provided by the publisher with the hash computed from the downloaded file. If the hashes match, it indicates that the file has not been tampered with or corrupted during transmission.
Here’s why the other options are not correct:
b. To verify if the software was digitally signed: Digital signatures are used to verify the authenticity and integrity of software, not hashes. Digital signatures include a hash of the signed content, but the primary purpose of publishing a digital signature is to verify the signer's identity and ensure the software has not been tampered with since it was signed. c. To use the hash as a software activation key: Hashes are not used as activation keys for software. Activation keys typically are alphanumeric codes that are used to activate or validate software licenses. d. To use the hash as a decryption passphrase: Hashes are not used directly as decryption passphrases. Passphrases are typically longer and more complex strings used to decrypt encrypted data.
A security manager has tasked the security operations center with locating all web servers that respond to an unsecure protocol. Which of the following commands could an analyst run to find the requested servers?
a. nslookup 10.10.10.0
b. nmap -p 80 10.10.10.0/24
c. pathping 10.10.10.0 -p 80
d. ne -l -p 80
b. nmap -p 80 10.10.10.0/24
Here’s how this command works:
nmap: Nmap (Network Mapper) is a network scanning tool used for discovering hosts and services on a computer network. -p 80: This option specifies that Nmap should scan for hosts that have port 80 (HTTP) open. 10.10.10.0/24: This is the network range in CIDR notation (Classless Inter-Domain Routing), which specifies a range of IP addresses to scan. /24 indicates that it's scanning all IP addresses from 10.10.10.0 to 10.10.10.255.
Explanation of why the other options are incorrect:
a. nslookup 10.10.10.0: nslookup is used to query DNS servers for domain name information. It does not scan for open ports on servers. c. pathping 10.10.10.0 -p 80: pathping is used to trace the route packets take to a network host, not to scan for open ports. d. ne -l -p 80: There is no commonly known command ne with options -l and -p 80. It does not appear to be a valid command for the intended purpose.