101-150 Flashcards
A DBA reports that several production server hard drives were wiped over the weekend. The DBA also reports that several Linux servers were unavailable due to system files being deleted unexpectedly. A security analyst verified that software was configured to delete data deliberately from those servers. No backdoors to any servers were found. Which of the following attacks was MOST likely used to cause the data loss?
a. Logic bomb
b. Ransomware
c. Fileless virus
d. Remote access Trojans
e. Rootkit
a. Logic bomb
A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. In this case, it appears that the logic bomb was programmed to delete system files and data at a specific time (over the weekend). This explains the deliberate nature of the deletions and the unavailability of the servers without any backdoor being present.
The other options are less likely to be the cause for the following reasons:
Ransomware typically encrypts data and demands a ransom for decryption rather than simply deleting files. A fileless virus operates in memory and typically does not result in deliberate deletion of files; it aims to exploit systems without leaving a trace on the disk. Remote access Trojans (RATs) are used for remote control of a system and typically involve data theft or surveillance rather than destruction of data without any further purpose. A rootkit hides the presence of other malicious software, such as keyloggers or viruses, but does not typically engage in the outright deletion of files as described.
Digital signatures use asymmetric encryption. This means the message is encrypted with:
a. the sender’s private key and decrypted with the sender’s public key.
b. the sender’s public key and decrypted with the sender’s private key.
c. the sender’s private key and decrypted with the recipient’s public key.
d. the sender’s public key and decrypted with the recipient’s private key.
a. the sender’s private key and decrypted with the sender’s public key.
Digital signatures indeed use asymmetric encryption, and the process involves the sender’s private and public keys. The correct option regarding the use of keys for creating and verifying a digital signature is:
a. the sender’s private key and decrypted with the sender’s public key.
Here’s how it works:
Creating the signature: The sender creates a hash of the message and encrypts this hash using their private key. This encrypted hash is the digital signature.
Verifying the signature: The recipient decrypts the digital signature using the sender's public key to retrieve the hash, creates a hash of the received message, and compares the decrypted hash with the newly created hash. If they match, the message is verified as authentic and untampered.
A security engineer was assigned to implement a solution to prevent attackers from gaining access by pretending to be authorized users. Which of the following technologies meets the requirement?
a. SSO
b. IDS
c. MFA
d. TPM
c. MFA (Multi-Factor Authentication)
Explanation:
Multi-Factor Authentication (MFA) adds an additional layer of security beyond just username and password. It requires users to provide two or more verification factors to gain access to a system or application. MFA typically combines something the user knows (password), with something the user has (like a smartphone app generating a code or a hardware token), or something the user is (biometric data). This approach significantly reduces the risk of unauthorized access because even if attackers manage to steal or guess a user's password, they would still need the additional factor to authenticate successfully. Single Sign-On (SSO) simplifies the user login process by allowing users to authenticate once to gain access to multiple systems or applications. While it improves user experience and can indirectly enhance security by reducing password fatigue, it does not inherently prevent attackers from pretending to be authorized users. Intrusion Detection System (IDS) monitors network or system activities for malicious activities or policy violations. While it detects suspicious behavior, it doesn't directly prevent attackers from impersonating authorized users. Trusted Platform Module (TPM) is a hardware-based security solution that provides cryptographic functionality to secure hardware and authenticate devices. It does not directly prevent attackers from pretending to be authorized users.
The Chief Information Security Officer (CISO) has requested that a third-party vendor provide supporting documents that show proper controls are in place to protect customer data. Which of the following would be BEST for the third-party vendor to provide to the CISO?
a. GDPR compliance attestation
b. Cloud Security Alliance materials
c. SOC 2 Type 2 report
d. NIST RMF workbooks
c. SOC 2 Type 2 report
Explanation:
SOC 2 (Service Organization Control 2) is a widely recognized auditing standard developed by the American Institute of CPAs (AICPA). It focuses on controls relevant to the security, availability, processing integrity, confidentiality, and privacy of data processed by service providers. A SOC 2 Type 2 report provides detailed information about how a service organization (the third-party vendor in this case) achieves key security objectives based on the Trust Services Criteria (TSC). It includes detailed testing of the effectiveness of controls over a period of time (usually a minimum of six months). This report is particularly relevant when a vendor needs to demonstrate that they have adequate controls in place to protect customer data, aligning with regulatory requirements and industry best practices. GDPR compliance attestation is specific to compliance with the European Union's General Data Protection Regulation (GDPR). While important for handling personal data of EU residents, it may not cover all aspects of data protection and security beyond GDPR requirements. Cloud Security Alliance (CSA) materials are valuable for understanding cloud security best practices and frameworks, but they do not provide specific independent assurance of controls implemented by the vendor. NIST RMF (Risk Management Framework) workbooks are used for managing and documenting security and privacy controls within federal information systems. However, they are less commonly used in vendor assessments compared to SOC 2 reports.
Which of the following is assured when a user signs an email using a private key?
a. Non-repudiation
b. Confidentiality
c. Availability
d. Authentication
a. Non-repudiation
Explanation:
Non-repudiation is assured when a user signs an email using a private key. This means the sender cannot deny having sent the email because the digital signature, created using the sender's private key, uniquely associates the sender with the message. Anyone with the corresponding public key can verify that the message was indeed signed by the holder of the private key. Confidentiality ensures that the content of the email is accessible only to the intended recipients. However, signing an email does not encrypt its contents; encryption for confidentiality requires using the recipient's public key. Availability refers to ensuring that the email is accessible to authorized users when needed. Signing an email does not directly impact its availability. Authentication is the process of verifying the identity of the sender. While signing an email does provide some level of authentication by verifying the sender, the primary assurance provided by signing an email is non-repudiation.
A systems administrator is troubleshooting a server’s connection to an internal web server. The administrator needs to determine the correct ports to use. Which of the following tools BEST shows which ports on the web server are in a listening state?
a. ipconfig
b. ssh
c. ping
d. netstat
d. netstat
Explanation:
netstat (network statistics) is a command-line tool that provides various network-related information, including the status of network connections, routing tables, and interface statistics. It is particularly useful for showing which ports are in a listening state on a server, which can help the systems administrator determine the correct ports to use. ipconfig is a command-line tool used to display and manage the IP configuration of network interfaces on a Windows computer. It does not provide information about listening ports. ssh (Secure Shell) is a protocol used for secure remote login and other secure network services over an insecure network. It is not used to show listening ports. ping is a command-line tool used to test the reachability of a host on an IP network. It does not provide information about listening ports.
Which of the following BEST reduces the security risks introduced when running systems that have expired vendor support and lack an immediate replacement?
a. Implement proper network access restrictions.
b. Initiate a bug bounty program.
c. Classify the system as shadow IT.
d. Increase the frequency of vulnerability scans.
a. Implement proper network access restrictions.
Explanation:
Implementing proper network access restrictions is the most effective way to reduce security risks for systems with expired vendor support. This approach limits exposure to potential threats by restricting access to the vulnerable system to only those who absolutely need it. It can include measures such as segmentation, firewalls, and access control lists (ACLs). Initiating a bug bounty program is useful for identifying vulnerabilities, but it is not as immediately effective in reducing risks for unsupported systems as network access restrictions. Classifying the system as shadow IT might help in acknowledging the risk, but it does not directly mitigate the risk. Increasing the frequency of vulnerability scans can help in identifying issues more quickly, but without the ability to patch or update the system, the effectiveness of this measure is limited compared to implementing network access restrictions.
Due to unexpected circumstances, an IT company must vacate its main office, forcing all operations to alternate, off-site locations. Which of the following will the company MOST likely reference for guidance during this change?
a. The business continuity plan
b. The retention policy
c. The disaster recovery plan
d. The incident response plan
a. The business continuity plan
Explanation:
The business continuity plan (BCP) is designed to ensure that a company can continue to operate during and after a major disruption, such as having to vacate its main office. The BCP includes strategies for maintaining business operations and addressing logistical challenges, such as relocating to alternate, off-site locations. The disaster recovery plan (DRP) focuses on restoring IT systems and data after a disaster, but it is more specific to IT infrastructure rather than overall business operations. The retention policy deals with how long records and data are kept and does not address operational relocations. The incident response plan (IRP) deals with responding to specific incidents, such as security breaches, but does not typically cover broad operational changes like relocating an entire office.
While reviewing an alert that shows a malicious request on one web application, a cybersecurity analyst is alerted to a subsequent token reuse moments later on a different service using the same single sign-on method. Which of the following would BEST detect a malicious actor?
a. Utilizing SIEM correlation engines
b. Deploying Netflow at the network border
c. Disabling session tokens for all sites
d. Deploying a WAF for the web server
a. Utilizing SIEM correlation engines
Explanation:
SIEM (Security Information and Event Management) correlation engines are designed to analyze and correlate events from multiple sources across the network, including different applications and services. They can identify patterns and link related incidents, such as the reuse of a token on a different service, indicating potential malicious activity. Deploying Netflow at the network border would help monitor network traffic patterns but might not effectively correlate the specific use of tokens across different services. Disabling session tokens for all sites could disrupt user sessions and might not specifically target the detection of malicious activity. Deploying a WAF (Web Application Firewall) can protect a web server from specific web-based attacks but might not have the capability to correlate token reuse across different services using SSO.
The Chief Information Security Officer wants to prevent exfiltration of sensitive information from employee cell phones when using public USB power charging stations. Which of the following would be the BEST solution to implement?
a. DLP
b. USB data blocker
c. USB OTG
d. Disabling USB ports
b. USB data blocker
Explanation:
A USB data blocker is designed to allow power to pass through to a device while blocking any data transfer through the USB port. This would prevent any exfiltration of sensitive information when employees use public USB power charging stations. DLP (Data Loss Prevention) solutions are typically software-based and are more suited for monitoring and controlling data within the organization's network rather than on individual cell phones in public scenarios. USB OTG (On-The-Go) is a standard that enables devices to act as a host, allowing other USB devices like keyboards or external storage to be attached, which does not address the issue of blocking data transfer in public charging stations. Disabling USB ports would prevent the use of public charging stations altogether, which is impractical for employees who need to charge their phones on the go.
Two organizations plan to collaborate on the evaluation of new SIEM solutions for their respective companies. A combined effort from both organizations’ SOC teams would speed up the effort. Which of the following can be written to document this agreement?
a. MOU
b. ISA
c. SLA
d. NDA
a. MOU (Memorandum of Understanding)
Explanation:
An MOU (Memorandum of Understanding) is a document that outlines the terms and details of an agreement between parties, including each party's requirements and responsibilities. It is often used to document an agreement to collaborate on projects or initiatives without the formal binding commitments of a contract. An ISA (Interconnection Security Agreement) is used to define the technical and security requirements for establishing, operating, and maintaining the interconnection of IT systems and networks. An SLA (Service Level Agreement) is a contract between a service provider and a customer that defines the level of service expected from the service provider. An NDA (Non-Disclosure Agreement) is a contract that establishes confidentiality between parties to protect sensitive information from being disclosed.
The board of directors at a company contracted with an insurance firm to limit the organization’s liability. Which of the following risk management practices does this BEST describe?
a. Transference
b. Avoidance
c. Mitigation
d. Acknowledgement
a. Transference
Explanation:
Transference in risk management involves shifting the risk to a third party. By contracting with an insurance firm, the organization is transferring the financial risk associated with potential liabilities to the insurance company, thus limiting its own liability. Avoidance involves eliminating the risk entirely by not engaging in the activity that presents the risk. Mitigation involves taking steps to reduce the impact or likelihood of the risk. Acknowledgement involves recognizing the risk but choosing to accept it without transferring or mitigating it.
Which of the following is a risk that is specifically associated with hosting applications in the public cloud?
a. Unsecured root accounts
b. Zero-day
c. Shared tenancy
d. Insider threat
c. Shared tenancy
Explanation:
Shared tenancy is a risk specific to public cloud environments where multiple customers share the same physical hardware and infrastructure. This can lead to potential vulnerabilities where one tenant's security issues could potentially affect others. Unsecured root accounts and insider threats are risks that can occur in both cloud and on-premises environments. Zero-day vulnerabilities are a general security risk that can impact any environment, whether cloud-based or not.
DDoS attacks are causing an overload on the cluster of cloud servers. A security architect is researching alternatives to make the cloud environment respond to load fluctuation in a cost-effective way. Which of the following options BEST fulfills the architect’s requirements?
a. An orchestration solution that can adjust scalability of cloud assets
b. Use of multipath by adding more connections to cloud storage
c. Cloud assets replicated on geographically distributed regions
d. An on-site backup that is deployed and only used when the load increases
a. An orchestration solution that can adjust scalability of cloud assets
Explanation:
Orchestration solutions are designed to automatically manage, scale, and optimize resources in response to real-time demand. This allows the cloud environment to dynamically adjust its capacity, adding or removing resources as needed to handle load fluctuations efficiently. Multipath connections to cloud storage can enhance redundancy and performance but may not directly address the need for scalable compute resources to handle DDoS attacks. Replicating cloud assets across geographically distributed regions can provide redundancy and disaster recovery benefits but may not be as cost-effective for dynamic scalability in response to fluctuating loads. An on-site backup that is deployed only when load increases can be costly and less efficient compared to automated orchestration solutions that leverage cloud scalability features.
Which of the following documents provides expectations at a technical level for quality, availability, and responsibilities?
a. EOL
b. SLA
c. MOU
d. EOSL
b. SLA (Service Level Agreement)
Explanation:
An SLA (Service Level Agreement) is a document that outlines the expectations between a service provider and a customer regarding the quality and availability of services. It defines metrics, responsibilities, and guarantees related to service performance, uptime, response times, and other key aspects. EOL (End of Life) and EOSL (End of Service Life) refer to the lifecycle stages of products or services, indicating when support or maintenance will end, rather than specifying operational expectations. An MOU (Memorandum of Understanding) outlines broader agreements between parties but may not detail technical expectations at the level of an SLA.
Which of the following is an example of transference of risk?
a. Purchasing insurance
b. Patching vulnerable servers
c. Retiring outdated applications
d. Application owner risk sign-off
a. Purchasing insurance
An employee received a word processing file that was delivered as an email attachment. The subject line and email content enticed the employee to open the attachment. Which of the following attack vectors BEST matches this malware?
a. Embedded Python code
b. Macro-enabled file
c. Bash scripting
d. Credential-harvesting website
b. Macro-enabled file
A security proposal was set up to track requests for remote access by creating a baseline of the users’ common sign-in properties. When a baseline deviation is detected, an MFA challenge will be triggered. Which of the following should be configured in order to deploy the proposal?
a. Context-aware authentication
b. Simultaneous authentication of equals
c. Extensive authentication protocol
d. Agentless network access control
a. Context-aware authentication
Explanation:
Context-aware authentication involves using various contextual factors, such as user location, time of access, device type, and typical behavior patterns, to establish a baseline of normal activity for users. When there is a deviation from this baseline (such as unusual sign-in properties), it can trigger additional security measures like Multi-Factor Authentication (MFA). In this scenario, configuring context-aware authentication allows for the detection of baseline deviations and the subsequent triggering of MFA challenges, aligning with the security proposal described.
Which of the following secure coding techniques makes compromised code more difficult for hackers to use?
a. Obfuscation
b. Normalization
c. Execution
d. Reuse
a. Obfuscation
Explanation:
Obfuscation is a technique used to make code more difficult to understand or reverse-engineer. It involves transforming code in a way that preserves its functionality but makes it harder for attackers to analyze. By obfuscating code, even if it is compromised, it becomes more challenging for hackers to quickly exploit or understand its logic, thereby increasing the complexity and effort required to use the compromised code effectively.
As part of a security compliance assessment, an auditor performs automated vulnerability scans. In addition, which of the following should the auditor do to complete the assessment?
a. User behavior analysis
b. Packet captures
c. Configuration reviews
d. Log analysis
c. Configuration reviews
Explanation:
While automated vulnerability scans are essential for identifying technical vulnerabilities, configuration reviews are necessary to assess whether systems, networks, and applications are configured securely according to best practices and compliance requirements. Configuration reviews involve examining settings, policies, access controls, and configurations against established benchmarks or standards to ensure they align with security policies and industry best practices. Together with vulnerability scans, configuration reviews provide a comprehensive view of the security posture of the organization's IT infrastructure, ensuring that both technical vulnerabilities and misconfigurations are identified and remediated.