2.2 Given a scenario, use appropriate software tools to assess the security posture of an organization Flashcards
A company is using Microsoft’s Security Compliance Toolkit (SCT) and Nessus to get a sense of the company’s security posture. Which of the following does NOT describe or apply to either of these applications? (Select two)
Nessus compares with a system configuration template
SCT patches non-compliant systems
Nessus is, by design, a vulnerability scanner. It can run compliance audits against policy files, but it does not ship the Windows security baselines (GPO templates) that Microsoft publishes; comparing a host's configuration against those baselines is what SCT's Policy Analyzer does.
SCT does not patch systems or change settings on its own. Missing patches are handled by WSUS (Windows Server Update Services); configuration settings that do not match a baseline are corrected by applying the baseline's Group Policy Objects (SCT includes the GPO backups and the LGPO.exe tool for importing them).
Microsoft’s Policy Analyzer is part of the Security Compliance Toolkit (SCT). It compares a host's effective local policy, or a set of GPO backups, against a baseline of controls and configuration settings and reports which settings deviate.
CVEs (Common Vulnerabilities and Exposures) identifiers are what Nessus uses to report known vulnerabilities in commonly used software. A vulnerability scan and a security compliance audit can be run in the same Nessus scan policy.
A company is going through excess equipment and recyclables. Management will repurpose all the computer workstations and discard archived printed documents. Which of the following can help achieve the company’s goals? (Select two)
Active KillDisk software
Paper shredder
Active KillDisk is a disk wiping sanitization software tool that can purge data on disk by overwriting data with 1s and 0s. Overwriting might also be performed in multiple passes. The disk can be recycled after using this software.
A paper shredder can make printed information harder to read or recover. This type of machinery cannot shred hard drives or other computer parts.
A powerful magnet (degausser) can erase data on a magnetic hard drive, but it also renders the drive inoperable because it destroys the servo tracks written at the factory along with the data.
A hard drive shredder breaks apart or pulverizes a hard drive and makes it unusable.
An admin wants to quickly assess the open ports of a Windows server. Which command will provide the admin with the right information?
netstat
The netstat command allows the admin to check the state of ports on the local machine (Windows or Linux). He or she may also be able to identify suspect remote connections to services on the local host or from the host to remote IP (Internet protocol) addresses.
Netcat (or nc for short) is a general-purpose utility for reading and writing TCP and UDP connections, available for both Windows and Linux. Because it can bind a shell to a listening port, attackers commonly use it as a backdoor on compromised servers; it does not report which ports a host has open.
The ipconfig command only provides network adapter information such as the IP address of the server.
The ip command is a replacement to the ifconfig command that is used on Linux servers. It serves the same functionality as the ipconfig command used on the Windows operating system.
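The netstat check described above can be scripted so that the two things the admin cares about (which ports are listening, and which established sessions go somewhere they should not) fall out of the output directly. This is an added example for these flashcards, not part of the original card set; the `netstat -ano` text is constructed to mimic the Windows column layout, and the RFC 1918 ranges used to define "internal" are an assumption an organization would replace with its own address plan.

```python
"""Triage the output of `netstat -ano` on a Windows host: list listening
ports and flag established connections to addresses outside the
organization's own ranges. The netstat output below is constructed for
this example, not captured from a real server."""
import ipaddress

# Constructed sample, in the column layout netstat -ano uses on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    10.0.0.12:49812        10.0.0.5:445           ESTABLISHED     4
  TCP    10.0.0.12:49920        203.0.113.44:4444      ESTABLISHED     6120
  TCP    [::]:135               [::]:0                 LISTENING       920
  UDP    0.0.0.0:500            *:*                                    2312
"""

# Address space the organization considers internal (assumption for the
# example: RFC 1918 plus loopback). Anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_endpoint(endpoint):
    """Split 'host:port' (IPv4, '[::]:135' IPv6, or '*:*') into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if len(parts) == 5:                      # TCP: proto local foreign state pid
            proto, local, foreign, state, pid = parts
        else:                                    # UDP has no state column
            proto, local, foreign, pid = parts
            state = ""
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        conns.append({"proto": proto, "local_host": lhost, "local_port": lport,
                      "remote_host": fhost, "remote_port": fport,
                      "state": state, "pid": int(pid)})
    return conns


def listening_ports(conns):
    """Ports accepting traffic: TCP sockets in LISTENING, and every bound UDP socket."""
    return sorted({(c["proto"], c["local_port"]) for c in conns
                   if c["state"] == "LISTENING" or c["proto"] == "UDP"})


def is_internal(host):
    """True for loopback, unspecified (0.0.0.0 / ::) and the INTERNAL_NETS above."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                           # '*' or an empty host
        return True
    return (addr.is_loopback or addr.is_unspecified
            or any(addr in net for net in INTERNAL_NETS))


def suspect_connections(conns, allowed_remote_ports=(80, 443)):
    """Established TCP sessions to external addresses on ports other than
    the ones ordinary outbound web traffic would use."""
    return [c for c in conns
            if c["proto"] == "TCP" and c["state"] == "ESTABLISHED"
            and not is_internal(c["remote_host"])
            and c["remote_port"] not in allowed_remote_ports]


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(conns))
    for c in suspect_connections(conns):
        print(f"suspect: PID {c['pid']} -> {c['remote_host']}:{c['remote_port']}")
```

The PID column is what makes `-ano` more useful than plain `netstat`: once a suspect session is found, `tasklist /FI "PID eq 6120"` (or Task Manager) ties it to the owning process.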
A security event popped up, alerting security of a suspicious user gaining access to and copying files from the %SystemRoot%\NTDS\ file path on a server. What is the user trying to do?
Gather employee login credentials.
The %SystemRoot%\NTDS\NTDS.DIT file is the Active Directory database. It holds the password hashes of every domain account; combined with the boot key from the SYSTEM registry hive, those hashes can be extracted offline and cracked or replayed. Employees use their domain credentials to log in and reach corporate information, so copying this file is credential theft against the whole domain.
BitLocker recovery keys are stored with the associated computer account object in Active Directory and are viewable in the object’s properties. That is a different location from the NTDS.DIT file.
A brute force attack tries every possible password until one matches; dictionary and rainbow table attacks are related but distinct techniques that use precompiled word lists and hash tables against naïvely chosen passwords. In this scenario only a file copy has occurred, so no cracking has yet taken place.
Proprietary company information is not normally stored under %SystemRoot%, which holds the operating system's own files; the NTDS folder in particular exists only on domain controllers and contains the directory database, not business documents.
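The alert in this scenario is the kind of thing a file-access audit rule on a domain controller produces. As an added example for these flashcards (not part of the original cards, and not tied to any particular SIEM), the code below runs a small detection over constructed Windows object-access events (event ID 4663, reduced to a few of its real fields) and scores a user higher when the same user reads both the NTDS files and the SYSTEM hive, since both are needed to recover domain hashes offline. The users, processes and paths are invented for the example.

```python
"""Detect reads of the Active Directory database (ntds.dit) and of the
SYSTEM registry hive in Windows object-access audit events (event ID 4663).
The event records below are constructed for this example and reduced to a
few of the fields a real 4663 event carries; they are not real log data."""

# Constructed events: EventID, SubjectUserName, ProcessName, ObjectName.
EVENTS = [
    {"EventID": 4624, "SubjectUserName": "jdoe", "ProcessName": "-",
     "ObjectName": "-"},                                        # logon, not file access
    {"EventID": 4663, "SubjectUserName": "jdoe",
     "ProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ObjectName": "C:\\Windows\\NTDS\\ntds.dit"},
    {"EventID": 4663, "SubjectUserName": "jdoe",
     "ProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ObjectName": "C:\\Windows\\System32\\config\\SYSTEM"},
    {"EventID": 4663, "SubjectUserName": "backupsvc",
     "ProcessName": "C:\\Program Files\\Backup\\agent.exe",
     "ObjectName": "C:\\Windows\\NTDS\\edb.log"},
    {"EventID": 4663, "SubjectUserName": "alice",
     "ProcessName": "C:\\Windows\\explorer.exe",
     "ObjectName": "C:\\Users\\alice\\Documents\\notes.txt"},
]


def classify_object(path):
    """Return 'ntds' for anything under an \\NTDS\\ folder (the database and
    its transaction logs) or a file named ntds.dit, 'system_hive' for the
    SYSTEM registry hive (needed to decrypt the stored hashes), else None.
    Matching is case-insensitive, so a copy read through a volume shadow
    copy path that still contains \\Windows\\NTDS\\ is caught as well."""
    p = path.lower()
    if "\\ntds\\" in p or p.endswith("ntds.dit"):
        return "ntds"
    if p.endswith("\\system32\\config\\system"):
        return "system_hive"
    return None


def detect_ntds_access(events):
    """Group sensitive 4663 reads per user and score them: a user who touches
    both the NTDS files and the SYSTEM hive has everything needed to extract
    every domain hash ('high'); NTDS files alone is 'medium' and needs
    triage, because legitimate backup agents also read them."""
    per_user = {}
    for ev in events:
        if ev["EventID"] != 4663:
            continue
        kind = classify_object(ev["ObjectName"])
        if kind is None:
            continue
        rec = per_user.setdefault(ev["SubjectUserName"],
                                  {"kinds": set(), "objects": [], "processes": set()})
        rec["kinds"].add(kind)
        rec["objects"].append(ev["ObjectName"])
        rec["processes"].add(ev["ProcessName"])

    alerts = []
    for user, rec in sorted(per_user.items()):
        if "ntds" not in rec["kinds"]:
            continue            # the SYSTEM hive alone is read by many benign tools
        severity = "high" if "system_hive" in rec["kinds"] else "medium"
        alerts.append({"user": user, "severity": severity,
                       "objects": rec["objects"],
                       "processes": sorted(rec["processes"])})
    return alerts


if __name__ == "__main__":
    for a in detect_ntds_access(EVENTS):
        print(f"[{a['severity']}] {a['user']} via {a['processes']}: {a['objects']}")
```

For this rule to fire at all, the NTDS folder must carry a SACL that audits read access, and the "Audit File System" subcategory must be enabled on the domain controllers; without that, 4663 events for these paths are never written.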
Which password cracking tool comes with a password sniffing tool and is compatible with Windows computers?
Cain and Abel
Cain and Abel is used to recover Windows passwords and includes a password sniffing utility.
John the Ripper is compatible with multiple platforms such as Windows, Mac OS X, Solaris, and Android, and is primarily an offline password hash cracker; it does not include a sniffer.
THC Hydra is an online brute-force tool used against remote authentication over protocols such as Telnet, FTP (File Transfer Protocol), HTTPS (Hypertext Transfer Protocol Secure), SMB (Server Message Block), etc.
Aircrack-ng is used to capture wireless traffic and recover WEP (Wired Equivalent Privacy) keys and WPA/WPA2 (Wi-Fi Protected Access) pre-shared keys; it targets wireless networks rather than Windows passwords.
A hacker obtained the 24-bit prefix of several network interface MAC (media access control) addresses. From this information, the hacker notated that the target company has Cisco and Dell devices. What type of attack technique did the hacker use?
OUI grabbing
OUI (Organizationally Unique Identifier) grabbing is comparable to banner grabbing or OS fingerprinting. The OUI, the first 24 bits of a MAC address, identifies the manufacturer of the network adapter, which supports inferences about the system type and purpose (a Cisco OUI suggests network infrastructure, a Dell OUI a workstation or server).
OS (operating system) fingerprinting is a method used by Nmap to probe hosts for running OS type and version, and even application names and device type (e.g., laptop or virtual machine).
Packet injection refers to injecting forged or spoofed network traffic. Often, network sniffing software libraries allow frames to be inserted into the network stream in this manner.
Side-channel attacks recover secrets from the physical behavior of a cryptographic implementation (timing, power consumption, electromagnetic emissions) and are not applicable to this scenario.
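The attacker's step in this scenario is mechanical: take each observed MAC address, normalize it, cut off the first 24 bits and look the prefix up in the IEEE registry. The code below is an added example for these flashcards, not part of the original cards. The three OUI assignments in its table are real IEEE MA-L entries typed in for the example (the table is a tiny excerpt, not the registry), and the observed MAC list is constructed. It also handles the case the flashcard does not mention: a MAC with the locally administered bit set (randomized Wi-Fi addresses, many virtual machines) carries no vendor OUI, so the lookup must not be trusted for it.

```python
"""OUI (first 24 bits of a MAC address) extraction and vendor inference,
the technique the flashcard calls OUI grabbing. OUI_TABLE is a small
excerpt of real IEEE MA-L assignments typed in for this example; it is
not a complete registry. OBSERVED_MACS are constructed sample addresses."""
import re

OUI_TABLE = {
    "00000C": "Cisco Systems, Inc",
    "001422": "Dell Inc.",
    "005056": "VMware, Inc.",
}

# Constructed list, as it might be collected from ARP replies or a switch's MAC table.
OBSERVED_MACS = [
    "00:00:0C:12:34:56",
    "00-14-22-AB-CD-EF",
    "0014.22aa.bb01",        # Cisco IOS dotted notation
    "00:50:56:9A:00:01",
    "02:42:AC:11:00:02",     # locally administered (U/L bit set)
]

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac):
    """Accept 00:00:0c:aa:bb:cc, 00-00-0C-AA-BB-CC or Cisco 0000.0caa.bbcc;
    return 12 upper-case hex digits, or raise ValueError."""
    digits = re.sub(r"[:\-.\s]", "", mac).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def oui(mac):
    """The OUI is the first three octets (24 bits)."""
    return normalize_mac(mac)[:6]


def mac_flags(mac):
    """The two low bits of the first octet carry meaning: bit 0 set means a
    group/multicast address, bit 1 set means locally administered, i.e. the
    prefix was not assigned by the IEEE and identifies no vendor."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return {"multicast": bool(first_octet & 0x01),
            "locally_administered": bool(first_octet & 0x02)}


def identify_vendor(mac):
    if mac_flags(mac)["locally_administered"]:
        return "locally administered (no vendor OUI)"
    return OUI_TABLE.get(oui(mac), "unknown OUI " + oui(mac))


def inventory(macs):
    """Vendor counts for a list of observed MACs: the attacker's summary
    ('the target has Cisco and Dell devices')."""
    counts = {}
    for mac in macs:
        vendor = identify_vendor(mac)
        counts[vendor] = counts.get(vendor, 0) + 1
    return counts


if __name__ == "__main__":
    for vendor, n in sorted(inventory(OBSERVED_MACS).items()):
        print(f"{n:3d}  {vendor}")
```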
Management wants to create a fake network with similar network security boundaries as the operational network. This fake network will host a few servers and will be near the DMZ (Demilitarized Zone). Which of the following solutions will allow an administrator to gather information about how an attacker penetrates a network of working servers and services, while the attack happens?
Honeynet
A honeynet is a whole network, which can be simulated, to attract attackers, with the intention of analyzing attack strategies and tools and to provide early warnings of attack attempts.
A NIDS (network intrusion detection system) provides real-time analysis of network traffic and raises alerts on suspicious patterns; analysis of system and application logs is the job of a host-based IDS. Neither is built to let an attacker in and observe the full attack.
A honeypot is similar in purpose to a honeynet, but represents only a single computer system. It is best for analyzing penetration techniques against one host, for example a Windows server.
Firewalls are the devices principally used to implement security zones, such as intranet, DMZ, and the Internet. The basic function of a firewall is traffic filtering.
A network administrator’s computer desktop is full of network security tools that are useful for patching and hardening the network. However, after an audit, the admin recently discovered a Wireshark application, which alarmed management. What is it about Wireshark that makes management apprehensive about having it on company computers? (Select two)
Can eavesdrop on network communication
Can scan a network for open ports
A protocol analyzer such as Wireshark facilitates eavesdropping, a valuable reconnaissance technique. It decodes each captured frame to show its contents in a readable format, including any credentials or data sent in cleartext.
Wireshark sends no probes itself, but decoded packets reveal the protocol in use and the port it runs on. A host that answers a connection request (for TCP, a SYN/ACK) has that port open, so a capture taken on a network lists its open services without an active scan.
A sniffer is a tool that captures frames moving over the network medium, cabled or wireless. Once captured, the protocol analyzer decodes the data and makes sense of the information. Wireshark both sniffs and analyzes captured packets.
Blocking a connection is an action performed by a firewall or NIPS (network intrusion prevention system), not by a protocol analyzer.
Which procedure would a government agency prefer to use, to completely destroy top secret documentation removed from basement file cabinets?
Incinerate
Incineration is the process of destroying something by burning. Burning paper documents will leave no trace of top-secret information.
Degaussing is the process of exposing a computer disk to a powerful electromagnet that disrupts the magnetic pattern that stores the data. This option will destroy electronic documents stored on the disk.
Wiping is the process of writing zeroes and ones in a random pattern over existing data on the disk, to render the electronic information unrecoverable. This option is applicable to electronic documents.
A low-level format rewrites the disk's sector layout and resets it to factory condition; on modern drives this is a manufacturer operation, with ATA Secure Erase the closest user-level equivalent. Either way, this option applies to electronic data on a disk, not to paper.
Steganography is a technique for hiding data within other data. Typically, information embeds in the least expected places. Which of the following are examples of steganography? (Select three)
Embed a watermark on bank notes
Encode message within TCP packet data
Change the least significant bit of image pixels
Embedding a watermark using the design and color of bank notes is an example of steganography. This method is employed by the Counterfeit Deterrence System (CDS) and can be used for anti-counterfeiting efforts.
Encoding messages within TCP packet data fields to create a covert message channel is an example of steganography.
Changing the least significant bit of pixels in an image file (the cover file) is another example. This can code a useful amount of information, without distorting the original image noticeably.
IPsec (IP Security) is used to secure data as it travels across the network or the Internet; it is encryption, not steganography. Running in tunnel mode, IPsec encrypts the whole IP packet (header and payload) and adds a new IP header.
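The least-significant-bit method described above is short enough to show end to end. The code below is an added example for these flashcards, not part of the original cards: it treats a byte array of pixel channel values as the cover, hides a message in the lowest bit of each byte behind a small length header, and extracts it again. The cover "image" is constructed from a seeded pseudo-random generator so the example runs without an image library; raw RGB samples from a real file would work the same way.

```python
"""Least-significant-bit steganography over a byte array of pixel channel
values: each cover byte gives up its lowest bit, so no channel value
changes by more than 1. COVER is constructed with a seeded PRNG for this
example; any bytes (e.g. raw RGB samples from a real image) would do."""
import random


def _to_bits(data):
    """Bytes -> list of bits, most significant bit first."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def _from_bits(bits):
    """List of bits (length multiple of 8) -> bytes."""
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def capacity_bytes(cover):
    """Payload bytes the cover can carry after the 4-byte length header."""
    return len(cover) // 8 - 4


def embed(cover, payload):
    """Hide payload in the LSBs of cover, prefixed with a 32-bit big-endian
    length so extract() knows where the message ends."""
    header = len(payload).to_bytes(4, "big")
    bits = _to_bits(header + payload)
    if len(bits) > len(cover):
        raise ValueError(f"cover holds {capacity_bytes(cover)} payload bytes, "
                         f"payload is {len(payload)}")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit     # clear the LSB, then set it
    return bytes(stego)


def extract(stego):
    """Read the length header, then exactly that many payload bytes."""
    length = int.from_bytes(_from_bits([b & 1 for b in stego[:32]]), "big")
    return _from_bits([b & 1 for b in stego[32:32 + 8 * length]])


def max_channel_delta(cover, stego):
    """Largest change to any channel value; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: 1024 single-channel samples (e.g. a 32x32 grayscale image).
_rng = random.Random(1234)
COVER = bytes(_rng.randrange(256) for _ in range(1024))


if __name__ == "__main__":
    secret = b"meet at dawn"
    stego = embed(COVER, secret)
    print("capacity:", capacity_bytes(COVER), "bytes")
    print("max change per sample:", max_channel_delta(COVER, stego))
    print("recovered:", extract(stego))
```

The detection side follows from the same property: natural images have LSB planes that are not uniformly random, so a statistical test on the LSBs (or simply comparing against the original file, when one is available) exposes this kind of embedding even though the picture looks unchanged.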
A local environment includes modern servers with Windows Server 2012 R2, along with some legacy systems using Windows Server 2003. A security administrator has concerns about the legacy servers and the weakness of the LAN Manager (LM) password hashes they still store and use for authentication. What are the organization’s best options to improve authentication? (Select two)
Fresh install of Windows Server 2008 R2
Kerberos
Kerberos is the preferred authentication method in a Windows domain, using a ticket-granting system to log in and access resources on the network, and it does not rely on LM hashes at all.
A fresh install ensures that the core services and settings of a Windows Server 2008 R2 operating system are working and authentic. Storage of LM hashes is disabled by default starting with Windows Server 2008.
Windows server upgrade paths are not always clean. A system upgraded in place from Windows Server 2003 to Windows Server 2008 R2 may still carry residual system files and settings (including stored LM hashes) from Windows Server 2003.
NTLM (NT LAN Manager) and NTLMv2 provide stronger session key generation for signing and sealing than LM. However, they remain exposed to relay (man-in-the-middle) and pass-the-hash attacks, so they are an improvement over LM rather than a best option.
Network administrators look for ways to map out their network to find rogue devices. The admins would prefer a solution with a UI or user interface to manage and view the map. Which of the following tools and features will provide a useful report of devices on the network? (Select more than one)
Zenmap
--traceroute
Zenmap is the GUI (Graphical User Interface) front end for Nmap, the Nmap Security Scanner, which uses diverse methods of host discovery.
Using the --traceroute switch with Zenmap, the scan records the path to each target IP address, and Zenmap's Topology view presents the routes graphically, like a map.
The basic syntax of an nmap command is to give the IP subnet (or IP address) to scan. When run without switches as a privileged user, host discovery sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request to determine whether a host is present. This is a command line view.
Nmap, by default, does a host discovery and port scan. Using a -sn switch suppresses the port scanning.
The security administrator at a brand-new company proposes the use of vulnerability scanners to find common targets. The admin suggests using a method that will not use up a lot of bandwidth on the network and does not need direct or privileged access. What type of scanning may this security administrator be proposing? (Select two)
Passive scanning
Non-credentialed scanning
A scanning technique to passively test security controls operates by sniffing network traffic to identify assets communicating on the network, service ports used, and potentially some types of vulnerabilities.
A non-credentialed scan is one that proceeds without being able to log on to a host. Consequently, the only view obtained is the one that the host exposes to the network.
Active scanning techniques involve making a connection to the target host. This might mean authenticating and establishing a session with the host or running an agent on a host.
A credentialed scan is given a user account with logon rights to various hosts. This method allows much more in-depth analysis, especially in detecting when applications or security settings may be misconfigured.
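The distinction between passive and active scanning, and the earlier flashcard's point that a protocol analyzer can reveal open ports without probing, both reduce to one rule: a SYN/ACK seen on the wire means that host is listening on that port, and a RST answering a SYN means it is not. The code below is an added example for these flashcards, not part of the original cards or of any scanner; it builds a host and service inventory from constructed packet summaries of the kind a sniffer shows (source, source port, destination, destination port, TCP flags), sending nothing itself.

```python
"""Passive service discovery: infer which hosts and listening ports exist
from observed TCP handshakes alone, without sending a single probe. This
is what a sniffer or protocol analyzer lets you read off a capture, and
what 'passive scanning' means. PACKETS are constructed summaries
(src, sport, dst, dport, TCP flags) for this example, not a real capture."""

PACKETS = [
    ("10.0.0.20", 51000, "10.0.0.5", 445, "S"),
    ("10.0.0.5", 445, "10.0.0.20", 51000, "SA"),    # 10.0.0.5 listens on 445
    ("10.0.0.20", 51000, "10.0.0.5", 445, "A"),
    ("10.0.0.20", 51001, "10.0.0.5", 23, "S"),
    ("10.0.0.5", 23, "10.0.0.20", 51001, "RA"),     # 23 is closed on 10.0.0.5
    ("10.0.0.7", 40222, "10.0.0.9", 80, "S"),
    ("10.0.0.9", 80, "10.0.0.7", 40222, "SA"),      # 10.0.0.9 listens on 80
    ("10.0.0.7", 40223, "10.0.0.9", 8080, "S"),     # no reply seen
    ("10.0.0.31", 3389, "10.0.0.20", 52000, "SA"),  # reply seen without its SYN
]


def passive_inventory(packets):
    """Return {host: {"open": set, "closed": set, "unanswered": set}}.

    SYN/ACK from host:port    -> that port is open on host.
    RST/ACK answering a SYN   -> that port is closed on host.
    SYN that is never answered -> 'unanswered' (filtered, dropped, or the
                                  reply did not cross our capture point).
    Every address seen is recorded as an asset, even if it only sent traffic."""
    inv = {}

    def entry(host):
        return inv.setdefault(host, {"open": set(), "closed": set(), "unanswered": set()})

    pending = {}   # (client, cport, server, sport) for SYNs still awaiting a reply
    for src, sport, dst, dport, flags in packets:
        entry(src)
        entry(dst)
        if flags == "S":
            pending[(src, sport, dst, dport)] = True
        elif flags == "SA":
            entry(src)["open"].add(sport)
            pending.pop((dst, dport, src, sport), None)
        elif flags == "RA":
            # Only count a reset as 'closed' when we saw the SYN it answers;
            # an unsolicited RST tells us nothing reliable about the port.
            if pending.pop((dst, dport, src, sport), None):
                entry(src)["closed"].add(sport)

    for (_, _, server, port) in pending:
        entry(server)["unanswered"].add(port)
    return inv


def hosts_seen(packets):
    """All assets communicating on the segment, listening or not."""
    return set(passive_inventory(packets))


if __name__ == "__main__":
    for host, ports in sorted(passive_inventory(PACKETS).items()):
        print(host, "open:", sorted(ports["open"]), "closed:", sorted(ports["closed"]),
              "unanswered:", sorted(ports["unanswered"]))
```

The limits of the method are visible in the sample: the sniffer only learns about ports that some client actually talked to during the capture, and it cannot tell a filtered port from a reply it never saw. An active (non-credentialed) scan closes that gap by probing every port itself, at the cost of bandwidth and of being noticed.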
Which of the following will make data nearly impossible to recover on a hard disk drive (HDD) using basic recovery software?
Drilling holes
Drilling holes through a physical hard drive destroys the spinning platters and the mechanism that reads them. Physical destruction like this renders the disk unusable and puts the data beyond the reach of ordinary recovery software, though a forensic lab may still read fragments of intact platter surface.
Encryption technologies, like Windows BitLocker, encrypt whole hard drives. However, an encrypted disk is fully recoverable by anyone holding the recovery key or password, so encryption alone does not destroy the data.
Disk formatting creates a new file system on the disk. Formatting an already used hard drive does not wipe the data; a quick format only rewrites the file system structures, leaving the old data blocks in place (and recoverable) until the operating system overwrites them.
A CD shredder is useful to shred CDs, making them unusable and unrecoverable. There are hard drive shredders available for use.
After a recent hurricane, the company realizes that it is not ready to resume services of their online products immediately after the weather event. IT (Information Technology) management must develop an architectural solution to this dilemma. Which of the following will provide the best solution? (Select two)
Stand up a hot site
Create a failover process
The company can configure its services to fail over from the current site to an alternate processing site (recovery site) when the current site is no longer available.
A hot site can be described as an alternate processing site. Services at the main site can failover immediately to a hot site and will have duplicate services running.
A warm site can be described as a site with the necessary resources, but services will need to be loaded and/or manually activated. Typical recovery may take a few hours to a day.
Scheduled backups are a common configuration and should already be in place prior to planning a disaster recovery scenario. Backups can be restored at a recovery site.