2.3 Given a scenario, troubleshoot common security issues Flashcards

1
Q

What type of attack takes content from a local system, encrypts it and sends it to the attacker’s server via HTTP over port 80?

A

Data exfiltration

Data exfiltration is the unauthorized copying or retrieval of data from a system. Data exfiltration attacks are one of the primary means for attackers to retrieve valuable data, often destined for later sale on the black market.

DDoS (distributed denial of service) is an attack that uses multiple compromised computers (a “botnet” of “zombies”) to launch the attack.

A denial of service (DoS) attack causes a service at a given host to fail or to become unavailable to legitimate users.

An input validation attack passes invalid data to the application; because the routine’s input handling is inadequate, the application (or even the OS) behaves in an unexpected way.

2
Q

Analyze the statements and select the best actions involved in ensuring compliance with license agreements. (Select more than one)

A

Ensure compliance with the terms for open source licensing.

Identify per-seat or per-user compliance with licensed software.

Identify unlicensed and unauthorized software installed on clients, servers, and VMs.

Identify unlicensed and unauthorized software installed on clients, servers, and VMs. Ideally, privilege management and change-controlled instances would prevent this from happening.

Be prepared for vendor audits, which involve allowing the vendors, or their nominated third party, to access the customer’s systems to audit license usage.

The complex nature of client access licensing means that many companies over-allocate seats compared to what their license agreement allows, so it is important to identify per-seat or per-user compliance.

If open source code is reused (whether in commercial or in-house software), the product must be distributed in compliance with the terms of the original open source license.

3
Q

Analyze and select the statements that accurately distinguish the differences between Mean Time to Failure (MTTF) and Mean Time Between Failures (MTBF). (Select two)

A

The MTBF and MTTF calculations are different for the same tests.

Non-repairable assets use an MTTF, while an MTBF would describe a server.

MTTF should be used for non-repairable assets, while a server (which could be repaired by replacing the hard drive) would be described with an MTBF.

MTTF and MTBF can be used to determine the amount of asset redundancy a system should have.

The calculation for MTBF is the total time divided by the number of failures. The calculation for MTTF, for the same test, is the total time divided by the number of devices.

Mean Time to Repair (MTTR) is a measure of the time taken to correct a fault so that the system is restored to full operation. Neither MTTF nor MTBF measures this.

4
Q

An employee has an urgent deadline to meet, but does not have the appropriate software on the system for the task. The employee does not want to go through the process of getting the software approved, and downloads it onto the computer. The IT department finds the unauthorized software on the computer and begins an investigation into how the employee was able to install the software. Evaluate the statements and select the actions the IT department must perform to prevent future unauthorized software downloads. (Select more than one)

A

Verify user privileges and access controls on the host system.

Check event logs and browsing history.

Place the host system and software in a sandbox before analyzing its running state.

Determining whether the package should be added to the whitelist is done through the approval process, before it is installed on the system.

The IT department will need to put the host system and software in a sandbox before analyzing its running state.

The IT department will need to check the event logs and browsing history to determine the source of the unauthorized software.

The IT department will need to verify the user’s privileges and access controls on the host system, to re-secure permissions and to determine whether the privileges to install software were mistakenly given to the employee.

5
Q

The IT department receives a phone call from an employee who is having an issue signing into the network. What can the IT department do to troubleshoot this problem? (Select two)

A

Ensure that authentication servers are connected to the network and can communicate with other resources.

Verify that date/time settings are synchronized on both servers and clients.

A primary thing to check in an authentication issue is that the authentication servers are connected to the network and can communicate with other resources.

Time synchronization is important for managing, securing, planning and debugging a network. Therefore, it is important to verify that the date/time settings on servers and clients are synchronized.

The use of a secure remote protocol, like Secure Shell (SSH), prevents accounts from becoming insecure.

The use of SSL/TLS (Secure Sockets Layer/Transport Layer Security) to secure communications with any compatible protocol prevents accounts from becoming insecure.

6
Q

The client is having a problem with the newly-installed certificate. An IT admin notes that the configured certificate is correct. Examine the following troubleshooting procedures to determine which actions apply to this situation. (Select more than one)

A

Install a root and intermediate CA certificate on the client.

Check that the client’s configuration is with the appropriate chain of trust.

Check for synchronization of the time and date settings on both the server and the client.

If troubleshooting a new certificate that is correctly configured, check that the client has been configured with the appropriate chain of trust.

Before a leaf certificate can be trusted, root and intermediate CA certificates should be installed on the client. Be aware that some client applications might maintain a different certificate store to that of the OS.

Verify that the time and date settings on the server and client are synchronized. Incorrect date/time settings are a common cause of certificate (and other) problems.

If the problem is with an existing certificate that has been working previously, check that the certificate has not expired and has not been revoked or suspended.

7
Q

A person stands outside a building impersonating a delivery driver. When an employee gains access to the building with security credentials, the attacker (carrying a package) asks the employee to hold the door open, which gives the impersonator access to the building. What type of social engineering is this?

A

Tailgating is a means of entering a secure area without authorization by following close behind a person who has been allowed to open the door or checkpoint.

Phishing is a type of email-based social engineering attack, in which the attacker sends an email from a supposedly reputable source.

Pharming is redirecting users from a legitimate website to a malicious one. Rather than using social engineering techniques to trick the user, pharming relies on corrupting the way the victim’s computer performs.

Shoulder surfing refers to stealing a password or PIN (or other secure information) by watching the user type it.

8
Q

What happens to credentials stored or transmitted in cleartext?

A

The account loses its secure status.

9
Q

Analyze and select the statement that accurately identifies the similarity between Mean Time to Failure (MTTF) and Mean Time Between Failures (MTBF).

A

Both MTTF and MTBF can determine the amount of asset redundancy a system should have.

The similarity is that MTTF and MTBF can be used to determine the amount of asset redundancy a system should have. A redundant system can failover to another asset if there is a fault and continue to operate normally.

MTTF should be used for nonrepairable assets, while a server would be described with an MTBF.

The calculation for MTBF is the total time divided by the number of failures. The calculation for MTTF for the same test is the total time divided by the number of devices.

Mean Time to Repair (MTTR) is a measure of the time taken to correct a fault so that the system is restored to full operation. Neither MTTF nor MTBF measures this.

10
Q

A large part of accounting involves automatically logging actions. What purpose does logging serve? (Select more than one)

A

The logs can detect intrusions or attempted intrusions.

Logging accounts for all actions performed by users.

Accounting for all actions that have been performed by users. Change and version control systems depend on knowing when a file has been modified and by whom.

Detecting intrusions or attempted intrusions. Records of failure-type events are likely to be more useful, although success-type events can also be revealing if they show unusual access patterns.

When a log reaches its allocated size, it will start to overwrite earlier entries. This means that some system of backing up logs will be needed, to preserve a full accounting record over time.

The more events that are logged, the more difficult it is to analyze and interpret the logs.

11
Q

Where do most companies and employees post a large amount of information about themselves and their businesses, information that attackers can use to exploit the vulnerabilities of the business?

A

Social Media

Most companies and the individuals that work for them publish a large amount of information about themselves on the web and on social media sites like Facebook, LinkedIn, Twitter, Instagram and YouTube.

The deep web is where cyber threat actors, such as organized crime and hacktivists, exchange information beyond the reach of law enforcement.

Dark net is a type of deep web, established as an overlay to Internet infrastructure by software that acts to anonymize usage and prevent a third party from knowing about the existence of the network or analyzing any activity taking place over the network.

The dark web is another type of deep web that has sites, content and services accessible only over a dark net.

12
Q

When a system no longer aligns with the established baseline, what should a network administrator consider when troubleshooting? (Select more than one)

A

Check patches and other updates

The system may drift over time

Check for malicious intent

The state of a system will drift over time as a result of normal operations. This does not necessarily indicate that an attack has taken place.

The nature of a baseline deviation may reveal malicious intent. A system that is supposed to be shut off from remote access and suddenly has Telnet installed and activated is a cause for concern.

Patches and other updates may cause the baseline to become outdated, prompting the administrator to update the baseline.

Multiple critical systems with the same or similar baseline deviations will require swift remediation and can affect the baseline alignment.

14
Q

Company policy states that employees must use the Internet responsibly and productively. Limited Internet access applies only to job-related activities, prohibiting personal use. When an employee violates this policy, what corrective action should take place?

A

Incident response procedures

When an employee or a contractor violates company policies, it is necessary to follow incident response procedures, rather than act impulsively.

If the violation was accidental, there might be disciplinary action or simply a recommendation for re-training, depending on the seriousness of the violation.

If it is suspected that the violation constituted a malicious insider threat, a forensic investigation to gather appropriate evidence might be required.

The disciplinary actions depend on assessing whether the violation was accidental or intentional, and determining the severity of the violation. Terminating an employee is not the first course of action.

When an employee violates company policy, it is necessary to investigate the incident and follow the incident response procedures.

15
Q

What allows administrators to identify and troubleshoot serious log and event anomalies promptly?

A

Automated alert or alarm

If a threshold is exceeded (a trigger), an automated alert or alarm notification must take place. A low priority alert may simply be recorded in a log. A high priority alarm will create an active notification, such as emailing a system administrator or triggering a physical alarm signal.

Thresholds are points of reduced or poor performance or change in configuration (compared to the baseline) that generate an administrative alert.

A baseline establishes (in security terms) the expected pattern of operation for a server or network.

Not all security incidents will be revealed by a single event. One of the features of log analysis and reporting software should be to identify trends.

16
Q

What techniques should an IT administrator use to determine when employees use their unique knowledge of the organization to exploit it for personal gain? (Select two)

A

Conduct an exit interview and thoroughly offboard the terminated employee.

Regularly review and audit privileged users’ activities.

If a disgruntled employee uses their unique knowledge of the organization to exploit it for personal gain, then they should be terminated, and a regular review and audit of privileged users’ activities should be performed.

When personnel violate an organization’s policy and engage in unacceptable use of systems, data, and the network, then training should be conducted to better inform personnel of the policy to foster a culture of cybersecurity.

When personnel use social media and personal email accounts in ways that bring risk to the organization, the employee needs to be reminded of the social media policy and that divulging too much information can help attackers infiltrate the system.

17
Q

An attacker contacted someone through a dating app and said they had previously spoken and had plans to meet up that fell through. The attacker did not meet or talk to this person, but knew the location and descriptions of the person through the dating site. What is this an example of?

A

Cyber stalking

An attacker can “cyber-stalk” his or her victims to discover information about them via Google Search or by using other web or social media search tools.

Dark net is a network established as an overlay to Internet infrastructure by software that acts to anonymize usage and prevent a third party from knowing about the existence of the network or analyzing any activity taking place over the network.

The dark web consists of sites, content, and services accessible only over a dark net. This is a place where cyber criminals can securely exchange information.

A kill chain is a model for describing the general process of an attack on a system’s security, not the actual attack.

18
Q

Many breaches have taken place in recent years. Assess what kinds of vulnerabilities may have caused these breaches.

A

Weak or misconfigured security configurations

19
Q

Security is one of the main concerns for any company’s IT infrastructure. When a trigger happens, a system administrator receives an alert or alarm notification. What does this allow the administrator to evaluate as a means to identify and troubleshoot the issue?

A

Log and event anomalies

22
Q

What is the unauthorized copying or retrieval of data from a system referred to as?

A

Data exfiltration

Unauthorized copying or retrieval of data from a system is referred to as data exfiltration. Data exfiltration attacks are one of the primary means for attackers to retrieve valuable data.

Data loss prevention (DLP) products scan content in structured formats, such as a database with a formal access control model, or unstructured formats, such as email or word processing documents.

File integrity monitoring (FIM) software audits key system files to make sure they match the authorized versions.

Unified threat management (UTM) refers to a system that centralizes various security controls (firewall, anti-malware, network intrusion prevention, spam filtering, content inspection, etc.) into a single appliance.

23
Q

An attacker manages to access the email address of an official who works for a high-level government agency. The attacker performed vishing. What technique could the attacker have orchestrated to accomplish this?

A

The attacker made a phone call to get the information about the official’s email.

Vishing describes a phishing attack conducted through a voice channel (telephone or VoIP, for instance). For example, targets could be called by someone purporting to represent their bank asking them to verify a recent credit card transaction and requesting their security details.

In the case of phishing, the attacker sets up a spoof website to imitate a target bank or e‑commerce provider’s secure website or some other web resource that should be trusted by the target.

Spear phishing refers to a phishing scam where the attacker has some information that makes an individual target more likely to be fooled by the attack.

Hoaxes, such as security alerts or chain emails, are another common social engineering technique, often combined with phishing or pharming attacks.

24
Q

An employee has authorized access to the company’s system and intentionally misused the data from that system. What type of attack has occurred?

A

Malicious insider threat

A malicious insider threat occurs when the perpetrator of an attack is a member of, ex-member of, or affiliated with the organization’s own staff, partners, or contractors.

An attacker can “cyber-stalk” his or her victims to discover information about them via Google Search, or by using other web or social media search tools. This information gathering is also referred to as passive reconnaissance.

Social engineering (or “hacking the human”) refers to various methods of getting users to reveal confidential information.

Impersonation (pretending to be someone else) is one of the basic social engineering techniques.

25
Q

Additional software installation on a client or server beyond its baseline requires the use of execution control. What execution control applications prevent the use of unauthorized software? (Select two)

A

Whitelist

Blacklist

Execution control prevents the use of unauthorized software and can be implemented as an application whitelist. With whitelist control, nothing can run if it is not on the approved whitelist.

Enterprise security software applies policies to prevent or manage the use of removable media devices (e.g., memory cards). Removable media control policies would block access to any storage device without encrypted access controls.

Execution control prevents the use of unauthorized software and can also be implemented as an application blacklist. Blacklist control means that anything not on the prohibited blacklist can run.

Hardening is the process of putting an operating system or application in a secure configuration.

26
Q

A company needs to filter traffic passing in and out of their network. What software or hardware should they install?

A

Firewall

A firewall is software or hardware that filters traffic passing into and out of a network segment.

A topology is a description of how a computer network is physically or logically organized.

A DMZ is also referred to as a perimeter network; traffic cannot pass through it directly into the internal network. A DMZ enables external clients to access data on private systems, such as web servers, without compromising the security of the internal network as a whole.

A bastion host is a DMZ host; the name comes from a defensive structure in a castle. The bastion protrudes from the castle wall and enables the defenders to fire at attackers that have moved close to the wall.

27
Q

Most companies and employees use social networking. Which of the following represent social networking? (Select two)

A

Facebook

Twitter

Facebook is a popular, free social networking website that allows registered users to create profiles and upload photos and videos. It is used to keep in touch with family and friends. Many companies and individuals publish huge amounts of information about themselves on Facebook.

Twitter is another free social networking website, a microblogging service that allows registered members to broadcast short posts called “tweets.”

Newspapers are an open source of information, but they are considered traditional media, not social networking.

Television is also an open source of information, but it is considered traditional media, not social networking.

28
Q

Assets support each IT system. What type of assessment can determine the reliability of each asset?

A

Key Performance Indicators (KPI)

Key performance indicators (KPI) can be used to determine the reliability of each asset.

Business impact analysis (BIA) is the process of assessing what losses might occur for each threat scenario.

Single Loss Expectancy (SLE) is the amount that would be lost in a single occurrence of the risk factor. This is determined by multiplying the value of the asset by an Exposure Factor (EF). EF is the percentage of the asset value that would be lost.

Annual Loss Expectancy (ALE) is the amount that would be lost over the course of a year.

30
Q

When security engineers consider attacks against information systems, they think about protecting the technological components of those systems. What non-technological components should security also consider? (Select two)

A

Social engineering

The system’s users

The system’s users are as much a part of an information system as the technological components. Users have their own vulnerabilities, and they can be the first part of the system to succumb to certain types of attacks.

Social engineering should be considered since these are threats against the human factors in the technology environment.

A computer virus is a type of malware designed to replicate and spread from computer to computer, usually by “infecting” executable applications or program code.

Worms are memory-resident viruses that replicate over network resources. A worm is self-contained: it does not need to attach itself to another executable file.

31
Q

What term describes an attacker who gathers information about a victim using social media tools?

A

Cyber stalking

An attacker can “cyber-stalk” victims to discover information about them via Google Search, or by using other web or social media search tools.

Dark net is a network established as an overlay to Internet infrastructure by software that acts to anonymize usage and prevent a third party from knowing about the existence of the network or analyzing any activity taking place over the network.

The dark web consists of sites, content, and services accessible only over a dark net. This is a place where cyber criminals can securely exchange information.

A kill chain is a model for describing the general process of an attack on a system’s security, not the actual attack.

33
Q

The network team must choose the correct firewall to filter traffic between the trusted local network and untrusted external networks. Which firewall should they recommend?

A

Border firewalls

Border firewalls filter traffic between the trusted local network and untrusted external networks, such as the Internet. DMZ (Demilitarized Zone) configurations are established by border firewalls.

Internal firewalls can be placed anywhere within the network, either inline or as host firewalls, to filter traffic flows between different security zones.

Whole network firewalls are put into place to protect the whole network. They are placed inline in the network and inspect all traffic that passes through.

Single host firewalls are installed on the host and only inspect traffic destined for the host.

34
Q

A hacker takes content from a local system, encrypts it with a variation of the Advanced Encryption Standard (AES) and sends it to the attacker’s server via HTTP over port 80. Once the PowerShell code executes, the HTTP POST request is sent to the attacker’s server. Analyze the options to determine what this represents.

A

Data exfiltration

Data exfiltration is the unauthorized copying or retrieval of data from a system. Data exfiltration attacks are one of the primary means for attackers to retrieve valuable data, such as Personally Identifiable Information (PII) or payment information, often destined for later sale on the black market.

DDoS (Distributed Denial of Service) is an attack that uses multiple compromised computers (a “botnet” of “zombies”) to launch the attack.

A Denial of Service (DoS) attack causes a service at a given host to fail or to become unavailable to legitimate users.

An input validation attack passes invalid data to the application, and since the input handling on the routine is inadequate, it causes the application (or even the OS) to behave in an unexpected way.

35
Q

A person’s account needs re-securing each time the credentials get stored or transmitted in cleartext. There are various protocols that can prevent this from happening. Choose the selection that does NOT prevent an account from being insecure.

A

Make sure to store passwords in spreadsheets or database files.

To ensure that the account is secure, users should know that it is not good practice to store passwords in spreadsheets, database files or unencrypted text.

Using a secure remote protocol, such as Secure Shell (SSH), will help ensure that the account is protected.

Using SSL/TLS (Secure Sockets Layer/Transport Layer Security) is one method to secure communications with any compatible protocol (HTTP, email, VoIP, FTP, etc.).

To prevent an account from being insecure, custom apps that are developed need to employ encryption for data at rest, in transit, and in use.

36
Q

Analyze the following scenarios and choose which one best represents tailgating.

A

An employee enters the building using security credentials. While the employee opens the door to gain access, a person pretending to deliver a package follows directly behind the employee, which gives the impersonator access to the building.

Pharming occurs when users are redirected from a legitimate website to a malicious one. Rather than using social engineering techniques to trick the user, pharming relies on corrupting the way the victim’s computer performs.

Example of Pharming

The employees of a company receive an email containing false news about the president of their company. The emails appear to contain a link to a news story about the company president and direct the employees to connect to a web site for more information. When they click on the link, the employees go to one of five different malicious web sites, which infect their machines with malware.

37
Q

What is the function of an asset management database?

A

The asset management database takes inventory and tracks all of the organization’s critical systems.

An asset management process takes inventory of and tracks all of the organization’s critical systems, components, devices, and other objects of value. It also involves collecting and analyzing information about these assets so that personnel can make more informed changes, or otherwise work with assets to achieve business goals.

Threat assessment refers to compiling a prioritized list of probable and possible threats.

Business impact analysis (BIA) is the process of assessing what losses might occur for each threat scenario.

Qualitative risk assessment avoids the complexity of the quantitative approach and is focused on identifying significant risk factors.