2.3 Given a scenario, troubleshoot common security issues Flashcards
What type of attack takes content from a local system, encrypts it and sends it to the attacker’s server via HTTP over port 80?
Data exfiltration
Data exfiltration is the unauthorized copying or retrieval of data from a system. Data exfiltration attacks are one of the primary means by which attackers retrieve valuable data, often destined for later sale on the black market.
DDoS (distributed denial of service) is an attack that uses multiple compromised computers (a “botnet” of “zombies”) to launch the attack.
A denial of service (DoS) attack causes a service at a given host to fail or to become unavailable to legitimate users.
An input validation attack passes invalid data to the application, and because the input handling on the routine is inadequate, it causes the application or even the OS to behave in an unexpected way.
Analyze the statements and select the best actions involved in ensuring compliance with a license agreement. (Select more than one)
Ensure compliance with the terms for open source licensing.
Identify per-seat or per-user compliance with licensed software.
Identify unlicensed and unauthorized software installed on clients, servers, and VMs.
Identify unlicensed and unauthorized software installed on clients, servers, and VMs. Ideally, privileged management and change controlled instances would prevent this from happening.
Companies need to prepare for vendor audits by allowing the vendors, or their nominated third party, to access the customer’s systems to audit license usage.
The complex nature of client access type licensing means that many companies over-allocate seats compared to what their license agreement allows, so it is important to identify per-seat or per-user compliance.
If open source code is reused (whether in commercial or in-house software), the product must be distributed in compliance with the terms of the original open source license.
Analyze the statements and select those that accurately distinguish between Mean Time to Failure (MTTF) and Mean Time Between Failures (MTBF). (Select two)
The MTBF and MTTF calculations are different for the same tests.
Non-repairable assets use an MTTF, while an MTBF would describe a server.
MTTF should be used for non-repairable assets, while a server (which could be repaired by replacing the hard drive) would be described with an MTBF.
MTTF and MTBF can be used to determine the amount of asset redundancy a system should have.
The calculation for MTBF is the total time divided by the number of failures. The calculation for MTTF for the same test is the total time divided by the number of devices.
Mean Time to Repair (MTTR) is a measure of the time taken to correct a fault so that the system is restored to full operation. Neither MTTF nor MTBF measures this.
An employee has an urgent deadline to meet, but does not have the appropriate software on the system for the task. The employee does not want to go through the process of getting the software approved, and downloads it onto the computer. The IT department finds the unauthorized software on the computer and begins an investigation into how the employee could install the software. Evaluate the statements and select the actions the IT department must perform to prevent future unauthorized software downloads. (Select more than one)
Verify user privileges and access controls on the host system.
Check event logs and browsing history.
Place the host system and software in a sandbox before analyzing its running state.
The need to determine if the package should be added to the whitelist is something that is done through the approval process, before it is installed on the system.
The IT department will need to put the host system and software in a sandbox before they analyze its running state.
The IT department will need to check the event logs and browsing history, to determine the source of the unauthorized software.
The IT department will need to verify the user’s privileges and access controls on the host system, to re-secure permissions and to determine if the privileges to install software may have mistakenly been given to the employee.
The IT department receives a phone call from an employee who is having an issue signing into the network. What can the IT department do to troubleshoot this problem? (Select two)
Ensure that authentication servers connect to the network and can communicate with other resources.
Verify that synchronization of date/time settings occurs on both servers and clients.
A primary subject to check in an authentication issue is to make sure the authentication servers are connected to the network and can communicate with other resources.
Time synchronization is important for managing, securing, planning and debugging a network. Therefore, it is important to verify that the date/time settings on servers and clients are synchronized.
The use of a secure remote protocol, like Secure Shell (SSH), prevents accounts from becoming insecure.
The use of SSL/TLS (Secure Sockets Layer/Transport Layer Security) to secure communications with any compatible protocol prevents accounts from becoming insecure.
The client is having a problem with the newly-installed certificate. An IT admin notes that the configured certificate is correct. Examine the following troubleshooting procedures to determine which actions apply to this situation. (Select more than one)
Install a root and intermediate CA certificate on the client.
Check that the client’s configuration is with the appropriate chain of trust.
Check for synchronization of the time and date settings on both the server and the client.
If troubleshooting a new certificate that is correctly configured, check that the client has been configured with the appropriate chain of trust.
Before a leaf certificate can be trusted, root and intermediate CA certificates should be installed on the client. Be aware that some client applications might maintain a different certificate store from that of the OS.
Verify that the time and date settings on the server and client are synchronized. Incorrect date/time settings are a common cause of certificate (and other) problems.
If the problem is with an existing certificate that has been working previously, check that the certificate has not expired or has been revoked or suspended.
A person stands outside a building impersonating a delivery driver. When an employee gains access to the building with security credentials, the attacker (carrying a package) asks the employee to hold the door open, which gives the impersonator access to the building. What type of social engineering is this?
Tailgating
Tailgating is a means of entering a secure area without authorization by following close behind a person who has been allowed to open the door or checkpoint.
Phishing is a type of email-based social engineering attack, in which the attacker sends an email from a supposedly reputable source.
Pharming is redirecting users from a legitimate website to a malicious one. Rather than social engineering techniques to trick the user, pharming relies on corrupting the way the victim’s computer performs.
Shoulder surfing refers to stealing a password or PIN (or other secure information) by watching the user type it.
What happens to credentials stored or transmitted in cleartext?
The account loses its secure status.
Analyze the statements and select the one that accurately identifies the similarity between Mean Time to Failure (MTTF) and Mean Time Between Failures (MTBF).
Both MTTF and MTBF can determine the amount of asset redundancy a system should have.
The similarity is that MTTF and MTBF can be used to determine the amount of asset redundancy a system should have. A redundant system can failover to another asset if there is a fault and continue to operate normally.
MTTF should be used for non-repairable assets, while a server would be described with an MTBF.
The calculation for MTBF is the total time divided by the number of failures. The calculation for MTTF for the same test is the total time divided by the number of devices.
Mean Time to Repair (MTTR) is a measure of the time taken to correct a fault so that the system is restored to full operation. Neither MTTF nor MTBF measures this.
A large part of accounting involves automatically logging actions. What purpose does logging serve? (Select more than one)
The logs can detect intrusions or attempted intrusions.
Logging accounts for all actions performed by users.
Accounting for all actions that have been performed by users. Change and version control systems depend on knowing when a file has been modified and by whom.
Detecting intrusions or attempted intrusions. Records of failure-type events are likely to be more useful, although success-type events can also be revealing if they show unusual access patterns.
When a log reaches its allocated size, it will start to overwrite earlier entries. This means that some system of backing up logs will be needed to preserve a full accounting record over time.
The more events that are logged, the more difficult it is to analyze and interpret the logs.
Where do most companies and employees post a large amount of information about themselves and their businesses, which attackers can use to exploit the vulnerabilities of the business?
Social Media
Most companies and the individuals that work for them publish a large amount of information about themselves on the web and on social media sites like Facebook, LinkedIn, Twitter, Instagram and YouTube.
The deep web is where cyber threat actors, such as organized crime and hacktivists, exchange information beyond the reach of law enforcement.
A dark net is a type of deep web, established as an overlay to Internet infrastructure by software that acts to anonymize usage and prevent a third party from knowing about the existence of the network or analyzing any activity taking place over the network.
The dark web is another type of deep web that has sites, content and services accessible only over a dark net.
When a system no longer aligns with the established baseline, what should a network administrator consider when troubleshooting? (Select more than one)
Check patches and other updates
The system may drift over time
Check for malicious intent
The state of a system will drift over time as a result of normal operations. This does not necessarily indicate that an attack has taken place.
The nature of a baseline deviation may reveal malicious intent. A system that is supposed to be shut off from remote access, and suddenly has Telnet installed and activated is a cause for concern.
Patches and other updates may cause the baseline to become outdated, prompting the admin to update the baseline.
Multiple critical systems with the same or similar baseline deviations will require swift remediation and can affect the baseline alignment.
Company policy states that employees must use the Internet responsibly and productively. Internet access is limited to job-related activities only, and personal use is prohibited. When an employee violates this policy, what corrective action should take place?
Incident response procedures
When an employee or a contractor violates company policies, it is necessary to follow incident response procedures, rather than act impulsively.
If the violation was accidental, there might be disciplinary action or simply a recommendation for re-training, depending on the seriousness of the violation.
If it is suspected that the violation constituted a malicious insider threat, a forensic investigation to gather appropriate evidence might be required.
The disciplinary actions depend on assessing whether the violation was accidental or intentional, and determining the severity of the violation. Terminating an employee is not the first course of action.
When an employee violates company policy, it is necessary to investigate the incident and follow the incident response procedures.
What allows administrators to identify and troubleshoot serious log and event anomalies promptly?
Automated alert or alarm
If a threshold is exceeded (a trigger), an automated alert or alarm notification must take place. A low priority alert may simply be recorded in a log. A high priority alarm will create an active notification, such as emailing a system administrator or triggering a physical alarm signal.
Thresholds are points of reduced or poor performance or change in configuration (compared to the baseline) that generate an administrative alert.
A baseline establishes (in security terms) the expected pattern of operation for a server or network.
Not all security incidents will be revealed by a single event. One of the features of log analysis and reporting software should be to identify trends.