2.4 Given a scenario, analyze and interpret output from security technologies. Flashcards
A systems administrator incorporated a software tool on each workstation that can prevent the use of USB (universal serial bus) drives on workstations. Without physically changing the client workstations, what other hardware alternatives can the administrator implement to prevent the use of a removable device? (Select two)
Disable SATA ports
BIOS settings
The BIOS (Basic Input/Output System) can be used to disable the USB ports on the motherboard. This does not require a hardware change, just a configuration update.
It is not possible to safely remove the USB ports without damaging the motherboard itself. However, a USB hub that was installed as a hardware add-on may be removed, but this was not specified as the case.
Along with eSATA (external SATA), normal SATA connections on the motherboard that are not used should be disabled. Drives that are attached via SATA cables are still considered removable media or hard drives.
Removing the CD drive is a physical change that needs to be avoided based on the question.
A new web server and Structured Query Language (SQL) database are deployed. An administrator performs random tests, such as Cross-Site Scripting (XSS) attacks and SQL injection. What is the administrator most likely testing against?
Web application firewall
A web application firewall (WAF) is mainly designed to protect software running on web servers and their backend databases from code injection, denial of service (DoS) attacks, and XSS attacks.
A host-based firewall is a firewall application, like Windows Firewall, that is installed on a host (e.g., workstation). This type of firewall is not attacked by means of a SQL injection or similar.
A DMZ, or demilitarized zone, is the network edge segment that is exposed to the public Internet. This is where a web application firewall may reside, but the attacks mentioned do not target a DMZ.
A content filter is a software application that filters client requests for various types of Internet content (e.g., web).
IT (Information Technology) management considers raising the standards of network security. They would like to improve security at the endpoints. Zero-day attacks are a concern; therefore, a solution that examines processes is the main focus. The solution should be transparent to the user. Which of the following would an ISSO (Information System Security Officer) suggest to meet management’s vision? (Select two)
Intrusion prevention system
On-access virus scanner
A workstation is not working properly and the system admin suspects it has a virus. However, the antivirus scanner does not work. The admin attempts to boot an antivirus app from a USB drive, but the drive is not recognized. Which of the following troubleshooting activities will help load the special antivirus software?
Reconfigure the BIOS settings
The BIOS (Basic Input/Output System) can be used to disable the USB ports on the motherboard. The USB ports must be enabled for the OS (from the USB drive) to load.
PXE boot is another option available to boot workstations from a network operating system image or other environment. However, the system admin wants to load the OS from the USB.
The device ID is useful for specifying which USB devices to put on the exceptions list of a DLP (Data Loss Prevention) rule.
An exception rule on a DLP will benefit a system that is already imaged and part of the network. The system admin is working on a new image and does not recognize a DLP.
A hacker modified a company photo by embedding malicious code in the picture. The hacker emailed the picture to company employees and several employees opened the email. The hacker now has remote access to those employees’ computers. Which of the following can prevent this method of attack?
File integrity monitoring
File integrity monitoring is a feature available in most antivirus software or HIPS (Host-based Intrusion Prevention System). HIPS can capture a baseline of the image using hashing algorithms; any radical change to that image will flag an incident and quarantine the files.
Steganography is a technique for obscuring the presence of a message by embedding it within a file or other entity. In this case, the hacker embedded malicious code.
File encryption may be of use to protect data from being accessed, but these are free images that are consumed by the public.
A protocol analyzer, like Wireshark, is a tool for penetration testing and is not a viable solution for preventing the changing of these free images.
A user reported that the office workstation is running extremely slow. Even after a reboot, the workstation still runs slow. These workstations are configured with SSDs (Solid State Drives) for speed. Also, the antivirus scanner does not report any issues. Which of the following tools would an admin use and why? (Select two)
Look for unknown processes
Process Explorer
Process Explorer is part of the Windows Sysinternals suite of tools. It can filter out the legitimate activity generated by normal operation of the computer.
Unknown processes in the Process Explorer view can help an admin understand the root cause of the computer’s poor performance. These unknown processes may have an unrecognized name or no icon.
The Autoruns tool, which is part of Windows Sysinternals, can also help with hunting down malware on a computer.
Autoruns’ ability to identify startup services and their locations can lead to ways of removing the malware and its rogue services.
The CEO (Chief Executive Officer) noticed, in a Gmail account, a corporate email from the vice president containing PII (Personally Identifiable Information). The CEO immediately called the IT (Information Technology) manager to ask how to prevent this from happening again. What ideas did the IT manager suggest would be the most beneficial?
Implement DLP on the email gateway
A DLP (Data Loss Prevention) system can integrate with a mail gateway server to examine the contents of the email or attachments and determine if it can be sent. This will prevent situations, like the one mentioned, from occurring.
A classification marking, like “Confidential” or “Top Secret,” may help inform the reader of the type of information in the email. However, it will not stop an email from leaving the email gateway.
Email encryption will ensure the contents of the email are only seen by the intended recipient, but a CEO does not need to know PII (Personally Identifiable Information).
Updating the computer user policy will inform users of general guidelines. Employees are still able to choose how to follow those guidelines.
An administrator tries to remotely access a virtual Windows 2016 server, but the connection fails. The admin pings the server and there is no packet loss. Regular services, such as file shares, still work for users. Which of the following is most likely causing the connection failures?
Windows Firewall
Windows Firewall is a host-based firewall application that can set inbound and outbound rules for the system. Windows Firewall has a rule for RDP (Remote Desktop Protocol) connections that may be disabled, which therefore blocks any incoming RDP attempts.
A network intrusion detection system, usually at the network level, could detect all types of connections, like RDP, but does not normally drop connections, even within the internal network.
An antivirus software’s main purpose is to find and remove malicious software. Most basic antivirus software will not block everyday admin tasks that involve RDP connections from an admin workstation.
User privileges will be recognized while logging in. The main issue is trying to create the RDP connection.
Since the company’s recent data leakage incident, management expedited the installation of a DLP (Data Loss Prevention) system. Workstations do not have CD drives. Which of the following is most likely the reason for these extreme and sudden measures?
Prohibit the use of personal devices
Removable media, like a USB drive or even a personal phone, might be a vector for malware, either through the files stored in the media or its firmware.
Removable media can also be used to exfiltrate or remove data from the company systems, and to leak data out to the public or other organizations.
CD drives being removed just for incompatibility reasons is an expensive mistake when planning for hardware, but in this case, it was for security reasons.
Hardware or peripherals that are nearing end of life (EOL) support do not need to be removed from use or inventory. This simply means the manufacturer will no longer provide technical support and/or a warranty.
An HR (Human Resources) representative reported that an email containing the personal information of an employee was sent out by accident to the representative’s friend’s Gmail account. The user asked to retract the email, but the IT (Information Technology) department explained that it could not be done. In what way can the IT department prevent a mistake like this from happening again?
Data Loss Prevention
A hacker infiltrated a commercial stock image company and found a file share full of free images that users could download via a web server. The hacker replaced each image with malicious code, hoping the free images will get downloaded onto unsuspecting users’ computers. Which of the following can prevent this attack method?
File integrity monitoring
Management received a report from the ISSO (Information System Security Officer) about malicious network traffic going in and out of specific ports on the file server. Findings showed encrypted packets using SSL (Secure Sockets Layer). Management asked about the IP addresses for the destinations and sources. Which of the following tools or applications would easily provide the information requested by management?
Protocol analyzer
Knowing that the packets were encrypted implies the admin was already using a protocol analyzer. A tool like Wireshark can capture activity into a file that can be reviewed later. The IP addresses can be retrieved from those captures.
Windows event logs will show Windows-specific errors or successful logins. They will not have any detail on the network traffic going in and out, nor its source and destination IP addresses.
A firewall log will show information about an enforced rule, for example, to deny RDP (Remote Desktop Protocol) sessions. However, a protocol analyzer is more detailed with connection information.
A vulnerability scan identifies vulnerabilities. It cannot determine malicious network activity or its locations.
A new systems administrator works on a new image for a workstation. When working in the lab, the workstation cannot boot from a USB (Universal Serial Bus) drive, which prevents an OS from booting. There is no OS on the system and the computer cannot connect to the network. Other system admins are not available. Which of the following troubleshooting activities will help the system admin the most?
Reconfigure the BIOS settings
Several web servers are deployed in the company’s DMZ (demilitarized zone). Customers can access their accounts, and other product and service information, from these web servers. A system administrator suggests deploying a web application firewall in front of these web servers. What may be the reasons for this? (Select two)
Prevent SQL injections
Prevent DoS attacks
Symantec Endpoint Protection (SEP) is a favorite software tool in both private industry and government. It provides not only malware protection, but also intrusion prevention security. Which of the following features make SEP so versatile? (Select more than one)
Virus and spyware protection
Network and host exploit mitigation
Proactive threat protection
A company set up controls to allow only a specific set of software and tools to be installed on workstations. A user navigates to a software library to make a selection. What is the method that prevents installation of software that is not part of the library known as?
Whitelisting
Execution control to prevent the use of unauthorized software can be implemented as a whitelist. This control means that nothing can run if it is not on the approved whitelist.
Blacklisting is another method of blocking applications. This control means that anything not on the prohibited blacklist can run.
Application hardening is the process of securing an application with settings like changing the default port of service or removing default administrative accounts.
Anti-malware or antivirus focuses on preventing the installation of an application if it is found to contain malicious code.