2.4 Given a scenario, analyze and interpret output from security technologies. Flashcards

1
Q

A systems administrator incorporated a software tool on each workstation that can prevent the use of USB (universal serial bus) drives on workstations. Without physically changing the client workstations, what other hardware alternatives can the administrator implement to prevent the use of a removable device? (Select two)

A

Disable SATA ports

BIOS settings

The BIOS (Basic Input/Output System) can be used to disable the USB ports on the motherboard. This does not require a hardware change, just a configuration update. Set a BIOS/UEFI supervisor password at the same time, or a user can simply re-enable the ports.

The USB ports themselves cannot be safely removed without damaging the motherboard. An add-on USB hub could be removed, but the question does not say one is installed.

Along with eSATA (external SATA), unused SATA connections on the motherboard should be disabled as well. A drive attached via a SATA cable is still removable media.

Removing the CD drive is a physical change, which the question rules out.

2
Q

A new web server and Structured Query Language (SQL) database deploys. An administrator performs random tests, such as Cross-Site Scripting (XSS) attacks and SQL injection. What is the administrator most likely testing against?

A

Web application firewall

A web application firewall (WAF) is mainly designed to protect software running on web servers and their backend databases from code injection, denial of service (DoS) attacks, and XSS attacks.

A host-based firewall, like Windows Firewall, is installed on a host (e.g., a workstation). It filters network connections by address, port and protocol; it is not what SQL injection or XSS tests are aimed at.

The DMZ (demilitarized zone) is the network segment at the edge that is exposed to the public Internet. A web application firewall may reside there, but the attacks mentioned target the application, not the DMZ.

A content filter is software that filters client requests for various types of Internet content (e.g., web pages). It is not a target of these attacks.

3
Q

IT (Information Technology) management considers raising the standards of network security. They would like to improve security at the end points. Zero day attacks are a concern, therefore, a solution that examines processes is the main focus. The solution should be transparent to the user. Which of the following would an ISSO (Information System Security Officer) suggest to meet management’s vision? (Select two)

A

Intrusion prevention system

On-access virus scanner

4
Q

A workstation is not working properly and the system admin suspects a virus, but the installed antivirus scanner does not work. The admin attempts to boot an antivirus rescue image from a USB drive, but the drive is not recognized. Which of the following troubleshooting activities will help load the special antivirus software?

A

Reconfigure the BIOS settings

The BIOS (Basic Input/Output System) can be used to disable the USB ports on the motherboard. The USB ports must be enabled, and the boot order must allow booting from USB, for the rescue OS on the USB drive to load.

PXE boot is another option for booting workstations from a network operating system image or other environment. However, the system admin wants to load the OS from the USB drive.

The device ID is useful for specifying which USB devices to put on the exceptions list of a DLP (Data Loss Prevention) rule.

An exception rule on a DLP applies to a system that is already imaged and running the DLP agent. It cannot explain why the firmware does not see a boot device before any OS has loaded.

5
Q

A hacker modified a company photo by embedding malicious code in the picture. The hacker emailed the picture to company employees and several employees opened the email. The hacker now has remote access to those employees’ computers. Which of the following can prevent this method of attack?

A

File integrity monitoring

File integrity monitoring is a feature available in most antivirus software and HIPS (Host-based Intrusion Prevention System) products. The HIPS records a baseline hash of each monitored file; any change to a file (here, the altered picture) produces a different hash, which flags the incident and can trigger quarantine of the file.

Steganography is a technique for hiding the presence of a message by embedding it within a file or other carrier. In this case, the hacker embedded malicious code in the picture; steganography is the attacker’s technique, not a defense.

File encryption may protect data from being read by unauthorized parties, but it does nothing to stop a recipient from opening a modified picture.

A protocol analyzer, like Wireshark, is a capture and analysis tool used in penetration testing and troubleshooting; it is not a control that prevents a modified file from being opened.

6
Q

A user reported that the office workstation is running extremely slowly, even after a reboot. These workstations are configured with SSDs (solid state drives) for speed, and the antivirus scanner does not report any issues. Which of the following tools would an admin use, and why? (Select two)

A

Look for unknown processes

Process Explorer

Process Explorer is part of the Windows Sysinternals suite. It shows every running process with its parent, image path, command line and code signer, which makes it possible to filter out the legitimate activity generated by normal operation of the computer.

Unknown processes in the Process Explorer view can help an admin find the root cause of the computer’s poor performance. These unknown processes may have an unrecognized name, no icon, no description, or an unsigned image.

The Autoruns tool, which is part of Windows Sysinternals, can also help with hunting down malware on a computer.

The Autoruns’ ability to identify the startup services and their locations, can lead to finding ways to remove the malware and its rogue services.

7
Q

The CEO (Chief Executive Officer) noticed in a gmail account, a corporate email from the vice president containing PII (Personally Identifiable Information). The CEO immediately called the IT (Information Technology) manager to ask how to prevent this from happening again. What ideas did the IT manager suggest would be the most beneficial?

A

Implement DLP on the email gateway

A DLP (Data Loss Prevention) system can integrate with a mail gateway server to examine the contents of the email or attachments and determine if it can be sent. This will prevent situations, like the one mentioned, from occurring.

A classification marking, like “Confidential” or “Top Secret,” may inform the reader of the type of information in the email, but by itself it will not stop the email from leaving the gateway (although a DLP rule can key on such markings).

Email encryption ensures that only the intended recipient can read the contents, but it does not stop PII (Personally Identifiable Information) from being sent to an external account in the first place.

Updating the computer use policy informs users of the rules, but it relies on employees following them and enforces nothing.

8
Q

An administrator tries to remotely access a virtual Windows 2016 server, but the connection fails. The admin pings the server and there is no packet loss. Regular services, such as file shares, still work for users. Which of the following is most likely causing the connection failures?

A

Windows Firewall

Windows Firewall is a host-based firewall that applies inbound and outbound rules on the system. Its inbound rule for RDP (Remote Desktop Protocol, TCP port 3389) may be disabled, which blocks incoming RDP attempts while the rules for ICMP echo (ping) and file sharing (SMB) still allow those services.

A network intrusion detection system, which sits at the network level, could detect a connection like RDP but does not normally drop connections, even within the internal network.

An antivirus product’s main purpose is to find and remove malicious software. Most basic antivirus software will not block everyday admin tasks such as RDP connections from an admin workstation.

User privileges are evaluated at logon. The problem here is that the RDP connection is never established.

9
Q

Since the company’s recent data leakage incident, management expedited the installation of a DLP (Data Loss Prevention) system. Workstations do not have CD drives. Which of the following is most likely the reason for these extreme and sudden measures?

A

Prohibit the use of personal devices

Removable media, like a USB drive or even a personal phone, might be a vector for malware, either through the files stored in the media or its firmware.

Removable media can also be used to exfiltrate or remove data from the company systems, and to leak data out to the public or other organizations.

Removing CD drives purely for incompatibility reasons would be an expensive hardware-planning mistake; in this case, it was done for security reasons.

Hardware or peripherals that are nearing end-of-life (EOL) support do not need to be removed from use or inventory. EOL simply means the manufacturer will no longer provide technical support and/or a warranty.

10
Q

An HR (Human Resources) representative reported that an email containing personal information about an employee was sent by accident to the representative’s friend’s gmail account. The user asked to retract the email, but the IT (Information Technology) department explained that this could not be done. How can the IT department prevent a mistake like this from happening again?

A

Data Loss Prevention
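The mail-gateway DLP check that both email cards call for, as an added example (not code from the deck or from any DLP product). It assumes a corporate domain of example.com, two constructed detectors (a US SSN pattern and 13 to 16 digit runs that pass the Luhn check), and constructed sample messages; the policy of letting PII travel internally but blocking it to any external recipient is this example’s choice. A real gateway would also scan attachments and carry a much larger pattern library.

```python
"""Mail-gateway DLP decision: block outbound PII to external domains."""
import re

INTERNAL_DOMAINS = {"example.com"}  # assumed corporate domain
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional single separators


def luhn_ok(number):
    """Luhn checksum; filters out most digit runs that are not real card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text):
    """Return (kind, match) for every PII indicator found in the text."""
    hits = [("ssn", m) for m in SSN_RE.findall(text)]
    hits += [("card", m) for m in CARD_RE.findall(text) if luhn_ok(m)]
    return hits


def external_recipients(recipients):
    """Recipients whose mail domain is not one of ours."""
    return [r for r in recipients if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def gateway_decision(message):
    """Policy used by this example: PII may travel internally, but is blocked to
    any external recipient. Returns (action, details)."""
    pii = find_pii(message["subject"] + "\n" + message["body"])
    outside = external_recipients(message["to"])
    if pii and outside:
        return "block", {"external": outside, "pii": [f"{k}:{v}" for k, v in pii]}
    return "allow", {}


# Constructed sample traffic through the gateway.
SAMPLE_MESSAGES = [
    {"from": "vp@example.com", "to": ["ceo.personal@gmail.com"],
     "subject": "Onboarding paperwork",
     "body": "New hire SSN is 123-45-6789, please keep on file."},
    {"from": "hr@example.com", "to": ["payroll@example.com"],
     "subject": "Payroll correction",
     "body": "Employee 123-45-6789 should be paid on Friday."},
    {"from": "hr@example.com", "to": ["friend@gmail.com"],
     "subject": "Expense card",
     "body": "Corporate card 4111 1111 1111 1111 was used for the booking."},
    {"from": "sales@example.com", "to": ["customer@partner.example.org"],
     "subject": "Quote", "body": "Order #2024-1234567 ships Monday, PO 55512-00."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["to"], gateway_decision(msg))
```

The fourth message shows why the Luhn step matters: order and PO numbers are digit runs too, and a gateway that blocks on bare digit patterns generates the false positives that get DLP switched off.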

11
Q

A hacker infiltrated a commercial stock image company and found a file share full of free images that users could download via a web server. The hacker replaced each image with malicious code, hoping the free images will get downloaded onto unsuspecting users’ computers. Which of the following can prevent this attack method?

A

File integrity monitoring

12
Q

Management received a report from the ISSO (Information System Security Officer) about malicious network traffic going in and out of specific ports on the file server. Findings showed encrypted packets using SSL (Secure Sockets Layer). Management asked about the IP addresses of the destinations and sources. Which of the following tools or applications would easily provide the information requested by management?

A

Protocol analyzer

Because the findings describe encrypted packets, the admin was evidently already using a protocol analyzer. A tool like Wireshark can save a capture to a file for later review. Even when the payload is encrypted, the IP headers are not, so source and destination addresses can be read directly from the capture.

Windows event logs show Windows-specific errors and logon events. They do not record the network traffic going in and out, nor its source and destination IP addresses.

A firewall log will show information about an enforced rule, for example, to deny RDP (Remote Desktop Protocol) sessions. However, a protocol analyzer is more detailed with connection information.

A vulnerability scan identifies vulnerabilities. It cannot identify malicious network activity or where it goes.

13
Q

A new systems administrator works on a new image for a workstation. When working in the lab, the workstation cannot boot from a USB (Universal Serial Bus) drive, which prevents an OS from booting. There is no OS on the system and the computer cannot connect to the network. Other system admins are not available. Which of the following troubleshooting activities will help the system admin the most?

A

Reconfigure the BIOS settings

14
Q

Several web servers deploy at the company’s DMZ (demilitarized zone). Customers can access their accounts, and other product and service information from these web servers. A system administrator suggests deploying a web application firewall in front of these web servers. What may be the reasons for this? (Select two)

A

Prevent SQL injections

Prevent DoS attacks

15
Q

Symantec Endpoint Protection (SEP) is a popular software tool in both private industry and government. It provides not only malware protection, but also intrusion prevention. Which of the following features make SEP so versatile? (Select more than one)

A

Virus and spyware protection

Network and host exploit mitigation

Proactive threat protection

16
Q

A company set up controls to allow only a specific set of software and tools to be installed on workstations. A user navigates to a software library to make a selection. What is the method that prevents installation of software that is not part of the library known as?

A

Whitelisting

Execution control to prevent the use of unauthorized software can be implemented as a whitelist (allow list). Under this control, nothing can run unless it is on the approved list.

A blacklist (deny list) is another method of blocking applications. Under this control, anything not on the prohibited list can run.

Application hardening is the process of securing an application with settings like changing the default port of a service or removing default administrative accounts.

Anti-malware or antivirus software focuses on preventing installation of an application if it is found to contain malicious code; it does not enforce a list of approved software.

18
Q

When enabling a feature for data execution prevention, which of the following attacks would it protect a Windows operating system from?

A

Buffer overflow

A buffer overflow occurs when a program writes more data into a buffer than it can hold, overwriting adjacent memory; the attacker uses this to place code in a region meant for data and redirect execution to it. Data Execution Prevention, built on AMD’s No Execute (NX) and Intel’s Execute Disable (XD) bits, marks memory pages used for data as non-executable, so code placed there cannot run.

A SQL injection attack inserts SQL syntax through user input. It targets the database query, not memory execution.

XML injection is similar to SQL injection, but targets applications that parse XML input.

Cross-Site Scripting (XSS) is a web application vulnerability. The attacker gets a script into a page that other users view, and the script runs in those users’ browsers.

19
Q

An increase in malware detection, due to certain web browsing activity in the workplace, caused the information systems security office (ISSO) to deploy a unified threat manager on the network. How would this network appliance help reduce malware on client workstations? (Select more than one)

A

Block malware

Block URLs

Scan web traffic

The UTM (Unified Threat Management) is an all-in-one security appliance. Its ability to block specific URLs or websites comes from its content-filtering feature; even sites not on an explicit list can be blocked by category (for example, sites categorized as hosting inappropriate images).

Many UTM appliances include a malware scanner that inspects web traffic and uses signature matching or heuristic behaviour analysis to determine whether a connection or download is malicious.

A UTM also acts like an intrusion prevention system (IPS) that can block network connections or prevent a file from being downloaded.

Encrypting traffic would mean setting up a virtual private network (VPN) or communicating through a browser using SSL or TLS, which does nothing to reduce malware and is not applicable here.

20
Q

A Windows 2012 server receives the latest operating system (OS) patches and updates, but its Microsoft Office applications are outdated. The server is not part of the domain and has Internet access. What can the system admin do to ensure this server receives Microsoft Office patches and updates from a central repository?

A

Configure the WSUS server

A WSUS (Windows Server Update Services) server is a central repository for updates to the OS and to applications like Microsoft Office, provided the Office product category is enabled in WSUS. Once downloaded locally, WSUS distributes the updates to the client computers.

The Windows Update service is running, since OS-level patches have been received and installed. A standalone server in a workgroup defaults to pulling OS updates directly from the Internet.

The firewall does not need to be configured, since the Windows Update service and network connections are working. The server needs to be pointed at the WSUS server, either by joining the domain (so Group Policy applies) or by setting the WSUS server address in local policy or the registry.

The OS does not need further upgrading. Microsoft Office is the focus and can be handled independently.

21
Q

A systems administrator copies a large .iso file to a remote server over a high-latency network. The copy took about 12 hours to complete. There is a possibility that file tampering occurred during transit. How may the administrator verify the file is safe to use and deploy?

A

Capture a hash

Capturing a hash of the file before sending it, capturing it again on the remote server, and comparing the two proves file integrity. Common algorithms are MD5 and SHA-256; prefer SHA-256, since MD5 collisions are practical and MD5 should only be relied on to detect accidental corruption, not deliberate tampering. The reference hash must come from a trusted source (the sender), not over the same channel as the file.

An antivirus scan checks the file for malware, in case it was tampered with in transit, but a scan should already have been performed before the copy. A hash comparison determines whether the file arrived complete and unmodified, and is therefore ready to deploy.

A tracert command can reveal the path the copy took. However, most system administrators cannot tell which routers in the path are legitimate, and the path says nothing about whether the bytes changed.

A VPN encrypts traffic over the public Internet, but it does not by itself verify the integrity of a file after it has been copied.

22
Q

Along with running the latest operating system, security patches, and updates, which of the following tools or applications should any Windows 10 client build include to defend against security threats?

A

Antivirus

Antivirus software is the most common tool that should be on any standalone or domain-joined client workstation. Its purpose is to detect and remove virus infections and, in most cases, other types of malware, such as worms, Trojans, adware, etc.

BitLocker is Microsoft’s full-drive encryption technology and has been part of Windows since Windows Vista (Enterprise and Ultimate editions). It protects data at rest, not against running threats.

Windows Update is an included feature on all Windows operating systems. It does not actively seek threats, but it updates the OS and other Microsoft applications to close vulnerabilities.

A hardware security module, or the Trusted Platform Module (TPM) built into most modern machines, stores keys for encryption solutions such as BitLocker.

23
Q

The security administrator drafted a report on some malicious activity. Initial peer review suggests providing proof of findings. Any information gathering must be non-intrusive and does not prevent normal operations of business. Which of the following activities will be the most beneficial?

A

Use a protocol analyzer to log traffic

A protocol analyzer, like Wireshark, can capture traffic passively from a mirror (SPAN) port or a tap, so it does not interfere with normal operations. The capture provides detailed connection information, including plaintext data where the protocol is unencrypted, to prove that an activity is malicious.

Windows application logs record errors and crashes. An error entry does not by itself show that malicious activity is taking place.

A firewall log will show information about an enforced rule, for example, to deny RDP (Remote Desktop Protocol) sessions. However, a protocol analyzer is more detailed with connection information.

A vulnerability scan that has identified vulnerabilities does not show that any of them has been exploited. Proof of actual malicious activity is required, and a scan is active rather than non-intrusive.
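What a protocol analyzer gives management in the two cards above, as an added example (not code from the deck or from Wireshark): it parses the classic libpcap file format by hand, so it runs without scapy or tshark, and assumes Ethernet/IPv4/TCP framing. The capture is constructed inline. The bytes after the TCP header are opaque TLS, but the IP and TCP headers are cleartext, which is why an analyzer can still say who talked to whom even when the traffic is encrypted.

```python
"""Pull source/destination IPs for port-443 traffic out of a pcap byte string."""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4  # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left at zero (not checked here)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap raw frames in a pcap file: 24-byte global header plus a 16-byte record header each."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp(data):
    """Yield (src_ip, dst_ip, sport, dport) for each IPv4/TCP packet in a pcap byte string."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4  # IP header length in bytes
        if frame[23] != 6:
            continue  # not TCP
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:14 + ihl + 4]
        if len(tcp) < 4:
            continue
        sport, dport = struct.unpack("!HH", tcp)
        yield src, dst, sport, dport


def tls_talkers(data):
    """Count (src, dst) pairs for packets to or from port 443: the list management asked for."""
    counts = Counter()
    for src, dst, sport, dport in iter_tcp(data):
        if 443 in (sport, dport):
            counts[(src, dst)] += 1
    return counts


# Constructed capture: two TLS sessions involving the file server 10.0.0.25, plus one SMB packet.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.25", "203.0.113.7", 51000, 443, b"\x16\x03\x01\x00\x05hello"),
    build_frame("203.0.113.7", "10.0.0.25", 443, 51000, b"\x16\x03\x03\x00\x05world"),
    build_frame("10.0.0.25", "198.51.100.9", 51001, 443, b"\x17\x03\x03\x00\x03abc"),
    build_frame("10.0.0.30", "10.0.0.25", 49152, 445, b"\xfeSMB"),
])

if __name__ == "__main__":
    for (src, dst), n in sorted(tls_talkers(SAMPLE_PCAP).items()):
        print(f"{src:>14} -> {dst:<14} {n} packet(s)")
```

Run against a real capture, read the file bytes and pass them to tls_talkers; the same header offsets hold for any Ethernet/IPv4 capture, and the SMB packet shows that filtering on port is what separates the suspicious flows from ordinary file-server traffic.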

24
Q

Symantec Endpoint Protection (SEP) reported a threat with a pop-up notification on the Windows desktop. The threat (which is an executable) is a known trojan based on a signature database. In this incident, what did SEP do with the file? (Select more than one).

A

Cleaned

Logged

When Symantec Endpoint Protection (SEP) detects a known virus or piece of malware such as a Trojan by signature, it performs a “Cleaned by deletion” action.

SEP also keeps a log of every incident and the action taken. A security administrator can use these logs for deeper analysis.

A file is quarantined when it behaves like known malware but the product is not certain what to do with it; the file is isolated and the user or administrator is asked what action to take. The usual answer is to delete it.

SEP does not move a detected file to another location on the network, since that would risk losing track of it and infecting other systems.

25
Q

A server has software that notifies the administrator when specific system files get modified. This notification informed the admin that modification occurred since the system last shut down. What type of software does this describe?

A

HIDS

HIDS (Host Intrusion Detection System) is a type of IDS that monitors a computer system for unexpected behavior or drastic changes to the system’s state, such as modified system files, and alerts on them. The key distinction is that a HIDS monitors and notifies; it does not block.

NIDS (Network Intrusion Detection System) is a system that uses passive hardware sensors to monitor traffic on a specific segment of the network. If there are any warnings, a log is generated, and a notification is sent out.

SFC (System File Checker) is a Windows tool used to manually verify operating system (OS) files. It is run on demand and does not notify an administrator of changes.

HIPS (Host Intrusion Prevention System) is like HIDS, but with active response. It can prevent events, such as system files being modified or deleted or prevent services from being stopped.
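The file integrity check behind three of the cards above (the altered company photo, the .iso copied over a slow link, and the HIDS that reports modified system files), as an added example that is not code from the deck or from any antivirus or HIDS product: hash a tree into a baseline, then compare a later baseline against it. Files are hashed in chunks so a multi-gigabyte .iso never has to fit in memory, and verify_transfer is the single-file case. The sample tree is constructed in a temporary directory.

```python
"""File integrity monitoring: baseline a directory tree, then report what changed."""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 one chunk at a time."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map every file under root (path relative to root, '/'-separated) to its digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def compare(old, new):
    """Added, removed and modified paths between two baselines (what a HIDS reports)."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def verify_transfer(expected_digest, path):
    """Single-file case: does the copy on disk match the hash taken before sending?"""
    return hmac.compare_digest(expected_digest, sha256_file(path))


def write(root, rel, content):
    """Helper for the constructed scenario: create a file under root."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(content)


def demo():
    """Constructed scenario: baseline, then tamper with one file, drop one and add one."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "images/team.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
        write(root, "bin/service.exe", b"MZ" + b"\x90" * 256)
        write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        before = baseline(root)

        with open(os.path.join(root, "images", "team.png"), "ab") as f:
            f.write(b"\x01")  # one byte appended: the digest changes completely
        os.remove(os.path.join(root, "etc", "hosts"))
        write(root, "bin/dropper.exe", b"MZ" + b"\xcc" * 16)

        report = compare(before, baseline(root))
        intact = verify_transfer(before["bin/service.exe"], os.path.join(root, "bin", "service.exe"))
        tampered = verify_transfer(before["images/team.png"], os.path.join(root, "images", "team.png"))
        return report, intact, tampered


if __name__ == "__main__":
    print(demo())
```

The baseline itself has to be stored where the thing being monitored cannot rewrite it (a read-only location or a separate host); a baseline that an attacker can regenerate after tampering detects nothing.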

27
Q

A user reported that the office workstation is performing very poorly; for example, opening a Word document takes three minutes. An admin found a service running on the workstation that uses a large amount of processing power, but was unable to find any documentation about the unknown service. Which of the following tools should the admin use to help resolve the issue, and why? (Select two)

A

Identify service location

Autoruns

The Autoruns tool, which is part of Windows Sysinternals, can help with hunting down malware on a computer.

The Autoruns’ ability to identify the startup services and their locations, can lead to researching ways to remove the malware and its rogue services.

Process Explorer is part of Windows Sysinternals suite of tools. It can filter out the legitimate activity generated by normal operation of the computer, which is what the admin used to find the rogue service.

Unknown processes are easily seen in the Process Explorer view. These unknown processes may have an unrecognized name or no icon.

28
Q

Software on a server blocked a connection when an unauthorized and unknown host attempted to connect with Telnet on port 23, an unsecure network protocol. What category does this software on the server belong to?

A

HIPS

HIPS (Host Intrusion Prevention System) is software located on the host system and has an active response to threats. It can prevent events, such as system files being modified or block unauthorized remote network connections.

NIPS (Network Intrusion Prevention System) is an appliance placed on the network to provide an active response to any network threats that matches its policies or signatures.

HIDS (Host Intrusion Detection System) is a type of IDS that monitors a computer system for unexpected behavior or drastic changes to the system’s state. Key difference is to monitor.

Antivirus is mainly used for detecting malicious software or code on the system. However, many antivirus products include some IDS or IPS functionality.

29
Q

After an in-depth security analysis of recent detections of malware, the security admin found the root cause to be website blogs and online podcasts, which contained several pop-up ads. The information systems security officer (ISSO) wants to deploy a solution that blocks these websites, scans users’ web browsing traffic for malware, and blocks it from entering the Intranet. Which of the following will fulfil the security requirements?

A

UTM

The UTM (Unified Threat Management) is an all-in-one security appliance that combines the functions of a firewall, malware scanner, intrusion detection and prevention, content filtering, Data Loss Prevention, and more.

An IDS (Intrusion Detection System) by itself, out of the box, will notice a user visiting a bad website and raise a passive, non-intrusive notification, but takes no active action.

A firewall is software or a hardware device that protects a system or network by blocking unwanted network traffic based on addresses, ports and protocols. A traditional firewall is not designed to scan for malware.

A DLP (Data Loss Prevention) system may prevent the removing or sending of protected information, but it cannot scan for malware.

30
Q

At the Windows desktop screen, a user reports a small pop-up window that shows information about a blocked IP (Internet protocol) address before disappearing. The user fears that Internet access dropped. Describe the type of pop-up window the user reported.

A

A host-based firewall notification

A host-based firewall, with rules that block specific IP subnet ranges or specific port or protocol connections, may be configured by default to notify the user when a deny rule has been enforced. Only the blocked connection is affected; Internet access as a whole has not dropped.

Windows Update is a common taskbar notification telling the user what was installed and whether a restart is required. The Windows Update service does not block IP connections.

A USB connection shows as a taskbar icon to notify the user of an active device. Policies that block USB may not notify the user, and they do not block IP addresses.

A disconnected Wi-Fi connection usually shows a red cross over the icon, not an IP address.

31
Q

After a six-month inquiry, a company closed the investigation of a data leakage incident. The new management team issued an updated computer use policy to include the prohibited use of removable media. Workstations no longer have CD drives. What may be the reasons for this? (Select two)

A

Vector for malware

Exfiltrating data

Removable media, such as a USB drive or even a personal phone, might be a vector for malware, either through the files stored in the media, or its firmware.

Removable media can also be used to exfiltrate or remove data from the company systems, and to leak data out to the public or other organizations.

Device incompatibility can be a valid reason to include in an updated computer use policy, but given the circumstances of the investigation, it is highly unlikely here.

End-of-life support information does not belong in a computer use policy. Information like that is for administrators to plan hardware or software refreshes.

32
Q

A small company has set up the domain environment to prevent the installation of a list of prohibited software. Employees received the same list by email. What is the method that prevents installation of specific software on workstations known as?

A

Blacklisting

Execution control to prevent the use of unauthorized software can be implemented as a blacklist (deny list). Under this control, anything not on the prohibited list can run, so it only stops software that is already known to be unwanted.

Whitelisting (allow list) is another method of blocking unauthorized software. Under this control, nothing can run unless it is on the approved list.

Application hardening is the process of securing an application with settings like changing the default port of a service or removing default administrative accounts.

Anti-malware or antivirus software focuses on preventing installation of an application if it is found to contain malicious code; it does not enforce a list of prohibited or approved software.
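The two execution-control models from the whitelisting and blacklisting cards above, side by side, as an added example (not code from the deck or from AppLocker, Software Restriction Policies or any other product). The sample “executables” are constructed byte strings standing in for real files, and both lists are assumptions for the demonstration. The point it makes is the one the cards only state: a name-based denylist stops what you already know about and nothing else, while a hash-based allowlist also stops the unknown binary and survives a rename.

```python
"""Execution control: denylist of known-bad names beside an allowlist of approved hashes."""
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed sample files: path -> file content.
SAMPLE_FILES = {
    "C:/Program Files/Office/WINWORD.EXE": b"MZ approved word processor",
    "C:/Users/alice/Downloads/cracked_game.exe": b"MZ known bad trojan",
    "C:/Users/alice/AppData/Local/Temp/helper.exe": b"MZ never seen before",
}

# Blacklist: the names on the list that was emailed to employees.
DENYLIST_NAMES = {"cracked_game.exe"}
# Whitelist: hashes of everything in the approved software library.
ALLOWLIST_HASHES = {sha256(b"MZ approved word processor")}


def denylist_decision(path, content):
    """Blacklist semantics: anything not explicitly prohibited may run."""
    name = path.rsplit("/", 1)[-1].lower()
    return "block" if name in DENYLIST_NAMES else "allow"


def allowlist_decision(path, content):
    """Whitelist semantics: default deny, only approved hashes run."""
    return "allow" if sha256(content) in ALLOWLIST_HASHES else "block"


def evaluate(policy, files=SAMPLE_FILES):
    """Apply one policy to every sample file: path -> decision."""
    return {path: policy(path, content) for path, content in files.items()}


def rename_evasion(policy):
    """Attacker renames the known trojan; the content (and therefore the hash) is unchanged."""
    renamed_path = "C:/Users/alice/Downloads/setup.exe"
    renamed = {renamed_path: SAMPLE_FILES["C:/Users/alice/Downloads/cracked_game.exe"]}
    return evaluate(policy, renamed)[renamed_path]


if __name__ == "__main__":
    for name, policy in (("denylist", denylist_decision), ("allowlist", allowlist_decision)):
        print(name, evaluate(policy), "renamed trojan:", rename_evasion(policy))
```

The cost of the allowlist model is visible in ALLOWLIST_HASHES: every legitimate update changes a hash, so the library has to be maintained (or rules written on publisher signature rather than hash), which is why small shops often settle for the weaker denylist.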

33
Q

A Dell server is running a VMware ESXi hypervisor and is affected by the Intel Foreshadow (L1 Terminal Fault) vulnerability, which allows an attacker to read data cached in the L1 data cache of a core shared with another virtual machine. The server provides a lot of processing power for the virtual machines. What actions should the admin take to patch this server and mitigate the vulnerability? (Select two)

A

Update the server firmware

Upgrade hypervisor

Like any major vulnerability, the application and operating system vendors release new versions to address it. VMware released ESXi builds that mitigate Foreshadow by flushing the L1 data cache when entering a VM and by offering a side-channel-aware scheduler that does not run different VMs on sibling hyperthreads of the same core at the same time.

The vulnerability is in the CPU itself, so the fix also requires updated microcode, which is delivered through a firmware (BIOS/UEFI) update for the server’s motherboard.

Disabling hyperthreading in the BIOS also closes the cross-thread channel, but VMware does not recommend it because of the performance cost; the updated hypervisor’s scheduler addresses the issue instead.

A VIB (vSphere Installation Bundle) is a zip-packaged software bundle that provides additional features or integration with other devices, like NetApp storage.

34
Q

A systems administrator prepares to secure applications on several virtual machines against external attacks. An automated process is in place to update the operating system of these servers, as soon as an update or security patch is available. Which of the following activities is the most effective way to mitigate the risks of these attacks?

A

Setup application patch management

Application patch management is a process to update applications, not just the operating system. For example, to update Microsoft Office, the Windows Update client can be pointed at a WSUS (Windows Server Update Services) server to download the applicable patches.

Application hardening is the process of securing an application at its current version; an example is running it under a dedicated, low-privilege service account. Hardening does not protect against newly discovered vulnerabilities in the application’s code.

A host-based firewall can block unnecessary external communications. However, even legitimate connections to the application can be exploited unless the vulnerability is remediated with a patch.

An OS upgrade is not necessary in most cases, unless a newer and more secure version of an application is dependent on a higher OS build.

35
Q

A user reported the system being taken over for a few minutes (remotely) before deciding to power off the workstation. After reviewing the NIDS (Network Intrusion Detection System) during the time of the incident, there was no indication of unauthorized remote connections. What would be the benefits of installing a HIPS (Host Intrusion Prevention System) at the end points? (Select two)

A

Protection from zero day attacks

Prevent malicious traffic between VMs

Virtual machines (VMs) on a virtual stack communicate with each other directly through a virtual switch, where no physical NIDS or NIPS is present. In this case, a HIPS (Host Intrusion Prevention System) will prevent malicious traffic between the VMs.

A HIPS is equipped with heuristic monitoring techniques to protect against zero-day attacks. For example, it can establish a baseline state of the system and take immediate action when an unknown service acts maliciously.

An update service, like Windows Update, would perform the task of automatically updating the host with the latest patches.

Smart card login is a feature of the operating system that can be enabled and enforced. It is not a feature of a HIPS.

36
Q

A server has software that notifies the administrator when specific system files get modified. This notification informed the admin that a modification had occurred since the system was last shut down. What type of software does this describe?

A

HIDS

37
Q

A workstation has a DLP (Data Loss Prevention) solution installed, and USB (Universal Serial Bus) drives are prohibited from use and from physical connection. How would a system admin set up the workstation to allow specific devices?

A

Use the device instance ID

Information such as a vendor ID, product ID, or device instance ID can be added to the "excluded drives" definition. Doing so will block all drives except those with the specified USB IDs.

Removing the rule that blocks USB drives will allow the use of USB drives. The goal is to allow specific USB drives access, not to allow all USB drives.

An operating system (OS) update is not required, since the software and workstations are currently working properly. Only application-level configuration is required.

A firewall relates to rules and policies for inbound and outbound network traffic, not USB drive connections.

38
Q

A Cisco server is running an ESXi (Elastic Sky X Integrated) hypervisor and is affected by Intel's Foreshadow vulnerability, which takes advantage of hyperthreading so that an attacker may read data from another virtual machine. This affects multiple servers of the same model. Which of the following actions will NOT mitigate the vulnerability? (Select two)

A

Disable Hyperthreading

Install a VIB

Disabling hyperthreading from within the BIOS is not recommended by VMware, due to performance degradation. However, it is addressed in the latest hypervisor build.

A VIB (vSphere Installation Bundle) is a zip file that provides additional features or integration capabilities with other devices, like NetApp storage. These are not hardware or security patches.

As with any major vulnerability, application and operating system vendors provide a new release to address it. VMware has a newer hypervisor version that mitigates the vulnerability by carefully sharing the processors that are enabled through the hypervisor.

The vulnerability affects a CPU (Central Processing Unit) chip and a firmware update of the server’s motherboard will help mitigate the threat.

39
Q

Repeated attempts to access a remote server at a branch office from an unknown IP (Internet Protocol) address have occurred. Logs from a network appliance show the same unknown traffic going to other areas of the internal network. Which of the following best provide active and passive protection at the server level? (Select two)

A

HIPS (Host Intrusion Prevention System) is software located on the host system and has an active response to threats. In the example of an unknown IP range trying to gain access to a server, the HIPS at the server level will block the connection.

HIDS (Host Intrusion Detection System) is also software located on the host system. It can log and notify admins or users about intrusion attempts without an active response, like denying or blocking.

NIDS (Network Intrusion Detection System) is an appliance at the network level. In this case, the logs that revealed the traffic came from a NIDS. This device is generally non-intrusive.

NIPS (Network Intrusion Prevention System) is like a NIDS, but uses active (intrusive) means to protect the network.

40
Q

A user reported that the office workstation is running extremely slowly. Even after a reboot, the workstation still runs slowly. These workstations are configured with SSDs (solid-state drives) for speed. Also, the antivirus scanner does not report any issues. Which of the following tools would an admin use, and why? (Select two)

A

Process Explorer

Look for unknown processes

Process Explorer is part of the Windows Sysinternals suite of tools. It can filter out the legitimate activity generated by normal operation of the computer.

Unknown processes in the Process Explorer view can help an admin understand the root cause of the computer’s poor performance. These unknown processes may have an unrecognized name or no icon.

The Autoruns tool, which is part of Windows Sysinternals, can also help with hunting down malware on a computer.

Autoruns' ability to identify the startup services and their locations can lead to finding ways to remove the malware and its rogue services.

41
Q

A Dell server is running an ESXi (Elastic Sky X Integrated) hypervisor and is affected by Intel's Foreshadow vulnerability, which allows an attacker to read cached data on a core shared with another virtual machine. The server provides a lot of processing power for the virtual machines. What actions should the admin take to patch this server and mitigate the vulnerability? (Select two)

A

Update the server firmware

Upgrade hypervisor

As with any major vulnerability, application and operating system vendors provide a new release to address it. VMware has a newer hypervisor version that mitigates the vulnerability by carefully sharing the processors that are enabled through the hypervisor.

The vulnerability affects a CPU (Central Processing Unit) chip and therefore, requires a firmware update of the server’s motherboard.

Disabling hyperthreading from within the BIOS is not recommended by VMware, due to performance degradation. However, it is addressed in the latest hypervisor build.

A VIB (vSphere Installation Bundle) is a zip file that provides additional features or integration capabilities with other devices, like NetApp storage.