401-450 Flashcards
A security analyst is reviewing logs on a server and observes the following output:
01/01/2020 03:33:23 admin attempted login with password sneak
01/01/2020 03:33:23 admin attempted login with password sneaked
01/01/2020 03:33:23 admin attempted login with password sneaker
01/01/2020 03:33:23 admin attempted login with password sneer
01/01/2020 03:33:23 admin attempted login with password sneeze
01/01/2020 03:33:23 admin attempted login with password sneezy
Which of the following is the security analyst observing?
a. A rainbow table attack
b. A password-spraying attack
c. A dictionary attack
d. A keylogger attack
c. A dictionary attack.
Here’s why:
Dictionary Attack: In a dictionary attack, the attacker uses a list of commonly used passwords or words from a dictionary to attempt to gain unauthorized access to a system. The log entries show multiple login attempts against the same account with the words "sneak", "sneaked", "sneaker", "sneer", "sneeze" and "sneezy", which are consecutive dictionary entries beginning with "sne", indicating that the attacker is systematically working through a word list.
Rainbow Table Attack: A rainbow table attack involves precomputed hashes of commonly used passwords to quickly crack hashed passwords. It is not evident in the log entries provided, as the attempts are plaintext guesses against a login form rather than work on captured hashes.
Password-Spraying Attack: Password-spraying involves attempting a few commonly used passwords against many accounts. It typically targets multiple usernames with a few common passwords rather than trying many passwords against a single account.
Keylogger Attack: A keylogger attack involves malware or hardware that captures keystrokes entered by users, including passwords. There is no indication of keylogging in the log entries provided.
Therefore, based on the pattern of login attempts with variations of the password “sneak”, the activity described aligns with a dictionary attack where the attacker is systematically trying different variations of a word in an attempt to guess the correct password and gain unauthorized access.
A company is launching a website in a different country in order to capture user information that a marketing business can use. The company itself will not be using the information. Which of the following roles is the company assuming?
a. Data owner
b. Data processor
c. Data steward
d. Data collector
d. Data collector.
Here’s why:
Data Collector: A data collector is an entity that collects personal data directly from individuals or through other sources. In this case, the company is launching a website in a different country to capture user information. Although the company itself will not be using the information, it is gathering (collecting) this data on behalf of a marketing business. The primary function here is to gather the data from users.
Data Owner: The data owner is typically the individual or organization that has ultimate control over the data, including its use and disclosure. In this scenario, it's not explicitly stated that the company retains ownership or control over the data after collection.
Data Processor: A data processor processes personal data on behalf of the data controller (owner) based on their instructions. Since the company is not processing the data for its own purposes but rather collecting it for another entity (the marketing business), it does not fit the definition of a data processor.
Data Steward: A data steward is responsible for managing and maintaining the quality, security, and use of data within an organization. This role focuses more on governance and ensuring that data is handled correctly within the organization, which differs from the primary function of collecting data from external sources.
Therefore, based on the description provided, the company assuming the role of gathering user information for a marketing business is acting as a data collector.
An organization would like to remediate the risk associated with its cloud service provider not meeting its advertised 99.999% availability metrics. Which of the following should the organization consult for the exact requirements for the cloud provider?
a. SLA
b. BPA
c. NDA
d. MOU
a. SLA (Service Level Agreement)
Here’s why:
SLA (Service Level Agreement): An SLA is a contract between a service provider (in this case, the cloud service provider) and the customer (the organization). It specifies the level of service that the provider agrees to offer, including metrics such as availability, performance, uptime guarantees, and response times. The SLA outlines what happens if the provider fails to meet these metrics, typically including remedies such as service credits or penalties.
BPA (Business Partnership Agreement): A BPA typically outlines the broader terms and conditions of a business relationship but does not usually specify detailed service-level metrics like availability.
NDA (Non-Disclosure Agreement): An NDA is a legal contract that protects confidential information shared between parties and is not related to service-level requirements.
MOU (Memorandum of Understanding): An MOU is a formal agreement between parties outlining their mutual intentions and expectations, but it does not typically include specific service-level metrics or remedies for non-compliance.
Therefore, to understand the exact requirements for the cloud provider’s advertised availability metrics and to remediate the risk associated with non-compliance, the organization should refer to the SLA (Service Level Agreement). This document will provide clarity on the agreed-upon service levels and the recourse available if those levels are not met.
Which of the following secure application development concepts aims to block verbose error messages from being shown in a user’s interface?
a. OWASP
b. Obfuscation/camouflage
c. Test environment
d. Prevention of information exposure
d. Prevention of information exposure.
Here’s why:
Prevention of Information Exposure: This concept involves ensuring that sensitive information, such as verbose error messages that could potentially provide attackers with useful information about the application or its environment, is not exposed to users or unauthorized parties. By minimizing or controlling the amount of information exposed through error messages, developers can reduce the risk of attackers exploiting such information to launch targeted attacks.
Let’s briefly cover the other options to clarify:
OWASP: OWASP (Open Web Application Security Project) is a nonprofit organization focused on improving software security. While OWASP provides guidelines and resources for secure application development, it is not specifically focused on blocking verbose error messages.
Obfuscation/Camouflage: Obfuscation and camouflage techniques are used to make code or data difficult to understand or analyze, which can help in protecting against reverse engineering or unauthorized access to sensitive information. However, they do not directly address the issue of verbose error messages in user interfaces.
Test Environment: A test environment is where developers test their applications before deployment to ensure functionality and security. It is not directly related to blocking verbose error messages in a user interface.
Therefore, d. Prevention of information exposure is the concept that specifically addresses the secure development practice of ensuring that detailed error messages and other sensitive information are not exposed to users or attackers, thus minimizing security risks.
If a current private key is compromised, which of the following would ensure it cannot be used to decrypt all historical data?
a. Perfect forward secrecy
b. Elliptic-curve cryptography
c. Key stretching
d. Homomorphic encryption
a. Perfect forward secrecy.
Here’s why:
Perfect Forward Secrecy (PFS): PFS is a property of key-agreement protocols that ensures that session keys established under a long-term key (such as a private key) are not compromised even if the long-term key is compromised at a later time. In other words, if a current private key is compromised and PFS is implemented, the compromise does not affect the confidentiality of past communications. Each session key is unique and is not derived from the long-term private key, so compromising the long-term key does not compromise past session keys.
Elliptic-curve Cryptography (ECC): ECC is a family of public-key algorithms built on elliptic curves. While it offers advantages such as smaller key sizes for equivalent security levels compared to RSA, it does not inherently prevent decryption of historical data if the private key is compromised.
Key Stretching: Key stretching techniques (like PBKDF2, bcrypt, or scrypt) are used to make keys derived from passwords more resistant to brute-force attacks. They do not directly address the issue of protecting historical data if a private key is compromised.
Homomorphic Encryption: Homomorphic encryption allows computations to be performed on encrypted data without decrypting it. It does not directly address the issue of preventing decryption of historical data if a private key is compromised.
Therefore, a. Perfect forward secrecy is the concept that ensures a compromised current private key cannot be used to decrypt all historical data, making it a crucial feature in secure communications protocols, particularly in scenarios where long-term keys might be compromised.
An organization has expanded its operations by opening a remote office. The new office is fully furnished with office resources to support up to 50 employees working on any given day. Which of the following VPN solutions would BEST support the new office?
a. Always-on
b. Remote access
c. Site-to-site
d. Full tunnel
c. Site-to-site VPN.
Here’s why:
Site-to-site VPN: This type of VPN establishes a secure connection between two or more physical locations (in this case, between the main office and the remote office). It allows all network traffic between the two sites to be encrypted and transmitted securely over the internet. Site-to-site VPNs are ideal for connecting entire networks, such as connecting the main office network to the network at the remote office with up to 50 employees.
Always-on VPN: An always-on VPN is a type of VPN configuration where the VPN connection is automatically established whenever a device connects to the internet. It is suitable for individual devices rather than connecting entire office networks.
Remote access VPN: A remote access VPN allows individual users to connect securely to a corporate network from remote locations. It is more suitable for mobile employees or individuals working from home rather than connecting an entire office.
Full tunnel VPN: A full tunnel VPN directs all traffic from a client device through the VPN tunnel to the corporate network, regardless of whether the traffic is destined for resources on the corporate network or the internet. It is a configuration option rather than a type of VPN solution like site-to-site or remote access VPN.
Therefore, c. Site-to-site VPN is the best choice for connecting the new remote office with up to 50 employees to the main office network securely and efficiently. It provides a seamless and secure connection between the two office locations, enabling access to shared resources and applications as if they were locally connected.
Which of the following scenarios BEST describes a risk reduction technique?
a. A security control objective cannot be met through a technical change, so the company purchases insurance and is no longer concerned about losses from data breaches.
b. A security control objective cannot be met through a technical change, so the company implements a policy to train users on a more secure method of operation.
c. A security control objective cannot be met through a technical change, so the company performs regular audits to determine if violations have occurred.
d. A security control objective cannot be met through a technical change, so the Chief Information Officer decides to sign off on the risk.
b. A security control objective cannot be met through a technical change, so the company implements a policy to train users on a more secure method of operation.
Here’s why:
Training Users on Secure Methods: This approach addresses the inability to meet a security control objective through technical means by focusing on human behavior and awareness. By educating users on more secure methods of operation, such as proper handling of data, recognizing phishing attempts, or following secure procedures, the organization reduces the likelihood of security incidents caused by human error or ignorance.
Let’s briefly cover the other options to clarify:
Purchasing Insurance: While purchasing insurance can mitigate financial losses from data breaches, it does not directly reduce the risk associated with the security control objective itself. It is more of a risk transfer mechanism rather than a risk reduction technique.
Performing Regular Audits: Audits help in detecting violations or non-compliance but do not actively reduce the risk associated with the security control objective. They are more about monitoring and ensuring adherence to policies rather than directly mitigating risks.
Signing Off on the Risk: Signing off on the risk (option d) implies accepting the risk rather than actively reducing it. It does not involve implementing controls or measures to decrease the likelihood or impact of a security incident.
Therefore, b. Implementing a policy to train users on a more secure method of operation is the option that represents a proactive risk reduction technique by addressing the human element and enhancing security awareness and practices within the organization.
Which of the following social engineering attacks BEST describes an email that is primarily intended to mislead recipients into forwarding the email to others?
a. Hoaxing
b. Pharming
c. Watering-hole
d. Phishing
a. Hoaxing.
Here’s why:
Hoaxing: Hoaxing involves spreading false information or rumors through various means, including emails, with the intent to deceive and mislead recipients. In the context of emails, hoax emails often encourage recipients to forward the message to others, typically by appealing to emotions, spreading false news, or promoting chain letters.
Let’s briefly cover the other options to clarify:
Pharming: Pharming is a cyber attack where malicious code is used to redirect a website's traffic to a fake website without the user's knowledge. It typically involves DNS hijacking or malware and is not directly related to forwarding misleading emails.
Watering-hole: A watering-hole attack involves compromising websites that a targeted group of individuals is likely to visit and injecting them with malware. It aims to infect visitors with malware rather than forwarding misleading emails.
Phishing: Phishing is a social engineering attack where attackers send deceptive emails or messages pretending to be from a reputable source to trick recipients into revealing sensitive information or clicking on malicious links. While phishing emails can sometimes instruct recipients to forward the message, their primary goal is usually to deceive recipients into taking actions like clicking links or providing credentials.
Therefore, a. Hoaxing is the social engineering attack that specifically involves emails intended to mislead recipients into forwarding the email to others, often perpetuating false information or initiating chain messages.
Which of the following will provide the BEST physical security countermeasures to stop intruders? (Choose two.)
a. Alarms
b. Signage
c. Lighting
d. Access control vestibules
e. Fencing
f. Sensors
(Community: DE 100%)
d. Access control vestibules
e. Fencing
Intruders can be detected by strong lighting, alarms, and sensors. However, these measures alone don’t physically prevent intruders from bypassing security. Signage may discourage intruders but doesn’t physically stop them. Access control vestibules and fences can physically prevent intruders from accessing valuable assets and restricted areas.
ChatGPT: DE
d. Access control vestibules: Also known as mantraps, these are secure entryways that use two sets of interlocking doors to prevent unauthorized access. They provide a high level of security by ensuring that only authorized personnel can enter the premises.
e. Fencing: Fencing acts as a physical barrier to entry, making it more difficult for intruders to gain access to the property. It can also be combined with other security measures like barbed wire, sensors, and cameras to enhance overall security.
These two countermeasures provide substantial physical barriers and control mechanisms to effectively deter and stop intruders from gaining unauthorized access.
An organization is concerned about hackers potentially entering a facility and plugging in a remotely accessible Kali Linux box. Which of the following should be the first lines of defense against such an attack? (Choose two.)
a. MAC filtering
b. Zero trust segmentation
c. Network access control
d. Access control vestibules
e. Guards
f. Bollards
(Community: DE 49%, CD 49%)
Choose CD.
ChatGPT
c. Network access control
d. Access control vestibules
Explanation:
Network Access Control (NAC):
Purpose: NAC systems enforce security policy on devices seeking to access network resources. They can block unauthorized devices, such as a rogue Kali Linux box, from gaining network access.
Benefit: This helps prevent unauthorized devices from communicating over the network, thus mitigating the risk of data breaches and other security threats.
Access Control Vestibules:
Purpose: These are physical security measures that control and monitor the entry of personnel into a facility. Often referred to as "mantraps," these vestibules ensure that only authorized individuals gain access to secure areas.
Benefit: This reduces the risk of unauthorized individuals physically entering the premises and deploying malicious devices.
Why the other options are less suitable as first lines of defense:
a. MAC filtering: While useful, MAC filtering can be bypassed by spoofing the MAC address. It is more of a secondary measure rather than a primary defense against physical intrusion and rogue devices.
b. Zero trust segmentation: This is an excellent internal network security strategy but does not address the physical aspect of preventing unauthorized device access at the network level.
e. Guards: While security guards are important, they are not as effective on their own as access control vestibules for systematically ensuring that unauthorized individuals do not gain access to secure areas.
f. Bollards: Bollards are designed to prevent vehicular access and do not directly prevent individuals from physically entering a facility and deploying a rogue device.
By focusing on network access control to block unauthorized devices and access control vestibules to prevent unauthorized physical access, the organization can effectively mitigate the risk of hackers deploying a remotely accessible Kali Linux box.
(Braindump: A. Zero trust segmentation, c. Network access control)
An employee used a corporate mobile device during a vacation. Multiple contacts were modified in the device during the employee’s vacation. Which of the following attack methods did an attacker use to insert the contacts without having physical access to the device?
a. Jamming
b. Bluejacking
c. Disassociation
d. Evil twin
b. Bluejacking.
Here’s why:
Bluejacking: Bluejacking is a relatively harmless attack where an attacker sends unsolicited messages or contacts over Bluetooth to nearby Bluetooth-enabled devices. The goal is typically to send spam or messages rather than maliciously modify contacts, but in some cases, it could involve adding or modifying contacts if the device settings allow it.
Let’s briefly cover the other options to clarify:
Jamming: Jamming involves intentionally disrupting wireless communication signals (such as Wi-Fi or Bluetooth) to prevent normal operation. It does not involve modifying contacts or inserting data into devices.
Disassociation: Disassociation typically refers to the process of disconnecting a device from a wireless network. It is not related to inserting or modifying contacts on a mobile device.
Evil twin: An evil twin attack involves creating a rogue wireless access point (Wi-Fi hotspot) that masquerades as a legitimate one to trick users into connecting. It does not directly involve inserting or modifying contacts on a mobile device.
Therefore, b. Bluejacking is the attack method where the attacker could have sent or modified contacts on the corporate mobile device via Bluetooth without physically accessing the device, assuming the device was susceptible to such actions over Bluetooth connections.
A security administrator wants to implement a program that tests a user’s ability to recognize attacks over the organization’s email system. Which of the following would be best suited for this task?
a. Social media analysis
b. Annual information security training
c. Gamification
d. Phishing campaign
d. Phishing campaign.
Here’s why:
Phishing Campaign: A phishing campaign involves sending simulated phishing emails to employees to test their awareness and ability to identify phishing attacks. These emails are designed to mimic real phishing attempts, but without malicious intent, aiming to educate users on how to recognize and respond to phishing emails correctly.
Let’s briefly cover the other options to clarify:
Social Media Analysis: Social media analysis involves monitoring and analyzing social media platforms for security threats or information leakage related to an organization. It does not directly test a user's ability to recognize email-based attacks.
Annual Information Security Training: While annual information security training is essential for educating employees on various security topics, including phishing, it does not specifically simulate real phishing attacks to test immediate recognition and response capabilities.
Gamification: Gamification involves incorporating game-like elements (such as points, rewards, and competition) into training programs to engage and motivate participants. While it can enhance training effectiveness, it typically focuses on learning retention and engagement rather than testing specific skills like recognizing email attacks.
Therefore, d. Phishing campaign is the most appropriate choice for actively testing and improving users’ ability to identify and respond to phishing attacks via the organization’s email system. It provides a practical simulation of real-world threats to enhance awareness and readiness among employees.
A security analyst is reviewing packet capture data from a compromised host on the network. In the packet capture, the analyst locates packets that contain large amounts of text. Which of the following is most likely installed on the compromised host?
a. Keylogger
b. Spyware
c. Trojan
d. Ransomware
a. Keylogger
Here’s why:
Keylogger: Keyloggers are malicious programs designed to record keystrokes made by a user on a computer. They capture all keystrokes entered, including text typed into documents, web forms, passwords, and other sensitive information. If the packet capture data includes large amounts of text from various sources (such as documents, emails, or chat messages), it suggests that a keylogger is actively capturing and transmitting this information.
Spyware: Spyware is a broader category of malicious software that includes keyloggers but also encompasses other types of software designed to monitor and gather information about a user's activities without their knowledge. However, keyloggers specifically target and capture keystrokes, which aligns with the description provided in the scenario.
Trojan: Trojans are malicious programs disguised as legitimate software. While Trojans can include keylogger or spyware functionality, the focus on capturing and transmitting text data specifically points towards a keylogger rather than a Trojan in general.
Ransomware: Ransomware encrypts files on a computer and demands payment for decryption. It typically does not involve capturing large amounts of text data but rather focuses on locking access to files or systems.
Therefore, a. Keylogger is the most likely software installed on the compromised host based on the packet capture data showing large amounts of captured text.
An organization needs to implement more stringent controls over administrator/root credentials and service accounts. Requirements for the project include:
* Check-in/checkout of credentials
* The ability to use but not know the password
* Automated password changes
* Logging of access to credentials
Which of the following solutions would meet the requirements?
a. OAuth 2.0
b. Secure Enclave
c. A privileged access management system
d. An OpenID Connect authentication system
(Community: C 100%)
c. A privileged access management system
Privileged access management (PAM, sometimes called privileged account management) allows an organization to apply more stringent security controls over accounts with elevated privileges, such as administrator or root-level accounts.
Some capabilities of PAM are:
- Allow users to access the privileged account without knowing the password
- Automatically change privileged account passwords periodically
- Limit the time users can use the privileged account
- Allow users to check out credentials
- Log all access of credentials
ChatGPT
c. A privileged access management (PAM) system
Here’s how a PAM system aligns with each requirement:
Check-in/checkout of credentials: A PAM system provides a secure vault where privileged credentials (such as administrator/root credentials and service account passwords) are stored. Access to these credentials can be managed through check-in and checkout mechanisms, ensuring that credentials are only accessible when needed and are returned after use.
The ability to use but not know the password: PAM systems typically provide mechanisms such as session management and password injection that allow users to access systems without revealing the actual passwords. Instead, credentials are managed and rotated automatically by the PAM system.
Automated password changes: PAM systems can automate the rotation and changing of passwords according to policies and schedules defined by the organization. This ensures that passwords are regularly updated to enhance security.
Logging of access to credentials: PAM systems maintain detailed audit logs of all access and actions performed using privileged credentials. This includes logging who accessed which credentials, when, and for what purpose, providing accountability and traceability.
Let’s briefly cover the other options to clarify why they are not as suitable:
OAuth 2.0: OAuth 2.0 is an authorization framework that allows third-party applications to obtain limited access to an HTTP service. It is not designed for managing privileged credentials and does not provide the comprehensive controls and auditing capabilities required for administrator/root credentials and service accounts.
Secure Enclave: A secure enclave is a hardware-based security feature that provides isolated execution environments for sensitive computations. While it enhances security for specific tasks, it does not directly address the management and control of privileged credentials as comprehensively as a PAM system.
An OpenID Connect authentication system: OpenID Connect is an authentication protocol that allows for the authorization of clients to access protected resources. It focuses on user authentication and identity management, rather than managing privileged credentials and enforcing strict controls over administrator/root accounts and service accounts.
Therefore, c. A privileged access management (PAM) system is the solution that best meets the requirements outlined for implementing stringent controls over administrator/root credentials and service accounts within the organization.
A systems analyst is responsible for generating a new digital forensics chain-of-custody form. Which of the following should the analyst include in this documentation? (Choose two).
a. The order of volatility
b. A forensics NDA
c. The provenance of the artifacts
d. The vendor’s name
e. The date and time
f. A warning banner
(Braindump: c. The provenance of the artifacts, e. The date and time)
The systems analyst should include the date and time and the provenance of the artifacts in the digital forensics chain-of-custody form. The date and time are important for tracking when the evidence was collected and when it was transferred between individuals or organizations. The provenance of the artifacts is also important for tracking the chain of custody and ensuring that the evidence has not been tampered with.
The order of volatility is a concept used in digital forensics to determine the order in which volatile data should be collected. A forensics NDA is a non-disclosure agreement that is used to protect sensitive information during a digital forensics investigation. The vendor’s name is not typically included in a digital forensics chain-of-custody form. A warning banner is a message that is displayed to users before they log in to a system to warn them about the consequences of unauthorized access.
a. The order of volatility
The order of volatility refers to the sequence in which volatile data (data that is likely to change or be lost quickly) should be collected and preserved during the forensic investigation. This ensures that the most volatile data, which may provide crucial evidence, is collected first.
c. The provenance of the artifacts
Provenance refers to the origin or source of the artifacts collected during the investigation. It includes information such as where and how the artifacts were discovered, who collected them, and under what circumstances. Documenting provenance is critical for establishing the authenticity and reliability of the evidence in legal proceedings.
Let’s briefly cover the other options to clarify why they are not typically included in a digital forensics chain-of-custody form:
b. A forensics NDA: While a Non-Disclosure Agreement (NDA) is important for protecting confidential information and ensuring confidentiality among parties involved in the investigation, it is not typically part of the chain-of-custody form itself. NDAs are separate legal agreements that may be signed between parties involved in the investigation.
d. The vendor's name: Unless the investigation involves external vendors or service providers who are directly handling or assisting with the forensic process, the vendor's name is not typically relevant to include in the chain-of-custody form.
e. The date and time: While the date and time are crucial for documenting when artifacts were collected or transferred, they are usually included as part of the chain-of-custody process itself rather than being explicitly listed in the form.
f. A warning banner: A warning banner is a notification displayed on systems to inform users of the monitoring or security policies in place. While important for system usage and awareness, it is not directly related to documenting the chain-of-custody for forensic artifacts.
Therefore, the systems analyst should focus on including a. The order of volatility and c. The provenance of the artifacts in the digital forensics chain-of-custody form to ensure comprehensive documentation and integrity of the forensic investigation process.
A security analyst reviews web server logs and notices the following line:
104.35.45.53 - - [22/May/2020:07:00:58 +0100] “GET /wordpress/wp-content/plugins/custom_plugin/check_user/php?userid=1 UNION ALL SELECT user_login, user,_pass, user_email from wp_users== HTTP/1.1” 200 1072 “http://www.example.com/wordpress/wp-admin/”
Which of the following vulnerabilities is the attacker trying to exploit?
a. SSRF
b. CSRF
c. XSS
d. SQLi
d. SQL Injection (SQLi) vulnerability.
Here’s why:
SQL Injection (SQLi): SQL injection inserts attacker-controlled SQL into an input (here the userid parameter in the query string) that the application concatenates into a query it sends to the backend database. In the log entry the parameter value is userid=1 UNION ALL SELECT user_login, user,_pass, user_email from wp_users: the UNION ALL appends a second SELECT to whatever query the check_user endpoint runs, pulling user_login (login names), user_pass (written as user,_pass in the log; this column holds WordPress's password hashes) and user_email (email addresses) from the wp_users table. A UNION is only valid when both SELECTs return the same number of columns, which is why the attacker chose exactly three. Two caveats for anyone triaging this line: the 200 status and 1072-byte response only show that the server answered, not that the injection succeeded, and in a real access log the payload would normally appear URL-encoded (spaces as %20 or +), so log searches and detection rules should decode the request before matching.
Let’s briefly cover why the other options are not correct:
a. SSRF (Server-Side Request Forgery): SSRF involves tricking the server into making requests on behalf of the attacker to internal or external systems that the server has access to. The provided log does not indicate any SSRF attempt.

b. CSRF (Cross-Site Request Forgery): CSRF involves tricking a user into executing actions in an application without their knowledge or consent. It typically involves forging requests from the user's browser context, not directly through server logs as shown.

c. XSS (Cross-Site Scripting): XSS involves injecting malicious scripts into web pages viewed by other users. It does not involve manipulating SQL queries to extract data from databases as shown in the log.
Therefore, the correct answer is d. SQLi, as the attacker is attempting to exploit a SQL Injection vulnerability by manipulating the SQL query through the userid parameter in the URL to extract sensitive information from the database.
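The vulnerable pattern from the log beside its hardened form, as an added example that is not part of the original flashcard. It uses an in-memory SQLite table as a stand-in for WordPress's wp_users; the rows, hashes and the check_user query shape are constructed for the demonstration, and the payload is the one from the log with the column name corrected to user_pass.

```python
"""UNION-based SQL injection: the flashcard's payload against a query that
concatenates its input, beside a parameterized version that rejects it.
Added example; the table, rows and hashes below are constructed."""
import sqlite3

# Payload from the log line, column name corrected to user_pass. In a real
# access log it would usually arrive URL-encoded (%20 or + for spaces).
PAYLOAD = "1 UNION ALL SELECT user_login, user_pass, user_email FROM wp_users"


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the WordPress users table (hashes are fake)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, "
        "user_pass TEXT, user_email TEXT, display_name TEXT, user_status INTEGER)"
    )
    conn.executemany(
        "INSERT INTO wp_users VALUES (?, ?, ?, ?, ?, ?)",
        [
            (1, "admin", "$P$BfakeHashForAdmin000000000000", "admin@example.com", "Site Admin", 0),
            (2, "editor", "$P$BfakeHashForEditor00000000000", "editor@example.com", "Editor", 0),
        ],
    )
    return conn


def check_user_vulnerable(conn, userid: str):
    """Hypothetical check_user logic: the request parameter is pasted into the
    SQL text, so a UNION with three columns is accepted as valid SQL."""
    sql = f"SELECT display_name, user_email, user_status FROM wp_users WHERE ID = {userid}"
    return conn.execute(sql).fetchall()


def check_user_safe(conn, userid: str):
    """Hardened form: validate the type, then bind the value as a parameter so
    it is only ever compared against ID and never parsed as SQL."""
    uid = int(userid)  # ValueError for anything that is not an integer
    sql = "SELECT display_name, user_email, user_status FROM wp_users WHERE ID = ?"
    return conn.execute(sql, (uid,)).fetchall()


def safe_rejects(conn, userid: str) -> bool:
    """True when the hardened lookup refuses the input outright."""
    try:
        check_user_safe(conn, userid)
        return False
    except ValueError:
        return True


def leaked_credentials(conn):
    """Rows the attacker receives beyond the legitimate one: (login, hash, email)."""
    rows = check_user_vulnerable(conn, PAYLOAD)
    return rows[1:]  # first row is the genuine ID=1 record


if __name__ == "__main__":
    db = make_db()
    print("legit   :", check_user_vulnerable(db, "1"))
    print("injected:", check_user_vulnerable(db, PAYLOAD))
    print("hardened rejects payload:", safe_rejects(db, PAYLOAD))
```

The type check alone would stop this particular payload, but the parameter binding is what closes the class of bug: a string-typed field such as a username cannot be validated into safety the same way, and binding keeps data and query text apart regardless of type.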
A user is having network connectivity issues when working from a coffee shop. The user has used the coffee shop as a workspace for several months without any issues. None of the other customers at the coffee shop are experiencing these issues. A help desk analyst at the user’s company reviews the following Wi-Fi log:
Time Network Status Frequency
08:13:40 Coffee_Wi-Fi Network connected 5 GHz
08:13:45 Coffee_Wi-Fi Network disconnected 5 GHz
09:04:10 Coffee_Wi-Fi Network connected 5 GHz
09:04:15 Coffee_Wi-Fi Network disconnected 5 GHz
11:15:07 Coffee_Wi-Fi Network connected 2.4 GHz
11:15:12 Coffee_Wi-Fi Network disconnected 2.4 GHz
Which of the following best describes what is causing this issue?
a. Another customer has configured a rogue access point.
b. The coffee shop network is using multiple frequencies.
c. A denial-of-service attack by disassociation is occurring.
d. An evil twin access point is being utilized.
(Community : C 83%)
c. A denial-of-service attack by disassociation is occurring.
Here’s why:
The Wi-Fi log shows the user's device joining the network and being dropped about five seconds later, three times across the morning, on the 5 GHz band and then on 2.4 GHz as well, while nobody else in the shop is affected. That pattern matches a disassociation (or deauthentication) denial-of-service attack: 802.11 management frames are unauthenticated unless Protected Management Frames (802.11w) is in use, so an attacker within radio range can spoof disassociation frames from the access point addressed to one client's MAC address and knock that client off the network each time it reconnects.
Let’s briefly discuss why the other options are less likely:
a. Another customer has configured a rogue access point: A rogue AP would show up as the client joining a different SSID, or a stronger copy of this one; it does not explain repeated drops seconds after a successful connection to the legitimate network.

b. The coffee shop network is using multiple frequencies: Dual-band operation is normal. The log shows the client being dropped on 5 GHz and, after falling back, on 2.4 GHz as well, and no other customer is affected, so the band is not the cause. If it were simply a frequency issue, we would not expect the immediate disconnections after connecting.

d. An evil twin access point is being utilized: An evil twin mimics the legitimate access point so that the victim connects to it and its traffic can be intercepted. That could cause connection problems, but it typically results in a stable connection to the fake access point rather than repeated disconnections from the real one, which is what this log shows.
Therefore, the log entries showing immediate disconnections after successful connections are most consistent with a denial-of-service attack by disassociation, where an attacker is deliberately causing the user’s device to disconnect from the network.
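Detection logic for the pattern above, as an added example that is not part of the original flashcard: it parses the log table, pairs each connect with the following disconnect, and flags a client whose every session is cut off within a threshold. The log text is constructed from the table in the question, the second log is a constructed healthy baseline, and the 10-second and 3-session thresholds are assumed tuning values.

```python
"""Flag a Wi-Fi client whose sessions end seconds after they start, the
pattern the flashcard attributes to a disassociation denial of service.
Added example; both logs are constructed and the thresholds are assumptions."""
from datetime import datetime

WIFI_LOG = """\
08:13:40 Coffee_Wi-Fi Network connected 5 GHz
08:13:45 Coffee_Wi-Fi Network disconnected 5 GHz
09:04:10 Coffee_Wi-Fi Network connected 5 GHz
09:04:15 Coffee_Wi-Fi Network disconnected 5 GHz
11:15:07 Coffee_Wi-Fi Network connected 2.4 GHz
11:15:12 Coffee_Wi-Fi Network disconnected 2.4 GHz
"""

# Constructed healthy baseline: one long session on one band.
HEALTHY_LOG = """\
08:13:40 Coffee_Wi-Fi Network connected 5 GHz
12:02:11 Coffee_Wi-Fi Network disconnected 5 GHz
"""


def parse_events(text):
    """Return (time, ssid, status, band) tuples from lines shaped like the table."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[3] not in ("connected", "disconnected"):
            continue  # skips the header row and anything malformed
        # The log carries no date, so a same-day log is assumed; a session
        # crossing midnight would come out negative and is dropped below.
        when = datetime.strptime(parts[0], "%H:%M:%S")
        events.append((when, parts[1], parts[3], " ".join(parts[4:])))
    return events


def sessions(events):
    """Pair each 'connected' with the next 'disconnected' for the same SSID."""
    open_at, out = {}, []
    for when, ssid, status, band in events:
        if status == "connected":
            open_at[ssid] = (when, band)
        elif ssid in open_at:
            start, start_band = open_at.pop(ssid)
            out.append({"ssid": ssid, "band": start_band, "start": start,
                        "seconds": (when - start).total_seconds()})
    return out


def flag_flapping(text, max_seconds=10.0, min_sessions=3):
    """Summarise sessions and decide whether they look like forced drops:
    repeated sessions, every one of them short. Bands are reported so a
    band-steering or single-radio fault can be ruled out by eye."""
    sess = sessions(parse_events(text))
    short = [s for s in sess if 0 <= s["seconds"] <= max_seconds]
    return {
        "sessions": len(sess),
        "short": len(short),
        "bands_affected": sorted({s["band"] for s in short}),
        "suspect_disassociation": len(sess) >= min_sessions and len(short) == len(sess),
    }


if __name__ == "__main__":
    print(flag_flapping(WIFI_LOG))
    print(flag_flapping(HEALTHY_LOG))
```

A client-side log can only show the symptom. Confirming the cause means capturing 802.11 management frames near the client and looking for deauthentication (type 0, subtype 12) or disassociation (type 0, subtype 10) frames that claim the access point's address; enabling 802.11w on the access point is the mitigation.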
Which of the following is a physical security control that ensures only the authorized user is present when gaining access to a secured area?
a. A biometric scanner
b. A smart card reader
c. A PKI token
d. A PIN pad
a. A biometric scanner
Here’s why:
Biometric Scanner: A biometric scanner uses unique physical characteristics of an individual, such as fingerprints, facial recognition, iris scans, or voice recognition, to verify their identity. This ensures that the person attempting to gain access is physically present and is the authorized individual, as these biometric traits are difficult to replicate or share.
Let’s briefly cover why the other options are less effective in ensuring the physical presence of the authorized user:
Smart Card Reader: A smart card reader authenticates access based on a smart card that the user possesses. While it confirms the presence of the card, it does not verify that the person holding the card is the authorized user, as smart cards can be lost, stolen, or shared.

PKI Token: A Public Key Infrastructure (PKI) token provides authentication through cryptographic keys. Similar to smart cards, it ensures the presence of the token but does not verify the identity of the person holding the token.

PIN Pad: A PIN pad requires the user to enter a Personal Identification Number (PIN) to gain access. While it authenticates based on knowledge of the PIN, it does not confirm the physical presence of the authorized user, as PINs can be shared or guessed.
Therefore, a. Biometric scanner is the best option for ensuring that only the authorized user is present when gaining access to a secured area, as it relies on unique, non-transferable physical characteristics.
During a forensic investigation, a security analyst discovered that the following command was run on a compromised host:
crackmapexec smb 192.168.10.232 -u localadmin -H 0A3CE8D07A46E5C51070F03593E0A5E6
Which of the following attacks occurred?
a. Buffer overflow
b. Pass the hash
c. SQL injection
d. Replay attack
b. Pass the hash
Here’s why:
Pass the Hash: The command crackmapexec smb 192.168.10.232 -u localadmin -H 0A3CE8D07A46E5C51070F03593E0A5E6 runs CrackMapExec against the SMB (Server Message Block) service on 192.168.10.232 as the user localadmin, supplying a hash with -H instead of a password with -p. The value is 32 hexadecimal characters, i.e. 16 bytes, the size of a Windows NT hash (MD4 over the UTF-16LE password). NTLM authentication proves possession of that hash, not of the password, so an attacker who has dumped it from LSASS or the SAM on one host can authenticate to other hosts without ever cracking it. This technique is known as "Pass the Hash" (MITRE ATT&CK T1550.002); run from a compromised host toward another internal address, it is also the lateral-movement step of the intrusion.
Let’s briefly cover why the other options are not applicable:
Buffer Overflow: A buffer overflow attack involves exploiting a program by overrunning a buffer's boundary and overwriting adjacent memory. The given command does not show any indication of trying to overflow a buffer or manipulate memory boundaries.

SQL Injection: SQL injection involves injecting malicious SQL statements into an input field for execution by a database. The given command does not interact with a database or include any SQL code.

Replay Attack: A replay attack captures a valid transmission and retransmits it verbatim to repeat or delay a transaction. Pass the hash is sometimes confused with replay, but nothing captured is retransmitted: the stolen hash is used to compute a fresh response to each new server challenge, which is exactly why it keeps working long after the session that leaked it has ended.
Therefore, b. Pass the hash is the correct answer, as the command shows the use of a hashed password to authenticate to a service.
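What the -H value is, and why it is sufficient on its own, as an added example that is not from the original flashcard or from the CrackMapExec project: the NT hash is MD4 over the UTF-16LE password, and the NTLMv2 proof a client sends during SMB authentication is an HMAC-MD5 chain keyed by that hash, so the function that produces the proof never needs the password. MD4 is implemented inline because hashlib's md4 is an OpenSSL legacy algorithm that is frequently disabled; the server challenge and client blob in the demo are constructed bytes, and the LM:NT parsing reflects the common "LM:NT" convention rather than any one tool's exact flag handling.

```python
"""NT hash and NTLMv2 proof: the -H value from the crackmapexec command is the
only secret an NTLM client needs. Added example; MD4 is implemented here
because hashlib's md4 is often unavailable, and the demo challenge/blob are
constructed."""
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: 512-bit blocks, little-endian 32-bit words, three rounds."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                j = (-i) % 4  # update a, d, c, b in turn
                val = s[j] + func(s[(j + 1) % 4], s[(j + 2) % 4], s[(j + 3) % 4]) + x[k] + const
                s[j] = _rotl(val & _MASK, shifts[i % 4])
        state = [(a + b) & _MASK for a, b in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash (NTOWFv1): MD4 of the UTF-16LE password, unsalted."""
    return md4(password.encode("utf-16-le"))


def parse_hash_arg(value: str) -> bytes:
    """Take the NT half of a hash argument written as NT or LM:NT."""
    nt = value.split(":")[-1]
    if len(nt) != 32:
        raise ValueError("NT hash must be 32 hex characters")
    return bytes.fromhex(nt)


def ntlmv2_proof(nt: bytes, user: str, domain: str, server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTProofStr as defined in MS-NLMP: keyed by the NT hash, never the password."""
    ntowf_v2 = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(ntowf_v2, server_challenge + client_blob, hashlib.md5).digest()


if __name__ == "__main__":
    # Constructed 8-byte server challenge and NTLMv2 client blob for the demo.
    challenge, blob = bytes(range(8)), b"\x01\x01" + bytes(26)
    from_password = ntlmv2_proof(nt_hash("password"), "localadmin", "", challenge, blob)
    from_hash = ntlmv2_proof(parse_hash_arg("8846F7EAEE8FB117AD06BDD830B7586C"), "localadmin", "", challenge, blob)
    print("NT hash of 'password':", nt_hash("password").hex())
    print("identical proof from the hash alone:", from_password == from_hash)
```

The point for defenders is in ntlmv2_proof's signature: nothing about the password is required to answer a challenge, which is why the hash must be treated as a credential in its own right (LSA protection, Credential Guard, no shared local admin passwords across hosts) rather than as something that still needs cracking.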
A company is moving to a new location. The systems administrator has provided the following server room requirements to the facilities staff:
*Consistent power levels in case of brownouts or voltage spikes
*A minimum of 30 minutes runtime following a power outage
*Ability to trigger graceful shutdowns of critical systems
Which of the following would BEST meet the requirements?
a. Maintaining a standby, gas-powered generator
b. Using large surge suppressors on computer equipment
c. Configuring managed PDUs to monitor power levels
d. Deploying an appropriately sized, network-connected UPS device
d. Deploying an appropriately sized, network-connected UPS device
Here’s why:
Consistent power levels in case of brownouts or voltage spikes: A UPS (Uninterruptible Power Supply) device can provide consistent power by regulating voltage levels and protecting against brownouts and voltage spikes.

A minimum of 30 minutes runtime following a power outage: A properly sized UPS can provide battery backup power for a specified period, such as 30 minutes, allowing systems to remain operational during short outages.

Ability to trigger graceful shutdowns of critical systems: A network-connected UPS can communicate with servers and other critical systems to initiate a graceful shutdown process when the UPS battery reaches a certain threshold, ensuring data integrity and preventing damage.
Let’s briefly cover why the other options are not as suitable:
a. Maintaining a standby, gas-powered generator: A generator covers extended outages, but there is a gap of seconds to minutes while it starts and the transfer switch engages, so on its own it cannot hold systems up from the instant power is lost. It also does nothing for voltage regulation during brownouts or spikes and cannot trigger graceful shutdowns. It complements a UPS rather than replacing one.

b. Using large surge suppressors on computer equipment: Surge suppressors can protect against voltage spikes but do not provide battery backup power during outages or brownouts. They also do not offer the ability to trigger graceful shutdowns.

c. Configuring managed PDUs to monitor power levels: Managed Power Distribution Units (PDUs) can monitor and manage power distribution and switch outlets, but they have no battery and do not condition voltage, so they cannot ride through an outage or a brownout. They also do not have the capability to trigger graceful shutdowns on their own.
Therefore, d. Deploying an appropriately sized, network-connected UPS device is the best solution to meet all the specified server room requirements.