601-650 Flashcards
Which of the following can only be mitigated through the use of technical controls rather than user security training?
B.
Zero-day
The security administrator is observing unusual network behavior from a workstation. The workstation is communicating with a known malicious destination over an encrypted tunnel. A full antivirus scan, with an updated antivirus definition file, does not show any signs of infection.
Which of the following has happened on the workstation?
A.
Zero-day attack
Which of the following types of application attacks would be used to identify malware causing security breaches that have NOT yet been identified by any trusted sources?
A.
Zero-day
Which of the following may cause Jane, the security administrator, to seek an ACL work around?
A.
Zero-day exploit
Matt, an IT administrator, wants to protect a newly built server from zero-day attacks.
Which of the following would provide the BEST level of protection?
A.
HIPS
Joe, a user, in a coffee shop is checking his email over a wireless network. An attacker records the temporary credentials being passed to Joe’s browser. The attacker later uses the credentials to impersonate Joe and creates SPAM messages.
Which of the following attacks allows for this impersonation?
D.
Session hijacking
How often, at a MINIMUM, should Sara, an administrator, review the accesses and rights of the users on her system?
A.
Annually
Which of the following types of logs could provide clues that someone has been attempting to compromise the SQL Server database?
A.
Event
Ann, the security administrator, received a report from the security technician, that an unauthorized new user account was added to the server over two weeks ago.
Which of the following could have mitigated this event?
A.
Routine log audits
A security administrator needs to determine which system a particular user is trying to log in to at various times of the day.
Which of the following log types would the administrator check?
D.
Security
The security administrator is analyzing a user’s history file on a Unix server to determine if the user was attempting to break out of a rootjail.
Which of the following lines in the user’s history log shows evidence that the user attempted to escape the rootjail?
A.
cd ../../../../bin/bash
A security technician is attempting to improve the overall security posture of an internal mail server.
Which of the following actions would BEST accomplish this goal?
B.
Disabling unnecessary services
A vulnerability assessment indicates that a router can be accessed from default port 80 and default port 22.
Which of the following should be executed on the router to prevent access via these ports? (Choose two.)
C.
SSH service should be disabled
D.
HTTP service should be disabled
During a routine audit a web server is flagged for allowing the use of weak ciphers.
Which of the following should be disabled to mitigate this risk? (Choose two.)
A.
SSL 1.0
F.
TLS 1.0
A new web server has been provisioned at a third party hosting provider for processing credit card transactions. The security administrator runs the netstat command on the server and notices that ports 80, 443, and 3389 are in a 'listening' state. No other ports are open.
Which of the following services should be disabled to ensure secure communications?
B.
HTTP
Joe analyzed the following log and determined the security team should implement which of the following as a mitigation method against further attempts?
Host 192.168.1.123
[00: 00: 01]Successful Login: 015 192.168.1.123 : local
[00: 00: 03]Unsuccessful Login: 022 214.34.56.006 : RDP 192.168.1.124
[00: 00: 04]UnSuccessful Login: 010 214.34.56.006 : RDP 192.168.1.124
[00: 00: 07]UnSuccessful Login: 007 214.34.56.006 : RDP 192.168.1.124
[00: 00: 08]UnSuccessful Login: 003 214.34.56.006 : RDP 192.168.1.124
D.
Hardening
The Chief Technology Officer (CTO) wants to improve security surrounding storage of customer passwords.
The company currently stores passwords as SHA hashes.
Which of the following can the CTO implement requiring the LEAST change to existing systems?
A.
Smart cards
An auditor’s report discovered several accounts with no activity for over 60 days. The accounts were later identified as contractors’ accounts who would be returning in three months and would need to resume the activities.
Which of the following would mitigate and secure the auditor's finding?
A.
Disable unnecessary contractor accounts and inform the auditor of the update.
An administrator notices that former temporary employees’ accounts are still active on a domain.
Which of the following can be implemented to increase security and prevent this from happening?
D.
Run a last logon script to look for inactive accounts.
How must user accounts for exiting employees be handled?
A.
Disabled, regardless of the circumstances
An administrator has a network subnet dedicated to a group of users. Due to concerns regarding data and network security, the administrator desires to provide network access for this group only.
Which of the following would BEST address this desire?
C.
Configure the switch to allow only traffic from computers based upon their physical address.
A new virtual server was created for the marketing department. The server was installed on an existing host machine. Users in the marketing department report that they are unable to connect to the server. Technicians verify that the server has an IP address in the same VLAN as the marketing department users.
Which of the following is the MOST likely reason the users are unable to connect to the server?
A.
The new virtual server’s MAC address was not added to the ACL on the switch
Which of the following can be implemented if a security administrator wants only certain devices connecting to the wireless network?
C.
Enable MAC filtering
Which of the following implementation steps would be appropriate for a public wireless hotspot?
C.
Open system authentication
Which of the following controls would allow a company to reduce the exposure of sensitive systems from unmanaged devices on internal networks?
A.
802.1x
A system security analyst using an enterprise monitoring tool notices an unknown internal host exfiltrating files to several foreign IP addresses.
Which of the following would be an appropriate mitigation technique?
B.
Rogue machine detection
Matt, a developer, recently attended a workshop on a new application. The developer installs the new application on a production system to test the functionality.
Which of the following is MOST likely affected?
C.
Initial baseline configuration
In order to maintain oversight of a third party service provider, the company is going to implement a Governance, Risk, and Compliance (GRC) system. This system is promising to provide overall security posture coverage.
Which of the following is the MOST important activity that should be considered?
A.
Continuous security monitoring
A security analyst performs the following activities: monitors security logs, installs surveillance cameras and analyzes trend reports.
Which of the following job responsibilities is the analyst performing? (Choose two.)
A.
Detect security incidents
C.
Implement monitoring controls
Which of the following is an indication of an ongoing current problem?
C.
Alarm
Which of the following is a notification that an unusual condition exists and should be investigated?
A.
Alert
A security manager must remain aware of the security posture of each system.
Which of the following supports this requirement?
B.
Establishing baseline reporting
Suspicious traffic without a specific signature was detected. Under further investigation, it was determined that these were false indicators.
Which of the following security devices needs to be configured to disable future false alarms?
D.
Anomaly based IDS
Jane, a security administrator, has observed repeated attempts to break into a server.
Which of the following is designed to stop an intrusion on a specific server?
A.
HIPS
Which of the following tools will allow a technician to detect security-related TCP connection anomalies?
B.
Performance monitor
Which of the following would a security administrator implement in order to identify a problem between two systems that are not communicating properly?
A.
Protocol analyzer
Which of the following is BEST used to capture and analyze network traffic between hosts on the same network segment?
A.
Protocol analyzer
Which of the following would a security administrator implement in order to identify a problem between two applications that are not communicating properly?
A.
Protocol analyzer
Which of the following tools would allow Ann, the security administrator, to be able to BEST quantify all traffic on her network?
C.
Protocol analyzer
Joe, the security administrator, has determined that one of his web servers is under attack.
Which of the following can help determine where the attack originated from?
D.
Network sniffing
Which of the following BEST allows Pete, a security administrator, to determine the type, source, and flags of the packet traversing a network for troubleshooting purposes?
B.
Protocol analyzers
Which of the following security architecture elements also has sniffer functionality? (Choose two.)
B.
IPS
E.
IDS
Which of the following would a security administrator implement in order to discover comprehensive security threats on a network?
C.
Vulnerability scan
An administrator is concerned that a company’s web server has not been patched.
Which of the following would be the BEST assessment for the administrator to perform?
A.
Vulnerability scan
Which of the following would be used to identify the security posture of a network without actually exploiting any weaknesses?
C.
Vulnerability scan
Which of the following should an administrator implement to research current attack methodologies?
B.
Honeypot
Based on information leaked to industry websites, business management is concerned that unauthorized employees are accessing critical project information for a major, well-known new product. To identify any such users, the security administrator could:
A.
Set up a honeypot and place false project documentation on an unsecure share.
Joe, an administrator, installs a web server on the Internet that performs credit card transactions for customer payments. Joe also sets up a second web server that looks like the first web server.
However, the second server contains fabricated files and folders made to look like payments were processed on this server but really were not.
Which of the following is the second server?
D.
Honeypot
Which of the following can Joe, a security administrator, implement on his network to capture attack details that are occurring while also protecting his production network?
D.
Honeypot
What is a system that is intended or designed to be broken into by an attacker?
A.
Honeypot