801-850 Flashcards
A penetration test revealed that several Linux servers were misconfigured at the file level and access was granted incorrectly. A security analyst is referencing the instructions in the incident response runbook for remediation information. Which of the following is the best command to use to resolve the issue?
A. chmod
B. cat
C. grep
D. dig
A. chmod
chmod: This command is used to change the permissions of files and directories on Linux and Unix-like operating systems. It allows the security analyst to modify the permissions (read, write, execute) for the owner, group, and others, thereby correcting any misconfigurations that may have granted incorrect access.
Here’s why the other options are not suitable:
B. cat: This command is used to concatenate and display the contents of files. It does not alter file permissions. C. grep: This command is used for searching text patterns in files. While useful for finding specific lines containing text, it does not change file permissions. D. dig: This command is used for querying DNS name servers. It is not related to changing file permissions.
Therefore, A. chmod is the correct and best command to use for remediation in this scenario where Linux servers have misconfigured file permissions granting incorrect access.
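The fix in practice has two halves: first find the files whose mode grants access it should not (world-writable files, or setuid/setgid on helpers that do not need it), then apply chmod to clear exactly those bits. The following is an added example, not code from the flashcard set; it builds a small constructed directory tree with deliberately bad modes, audits it the way `find ROOT -type f \( -perm -o+w -o -perm /6000 \)` would, and remediates with `os.chmod` (the same call `chmod o-w,u-s,g-s` makes). The file names and modes are invented sample data; the classification of "risky" is limited to the two bit patterns shown and is an assumption for the example.

```python
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path

# Bits that commonly indicate a file-level misconfiguration:
# anyone-may-write, or setuid/setgid on a file that should not have it.
WORLD_WRITE = stat.S_IWOTH
SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def build_sample_tree() -> str:
    """Create a constructed directory tree with deliberately bad modes
    (sample data for this example, not taken from a real server)."""
    root = tempfile.mkdtemp(prefix="perm-audit-")

    good = Path(root, "etc-app.conf")
    good.write_text("db_host=localhost\n")
    os.chmod(good, 0o640)                 # owner rw, group r, others nothing

    loose = Path(root, "secrets.env")
    loose.write_text("API_KEY=constructed-sample\n")
    os.chmod(loose, 0o666)                # world-writable: any local user can tamper

    tool = Path(root, "bin-helper")
    tool.write_text("#!/bin/sh\necho helper\n")
    os.chmod(tool, 0o4755)                # setuid helper that has no business being setuid
    return root


def find_risky(root: str) -> list[tuple[str, str]]:
    """Walk the tree and return (relative path, octal mode) for regular files that
    are world-writable or carry setuid/setgid."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)           # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue                  # skip symlinks, sockets, devices
            mode = stat.S_IMODE(st.st_mode)
            if mode & WORLD_WRITE or mode & SPECIAL_BITS:
                findings.append((os.path.relpath(path, root), oct(mode)))
    return sorted(findings)


def remediate(root: str) -> int:
    """Apply the chmod fix: clear only the offending bits, leaving the rest of the
    mode intact, and return the number of files changed."""
    fixed = 0
    for rel, _mode in find_risky(root):
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~(WORLD_WRITE | SPECIAL_BITS))
        fixed += 1
    return fixed


if __name__ == "__main__":
    root = build_sample_tree()
    print("before:", find_risky(root))   # [('bin-helper', '0o4755'), ('secrets.env', '0o666')]
    print("fixed:", remediate(root))     # 2
    print("after:", find_risky(root))    # []
```

Clearing bits with a mask rather than setting a fixed mode such as 0o644 matters on a real server: a blanket `chmod 644` would strip the execute bit from scripts and binaries and break the service the pentest was scoping. If the finding is wrong ownership rather than wrong mode, `chown` is the companion command.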
Which of the following is the most important security concern when using legacy systems to provide production service?
A. Instability
B. Lack of vendor support
C. Loss of availability
D. Use of insecure protocols
B. Lack of vendor support
Here’s why:
Lack of Vendor Support: Legacy systems often reach a point where the original vendor no longer provides updates, patches, or support. This leaves the system vulnerable to newly discovered security vulnerabilities and makes it difficult or impossible to address security issues promptly. Security Implications: Without vendor support, there are no security patches or updates to protect the system from evolving threats. This increases the risk of exploitation through known vulnerabilities, potentially leading to data breaches, unauthorized access, or service disruptions. Other Options: Instability (option A): While instability is a concern, lack of vendor support directly impacts the ability to secure and maintain the system over time. Loss of availability (option C): Loss of availability can be a concern, but it is often mitigated through redundancy and failover mechanisms rather than directly related to vendor support. Use of insecure protocols (option D): Using insecure protocols is a security concern, but it can often be addressed through configuration changes or network segmentation, whereas lack of vendor support cannot be easily remedied.
Therefore, B. Lack of vendor support is the most critical security concern when using legacy systems for production services, as it directly affects the ability to maintain the security posture of the system over its operational lifecycle.
Which of the following would best enable a systems administrator to easily determine which devices are located at a remote facility and allow policy to be pushed to only those devices?
A. Baseline configurations
B. Network diagrams
C. Standard naming conventions
D. Hot sites
C. Standard naming conventions
Explanation:
Standard Naming Conventions:
Definition: Standard naming conventions involve creating a systematic way of naming devices that reflect certain attributes, such as location, function, or department. Purpose: By using a consistent naming scheme, administrators can quickly identify and categorize devices based on their names. This is particularly useful for determining the location of devices (e.g., including site codes or location identifiers in the device names). Policy Application: Policies can be pushed to devices that match a specific naming pattern, making it easy to target only those devices at a specific remote facility.
Why Other Options Are Less Suitable:
A. Baseline configurations:
Definition: Baseline configurations refer to a set of standard settings and configurations that all devices should adhere to. Limitation: While useful for maintaining consistency, baseline configurations do not inherently provide information about the physical location of devices.
B. Network diagrams:
Definition: Network diagrams visually represent the network infrastructure, showing how devices are interconnected. Limitation: Although helpful for understanding the network layout, network diagrams do not offer a quick and automated way to determine device locations or push policies.
D. Hot sites:
Definition: A hot site is a fully equipped, operational facility that a company can use in the event of a disaster. Limitation: This concept is related to disaster recovery and business continuity rather than daily device management and policy application.
Therefore, standard naming conventions are the best choice for easily determining the location of devices and enabling the targeted application of policies.
A company is utilizing an offshore team to help support the finance department. The company wants to keep the data secure by keeping it on a company device but does not want to provide equipment to the offshore team. Which of the following should the company implement to meet this requirement?
A. VDI
B. MDM
C. VPN
D. VPC
A. VDI (Virtual Desktop Infrastructure)
Here’s why VDI is the appropriate choice:
VDI: Virtual Desktop Infrastructure lets the offshore team work on virtual desktops hosted on company-owned servers or cloud infrastructure. The data and applications stay inside the company's environment; only screen output, keyboard and mouse traffic cross to the offshore workers' own machines, so nothing is stored locally on their devices. Security Benefits: Data remains within the controlled environment of the company's data center or cloud platform, and the virtual desktop can be locked down (clipboard, drive and printer redirection disabled) so it cannot be copied out. Users reach the desktops over secure connections, with a VPN or VDI gateway adding a further layer. Other Options: MDM (Mobile Device Management) (option B): MDM manages and enforces policy on devices the company controls; the offshore team is using its own equipment, so MDM would not keep the data on a company device. VPN (Virtual Private Network) (option C): VPN provides secure remote access to the company's network but does not stop data from being downloaded to and stored on the remote device. VPC (Virtual Private Cloud) (option D): VPC is an isolated virtual network within a cloud provider's infrastructure and does not by itself give the offshore team a company-controlled desktop to work from.
Therefore, A. VDI (Virtual Desktop Infrastructure) is the best solution for allowing the offshore team to securely access and work with company data on company-controlled devices without needing to provide physical equipment to the team.
Which of the following is best used to detect fraud by assigning employees to different roles?
A. Least privilege
B. Mandatory vacation
C. Separation of duties
D. Job rotation
D. Job rotation
Job rotation will DETECT fraud: when a different employee takes over a role, irregularities the previous holder concealed become visible to fresh eyes.
Separation of duties will PREVENT fraud: no single person can complete a sensitive transaction end to end. Mandatory vacation is also a detective control, but the question specifies assigning employees to different roles, which is job rotation.
A company implemented an MDM policy to mitigate risks after repeated instances of employees losing company-provided mobile phones. In several cases, the lost phones were used maliciously to perform social engineering attacks against other employees. Which of the following MDM features should be configured to best address this issue? (Choose two.)
A. Screen locks
B. Remote wipe
C. Full device encryption
D. Push notifications
E. Application management
F. Geolocation
(Community : AB 62%, BC 37%)
A. Screen locks
B. Remote wipe
Here’s why these features are appropriate:
Screen locks (option A): Configuring screen locks ensures that if a device is lost or left unattended, it automatically locks after a period of inactivity. This prevents unauthorized access to the device and the data it contains, reducing the risk of malicious use. Remote wipe (option B): Remote wipe allows administrators to remotely erase all data on a lost or stolen device. This feature is crucial in ensuring that sensitive company information does not fall into the wrong hands and cannot be used for malicious purposes. Other Options: Full device encryption (option C): While important for protecting data at rest, it does not directly prevent malicious use if the device is lost or stolen. Push notifications (option D): While useful for sending alerts or updates to devices, it does not directly mitigate the risk of malicious use. Application management (option E): Involves controlling which applications can be installed on devices, but it does not directly address the issue of lost devices being used for social engineering attacks. Geolocation (option F): Helps in locating lost or stolen devices, but it does not prevent malicious use once the device is lost.
Therefore, A. Screen locks and B. Remote wipe are the MDM features that should be configured to best mitigate the risk of lost company-provided mobile phones being used maliciously for social engineering attacks.
(Brain dump: B. Remote wipe, C. Full device encryption)
During a recent company safety stand-down, the cyber-awareness team gave a presentation on the importance of cyber hygiene. One topic the team covered was best practices for printing centers. Which of the following describes an attack method that relates to printing centers?
A. Whaling
B. Credential harvesting
C. Prepending
D. Dumpster diving
D. Dumpster diving
Here’s why:
Dumpster diving: This attack method involves searching through physical trash or recycling bins to find sensitive information that has been discarded improperly. In the context of printing centers, documents that are printed but not securely disposed of could end up in trash bins. Attackers can then retrieve these documents through dumpster diving to obtain sensitive information such as passwords, financial data, or confidential business information. Printing Centers: Printing centers often handle documents that may contain sensitive or confidential information. If these documents are not securely disposed of after use (shredded, or collected in locked bins), they pose a significant risk if retrieved by unauthorized individuals through dumpster diving. Other Options: Whaling (option A): Whaling refers to a specific type of phishing attack targeting high-profile individuals within an organization, typically executives. It does not directly relate to printing centers. Credential harvesting (option B): This involves gathering login credentials through various means such as phishing, keylogging, or social engineering. It does not specifically relate to printing centers. Prepending (option C): In social engineering, prepending means adding words or tags to the front of a message or subject line (for example, marking an email as safe or urgent, or adding RE: to make it look like a reply) to influence how the recipient reacts. It is a messaging trick, not a physical-security risk like dumpster diving.
Therefore, D. Dumpster diving is the attack method that relates to printing centers, highlighting the importance of securely disposing of printed documents to prevent unauthorized access to sensitive information.
The security operations center is researching an event concerning a suspicious IP address. A security analyst looks at the following event logs and discovers that a significant portion of the user accounts have experienced failed log-in attempts when authenticating from the same IP address:
184.168.131.241 - userA - failed authentication
184.168.131.241 - userA - failed authentication
184.168.131.241 - userB - failed authentication
184.168.131.241 - userB - failed authentication
184.168.131.241 - userC - failed authentication
184.168.131.241 - userC - failed authentication
Which of the following most likely describes the attack that took place?
A. Spraying
B. Brute-force
C. Dictionary
D. Rainbow table
A. Spraying
Here’s why:
Spraying: In a spraying attack, attackers attempt to gain unauthorized access to multiple accounts by trying a small number of commonly used passwords or weak credentials across many accounts. The goal is to avoid triggering account lockouts or detection mechanisms that typically respond to numerous failed attempts on a single account. Event Scenario: The logs show multiple failed authentication attempts across different user accounts (userA, userB, userC) from the same IP address. This pattern suggests that the attacker is trying a few credentials across various accounts to avoid detection, which aligns with the spraying attack method. Other Options: Brute-force (option B): Brute-force attacks involve systematically trying all possible combinations of passwords until the correct one is found. This would typically result in many failed attempts on the same account, not spread across multiple accounts as shown in the logs. Dictionary (option C): Dictionary attacks involve using a predefined list of common passwords or words. However, this attack method also typically focuses on a single account rather than multiple accounts simultaneously. Rainbow table (option D): Rainbow table attacks are based on precomputed tables used to crack hashed passwords quickly. This is not indicated by the log entries provided, which show failed authentication attempts without reference to password cracking or hash tables.
Therefore, A. Spraying is the attack method that most likely describes the event where multiple user accounts experienced failed log-in attempts from the same IP address.
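The distinguishing signal in the log is the shape of the failures per source IP: many distinct users with only a couple of failures each (spraying, deliberately staying under the lockout threshold) versus one user hammered dozens of times (brute force). The following is an added example, not part of the flashcard set, that parses lines in the same `IP - user - outcome` format shown above and labels each source IP. The log lines are constructed sample data (the three addresses beyond the one in the question are documentation addresses), and the thresholds `min_users`, `max_per_user` and `lockout_threshold` are assumed tuning values a SOC would set to match its own lockout policy.

```python
from collections import defaultdict

# Constructed sample log in the flashcard's format. The first six lines mirror the
# question; the rest add a brute-force source and a benign one for contrast.
SAMPLE_LOG = """\
184.168.131.241 - userA - failed authentication
184.168.131.241 - userA - failed authentication
184.168.131.241 - userB - failed authentication
184.168.131.241 - userB - failed authentication
184.168.131.241 - userC - failed authentication
184.168.131.241 - userC - failed authentication
203.0.113.7 - userZ - failed authentication
203.0.113.7 - userZ - failed authentication
203.0.113.7 - userZ - failed authentication
203.0.113.7 - userZ - failed authentication
203.0.113.7 - userZ - failed authentication
203.0.113.7 - userZ - failed authentication
203.0.113.7 - userZ - failed authentication
203.0.113.7 - userZ - failed authentication
203.0.113.7 - userZ - failed authentication
203.0.113.7 - userZ - failed authentication
198.51.100.9 - userQ - failed authentication
198.51.100.9 - userQ - successful authentication
"""


def parse(log_text):
    """Yield (ip, user, outcome) for lines of the form 'IP - user - outcome'.
    Malformed lines are skipped rather than crashing the detector."""
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split(" - ", 2)]
        if len(parts) != 3:
            continue
        ip, user, outcome = parts
        yield ip, user, outcome


def profile_failures(log_text):
    """Per source IP, count failed authentications per distinct user."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for ip, user, outcome in parse(log_text):
        if outcome == "failed authentication":
            per_ip[ip][user] += 1
    return {ip: dict(users) for ip, users in per_ip.items()}


def classify(log_text, min_users=3, max_per_user=3, lockout_threshold=5):
    """Label each source IP (thresholds are assumed values for this example):
    - spraying:    >= min_users distinct accounts, each failing <= max_per_user times
                   (the attacker stays under the lockout threshold on every account)
    - brute-force: some single account failed >= lockout_threshold times
    - normal:      anything else, e.g. one user mistyping a password
    """
    verdicts = {}
    for ip, users in profile_failures(log_text).items():
        distinct = len(users)
        worst = max(users.values())
        if distinct >= min_users and worst <= max_per_user:
            verdicts[ip] = "spraying"
        elif worst >= lockout_threshold:
            verdicts[ip] = "brute-force"
        else:
            verdicts[ip] = "normal"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify(SAMPLE_LOG).items():
        print(f"{ip:16} {verdict}")
```

The point of keying on distinct users per source is that a per-account lockout rule never fires on spraying; the detection has to aggregate by source IP (or by source ASN, since real sprays rotate IPs) and alert on breadth rather than depth.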
Which of the following is an algorithm performed to verify that data has not been modified?
A. Hash
B. Code check
C. Encryption
D. Checksum
A. Hash
Hashing is the process of taking an input (or 'message') and returning a fixed-size string of bytes. This output, known as the hash value or digest, is determined entirely by the input and the hashing algorithm used. For a cryptographic hash function, any change to the input produces a different digest, and it is computationally infeasible to find two inputs with the same digest, so comparing a freshly computed hash against a known-good one detects modification. Hash functions are designed to be fast to compute and to irreversibly transform data into a fixed-size output.
Here’s why the other options are not correct:
Code check (option B): This generally refers to verifying the integrity or correctness of software code rather than data integrity. Encryption (option C): Encryption is a process of transforming data to make it unreadable without specific knowledge or keys. While encryption can ensure confidentiality, it does not inherently verify data integrity. Checksum (option D): Checksums are a form of error-detecting code used to detect accidental changes to raw data, such as file transfers. While similar to hashing in some aspects, checksums are generally simpler and less secure for ensuring data integrity compared to cryptographic hash functions.
Therefore, A. Hash is the algorithm performed to verify that data has not been modified, ensuring data integrity by producing a unique hash value based on the content of the data itself.
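The practical difference between a checksum and a cryptographic hash is what kind of change each catches. The following is an added example, not part of the flashcard set: it compares a toy 16-bit additive checksum (a stand-in for the simple error-detecting codes used on file transfers) with SHA-256 on a constructed transaction record. Swapping the two account numbers keeps the byte sum identical, so the checksum still matches while the hash does not; a single flipped bit, the kind of accidental damage checksums were designed for, is caught by both. The record text and the `swap_tokens` helper are inventions for the example.

```python
import hashlib

# Constructed sample record; not real financial data.
ORIGINAL = b"PAY 100 TO ACCOUNT 42 FROM ACCOUNT 17\n"


def additive_checksum(data: bytes) -> int:
    """Toy checksum: sum of all byte values modulo 2**16. Order-insensitive,
    so any permutation of the bytes produces the same value."""
    return sum(data) % (1 << 16)


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash of the data as a hex digest."""
    return hashlib.sha256(data).hexdigest()


def swap_tokens(data: bytes, a: bytes, b: bytes) -> bytes:
    """Deliberate tampering: swap the first occurrences of two equal-length
    tokens. The multiset of bytes is unchanged, so the byte sum is unchanged."""
    if len(a) != len(b):
        raise ValueError("tokens must have equal length")
    ia, ib = data.index(a), data.index(b)
    if abs(ia - ib) < len(a):
        raise ValueError("tokens overlap")
    buf = bytearray(data)
    buf[ia:ia + len(a)] = b
    buf[ib:ib + len(b)] = a
    return bytes(buf)


def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    """Accidental corruption: flip one bit of one byte."""
    buf = bytearray(data)
    buf[index] ^= 1 << bit
    return bytes(buf)


def integrity_check(original: bytes, received: bytes) -> dict:
    """What each verifier would conclude about the received copy."""
    return {
        "checksum_matches": additive_checksum(original) == additive_checksum(received),
        "hash_matches": sha256_hex(original) == sha256_hex(received),
    }


def demo() -> dict:
    """Run both tamper cases and return the verdicts."""
    forged = swap_tokens(ORIGINAL, b"42", b"17")      # attacker redirects the payment
    damaged = flip_bit(ORIGINAL, index=4, bit=0)       # '1' in "100" becomes '0'
    return {
        "forged": forged,
        "forged_check": integrity_check(ORIGINAL, forged),
        "damaged_check": integrity_check(ORIGINAL, damaged),
    }


if __name__ == "__main__":
    result = demo()
    print(result["forged"].decode().strip())   # PAY 100 TO ACCOUNT 17 FROM ACCOUNT 42
    print("forged :", result["forged_check"])  # checksum True, hash False
    print("damaged:", result["damaged_check"]) # both False
```

A hash alone still only detects modification by someone who cannot also replace the stored digest; where the attacker could do both, the digest needs to be protected by an HMAC key or a digital signature.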
(Brain dump : D. Checksum)
A network administrator deployed a DNS logging tool that logs suspicious websites that are visited and then sends a daily report based on various weighted metrics. Which of the following best describes the type of control the administrator put in place?
A. Preventive
B. Deterrent
C. Corrective
D. Detective
D. Detective
Here’s why:
Detective controls: These are controls that are designed to identify and record potentially harmful activities or security violations. They provide information about what has happened, enabling the organization to respond appropriately. The DNS logging tool that logs suspicious websites and sends reports helps to detect and record any potentially malicious or suspicious activity, making it a detective control. Other Options: Preventive (option A): Preventive controls are intended to stop or prevent security incidents from occurring in the first place. Examples include firewalls, antivirus software, and access controls. The DNS logging tool does not prevent access to suspicious websites but rather logs and reports it. Deterrent (option B): Deterrent controls are intended to discourage individuals from engaging in potentially harmful activities. Examples include warning banners and surveillance cameras. While the logging tool might have a minor deterrent effect, its primary function is to detect and report. Corrective (option C): Corrective controls are designed to correct or mitigate the effects of an incident after it has occurred. Examples include backup systems and incident response plans. The DNS logging tool does not correct issues but detects and logs them.
Therefore, D. Detective best describes the type of control the administrator put in place with the DNS logging tool.
A business uses Wi-Fi with content filtering enabled. An employee noticed a coworker accessed a blocked site from a work computer and reported the issue. While investigating the issue, a security administrator found another device providing internet access to certain employees. Which of the following best describes the security risk?
A. The host-based security agent is not running on all computers.
B. A rogue access point is allowing users to bypass controls.
C. Employees who have certain credentials are using a hidden SSID.
D. A valid access point is being jammed to limit availability.
B. A rogue access point is allowing users to bypass controls.
Here’s why:
Rogue Access Point: A rogue access point is an unauthorized wireless access point that has been installed on a network without the knowledge or permission of the network administrator. Rogue access points can provide unrestricted access to the internet, bypassing the company's security measures, such as content filtering and monitoring. This can lead to significant security risks as employees can access blocked or malicious sites, potentially exposing the network to security threats. Other Options: Host-based security agent is not running on all computers (option A): While this could be a security concern, it does not directly explain the ability to access blocked sites via another device providing internet access. Employees using a hidden SSID (option C): This implies using a different, possibly authorized network with hidden SSID, which is not the main issue described. The main problem is the unauthorized internet access via another device. Valid access point being jammed (option D): This suggests interference with legitimate access points to deny service, which does not align with the scenario where employees are accessing the internet through another device.
Therefore, B. A rogue access point is allowing users to bypass controls best describes the security risk in the given situation.
While considering the organization’s cloud-adoption strategy, the Chief Information Security Officer sets a goal to outsource patching of firmware, operating systems, and applications to the chosen cloud vendor. Which of the following best meets this goal?
A. Community cloud
B. PaaS
C. Containerization
D. Private cloud
E. SaaS
F. IaaS
E. SaaS (Software as a Service)
Here’s why:
SaaS (Software as a Service): SaaS is a cloud service model where the cloud provider is responsible for managing the entire infrastructure, including the hardware, operating system, and the software applications. This means that patching of firmware, operating systems, and applications is handled by the SaaS provider. Users access the software over the internet, and the provider takes care of maintenance, including updates and security patches. Other Options: Community cloud (option A): This refers to a cloud infrastructure shared by several organizations with common concerns (e.g., security, compliance). While it provides shared resources, it does not inherently outsource patching responsibilities. PaaS (Platform as a Service) (option B): PaaS provides a platform allowing customers to develop, run, and manage applications without dealing with the underlying infrastructure. The provider manages the underlying infrastructure and operating systems, but the customer may still need to handle application-level patching. Containerization (option C): This is a technology used to package and run applications and their dependencies in isolated environments. While it helps in application deployment, it does not itself handle patching responsibilities. Private cloud (option D): A private cloud is a cloud infrastructure operated solely for a single organization. The organization typically retains control over and responsibility for its infrastructure, including patching. IaaS (Infrastructure as a Service) (option F): IaaS provides virtualized computing resources over the internet. While the provider manages the hardware and virtualization, the customer is responsible for patching the operating systems and applications.
Therefore, E. SaaS best meets the goal of outsourcing the patching of firmware, operating systems, and applications to the chosen cloud vendor.
A spoofed identity was detected for a digital certificate. Which of the following are the type of unidentified key and the certificate that could be in use on the company domain?
A. Private key and root certificate
B. Public key and expired certificate
C. Private key and self-signed certificate
D. Public key and wildcard certificate
C. Private key and self-signed certificate
Here’s why:
Self-signed Certificate: A self-signed certificate is signed with its own private key rather than by a trusted Certificate Authority (CA), so its issuer and subject are the same entity and no third party has verified the identity it claims. Anyone who generates a key pair can mint a self-signed certificate naming the company's domain, which is why a spoofed identity points to this combination. Private Key: The private key is the signing and authentication secret behind the certificate. In a spoofing scenario it is an unidentified key the company does not control (or the company's own key, if it was compromised), which is why the question describes the key as unidentified. Other Options: Private key and root certificate (option A): A root certificate is a CA's trust anchor, distributed out of band and tightly controlled, so it is an unlikely vehicle for spoofing a company domain. Public key and expired certificate (option B): An expired certificate fails validation on its own, but expiry does not relate to identity spoofing, and a public key is not a secret. Public key and wildcard certificate (option D): A wildcard certificate secures multiple subdomains with a single certificate. It involves a public key, but the issue described aligns with self-signed certificates, where trust is not established by a third party.
Therefore, the combination of C. Private key and self-signed certificate best describes the scenario where a spoofed identity was detected for a digital certificate on the company domain.
A software developer would like to ensure the source code cannot be reverse engineered or debugged. Which of the following should the developer consider?
A. Version control
B. Obfuscation toolkit
C. Code reuse
D. Continuous integration
E. Stored procedures
B. Obfuscation toolkit
Here’s why:
Obfuscation toolkit: Code obfuscation is the process of modifying the source code to make it more difficult to understand and reverse engineer while preserving its functionality. An obfuscation toolkit will transform the code into a form that is hard for humans to interpret and for tools to analyze, thereby protecting it from reverse engineering and debugging. Other Options: Version control (option A): Version control systems (like Git) are used to manage changes to source code over time. While important for software development, they do not prevent reverse engineering or debugging. Code reuse (option C): Code reuse involves using existing code for new functions or software. While it can improve efficiency, it does not inherently protect against reverse engineering. Continuous integration (option D): Continuous integration is a development practice where code changes are automatically tested and integrated into a shared repository. It improves software quality and collaboration but does not protect against reverse engineering. Stored procedures (option E): Stored procedures are precompiled collections of SQL statements and optional control-of-flow statements stored under a name and processed as a unit. They are used in databases and can enhance security within the database context but do not directly address the protection of source code from reverse engineering.
Therefore, B. Obfuscation toolkit is the appropriate choice for a developer looking to ensure that the source code cannot be easily reverse engineered or debugged.
Which of the following is the most effective way to protect an application server running software that is no longer supported from network threats?
A. Air gap
B. Barricade
C. Port security
D. Screened subnet
Community : D 71%, A 29%
D. Screened subnet
One of the most effective ways to protect an application server is to use a screened subnet. A screened subnet is a network segment that is isolated from both the internet and the internal network by two firewalls. The application server is placed in the screened subnet, also known as the demilitarized zone (DMZ), and only the necessary ports are opened for communication. This way, the application server is shielded from external attacks and internal breaches, and the impact of a compromise is minimized.
ChatGPT & Brain dump:
A. Air gap
Here’s why:
Air gap: An air gap involves physically isolating the server from any network connections, effectively cutting it off from all external threats. This is the most secure method to protect an unsupported server from network-based attacks since there is no network path for an attacker to exploit. Other Options: Barricade (option B): This is not a standard network security term. It might imply a physical barrier or some form of defense, but it is not a specific, effective network security measure. Port security (option C): Port security is a feature on network switches that can control access to specific ports. While useful for securing network segments, it does not provide comprehensive protection for an unsupported application server. Screened subnet (option D): A screened subnet (or DMZ) is a network segment that is isolated from an internal network by a firewall. While it can limit exposure, it still allows some network access, which can be a risk for unsupported software.
Therefore, A. Air gap is the most effective way to protect an application server with unsupported software from network threats by completely isolating it from potential network-based attacks.
A growing company would like to enhance the ability of its security operations center to detect threats but reduce the amount of manual work required for the security analysts. Which of the following would best enable the reduction in manual work?
A. SOAR
B. SIEM
C. MDM
D. DLP
A. SOAR (Security Orchestration, Automation, and Response)
Here’s why:
SOAR (Security Orchestration, Automation, and Response): SOAR platforms are designed to improve the efficiency and effectiveness of security operations by automating repetitive tasks, orchestrating workflows, and integrating various security tools and data sources. This reduces the manual workload for security analysts and allows them to focus on more complex and strategic tasks. SOAR can automate incident response, threat detection, and other security operations processes, significantly enhancing the SOC's capabilities. Other Options: SIEM (Security Information and Event Management) (option B): SIEM systems collect and analyze security event data from various sources to detect threats and generate alerts. While SIEM is crucial for threat detection and response, it does not inherently automate responses and can still require significant manual intervention. MDM (Mobile Device Management) (option C): MDM solutions are used to manage and secure mobile devices within an organization. While important for mobile security, MDM does not directly reduce manual work for threat detection and response in the SOC. DLP (Data Loss Prevention) (option D): DLP solutions help prevent data breaches by monitoring and controlling data transfers and access. DLP is focused on data security rather than overall threat detection and response automation.
Therefore, A. SOAR is the best option to enable the reduction in manual work for security analysts while enhancing the SOC’s ability to detect and respond to threats.
Which of the following can a security director use to prioritize vulnerability patching within a company’s IT environment?
A. SOAR
B. CVSS
C. SIEM
D. CVE
B. CVSS (Common Vulnerability Scoring System)
Here’s why:
CVSS (Common Vulnerability Scoring System): CVSS provides a standardized way to assess and score the severity of vulnerabilities. It helps security professionals prioritize vulnerability patching by assigning a numerical score to each vulnerability, reflecting its potential impact and exploitability. This scoring system allows organizations to focus on the most critical vulnerabilities first. Other Options: SOAR (Security Orchestration, Automation, and Response) (option A): SOAR tools can automate and orchestrate responses to security incidents, but they do not specifically provide a system for scoring and prioritizing vulnerabilities. SIEM (Security Information and Event Management) (option C): SIEM systems collect and analyze security event data, providing real-time monitoring and alerts for potential threats. While valuable for threat detection and response, SIEM does not specifically provide a method for prioritizing vulnerability patching. CVE (Common Vulnerabilities and Exposures) (option D): CVE is a list of publicly disclosed information security vulnerabilities and exposures. While it is useful for identifying and referencing vulnerabilities, CVE itself does not provide a scoring or prioritization system.
Therefore, B. CVSS is the appropriate tool for a security director to use in prioritizing vulnerability patching within a company’s IT environment.
The Chief Information Security Officer wants to put security measures in place to protect PII. The organization needs to use its existing labeling and classification system to accomplish this goal. Which of the following would most likely be configured to meet the requirements?
A. Tokenization
B. S/MIME
C. DLP
D. MFA
C. DLP (Data Loss Prevention)
Here’s why:
DLP (Data Loss Prevention): DLP solutions are designed to detect and prevent data breaches by monitoring and controlling data transfers and ensuring that sensitive information is not shared or accessed inappropriately. DLP can be configured to work with an existing labeling and classification system to enforce policies that protect PII by identifying, monitoring, and controlling the movement of sensitive data across the organization. Other Options: Tokenization (option A): Tokenization replaces sensitive data with non-sensitive tokens. While it protects data, it does not directly integrate with labeling and classification systems to enforce security policies. S/MIME (option B): Secure/Multipurpose Internet Mail Extensions (S/MIME) is used to secure email communications through encryption and digital signatures. It does not address the broader requirement of protecting PII across the organization. MFA (Multi-Factor Authentication) (option D): MFA enhances access security by requiring multiple forms of verification. While important for protecting access to systems and data, it does not specifically address data protection and classification.
Therefore, C. DLP is the best option to configure in order to meet the requirements of protecting PII using the existing labeling and classification system.
A company wants to get alerts when others are researching and doing reconnaissance on the company. One approach would be to host a part of the infrastructure online with known vulnerabilities that would appear to be company assets. Which of the following describes this approach?
A. Watering hole
B. Bug bounty
C. DNS sinkhole
D. Honeypot
D. Honeypot
Here’s why:
Honeypot: A honeypot is a security mechanism set up to detect, deflect, or study attempts at unauthorized access to information systems. By deliberately hosting vulnerable systems that appear to be legitimate company assets, a honeypot can attract attackers and provide alerts when reconnaissance or other malicious activities are detected. This helps the company understand and respond to potential threats. Other Options: Watering hole (option A): A watering hole attack involves compromising a legitimate website that is frequented by the target group, infecting it with malware to compromise users when they visit the site. It is an offensive technique rather than a defensive one. Bug bounty (option B): A bug bounty program is an initiative where organizations offer rewards to individuals for discovering and reporting vulnerabilities in their systems. This approach involves inviting external security researchers to find vulnerabilities, not setting up vulnerable systems for detection purposes. DNS sinkhole (option C): A DNS sinkhole is used to redirect malicious traffic to a controlled IP address to prevent users from reaching harmful websites. It is more about preventing access to malicious domains than detecting reconnaissance activities.
Therefore, D. Honeypot is the correct term for the described approach.