ALL Flashcards

1
Q

What are the properties of a secure information processing system?

A

Confidentiality, Integrity, and Availability (and Non-repudiation).

2
Q

What term is used to describe the property of a secure network where a sender cannot deny having
sent a message?

A

Non-repudiation.

3
Q

A multinational company manages a large amount of valuable intellectual property (IP) data, plus
personal data for its customers and account holders. What type of business unit can be used to
manage such important and complex security requirements?

A

A security operations center (SOC).

4
Q

A business is expanding rapidly and the owner is worried about tensions between its established IT
and programming divisions. What type of security business unit or function could help to resolve
these issues?

A

Development and operations (DevOps) is a cultural shift within an organization to encourage much more
collaboration between developers and system administrators. DevSecOps embeds the security function within these teams as well.

5
Q

You have implemented a secure web gateway that blocks access to a social networking site. How
would you categorize this type of security control?

A

It is a technical type of control (implemented in software) and acts as a preventive measure.

6
Q

A company has installed motion-activated floodlighting on the grounds around its premises. What
class and function is this security control?

A

It would be classed as a physical control and its function is both detecting and deterring.

7
Q

A firewall appliance intercepts a packet that violates policy. It automatically updates its Access
Control List to block all further packets from the source IP. What TWO functions is the security
control performing?

A

Preventive and corrective.

8
Q

If a security control is described as operational and compensating, what can you determine about
its nature and function?

A

That the control is enforced by a person rather than a technical system (operational), and that it has been
put in place as a substitute for a primary control that cannot be implemented, while still satisfying the
requirement of a security standard (compensating).

9
Q

If a company wants to ensure it is following best practice in choosing security controls, what type of
resource would provide guidance?

A

A cybersecurity framework and/or benchmark and secure configuration guides.

10
Q

Which of the following would be assessed by likelihood and impact: vulnerability, threat, or risk?

A

Risk. To assess likelihood and impact, you must identify both the vulnerability and the threat posed by a potential exploit.

11
Q

True or false? Nation state actors primarily only pose a risk to other states.

A

False—nation state actors have targeted commercial interests for theft, espionage, and extortion.

12
Q

You receive an email with a screenshot showing a command prompt at one of your application
servers. The email suggests you engage the hacker for a day’s consultancy to patch the vulnerability.
How should you categorize this threat?

A

This is either gray hat (semi-authorized) hacking or black hat (non-authorized) hacking. If the request for
compensation via consultancy is an extortion threat (if refused, the hacker sells the exploit on the dark web),
then the motivation is purely financial gain and can be categorized as black hat. If the consultancy is refused and the hacker takes no further action, it can be classed as gray hat.

13
Q

Which type of threat actor is primarily motivated by the desire for social change?

A

Hacktivist.

14
Q

Which three types of threat actor are most likely to have high levels of funding?

A

State actors, criminal syndicates, and competitors.

15
Q

You are assisting with writing an attack surface assessment report for a small company. Following
the CompTIA syllabus, which two potential attack vectors have been omitted from the following
headings in the report? Direct access, Email, Remote and wireless, Web and social media, Cloud.

A

Removable media and supply chain.

16
Q

You are consulting on threat intelligence solutions for a supplier of electronic voting machines.
What type of threat intelligence source would produce the most relevant information at the lowest
cost?

A

For critical infrastructure providers, threat data sharing via an Information Sharing and Analysis Center (ISAC) is
likely to be the best option.

17
Q

Your CEO wants to know if the company’s threat intelligence platform makes effective use of OSINT.
What is OSINT?

A

Open-source intelligence (OSINT) is cybersecurity-relevant information harvested from public websites and data records. In terms of threat intelligence specifically, it refers to research and data feeds that are made publicly available.

18
Q

You are assessing whether to join AIS. What is AIS and what protocol should your SIEM support in
order to connect to AIS servers?

A

Automated Indicator Sharing (AIS) is a service offered by the Department of Homeland Security (DHS) for
participating in threat intelligence sharing. AIS uses the Trusted Automated eXchange of Indicator Information
(TAXII) protocol as a means of transmitting CTI data between servers and clients.

19
Q

You suspect that a rogue host is acting as the default gateway for a subnet in a spoofing attack.
What command-line tool(s) can you use from a Windows client PC in the same subnet to check the
interface properties of the default gateway?

A

Use ipconfig /all to find the IP addresses of the default gateway and the DHCP server. Use arp -a to list the MAC addresses the client has cached for those IP addresses and compare them with the documented hardware addresses of the real gateway and DHCP server; a gateway entry whose MAC belongs to another host on the subnet, or that changes between checks, indicates ARP spoofing. You could also use route print to verify the properties of the default route.
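
The comparison described above can be scripted. The following is an added example, not part of the original flashcards: it parses constructed arp -a output from a Windows client and flags two classic spoofing indicators, a gateway whose MAC differs from the documented one and a single MAC answering for several IP addresses. The gateway and DHCP server addresses, the documented gateway MAC and the table contents are all assumptions invented for the example.

```python
import re
from collections import defaultdict

# Constructed sample of `arp -a` output from a Windows client; not real data.
# Assumptions for the example: ipconfig /all reported 192.168.1.1 as the
# default gateway and 192.168.1.2 as the DHCP server, and the network
# documentation gives the real gateway's MAC as 00-11-22-33-44-55.
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.2           00-11-22-33-44-66     dynamic
  192.168.1.77          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

DOCUMENTED_GATEWAY_IP = "192.168.1.1"
DOCUMENTED_GATEWAY_MAC = "00-11-22-33-44-55"

# One ARP entry: IPv4 address, Windows-style dashed MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def parse_arp(text: str) -> dict:
    """Return {ip: mac} for unicast entries; broadcast/multicast MACs are skipped."""
    table = {}
    for line in text.splitlines():
        match = ARP_LINE.match(line)
        if not match:
            continue
        ip, mac, _entry_type = match.groups()
        mac = mac.lower()
        if int(mac[:2], 16) & 1:      # group bit set: multicast or broadcast, not a host
            continue
        table[ip] = mac
    return table


def spoofing_indicators(table: dict, gateway_ip: str, documented_mac: str) -> list:
    """Flag a gateway MAC that disagrees with documentation, and any MAC that
    answers for more than one IP (a rogue host posing as the gateway usually
    keeps its own address as well)."""
    findings = []
    seen = table.get(gateway_ip)
    if seen is None:
        findings.append(f"no ARP entry for gateway {gateway_ip}")
    elif seen != documented_mac.lower():
        findings.append(
            f"gateway {gateway_ip} resolves to {seen}, documentation says {documented_mac.lower()}"
        )
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims several IPs: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    arp_table = parse_arp(SAMPLE_ARP_OUTPUT)
    for finding in spoofing_indicators(arp_table, DOCUMENTED_GATEWAY_IP, DOCUMENTED_GATEWAY_MAC):
        print("SUSPICIOUS:", finding)
```

Run against the sample, the script reports that the gateway resolves to a MAC that the documentation does not recognise and that the same MAC also answers for 192.168.1.77, which is the rogue host's own address. A clean table produces no findings.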

20
Q

You suspect the rogue host is modifying traffic before forwarding it, with the side effect of
increasing network latency. Which tool could you use to measure latency on traffic routed from this
subnet?

A

From a Windows host, the pathping tool can be used to measure latency along a route.

21
Q

What type of tool could you use to fingerprint the host acting as the default gateway?

A

This requires a tool that performs fingerprinting by examining responses to network probes and comparing them to known responses from common platforms. Nmap is very widely used for this task: -O fingerprints the operating system from TCP/IP stack behavior and -sV performs service and version detection on open ports. You could also craft probes manually with hping or Netcat.

22
Q

You are investigating a Linux server that is the source of suspicious network traffic. At a terminal on
the server, which tool could you use to check which process is using a given TCP port?

A

You can use the netstat command (netstat -tulpn; run it as root to see the owning process for sockets that belong to other users). On current distributions the ss command from iproute2 does the same job (ss -tlnp), and lsof -i :port shows the process that has a given port open.

23
Q

What is a zone transfer and which reconnaissance tools can be used to test whether a server will
allow one?

A

A zone transfer is where a DNS server allows a client to request all the name records for a domain.
nslookup (Windows; point it at the name server with the interactive server command, then issue ls -d domain) and dig (principally Linux; dig axfr domain @nameserver) can be used to test whether this query is allowed. You
could also mention the dnsenum tool, which checks for zone transfers along with other enumeration tests on DNS infrastructure. A server that allows transfers to arbitrary clients hands an attacker a complete map of the hosts in the domain.

24
Q

What type of organizational security assessment is performed using Nessus?

A

Nessus is an automated network vulnerability scanner that checks for software vulnerabilities and missing
patches.

25
Q

You are developing new detection rules for a network security scanner. Which tool will be of use in
testing whether the rules match a malicious traffic sample successfully?

A

The tcpreplay tool can be used to stream captured traffic from a file to a monitored network interface.

26
Q

What security posture assessment could a pen tester make using Netcat?

A

Whether it is possible to open a network connection to a remote host over a given port.

27
Q

You are recommending that a business owner invest in patch management controls for PCs and
laptops. What is the main risk from weak patch management procedures on such devices?

A

Vulnerabilities in the OS and applications software such as web browsers and document readers or in PC and adapter firmware can allow threat actors to run malware and gain a foothold on the network.

28
Q

You are advising a business owner on security for a PC running Windows XP. The PC runs process
management software that the owner cannot run on Windows 10. What are the risks arising from
this, and how can they be mitigated?

A

Windows XP is a legacy platform that is no longer receiving security updates. This means that patch management cannot be used to reduce risks from software vulnerabilities. The workstation should be isolated from other systems (its own network segment with no Internet access and strictly filtered traffic to and from the rest of the network) to reduce the risk of compromise and to limit the damage if it is compromised.

29
Q

As a security solutions provider, you are compiling a checklist for your customers to assess
potential weak configuration vulnerabilities, based on the CompTIA Security+ syllabus. From
the headings you have added so far, which is missing and what vulnerability does it relate to?
Default settings, Unsecured root accounts, Open ports and services, Unsecure protocols, Weak
encryption, Errors.

A

Open permissions refers to misconfigured access rights for data folders, network file shares, and cloud storage.

30
Q

You are advising a customer on backup and disaster recovery solutions. The customer is confused
between data breaches and data loss and whether the backup solution will protect against both.
What explanation can you give?

A

Backup solutions mitigate risks from data loss, where files or information is deleted, corrupted, or otherwise
destroyed. Backup does not mitigate risks from data breach, where confidential or private data is stolen
(exfiltrated) and made public or sold for criminal profit. Mitigating risks of data breach requires effective secure processing, authorization, and authentication security controls.

31
Q

A system integrator is offering a turnkey solution for customer contact data storage and
engagement analytics using several cloud services. Does this solution present any supply chain risks
beyond those of the system integrator’s consulting company?

A

Yes, the system integrator is proposing the use of multiple vendors (the cloud service providers), with potentially complex issues for collecting, storing, and sharing customer personal data across these vendors. Each company in the supply chain should be assessed for risk and compliance with cybersecurity and privacy standards.

32
Q

You have received an urgent threat advisory and need to configure a network vulnerability scan
to check for the presence of a related CVE on your network. What configuration check should you
make in the vulnerability scanning software before running the scan?

A

Verify that the vulnerability feed/plug-in/test has been updated with the specific CVE that you need to test for.

33
Q

You have configured a network vulnerability scanner for an engineering company. When running
a scan, multiple sensors within an embedded systems network became unresponsive, causing a
production shutdown. What alternative method of vulnerability scanning should be used for the
embedded systems network?

A

A fully non-intrusive solution should be adopted, such as sniffing traffic using a network tap or mirror port. Using the network traffic to detect vulnerabilities rather than actively probing each device will not cause system stability issues (though there is greater risk of false positive and false negative results).

34
Q

A vulnerability scan reports that a CVE associated with CentOS Linux is present on a host, but you
have established that the host is not running CentOS. What type of scanning error event is this?

A

False positive.

35
Q

A small company that you provide security consulting support to has resisted investing in an event
management and threat intelligence platform. The CEO has become concerned about an APT risk
known to target supply chains within the company’s industry sector and wants you to scan their
systems for any sign that they have been targeted already. What are the additional challenges of
meeting this request, given the lack of investment?

A

Collecting network traffic and log data from multiple sources and then analyzing it manually will require many
hours of analyst time. The use of threat feeds and intelligence fusion to automate parts of this analysis effort would enable a much swifter response.

36
Q

What term relates to assessment techniques that avoid alerting threat actors?

A

This can be referred to as maneuver.

37
Q

A website owner wants to evaluate whether the site security mitigates risks from criminal
syndicates, assuming no risk of insider threat. What type of penetration testing engagement will
most closely simulate this adversary capability and resources?

A

A threat actor has no privileged information about the website configuration or security controls. This is
simulated in a black box (or blind) pen test engagement.

38
Q

You are agreeing a proposal to run a series of team-based exercises to test security controls under
different scenarios. You propose using purple team testing, but the contracting company is only familiar
with the concept of red and blue teams. What is the advantage of running a purple team exercise?

A

In a red versus blue team, there is no contact between the teams, and no opportunity to collaborate on
improving security controls. In a purple team exercise, there is regular contact and knowledge sharing between
the teams throughout the progression of the exercise.

39
Q

Why should an Internet service provider (ISP) be informed before pen testing on a hosted website
takes place?

A

ISPs monitor their networks for suspicious traffic and may block the test attempts. The pen test may also involve equipment owned and operated by the ISP.

40
Q

What tools are used for OSINT?

A

Open-source intelligence is a reconnaissance activity to gather information about the target from any public
source. The basic tool is web searches/queries plus sites that scan/scrape/monitor vulnerabilities in Internetfacing services and devices. There are also specialist OSINT tools, such as theHarvester, that aggregate data from queries for different resources.

41
Q

In the context of penetration testing, what is persistence?

A

Persistence refers to the tester's ability to retain access to a compromised host after the initial exploit has been closed or the host rebooted, typically by installing a backdoor or remote access tool (RAT) that the tester can reconnect to.

42
Q

The help desk takes a call and the caller states that she cannot connect to the e-commerce website
to check her order status. She would also like a user name and password. The user gives a valid
customer company name but is not listed as a contact in the customer database. The user does not
know the correct company code or customer ID. Is this likely to be a social engineering attempt, or
is it a false alarm?

A

This is likely to be a social engineering attempt. The help desk should not give out any information or add an
account without confirming the caller’s identity.

43
Q

A purchasing manager is browsing a list of products on a vendor’s website when a window opens
claiming that anti-malware software has detected several thousand files on his computer that are
infected with viruses. Instructions in the official-looking window indicate the user should click a link
to install software that will remove these infections. What type of social engineering attempt is this,
or is it a false alarm?

A

This is a social engineering attempt utilizing a watering hole attack and/or malvertising.

44
Q

Your CEO calls to request market research data immediately be forwarded to her personal email
address. You recognize her voice, but a proper request form has not been filled out and use of third-party email is prohibited. She states that normally she would fill out the form and should not be
an exception, but she urgently needs the data to prepare for a round table at a conference she is
attending. What type of social engineering techniques could this use, or is it a false alarm?

A

If social engineering, this is spear phishing (the attack uses specific detail) over a voice channel (vishing). It is
possible that it uses deep fake technology for voice mimicry. The use of a sophisticated attack for a relatively low-value data asset seems unlikely, however. A fairly safe approach would be to call the CEO back on a known mobile number.

45
Q

Your company manages marketing data and private information for many high-profile clients. You are
hosting an open day for prospective employees. With the possibility of social engineering attacks in
mind, what precautions should employees take when the guests are being shown around the office?

A

Employees should specifically be wary of shoulder surfing attempts to observe passwords and the like.

46
Q

You are troubleshooting a user’s workstation. At the computer, an app window displays on the
screen claiming that all of your files are encrypted. The app window demands that you make an
anonymous payment if you ever want to recover your data. What type of malware has infected the
computer?

A

This is some type of ransomware, but further investigation is needed to establish whether it is true crypto-malware (files actually encrypted) or a lock-screen/scareware variant that only claims they are.

47
Q

You are recommending different anti-virus products to the CEO of small travel services firm. The
CEO is confused, because they had heard that Trojans represent the biggest threat to computer
security these days. What explanation can you give?

A

While antivirus (A-V) remains a popular marketing description, all current security products worthy of
consideration will try to provide protection against a full range of malware and potentially unwanted program (PUP) threats.

48
Q

You are writing a security awareness blog for company CEOs subscribed to your threat platform.
Why are backdoors and Trojans different ways of classifying and identifying malware risks?

A

A Trojan means a malicious program masquerading as something else; a backdoor is a covert means of accessing a host or network. A Trojan need not necessarily operate a backdoor and a backdoor can be established by exploits other than using Trojans. The term remote access Trojan (RAT) is used for the specific combination of Trojan and backdoor.

49
Q

You are investigating a business email compromise (BEC) incident. The email account of a developer
has been accessed remotely over webmail. Investigating the developer’s workstation finds no
indication of a malicious process, but you do locate an unknown USB extension device attached
to one of the rear ports. Is this the most likely attack vector, and what type of malware would it
implement?

A

It is likely that the USB device implements a hardware-based keylogger. This would not necessarily require any
malware to be installed or leave any trace in the file system.

50
Q

A user’s computer is performing extremely slowly. Upon investigating, you find that a process
named n0tepad.exe is utilizing the CPU at rates of 80-90%. This is accompanied by continual small
disk reads and writes to a temporary folder. Should you suspect malware infection and is any
particular class of malware indicated?

A

Yes, this is very likely malware: the process name n0tepad.exe (a zero in place of the letter o) is trying to masquerade as the legitimate notepad.exe. It is not possible to conclusively determine the type without more investigation, but sustained high CPU use with continual small temporary-file I/O would initially suggest a crypto-miner (cryptojacking).
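
The triage reasoning above can be written down as detection logic. The following is an added example, not part of the original flashcards: it canonicalizes look-alike process names (digit-for-letter substitutions), checks that well-known Windows binaries run from their expected directory, and flags sustained CPU use. The process list, paths and CPU figures are constructed, and the allow-list of known binaries is an assumption kept deliberately small.

```python
from collections import namedtuple

Process = namedtuple("Process", "pid name path cpu")

# Constructed sample process list; PIDs, paths and CPU figures are invented.
SAMPLE_PROCESSES = [
    Process(412,  "notepad.exe", r"C:\Windows\System32\notepad.exe", 1.0),
    Process(2077, "n0tepad.exe", r"C:\Users\pm\AppData\Local\Temp\n0tepad.exe", 88.5),
    Process(3150, "svch0st.exe", r"C:\Users\pm\AppData\Roaming\svch0st.exe", 12.0),
    Process(788,  "svchost.exe", r"C:\Windows\System32\svchost.exe", 2.5),
    Process(990,  "lsass.exe",   r"C:\Windows\System32\lsass.exe", 0.4),
]

# Assumed allow-list: well-known Windows binaries and the directory each
# should run from. A real list would be longer and come from inventory.
KNOWN_BINARIES = {
    "notepad.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe":   r"c:\windows\system32",
}

# Digit-for-letter substitutions commonly used to make a name look legitimate.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def canonical_name(name: str) -> str:
    """Lower-case the name and undo common look-alike substitutions."""
    return name.lower().translate(LOOKALIKES)


def triage(processes, cpu_threshold: float = 75.0) -> list:
    """Return [(pid, name, [reasons])] for processes worth a closer look."""
    suspects = []
    for proc in processes:
        reasons = []
        lowered = proc.name.lower()
        canon = canonical_name(proc.name)
        expected_dir = KNOWN_BINARIES.get(canon)
        if expected_dir is not None:
            if lowered != canon:
                reasons.append(f"name mimics {canon} with character substitution")
            actual_dir = proc.path.lower().rsplit("\\", 1)[0]
            if actual_dir != expected_dir:
                reasons.append(f"runs from {actual_dir}, expected {expected_dir}")
        if proc.cpu >= cpu_threshold:
            reasons.append(f"sustained CPU use {proc.cpu}%")
        if reasons:
            suspects.append((proc.pid, proc.name, reasons))
    return suspects


if __name__ == "__main__":
    for pid, name, reasons in triage(SAMPLE_PROCESSES):
        print(f"PID {pid} {name}: " + "; ".join(reasons))
```

On the sample list the genuine notepad.exe, svchost.exe and lsass.exe pass, n0tepad.exe is reported for all three reasons, and svch0st.exe is caught by the name and path checks even though its CPU use is modest.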

51
Q

Is Cuckoo a type of malware or a security product?

A

Cuckoo is a security product designed to analyze malware as it runs in an isolated sandbox environment.

52
Q

Which part of a simple cryptographic system must be kept secret—the cipher, the ciphertext, or the
key?

A

In cryptography, the security of the message is guaranteed by the security of the key (Kerckhoffs's principle). The system does not depend on hiding the algorithm or the ciphertext, which would be security by obscurity; a well-designed cipher stays secure even when its design is published.

53
Q

Considering that cryptographic hashing is one-way and the digest cannot be reversed, what makes
hashing a useful security technique?

A

Because two parties can hash the same data and compare checksums to see if they match, hashing can be used for data verification in a variety of situations, including password authentication. Hashes of passwords, rather than the password plaintext, can be stored securely or exchanged for authentication. A hash of a file or a hash code in an electronic message can be verified by both parties.

54
Q

Which security property is assured by symmetric encryption?

A

Confidentiality—symmetric ciphers are generally fast and well suited to bulk encrypting large amounts of data.

55
Q

What are the properties of a public/private key pair?

A

Each key can reverse the cryptographic operation performed by its pair but cannot reverse an operation
performed by itself. The private key must be kept secret by the owner, but the public key is designed to be widely
distributed. The private key cannot be determined from the public key, given a sufficient key size.

56
Q

What is the process of digitally signing a message?

A

A hashing function is used to create a message digest. The digest is then signed using the sender's private key.
The recipient uses the sender's public key to recover the signed digest; nobody without the private key could
have produced a signature that verifies this way. The recipient then calculates his or her own digest of the
received message and compares it with the recovered digest: a match shows that the message has not been altered and that it was signed by the holder of the private key.
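
Worked example of the three steps above, and of the non-repudiation property in card 61, added here and not part of the original flashcards. It uses textbook RSA over two Mersenne primes so that it runs without a prime generator or a third-party library; the roughly 150-bit modulus, the absence of padding and the reduction of the digest modulo n are shortcuts for illustration only. A real system uses RSA-PSS or ECDSA from a vetted library.

```python
import hashlib

# Toy RSA key built from two Mersenne primes so the example runs without a
# prime generator or third-party library. The ~150-bit modulus and the lack
# of padding make this insecure; it shows the mechanics only.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)

PUBLIC_KEY = (N, E)      # distributed widely
PRIVATE_KEY = (N, D)     # kept secret by the signer


def digest(message: bytes) -> int:
    """Step 1: hash the message. Reducing the digest modulo N is a toy
    substitute for the padding a real signature scheme applies."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key) -> int:
    """Step 2: apply the private key to the digest."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Step 3: recover the digest with the public key and compare it with a
    digest computed locally over the received message. Only the holder of
    the private key could have produced a value that passes this check."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


if __name__ == "__main__":
    order = b"Transfer 100 to Alice"
    sig = sign(order, PRIVATE_KEY)
    print("genuine:", verify(order, sig, PUBLIC_KEY))                       # True
    print("tampered:", verify(b"Transfer 900 to Alice", sig, PUBLIC_KEY))   # False
```

Changing a single byte of the message, or of the signature, makes verification fail, and because only PRIVATE_KEY can produce a signature that passes, the signer cannot later deny having signed the message that verifies.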

57
Q

In a digital envelope, which key encrypts the session key?

A

The recipient’s public key (typically from the server’s key pair).

58
Q

True or False? Perfect forward secrecy (PFS) ensures that a compromise of a server’s private key will
not also put copies of traffic sent to that server in the past at risk of decryption.

A

True. PFS ensures that ephemeral keys are used to encrypt each session. These keys are destroyed after use.

59
Q

Why does Diffie-Hellman underpin perfect forward secrecy (PFS)?

A

Diffie-Hellman allows the sender and recipient to derive the same value (the session key) from some other pre-agreed values. Some of these are exchanged in the clear and some are kept private, but there is no practical way for a snooper to work out the shared secret from the publicly exchanged values alone. This means session keys can be created without relying
on the server's private key (which is used only to authenticate the exchange), and it is cheap to generate fresh ephemeral exponents so that every session gets a different key (the DHE and ECDHE cipher suites).
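
The exchange described above, with both sides' computations, as an added example that is not part of the original flashcards. The modulus 2**255 - 19 is used here only as a convenient large prime so that the arithmetic is genuine; the subgroup order of the generator is not checked, which is one reason real deployments use the named groups from RFC 3526 or RFC 7919 (or an elliptic-curve group). SHA-256 stands in for the HKDF that TLS 1.3 uses to derive keys.

```python
import hashlib
import secrets

# Toy group parameters. P is 2**255 - 19, used here only as a convenient
# large prime so the arithmetic is genuine; the subgroup order of G is not
# checked. Real deployments use the named groups of RFC 3526 / RFC 7919 or
# an elliptic-curve group.
P = 2**255 - 19
G = 2
BYTES = 32               # enough to hold any value below P


def generate_private() -> int:
    """Fresh per-session exponent: never reused, never written to disk."""
    return secrets.randbelow(P - 3) + 2


def public_value(private: int) -> int:
    """G^private mod P; safe to send in the clear."""
    return pow(G, private, P)


def shared_secret(private: int, peer_public: int) -> int:
    """(G^b)^a == (G^a)^b mod P, so both sides reach the same value."""
    if not 2 <= peer_public <= P - 2:
        raise ValueError("peer public value outside the valid range")
    return pow(peer_public, private, P)


def session_key(secret: int, transcript: bytes) -> bytes:
    """Turn the shared secret into a fixed-size key bound to the handshake.
    SHA-256 stands in for the HKDF used by TLS 1.3."""
    return hashlib.sha256(secret.to_bytes(BYTES, "big") + transcript).digest()


def run_handshake(client_priv=None, server_priv=None):
    """One ephemeral exchange. Returns (client_key, server_key), which match.
    Fixed exponents may be passed in for reproducible tests."""
    a = client_priv if client_priv is not None else generate_private()
    b = server_priv if server_priv is not None else generate_private()
    A, B = public_value(a), public_value(b)        # the only values on the wire
    transcript = A.to_bytes(BYTES, "big") + B.to_bytes(BYTES, "big")
    client_key = session_key(shared_secret(a, B), transcript)
    server_key = session_key(shared_secret(b, A), transcript)
    return client_key, server_key


if __name__ == "__main__":
    k1, k2 = run_handshake()
    k3, _ = run_handshake()
    print("both sides agree:", k1 == k2)          # True
    print("next session differs:", k1 != k3)      # True
```

The only values a snooper sees are A and B; the session key depends on an exponent that each side discards when the session ends, so a later compromise of the server's long-term signing key reveals nothing about recorded sessions.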

60
Q

What type of bulk encryption cipher mode of operation offers the best security?

A

Generally, counter modes implementing Authenticated Encryption with Additional Data (AEAD). Specific examples include AES-GCM and ChaCha20-Poly1305.

61
Q

True or false? Cryptography is about keeping things secret so they cannot be used as the basis of a
non-repudiation system.

A

False. The usages are not exclusive; there are different types of cryptography and some can be used for non-repudiation.
The principle is that if a signature can only be produced with a private key known to one person, that
person cannot then deny having signed the message. This depends on the asymmetric design: anyone with the
public key can verify the signature, but nobody without the private key can create it.

62
Q

How can cryptography support high resiliency?

A

A complex system might have to support many inputs from devices installed to potentially unsecure locations. Such a system is resilient if compromise of a small part of the system is prevented from allowing compromise of the whole system. Cryptography assists this goal by ensuring the authentication and integrity of messages delivered over the control system.

63
Q

For which types of system will a cipher suite that exhibits high latency be problematic?

A

High latency is not desirable in any system really, but it will affect real-time protocols that exchange voice or
video most. In network communications, latency makes the initial protocol handshake longer, meaning delay for users and possible application timeout issues.

64
Q

What is the relevance of entropy to cryptographic functions?

A

Entropy is a measure of how disordered something is. A disordered ciphertext is desirable, because remaining features of order from the plaintext make the ciphertext vulnerable to analysis. Identical plaintexts need to be initialized with random or counter values when encrypted by the same key, and the cryptosystem needs a source of randomness to generate strong keys.
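
An added example, not part of the original flashcards, that makes the entropy point measurable and shows why identical plaintexts encrypted under one key need a fresh nonce or counter (the reason the counter modes in card 60 carry a nonce). The keystream is a toy built from SHA-256(key || nonce || counter), an assumption for illustration only; the key, nonces and plaintexts are constructed.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant byte, at most 8.0 when
    every byte value is equally frequent."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter) blocks.
    Illustration only; use AES-GCM or ChaCha20-Poly1305 from a real library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call decrypts."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def nonce_reuse_leak(key: bytes, nonce: bytes, pt1: bytes, pt2: bytes) -> bytes:
    """When (key, nonce) is reused, c1 XOR c2 == p1 XOR p2: the keystream
    cancels and the relationship between the plaintexts leaks without the
    attacker ever learning the key."""
    c1 = ctr_encrypt(key, nonce, pt1)
    c2 = ctr_encrypt(key, nonce, pt2)
    return bytes(a ^ b for a, b in zip(c1, c2))


# Constructed inputs for the demonstration.
KEY = b"k" * 32
NONCE_1 = b"\x00" * 11 + b"\x01"
NONCE_2 = b"\x00" * 11 + b"\x02"
PLAINTEXT = b"attack at dawn " * 134      # 2010 bytes, only 8 distinct symbols

if __name__ == "__main__":
    print("plaintext entropy :", round(shannon_entropy(PLAINTEXT), 2))
    print("ciphertext entropy:", round(shannon_entropy(ctr_encrypt(KEY, NONCE_1, PLAINTEXT)), 2))
    print("same nonce twice  :", ctr_encrypt(KEY, NONCE_1, PLAINTEXT) == ctr_encrypt(KEY, NONCE_1, PLAINTEXT))
    print("fresh nonce       :", ctr_encrypt(KEY, NONCE_1, PLAINTEXT) != ctr_encrypt(KEY, NONCE_2, PLAINTEXT))
```

The repetitive plaintext scores under 3 bits per byte while its ciphertext scores close to 8, which is the disorder the card describes. Encrypting the same plaintext twice under the same key and nonce produces identical ciphertext, so an observer learns that the two messages were equal, and nonce_reuse_leak shows the stronger failure: two different messages under a reused nonce leak their XOR.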

65
Q

Your company creates software that requires a database of stored password hashes. What security control could you use to make the password database more resistant to brute-force attacks?

A

Store each password as a salted hash produced by a deliberately slow key-stretching function, such as PBKDF2, bcrypt, scrypt, or Argon2, rather than a single pass of a fast hash like MD5 or SHA-256. The unique salt per user defeats precomputed (rainbow) tables, and the configurable work factor makes every guess expensive for the attacker. You might also mention that you could use policies to make users choose longer, non-trivial passwords.
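
An added example, not part of the original flashcards, of the storage pattern from this card; it also illustrates the password-verification use of hashing from card 53. It shows the weak pattern (one fast unsalted hash) beside the hardened one: a per-user random salt, PBKDF2-HMAC-SHA256 with a high iteration count, a self-describing record that stores its own parameters, and a constant-time comparison. The 600,000 iteration default (the order of magnitude OWASP currently recommends for PBKDF2-HMAC-SHA256) and the record format are assumptions for the example; bcrypt, scrypt or Argon2 are equally valid choices.

```python
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000     # assumed default; the OWASP-recommended order of magnitude
SALT_BYTES = 16
KEY_BYTES = 32


def unsalted_sha256(password: str) -> str:
    """The weak pattern: one fast hash, no salt, so equal passwords collide
    across users and a single precomputed table cracks the whole database."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex).
    Storing the parameters lets the work factor be raised later without
    breaking existing records."""
    salt = secrets.token_bytes(SALT_BYTES)      # unique per user; need not be secret
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return f"{ALGORITHM}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time so timing does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations), dklen=KEY_BYTES
    )
    return hmac.compare_digest(derived, bytes.fromhex(hash_hex))


if __name__ == "__main__":
    alice = hash_password("hunter2")
    bob = hash_password("hunter2")
    print("weak hashes identical:", unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))  # True
    print("salted records differ:", alice != bob)                                                # True
    print("login ok:", verify_password("hunter2", alice), "bad password:", verify_password("hunter3", alice))
```

Two users with the same password get two different records, so a cracked hash reveals nothing about other accounts, and each guess an attacker makes against a stolen record costs 600,000 HMAC computations instead of one.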

66
Q

Which cryptographic technology is most useful for sharing medical records with an analytics
company?

A

Homomorphic encryption allows calculations to be performed while preserving privacy and confidentiality by keeping the data encrypted.

67
Q

You are assisting a customer with implementing data loss prevention (DLP) software. Of the two
products left in consideration, one supports steganalysis of image data, but the other does not.
What is the risk of omitting this capability?

A

A threat actor could conceal information within an image file and use that to bypass the DLP system. One thing to note is that attackers could find other ways to implement covertexts (audio or video, for instance) or abuse protocol coding. There are many things that steganalysis needs to be able to scan for! You might also note that steganography
is not only a data exfiltration risk. It can also be used to smuggle malicious code into a host system.

68
Q

What is the main weakness of a hierarchical trust model?

A

The structure depends on the integrity of the root CA.

69
Q

How does a subject go about obtaining a certificate from a CA?

A

In most cases, the subject generates a key pair then adds the public key along with subject information and
certificate type in a certificate signing request (CSR) and submits it to the CA. If the CA accepts the request, it generates a certificate with the appropriate key usage and validity, signs it, and transmits it to the subject.

70
Q

What cryptographic information is stored in a digital certificate?

A

The subject’s public key and the algorithms used for encryption and hashing. The certificate also stores a digital signature from the issuing CA, establishing the chain of trust.

71
Q

What does it mean if a certificate extension attribute is marked as critical?

A

That the application processing the certificate must be able to interpret the extension correctly. Otherwise, it
should reject the certificate.

72
Q

You are developing a secure web application. What sort of certificate should you request to show
that you are the publisher of a program?

A

A code signing certificate. Certificates are issued for specific purposes. A certificate issued for one purpose
should not be reused for other functions.

73
Q

What extension field is used with a web server certificate to support the identification of the server
by multiple specific subdomain labels?

A

The subject alternative name (SAN) field. A wildcard certificate will match any subdomain label.

74
Q

What are the potential consequences if a company loses control of a private key?

A

It puts both data confidentiality and identification and authentication systems at risk. Depending on the key
usage, the key may be used to decrypt data without authorization. The key could also be used to impersonate a user
or computer account, or to sign code or certificates that others will trust.

75
Q

You are advising a customer about encryption for data backup security and the key escrow services
that you offer. How should you explain the risks of key escrow and potential mitigations?

A

Escrow refers to archiving the key used to encrypt the customer's backups with your company as a third party. The risk is that an insider at your company may be able to decrypt the customer's backups. This risk can be mitigated by requiring M-of-N access to the escrow keys (several authorized administrators must cooperate to recover a key), reducing the risk from a single rogue administrator.

76
Q

What mechanism informs clients about suspended or revoked keys?

A

Either a published Certificate Revocation List (CRL) or an Online Certificate Status Protocol (OCSP) responder.

77
Q

What mechanism does HPKP implement?

A

HTTP Public Key Pinning (HPKP) let a web server send a Public-Key-Pins HTTP header listing hashes of one or more public keys that must appear in its certificate chain. A browser that had cached the pins would reject a later TLS connection to that host whose chain contained none of the pinned keys, even if the certificate was signed by a trusted CA. HPKP applied only to HTTPS, not to code signing, and because a wrong or malicious pin could lock users out of a site, it was deprecated and major browsers have removed support; Certificate Transparency logging is the replacement approach.

78
Q

What type of certificate format can be used if you want to transfer your private key and certificate
from one Windows host computer to another?

A

PKCS #12 / .PFX / .P12.

79
Q

What type of operation is being performed by the following command?
openssl req -nodes -new -newkey rsa:2048 -out my.csr -keyout mykey.pem

A

This generates a new 2048-bit RSA key pair and a certificate signing request. The private key is written to mykey.pem and the CSR, which carries the public key and the subject details entered at the prompts, to my.csr. The -nodes option means the private key file is not encrypted with a passphrase, so it must be protected by file-system permissions; omit -nodes if a passphrase is wanted.