ALL Flashcards

1
what is a public cloud?
the standard cloud computing model where a service provider makes resources available to the public over the internet
2
what does OS fingerprinting involve?
using active fingerprinting to look at the ports (open/closed and the types of responses) and passive fingerprinting to examine the traffic to and from the computer (looking for the default window size or TTL of packets)
3
what are the three main protocols that can be used for wireless networks?
wired equivalent privacy (WEP), WPAv1, WPAv2
4
what is the purpose of infrastructure as a service (IaaS) in cloud computing?
it provides computer and server infrastructure, typically through a virtualization environment
5
what do you use to control traffic from the internet to the LAN (local area network) by controlling the packets that are allowed to enter the LAN?
a firewall
6
what is the most common type of system used to detect intrusions into a computer network?
NIDS
7
what is the purpose of PaaS in cloud computing?
it provides not only a virtualized deployment platform but also a value-added solution stack and an application development platform
8
what is the term for an unauthorized access that a network-based intrusion detection system (NIDS) fails to detect?
missed detection or false positive
9
what does the acronym IDS denote?
intrusion detection system
10
what is the main difference between an IDS and an IPS?
an IDS detects intrusions; an IPS prevents intrusions
11
what does the acronym ACL denote?
access control list
12
what devices can limit the effectiveness of sniffing attacks: switches or routers?
switches
13
what are the two major types of intrusion detection systems (IDS)?
network IDS (NIDS) and host IDS (HIDS)
14
which type of IDS detects attacks on individual devices?
host intrusion detection system (HIDS)
15
which layer 3 device allows different logical networks to communicate?
router
16
what is the default rule found in a firewall's access control list (ACL)?
deny all
17
what does the acronym NIDS denote?
network-based intrusion detection system
18
which security control is lost when using cloud computing?
physical control of the data
19
what is the term for an authorized access that a network-based intrusion detection system (NIDS) incorrectly detects as an attack?
false positive
20
what are the four types of cloud computing based on management type?
public, private, hybrid, and community
21
what is a hybrid cloud?
a cloud computing environment in which an organization provides and manages some resources in-house and has others provided externally via a public cloud
22
what is a multi-tenancy cloud?
a cloud model where multiple tenants share the resources; this model allows the service providers to manage the resource utilization more efficiently
23
which type of system identifies suspicious patterns that may indicate a network or system attack?
intrusion detection system (IDS)
24
why is data isolation used in cloud environments?
to ensure that tenant data in a multi-tenant solution is isolated from other tenants' data using a tenant ID in the data labels
25
which information do routers use to forward packets to their destinations?
the network address and subnet mask
26
what does the acronym HIDS denote?
host-based intrusion detection system
27
what is a community cloud?
an infrastructure that is shared among several organizations from a specific group with common computing concerns
28
what is the purpose of software as a service (SaaS) in cloud computing?
it ensures on-demand, online access to an application suite without the need for local installation
29
what is a single-tenancy cloud?
a cloud model where a single client or organization uses a resource
30
what does OS footprinting do?
it performs the fingerprinting steps as well as gathering additional information, such as polling DNS (check the status/survey), registrar queries, and so on
31
which type of IDS detects malicious packets on a network?
network intrusion detection system (NIDS)
32
what is lightweight extensible authentication protocol (LEAP)?
a proprietary wireless LAN authentication method developed by Cisco Systems
33
which type of analysis involves identifying traffic that is abnormal?
anomaly analysis
34
which wireless protocol provides the best security: WEP, WAP, WPA, or WPA2?
WPA2 with CCMP
35
which category of IDS might increase logging activities, disable a service, or close a port as a response to a detected security breach?
active detection
36
what does the acronym SIEM denote?
security information and event management
37
what should you do to ensure that a wireless access point signal does not extend beyond its needed range?
reduce the power levels
38
which type of analysis involves examining information in the header of the packet?
protocol analysis
39
what is the purpose of MAC filtering?
to restrict the clients that can access a wireless network
40
what is protected extensible authentication protocol (PEAP)?
a protocol that encapsulates the EAP within an encrypted and authenticated TLS tunnel
41
what are the two modes of WPA and WPA2?
personal (also called preshared key or WPA-PSK / WPA2-PSK) and enterprise
42
what type of analysis focuses on the long term direction in the increase or decrease in a particular type of traffic?
trend analysis
43
which security protocol is the standard encryption protocol for use with the WPA2 standard?
counter mode cipher block chaining message authentication code protocol (CCMP)
44
which security protocol was designed as an interim solution to replace WEP without requiring the replacement of legacy hardware?
temporal key integrity protocol (TKIP)
45
which intrusion detection system (IDS) watches for intrusions that match a known identity?
signature-based IDS
46
which software can collect logs from specified devices, combine the logs, and analyze the combined logs for security issues?
security information and event management (SIEM)
47
what does heuristic analysis do?
it determines the susceptibility of a system towards a particular threat/risk using decision rules or weighing methods
48
which protocol does the enterprise mode of WPA and WPA2 use for authentication?
extensible authentication protocol (EAP)
49
which wireless mode ensures that wireless clients can only communicate with the wireless access point and not with other wireless clients?
isolation mode
50
which type of IDS or IPS uses an initial database of known attack types but dynamically alters their signatures based on learned behavior?
heuristic
51
what does packet analysis do?
it examines the entire packet, including the payload
52
what are the non-overlapping channels for 802.11g/n?
channels 1, 6, and 11
53
what are the non-overlapping channels for 802.11b?
channels 1, 6, 11, and 14
54
what is the most secure implementation of file transfer protocol (FTP)?
secure file transfer protocol (SFTP)
55
what is the name for a hole in the security of an application deliberately left in place by a designer?
backdoor
56
which malicious software infects a system without relying upon other applications for its execution?
a worm
57
what does an anti-virus application signature file contain?
it contains identifying information about viruses
58
which application or service uses TCP/UDP port 3389?
remote desktop protocol (RDP)
59
which port number is used by TFTP?
UDP port 69
60
what is the name for a fix that addresses a specific windows system problem or set of problems?
hotfix
61
which firewall port should you enable to allow SMTP traffic to flow through the firewall?
port 25
62
how many TCP/UDP ports are vulnerable to malicious attacks?
65,536
63
which type of virus can change its signature to avoid detection?
polymorphic
64
what is the default PPTP port?
TCP port 1723
65
what is the purpose of NAC?
network access control (NAC) ensures that the computer on the network meets an organization's security policies
66
using role-based access control (RBAC), which entities are assigned roles?
users or subjects
67
what is the name of the area that connects to a firewall and offers services to untrusted networks?
DMZ
68
which virus creates many variants by modifying its code to deceive antivirus scanners?
polymorphic virus
69
which port should you block at your network firewall to prevent telnet access?
port 23
70
what is a good solution if you need to separate two departments into separate networks?
VLAN segregation
71
which port number does LDAP use for communications encrypted using SSL/TLS?
port 636
72
which type of code performs malicious acts only when a certain set of conditions occurs?
a logic bomb
73
which firewall port should you enable to allow IMAP4 traffic to flow through the firewall?
TCP port 143
74
which two ports does FTP use?
ports 20 and 21
75
what does VLAN segregation accomplish?
it protects each individual segment by isolating the segments
76
which port number does HTTP use?
port 80
77
which port numbers are used by NetBIOS?
ports 137, 138, 139
78
which type of malware appears to perform a valuable function, but actually performs malicious acts?
trojan horse
79
which port number does LDAP use when communications are not secured using SSL/TLS?
port 389
80
what does the acronym RBAC denote?
role-based access control
81
which viruses are written in macro language and typically infect operating systems?
macro viruses
82
who can change a resource's category in a mandatory access control environment?
administrators only
83
which port number does NNTP (network news transfer protocol) use?
TCP port 119
84
what is a trojan horse?
malware that is disguised as a useful utility, but is embedded with a malicious code to infect computer systems
85
which port number does NTP use?
port 123
86
what does the acronym DAC denote?
discretionary access control
87
which firewall port should you enable to allow POP3 traffic to flow through the firewall?
TCP port 110
88
which port number does DHCP use?
port 67
89
which port number is used by SSL, FTPS, and HTTPS?
TCP port 443
90
which port number is used by SSH, SCP, and SFTP?
port 22
91
what is the default L2TP port?
UDP port 1701
92
which type of access control associates roles with each user?
role-based access control (RBAC)
93
why should you install a software firewall and the latest software patches and hotfixes on your computer?
to reduce security risks
94
what is the name for a collection of hotfixes that have been combined into a single patch?
a service pack
95
which type of access control is the multi-level security mechanism used by the Department of Defense (DoD)?
mandatory access control (MAC)
96
which port number does DNS use?
port 53
97
which port number is used by SMB?
TCP port 445
98
what is a file considered in a mandatory access control environment?
an object
99
what is the purpose of anti-spam application or filters?
to prevent unsolicited e-mail
100
which type of access control was originally developed for military use?
mandatory access control (MAC)
101
when should you install a software patch on a production server?
after the patch has been tested
102
which type of access control is most suitable for top-secret information?
mandatory access control (MAC)
103
which port number does SNMP use?
UDP port 161
104
in a secure network, what should be the default permission position?
implicit deny
105
which port number does SSH use?
port 22
106
which type of virus attempts to hide from antivirus software and from the operating system by remaining in memory?
stealth
107
which port is used for LDAP authentication?
port 389
108
which self-replicating computer program sends copies of itself to other devices on the network?
worm
109
which port number is used by Microsoft SQL Server?
TCP port 1433
110
which TCP port number does secure sockets layer (SSL) use?
port 443
111
according to the CySA+ objectives, what are the six rules of engagement for penetration testing?
timing, scope, authorization, exploitation, communication, reporting
112
is a DHCP server normally placed inside a DMZ?
no
113
what is meant by the term exploitation in regards to rules of engagement in penetration testing?
all exploits that will be attempted during a scan
114
what is decomposition?
the process of breaking software or malware down to discover how it works
115
what is meant by the term scope in regards to vulnerability testing?
the devices or parts of the network that can be scanned and the types of scans to be performed
116
which technology enables a LAN to use one set of IP addresses for internal traffic and a second set of addresses for external traffic, while hiding internal addresses or address space?
NAT
117
which assessment determines whether network security is properly configured to rebuff hacker attacks?
penetration test
118
what is the purpose of network segmentation?
to isolate a group of devices
119
what can be used to run a possibly malicious program in a safe environment?
sandbox
120
which term is used for the process of verifying the integrity of a file by using a hashing algorithm?
fingerprinting or hashing
121
what is the purpose of the blue team in a training exercise?
defending the device or network
122
which documentation reduces the likelihood that you have received counterfeit equipment?
OEM (original equipment manufacturer) documentation
123
which type of connectivity provides a remote user the ability to safely connect to his or her corporate network while maintaining data confidentiality and integrity?
VPN
124
what is the purpose of the red team in a training exercise?
attacking the devices or network
125
what is meant by the term timing in regards to penetration testing?
the time when the test should occur and when it should not occur
126
what is the primary security advantage of using NAT?
NAT hides internal IP addresses from the public network
127
what is meant by the term authorization in regards to penetration testing?
the written agreement and legal authority to perform a vulnerability test
128
which type of test attempts to exploit vulnerabilities?
penetration test or pentest
129
which type of test ONLY identifies vulnerabilities?
vulnerability test
130
what is the purpose of rules of engagement for penetration testing?
they define how a penetration test should occur, including the factors that limit the penetration test
131
what does the acronym OEM denote?
original equipment manufacturer
132
which team acts as the referee during a training exercise?
white team
133
what is the purpose of the Trusted Foundry?
it identifies trusted vendors and ensures a trusted supply chain for the United States Department of Defense (DoD)
134
does each VLAN create its own collision domain or its own broadcast domain?
broadcast domain
135
what should you consult to identify all systems that need to have a vulnerability scan?
the company's asset inventory
136
what is a flaw, loophole, or weakness in the system, software, or hardware?
vulnerability
137
which scan has less of an impact on the network: agent-based or server-based?
agent-based vulnerability scans because they run on the device and only send the report to the centralized server
138
what are the two main factors that CompTIA lists as factors for prioritizing vulnerability remediation?
criticality and difficulty of implementation
139
how often should vulnerability scans be carried out based on PCI-DSS standards?
every three months and whenever systems are updated
140
which SCAP component provides standardized names for security-related software flaws?
common vulnerabilities and exposures (CVE)
141
what does the acronym CCE denote?
common configuration enumeration
142
which system provides CCE and CVE identifiers for vulnerability scans?
security content automation protocol (SCAP)
143
which term is used for an agreement that is signed by two partnering companies?
business partners agreement (BPA)
144
what does the acronym CVE denote?
common vulnerabilities and exposures
145
which term is used for an agreement between two or more parties where the parties cannot create a legally enforceable agreement?
memorandum of understanding (MoU)
146
what does the acronym SCAP denote?
security content automation protocol
147
which step of the vulnerability management process involves assessing the documented requirements and workflow to determine when scans should occur?
establish scanning frequency
148
why should you document workflow prior to setting up a vulnerability scan?
to help provide business constraints for the scan
149
which step of the vulnerability management process involves documenting the regulatory environment and corporate policy, classifying data, and obtaining an asset inventory?
identify requirements
150
in which situation will you accept a risk?
when the cost of the safeguard exceeds the amount of the potential loss
151
why should you deploy remediation in a sandbox environment?
to test the effects of the remediation to ensure that the devices will be able to function properly after deployment
152
what is the process for the vulnerability management process?
1. identify requirements; 2. establish scanning frequency; 3. configure the tools to perform the scans according to specifications; 4. execute the scan; 5. generate scan reports; 6. provide remediation for discovered vulnerabilities
153
what does the acronym CVSS denote?
common vulnerability scoring system
154
what is a service level agreement (SLA)?
a contract between a network service provider and a customer that specifies the services the network service provider will furnish
155
which range of CVSS scores indicates low priority?
0.1 to 3.9
156
what is meant by the term vulnerability feed?
the updates to the vulnerability scanner that ensure the scanner is able to recognize newly discovered vulnerabilities
157
which range of CVSS scores indicates high priority?
7.0 to 8.9
158
what happens with an agent-based vulnerability scan?
agents are installed on the devices to run the scan and send the report to a centralized server
159
which range of CVSS scores indicates medium priority?
4.0 to 6.9
160
what is the recommended action when the cost of the safeguard exceeds the amount of the potential loss for a given risk?
to accept the risk
161
which permissions should you assign the account used for the vulnerability scans?
read only
162
which SCAP component provides standard names for product names and versions?
common platform enumeration (CPE)
163
which step of the vulnerability management process includes scanning criteria, such as sensitivity levels, vulnerability feed, and scope?
configure the tools to perform the scans according to specifications
164
which range of CVSS scores indicates critical priority?
9.0 to 10.0
165
what is meant by the scope of a vulnerability scan?
the range of hosts or subnets included in the scan
166
what is the purpose of a discovery vulnerability scan?
to create an inventory of assets based on host or service discovery
167
which SCAP component provides a standardized metric that measures and describes the severity of security-related software flaws?
common vulnerability scoring system (CVSS)
168
what is the term Nessus uses for vulnerability feeds?
plug-ins
169
which type of vulnerability scan includes the appropriate permissions for the different data types?
credentialed scan
170
what does a CVSS score of 0 indicate?
no issues
171
what are the FIVE inhibitors to remediation after a vulnerability scan?
MOUs, SLAs, organizational governance, business process interruption, degrading functionality
172
what does the acronym CPE denote?
common platform enumeration (CPE)
173
what are the three possible values of the availability (A) metric of the CVSS vector, and what do they stand for?
N - None, P - Partial, C - Complete
174
which value of the authentication (Au) metric of the CVSS vector means no authentication mechanisms are in place to stop the exploitation of the vulnerability?
N
175
which CVSS metric describes the authentication an attacker would need to get through to exploit the vulnerability?
the authentication (Au) metric
176
which value of the access vector (AV) metric of the CVSS vector indicates that the attacker must have physical access to the affected system?
L
177
which value of the Access Vector (AV) metric of the CVSS vector indicates the attacker can exploit the vulnerability from any network?
N
178
which value of the confidentiality (C) metric of the CVSS vector means all information on the system could be compromised?
C
179
which value of the Confidentiality (C) metric of the CVSS vector means some access to information would occur?
P
180
what are the three possible values of the Access Vector (AV) metric of the CVSS vector, and what do they stand for?
L - Local, A - Adjacent, N - Network
181
which CVSS metric describes the difficulty of exploiting the vulnerability?
the access complexity (AC) metric
182
which CVSS metric describes the information disclosures that may occur if the vulnerability is exploited?
the confidentiality (C) metric
183
what are the three main possible values of the authentication (Au) metric of the CVSS vector, and what do they stand for?
M - Multiple, S - Single, N - None
184
which value of the availability (A) metric of the CVSS vector means system performance is degraded?
P
185
which CVSS metric describes how the attacker would exploit the vulnerability?
the access vector (AV) metric
186
which value of the integrity (I) metric of the CVSS vector means some information modification would occur?
P
187
what are the three possible values of the confidentiality (C) metric of the CVSS vector, and what do they stand for?
N - None, P - Partial, C - Complete
188
which value of the integrity (I) metric of the CVSS vector means all information on the system could be compromised?
C
189
which value of the Access Complexity (AC) metric of the CVSS vector means the vulnerability does not require special conditions?
L
190
which value of the availability (A) metric of the CVSS vector means the system is completely shut down?
C
191
which CVSS metric describes the disruption that might occur if the vulnerability is exploited?
the availability (A) metric
192
what should you do for the false positives in a vulnerability scanning report once you have verified that they are indeed false?
configure exceptions for the false positives in the vulnerability scanner
193
what is meant by the term false negative in a vulnerability scan?
when the vulnerability scan indicated no vulnerabilities existed when, in fact, one was present
194
which value of the access vector (AV) metric of the CVSS vector indicates the attacker must be on the local network?
A
195
which value of the integrity (I) metric of the CVSS vector means there is no integrity impact?
N
196
which CVSS metric describes the type of data alteration that might occur?
the integrity (I) metric
197
which value of the Confidentiality (C) metric of the CVSS vector means there is no confidentiality impact?
N
198
which value of the authentication (Au) metric of the CVSS vector means the attacker would need to get through two or more authentication mechanisms?
M
199
which value of the authentication (Au) metric of the CVSS vector means the attacker would need to get through one authentication mechanism?
S
200
what are the three possible values of the Access Complexity (AC) metric of the CVSS vector, and what do they stand for?
H - High, M - Medium, L - Low
201
what are the three possible values of the integrity (I) metric of the CVSS vector, and what do they stand for?
N - None, P - Partial, C - Complete
202
which value of the Availability (A) metric of the CVSS vector means there is no availability impact?
N
203
which value of the Access Complexity (AC) metric of the CVSS vector means the vulnerability requires somewhat special conditions?
M
204
which value of the Access Complexity (AC) metric of the CVSS vector means the vulnerability requires special conditions that are hard to find?
H
205
what should you do if you expect that there are false positives in a vulnerability scanning report?
verify the false positives to ensure that you can eliminate them from the report
206
in which type of attack is a user connected to a different web server than the one intended by the user?
hyperlink spoofing attack
207
what is meant by VM escape?
viruses and malware can migrate between multiple VMs on a single server
208
which type of system does a stuxnet attack target?
a supervisory control and data acquisition (SCADA) system
209
which type of attack involves flooding a recipient e-mail address with identical e-mails?
spamming attack
210
what is a replay attack?
an attack where an intruder records the communication between a user and a server, and later plays the recorded information back to impersonate the user
211
what is the purpose of GPS tracking on a mobile device?
it allows a mobile device to be located
212
what is a command injection?
when an operating system command is submitted in an HTML string
213
what is war chalking?
leaving signals about a wireless network on the outside of the building where it is housed
214
which attack is an extension of the denial-of-service (DoS) attack and uses multiple computers?
DDoS attack
215
which component of a computer use policy indicates that data stored on a company computer is not guaranteed to remain confidential?
a no expectation of privacy policy
216
how do you ensure that data is removed from a mobile device that has been stolen?
use a remote wipe or remote sanitation program
217
what is phishing?
when an e-mail request for confidential information that appears to originate from a bank or other trusted institution is received
218
what is click-jacking?
a technique that is used to trick users into revealing confidential information or taking over the user's computer when clicking links
219
what does the acronym SCADA denote?
supervisory control and data acquisition
220
which type of attack allows an attacker to redirect internet traffic by setting up a fake DNS server to answer client requests?
DNS spoofing
221
what is the purpose of screen locks on mobile devices?
to prevent users from accessing the mobile device until a password or other factor is entered
222
which type of attack is characterized by an attacker who records an encrypted transmission between a client and a server computer so that he or she can then send it to the server to gain access?
a replay attack
223
why is it important to limit the use of flash drives and portable music devices by organization employees?
to prevent users from copying data to their personal devices and possibly causing data leakage or from transferring malware to corporate computers
224
which type of attack is characterized by an attacker who situates himself or herself in such a way that he or she can intercept all traffic between two hosts?
man-in-the-middle
225
should virtual servers have the same information security requirements as physical servers?
Yes
226
what is a smurf attack?
an attack where a ping request is sent to a broadcast network address with the aim of overwhelming the system
227
what causes VM sprawl to occur?
when multiple VMs become difficult to manage
228
what is an Xmas attack?
an attack that looks for open ports
229
what is an XML injection?
when a user enters values in an XML query that takes advantage of security loopholes
230
what is the purpose of SCADA?
to collect data from factories, plants, or other remote locations, and send the data to a central computer that manages and controls the data
231
what does the acronym ICS denote?
industrial control system
232
which servers are susceptible to the same type of attacks as their hosts, including denial of service attacks, detection attack, and escape attacks?
virtual servers
233
what is spear phishing?
an e-mail request for confidential information that appears to come from your supervisor
234
what is the main difference between virtualization and cloud computing?
the location and ownership of the physical components
235
what is an evil twin?
an access point with the same SSID as the legitimate access point
236
what is vishing?
a special type of phishing that uses VoIP
237
where should you physically store mobile devices to prevent theft?
in a locked cabinet or safe
238
what is whaling?
a special type of phishing that targets a single power user, such as the Chief Executive Officer (CEO)
239
what is the purpose of a remote sanitation application on a mobile device?
to ensure that the data on the mobile device can be erased remotely in the event the mobile device is lost or stolen
240
which address is faked with IP spoofing attacks?
the source IP address
241
what is bluesnarfing?
the act of gaining unauthorized access to a device (and the network it is connected to) through its Bluetooth connection
242
which attack uses clients, handles, agents, and targets?
DDoS attack
243
when does path traversal occur?
when the ../ characters are entered into the URL to traverse directories that are not supposed to be available from the Web
244
what is war driving?
the act of discovering unprotected wireless networks by driving around with a laptop
245
which type of attack does challenge handshake authentication protocol (CHAP) protect against?
replay
246
what does the acronym DDoS denote?
distributed denial of service
247
what is header manipulation?
when a hacker is able to manipulate a packet header to deface, hijack, or poison the packet
248
what is bluejacking?
an attack that sends unsolicited messages over a Bluetooth connection
249
which attack requires that the hacker compromise as many computers as possible to initiate the attack?
DDoS attack
250
what is an IP spoofing attack?
an attack in which the source IP address in an IP datagram is modified to imitate the IP address of a packet originating from an authorized source
251
which type of attack searches long lists of words for a particular language to match them to an encrypted password?
dictionary attack
252
why is GPS tracking often disabled?
it is considered a security threat; as long as GPS tracking is enabled and the mobile device is powered on, the device (and possibly its user) can be located
253
what is spimming?
an instance of spam sent over an instant message application
254
what is a malicious insider?
an employee who uses his access to the network and facility to obtain confidential information
255
what is the purpose of a screen lock on a mobile device?
to act as a deterrent if a mobile device is lost or stolen by requiring a key combination to activate the device
256
encrypting all files on a system hardens which major component of a server?
the file system
257
what is an IV attack?
cracking the WEP secret key using the initialization vector (IV)
258
what is pharming?
traffic redirection to a web site that looks identical to the intended web site
259
what is the purpose of mobile device encryption?
to ensure that the contents of the mobile device are confidential
260
which type of attack sequentially generates every possible password and checks them all against a password file?
brute force attack
261
which type of brute-force attack attempts to find any two hashed messages that have the same value?
a birthday attack
262
what does the acronym MTD denote?
maximum tolerable downtime
263
what is MTBF?
the estimated amount of time a device will operate before a failure occurs
264
what are the four types of personally identifiable information (PII)?
1. personal characteristics - such as full name, DoB, height, ethnicity, place of birth, mother's maiden name, and biometric characteristics
2. a unique set of numbers assigned to an individual - such as government ID number, telephone number, driver's license number, and PIN
3. descriptions of events or points in time - such as arrest records, employment records, and medical records
4. descriptions of locations or places - such as GPS tracking information
265
what does the acronym RTO denote?
recovery time objective
266
what does the acronym MTBF denote?
mean time between failures
267
what does the acronym RPO denote?
recovery point objective
268
which two factors should contribute to incident severity and prioritization?
impact scope and the type of data affected
269
which attack is one discovered in live environments for which no current fix or patch exists?
zero-day attack
270
what is RTO?
the shortest time period after a disaster or disruptive event within which a resource or function must be restored to avoid unacceptable consequences
271
which impact scope factor refers to the amount of data corrupted or altered during the incident?
data integrity
272
what does the acronym PHI denote?
personal health information
273
what is meant by the economic factor of an incident?
the cost of the incident to the organization
274
which impact scope factor refers to the amount of time taken to recover from the incident?
recovery time
275
which attack type targets a specific entity and is carried out over a long period of time?
advanced persistent threat (APT)
276
which impact scope factor refers to the amount of time access to resources was interrupted?
downtime
277
what is MTD?
the maximum amount of time that an organization can tolerate a single resource or function being down
278
what does the acronym PII denote?
personally identifiable information
279
what is RPO?
the point in time to which the disrupted resource or function must be returned
280
what is the best method to preserve evidence on a computer: bit stream backup or standard backup?
bit stream backup
281
what is the order of volatility from most volatile to least volatile?
registers, cache
swap space
routing table, ARP cache, process table, kernel statistics, and memory
temporary file systems
disk
remote logging and monitoring data that is relevant to the system in question
282
what are the FOUR documents/forms that should be part of a forensic kit?
chain of custody form, incident response plan, incident form, call list/escalation list
283
what is a write blocker?
a tool that permits read-only access to data storage devices without compromising the integrity of the data
284
what is the purpose of imaging utilities included in a forensic kit?
to create a bit-level copy of drives
285
what are the NINE components that should be included in a forensic kit?
1. digital forensics workstation
2. write blockers
3. cables
4. drive adaptors
5. wiped removable media
6. camera
7. crime tape
8. tamper-proof seals
9. documentation/forms
286
what is the purpose of the chain of custody form?
it will indicate who has handled the evidence, when they handled it, and the order in which the handler was in possession of the evidence
287
which condition must be true of the hash values of a file to prove the file is unaltered?
the hash values must remain the same
288
what is a SCADA device?
a system operating with coded signals over communication channels that provides control of remote equipment
289
what is the purpose of tamper-proof seals?
to ensure that the chain of custody is maintained
290
what is the purpose of hashing utilities included in a forensic kit?
to create a hash value of files so that you can prove that certain evidence has not been altered during your possession of the evidence
291
what is the proper life cycle of evidence steps?
collection, analysis, storage, court presentation, and return to owner
292
what is a digital forensics workstation?
a dedicated workstation for processing an investigation that includes special tools and utilities that make the process easier and more productive
293
what is the purpose of an incident form?
it is used to describe the incident in detail
294
why should the proper chain of custody be ensured?
so that evidence will be admissible in court
295
what is the purpose of the analysis utilities included in a forensic kit?
to analyze the bit-level copy that is created for that purpose
296
what are the three basic questions answered by the chain of custody?
who controlled the evidence
who secured the evidence
who obtained the evidence
297
when evidence is seized, which principle should be emphasized?
chain of custody
298
what is indicated when the hash values on a file are different?
the file has been altered
299
which stakeholder in the incident response process communicates the importance of the incident response plan to all parts of the organization, creates agreements detailing the authority of the IR team to take over business systems if necessary, and creates decision systems for determining when key systems must be removed from the network?
upper management
300
which stakeholder in the incident response process creates newsletters and other educational materials to be used in employee response training and coordinates with the legal team to prepare media responses and internal communications regarding incidents before they occur?
marketing
301
what are the FOUR main stakeholder groups for the incident response process?
HR, Legal, Marketing, Management
302
which stakeholder in the incident response process reviews the NDA to ensure legal support for incident response efforts, develops the wording of documents used to contact sites and organizations possibly affected by an incident that originated with your company's software, hardware, or services, and assesses site liability for illegal computer activity?
Legal
303
what is the role of law enforcement in the incident response process?
to assist the investigation and in some cases take over the investigation when a crime has been committed
304
which stakeholder in the incident response process develops job descriptions for those persons who will be hired for positions involved in incident response and creates policies and procedures that support the removal of employees found to be engaging in improper or illegal activity?
HR
305
what is the role of the technical IT staff in the incident response process?
to recognize, identify, and react to incidents, and to provide support in analyzing those incidents when an incident has occurred
306
what are the FOUR main purposes of the incident response communication process?
limit communication to trusted parties
disclosure based on regulatory/legislative requirements
prevent inadvertent release of information
use secure method of communication
307
what is data exfiltration?
the unauthorized copying, transfer or retrieval of data from a computer or server
308
what should you do if you discover rogue devices on the network?
locate and remove them
309
what happens in vertical privilege escalation?
the attacker obtains higher privileges by performing operations that allow the attacker to run unauthorized code
310
what are the SIX network-related symptoms of incidents?
bandwidth consumption
beaconing
irregular peer-to-peer communication
rogue devices on the network
scan sweeps
unusual traffic spikes
311
what is meant by anomalous activity?
activity that is outside the norms
312
when does an escalation of privileges attack occur?
when an attacker has used a design flaw in an application to obtain unauthorized access to the application
313
what are scan sweeps?
an attempt by an unauthorized entity to map your network
314
what happens in horizontal privilege escalation?
the attacker obtains the same level of permissions as he already has but uses a different user account to do so
315
what are the eight host-related symptoms of an incident?
processor consumption
memory consumption
drive capacity consumption
unauthorized software
malicious processes
unauthorized changes
316
what is beaconing?
when malware attempts to remotely connect to a command and control host or network
317
what are the SIX application-related symptoms of incidents?
anomalous activity
introduction of new accounts
unexpected output
unexpected outbound communication
service interruption
memory overflows
318
what is the best way to determine the attack vector used by a hacker?
reverse engineering
319
why should a first responder be familiar with the incident response plan?
to ensure that the appropriate procedures are followed
320
which eradication technique involves reinstalling the operating system, applying all system updates, reinstalling the anti-malware software, and implementing any organizational security settings?
reconstruction or re-imaging
321
what are the FOUR validation techniques?
patching, verifying permissions, scanning, verifying logging/communication to security monitoring
322
what is the name of the security process that involves recognition, verification, classification, containment, and analysis?
incident response
323
what are the THREE eradication techniques?
sanitization, reconstruction or re-image, secure disposal
324
what are the FOUR containment techniques?
segmentation, isolation, removal, reverse engineering
325
which containment technique involves limiting the scope of the incident by leveraging existing segments of the network as barriers to prevent the spread of the incident to other segments?
segmentation
326
which containment technique involves retracing the steps in the incident as seen from the logs in the affected devices or in logs of infrastructure devices that may have been involved?
reverse engineering
327
what is the name of the group of people appointed to respond to security incidents?
incident response team
328
which type of review should be completed last as part of incident response?
a post-mortem review
329
which containment technique involves either blocking all traffic to and from the device or devices, or shutting down the interfaces of the device or devices?
isolation
330
what are the SEVEN steps in a FORENSIC INVESTIGATION?
1. identification
2. preservation
3. collection
4. examination
5. analysis
6. presentation
331
which eradication technique removes all traces of the threat by overwriting the drive multiple times to ensure all data is destroyed?
sanitization
332
in which location should all changes made to your organization's network and computers be listed?
in the change management system
333
what are the FIVE steps in the INCIDENT RESPONSE PROCESS?
contain, eradicate, validate, corrective action, reporting
334
what is incident management?
the activities of an organization to identify, analyze, and correct risks as they are identified
335
which audit category will audit all instances of users exercising their rights?
the audit privilege use audit category
336
what is another term for logical controls?
technical controls
337
which type of control dictates how security policies are implemented to fulfill the company's security goals?
administrative or management control
338
what is the name of the process for removing only the incriminating data from the audit logs?
scrubbing
339
which type of control is implemented to secure physical access to an object, such as a building, a room, or a computer?
physical or operational control
340
which type of controls include developing policies and procedures, screening personnel, conducting security awareness training, and implementing change control?
administrative controls
341
what is the purpose of administrative controls?
to implement security policies based on procedures, standards, and guidelines
342
what is the purpose of password complexity rules?
to ensure that users do not use passwords that are easy to guess using dictionary attacks
343
what must you do for an effective security auditing policy, besides creating security logs?
analyze the logs
344
what is the purpose of physical controls?
to work with administrative and technical controls to enforce physical access control
345
which audit category tracks access to all objects outside active directory?
the audit object access audit category
346
which password attack does an account lockout policy protect against?
a brute force attack
347
if a user needs administrative-level access, how many user accounts should be issued to the user?
two - one for normal tasks, one for administrative-level tasks
348
which setting ensures that accounts are not used beyond a certain date and/or time?
account expiration
349
what are you trying to determine if you implement audit trails to ensure that users are not performing unauthorized functions?
accountability
350
which setting ensures that users periodically change their account passwords?
password expiration
351
what is the name for the process of tracking user activities by recording selected events in the server activity logs?
auditing
352
which document is used when it is necessary to invoke legal action against an employee for inappropriate use of computer resources?
acceptable use policy
353
which type of controls include access control mechanisms, password management, identification methods, authentication methods, and security devices?
technical or logical controls
354
what are the FIVE stages in the life cycle of the evidence or the chain of custody?
1. collection of evidence from the site
2. analysis of the evidence by a team of experts
3. storage of the evidence in a secure place to ensure that the evidence is not tampered with
4. presentation of the evidence by legal experts in a court of law
5. returning the evidence to the owner after the proceedings are over
355
what is the purpose of audit logs?
to document actions taken on a computer network and the party responsible for those actions
356
which type of controls work to protect system access, network architecture and access, control zones, auditing, and encryption and protocols?
technical controls
357
what is the purpose of technical controls?
to restrict access to objects and protect availability, confidentiality, and integrity
358
when should an administrative account be used?
when performing administrative-level tasks
359
which linux file contains encrypted user passwords that only the root user can read?
/etc/shadow
360
what is the purpose of password age rules?
to ensure that users change their passwords on a regular basis
361
which account should you rename immediately after installing a new operating system (OS) to harden the OS?
the administrator account
362
which assessment examines whether network security practices follow a company's security policy?
an audit
363
which audit category monitors changes to user accounts and groups?
the audit account management audit category
364
what is the purpose of the password history settings?
to ensure that users do not keep reusing the same passwords
365
which setting ensures that repeated attempts to guess a user's password are not possible beyond the configured value?
account lockout
366
which account should you disable immediately after installing a new operating system (OS) to harden the OS?
the guest account
367
which log in event viewer should you open to view events that are generated based on your auditing settings?
the security log
368
what is a good password complexity policy?
a mixture of numbers, uppercase and lowercase letters, and special characters, such as rObin3*nest
369
which audit category tracks all attempts to log on with a domain user account when enabled on domain controllers?
the audit account logon events audit category
370
which type of controls include controlling access to different parts of a building, implementing locking systems, installing fencing, implementing environmental controls, and protecting the facility perimeter?
physical controls
371
what is the top-most level of the LDAP hierarchy?
root
372
what is the primary function of LDAP?
lightweight directory access protocol (LDAP) controls client access to directories
373
what are flood guards?
devices that protect against denial of service (DoS) attacks
374
what does the acronym RADIUS denote?
remote authentication dial-in user service
375
what are the two types of eye scans?
iris scans and retinal scans
376
which type of authentication is accomplished by authenticating both the client and server sides of a connection through the encrypted exchange of credentials?
mutual authentication
377
what does the acronym TACACS denote?
terminal access controller access control system
378
which function does a single sign-on (SSO) system provide?
it allows a user to present authentication credentials once and gain access to all computers within the SSO system
379
what is the purpose of federated identity management?
it allows single sign-on (SSO) between companies
380
what does the acronym KDC denote?
key distribution center
381
which authentication protocol uses UDP: TACACS+ or RADIUS?
RADIUS
382
which security-server application and protocol implements authentication and authorization of users from a central server over TCP?
terminal access controller access control system plus (TACACS+)
383
which authentication protocol is an open standard: TACACS+ or RADIUS?
RADIUS
384
which authentication system includes clients, servers, and a key distribution center (KDC)?
kerberos
385
which authentication protocol separates authentication and authorization: TACACS+ or RADIUS?
TACACS+
386
which Cisco implementation is similar to a RADIUS implementation?
TACACS
387
what are the two components of the kerberos key distribution center?
authentication server (AS) and ticket-granting server (TGS)
388
which access control model is based on the data's owner implementing and administering access control?
discretionary access control (DAC)
389
which eye scan measures the pattern of blood vessels at the back of the eye?
retinal scan
390
scanning fingerprints is an example of which authentication technique?
biometrics
391
using role-based access control (RBAC), which entities are assigned roles?
users or subjects
392
which kerberos component holds all users' and services' cryptographic keys and generates tickets?
key distribution center (KDC)
393
who has the responsibility for configuring access rights in discretionary access control (DAC)?
the data owner or data custodian
394
what is the most important biometric system characteristic?
accuracy
395
which type of attack can turn a switch into a hub?
MAC flooding
396
what does the acronym MAC denote?
mandatory access control
397
which type of eye scan is considered more intrusive than other eye scans?
retinal scan
398
which fingerprint scan will analyze fingerprint ridge direction?
minutiae matching
399
why is password disclosure a significant security issue in a single sign-on network?
it could compromise the entire system because authentication grants access to any systems on the network to which the actual user may have permission
400
which access control model has the lowest cost?
role-based access control (RBAC)
401
what does the acronym SSO denote?
single sign-on
402
which authentication protocol encrypts the entire packet (not just the password): TACACS+ or RADIUS?
TACACS+
403
which authentication protocol uses tickets to authenticate users?
Kerberos
404
which function does RADIUS provide?
centralized authentication, authorization, and accounting for remote dial-in users
405
which security-server application and protocol implements authentication of users from a central server over UDP?
remote authentication dial-in user service (RADIUS)
406
which directory protocol does directory-enabled networking (DEN) use?
lightweight directory access protocol (LDAP)
407
which access control model uses security labels for each resource?
mandatory access control (MAC)
408
what are the two advantages of single sign-on (SSO)?
convenience and centralized administration
409
which access control model requires assigning security clearance levels to users, such as secret, top-secret, and confidential?
mandatory access control (MAC)
410
which internet protocol based on X.500 is used to access the data stored in a network directory?
lightweight directory access protocol (LDAP)
411
what is the purpose of RADIUS?
remote authentication dial-in user service (RADIUS) enables remote access users to log on to a network through a shared authentication database
412
which ethernet standard uses a wireless access point with a remote authentication dial-in user service (RADIUS) server to authenticate wireless users?
802.1x
413
which type of authentication combines two or more authentication methods, like something that a person knows (such as password), something that a person owns (such as a smart card), and a characteristic about the person (such as a fingerprint)?
multi-factor authentication
414
which technique is used to prevent network bridging?
network separation
415
on which standard is lightweight directory access protocol (LDAP) based?
X.500
416
what are the two types of ciphers?
block and stream
417
what is most commonly used to provide proof of message's origin?
a digital signature
418
which key is used to decrypt a digital signature: public or private?
public
419
which cryptographic technique is based on a combination of two keys: a secret (private) key and a public key?
public-key cryptography
420
in asymmetric encryption for a digital signature, which key is used for encryption: public or private?
private
421
what are mandatory vacations?
administrative controls that ensure that employees take vacations at periodic intervals
422
what are two other names for single-key cryptography?
symmetric key encryption and secret-key encryption
423
which type of cryptography is more secure: symmetric or asymmetric?
asymmetric
424
which security measure prevents fraud by reducing the chances of collusion?
separation of duties
425
what are the three issues that symmetric data encryption fails to address?
data integrity, repudiation, scalable key distribution
426
to provide checks and balances and to prevent one person from gaining too much power over a system, which type of security policy should you implement?
separation of duties
427
what is the term for the process that applies a one-way mathematical function called a message digest function to an arbitrary amount of data?
hashing
428
what is a dual control?
when two operators work together to accomplish a sensitive task
429
what is segregation of duties?
when a sensitive activity is segregated into multiple activities and tasks are assigned to different individuals to achieve a common goal
430
what is another name for public-key encryption?
asymmetric encryption
431
what is another term used for layered security?
defense in depth
432
what is job rotation?
when an individual can fulfill the tasks of more than one position in the organization and duties are regularly rotated to prevent fraud
433
what is the opposite of confidentiality?
disclosure
434
what is the purpose of filters on a web server?
they limit the traffic that is allowed through
435
what is the purpose of a sandbox in a java applet?
it prevents java applets from accessing unauthorized areas on a user's computer
436
which error condition arises because data is not checked before input to ensure that it has an appropriate length?
buffer overflow errors
437
when does fuzzing occur?
when unexpected values are provided as input to an application to make the application crash
438
what are the FIVE phases of the system development life cycle (SDLC)?
1. initiation
2. development and acquisition
3. implementation and assessment
4. operations and maintenance
5. disposal
439
what is the purpose of a decompiler?
to re-create the source code in some high-level language
440
which type of attack runs code within another process's address space by making it load a dynamic link library?
a DLL injection attack
441
what is the purpose of fuzz testing?
to identify bugs and security flaws within an application
442
what are alternate terms for cross-site request forgery (XSRF)?
session riding or one-click attack
443
which application hardening method requires that your organization periodically checks with the application vendor?
patch management
444
what is the most significant misuse of cookies?
misuse of personal data
445
when does fuzzing occur?
when unexpected values are provided as input to an application in an effort to make the application crash
446
what does a race condition typically attack?
the delay between time of check (TOC) and time of use (TOU)
447
when does a cross-site scripting (XSS) attack occur?
it occurs when an attacker locates a vulnerability on a web site that allows the attacker to inject malicious code into a web application
448
what is the name for a small piece of information that is saved on a client machine on the hard disk to enable tracking of user information on future web visits?
a cookie
449
what is the purpose of an application disassembler?
to read and understand the raw language of the program
450
what is the purpose of a fail-safe error handler?
to ensure that the application stops working, reports the error, and closes down
451
what is an application backdoor?
lines of code that are inserted into an application to allow developers to enter the application and bypass the security mechanisms
452
what is cross-site request forgery (XSRF)?
unauthorized commands coming from a trusted user to a user or web site, usually through social networking
453
what should application developers do to prevent race condition attacks?
create code that processes exclusive-lock resources in a certain sequence and unlocks them in reverse order
454
what is the best protection against cross-site scripting (XSS)?
disable the running of scripts
455
what is the purpose of secure code review?
it examines all written code for any security holes that may exist
456
what is a cookie?
a web client text file that stores persistent settings for a web server
457
what is the purpose of input validation?
to ensure that data being entered into a database follows certain parameters
458
what is the purpose of application hardening?
it ensures that an application is secure and unnecessary services are disabled
459
which error occurs when the length of the input data is more than the length that processor buffers can handle?
buffer overflow
460
which type of attack is characterized by an attacker who takes over the session of an already authenticated user?
hijacking
461
what is a zero-day exploit?
an attack that exploits a security vulnerability on the day the vulnerability becomes generally known
462
when does a persistent XSS attack occur?
when data provided to the web application is first stored persistently on the server and later displayed to users without being encoded using HTML on the Web client
463
which type of attack intercepts an established TCP session?
TCP hijacking or session hijacking
464
which type of attack enables an intruder to capture and modify data traffic by rerouting the traffic from a network device to the intruder's computer?
network address hijacking
465
what are the FIVE monitoring tools analysts need to know?
MRTG (multi router traffic grapher)
Nagios
SolarWinds
Cacti
Netflow Analyzer
466
what is wireshark?
a protocol analyzer or packet sniffer
467
what are the THREE IPS tools?
Sourcefire
Snort
Bro
468
what is unit testing?
the debugging performed by the programmer while coding instructions
469
what are the THREE categories of exploit tools?
interception proxy
exploit framework
fuzzers
470
what error condition arises because data is not checked before input to ensure that it has an appropriate length?
buffer overflow errors
471
what is the purpose of content inspection?
to search for malicious code or behavior
472
what are the TWO exploit framework tools analysts need to know?
Metasploit, Nexpose
473
what are the six SIEM tools analysts need to know?
Arcsight, QRadar, Splunk, AlienVault, OSSIM, Kiwi Syslog
474
what is microsoft baseline security analyzer?
a microsoft application that creates security reports
475
what are TWO examples of input validation errors?
buffer overflow and boundary condition errors
476
what is a proxy server?
a server that caches and filters content
477
what are the seven categories of preventive tools?
IPS
Firewall
Anti-Virus
Anti-malware
Enhanced Mitigation Experience Toolkit (EMET)
Web proxy
Web application firewall
478
which error occurs when the length of the input data is more than the length that processor buffers can handle?
a buffer overflow
479
what is the most popular intrusion detection system (IDS)?
network-based IDS
480
what are the three interception proxy tools analysts need to know?
Burp Suite
Zap
Vega
481
what does the acronym IDS denote?
intrusion detection system
482
what are the SEVEN command-line tools analysts need to know?
netstat
ping
tracert/traceroute
ipconfig/ifconfig
nslookup/dig
Sysinternals
OpenSSL
483
what is the difference between a password checker and a password cracker?
there is no difference. they are the same tools
484
what are the SIX vulnerability scanning tools analysts need to know?
Qualys
Nessus
OpenVAS
Nexpose
Nikto
Microsoft Baseline Security Analyzer
485
what are the TWO password cracking tools analysts need to know?
John the Ripper
Cain and Abel
486
what are the five forensic suite tools analysts need to know?
EnCase
FTK (forensic toolkit)
Helix
Sysinternals
Cellebrite
487
which type of control is an intrusion detection system (IDS)?
detective technical
488
which type of vulnerability assessment is more likely to demonstrate the success or failure of a possible attack?
a double-blind test
489
what is Nessus?
a network vulnerability scanner
490
what are the THREE categories of analytical tools?
vulnerability scanning
monitoring tools
interception proxy
491
what are the THREE web application firewalls (WAFs) analysts need to know?
ModSecurity
NAXSI
Imperva
492
what is the imaging tool analysts need to know?
DD
493
what are the two hashing tools analysts need to know?
MD5sum
SHAsum
494
what is the network scanning tool analysts need to know?
NMAP
495
what activity provides identification of security flaws and verification of levels of existing resistance?
penetration testing
496
what are the THREE fuzzer tools analysts need to know?
Untidy
Peach Fuzzer
Microsoft SDL File/Regex Fuzzer
497
what are the FOUR categories of forensics tools?
forensics suites
hashing
password cracking
imaging
498
what are the four packet capture tools analysts need to know?
wireshark
tcpdump
network general
aircrack-ng
499
which tool obtains a visual map of the topology of your network, including all devices on the network?
a network mapper, also referred to as a network enumerator
500
what are the THREE firewall vendors analysts need to understand?
Cisco, Palo Alto, Check Point
501
which tool should you use to retrieve the contents of a GET request: a protocol analyzer or port scanner?
protocol analyzer
502
what are the SIX categories of collective tools?
SIEM
Network scanning
Vulnerability scanning
Packet capture
Command-line utilities
IDS