ALL Flashcards
<p>what is a public cloud?</p>
<p>the standard cloud computing model where a service provider makes resources available to the public over the internet</p>
<p>what does OS fingerprinting involve?</p>
<p>using active fingerprinting to look at the ports (open/closed and the types of responses) and passive fingerprinting to examine the traffic to and from the computer (looking for the default window size or TTL of packets)</p>
<p>what are the three main protocols that can be used for wireless networks?</p>
<p>wired equivalent privacy (WEP), WPAv1, WPAv2</p>
<p>what is the purpose of infrastructure as a service (IaaS) in cloud computing?</p>
<p>it provides computer and server infrastructure, typically through a virtualization environment</p>
<p>what do you use to control traffic from the internet to the LAN (local area network) by controlling the packets that are allowed to enter the LAN?</p>
<p>a firewall</p>
<p>what is the most common type of system used to detect intrusions into a computer network?</p>
<p>NIDS</p>
<p>what is the purpose of PaaS in cloud computing?</p>
<p>it provides not only a virtualized deployment platform but also a value-added solution stack and an application development platform</p>
<p>what is the term for an unauthorized access that a network-based intrusion detection system (NIDS) fails to detect?</p>
<p>missed detection or false positive</p>
<p>what does the acronym IDS denote?</p>
<p>Intrusion detection system</p>
<p>what is the main difference between an IDS and an IPS?</p>
<p>an IDS detects intrusions. an IPS prevents intrusions</p>
<p>what does the acronym ACL denote?</p>
<p>access control list</p>
<p>what devices can limit the effectiveness of sniffing attacks: switches or routers?</p>
<p>switches</p>
<p>what are the two major types of intrusion detection systems (IDS)?</p>
<p>network IDS (NIDS) and host IDS (HIDS)</p>
<p>which type of IDS detects attack on individual devices?</p>
<p>host intrusion detection system (HIDS)</p>
<p>which layer 3 device allows different logical networks to communicate?</p>
<p>router</p>
<p>what is the default rule found in a firewall's access control list (ACL)?</p>
<p>deny all</p>
<p>what does the acronym NIDS denote?</p>
<p>network-based intrusion detection system</p>
<p>which security control is lost when using cloud computing?</p>
<p>physical control of the data</p>
<p>what is the term for an authorized access that a network-based intrusion detection system (NIDS) incorrectly detects as an attack?</p>
<p>false positive</p>
<p>what are the four types of cloud computing based on management type?</p>
<p>public, private, hybrid, and community</p>
<p>what is hybrid cloud?</p>
<p>a cloud computing environment in which an organization provides and manages some resources in-house and has others provided externally via a public cloud</p>
<p>what is multi-tenancy cloud?</p>
<p>a cloud model where multiple tenants share the resources. this model allows the service providers to manage the resource utilization more efficiently</p>
<p>which type of system identifies suspicious patterns that may indicate a network or system attack?</p>
<p>intrusion detection system (IDS)</p>
<p>why is data isolation used in cloud environments?</p>
<p>to ensure that tenant data in a multi-tenant solution is isolated from other tenant' data using a tenant ID in the data labels</p>
<p>which information do routers use to forward packets to their destinations?</p>
<p>the network address and subnet mask</p>
<p>what does the acronym HIDS denote?</p>
<p>host-based intrusion detection system</p>
<p>what is a community cloud?</p>
<p>an infrastructure that is shared among several organizations from a specific group with common computing concerns</p>
<p>what is the purpose of software as a service (SaaS) in cloud computing?</p>
<p>it ensures on-demand, online access to an application suite without the need for local installation</p>
<p>what is a single-tenancy cloud?</p>
<p>a cloud model where a single client or organization uses a resource</p>
<p>what OS footprinting do?</p>
<p>it performs the fingerprinting steps as well as gathering additional information, such as polling DNS (check the status/survey), registrar queries, and so on</p>
<p>which type of IDS detects malicious packets on a network?</p>
<p>network intrusion detection system (NIDS)</p>
what is lightweight extensible authentication protocol (LEAP)?
a proprietary wireless LAN authentication method developed by Cisco Systems
which type of analysis involves identifying traffic that is abnormal?
anomaly analysis
which wireless protocol provides the best security: WEP, WAP, WPA, or WPA2?
WPA2 with CCMP
which category of IDS might increase logging activities, disable a service, or close a port as a response to a detected security breach?
active detection
what does the acronym SIEM denote?
security information and event management
what should you do to ensure that a wireless access point signal does not extend beyond it needed range?
reduce the power levels
which type of analysis involves examining information in the header of the packet?
protocol analysis
what is the purpose of MAC filtering?
to restrict the clients that can access a wireless network
what is protected extensible authentication protocol (PEAP)?
a protocol that encapsulates the EAP within an encrypted and authenticated TLS tunnel
what are the two modes of WAP and WPA2?
personal (also called preshared key or WPA-PSK / WPA2-PSK) and enterprise
what type of analysis focuses on the long term direction in the increase or decrease in a particular type of traffic?
trend analysis
which security protocol is the standard encryption protocol for use with the WPA2 standard?
counter mode cipher block chaining message authentication code protocol (CCMP)
which security protocol was designed as an interim solution to replace WEP without requiring the replacement of legacy hardware?
temporal key integrity protocol (TKIP)
which intrusion detection system (IDS) watches for intrusions that match a known identity?
signature-based IDS
which software can collect logs from specified devices, combine the logs, and analyze the combined logs for security issues?
security information and event management (SIEM)
what doe heuristic analysis do?
it determines the susceptibility of a system towards a particular threat/risk using decision rules or weighing methods
which protocol does the enterprise mode of WPA and WPA2 use for authentication?
extensible authentication protocol (EAP)
which wireless mode ensures that wireless clients can only communicate with the wireless access point and not with other wireless clients?
isolation mode
which type of IDS or IPS uses an initial database of known attack types but dynamically alters their signatures base on learned behavior?
heuristic
what doe packet analysis do?
it examines the entire packet, including the payload
what are the non-overlapping channels for 802.11g/n?
channels 1,6, and 11
what are the non-overlapping channels for 802.11b?
channels 1,6,11, and 14
what is the most secure implementation of file transfer protocol (FTP)?
secure file transfer protocol (SFTP)
what is the name for a hole in the security of an application deliberately left in place by a designer?
backdoor
which malicious software infects a system without relying upon other applications for its execution?
a worm
what does an anti-virus application signature file contain?
it contains identifying information about viruses
which application or services uses TCP/UDP port 3389?
remote desktop protocol (RDP)
which port number is used by TFTP?
UDP port 69
what is the name for a fix that addresses a specific windows system problem or set of problems?
hotfix
which firewall port should you enable to allow SMTP trafic to flow through the firewall?
port 25
how many TCP/UDP ports are vulnerable to malicious attacks?
65,536
which type of virus can change its signature to avoid detection?
polymorphic
what is the default PPTP port?
TCP port 1723
what is the purpose of NAC?
network access control (NAC) ensures that the computer on the network meets an organization’s security policies
using role-based access control (RBAC), which entities are assigned roles?
users or subjects
what is the name of the area that connects to a firewall and offers services to untrusted networks?
DMZ
which virus creates many variants by modifying its code to deceive antivirus scanners?
polymorphic virus
which port should you block at your network firewall to prevent telnet access?
port 23
what is a good solution if you need to separate two departments into separate networks?
VLAN segregation
which port number does LDAP use for communications encrypted using SSL/TLS?
port 636
which type of code performs malicious acts only when a certain set of conditions occurs?
a logic bomb
which firewall port should you enable to allow IMAP4 traffic to flow through the firewall?
TCP port 143
which two port does FTP use?
ports 20 and 21
what does VLAN segregation accomplish?
it protects each individual segment by isolating the segments
which port number does HTTP use?
port 80
which port numbers are used by NetBIOS?
ports 137, 138, 139
which type of malware appears to perform a valuable function, but actually performs malicious acts?
trojan horse
which port number does LDAP use when communications are not secured using SSL/TLS?
port 389
what does the acronym RBAC denote?
role-based access control
which viruses are written in macro language and typically infect operating systems?
macro viruses
who can change a resource’s category in a mandatory access control environment?
administrators only
which port number does NNTP (network news transfer protocol) use?
TCP port 119
what is a trojan horse?
malware that is disguised as a useful utility, but is embedded with a malicious code to infect computer systems
which port number does NTP use?
port 123
what does the acronym DAC denote?
discretionary access control
which firewall port should you enable to allow POP3 traffic to flow through the firewall?
TCP port 110
which port number does DHCP use?
port 67
which port number is used by SSL, FTPS, and HTTPS?
TCP port 443
which port number is used by SSH, SCP, and SFTP?
port 22
what is the default L2TP port?
UDP port 1701
which type of access control associates roles with each user?
role-based access control (RBAC)
why should you install a software firewall and the latest software patches and hotfixes on your computer?
to reduce security risks
what is the name for a collection of hotfixes that have been combined into a single patch?
a service pack
which type of access control is the multi-level security mechanism used by the department of defense (DoD)?
mandatory access control (MAC)
which port number does DNS use?
port 53
which port number is used by SMB?
tcp port 445
what is a file considered in a mandatory access control environment?
an object
what is the purpose of anti-spam application or filters?
to prevent unsolicited e-mail
which type of access control was originally developed for military use?
mandatory access control (MAC)
when should you install a software patch on a production server?
after the patch has been tested
which type of access control is most suitable for top-secret information?
mandatory access control (MAC)
which port number does SNMP use?
UDP port 161
in a secure network, what should be the default permission position?
implicit deny
which port number does SSH use?
port 22
which type of virus attempts to hide from antivirus software and from the operating system by remaining in memory?
stealth
which port is used for LDAP authentication?
port 389
which self-replicating computer program sends copies of itself to other devices on the network?
worm
which port number is used by microsoft SQL server?
tcp port 1433
which TCP port number does secure sockets layer (SSL) use?
port 443
according to the CySA+ objectives, what are the six rules of engagement for penetration testing?
timingscopeauthorizationexploitationcommunicationreporting
is a DHCP server normally placed inside a DMZ?
no
what is meant by the term exploitation in regards to rules of engagement in penetration testing?
all exploits that will be attempted during a scan
what is decomposition?
the process of breaking software or malware down to discover how it works
what is meant by the term scope in regards to vulnerability testing?
the devices or parts of the network that can be scanned and the types of scans to be performed
which technology enables a LAN to use one set of IP addresses for internal traffic and a second set of addresses for external traffic, while hiding internal addresses or address space?
NAT
which assessment determines whether network security is properly configured to rebuff hacker attacks?
penetration test
what is the purpose of network segmentation?
to isolate a group of devices
what can be used to run a possibly malicious program in a safe environment?
sandbox
which term is used for the process of verifying the integrity of a file by using a hashing algorithm?
fingerprinting or hashing
what is the purpose of the blue team in a training exercise?
defending the device or network
which documentation reduces the likelihood that you have received counterfeit equipment?
OEM (original equipment manufacturer) documentation
which type of connectivity provides a remote user the ability to safely connect to his or her corporate network while maintaining data confidentiality and integrity?
VPN
what is the purpose of the red team in a training exercise?
attacking the devices or network
what is meant by the term timing in regards to penetration testing?
the time when the test should occur and when it should not occur
what is the primary security advantage of using NAT?
NAT hides internal IP addresses from the public network
what is meant by the term authorization in regards to penetration testing?
the written agreement and legal authority to perform a vulnerability test
which type of test attempts to exploit vulnerabilities?
penetration test or pentest
which type of test ONLY identifies vulnerabilities?
vulnerability test
what is the purpose of rules of engagement for penetration testing?
they define how a penetration test should occur, including the factors that limit the penetration test
what does the acronym OEM denote?
original equipment manufacturer
which team acts as the referee during a training exercise?
white team
what is the purpose of the Trusted Foundry?
it identifies trusted vendors and ensures a trusted supply chain for the united states department of defense (DoD)
does each VLAN create its own collision domain or its own broadcast domain?
broadcast domain
what should you consult to identify all systems that need to have a vulnerability scan?
the company’s asset inventory
what is a flaw, loophole, or weakness in the system, software, or hardware?
vulnerabiltiy
which scan has less of an impact on the network: agent-based or server-based?
agent-based vulnerability scans because they run on the device and only send the report to the centralized server
what are the two main factors that CompTIA list as factors for prioritizing vulnerability remediation?
criticality and difficulty of implementation
how often should vulnerability scans be carried out based on PCI-DSS standards?
every three months and whenever systems are updated
which SCAP component provides standardized names for security-related software flaws?
common vulnerabilities and exposures (CVE)2
what does the acronym CCE denote?
common configuration enumeration
which systems provides CCE and CVE identifiers for vulnerability scans?
security content automation protocol (SCAP)
which term is used for an agreement that is signed by two partnering companies?
business partners agreement (BPA)
what does the acronym CVE denote?
common vulnerabilities and exposures
which term is used for an agreement between two or more parties where the parties cannot create a legally enforceable agreement?
memorandum of understanding (MoU)
what does the acronym SCAP denote?
security content automation protocol
which step of the vulnerability management process involves assessing the documented requirements and workflow to determine when scans should occur?
establish scanning frequency
why should you document workflow prior to setting up a vulnerability scan?
to help provide business constraints for the scan
which step of the vulnerability management process involves documenting the regulatory environment and corporate policy, classifying data, and obtaining an asset inventory?
identify requirements
in which situation will you accept a risk?
when the cost of the safeguard exceeds the amount of the potential loss
why should you deploy remediation in a sandbox environment?
to test the effects of the remediation to ensure that the devices will be able to function properly after deployment
what is the process for the vulnerability management process?
- identify requirements2. establish scanning frequency3. configure the tools to perform the scans according to specifications4. execute the scan5. generate scan reports6. provide remediation for discovered vulnerabilities
what does the acronym CVSS denote?
common vulnerability scoring system
what is a service level agreement (SLA)?
a contract between a network service provider and a customer that specifies the services the network service provider will furnish
which range of CVSS scores indicates low priority?
0.1 to 3.9
what is meant by the term vulnerability feed?
the updates to the vulnerability scanner that ensures that the scanner is able to recognize newly discovered vulnerabilities
which range of CVSS scores indicates high priority?
7.0 to 8.9
what happens with an agent-based vulnerability scan?
agents are installed on the devices to run the scan and send the report to a centralized server
which range of CVSS scores indicates medium priority?
4.0 to 6.9
what is the recommended action when the cost of the safeguard exceeds the amount of the potential loss for a given risk?
to accept the risk
which permissions should you assign the account used for the vulnerability scans?
read only
which SCAP component provides standard names for product names and versions?
common platform enumeration (CPE)
which step of the vulnerability management process includes scanning criteria, such as sensitivity levels, vulnerability feed, and scope?
configure the tools to perform the scans according to specifications
which range of CVSS scores indicates critical priority?
9.0 to 10.0
what is meant by the scope of a vulnerability scan?
the range of hosts or subnets included in the scan
what is the purpose of a discovery vulnerability scan?
to create an inventory of assets based on host or service discovery
which SCAP component provides a standardized metric that measures and describes the severity of security-related software flaws?
common vulnerability scoring system (CVSS)
what is the term Nessus uses for vulnerability feeds?
plug-ins
which type of vulnerability scan includes the appropriate permissions for the different data types?
credentialed scan
what does a CVSS score of 0 indicate?
no issues
what are the FIVE inhibitors to remediation after a vulnerability scan?
MOUsSLAsOrganizational GovernanceBusiness process interruptionDegrading functionality
what does the acronym CPE denote?
common platform enumeration (CPE)
what are the three possible values of the availability (A) metric of the CVSS vector, and what do they stand for?
N - NoneP - PartialC - Complete
which value of the authentication (Au) metric of the CVSS vector means no authentication mechanisms are in place to stop the exploitation of the vulnerability?
N
which CVSS metric describes the authentication on attacker would need to get through to exploit the vulnerability?
the authentication (Au) metric
which value of the access vector (AV) metric of the CVSS vector indicates that the attacker must have physical access to the affected system?
L
which value of the Access Vector (AV) metric of the CVSS vector indicates the attacker can cause the vulnerability from any network?
N
which value of the confidentiality (C) metric of the CVSS vector means all information on the system could be compromised?
C
which value of the Confidentiality (C) metric of the CVSS vector means some access to information would occur?
P
what are the three possible values of the Access Vector (AV) metric of the CVSS vector, and what do they stand for?
L - LocalA - AdjacentN - Network
which CVSS metric describes the difficulty of exploiting the vulnerability?
the access complexity (AC) metric
which CVSS metric describes the information disclosures that may occur if the vulnerability is exploited?
the confidentiality (C) metric
what are the three main possible values of the authentication (Au) metric of the CVSS vector, and what do they stand for?
M - MultipleS - SingleN - None
which value of the availability (A) metric of the CVSS vector means system performance is degraded?
P
which CVSS metric describes how the attacker would exploit the vulnerability?
the access vector (AV) metric
which value of the integrity (I) metric of the CVSS vector means some information modification would occur?
P
what are the three possible values of the confidentiality (C) metric of the CVSS vector, and what do they stand for?
N - NoneP - PartialC - Complete
which value of the integrity (I) metric of the CVSS vector means all information on the system could be compromised?
C
which value of the Access Complexity (AC) metric of the CVSS vector means the vulnerability does not require special conditions?
L
which value of the availability (A) metric of the CVSS vector means the system is completely shut down?
C
which CVSS metric describes the disruption that might occur if the vulnerability is exploited?
the availability (A) metric
what should you do for the false positives in a vulnerability scanning report once you have verified that they are indeed false?
configure exceptions for the false positives in the vulnerability scanner
what is meant by the term false negative in a vulnerability scan?
when the vulnerability scan indicated no vulnerabilities existed when, in fact, one was present
which value of the access vector (AV) metric of the CVSS vector indicates the attacker must be on the local network?
A
which value of the integrity (I) metric of the CVSS vector means there is no integrity impact?
N
which CVSS metric describes the type of data alteration that might occur?
the integrity (I) metric
which value of the Confidentiality (C) metric of the CVSS vector means there is no confidentiality impact?
N
which value of the authentication (Au) metric of the CVSS vector means the attacker would need to get through two or more authentication mechanisms?
M
which value of the authentication (Au) metric of the CVSS vector means the attacker would need to get through one authentication mechanism?
S
what are the three possible values of the Access Complexity (AC) metric of the CVSS vector, and what do they stand for?
H - HighM - MediumL - Low
what are the three possible values of the integrity (I) metric of the CVSS vector, and what do they stand for?
N - NoneP - PartialC - Complete
which value of the Availability (A) metric of the CVSS vector means there is no availability impact?
N
which value of the Access Complexity (AC) metric of the CVSS vector means the vulnerability requires somewhat special conditions?
M
which value of the Access Complexity (AC) metric of the CVSS vector means the vulnerability requires special conditions that are hard to find?
H
what should you do if you expect that there are false positives in a vulnerability scanning report?
verify the false positives to ensure that you can eliminate them from the report
in which type of attack is a user connected to a different web server than the one intended by the user?
hyperlink spoofing attack
what is meant by VM escape?
viruses and malware can migrate multiple VMs on a single server
which type of system does a stuxnet attack target?
a supervisory control and data acquisition (SCADA) system
which type of attack involves flooding a recipient e-mail address with identical e-mails?
spamming attack
what is a replay attack?
an attack where an intruder records the communication between a user and a server, and later plays the recorded information back to impersonate the user
what is the purpose of GPS tracking on a mobile device?
it allows a mobile device to be located
what is a command injection?
when an operating system command is submitted in an HTML string
what is war chalking?
leaving signals about a wireless network on the outside of the building where it is housed
which attack is an extension of the denial-of-service (DoS) attack and uses multiple computers?
DDoS attack
which component of a computer use policy indicates that data stored on a company computer is not guaranteed to remain confidential?
a no expectation of privacy policy
how do you ensure that data is removed from a mobile device that has been stolen?
use a remote wipe or remote sanitation program
what is phishing?
when an e-mail request for confidential information that appears to originate from a bank or other trusted institution is received
what is click-jacking?
a technique that is used to trick users into revealing confidential information or taking over the user’s computer when clicking links
what does the acronym SCADA denote?
supervisory control and data acquisition
which type of attack allows an attacker to redirect internet traffic by setting up a fake DNS server to answer client requests?
DNS spoofing
what is the purpose of screen locks on mobile devices?
to prevent users from accessing the mobile device until a password or other factor is entered
which type of attack is characterized by an attacker who records an encrypted transmission between a client and a server computer so that he or she can then send it to the server to gain access?
a replay attack
why is it important to limit the use of flash drives and portable music devices by organization employees?
to prevent users from copying data to their personnel devices and possibly causing data leakage or from transferring malware to corporate computers
which type of attack is characterized by an attacker who situates himself or herself in such a way that he or she can intercept all traffic between two hosts?
man-in-the-middle
should virtual servers have the same information security requirements as physical servers?
Yes
what is a smurf attack?
an attack where a ping request is sent to a broadcast network address with the aim of overwhelming the system
what causes VM sprawl to occur?
when multiple VMs become difficult to manage
what is an Xmas attack?
an attack that looks for open ports
what is an XML injection?
when a user enters values in an XML query that takes advantage of security loopholes
what is the purpose of SCADA?
to collect data from factories, plants, or other remote locations, and send the data to a central computer that manages and controls the data
what does the acronym ICS denote?
industrial control system
which servers are susceptible to the same type of attacks as their hosts, including denial of service attacks, detection attack, and escape attacks?
virtual servers
what is spear phishing?
an e-mail request for confidential information that appears to come from your supervisor
what is the main difference between virtualization and cloud computing?
the location and ownership of the physical components
what is an evil twin?
an access point with the same SSID as the legitimate access point
what is vishing?
a special type of phishing that uses VoIP
where should you physically store mobile devices to prevent theft?
in a locked cabinet or safe
what is whaling?
a special type of phishing that targets a single power user, such as Chief Executive Officer (CEO)
what is the purpose of a remote sanitation application on a mobile device?
to ensure that the data on the mobile device can be erased remotely in the event the mobile device is lost or stolen
which address is faked with IP spoofing attacks?
the source IP address
what is bluesnarfing?
the act of gaining unauthorized access to a device (and the network it is connected to) through its bluetooth connection
which attack uses clients, handles, agents, and targets?
DDoS attack
when does path traversal occur?
when the ../ characters are entered into the URL to traverse directories that are not supposed to be available from the Web
what is war driving?
the act of discovering unprotected wireless network by driving around with a laptop
which type of attack does challenge handshake authentication protocol (CHAP) protect against?
replay
what does the acronym DDoS denote?
distributed denial of service
what is header manipulation?
when a hacker is able to manipulate a packet header to deface, hijack, or poison the packet
what is bluejacking?
an attack that sends unsolicited messages over a bluetooth connection
which attack requires that the hacker compromise as many computers as possible to initiate the attack?
DDoS attack
what is an IP spoofing attack?
an attack in which the source IP address in an IP datagram is modified to imitate the IP address of a packet originating from an authorized source
which type of attack searches long lists of words for a particular language to match them to an encrypted password?
dictionary attack
why is GPS tracking often disabled?
it is considered a security threat. as long as GPS tracking is enabled and the mobile device is powered on, the device (and possibly its user) can be located
what is spimming?
an instance of spam sent over an instant message application
what is malicious insider?
an employee who uses his access to the network and facility to obtain confidential information
what is the purpose of a screen lock on a mobile device?
to act as a deterrent if a mobile device is lost or stolen by requiring a key combination to activate the device
encrypting all files on a system hardens which major component of a server?
the file system
what is an IV attack?
cracking the WEP secret key using the initialization vector (IV)
what is pharming?
traffic redirection to a web site that looks identical to the intended web site
what is the purpose of mobile device encryption?
to ensure that the contents of the mobile device are confidential
which type of attack sequentially generates every possible password and checks them all against a password file?
brute force attack
which type of brute-force attack attempts to find any two hashed messages that have the same value?
a birthday attack
what does the acronym MTD denote?
maximum tolerable downtime
what is MTBF?
the estimated amount of time a device will operate before a failure occurs
what are the four types of personally identifiable information (PII)?
personal characteristics - such as full name, DoB, height, ethnicity, place of birth, mother’s maiden name, and biometric characteristicsa unique set of numbers assigned to an individual - such as government ID number, telephone number, driver’s license number, and PINdescriptions of events or points in time - such as arrest records, employment records, and medical recordsdescription of locations or places - such as GPS tracking information
what does the acronym RTO denote?
recovery time objective
what does the acronym MTBF denote?
mean time between failures
what does the acronym RPO denote?
recovery point objective
which two factors should contribute to incident severity and prioritization?
impact scope and the type of data affected
which attack is one discovered in live environments for which no current fix or patch exists?
zero-day attack
what is RTO?
the shortest time period after a disaster or disruptive event within which a resource or function must be restored to avoid unacceptable consequences
which impact scope factor refers to the amount of data corrupted or altered during the incident?
data integrity
what does the acronym PHI denote?
personal health information
what is meant by economic factor of an incident?
the cost of the incident to the organization
which impact scope factor refers to the amount of time taken to recover from the incident?
recovery time
which attack type targets a specific entity and is carried out over a long period of time?
advanced persistent threat (APT)
which impact scope factor refers to the amount of time access to resource were interrupted?
downtime
what is MTD?
the maximum amount of time that an organization can tolerate a single resource or function being down
what does the acronym PII denote?
personally identifiable information
what is RPO?
the point in time to which the disrupted resource or function must be returned
what is the best method to preserve evidence on a computer: bit stream backup or standard backup?
bit stream backup
what is the order of volatility from most volatile to least volatile?
registers, cacheswap spacerouting table, ARP cache, process table, kernel statistics, and memorytemporary file systemsdiskremote logging and monitoring data that is relevant to the system in question
what are the FOUR documents/forms that should be part of forensic kit?
chain of custody form, incident response plan, incident form, call list/escalation list
what is a write blocker?
a tool that permits read-only access to data storage devices without compromising the integrity of the data
what is the purpose of imaging utilities included in a forensic kit?
to create a bit-level copy of drives
what are the NINE components that should be included in a forensic kit?
- digital forensics workstation2. write blockers3. cables4. drive adaptors5. wiped removable media6. camera7. crime tape8. tamper-proof seals9. documentation/forms
what is the purpose of the chain of custody form?
it will indicate who has handled the evidence, when they handled it, and the order in which the handler was in possession of the evidence
which condition must be true of the hash values of a file to prove the file is unaltered?
the hash values must remain the same
what is a SCADA device?
a system operating with coded signals over communication channels that provides control of remote equipment
what is the purpose of tamper-proof seals?
to ensure that the chain of custody is maintained
what is the purpose of hashing utilities included in a forensic kit?
to create a hash value of files so that you can prove that certain evidence has not been altered during your possession of the evidence
what is the proper life cycle of evidence steps?
collection, analysis, storage, court presentation, and return to owner
what is a digital forensics workstation?
a dedicated workstation for processing an investigation that includes special tools and utilities that make the process easier and more productive
what is the purpose of an incident form?
it is used to describe the incident in detail
why should the proper chain of custody be ensured?
so that evidence will be admissible in court
what is the purpose of the analysis utilities included in a forensic kit?
to analyze the bit-level copy that is created for that purpose
what are the three basic questions answered by the chain of custody?
who controlled the evidencewho secured the evidencewho obtained the evidence
when evidence is seized, which principle should be emphasized?
chain of custody
what is indicated when the hash values on a file are different?
the file has been altered
which stakeholder in the incident response process communicates the importance of the incident response plan to all parts of the organization, creates agreements detailing the authority of the IR team to take over business systems if necessary, and creates decision systems for determining when key systems must be removed from the network?
upper management
which stakeholder in the incident response process creates newsletters and other educational materials to be used in employee response training and coordinates with the legal team to prepare media responses and internal communications regarding incidents before they occur?
marketing
what are the FOUR main stakeholder groups for the incident response process?
HR, Legal, Marketing, Management
which stakeholder in the incident response process reviews the NDA to ensure legal support for incident response efforts, develops the wording of documents used to contact sites and organizations possibly affected by an incident that originated with your company’s software, hardware, or services, and assesses site liability for illegal computer activity?
Legal
what is the role of law enforcement in the incident response process?
to assist the investigation and in some cases take over the investigation when a crime has been committed
which stakeholder in the incident response process develops job descriptions for those persons who will be hired for positions involved in incident response and creates policies and procedures that support the removal of employees found to be engaging in improper or illegal activity?
HR
what is the role of the technical IT staff in the incident response process?
to recognize, identify, and react to incidents, and to provide support in analyzing those incidents when an incident has occurred
what are the FOUR main purposes of the incident response communication process?
limit communication to trusted partiesdisclosure based on regulatory/legislative requirementsprevent inadvertent release of informationuse secure method of communication
what is data exfiltration?
the unauthorized copying, transfer or retrieval of data from a computer or server
what should you do if you discover rogue devices on the network?
locate and remove them
what happens in vertical privilege escalation?
the attacker obtains higher privileges by performing operations that allow the attacker to run unauthorized code
what are the SIX network-related symptoms of incidents?
bandwidth consumptionbeaconingirregular peer-to-peer communicationrogue devices on the networkscan sweepsunusual traffic spikes
what is meant by anomalous activity?
activity that is outside the norms
when does an escalation of privileges attack occur?
when an attacker has used a design flaw in an application to obtain unauthorized access to the application
what are scan sweeps?
an attempt by an unauthorized entity to map your network
what happens in horizontal privilege escalation?
the attacker obtains the same level of permissions as he already has but uses a different user account to do so
what are the eight host-related symptoms of an incident?
processor consumptionmemory consumptiondrive capacity consumptionunauthorized softwaremalicious processesunauthorized changes
what is beaconing?
when malware attempts to remotely connect to a command and control host or network
what are the SIX application-related symptoms of incidents?
anomalous activityintroduction of new accountsunexpected outputunexpected outbound communicationservice interruptionmemory overflows
what is the best way to determine the attack vector used by a hacker?
reverse engineering
why should a first responder be familiar with the incident response plan?
to ensure that the appropriate procedures are followed
which eradication technique reinstalling the operating system, applying all system updates, reinstalling the anti-malware software, and implementing any organizational security settings?
reconstruction or re-imaging
what are the FOUR validation techniques?
patching, verifying permissions, scanning, verifying logging/communication to security monitoring
what is the name of the security process that involves recognition, verification, classification, containment, and analysis?
incident response
what are the THREE eradication techniques?
sanitization, reconstruction or re-image, secure disposal
what are the FOUR containment techniques?
segmentation, isolation, removal, reverse engineering
which containment techniques involves limiting the scope of the incident by leveraging existing segments of the network as barriers to prevent the spread of the incident to other segments?
segmentation
which containment technique involves retracing the steps in the incident as seen from the logs in the affected devices or in logs of infrastructure devices that may have been involved?
reverse engineering
what is the name of the group of people appointed to respond to security incidents?
incident response team
which type of review should be completed last as part of incident response?
a post-mortem review
which containment technique involves either by blocking all traffic to and from the device or devices or shutting down the device or devices’ interfaces?
isolation
what are the SEVEN steps in a FORENSIC INVESTIGATION?
- identification2. preservation3. collection4. examination5. analysis6. presentation
which eradication technique removes all tracers of the threat by overwriting the drive multiple times to ensure all data is destroyed?
sanitization
in which location should all changes made to your organization’s network and computers be listed?
in the change management system
what are the FIVE steps in the INCIDENT RESPONSE PROCESS?
contain, eradicate, validate, corrective action, reporting
what is incident management?
the activities of an organization to identify, analyze, and correct risks as they are identified
which audit category will audit all instances of users exercising their rights?
the audit privilege use audit category
what is another term for logical controls?
technical controls
which type of controls dictates how security policies are implemented to fulfill the company’s security goals?
administrative or management control
what is the name of the process for removing only the incriminating data from the audit logs?
scrubbing
which type of controls is implemented to secure physical access to an object, such as building, a room, or a computer?
physical or operational control
which type of controls include developing policies and procedures, screening personnel, conducting security awareness training, and implementing change control?
administrative controls
what is the purpose of administrative controls?
to implement security policies based on procedures, standards, and guidelines
what is the purpose of password complexity rules?
to ensure that users do not use passwords that are easy to guess using dictionary attacks
what must you do for an effective security auditing policy, besides creating security logs?
analyze the logs
what is the purpose of physical controls?
to work with administrative and technical controls to enforce physical access control
which audit category tracks access to all objects outside active directory?
the audit object access audit category
which password attack does an account lockout policy protect against?
a brute force attack
if a user needs administrative-level access, how many user accounts should be issued to the user?
two - one for normal tasks, one for administrative-level tasks
which setting ensures that accounts are not used beyond a certain data and/or time?
account expiration
what are you trying to determine if you implement audit trails to ensure that users are not performing unauthorized functions?
accountability
which setting ensures that users periodically change their account passwords?
password expiration
what is the name for the process of tracking user activities by recording selected events in the server activity logs?
auditing
which document is used when it is necessary to invoke legal action against an employee for inappropriate use of computer resources?
acceptable use policy
which type of controls includes access control mechanisms, password management, identification methods, authentication methods, and security devices?
technical or logical controls
what are the FIVE stages in the life cycle of the evidence or the chain of custody?
- collection of evidence from the site2. analysis of the evidence by a team of experts3. storage of the evidence in a secure place to ensure that the evidence is not tampered with4. presentation of the evidence by legal experts in a court of law5. returning the evidence to the owner after the proceedings are over
what is the purpose of audit logs?
to document actions taken on a computer network and the party responsible for those actions
which type of controls work to protect system access, network architecture and access, control zones, auditing, and encryption and protocols?
technical controls
what is the purpose of technical controls?
to restrict access to objects and protect availability, confidentiality, and integrity
when should an administrative account be used?
when performing administrative-level tasks
which linux file contains encrypted user passwords that only the root user can read?
/etc/shadow
what is the purpose of password age rules?
to ensure that users change their passwords on a regular basis
which account should you rename immediately after installing a new operating system (OS) to harden the OS?
the administrator account
which assessment examines whether network security practices follow a company’s security policy?
an audit
which audit category monitors changes to user accounts and groups?
the audit account management audit category
what is the purpose of the password history settings?
to ensure that users do not keep reusing the same passwords
which setting ensures that repeated attempts to guess a user’s password is not possible beyond the configured value?
account lockout
which account should you disable immediately after installing a new operating system (OS) to harden the OS?
the guest account
which log in event viewer should you open to view events that are generated based on your auditing settings?
the security log
what is a good password complexity policy?
a mixture of numbers, uppercase and lowercase letters, and special characters, such as rObin3*nest
which audit category tracks all attempts to log on with a domain user account when enabled on domain controllers?
the audit account logon events audit category
which type of controls includes controlling access to different parts of a building, implementing locking systems, installing fencing, implementing environmental controls, and protecting the facility perimeter?
physical controls
what is the top-most level of the LDAP hierarchy?
root
what is the primary function of LDAP?
lightweight directory access protocol (LDAP) controls client access to directories
what are flood guards?
devices that protect denial of service (DoS) attacks
what does the acronym RADIUS denote?
remote authentication dial-in user service
what are the two types of eye scans?
iris scans and retinal scans
which type of authentication is accomplished by authenticating both the client and server sides of a concentration through the encrypted exchange of credentials?
mutual authentication
what does the acronym TACACS denote?
terminal access controller access control system
which function does a single sign-on (SSO) system provide?
it allows a user to present authentication credentials once and gain access to all computers within the SSO system
what is the purpose of federated identity management?
it allows single sign-on (SSO) between companies
what does the acronym KDC denote?
key distribution center
which authentication protocol uses UDP: TACACS+ or RADIUS?
RADIUS
which security-server application and protocol implements authentication and authorization of users from a central server over TCP?
terminal access controller access control system plus (TACACS+)
which authentication protocol is an open standard: TACACS+ or RADIUS?
RADIUS
which authentication system includes clients, servers, and a key distribution center (KDC)?
kerberos
which authentication protocol separates authentication and authorization: TACACS+ or RADIUS?
TACACS+
which Cisco implementation is similar to a RADIUS implementation?
TACACS
what are the two components of the kerberos key distribution center?
authentication server (AS) and ticket-granting server (TGS)
which access control model is based on the data’s owner implementing and administering access control?
discretionary access control (DAC)
which eye scan measures the pattern of blood vessels at the back of the eye?
retinal scan
scanning fingerprints is an example of which authentication technique
biometrics
using role-based access control (RBAC), which entities are assigned roles?
users or subjects
which kerberos component holds all users’ and services’ cryptographic keys and generates tickets?
key distribution center (KDC)
who has the responsibility for configuring access rights in discretionary access control (DAC)?
the data owner or data custodian
what is the most important biometric system characteristic?
accuracy
which type of attack can turn a switch into a hub?
MAC flooding
what does the acronym MAC denote?
mandatory access control
which type of eye scan is considered more intrusive than other eye scans?
retinal scan
which fingerprint scan will analyze fingerprint ridge direction?
minutiae matching
why is password disclosure a significant security issue in a single sign-on network?
it could compromise the entire system because authentication grants access to any systems on the network to which the actual user may have permission
which access control model has the lowest cost?
role-based access control (RBAC)
what does the acronym SSO denote?
single sign-on
which authentication protocol encrypts the entire packet (not just the password): TACACS+ or RADIUS?
TACACS+
which authentication protocol uses tickets to authenticate users?
Kerberos
which function does RADIUS provide?
centralized authentication, authorization, and accounting for remote dial-in users
which security-server application and protocol implement authentication of users from a central server over UDP?
remote authentication dial-in user service (RADIUS)
which directory protocol does directory-enabled networking (DEN) use?
lightweight directory access protocol (LDAP)
which access control model uses security labels for each resource?
mandatory access control (MAC)
what are the two advantages of single sign-on (SSO)?
convenience and centralized administration
which access control model requires assigning security clearance levels to users, such as secret, top-secret, and confidential?
mandatory access control (MAC)
which internet protocol based on X.500 is used to access the data stored in a network directory?
lightweight directory access protocol (LDAP)
what is the purpose of RADIUS?
remote access dial-in user service (RADIUS) enables remote access users to log on to a network through a shared authentication database
which ethernet standard uses a wireless access point with a remote authentication dial-in user service (RADIUS) server to authenticate wireless users?
802.1x
which type of authentication combines two or more authentication methods, like something that a person knows (such as password), something that a person owns (such as a smart card), and a characteristic about the person (such as a fingerprint)?
multi-factor authentication
which technique is used to prevent network bridging?
network separation
on which standard is lightweight directory access protocol (LDAP) based?
X.500
what are the two types of ciphers?
block and streaming
what is most commonly used to provide proof of message’s origin?
a digital signature
which key is used to decrypt a digital signature: public or private?
public
which cryptographic technique is based on a combination of two keys: a secret (private) key and a public key?
public-key cryptography
in asymmetric encryption for a digital signature, which key is used for encryption: public or private?
private
what are mandatory vacations?
administrative controls that ensure that employees take vacations at periodic intervals
what are two other names for single-key cryptography?
symmetric key encryption and secret-key encryption
which type of cryptography is more secure: symmetric or asymmetric?
asymmetric
which security measure prevents fraud by reducing the chances of collusion?
separation of duties
what are the three issues that symmetric data encryption fails to address?
data integrity, repudiation, scalable key distribution
to provide checks and balances and to prevent one person from gaining too much power over a system, which type of security policy should you implement?
separation of duties
what is the term for the process that applies a one-way mathematical function called a message digest function to an arbitrary amount of data?
hashing
what is a dual control?
when two operators work together to accomplish a sensitive task
what is segregation of duties?
when a sensitive activity is segregated into multiple activities and tasks are assigned to different individuals to achieve a common goal
what is another name for public-key encryption?
asymmetric encryption
what is another term used for layered security?
defense in depth
what is job rotation?
when an individual can fulfill the tasks of more than one position in the organization and duties are regularly rotated to prevent fraud
what is the opposite of confidentiality?
disclosure
what is the purpose of filters on a web server?
they limit the traffic that is allowed through
what is the purpose of sandbox in a java applet?
it prevents java applets from accessing unauthorized areas on a user’s computer
which error condition arises because data is not checked before input to ensure that it has an appropriate length?
buffer overflow errors
when does fuzzing occur?
when unexpected values are provided as input to an application to make the application crash
what are the FIVE phases of the system development life cycle (SDLC)?
- initiation2. development and acquisition3. implementation and assessment4. operations and maintenance5. disposal
what is the purpose of a decompiler?
to re-create the source code in some high-level language
which type of attack runs code within another process’s address space by making it load a dynamic link library?
a DLL injection attack
what is the purpose of fuzz testing?
to identify bugs and security flaws within an application
what are alternate terms for cross-site request forgery (XSRF)?
session riding or one-click attack
which application hardening method requires that your organization periodically checks with the application vendor?
patch management
what is the most significant misuse of cookies?
misuse of personal data
when does fuzzing occur?
when unexpected values are provided as input to an application in an effort to make the application crash
what does a race condition typically attack?
the delay between time of check (TOC) and time of use (TOU)
when does a cross-site scripting (XSS) attack occur?
it occurs when an attacker locates a vulnerability on a web site that allows the attacker to inject malicious code into a web application
what is the name for a small piece of information that is saved on a client machine on the hard disk to enable tracking of user information on future web visits?
a cookie
what is the purpose of an application disassembler?
to read and understand the raw language of the program
what is the purpose of a fail-safe error handler?
to ensure that the application stops working, reports the error, and closes down
what is an application backdoor?
lines of code that are inserted into an application to allow developers to enter the application and bypass the security mechanisms
what is cross-site request forgery (XSRF)?
unauthorized commands coming from a trusted user to a user or web site, usually through social networking
what should application developers do to prevent race condition attack?
create code that processes exclusive-lock resources in a certain sequence and unlocks them in reverse order
what is the best protection against cross-site scripting? (XSS)?
disable the running of scripts
what is the purpose of secure code review?
it examines all written code for any security holes that may exist
what is a cookie?
a web client test file that stores persistent settings for a web server
what is the purpose of input validation?
to ensure that data being entered into a database follows certain parameters
what is the purpose of application hardening?
it ensures that an application is secure and unnecessary services are disabled
which error occurs when the length of the input data is more than the length that processor buffers can handle?
buffer overflow
which type of attack is characterized by an attacker who takes over the session of an already authenticated user?
hijacking
what is a zero-day exploit?
an attack that exploits a security vulnerability on the day the vulnerability becomes generally known
when does a persistent XSS attack occur?
when data provided to the web application is first stored persistently on the server and later displayed to users without being encoded using HTML on the Web client
which type of attack intercepts an established TCP session?
TCP hijacking or session hijacking
which type of attack enables an intruder to capture and modify data traffic by rerouting the traffic from a network device to the intruder’s computer?
network address hijacking
what are the FIVE monitoring tools analyst need to know?
MRTG (multi router traffic grapher)NagiosSolarWindsCactiNetflow Analyzer
what is wireshark?
a protocol analyzer or packet sniffer
what are the THREE IPS tools?
sourcefiresnortbro
what is unit testing?
the debugging performed by the programmer while coding instructions
what are the THREE categories of exploit tools?
interception proxyexploit frameworkfuzzers
what error condition arises because data is not checked before input to ensure that it has an appropriate length?
buffer overflow errors
what is the purpose of content inspection?
to search for malicious code or behavior
what are the TWO exploit framework tools analyst need to know?
Metasploit, Nexpose
what are the six SIEM tools analyst need to know?
Arcsight, QRadar, Splunk, AlienVault, OSSIM, Kiwi Syslog
what is microsoft baseline security analyzer?
a microsoft application that creates security reports
what are TWO examples of input validation errors?
buffer overflow and boundary condition errors
what is a proxy server?
a server that caches and filters content
what are the seven categories of preventive tools?
IPSFirewallAnti-VirusAnti-malwareEnhanced Mitigation Experience Toolkit (EMET)Web proxyWeb application firewall
which error occurs when the length of the input data is more than the length that processor buffers can handle?
a buffer overflow
what is the most popular intrusion detection system (IDS)?
network-based IDS
what are the three interception proxy tools analyst need to know?
Burp SuiteZapVega
what does the acronym IDS denote?
intrusion detection system
what are the SEVEN command-line tools analyst need to know?
netstatpingtracert/tracerouteipconfig/ifconfignslookup/digSysinternalsOpenSSL
what is the difference between a password checker and a password cracker?
there is no difference. they are the same tools
what are the SIX vulnerability scanning tools analyst need to know?
QualysNessusOpenVASNexposeNiktoMicrosoft Baseline Security Analyzer
what are the TWO password cracking tools analyst need to know?
john the rippercain and abel
what are the five forensic suite tools analyst need to know?
EnCaseFTK (forensic toolkit)HelixSysinternalsCellebrite
which type of control is an intrusion detection system (IDS)?
detective technical
which type of vulnerability assessment is more likely to demonstrate the success or failure of a possible attack?
a double-blind test
what is Nessus?
a network vulnerability scanner
what are the THREE categories of analytical tools?
vulnerability scanningmonitoring toolsinterception proxy
what are the THREE web application firewalls (WAFs) analyst need to know?
ModSecurityNAXSIImperva
what is the imaging tool analysts need to know?
DD
what are the two hashing tools analyst need to know?
MD5sumSHAsum
what is the network scanning tool analyst need to know?
NMAP
what activity provides identification of security flaws and verification of levels of existing resistance?
penetration testing
what are the THREE fuzzer tools analyst need to know?
UntidyPeach FuzzerMicrosoft SDL File/Regex Fuzzer
what are the FOUR categories of forensics tools?
forensics suiteshashingpassword crackingimaging
what are the four packet capture tools analyst need to know?
wiresharktcpdumpnetwork generalaircrack-ng
which tool obtains a visual map of the topology of your network, including all devices on the network?
a network mapper, also referred to as a network enumerator
what are the THREE firewall vendors analyst need to understand?
Cisco, Palo Alto, Check Point
which tool should you use to retrieve the contents of a GET request: a protocol analyzer or port scanner?
protocol analyzer
what are the SIX categories of collective tools?
SIEMNetworking scanningVulnerability scanningPacket captureCommand-line utilitiesIDS
