Categories & Types of security controls Flashcards
Technology-based measures such as firewalls and encryption
Technical Controls
Policies, procedures, and guidelines for security management
Managerial controls
Day-to-day security practices such as monitoring and access management
Operational controls
Measures to safeguard physical assets and premises
Physical controls
Intended to discourage potential attackers
Deterrent controls
Aimed at preventing security incidents
Preventive controls
Focused on identifying and detecting security incidents
Detective controls
Implemented after an incident to mitigate the impact
Corrective controls
Alternative measures to compensate for inadequate primary controls
Compensating controls
Policies or regulations providing specific guidance
Directive controls
After conducting a vulnerability scan of her network, Wendy discovered the issue shown here on several servers. What is the most significant direct impact of this vulnerability?
A. Attackers may eavesdrop on network communications.
B. Attackers may use this information to gain administrative privileges.
C. Encryption will not protect credentials for this account.
D. Automated attacks are more likely to succeed.
D. Automated attacks are more likely to succeed.
D. Most automated attacks assume that a Windows system still contains a default account named Administrator and try to exploit that account. Changing the name makes it less likely that these attacks will stumble upon the account.
Which one of the following characters is the most important to restrict when performing input validation to protect against XSS attacks?
A. <
B. !
C. $
D. '
A. <
A. Cross-site scripting relies upon embedding HTML tags in stored or reflected input. The < and > characters are used to denote HTML tags and should be carefully managed when seen in user input.
During forensic analysis, Drew discovered that an attacker intercepted traffic headed to networked printers by modifying the printer drivers. His analysis revealed that the attacker modified the code of the driver to transmit copies of printed documents to a secure repository. What type of attack took place?
A. Refactoring
B. Shimming
C. Swapping
D. Recoding
A. Refactoring
A. The two major categories of attack against device drivers are shimming and refactoring. In a shimming attack, the attacker wraps his or her own malicious code around the legitimate driver. Shimming attacks do not require access to the driver’s source code. In a refactoring attack, such as this one, the attacker actually modifies the original driver’s source code.
Pete is investigating a domain hijacking attack against his company that successfully redirected web traffic to a third-party website. Which one of the following techniques is the most effective way to carry out a domain hijacking attack?
A. ARP poisoning
B. Network eavesdropping
C. DNS poisoning
D. Social engineering
D. Social engineering
D. In a domain hijacking attack, the attacker changes the registration of a domain with the registrar. DNS and ARP poisoning attacks may redirect web traffic, but they would do so by providing bogus address information, not by hijacking the domain. Network eavesdropping could theoretically be used to steal credentials that are used to alter information with a registrar, but this is unlikely. The most likely source of a domain hijacking attack is using social engineering with the registrar to gain access to the account being used to manage registration information.
Which one of the following technologies must be enabled on a wireless network for a Pixie Dust attack to succeed?
A. SSID broadcasting
B. WPS
C. WPA
D. WEP
B. WPS
B. A Pixie Dust attack is a specialized attack used to retrieve the Wi-Fi Protected Setup (WPS) PIN code for a network. Pixie Dust attacks will not work if WPS is not enabled on the network.
Darren is investigating an attack that took place on his network. When he visits the victim’s machine and types www.mybank.com into the address bar, he is directed to a phishing site designed to look like a legitimate banking site. He then tries entering the IP address of the bank directly into the address bar and the legitimate site loads. What type of attack is likely taking place?
A. IP spoofing
B. DNS poisoning
C. ARP spoofing
D. Typosquatting
B. DNS poisoning
B. The fact that the legitimate server responds to requests made by an IP address indicates that the attacker is not performing IP spoofing or ARP spoofing. There is no indication that the URL is incorrect, so Darren can rule out typosquatting. The most likely attack in this scenario is DNS poisoning. Darren can verify this by manually changing the system to a different DNS server, clearing the system’s DNS cache, and attempting to resolve the name again.
What type of scan can best help identify cases of system sprawl in an organization?
A. Database scan
B. Web application scan
C. Detailed scan
D. Discovery scan
D. Discovery scan
D. Discovery scans are designed to identify systems on the network and can be used to detect undocumented assets that are the result of system sprawl.
Scott is a security administrator for a federal government agency. He recently learned of a website that advertises jobs for former government employees. When he accessed the site, the site launched code in his browser that attempted to install malicious software on his system. What type of attack took place?
A. Denial of service
B. Watering hole
C. Spyware
D. Trojan horse
B. Watering hole
B. This is an example of a watering hole attack. These attacks place malicious code on a website frequented by members of the target audience. There is not sufficient information to determine whether the malicious code was spyware or a Trojan horse, or whether it delivered a denial of service payload.
Scott is reviewing a list of cryptographic cipher suites supported by his organization’s website. Which one of the following algorithms is not secure and may expose traffic to eavesdropping attacks?
A. ECC
B. 3DES
C. AES
D. DES
D. DES
D. The Data Encryption Standard (DES) is an outdated, insecure algorithm that should not be used in modern applications. Triple DES (3DES) is a secure alternative that uses three rounds of DES encryption. The Advanced Encryption Standard (AES) and Elliptic Curve Cryptosystem (ECC) are also modern, secure cipher suites.
Brenda is selecting the tools that she will use in a penetration test and would like to begin with passive techniques. Which one of the following is not normally considered a passive reconnaissance technique?
A. Social engineering
B. Wireless network eavesdropping
C. Open source intelligence
D. Domain name searches
A. Social engineering
A. Social engineering is an active technique because it involves interaction with the target organization. Attackers may conduct open source intelligence gathering, including domain name searches, using only external resources that will not alert the target organization. Wireless network eavesdropping may also be conducted from a location outside of the organization’s facilities without alerting the organization to their presence or interacting with target systems.
Kristen conducts a vulnerability scan against her organization’s network and discovers a file server with the vulnerability shown here. Which one of the following actions is the best way to remediate this vulnerability?
[Figure 1.2: scan finding "FTP Supports Cleartext Authentication". Description: The remote FTP server allows the user's name and password to be transmitted in cleartext, which could be intercepted by a network sniffer or a man-in-the-middle attack.]
A. Discontinue the file transfer service
B. Require strong passwords
C. Switch to SFTP
D. Require multifactor authentication
C. Switch to SFTP
C. The root cause of this issue is that FTP is an insecure protocol and Kristen can resolve this problem by replacing it with a secure alternative, such as SFTP. Requiring strong passwords or multifactor authentication would not resolve this problem as an attacker could still eavesdrop on those connections and obtain user passwords. Discontinuing the file transfer service would resolve the vulnerability, but it is not a good solution because it would unnecessarily disrupt whatever business processes take place on this server.
Paul received an email warning him that a new virus is circulating on the internet and that he needs to apply a patch to correct the problem. The message is branded with a Microsoft header. The virus message is actually a hoax and the patch contains malicious code. What principle of social engineering best describes what the attacker is trying to exploit by including the Microsoft header?
A. Consensus
B. Scarcity
C. Trust
D. Intimidation
C. Trust
C. The social engineer is using the Microsoft header in an attempt to exploit the trust that the recipient has for Microsoft. This attack also exploits the principles of authority, familiarity, and urgency. There is no note of scarcity or consensus in the message. The attacker is indeed trying to intimidate the recipient, but the intimidation is contained within the virus hoax message, not the Microsoft header.
Frank is the new CISO at a mid-sized business. Upon entering his role, he learns that the organization has not conducted any security training for their sales team. Which one of the following attacks is most likely to be enabled by this control gap?
A. Buffer overflow
B. Social engineering
C. Denial of service
D. ARP poisoning
B. Social engineering
B. Social engineering attacks depend on user error, and training can dramatically reduce the success rate of these attacks. Buffer overflow attacks, denial of service attacks, and ARP poisoning attacks are not generally preventable by end users and, therefore, training the sales team would not be an effective defense against them.
After conducting security testing, Bruce identifies a memory leak issue on one of his servers that runs an internally developed application. Which one of the following team members is most likely able to correct this issue?
A. Developer
B. System administrator
C. Storage administrator
D. Security analyst
A. Developer
A. A memory leak is a software flaw and, since this is an internally developed application, the developer is the person who’s the most likely to be able to correct it. If the issue were in a commercially purchased application, a system administrator may be able to correct the issue by applying a patch, but that is not the case in this scenario.