Ch 1-5

Question 1

Which security related phrase relates to the integrity of data?
Availability is authorized
Modification is authorized
Knowledge is authorized
Non-repudiation is authorized

Answer 1

Integrity means that any data is stored and transferred as intended and that any modification is authorized.
Integrity is part of the CIA triad.

Question 2

Define Availability

Answer 2

Information is accessible only to those authorized to view or modify it

Question 3

An engineer looks to implement security measures by following the five functions in the National Institute of Standards and Technology (NIST) Cybersecurity Framework. When documenting the “detect” function, what does the engineer focus on?

Answer 3

Detect refers to performing ongoing proactive monitoring to ensure that controls are effective and capable of protecting against new types of threats.

Question 4

What does the Identity mean per NIST?

Answer 4

Identify covers developing security policies and capabilities, and evaluating risks, threats, and vulnerabilities and recommend security controls to mitigate them.

Question 5

What does protect mean according to NIST?

Answer 5

covers the processes to install, operate, and decommission IT hardware and software assets with security as an embedded requirement of every stage of an operations life cycle.

Question 6

What is recovery per NIST?

Answer 6

The implementation of cybersecurity resilience to restore systems and data if other controls are unable to prevent attacks.

Question 7

What are the properties of a secure information processing system?

Answer 7

Confidentiality, Integrity, and Availability (and Non-repudiation)

Question 8

A multinational company manages a large amount of valuable intellectual property (IP) data, plus personal data for its customers and account holders. What type of business unit can be used to manage such important and complex security requirements?

Answer 8

A security operations center (SOC).

Question 9

A business is expanding rapidly and the owner is worried about tensions between its established IT and programming divisions. What type of security business unit or function could help to resolve these issues?

Answer 9

Development and operations (DevOps) is a cultural shift within an organization to encourage much more collaboration between developers and system administrators. DevSecOps embeds the security function within these teams as well.

Question 10

You have implemented a secure web gateway that blocks access to a social networking site. How would you categorize this type of security control?

Answer 10

It is a technical type of control (implemented in software) and acts as a preventive measure.

Question 11

A company has installed motion-activated floodlighting on the grounds around its premises. What class and function is this security control?

Answer 11

It would be classed as a physical control and its function is both detecting and deterring.

Question 12

A firewall appliance intercepts a packet that violates policy. It automatically updates its Access Control List to block all further packets from the source IP. What TWO functions is the security control performing?

Answer 12

Preventive and corrective.

Question 13

If a security control is described as operational and compensating, what can you determine about its nature and function?

Answer 13

That the control is enforced by a a person rather than a technical system, and that the control has been developed to replicate the functionality of a primary control, as required by a security standard.

Question 14

If a company wants to ensure it is following best practice in choosing security controls, what type of resource would provide guidance?

Answer 14

A cybersecurity framework and/or benchmark and secure configuration guides.

Question 15

Any external responsibility for an organization’s security lies mainly with which individuals?

Answer 15

External responsibility for security (due care or liability) lies mainly with directors or owners. It is important to note that all employees share some measure of responsibility.

Question 16

What does Defense in Depth mean?

Answer 16

Defense in depth means an attacker must get past multiple security controls to fully compromise a network. Since employees are the greatest security risk, user training is a critical component of defense in depth.

Question 17

What are 5 NIST properties?

Answer 17

Id, Protect, Detect, Respond, Recover

Question 18

Name the 3 types of security controls and their 6 functions.

Answer 18

Technical, Operative, Managerial

Preventive, Detective, Corrective, Physical, Deterrent, Compensating

Question 19

Which of the following would be assessed by likelihood and impact: vulnerability, threat, or risk?

Answer 19

Risk. To assess likelihood and impact, you must identify both the vulnerability and the threat posed by a potential exploit.

Question 20

True or false? Nation state actors primarily only pose a risk to other states.

Answer 20

False—nation state actors have targeted commercial interests for theft, espionage, and extortion.

Question 21

You receive an email with a screenshot showing a command prompt at one of your application servers. The email suggests you engage the hacker for a day’s consultancy to patch the vulnerability. How should you categorize this threat?

Answer 21

This is either gray hat hacking or black hat hacking. If the request for compensation via consultancy is an extortion threat (if refused, the hacker sells the exploit on the dark web), then the motivation is purely financial gain and can be categorized as black hat. If the consultancy is refused and the hacker takes no further action, it can be classed as gray hat.

Question 22

Which type of threat actor is primarily motivated by the desire for social change?

Answer 22

Hacktivist

Question 23

Which three types of threat actor are most likely to have high levels of funding?

Answer 23

State actors, criminal syndicates, and competitors

Question 24

You are assisting with writing an attack surface assessment report for a small company. Following the CompTIA syllabus, which two potential attack vectors have been omitted from the following headings in the report? Direct access, Email, Remote and wireless, Web and social media, Cloud.

Answer 24

Removable media and supply chain.

Question 25

You are consulting on threat intelligence solutions for a supplier of electronic voting machines. What type of threat intelligence source would produce the most relevant information at the lowest cost?

Answer 25

For critical infrastructure providers, threat data sharing via an Information Sharing and Analysis Center (ISAC) is likely to be the best option.

Question 26

Your CEO wants to know if the company’s threat intelligence platform makes effective use of OSINT.
What is OSINT?

Answer 26

Open-source intelligence (OSINT) is cybersecurity-relevant information harvested from public websites and data records. In terms of threat intelligence specifically, it refers to research and data feeds that are made publicly available.

Question 27

You are assessing whether to join AIS. What is AIS and what protocol should your SIEM support in order to connect to AIS servers?

Answer 27

Automated Indicator Sharing (AIS) is a service offered by the (DHS) for participating in threat intelligence sharing. AIS uses the (TAXII) protocol as a means of transmitting CTI data between servers and clients

Question 28

A contractor has been hired to conduct security reconnaissance on a company. The contractor browses the company’s website to identify employees and then finds their Facebook pages. Posts found on Facebook indicate a favorite bar that employees frequent. The contractor visits the bar and learns details of the company’s security infrastructure through small talk. What reconnaissance phase techniques does the contractor practice?

Answer 28

OSINT & Social Engineering
OSINT refers to using web search tools and social media to obtain information about the target.

Social engineering was used at the restaurant by learning about the vacant positions and the shortfall in information security

Question 29

What is a security policy?

Answer 29

The means the organization will take to protect the confidentiality, availability, and integrity of sensitive data and resources

Question 30

How does scanning work?

Answer 30

Using software tools to obtain information about a host or network topology is considered scanning

Question 31

A security engineer investigates a recent system breach. When compiling a report of the incident, how does the engineer classify the actor and the vector?

Answer 31

A threat is the potential for something to exploit a vulnerability. The thing that poses the threat is called an actor, while the path used can be referred to as the vector.

Question 32

One aspect of threat modeling is to identify potential threat actors and the risks associated with each one. When assessing the risk that any one type of threat actor poses to an organization, what are the critical factors to profile?

Answer 32

Intent & motivation

Question 33

You suspect that a rogue host is acting as the default gateway for a subnet in a spoofing attack. What command-line tool(s) can you use from a Windows client PC in the same subnet to check the interface properties of the default gateway?

Answer 33

ipconfig, arp, route
Use ipconfig to check the IP addresses of the default gateway and the DHCP server. Use arp to check the MAC addresses associated with those IP addresses and investigate possible spoofing. You could also use the route command to verify the properties of the default route.

Question 34

You suspect the rogue host is modifying traffic before forwarding it, with the side effect of increasing network latency. Which tool could you use to measure latency on traffic routed from this subnet?

Answer 34

From a Windows host, the pathping tool can be used to measure latency along a route.

Question 35

What type of tool could you use to fingerprint the host acting as the default gateway?

Answer 35

Nmap is very widely used for this task, or you could use hping or Netcat.
This requires a tool that performs fingerprinting service and version detection—by examining responses to network probes and comparing them to known responses from common platforms.

Question 36

You are investigating a Linux server that is the source of suspicious network traffic. At a terminal on the server, which tool could you use to check which process is using a given TCP port?

Answer 36

netstat

Question 37

What is a zone transfer and which reconnaissance tools can be used to test whether a server will allow one?

Answer 37

nslookup, dig, dnsenum
A zone transfer is where a (DNS) allows a client to request all the name records for a domain. nslookup (Windows) and dig (principally Linux) can be used to test whether this query is allowed. You could also mention the dnsenum tool, which will check for zone transfers along with other enumeration tests on DNS infrastructure.

Question 38

What type of organizational security assessment is performed using Nessus?

Answer 38

Nessus (automated network vulnerability scanner) checks for software vulnerabilities & missing patches.

Question 39

You are developing new detection rules for a network security scanner. Which tool (command line) will be of use in testing whether the rules match a malicious traffic sample successfully?

Answer 39

tcpreplay tool can be used to stream captured traffic from a file to a monitored network interface.

Question 40

What security posture assessment could a penetration tester make using Netcat?

Answer 40

Whether it is possible to open a network connection to a remote host over a given port.

Question 41

You are recommending that a business owner invest in patch management controls for PCs and laptops. What is the main risk from weak patch management procedures on such devices?

Answer 41

Vulnerabilities in the OS and applications software such as web browsers and document readers or in PC and adapter firmware can allow threat actors to run malware and gain a foothold on the network.

Question 42

You are advising a business owner on security for a PC running Windows XP. The PC runs process management software that the owner cannot run on Windows 10. What are the risks arising from this, and how can they be mitigated?

Answer 42

Windows XP is a legacy platform that is no longer receiving security updates. This means that patch management cannot be used to reduce risks from software vulnerabilities. The workstation should be isolated from other systems to reduce the risk of compromise.

Question 43

As a security solutions provider, you are compiling a checklist for your customers to assess potential weak configuration vulnerabilities, based on the CompTIA Security+ syllabus. From the headings you have added so far, which is missing and what vulnerability does it relate to?
Default settings, Unsecured root accounts, Open ports & services, Unsecure protocols, Weak encryption, Errors

Answer 43

Open permissions refers to misconfigured access rights for data folders, network file shares, and cloud storage

Question 44

You are advising a customer on backup and disaster recovery solutions. The customer is confused between data breaches and data loss and whether the backup solution will protect against both. What explanation can you give?

Answer 44

Backup solutions mitigate risks from data loss, where files or information is deleted, corrupted, or otherwise destroyed. Backup does not mitigate risks from data breach, where confidential or private data is stolen (exfiltrated) and made public or sold for criminal profit. Mitigating risks of data breach requires effective secure processing, authorization, and authentication security controls.

Question 45

A system integrator is offering a turnkey solution for customer contact data storage and engagement analytics using several cloud services. Does this solution present any supply chain risks beyond those of the system integrator’s consulting company?

Answer 45

Yes, the system integrator is proposing the use of multiple vendors (the cloud service providers), with potentially complex issues for collecting, storing, and sharing customer personal data across these vendors. Each company in the supply chain should be assessed for risk and compliance with cybersecurity and privacy standards.

Question 46

You have received an urgent threat advisory and need to configure a network vulnerability scan to check for the presence of a related CVE on your network. What configuration check should you make in the vulnerability scanning software before running the scan?

Answer 46

Verify that the vulnerability feed/plug-in/test has been updated with the specific CVE that you need to test for.

Question 47

You have configured a network vulnerability scanner for an engineering company. When running a scan, multiple sensors within an embedded systems network became unresponsive, causing a production shutdown. What alternative method of vulnerability scanning should be used for the embedded systems network

Answer 47

A fully non-intrusive solution should be adopted, such as sniffing traffic using a network tap or mirror port. Using the network traffic to detect vulnerabilities rather than actively probing each device will not cause system stability issues (though there is greater risk of false positive and false negative results).

Question 48

A vulnerability scan reports that a CVE associated with CentOS Linux is present on a host, but you have established that the host is not running CentOS. What type of scanning error event is this?

Answer 48

False positive.

Question 49

A small company that you provide security consulting support to has resisted investing in an event management and threat intelligence platform. The CEO has become concerned about an APT risk known to target supply chains within the company’s industry sector and wants you to scan their systems for any sign that they have been targeted already. What are the additional challenges of meeting this request, given the lack of investment?

Answer 49

Collecting network traffic and log data from multiple sources and then analyzing it manually will require many hours of analyst time. The use of threat feeds and intelligence fusion to automate parts of this analysis effort would enable a much swifter response.

Question 50

What term relates to assessment techniques that avoid alerting threat actors?

Answer 50

This can be referred to as maneuver

Question 51

A website owner wants to evaluate whether the site security mitigates risks from criminal syndicates, assuming no risk of insider threat. What type of penetration testing engagement will most closely simulate this adversary capability and resources?

Answer 51

A threat actor has no privileged information about the website configuration or security controls. This is simulated in a black box (or blind) pen test engagement

Question 52

You are agreeing a proposal to run a series of team based exercises to test security controls under different scenarios. You propose using purple team testing, but the contracting company is only familiar with the concept of red and blue teams. What is the advantage of running a purple team exercise?

Answer 52

In a red versus blue team, there is no contact between the teams, and no opportunity to collaborate on improving security controls. In a purple team exercise, there is regular contact and knowledge sharing between the teams throughout the progression of the exercise.

Question 53

Why should an Internet service provider (ISP) be informed before pen testing on a hosted website takes place?

Answer 53

ISPs monitor their networks for suspicious traffic and may block the test attempts. The pen test may also involve equipment owned and operated by the ISP.

Question 54

What tools are used for OSINT?

Answer 54

Open-source intelligence is a reconnaissance activity to gather information about the target from any public source. The basic tool is web searches/queries plus sites that scan/scrape/monitor vulnerabilities in Internet-facing services and devices. There are also specialist OSINT tools, such as theHarvester, that aggregate data from queries for different resources.

Question 55

In the context of penetration testing, what is persistence?

Answer 55

Persistence refers to the tester’s ability to reconnect to the compromised host and use it as a remote access tool (RAT) or backdoor.

Question 56

Identify the command that can be used to detect the presence of a host on a particular IP address.

Answer 56

ping
The ping command can be used to detect the presenc of a host on a particular IP address or that responds to a particular host name. This command is a fast and easy way to determine if a system can communicate over the network with another system

Question 57

What does ipconfig & ifconfig commands do?

Answer 57

The ipconfig command is used to report the configuration assigned to the network adapter in Windows.
The ifconfig command can be used to report the adapter configuration in Linux.

Question 58

Describe the ip command

Answer 58

The ip command is a more powerful command in Linux and gives options for managing routes as well as the local interface configuration.

Question 59

A network manager needs a map of the network’s topology. The network manager is using Network Mapper (Nmap) and will obtain the visual map with the Zenmap tool. If the target IP address is 192.168.1.1, determine the command within Nmap that will return the necessary data to build the visual map of the network topology.

Answer 59

nmap -sn –traceroute 192.168.1.1
The traceroute command is used to probe a path from one end system to another, and lists the intermediate systems providing the link. The Nmap combined with Zenmap tools will give a visual of the network topology.

Question 60

Why use nslookup?

Answer 60

Query the Domain Name System (DNS)

Question 61

A system administrator must scan the company’s web based application to identify which ports are open and which operating system can be seen from the outside world. Determine the syntax that should be used to yield the desired information if the administrator will be executing this task from a Linux command line.

Answer 61

nmap -O webapp.company.com

When the -O switch is used with nmap, it displays open ports and running software, but does not show the version.

Question 62

Why use netstat?
netstat -a
netstat -n

Answer 62

The netstat command checks the state of ports on the local machine.
In Linux, the -a switch displays ports in the listening state, it does not enable software and version detection.

Netstat shows the state of TCP/UDP ports on the local machine. Netstat -n suppresses name resolution, so host IP addresses and numeric ports are shown in the output.

Question 63

Name some the appropriate methods for packet capture.

Answer 63

Wireshark & tcpdump

Wireshark and tcpdump are packet sniffers. A sniffer is a tool that captures packets, or frames, moving over a network.

Wireshark is an open source graphical packet capture and analysis utility. Wireshark works with most operating systems, where tcpdump is a command line packet capture utility for Linux.

Question 64

Why use a packet analyzer?

What is another name for it?

Answer 64

A packet analyzer works in conjunction with a sniffer to perform traffic analysis. Protocol analyzers can decode a captured frame to reveal its contents in a readable format, but they do not capture packets.

Question 65

What does packet injection do?

Answer 65

A packet injection involves sending forged or spoofed network traffic by inserting (or injecting) frames into the network stream. Packets are not captured with packet injection.

Question 66

What are some reconnaissance techniques?

Answer 66

OSINT, social engineering, scanning
OSINT - web search tool & social media for info
Social engineering - art of persuasion
Scanning - software tools to get info

Question 67

Define scanning

Answer 67

using software tools to obtain information about a host or network topology. Scans may be launched against web hosts or against wired or wireless network segments, if the attacker can gain physical access to them.

Question 68

What is the difference between a zero-day vulnerability and a legacy platform vulnerability.?

Answer 68

A legacy platform vulnerability is unpatchable, while a zero-day vulnerability may be exploited before a developer can create a patch for it.

Legacy systems are highly likely to be vulnerable to exploits and must be protected by security controls other than patching, such as isolating them to networks that an attacker cannot physically connect to.

Question 69

Examine each attack vector. Which is most vulnerable to escalation of privileges?
Software, OS, Applications, Ports

Answer 69

OS
A vulnerability in an OS kernel file or shared library can allow privilege escalation, where the malware code runs with higher access rights (system or root). Root or system accounts are considered superuser accounts with administrative privileges.

Question 70

What is a software exploitation?

Answer 70

An attack that targets a vulnerability in software code

Question 71

What is an application vulnerability?

Answer 71

A design flaw that can cause the security system to be circumvented or that will cause the application to crash.

Question 72

An outside security consultant updates a company’s network, including data cloud storage solutions. The consultant leaves the manufacturer’s default settings when installing network switches, assuming the vendor shipped the switches in a default-secure configuration. What are possible vulnerabilities in this network?

Answer 72

The network is open to third-party risks from using an outside contractor to configure cloud storage settings.

The default settings in the network switches represent a weak configuration.

Question 73

Define unsecured protocols

Answer 73

An unsecure protocol transfers data as cleartext. It does not use encryption for data protection.

Question 74

Encryption vulnerabilities allow unauthorized access to protected data. Which component is subject to brute force enumeration?

Answer 74

Weak encryption vulnerabilities allow unauthorized access to data. An algorithm or cipher used for encryption has known weaknesses that allow brute force enumeration.

Question 75

How to fix a software vulnerability?

Answer 75

Software vulnerabilities affect all types of code. Operating system and firmware vulnerabilities may allow escalated permissions and unauthorized access. Software and security researchers discover most vulnerabilities and release patches to remedy them.

Question 76

Compare and contrast vulnerability scanning and penetration testing

Answer 76

Vulnerability scanning by eavesdropping is passive, while penetration testing with credentials is active

Vulnerability scanning and penetration testing can use passive or active reconnaissance techniques. A passive approach tries to discover issues without causing an impact to systems, whereas an active approach may cause instability on a scanned system.

Penetration testing is non-malicious; therefore, it is a “white hat” activity, not “black hat.”
Penetration testing is considered “ethical hacking,” but vulnerability scanning is not. Vulnerability scanning is used to uncover system weaknesses, not to try to hack into the system.
Both vulnerability scanning and penetration testing are forms of reconnaissance, or information gathering. The hacker likely has to find some way of escalating the privileges available to them

Question 77

An IT director reads about a new form of malware that targets a system widely utilized in the company’s network. The director wants to discover whether the network has been targeted, but also wants to conduct the scan without disrupting company operations or tipping off potential attackers to the investigation. Determine the best tool for the investigation

Answer 77

Threat Hunting
Where a pen test attempts to demonstrate a system’s weakness or achieve intrusion, threat hunting is based only on analysis of data within the system. It is potentially less disruptive than pen testing.

Question 78

What are credentialed scans?

Answer 78

A credentialed scan has a user account with logon rights to hosts and permissions appropriate for the testing routines. Credentialed scans are intrusive and allow in-depth analysis and insight to what an insider attack might achieve.

Question 79

What is a configuration review?

Answer 79

A configuration review assesses the configuration of security controls and application settings & permissions compared to established benchmarks.

Configuration reviews investigate how system misconfigurations make controls less effective or ineffective, such as antivirus software not being updated, or management passwords left configured to the default. Configuration reviews generally require a credentialed scan.

Question 80

What is Penetration testing?

Answer 80

Penetration testing, an intrusive, active scanning technique, does not stop at detection, but attempts to gain access to a system.

Question 81

A network administrator uses two different automated vulnerability scanners. They regularly update with the latest vulnerability feeds. If the system regularly performs active scans, what type of error is the system most likely to make?

Answer 81

False positive

something that is identified by a scanner or other assessment tool as being a vulnerability, when in fact it is not.

Question 82

Which scanning technique does not use system login?

Answer 82

A non-credentialed scan proceeds by directing test packets at a host without being able to log on to the OS or application.
A non-credentialed scan provides a view of what the host exposes to an unprivileged user on the network.

Question 83

Passive vs. Active Scanning

Answer 83

Scan intrusiveness is a measure of how much the scanner interacts with the target. Active scanning consumes more network bandwidth than passive scanning.

Active scanning means probing the device’s configuration using some type of network connection with the target. This type of scanning runs the risk of crashing the target of the scan or causing some other sort of outage.

Passive scanning has the least impact on the network and on hosts but is less likely to identify vulnerabilities comprehensively.

Question 84

Why use non-credential vulnerability scans?

Answer 84

Often the most appropriate technique for external assessment of the network perimeter or when performing web application scanning

Question 85

A contractor has been hired to conduct penetration testing on a company’s network. They have decided to try to crack the passwords on a percentage of systems within the company. They plan to annotate the type of data that is on the systems that they can successfully crack to prove the ease of access to data.
Determine which pen steps are being used.

Answer 85

Test security controls & exploit vulnerabilities
Identifying weak passwords is actively testing security controls.
exploiting vulnerabilities is being used by proving that a vulnerability is high risk. The list of critical data obtained will prove that the weak passwords can allow access to critical information.

Question 86

A hacker set up a Command and Control network to control a compromised host. What is the ability of the hacker to use this remote connection method as needed known as?

Answer 86

Persistence refers to the hacker’s ability to reconnect to the compromised host and use it as a Remote Access Tool (RAT) or backdoor. To do this, the hacker must establish a Command and Control (C2 or C&C) network.

Question 87

What is pivoting?

Answer 87

Pivoting follows persistence. It involves a system and/or set of privileges that allow the hacker to compromise other network systems (lateral spread). The hacker likely has to find some way of escalating the privileges available to him/her.

Question 88

Define weaponization

Answer 88

Weaponization is an exploit used to gain some sort o access to a target’s network, but it doesn’t involve being able to reconnect.

Question 89

What threat actors are white box, gray box, and black box used for?

Answer 89

White box tests are useful for simulating the behavior of a privileged insider threat. Gray box tests are useful for simulating the behavior of an unprivileged insider threat. Black box external threat

Question 90

A purchasing manager is browsing a list of products on a vendor’s website when a window opens claiming that anti-malware software has detected several thousand files on his computer that are infected with viruses. Instructions in the official-looking window indicate the user should click a link to install software that will remove these infections. What type of social engineering attempt is this, or is it a false alarm?

Answer 90

This is a social engineering attempt utilizing a watering hole attack and/or malvertising.

Question 91

Your CEO calls to request market research data immediately be forwarded to her personal email address. You recognize her voice, but a proper request form has not been filled out and use of third-party email is prohibited. She states that normally she would fill out the form and should not be an exception, but she urgently needs the data to prepare for a round table at a conference she is attending. What type of social engineering techniques could this use, or is it a false alarm?

Answer 91

Spear phishing + Vishing
If social engineering, this is spear phishing (the attack uses specific detail) over a voice channel (vishing). It is possible that it uses deep fake technology for voice mimicry. The use of a sophisticated attack for a relatively low value data asset seems unlikely, however. A fairly safe approach would be to contact the CEO back on a known mobile number.

Question 92

Your company manages marketing data and private information for many high-profile clients. You are
hosting an open day for prospective employees. With the possibility of social engineering attacks in
mind, what precautions should employees take when the guests are being shown around the office?

Answer 92

Employees should specifically be wary of shoulder surfing attempts to observe passwords and the like.

Question 93

A system administrator has just entered their credentials to enter a secure server room. As the administrator is entering the door, someone is walking up to the door with their hands full of equipment and appears to be struggling to move items around while searching for their credentials. The system administrator quickly begins to assist by getting items out of the person’s hands, and they walk into the room together. This person is not an employee, but someone attempting to gain unauthorized access to the server room. What type of social engineering has occurred?

Answer 93

Consensus/social proof revolves around the belief that without an explicit instruction to behave in a certain way, people will follow social norms. It is typically polite to assist someone with their hands full.

DIFFERENT FROM:
(Familiarity/Liking is when an attacker uses charisma to persuade others to do as requested. They downplay their requests to make it seem like their request is not out of the ordinary.)

Question 94

Before leaving for lunch, an employee receives a phone call, but there is no one on the line. Distracted by the odd interruption, the employee forgets to log out of the computer. Earlier that day, a person from the building across the street watched the employee entering login credentials using high-powered binoculars. Which form of social engineering is being used in this situation?

Answer 94

Shoulder surfing is stealing a password by watching the user type it. Although the attacker was not looking over the employee’s shoulder, the login credentials were obtained through observation.

Question 95

What are social engineering ways a malicious attacker can gain access to a target’s network?

Answer 95

Phishing and shoulder surfing are social engineering attacks. Phishing occurs when an attacker sends a legitimate-looking, spoofed email to a user of the spoofed site to trick the user into revealing private information.

Question 96

What is a pharming attack?

Answer 96

Pharming is a means of redirecting users from a legitimate website to a malicious one that relies on corrupting the way the victim’s computer performs IP address resolution.
A customer enters the correct URL address of their bank, which should point to the IP address 172.1.24.4. However, the browser goes to 168.254.1.1, which is a fake site designed to look exactly like the real bank site.

Question 97

An individual receives a text message that appears to be a warning from a well-known order fulfillment company, informing them that the carrier has tried to deliver his package twice, and that if the individual does not contact them to claim it, the package will not be delivered. Analyze the scenario and select the social engineering technique being used.

Answer 97

SMiShing attempts use short message service (SMS) text communications as the vector.

Question 98

Why would someone require keyboard encryption software be installed on a computer?

Answer 98

To protect against spyware
Keyboard encryption software is used to protect against keyloggers, which record keystrokes for the purpose of stealing data. Keyloggers are spyware.

Question 99

A gaming company decides to add software on each title it releases. The company’s objective is to require the CD to be inserted during use. This software will gain administrative rights, change system files, and hide from detection without the knowledge or consent of the user. Consider the malware characteristics and determine which is being used.

Answer 99

A rootkit is characterized by its ability to hide itself by changing core system files and programming interfaces and to escalate privileges. The gaming company accomplished this.

Trojans cannot conceal their presence entirely and will surface as a running process or service. While a rootkit is a type of Trojan or spyware, it differs in its ability to hide itself.

Question 100

A user’s PC is infected with a virus that appears to be a memory resident and loads anytime an external universal serial bus (USB) thumb drive is attached. What is this infection type?

Answer 100

With a boot virus, code is written to the disk boot sector or the partition table of a fixed disk or USB media. The code executes as a memory resident process when the OS starts.

Question 101

An employee calls IT personnel and states that they received an email with a PDF document to review. After the PDF was opened, the system has not been performing correctly. An IT admin conducted a scan and found a virus. Determine the two classes of viruses the computer most likely has.

Answer 101

Both a program and script virus can use a PDF as a vector. The user stated that a PDF file was recently opened. A program virus is executed when an application is executed. Executable objects can also be embedded or attached within other file types such as Microsoft Word and Rich Text Format.

Question 102

You are troubleshooting a user’s workstation. At the computer, an app window displays on the screen claiming that all of your files are encrypted. The app window demands that you make an anonymous payment if you ever want to recover your data. What type of malware has infected the computer?

Answer 102

This is some type of ransomware, but it will take more investigation whether it is actually crypto-malware or not.

Question 103

You are recommending different anti-virus products to the CEO of small travel services firm. The CEO is confused, because they had heard that Trojans represent the biggest threat to computer security these days. What explanation can you give?

Answer 103

While antivirus (A-V) remains a popular marketing description, all current security products try to provide protection against a full range of malware and potentially unwanted program (PUP) threats.

Question 104

You are writing a security awareness blog for company CEOs subscribed to your threat platform. Why are backdoors and Trojans different ways of classifying and identifying malware risks?

Answer 104

A Trojan means a malicious program masquerading as something else; a backdoor is a covert means of accessing a host or network. A Trojan need not necessarily operate a backdoor and a backdoor can be established by exploits other than using Trojans. The term remote access Trojan (RAT) is used for the specific combination of Trojan and backdoor.

Question 105

You are investigating a business email compromise (BEC) incident. The email account of a developer has been accessed remotely over webmail. Investigating the developer’s workstation finds no indication of a malicious process, but you do locate an unknown USB extension device attached to one of the rear ports. Is this the most likely attack vector, and what type of malware would it implement?

Answer 105

It is likely that the USB device implements a hardware-based keylogger. This would not necessarily require any malware to be installed or leave any trace in the file system.

Question 106

A user’s computer is performing extremely slowly. Upon investigating, you find that a process named n0tepad.exe is utilizing the CPU at rates of 80-90%. This is accompanied by continual small disk reads and writes to a temporary folder. Should you suspect malware infection and is any particular class of indicated?

Answer 106

Yes, this is malware as the process name is trying to masquerade as a legitimate process. It is not possible to conclusively determine the type without more investigation, but you might initially suspect a crypto miner/ crypto-jacker.

Question 107

Is Cuckoo a type of malware or a security product?

Answer 107

Cuckoo is a security product designed to analyze malware as it runs in an isolated sandbox environment.

Question 108

Which part of a simple cryptographic system must be kept secret—the cipher, the ciphertext, or the key?

Answer 108

In cryptography, the security of the message is guaranteed by the security of the key. The system does not depend on hiding the algorithm or the message (security by obscurity).

Question 109

Considering that cryptographic hashing is one-way and the digest cannot be reversed, what makes hashing a useful security technique

Answer 109

Because two parties can hash the same data and compare checksums to see if they match, hashing can be used for data verification in a variety of situations, including password authentication. Hashes of passwords, rather than the password plaintext, can be stored securely or exchanged for authentication. A hash of a file or a hash code in an electronic message can be verified by both parties.

Question 110

Which security property is assured by symmetric encryption?

Answer 110

Confidentiality—symmetric ciphers are generally fast and well suited to bulk encrypting large amounts of data.

Question 111

What are the properties of a public/private key pair?

Answer 111

Each key can reverse the cryptographic operation performed by its pair but cannot reverse an operation performed by itself. The private key must be kept secret by the owner, but the public key is designed to be widely distributed. The private key cannot be determined from the public key, given a sufficient key size.

Question 112

What is the process of digitally signing a message?

Answer 112

A hashing function is used to create a message digest. The digest is then signed using the sender’s private key. The resulting signature can be decrypted by the recipient using the sender’s public key and cannot be modified by any other agency. The recipient can calculate his or her own digest of the message and compare it to the signed hash to validate that the message has not been altered.

Question 113

In a digital envelope, which key encrypts the session key?

Answer 113

The recipient’s public key (typically from the server’s key pair).

Question 114

True or False? Perfect forward secrecy (PFS) ensures that a compromise of a server’s private key will not also put copies of traffic sent to that server in the past at risk of decryption.

Answer 114

True. PFS ensures that ephemeral keys are used to encrypt each session. These keys are destroyed after use.

Question 115

Why does Diffie-Hellman underpin perfect forward secrecy (PFS)?

Answer 115

Diffie-Hellman allows the sender and recipient to derive the same value (the session key) from some other preagreed values. Some of these are exchanged, and some kept private, but there is no way for a snooper to work out the secret just from the publicly exchanged values. This means session keys can be created without relying on the server’s private key, and that it is easy to generate ephemeral keys that are different for each session.

Question 116

What type of bulk encryption cipher mode of operation offers the best security?

Answer 116

Generally, counter modes implementing Authenticated Encryption with Additional Data (AEAD). Specific examples include AES-GCM and ChaCha20-Poly1305.

Question 117

True or false? Cryptography is about keeping things secret so they cannot be used as the basis of a
non-repudiation system.

Answer 117

False—the usages are not exclusive. There are different types of cryptography and some can be used for nonrepudiation. The principle is that if an encryption method (cipher and key) is known only to one person, that person cannot then deny having composed a message. This depends on the algorithm design allowing recipients to decrypt the message but not encrypt it.

Question 118

How can cryptography support high resiliency?

Answer 118

A complex system might have to support many inputs from devices installed to potentially unsecure locations. Such a system is resilient if compromise of a small part of the system is prevented from allowing compromise of the whole system. Cryptography assists this goal by ensuring the authentication and integrity of messages delivered over the control system.

Question 119

For which types of system will a cipher suite that exhibits high latency be problematic?

Answer 119

High latency is not desirable in any system really, but it will affect real time protocols that exchange voice or
video most. In network communications, latency makes the initial protocol handshake longer, meaning delay for
users and possible application timeout issues.

Question 120

What is the relevance of entropy to cryptographic functions?

Answer 120

Entropy is a measure of how disordered something is. A disordered ciphertext is desirable, because remaining features of order from the plaintext make the ciphertext vulnerable to analysis. Identical plaintexts need to be initialized with random or counter values when encrypted by the same key, and the cryptosystem needs a source of randomness to generate strong keys.

Question 121

Your company creates software that requires a database of stored encrypted passwords. What security control could you use to make the password database more resistant to brute force attacks?

Answer 121

Using a key stretching password storage library, such as PBKDF2, improves resistance to brute-force cracking methods. You might also mention that you could use policies to make users choose longer, non trivial passwords.

Question 122

Which cryptographic technology is most useful for sharing medical records with an analytics
company?

Answer 122

Homomorphic encryption allows calculations to be performed while preserving privacy and confidentiality by keeping the data encrypted.

Question 123

You are assisting a customer with implementing data loss prevention (DLP) software. Of the two products left in consideration, one supports steganalysis of image data, but the other does not. What is the risk of omitting this capability?

Answer 123

A threat actor could conceal information within an image file and use that to bypass the DLP system. One thing to note is that attackers could find other ways to implement covertexts (audio or video, for instance) or abuse protocol coding. There are many things that steganalysis needs to be able to scan for! You might also note that steganography is not only a data exfiltration risk. It can also be used to smuggle malicious code into a host system.

Question 124

A security technician needs to transfer a large file to another user in a data center. What type of encryption the technician should use to perform the task?

Answer 124

The technician should use Asymmetric encryption to verify the data center user’s identity and agree on a Symmetric encryption algorithm for the data transfer.