Chapter 8 Test 2 Flashcards
During a system audit, Casey notices that the private key for her organization’s web server has been stored in a public Amazon S3 storage bucket for more than a year. What should she do?
Remove the key from the bucket.
Notify all customers that their data may have been exposed.
Request a new certificate using a new key.
Nothing, because the private key should be accessible for validation
C. The first thing Casey should do is notify her management, but after that, replacing the certificate and using proper key management practices with the new certificate’s key should be at the top of her list.
Which one of the following would be considered an example of infrastructure as a service cloud computing?
Payroll system managed by a vendor and delivered over the web
Application platform managed by a vendor that runs customer code
Servers provisioned by customers on a vendor-managed virtualization platform
Web-based email service provided by a vendor
C. One of the core capabilities of infrastructure as a service is providing servers on a vendor-managed virtualization platform. Web-based payroll and email systems are examples of software as a service. An application platform managed by a vendor that runs customer code is an example of platform as a service.
Which of the following is not a common threat to access control mechanisms?
Fake login pages
Phishing
Dictionary attacks
Man-in-the-middle attacks
B. Phishing is not an attack against an access control mechanism. While phishing can result in stolen credentials, the attack itself is not against the control system and is instead against the person being phished. Dictionary attacks and man-in-the-middle attacks both target access control systems.
The IP address 201.19.7.45 is what type of address?
A public IP address
An RFC 1918 address
An APIPA address
A loopback address
A. 201.19.7.45 is a public IP address.
RFC 1918 addresses are in the ranges 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255. APIPA addresses are assigned from 169.254.0.0 to 169.254.255.254, and 127.0.0.1 is a loopback address (although technically the entire 127.x.x.x network is reserved for loopback).
What type of alternate processing facility contains the hardware necessary to restore operations but does not have a current copy of data?
Hot site
Warm site
Cold site
Mobile site
B. Warm sites contain the hardware necessary to restore operations but do not have a current copy of data.
James has opted to implement a NAC solution that uses a post-admission philosophy for its control of network connectivity. What type of issues can’t a strictly post-admission policy handle?
Out-of-band monitoring
Preventing an unpatched laptop from being exploited immediately after connecting to the network
Denying access when user behavior doesn’t match an authorization matrix
Allowing user access when user behavior is allowed based on an authorization matrix
B. A post-admission philosophy allows or denies access based on user activity after connection. Since this doesn’t check the status of a machine before it connects, it can’t prevent the exploit of the system immediately after connection. This doesn’t preclude out-of-band or in-band monitoring, but it does mean that a strictly post-admission policy won’t handle system checks before the systems are admitted to the network.
What process adds a header and a footer to data received at each layer of the OSI model?
Attribution
Encapsulation
TCP wrapping
Data hiding
B. Encapsulation is a process that adds a header and possibly a footer to data received at each layer before handoff to the next layer. TCP wrappers are a host-based network access control system, attribution is determining who or what performed an action or sent data, and data hiding is a term from object-oriented programming that is not relevant here.
Which of the following is not one of the four canons of the (ISC)2 code of ethics?
Avoid conflicts of interest that may jeopardize impartiality.
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
A. The four canons of the (ISC)2 code of ethics are to protect society, the common good, necessary public trust and confidence, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession.
Jim starts a new job as a system engineer, and his boss provides him with a document entitled “Forensic Response Guidelines.” Which one of the following statements is not true?
Jim must comply with the information in this document.
The document contains information about forensic examinations.
Jim should read the document thoroughly.
The document is likely based on industry best practices.
A. Guidelines provide advice based on best practices developed throughout industry and organizations, but they are not compulsory. Compliance with guidelines is optional.
Alex has been employed by his company for more than a decade and has held a number of positions in the company. During an audit, it is discovered that he has access to shared folders and applications because of his former roles. What issue has Alex’s company encountered?
Excessive provisioning
Unauthorized access
Privilege creep
Account review
C. Privilege creep occurs when users retain rights from roles they held previously that they do not need to accomplish their current job. Unauthorized access occurs when an unauthorized user accesses files. Excessive provisioning is not a term used to describe permissions issues, and account review would help find issues like this.
RIP, OSPF, and BGP are all examples of protocols associated with what type of network device?
Switches
Bridges
Routers
Gateways
C. Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP) are all routing protocols and are associated with routers.
If Susan’s organization requires her to log in with her username, a PIN, a password, and a retina scan, how many distinct authentication factor types has she used?
One
Two
Three
Four
B. Susan has used two distinct types of factors: the PIN and password are both Type 1 factors, and the retina scan is a Type 3 factor. Her username is not a factor.
What process makes TCP a connection-oriented protocol?
It works via network connections.
It uses a handshake.
It monitors for dropped connections.
It uses a complex header.
B. TCP’s use of a handshake process to establish communications makes it a connection-oriented protocol. TCP does not monitor for dropped connections, nor does the fact that it works via network connections make it connection-oriented.
What is the goal of the BCP process?
RTO < MTD
MTD < RTO
RPO < MTD
MTD < RPO
A. The goal of the business continuity planning process is to ensure that your recovery time objectives are all less than your maximum tolerable downtimes.
Which one of the following is an example of an administrative control?
Intrusion detection system
Security awareness training
Firewalls
Security guards
B. Awareness training is an example of an administrative control. Firewalls and intrusion detection systems are technical controls. Security guards are physical controls.
What level of RAID is also known as disk mirroring?
RAID 0
RAID 1
RAID 5
RAID 10
B. RAID level 1 is also known as disk mirroring. RAID 0 is called disk striping. RAID 5 is called disk striping with parity. RAID 10 is known as a stripe of mirrors.
Lauren needs to send information about services she is provisioning to a third-party organization. What standards-based markup language should she choose to build the interface?
SAML
SOAP
SPML
XACML
C. Service Provisioning Markup Language, or SPML, is an XML-based language designed to allow platforms to generate and respond to provisioning requests. SAML is used to exchange authorization and authentication data, while XACML is used to describe access controls. SOAP, or Simple Object Access Protocol, is a messaging protocol and could be used for any XML messaging but is not a markup language itself.
TCP and UDP both operate at what layer of the OSI model?
Layer 2
Layer 3
Layer 4
Layer 5
C. TCP, UDP, and other transport layer protocols like SSL and TLS operate at the Transport layer.
Linda is selecting a disaster recovery facility for her organization, and she wants to retain independence from other organizations as much as possible. She would like to choose a facility that balances cost and recovery time, allowing activation in about one week after a disaster is declared. What type of facility should she choose?
Cold site
Warm site
Mutual assistance agreement
Hot site
B. Linda should choose a warm site. This approach balances cost and recovery time. Cold sites take a long time to activate, measured in weeks or months. Hot sites activate immediately but are quite expensive. Mutual assistance agreements depend on the support of another organization.
Which one of the following backup types does not alter the status of the archive bit on a file?
Full backup
Incremental backup
Partial backup
Differential backup
D. Differential backups do not alter the archive bit on a file, whereas incremental and full backups reset the archive bit to 0 after the backup completes. Partial backups are not a backup type.
During which phase of the incident response process would administrators design new security controls intended to prevent a recurrence of the incident?
Reporting
Recovery
Remediation
Lessons Learned
C. The Remediation phase of incident handling focuses on conducting a root-cause analysis to identify the factors contributing to an incident and implementing new security controls, as needed.
What type of Windows audit record describes events like an OS shutdown or a service being stopped?
An application log
A security log
A system log
A setup log
C. Windows system logs include reboots, shutdowns, and service state changes. Application logs record events generated by programs, security logs track events like logins and uses of rights, and setup logs track application setup.
Microsoft’s STRIDE threat assessment framework uses six categories for threats: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. If a penetration tester is able to modify audit logs, what STRIDE categories best describe this issue?
Tampering and information disclosure
Elevation of privilege and tampering
Repudiation and denial of service
Repudiation and tampering
D. Modification of audit logs undermines non-repudiation because the log data can no longer be trusted, so actions can be denied without any way to prove otherwise. The modification of the logs is also a direct example of tampering. It might initially be tempting to answer elevation of privilege and tampering, as the attacker made changes to files that should be protected, but this is an unknown without more information. Similarly, the attacker may have accessed the files, resulting in information disclosure in addition to tampering, but again, this is not specified in the question. Finally, this did not cause a denial of service, and thus that answer can be ignored.
What type of access control is being used in the following permission listing?
Storage Device X
User1: Can read, write, list
User2: Can read, list
User3: Can read, write, list, delete
User4: Can list
Resource-based access controls
Role-based access controls
Mandatory access controls
Rule-based access controls
A. Resource-based access controls match permissions to resources like a storage volume. Resource-based access controls are becoming increasingly common in cloud-based infrastructure as a service environments. The lack of roles, rules, or a classification system indicates that role-based, rule-based, and mandatory access controls are not in use here.
Fred’s company wants to ensure the integrity of email messages sent via its central email servers. If the confidentiality of the messages is not critical, what solution should Fred suggest?
Digitally sign and encrypt all messages to ensure integrity.
Digitally sign but don’t encrypt all messages.
Use TLS to protect messages, ensuring their integrity.
Use a hashing algorithm to provide a hash in each message to prove that it hasn’t changed.
B. Fred’s company needs to protect integrity, which can be accomplished by digitally signing messages. Any change will cause the signature to be invalid. Encrypting isn’t necessary because the company does not want to protect confidentiality. TLS can provide in-transit protection but won’t protect the integrity of the messages themselves, and of course a hash used without a way to verify that the hash wasn’t changed won’t ensure integrity either.
Which one of the following goals of physical security environments occurs first in the functional order of controls?
Delay
Detection
Deterrence
Denial
C. Deterrence is the first functional goal of physical security mechanisms. If a physical security control presents a formidable challenge to a potential attacker, they may not attempt the attack in the first place.
Lauren is responsible for building a banking website. She needs proof of the identity of the users who register for the site. How should she validate user identities?
Require users to create unique questions that only they will know.
Require new users to bring their driver’s license or passport in person to the bank.
Use information that both the bank and the user have such as questions pulled from their credit report.
Call the user on their registered phone number to verify that they are who they claim to be.
C. Identity proofing can be done by comparing user information that the organization already has, such as account numbers or personal information. Requiring users to create unique questions can help with future support by providing a way for them to do password resets. Using a phone call only verifies that the individual who created the account has the phone that they registered and won’t prove their identity. In-person verification would not fit the business needs of most websites.
Surveys, interviews, and audits are all examples of ways to measure what important part of an organization’s security posture?
Code quality
Service vulnerabilities
Awareness
Attack surface
C. Interviews, surveys, and audits are all useful for assessing awareness. Code quality is best judged by code review, service vulnerabilities are tested using vulnerability scanners and related tools, and the attack surface of an organization requires both technical and administrative review.
Which one of the following is not a valid key length for the Advanced Encryption Standard?
128 bits
192 bits
256 bits
384 bits
D. The Advanced Encryption Standard supports encryption with 128-bit keys, 192-bit keys, and 256-bit keys.
Which one of the following is not a technique used by virus authors to hide the existence of their virus from anti-malware software?
Stealth
Multipartitism
Polymorphism
Encryption
B. Multipartite viruses use multiple propagation mechanisms to defeat system security controls but do not necessarily include techniques designed to hide the malware from antivirus software. Stealth viruses tamper with the operating system to hide their existence. Polymorphic viruses alter their code on each system they infect to defeat signature detection. Encrypted viruses use a similar technique, employing encryption to alter their appearance and avoid signature detection mechanisms.
Which one of the following is an example of risk transference?
Building a guard shack
Purchasing insurance
Erecting fences
Relocating facilities
B. Risk transference involves actions that shift risk from one party to another. Purchasing insurance is an example of risk transference because it moves risk from the insured to the insurance company.
Kyle is being granted access to a military computer system that uses System High mode. What is not true about Kyle’s security clearance requirements?
Kyle must have a clearance for the highest level of classification processed by the system, regardless of his access.
Kyle must have access approval for all information processed by the system.
Kyle must have a valid need to know for all information processed by the system.
Kyle must have a valid security clearance.
C. For systems running in System High mode, the user must have a valid security clearance for all information processed by the system, access approval for all information processed by the system, and a valid need to know for some, but not necessarily all, information processed by the system.
Tom is conducting a business continuity planning effort for Orange Blossoms, a fruit orchard located in Central Florida. During the assessment process, the committee determined that there is a small risk of snow in the region but that the cost of implementing controls to reduce the impact of that risk is not warranted. They elect to not take any specific action in response to the risk. What risk management strategy is Orange Blossoms pursuing?
Risk mitigation
Risk transference
Risk avoidance
Risk acceptance
D. Risk acceptance occurs when an organization determines that the costs involved in pursuing other risk management strategies are not justified and they choose not to pursue any action.
Carla has worked for her company for 15 years and has held a variety of different positions. Each time she changed positions, she gained new privileges associated with that position, but no privileges were ever taken away. What concept describes the sets of privileges she has accumulated?
Entitlement
Aggregation
Transitivity
Isolation
B. Carla’s account has experienced aggregation, where privileges accumulated over time. This condition is also known as privilege creep and likely constitutes a violation of the least privilege principle.
Which one of the following types of agreements is the most formal document that contains expectations about availability and other performance parameters between a service provider and a customer?
Service-level agreement (SLA)
Operational-level agreement (OLA)
Memorandum of understanding (MOU)
Statement of work (SOW)
A. The service-level agreement (SLA) is between a service provider and a customer and documents in a formal manner expectations around availability, performance, and other parameters. An MOU may cover the same items but is not as formal a document. An OLA is between internal service organizations and does not involve customers. An SOW is an addendum to a contract describing work to be performed.
Chris has been assigned to scan a system on all of its possible TCP and UDP ports. How many ports of each type must he scan to complete his assignment?
65,536 TCP ports and 32,768 UDP ports
1,024 common TCP ports and 32,768 ephemeral UDP ports
65,536 TCP and 65,536 UDP ports
16,384 TCP ports and 16,384 UDP ports
C. Both TCP and UDP port numbers are 16-bit numbers, which means there can be 2^16 ports, or 65,536 ports, numbered from 0 to 65,535.
Lauren starts at her new job and finds that she has access to a variety of systems that she does not need to accomplish her job. What problem has she encountered?
Privilege creep
Rights collision
Least privilege
Excessive privileges
D. When users have more rights than they need to accomplish their job, they have excessive privileges. This is a violation of the concept of least privilege. Unlike creeping privileges, this is a provisioning or rights management issue rather than a problem of retention of rights the user needed but no longer requires. Rights collision is a made-up term and thus is not an issue here.
Jim has been contracted to perform a penetration test of a bank’s primary branch. To make the test as real as possible, he has not been given any information about the bank other than its name and address. What type of penetration test has Jim agreed to perform?
A crystal-box penetration test
A gray-box penetration test
A black-box penetration test
A white-box penetration test
C. Jim has agreed to a black-box penetration test, which provides no information about the organization, its systems, or its defenses. A crystal- or white-box penetration test provides all of the information an attacker needs, whereas a gray-box penetration test provides some, but not all, information.
Lauren builds a table that includes assigned privileges, objects, and subjects to manage access control for the systems she is responsible for. Each time a subject attempts to access an object, the systems check the table to ensure that the subject has the appropriate rights to the objects. What type of access control system is Lauren using?
A capability table
An access control list
An access control matrix
A subject/object rights management system
C. An access control matrix is a table that lists objects, subjects, and their privileges. Access control lists focus on objects and which subjects can access them. Capability tables list subjects and what objects they can access. Subject/object rights management systems are not based on an access control model.
A cloud-based service that provides account provisioning, management, authentication, authorization, reporting, and monitoring capabilities is known as what type of service?
PaaS
IDaaS
IaaS
SaaS
B. Identity as a service (IDaaS) provides capabilities such as account provisioning, management, authentication, authorization, reporting, and monitoring. Platform as a service (PaaS), infrastructure as a service (IaaS), and software as a service (SaaS) are other types of cloud computing capabilities that are not specialized identity management services.