CompTIA Security+ Questions (Lesson 11-21) Flashcards
An attacker modifies the HOSTS file on a workstation to redirect traffic. Consider the types of attacks and deduce which type of attack has likely occurred.
DNS server cache poisoning
DNS spoofing
DNS client cache poisoning
Typosquatting
DNS client cache poisoning
The HOSTS file is checked before using Domain Name System (DNS). Its contents are loaded into a cache of known names and the client only contacts a DNS server if the name is not cached. If an attacker can place a false name, then the attacker will be able to direct traffic.
A system administrator is configuring a new Dynamic Host Configuration Protocol (DHCP) server. Consider the various types of attacks specific to DHCP and determine which steps the system administrator should take to protect the server. (Select all that apply.)
Use scanning and intrusion detection to pick up suspicious activity.
Disable DHCP snooping on switch access ports to block unauthorized servers.
Enable logging and review the logs for suspicious events.
Disable unused ports and perform regular physical inspections to look for unauthorized devices.
Use scanning and intrusion detection to pick up suspicious activity.
Enable logging and review the logs for suspicious events.
Disable unused ports and perform regular physical inspections to look for unauthorized devices.
An organization routinely communicates directly to a partner company via a domain name. The domain name now leads to a fraudulent site for all users. Systems administrators for the organization find incorrect host records in DNS. What do the administrators believe to be the root cause?
A server host has a poisoned ARP cache.
Some user systems have invalid hosts file entries.
An attacker masquerades as an authoritative name server.
The domain servers have been hijacked.
An attacker masquerades as an authoritative name server.
DNS server cache poisoning aims to corrupt the records held by the DNS server itself. A DNS server queries an authoritative server for domain information. An attacker can masquerade as an authoritative name server and respond with fraudulent information.
An authoritative server for a zone creates an RRset signed with a Zone Signing Key. Another server requests a secure record exchange and the authoritative server returns the package along with the public key. Evaluate the scenario to determine what the authoritative server is demonstrating in this situation.
Domain Name System (DNS)
DNS Security Extension
DNS Footprinting
Dynamic Host Configuration Protocol (DHCP)
DNS Security Extension
When a company attempts to re-register their domain name, they find that an attacker has supplied false credentials to the domain registrar and redirected their host records to a different IP address. What type of attack has occurred?
Domain hijacking
Domain Name System (DNS) client cache poisoning
Rogue Dynamic Host Configuration Protocol (DHCP)
Domain Name System (DNS) server cache poisoning
Domain hijacking
A system administrator is setting up a new Simple Mail Transfer Protocol (SMTP) configuration. Make recommendations for how the administrator should configure the ports. (Select all that apply.)
Port 110 should be used by mail clients to submit messages for delivery.
Port 143 should be used to connect clients.
Port 25 should be used for message relay.
Port 465 should be used for message submission over implicit TLS.
Port 25 should be used for message relay.
Port 465 should be used for message submission over implicit TLS.
Port 25 is used for message relay between Simple Mail Transfer Protocol (SMTP) servers or Message Transfer Agents (MTA). If security is required and supported by both servers, the STARTTLS command can be used to set up the secure connection.
Port 465 is used by providers and mail clients for message submission over implicit Transport Layer Security (TLS).
A security engineer encrypted traffic between a client and a server. Which security protocol is the best for the engineer to configure if an ephemeral key agreement is used?
AES 256
TLS 1.2
TLS 1.3
SHA 384
TLS 1.3
Only ephemeral key agreement is supported in TLS 1.3. The signature type is supplied in the certificate, so the cipher suite only lists the bulk encryption key strength and mode of operation (AES_256_GCM), plus the cryptographic hash algorithm (SHA384).
Transport Layer Security (TLS) version 1.3 improves upon a vulnerability in TLS 1.2. Which statement correctly describes a remedy for this vulnerability?
TLS version 1.3 is backward compatible with earlier versions of transport layer security.
TLS version 1.3 removes the ability to downgrade to weaker encryption ciphers and earlier versions of transport layer security.
TLS version 1.3 creates a secure link between the client and server using Secure Shell (SSH) over TCP port 22.
TLS 1.3 can use more secure authentication and authorization methods, such as Security Assertion Markup Language (SAML) and Open Authorization (OAuth).
TLS version 1.3 removes the ability to downgrade to weaker encryption ciphers and earlier versions of transport layer security.
If an administrator in an exchange server needs to send digitally signed and encrypted messages, what messaging implementation will best suit the administrator’s needs?
Secure/Multipurpose Internet Mail Extensions (S/MIME)
Secure Post Office Protocol v3 (POP3S)
Internet Message Access Protocol v4 (IMAP4)
Simple Mail Transfer Protocol (SMTP)
Secure/Multipurpose Internet Mail Extensions (S/MIME)
One means of applying authentication and confidentiality on a per-message basis is an email encryption standard called Secure/Multipurpose Internet Mail Extensions (S/MIME). S/MIME adds digital signatures and public key cryptography to mail communications. To use S/MIME, a sender and receiver exchange digital certificates signed by a certification authority (CA).
A technician is configuring Internet Protocol Security (IPSec) for communications over a Virtual Private Network (VPN). Evaluate the features of available modes and recommend the best option for implementation.
Tunnel mode because the whole IP packet is encrypted, and a new IP header is added.
Transport mode because the whole IP packet is encrypted, and a new IP header is added.
Tunnel mode because the payload is encrypted.
Transport mode because the payload is encrypted.
Tunnel mode because the whole IP packet is encrypted, and a new IP header is added.
A system administrator uses a Graphical User Interface (GUI) remote administration tool over TCP port 3389 to manage a server operating Windows 2016. Evaluate the types of remote administration tools to conclude which protocol the administrator is using.
Secure Shell
Telnet
Dynamic Host Configuration Protocol
Remote Desktop
Remote Desktop
A security administrator employs a security method that can operate at layer 3 of the OSI model. Which of the following secure communication methods could the security administrator be using? (Select all that apply.)
ESP
AH
TLS
IKE
ESP
AH
Encapsulating Security Payload (ESP) provides confidentiality and/or authentication and integrity. ESP is one of the two core protocols of IPsec.
AH is another core protocol of IPsec. The Authentication Header (AH) protocol performs a cryptographic hash on the whole packet, including the IP header, plus a shared secret key (known only to the communicating hosts), and adds this HMAC in its header as an Integrity Check Value (ICV).
A system administrator needs secure remote access into a Linux server. Evaluate the types of remote administration to recommend which protocol should be used in this situation.
Telnet
Secure Shell (SSH)
Remote Desktop Protocol (RDP)
Kerberos
Secure Shell (SSH)
Analyze the methods for authentication to a Secure Shell (SSH) and determine which statement best summarizes the host-based authentication method.
The user’s private key is configured with a passphrase that must be input to access the key.
The client submits credentials that are verified by the SSH server using RADIUS.
The client submits a Ticket Granting Ticket (TGT) that is obtained when the user logged onto the workstation.
The client sends a request for authentication and the server generates a challenge with the public key.
The client sends a request for authentication and the server generates a challenge with the public key.
In host-based authentication, the server is configured with a list of authorized client public keys. The client requests authentication using one of these keys and the server generates a challenge with the public key.
Analyze the features of a Full Disk Encryption (FDE) to select the statements that accurately reflect this type of security. (Select all that apply.)
FDE encrypts the files that are listed as critical with one encryption key.
The encryption key that is used for FDE can only be stored in a TPM on the disk for security.
A drawback of FDE is that the cryptographic operations performed by the OS reduce performance.
FDE requires the secure storage of the key used to encrypt the drive contents.
A drawback of FDE is that the cryptographic operations performed by the OS reduce performance.
FDE requires the secure storage of the key used to encrypt the drive contents.
Compare and evaluate the various levels and types of security found within a Trusted OS (TOS) to deduce which scenario is an example of a hardware Root of Trust (RoT).
A security system is designed to prevent a computer from being hijacked by a malicious operating system.
The boot metrics and operating system files are checked, and signatures verified at logon.
Digital certificates, keys, and hashed passwords are maintained in hardware-based storage.
The industry standard program code that is designed to operate the essential components of a system.
The boot metrics and operating system files are checked, and signatures verified at logon.
Compare and evaluate the various levels and types of platform security to conclude which option applies to a hardware Trusted Platform Module (TPM).
A specification for a suite of high-level communication protocols used for network communication.
The boot metrics and operating system files are checked and signatures verified at logon.
Digital certificates, keys, and hashed passwords are maintained in hardware-based storage.
The industry standard program code that is designed to operate the essential components of a system.
Digital certificates, keys, and hashed passwords are maintained in hardware-based storage.
Given knowledge of secure firmware implementation, select the statement that describes the difference between secure boot and measured boot.
Secure boot requires a unified extensible firmware interface (UEFI) and trusted platform module (TPM), but measured boot requires only a unified extensible firmware interface (UEFI).
Secure boot provisions certificates for trusted operating systems (OSes) and blocks unauthorized OSes. Measured boot stores and compares hashes of critical boot files to detect the presence of unauthorized processes.
Secure boot is the process of sending a signed boot log or report to a remote server, while measured boot provisions certificates for trusted operating systems (OSes) and blocks unauthorized OSes.
Secure boot requires a unified extensible firmware interface (UEFI) but does not require a trusted platform module (TPM). Measured boot is the mechanism by which a system sends a signed boot log or report to a remote server.
Secure boot provisions certificates for trusted operating systems (OSes) and blocks unauthorized OSes. Measured boot stores and compares hashes of critical boot files to detect the presence of unauthorized processes.
Contrast vendor support for products and services at the end of their life cycle. Which of the following statements describes the difference between support available during the end of life (EOL) phase and end of service life (EOSL) phase?
During the end of life (EOL) phase, manufacturers provide limited support, updates, and spare parts. In the end of service life (EOSL), developers or vendors no longer support the product and no longer push security updates.
During the end of service life (EOSL) phase, manufacturers provide limited support, updates, and spare parts. In the end of life (EOL), developers or vendors no longer support the product and no longer push security updates.
All vendors adhere to a policy of providing five years of mainstream support (end of life support) and five years of extended support (end of service life support), during which vendors only ship security updates.
A well-maintained piece of software is in its end of service life (EOSL) stage. Abandonware refers to a product during the end of life (EOL) stage, which no longer receives updates.
During the end of life (EOL) phase, manufacturers provide limited support, updates, and spare parts. In the end of service life (EOSL), developers or vendors no longer support the product and no longer push security updates.
A network manager is installing a new switch on the network. Which option does the manager use to harden network security after installation?
A Group Policy Object (GPO) should be configured to deploy custom settings.
The Server Core option should be used to limit the device to only using Hyper-V and DHCP.
Microsoft Baseline Security Analyzer (MBSA) is used on Windows networks and validates the security configuration of a Windows system.
The network manager should ensure all patches are applied and it is appropriately configured.
The network manager should ensure all patches are applied and it is appropriately configured.
Evaluate approaches to applying patch management updates to select the accurate statement.
Operating System major release updates can cause problems with software application compatibility.
Applying all patches as released is more time consuming than only applying patches as needed.
It is more costly to apply all patches, so most companies choose to apply patches on an as-needed basis.
It is best practice to install patches immediately to provide the highest level of security for workstations.
Operating System major release updates can cause problems with software application compatibility.
A system administrator has received new systems to deploy within a work center. Which of the following should the system administrator implement to ensure proper hardening without impacting functionality? (Select all that apply.)
Remove all third-party software.
Disable ports that allow client software to connect to applications.
Disable any network interfaces that are not required.
Disable all unused services.
Disable ports that allow client software to connect to applications.
Disable any network interfaces that are not required.
Disable all unused services.
Select the options that can be configured by Group Policy Objects (GPOs). (Select all that apply.)
Registry settings
Code signing
Access policies
Baseline deviation
Registry settings
Access policies
During a training event, an executive at a large company asks the security manager trainer why pushing automatic updates as a patch management solution is not ideal for their Enterprise network. How will the security manager most likely respond?
The security manager pushes updates individually, based on office hours.
Automatic updates can cause performance and availability issues.
A patch management suite is impractical for Enterprise networks.
Next-generation endpoint protection suites perform patch management.
Automatic updates can cause performance and availability issues.
You are asked to help design a security system. What are some methods that can be used to mitigate risks to embedded systems in security environments? (Select all that apply.)
Faraday cage
Firmware patching
Network Segmentation
Wrappers
Firmware patching
Network Segmentation
Wrappers
Evaluate the threats and vulnerabilities regarding medical devices and then select accurate statements. (Select all that apply.)
Medical devices are only those devices located outside of the hospital setting, including defibrillators and insulin pumps.
Attackers may attempt to gain access in order to kill or injure patients, or hold medical units ransom.
Medical devices are updated regularly to secure them against vulnerabilities and protect patient safety.
Many portable devices, such as cardiac monitors and insulin pumps, run on unsupported operating systems.
Attackers may attempt to gain access in order to kill or injure patients, or hold medical units ransom.
Many portable devices, such as cardiac monitors and insulin pumps, run on unsupported operating systems.
Compare the features of static and dynamic computing environments and then select the accurate statements. (Select all that apply.)
Embedded systems are typically static computing environments, while most personal computers are dynamic computing environments.
Dynamic computing environments are easier to update than static computing environments.
Dynamic computing environments give less control to users than static computing environments.
Dynamic computing environments are easier to secure than static computing environments.
Embedded systems are typically static computing environments, while most personal computers are dynamic computing environments.
Dynamic computing environments are easier to update than static computing environments.
Examine the differences between general purpose personal computer hosts and embedded systems and select the true statements regarding embedded system constraints. (Select all that apply.)
Many embedded systems work on battery power, so they cannot require significant processing overhead.
Many embedded systems rely on a root of trust established at the hardware level by a trusted platform module (TPM).
Embedded systems often use the system on chip (SoC) design to save space and increase power efficiency.
Most embedded systems are based on a common but customizable design, such as FPGA.
Many embedded systems work on battery power, so they cannot require significant processing overhead.
Embedded systems often use the system on chip (SoC) design to save space and increase power efficiency.
A company security manager takes steps to increase security on Internet of Things (IoT) devices and embedded systems throughout a company’s network and office spaces. What measures can the security manager use to implement secure configurations for these systems? (Select all that apply.)
Isolate hosts that are using legacy versions of operating systems (OSes) from other network devices through network segmentation.
Use wrappers, such as Internet Protocol Security (IPSec), for embedded systems’ data in transit.
Increase network connectivity for embedded systems so they receive regular updates.
Maintain vendor-specific software configuration on Internet of Things (IoT) devices that users operate at home and in the office.
Isolate hosts that are using legacy versions of operating systems (OSes) from other network devices through network segmentation.
Use wrappers, such as Internet Protocol Security (IPSec), for embedded systems’ data in transit.
A system administrator is deploying a new web server. Which hardening procedures should the administrator consider? (Select all that apply.)
The administrator should use SFTP to transfer files to and from the server remotely.
Any guest web access that exists on the web server should be disabled or removed.
The administrator should assign a digital certificate and enable the use of TLS 1.3.
The configuration templates contain vulnerabilities, and the administrator should not utilize them.
The administrator should use SFTP to transfer files to and from the server remotely.
The administrator should assign a digital certificate and enable the use of TLS 1.3.
A system administrator needs to implement a secure remote administration protocol and would like more information on Telnet. Evaluate and select the features of Telnet that the administrator should consider to accomplish this task. (Select all that apply.)
Telnet uses encryption to send passwords.
Telnet does not support direct file transfer.
FTP supports both direct file transfer and encryption.
Telnet uses TCP port 23.
Telnet is a secure option.
Telnet does not support direct file transfer.
Telnet uses TCP port 23.
The owner of a company asks a network manager to recommend a mobile device deployment model for implementation across the company. The owner states security is the number one priority. Which deployment model should the network manager recommend for implementation?
BYOD since the company can restrict the usage to business only applications.
CYOD because even though the employee picks the device, the employee only conducts official business on it.
COPE because the device is chosen and supplied by the company, retaining ownership, but allows employee usage for personal email, public web browsing, and social media.
COBO because the device is the property of the company and can only be used for company business.
COBO because the device is the property of the company and can only be used for company business.
Corporate Owned, Business Only (COBO) devices provide the greatest security of the four mobile device deployment models. The device is the property of the company and may only be used for company business.
A user would like to install an application on a mobile device that is not authorized by the vendor. The user decides the best way to accomplish the install is to perform rooting on the device. Compare methods for obtaining access to conclude which type of device the user has, and what actions the user has taken.
The user has an iOS device and has used custom firmware to gain access to the administrator account.
The user has an Android device and has used custom firmware to gain access to the administrator account.
The user has an iOS device and has booted the device with a patched kernel.
The user has an Android device and has booted the device with a patched kernel.
The user has an Android device and has used custom firmware to gain access to the administrator account.
Analyze mobile device deployment models to select the best explanation of the Corporate Owned, Personally-Enabled (COPE) deployment model.
The employee may use the mobile device to access personal email and social media accounts. The device is chosen and supplied by the company.
The employee may use the mobile device to access personal email and social media accounts. The device is chosen and supplied by the employee.
The device is the property of the company and may only be used for company business.
The employee may use the mobile device to access personal email and social media accounts. The device is chosen by the employee and supplied by the company.
The employee may use the mobile device to access personal email and social media accounts. The device is chosen and supplied by the company.
Analyze and compare iOS and Android operating systems (OS) to accurately differentiate between the two. (Select all that apply.)
Android releases updates often, while iOS updates are released more sporadically.
iOS is limited to Apple products, while Android has multiple hardware vendors.
Android is an open source OS based on Linux, unlike iOS, which is a closed and proprietary system.
iOS is more vulnerable to attack due to being a closed source, while Android is more secure with multiple partners working to secure the OS.
iOS is limited to Apple products, while Android has multiple hardware vendors.
Android is an open source OS based on Linux, unlike iOS, which is a closed and proprietary system.
Pilots in an Air Force unit utilize government-issued tablet devices loaded with navigational charts and aviation publications, with all other applications disabled. This illustrates which type of mobile device deployment?
BYOD
COBO
COPE
CYOD
COBO
An attacker uses spoofed GPS coordinates on a stolen mobile device, attempting to gain access to an enterprise network. Which statement best describes the attack vector?
The attacker uses the spoofed coordinates to defeat containerization on the target network.
The attacker uses spoofed coordinates to perform a bluesnarfing attack.
The attacker uses spoofed coordinates to establish a rogue wireless access point.
The attacker uses spoofed coordinates to defeat geofencing on the target network.
The attacker uses spoofed coordinates to defeat geofencing on the target network.
Analyze the following scenarios and determine which accurately describes the use of an ad hoc Wi-Fi network.
Two or more wireless devices connect to each other on a temporary basis.
A smartphone shares its Internet connection with a PC.
A mobile device connects with a wireless speaker and keyboard.
A smartphone connects to a PC via Bluetooth.
Two or more wireless devices connect to each other on a temporary basis.
A user facing a tight deadline at work experiences difficulties logging in to a network workstation, so the user activates a smartphone hotspot and connects a company laptop to save time. Which of the following vulnerabilities has the user potentially created for the enterprise environment?
A device in “discoverable” mode can exploit outdated software patches.
The device may be vulnerable to a skimming attack.
The device may be able to defeat geofencing mechanisms.
The device may circumvent data loss prevention and web content filtering policies.
The device may circumvent data loss prevention and web content filtering policies.
An attacker steals personal data from a user device with an outdated Bluetooth authentication mechanism. What type of attack has occurred?
Bluejacking
Bluesnarfing
Bluetooth jamming
Jailbreaking
Bluesnarfing
Which microwave connection mode is most appropriate for forming a strong connection between two sites?
P2P
P2M
OTA
OTG
P2P
A point-to-point topology occurs when two nodes have a dedicated connection to one another. In a point-to-multipoint topology, a central node mediates links between remote nodes.
Point-to-multipoint (P2M) microwave uses smaller sectoral antennas, each covering a separate quadrant. Where P2P is between two sites, P2M links multiple sites or subscriber nodes to a single hub.
Over-the-air (OTA) firmware updates are delivered to radio devices via a cellular data connection.
The USB on the go (OTG) specification allows a mobile device to act as a host when a device, such as an external drive or keyboard, is attached. USB OTG allows a port to function either as a host or as a device.
Identify the type of attack that occurs when the outcome of an execution process is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer.
Stack overflow
Race conditions
Dynamic Link Library (DLL) injection
Integer overflow
Race conditions
Analyze types of vulnerabilities and summarize a zero-day exploit.
A design flaw that can cause the application security system to be circumvented.
A vulnerability that is capitalized on before the developer knows about it.
An attack that passes invalid data to an application.
An attack that passes data to deliberately overflow the buffer that the application reserves to store the expected data.
A vulnerability that is capitalized on before the developer knows about it.
Which of the following is a common solution that protects an application from behaving in an unexpected way when passing invalid data through an attack?
Buffer overflow
Race conditions
Zero-day exploit
Input Validation
Input Validation
A system administrator is working to restore a system affected by a stack overflow. Analyze the given choices and determine which overflow vulnerability the attacker exploited.
An attacker changes the return address of an area of memory used by a program subroutine.
An attacker overwrites an area of memory allocated by an application to store variables.
An attacker exploits insecure code with more values than an array expects.
An attacker causes the target software to calculate a value that exceeds the set bounds.
An attacker changes the return address of an area of memory used by a program subroutine.
A stack is an area of memory used by a program subroutine. It includes a return address, which is the location in the program that called the subroutine. An attacker could use a buffer overflow to change the return address, which is called a stack overflow.
A threat actor programs an attack designed to invalidate memory locations to crash target systems. Which statement best describes the nature of this attack?
The attacker created a null pointer file to conduct a dereferencing attack.
The attacker programmed a dereferencing attack.
The attacker programmed a null pointer dereferencing exception.
The attacker created a race condition to perform a null pointer dereferencing attack.
The attacker programmed a null pointer dereferencing exception.
Dereferencing occurs when a pointer variable stores a memory location and the program attempts to read or write that memory address via the pointer. If the memory location is invalid or null, this creates a null pointer dereference type of exception and the process may crash.
Dereferencing does not mean deleting or removing; it means read or resolve.
Which method might an attacker use to redirect login via information gained by implementing JavaScript on a webpage the user believes is legitimate?
Man-in-the-Browser (MitB)
Confused deputy
Reflected
Clickjacking
Clickjacking
A security analyst is assessing the security of their company’s web application. They have determined multiple occurrences of XSS attacks and need to identify what type of XSS attacks occurred in order to apply the proper remediation. Which of the following accurately distinguishes between Reflected XSS, Stored XSS, and DOM XSS attacks?
Reflected XSS attacks exploit client-side scripts by capturing user input and reflecting it back to the client, while Stored XSS attacks exploit vulnerabilities in client-side scripts by storing malicious code in a database. DOM XSS attacks exploit vulnerabilities in server-side scripts by manipulating the Document Object Model (DOM).
Reflected XSS attacks exploit server-side scripts by capturing user input and reflecting it back to the client, while Stored XSS attacks exploit vulnerabilities in server-side scripts by storing malicious code in a database. DOM XSS attacks exploit vulnerabilities in client-side scripts by manipulating the Document Object Model (DOM).
Reflected XSS attacks exploit client-side scripts by capturing user input and reflecting it back to the client, while Stored XSS attacks exploit vulnerabilities in server-side scripts by storing malicious code in a database. DOM XSS attacks exploit vulnerabilities in server-side scripts by manipulating the Document Object Model (DOM).
Nonpersistent XSS and Persistent XSS attacks exploit client-side scripts, while the DOM is used to exploit vulnerabilities in server-side scripts by manipulating the Document Object Model.
Reflected XSS attacks exploit server-side scripts by capturing user input and reflecting it back to the client, while Stored XSS attacks exploit vulnerabilities in server-side scripts by storing malicious code in a database. DOM XSS attacks exploit vulnerabilities in client-side scripts by manipulating the Document Object Model (DOM).
An attacker finds a way to exploit a vulnerability in a target application that allows the attacker to bypass a password requirement. Which method did the attacker most likely use?
The attacker added LDAP filters as unsanitized input by creating a condition that is always true.
The attacker inserted code into a back-end database by submitting a post to a bulletin board with a malicious script embedded in the message.
The attacker embedded a request for a local resource via XML with no encryption.
The attacker modified a basic SQL function, adding code to some input that an app accepts, causing it to execute the attacker’s query.
The attacker added LDAP filters as unsanitized input by creating a condition that is always true.
Analyze the following statements and select the statement which correctly explains the difference between cross-site scripting (XSS) and cross-site request forgery (XSRF).
XSRF spoofs a specific request against the web application, while XSS is a means of running any arbitrary code.
XSS is not an attack vector, but the means by which an attacker can perform XSRF, the attack vector.
XSRF requires a user to click an embedded malicious link, whereas the attacker embeds an XSS attack in the Document Object Model (DOM) script.
XSRF is a server-side exploit, while XSS is a client-side exploit.
XSRF spoofs a specific request against the web application, while XSS is a means of running any arbitrary code.
Which type of attack disguises the nature of malicious input, preventing normalization from stripping illegal characters?
Fuzzing
Canonicalization
Code reuse
Code signing
Canonicalization
The threat actor might use a canonicalization attack to disguise the nature of the malicious input. Canonicalization refers to the way the server converts between the different methods by which a resource (such as a file path or URL) may be represented and submitted to the simplest (or canonical) method used by the server to process the input.
Which scenario best describes provisioning?
A developer removes an application from packages or instances.
A developer deploys an application to the target environment.
A developer sets up an ID system for each iteration of a software product.
A developer commits and tests updates.
A developer deploys an application to the target environment.
Which of the following statements differentiates between input validation and output encoding?
Input validation ensures that data input into an application is in a compatible format for the application, while output encoding re-encodes data that transfers between scripts.
Input validation is a server-side validation method, while output encoding is a client-side validation method.
Output encoding is a server-side validation method, while input validation is a client-side validation method.
Input validation forces the browser to connect using HTTPS only, while output encoding sets whether the browser can cache responses.
Input validation ensures that data input into an application is in a compatible format for the application, while output encoding re-encodes data that transfers between scripts.
Which cookie attribute can a security admin configure to help mitigate a request forgery attack?
Secure
HttpOnly
SameSite
Cache-Control
SameSite
Cookies can be a vector for session hijacking and data exposure if not configured correctly. Use the SameSite attribute to control where a cookie may be sent, mitigating request forgery attacks.
A network user calls the help desk after receiving an error message. The caller complains that the error message does not indicate whether the username or password input was incorrect but simply states there was an authentication error. What does this situation illustrate?
Effective exception handling
Dynamic code analysis
Minimizing data exposure
Web application validation
Effective exception handling
An employee is attempting to install new software they believe will help them perform their duties faster. When the employee tries to install the software, an error message is received, stating they are not authorized to install the software. The employee calls the help desk for assistance. Evaluate the principles of execution control to conclude what has most likely occurred in this scenario.
The company is utilizing allow list control, and the software is included in the list.
The software is malicious, and execution control has identified the virus and is blocking the installation.
The company is utilizing allow list control, and the software is not included in the list.
The company is utilizing block list control, and the software is not included in the list.
The company is utilizing allow list control, and the software is not included in the list.
Which of the following is NOT a scripting language?
regex
PowerShell
JavaScript
Python
regex
Examine each of the following statements and determine which most accurately compares allow list and block list control practices.
An allow list depends on security clearance levels, while a block list depends on the primacy of the resource owner.
A block list operates on a default-deny policy, while an allow list is a default-allow policy.
A block list depends on the primacy of the resource owner, while an allow list depends on security clearance levels.
An allow list operates on a default-deny policy, while a block list is a default-allow policy.
An allow list operates on a default-deny policy, while a block list is a default-allow policy.
Execution control is the process of determining what additional software or scripts a host can run or install beyond its baseline. An allow list is a default-deny policy, meaning that only authorized processes and scripts are permitted to run. An allow list may impede accessibility and increase support time and costs.
A hacker compromises a web browser and uses access to harvest credentials users input when logging in to banking websites. What type of attack has occurred?
Evil twin
Man-in-the-Browser
Session hijacking
Clickjacking
Man-in-the-Browser
An attacker compromises a Linux host, installing a web shell as a backdoor. If the attacker gained access to the host through a connection the host established, what type of attack has occurred?
Man-in-the-Browser (MitB)
Reverse shell
Rootkit
Session hijacking
Reverse shell
A reverse shell is a common attack vector against a Linux host, where a victim host opens a connection to the attacking host through a maliciously spawned remote command shell.