D7 Systems and Application Security Flashcards
Tiffany needs to assess the patch level of a Windows 2012 server and wants to use a freely available tool to check the system for security issues. Which of the following tools will provide the most detail about specific patches installed or missing from her machine?
A. Nmap
B. Nessus
C. MBSA
D. Metasploit
C. MBSA
Explanation
The Microsoft Baseline Security Analyzer (MBSA) is a free Microsoft tool that reports installed and missing patches along with common security misconfigurations. Because it runs locally with administrative rights, it sees more than an unauthenticated Nmap or Nessus scan would, and it reports the specific patches that are present or missing. Metasploit has some limited scanning capability but is not the right tool for this job. Note that Microsoft has since retired MBSA; on current systems the same patch inventory comes from Windows Update, WSUS reporting, or PowerShell's Get-HotFix.
Maria wants to deploy an anti‐malware tool to detect zero‐day malware. What type of detection method should she look for in her selected tool?
A. Signature‐based
B. Heuristic‐based
C. Trend‐based
D. Availability‐based
B. Heuristic‐based
Explanation
Heuristic detection judges a program by what it does, or by what its code looks like it would do, rather than by matching a known signature. A common form runs the suspect file in a sandbox and tracks its behavior; if the actions match those typical of malware (persistence changes, injection into other processes, suspicious network activity), the tool flags it even though the file matches no known fingerprint. This is what makes heuristics useful against zero-day malware, at the cost of a higher false-positive rate than signatures.
Cameron is configuring his organization’s Internet router and would like to enable anti‐spoofing technology. Which one of the following source IP addresses on an inbound packet should trigger anti‐spoofing controls?
A. 192.168.163.109
B. 13.5.102.5
C. 124.70.14.100
D. 222.222.222.222
A. 192.168.163.109
Explanation
The 192.168.0.0/16 range, which includes 192.168.163.109, is one of the three blocks reserved by RFC 1918 for private use (with 10.0.0.0/8 and 172.16.0.0/12). These addresses are not routable on the Internet, so a packet arriving on the Internet-facing interface with such a source address is spoofed and should be dropped. The other addresses listed are ordinary public IP addresses.
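The anti-spoofing rule described above, written out as an ingress filter. This is an added example, not part of the original flashcard; it generalizes from RFC 1918 to the other source ranges that should never arrive from the Internet (loopback, link-local, multicast, reserved) and also rejects packets that claim one of the organization's own public prefixes, which is the other classic spoof. The packet tuples and the internal prefix 13.5.102.0/24 are constructed for the illustration.

```python
import ipaddress

# Source ranges that must never appear on a packet arriving from the Internet.
# RFC 1918 private space plus the other non-routable ("bogon") ranges.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
)]


def spoofed_source(src: str, internal_prefixes=()) -> bool:
    """Return True when an inbound packet's source address should be dropped.

    internal_prefixes: the organization's own public prefixes (hypothetical
    values in the test). A packet arriving *from the Internet* that claims one
    of them cannot be genuine, so it is treated as spoofed as well.
    """
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGON_SOURCES):
        return True
    return any(addr in ipaddress.ip_network(p) for p in internal_prefixes)


def filter_inbound(packets, internal_prefixes=()):
    """packets: iterable of (src, dst) strings. Returns (accepted, dropped)."""
    accepted, dropped = [], []
    for src, dst in packets:
        bucket = dropped if spoofed_source(src, internal_prefixes) else accepted
        bucket.append((src, dst))
    return accepted, dropped


if __name__ == "__main__":
    # Constructed sample: the four addresses from the question, inbound to a
    # hypothetical public host 203.0.113.10.
    sample = [(s, "203.0.113.10") for s in
              ("192.168.163.109", "13.5.102.5", "124.70.14.100", "222.222.222.222")]
    ok, bad = filter_inbound(sample)
    print("accepted:", ok)
    print("dropped: ", bad)
```

The same list, applied in the other direction, is egress filtering: a packet leaving the organization whose source is not one of its own prefixes is either misconfigured or part of an attack and should be dropped at the edge too.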
The company that Lauren works for is making significant investments in infrastructure as a service hosting to replace its traditional data center. Members of her organization’s management have expressed concerns about data remanence when Lauren’s team moves from one virtual host to another in their cloud service provider’s environment. What should she instruct her team to do to avoid this concern?
A. Zero‐wipe drives before moving systems.
B. Use full disk encryption.
C. Use data masking.
D. Span multiple virtual disks to fragment data.
B. Use full disk encryption.
Explanation
Lauren’s team should use full disk encryption or volume encryption and should secure the encryption keys properly. This will ensure that any data that remains cannot be exposed to future users of the virtual infrastructure. While many cloud providers have implemented technology to ensure that this won’t happen, Lauren can avoid any potential issues by ensuring that she has taken proactive action to prevent data exposure. Using a zero wipe is often impossible because virtual environments may move without her team’s intervention, data masking will not prevent unmasked data or temporary data stored on the virtual disks from being exposed, and spanning multiple virtual disks will still leave data accessible, albeit possibly in fragmented form.
Geoff is responsible for hardening systems on his network and discovers that a number of network appliances have exposed services including telnet, FTP, and web servers. What is his best option to secure these systems?
A. Enable host firewalls.
B. Install patches for those services.
C. Turn off the services for each appliance.
D. Place a network firewall between the devices and the rest of the network.
D. Place a network firewall between the devices and the rest of the network.
Explanation
Geoff’s only sure bet to prevent these services from being accessed is to put a network firewall in front of them. Many appliances enable services by default, but since they are appliances, they may not have host firewalls available to enable. They also often don’t have patches available, and many appliances do not allow the services they provide to be disabled or modified.
Chris wants to prevent users from running a popular game on Windows workstations he is responsible for. How can Chris accomplish this for Windows 10 Pro workstations?
A. Using application whitelisting to prevent all unallowed programs from running
B. Using Windows Defender and adding the game to the blacklist file
C. By listing in the Blocked Programs list via secpol.msc
D. You cannot blacklist applications in Windows 10 without a third‐party application.
A. Using application whitelisting to prevent all unallowed programs from running
Explanation
Windows 10 Pro and Enterprise support application whitelisting. Chris can whitelist his allowed programs and then set the default mode to disallowed, preventing all other applications from running and thus blacklisting the application. This can be a bit of a maintenance hassle but can be useful for high security environments or those in which limiting what programs can run is critical.
Isaac wants to prevent hosts from connecting to known malware distribution domains. What type of solution can he use to do this without deploying endpoint protection software or an IPS?
A. Route poisoning
B. Anti‐malware router filters
C. Subdomain whitelisting
D. DNS blackholing
D. DNS blackholing
Explanation
DNS blackholing (also called sinkholing) takes a list of known malicious domains and configures the organization's internal DNS server to answer queries for them with a sinkhole address instead of the real one, so hosts never reach the malicious site and the sinkhole can log which hosts tried. Route poisoning prevents networks from sending data to an invalid destination. Routers do not typically offer an anti-malware filter feature, and subdomain whitelisting was made up for this question.
Senior management in Adam’s company recently read a number of articles about massive ransomware attacks that successfully targeted organizations like the one that Adam is part of. Adam’s organization already uses layered security solutions including a border IPS, firewalls between network zones, local host firewalls, antivirus software, and a configuration management system that applies recommended operating system best practice settings to their workstations. What should Adam recommend to minimize the impact of a similar ransomware outbreak at his organization?
A. Honeypots
B. Backups
C. Anti‐malware software
D. A next‐generation firewall appliance
B. Backups
Explanation
In many cases, backups are the best way to minimize the impact of a ransomware outbreak: if files are encrypted, they can be restored without paying. Preventive controls still matter, but malware packages change more quickly than signature-based anti-malware software and NGFW vendors can react, so they cannot be relied on to stop every variant. A honeypot does nothing to reduce the impact of ransomware, so it can be dismissed quickly. Backups only deliver this benefit if they are kept isolated from the systems they protect and are tested; ransomware that can reach a mounted backup share encrypts it too.
During a recent vulnerability scan, Ed discovered that a web server running on his network has access to a database server that should be restricted. Both servers are running on his organization’s VMware virtualization platform. Where should Ed look first to configure a security control to restrict this access?
A. VMware
B. Data center firewall
C. Perimeter (Internet) firewall
D. Intrusion prevention system
A. VMware
Explanation
Because both of these hosts are located on the same virtualization platform, it is likely that the network traffic never leaves that environment and would not be controlled by an external network firewall or intrusion prevention system. Ed should first look at the internal configuration of the virtual network to determine whether he can apply the restriction there.
While conducting a vulnerability scan of his organization’s data center, Renee discovers that the management interface for the organization’s virtualization platform is exposed to the scanner. In typical operating circumstances, what is the proper exposure for this interface?
A. Internet
B. Internal networks
C. No exposure
D. Management network
D. Management network
Explanation
The best practice for securing virtualization platforms is to expose the management interface only to a dedicated management network, accessible only to authorized engineers. This greatly reduces the likelihood of an attack against the virtualization platform.
Angela wants to understand what a malware package does and executes it in a virtual machine that is instrumented using tools that will track what the program does, what changes it makes, and what network traffic it sends while allowing her to make changes on the system or to click on files as needed. What type of analysis has Angela performed?
A. Manual code reversing
B. Interactive behavior analysis
C. Static property analysis
D. Dynamic code analysis
B. Interactive behavior analysis
Explanation
Angela has performed interactive behavior analysis. This process involves executing a file in a fully instrumented environment and then tracking what occurs. Angela’s ability to interact with the file is part of the interactive element and allows her to simulate normal user interactions as needed or to provide the malware with an environment where it can interact like it would in the wild.
While reviewing output from netstat, John sees the following output. What should his next action be?
[minesweeper.exe] TCP 127.0.0.1:62522 dynamo:0 LISTENING
[minesweeper.exe] TCP 192.168.1.100 151.101.2.69:https ESTABLISHED
A. To capture traffic to 151.101.2.69 using Wireshark
B. To initiate the organization’s incident response plan
C. To check to see whether 151.101.2.69 is a valid Microsoft address
D. To ignore it; this is a false positive.
B. To initiate the organization’s incident response plan
Explanation
John has found a program that is both accepting connections and holding an established outbound connection, neither of which is typical for the Minesweeper game. Attackers often disguise trojans as innocuous applications, so John should follow his organization's incident response plan rather than investigate on his own; capturing traffic or checking the remote address may be steps in that plan, but they should happen under it.
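The triage John performed by eye, as detection logic. This is an added example, not code from the original flashcard: it parses netstat-style lines in the one-line format shown above (real `netstat -b` output places the process name on its own line, so a production parser would need to handle that), then flags any process that is both listening and connected outbound to a public address, or any process on an administrator-supplied list of programs that should never touch the network. The sample lines are constructed; the chrome.exe line is added as a benign control.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the flashcard's one-line format.
SAMPLE = """\
[minesweeper.exe] TCP 127.0.0.1:62522 dynamo:0 LISTENING
[minesweeper.exe] TCP 192.168.1.100 151.101.2.69:https ESTABLISHED
[chrome.exe] TCP 192.168.1.100:51002 151.101.2.69:https ESTABLISHED
"""

LINE = re.compile(
    r"\[(?P<proc>[^\]]+)\]\s+(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>\S+))?"          # UDP rows carry no state column
)


def split_endpoint(endpoint: str):
    """'151.101.2.69:https' -> ('151.101.2.69', 'https'); a bare host keeps port ''."""
    host, sep, port = endpoint.rpartition(":")
    return (host, port) if sep else (endpoint, "")


def is_external(host: str) -> bool:
    """Public IP address? Hostnames (e.g. the machine's own name) count as local."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def parse(text: str):
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def triage(text: str, no_network_expected=frozenset()):
    """Return [(process, [external hosts], [reasons])] for processes worth escalating."""
    by_proc = defaultdict(lambda: {"listening": False, "external": set()})
    for r in parse(text):
        entry = by_proc[r["proc"].lower()]
        state = r.get("state") or ""
        host, _ = split_endpoint(r["remote"])
        if state == "LISTENING":
            entry["listening"] = True
        if state == "ESTABLISHED" and is_external(host):
            entry["external"].add(host)

    findings = []
    for proc, e in by_proc.items():
        reasons = []
        if proc in no_network_expected and (e["listening"] or e["external"]):
            reasons.append("network activity from a program that should not use the network")
        if e["listening"] and e["external"]:
            reasons.append("both accepting connections and connected outbound")
        if reasons:
            findings.append((proc, sorted(e["external"]), reasons))
    return findings


if __name__ == "__main__":
    for proc, hosts, reasons in triage(SAMPLE, no_network_expected={"minesweeper.exe"}):
        print(f"{proc}: {hosts} -> {'; '.join(reasons)}")
```

The output is a lead for the incident response process, not a verdict: the next step is to preserve the evidence (process image, memory, the remote address) under the plan rather than to kill the process.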
As Lauren prepares her organization’s security practices and policies, she wants to address as many threat vectors as she can using an awareness program. Which of the following threats can be most effectively dealt with via awareness?
A. Attrition
B. Impersonation
C. Improper usage
D. Web
C. Improper usage
Explanation
Improper usage, which results from violations of an organization’s acceptable use policies by authorized users can be reduced by implementing a strong awareness program. This will help ensure users know what they are permitted to do and what is prohibited. Attrition attacks focus on brute‐force methods of attacking services, impersonation attacks include spoofing, man‐in‐the‐middle attacks, and similar threats. Finally, web‐based attacks focus on websites or web applications. Awareness may help with some specific web‐based attacks like fake login sites, but many others would not be limited by Lauren’s awareness efforts.
Jennifer is an Active Directory domain administrator for her company and knows that a quickly spreading botnet relies on a series of domain names for command and control and that preventing access to those domain names will cause the malware infection that connects to the botnet to fail to take further action. Which of the following actions is her best option if she wants to prevent off‐site Windows users from connecting to botnet command‐and‐control systems?
A. Force a BGP update.
B. Set up a DNS sinkhole.
C. Modify the hosts file.
D. Install an anti‐malware application.
C. Modify the hosts file.
Explanation
Jennifer can push an updated hosts file to her domain‐connected systems that will direct traffic intended for known bad domains to the localhost or a safe system. She might want to work with a security analyst or other IT staff member to capture queries sent to that system to track any potentially infected workstations. A DNS sinkhole would work only if all the systems were using local DNS, and off‐site users are likely to have DNS settings set by the local networks they connect to. Anti‐malware applications may not have an update yet or may fail to detect the malware, and forcing a BGP update for third‐party networks is likely a bad idea!
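The two blocking mechanisms from this question and the DNS blackholing question earlier on the page, side by side. This is an added example, not part of the original flashcards: it renders a managed block of hosts-file entries (idempotent, so the same push can be repeated safely), looks names up the way a Windows client does (hosts file before DNS), and contrasts that with a sinkhole zone on an internal DNS server. The sinkhole address 10.0.0.250, the domain names, and the upstream answers are all constructed. The hosts-file path shows the limitation a practitioner hits first: there are no wildcards, so every hostname the malware might use has to be listed, whereas a DNS sinkhole zone catches every subdomain.

```python
SINKHOLE = "10.0.0.250"                                    # hypothetical internal sinkhole host
BLOCKED = ["c2.example-bad.test", "update.example-bad.test"]  # constructed names
MARK_BEGIN, MARK_END = "# managed-blocklist begin", "# managed-blocklist end"


def hosts_entries(domains, sink=SINKHOLE):
    """One hosts-file line per name. No wildcard support exists in hosts files."""
    return [f"{sink} {d.lower()}" for d in sorted(set(domains))]


def merge_hosts(existing: str, domains, sink=SINKHOLE) -> str:
    """Rewrite only the managed block of a hosts file, leaving other lines alone.
    Pushing the same list twice yields the same file, so the push is idempotent."""
    lines = existing.splitlines()
    if MARK_BEGIN in lines and MARK_END in lines:
        i, j = lines.index(MARK_BEGIN), lines.index(MARK_END)
        lines = lines[:i] + lines[j + 1:]
    block = [MARK_BEGIN] + hosts_entries(domains, sink) + [MARK_END]
    return "\n".join(lines + block) + "\n"


def hosts_lookup(name: str, hosts_text: str):
    """Exact-name match, as the resolver performs it; comments are ignored."""
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and name.lower() in (n.lower() for n in fields[1:]):
            return fields[0]
    return None


def sinkhole_lookup(name: str, zones, sink=SINKHOLE):
    """What a sinkhole zone on an internal DNS server does: every name inside
    a listed zone, subdomains included, resolves to the sink."""
    n = name.lower().rstrip(".")
    zs = [z.lower().rstrip(".") for z in zones]
    return sink if any(n == z or n.endswith("." + z) for z in zs) else None


def resolve(name: str, hosts_text: str, upstream: dict):
    """Windows client order: hosts file first, then whatever DNS server the
    current network assigned (modelled here as a dict of constructed answers)."""
    return hosts_lookup(name, hosts_text) or upstream.get(name.lower())


if __name__ == "__main__":
    hosts = merge_hosts("127.0.0.1 localhost\n", BLOCKED)
    print(hosts)
    upstream = {"sub.c2.example-bad.test": "198.51.100.8"}      # constructed answer
    print("hosts file :", resolve("sub.c2.example-bad.test", hosts, upstream))
    print("DNS sinkhole:", sinkhole_lookup("sub.c2.example-bad.test", ["example-bad.test"]))
```

Whichever mechanism is used, the sink address should be a host that logs connection attempts; the list of clients that try to reach it is the list of machines to investigate.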
Several employees will need to travel with sensitive information on their laptops. Martin is concerned that one of those laptops may be lost or stolen. Which one of the following controls would best protect the data on stolen devices?
A. FDE
B. Strong passwords
C. Cable lock
D. IPS
A. FDE
Explanation
Full disk encryption prevents anyone who gains possession of a device from accessing the data it contains, making it an ideal control to meet Martin’s goal. Strong passwords may be bypassed by directly accessing the disk. Cable locks are not effective for devices used by travelers. Intrusion prevention systems are technical controls that would not affect someone who gained physical access to a device.
Ben is an information security professional at an organization that is replacing its physical servers with virtual machines. As the organization builds its virtual environment, it is decreasing the number of physical servers it uses while purchasing more powerful servers to act as the virtualization platforms.
The IDS Ben is responsible for is used to monitor communications in the data center using a mirrored port on the data center switch. What traffic will Ben see once the majority of servers in the data center have been virtualized?
A. The same traffic he currently sees
B. All inter‐VM traffic
C. Only traffic sent outside the VM environment
D. All inter‐hypervisor traffic
C. Only traffic sent outside the VM environment
Explanation
One of the visibility risks of virtualization is that communication between servers and systems using virtual interfaces can occur "inside" the virtual environment, on the hypervisor's virtual switch, and never reaches the physical data center switch. This means that visibility into traffic in the virtualization environment has to be purpose-built as part of its design. Option D describes part of what he will see, since traffic between hypervisors still crosses the physical switch, but it is incomplete: anything leaving the virtual environment, not just inter-hypervisor traffic, reaches the mirrored port.
Ben is an information security professional at an organization that is replacing its physical servers with virtual machines. As the organization builds its virtual environment, it is decreasing the number of physical servers it uses while purchasing more powerful servers to act as the virtualization platforms.
Ben is concerned about exploits that allow VM escape. What option should Ben suggest to help limit the impact of VM escape exploits?
A. Separate virtual machines onto separate physical hardware based on task or data types.
B. Use VM escape detection tools on the underlying hypervisor.
C. Restore machines to their original snapshots on a regular basis.
D. Use a utility like Tripwire to look for changes in the virtual machines.
A. Separate virtual machines onto separate physical hardware based on task or data types.
Explanation
While working virtual machine escape exploits are rare, the threat is best handled by limiting what a successful attacker gains from reaching the underlying hypervisor. Segmenting virtual machines onto separate hardware by data type or access level limits the potential impact of a hypervisor compromise: if attackers escape to the host, the breach is confined to systems of similar sensitivity. Dedicated escape detection tools are not generally available, restoring machines to their original snapshots will not prevent the exploit from being used again, and Tripwire detects file changes within a guest and is unlikely to catch an exploit that escapes the guest entirely.
Michael is responsible for forensic investigations and is investigating a medium‐severity security incident that involved the defacement of a corporate website. The web server in question ran on a virtualization platform, and the marketing team would like to get the website up and running as quickly as possible. What would be the most reasonable next step for Michael to take?
A. Keep the website offline until the investigation is complete.
B. Take the virtualization platform offline as evidence.
C. Take a snapshot of the compromised system and use that for the investigation.
D. Ignore the incident and focus on quickly restoring the website.
C. Take a snapshot of the compromised system and use that for the investigation.
Explanation
Michael should conduct his investigation, but there is a pressing business need to bring the website back online. The most reasonable course of action would be to take a snapshot of the compromised system and use the snapshot for the investigation, restoring the website to operation as quickly as possible while using the results of the investigation to improve the security of the site.
In a software as a service cloud computing environment, who is normally responsible for ensuring that appropriate firewall controls are in place to protect the application?
A. Customer’s security team
B. Vendor
C. Customer’s networking team
D. Customer’s infrastructure management team
B. Vendor
Explanation
In a software as a service environment, the customer has no access to any underlying infrastructure, so firewall management is a vendor responsibility under the cloud computing shared responsibility model.
Grace would like to implement application control technology in her organization. Users often need to install new applications for research and testing purposes, and she does not want to interfere with that process. At the same time, she would like to block the use of known malicious software. What type of application control would be appropriate in this situation?
A. Blacklisting
B. Graylisting
C. Whitelisting
A. Blacklisting
Explanation
The blacklisting approach to application control allows users to install any software they want except for packages specifically identified by the administrator as prohibited. This would be an appropriate approach in a scenario where users should be able to install any nonmalicious software they want to use.
In a virtualized computing environment, what component is responsible for enforcing separation between guest machines?
A. Guest operating system
B. Hypervisor
C. Kernel
D. Protection manager
B. Hypervisor
Explanation
The hypervisor is responsible for coordinating access to physical hardware and enforcing isolation between different virtual machines running on the same physical platform.
Henry wants to ensure resilience for data that is being actively processed in his organization’s cloud environment. Which of the following techniques is best suited to ensuring that transactions will not be lost if a cloud‐hosted system or container fails during processing?
A. Building retry operations into applications
B. Using a load balancer
C. Using a cluster
D. Using a CDN
A. Building retry operations into applications
Explanation
Resilience on a transactional level is best accomplished at the application level. Load balancers and clusters can ensure that a single failed container or system does not interrupt processing, but first the application or service must know to try again if it does not get a proper or timely response. A content delivery network (CDN) is useful for ensuring that failures of web servers or denial‐of‐service conditions do not prevent a site or service from responding.
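The retry logic the explanation calls for, together with the property that makes retrying safe. This is an added example, not part of the original flashcard. The service is a constructed stand-in for a cloud-hosted instance that can fail either before it does any work or after it has committed but before the reply arrives; the second case is why a retry on its own is not enough and the request has to carry an idempotency key that the service uses to deduplicate. Backoff timings, the key format and the ledger fields are assumptions for the illustration.

```python
import random
import time
import uuid


class TransientError(Exception):
    """A failure worth retrying: the request may or may not have been applied."""


class LedgerService:
    """Constructed stand-in for a cloud-hosted service instance.

    fail_before: call numbers that fail before doing anything (container died early).
    fail_after:  call numbers that apply the debit and then fail before replying.
    """

    def __init__(self, fail_before=(), fail_after=()):
        self.fail_before, self.fail_after = set(fail_before), set(fail_after)
        self.calls = 0
        self.applied = {}      # idempotency key -> result; the deduplication record

    def debit(self, key: str, account: str, amount: int):
        self.calls += 1
        if self.calls in self.fail_before:
            raise TransientError("instance unavailable")
        if key not in self.applied:            # first time this key is seen: apply once
            self.applied[key] = {"account": account, "amount": amount,
                                 "txn": len(self.applied) + 1}
        if self.calls in self.fail_after:      # work committed, reply lost
            raise TransientError("connection reset after commit")
        return self.applied[key]


def with_retry(op, attempts=5, base=0.05, cap=2.0, sleep=time.sleep, rng=random.random):
    """Retry op() on TransientError with capped exponential backoff and full jitter.
    Only safe when op is idempotent; the caller must reuse the same key on every attempt."""
    for n in range(attempts):
        try:
            return op()
        except TransientError:
            if n == attempts - 1:
                raise
            sleep(min(cap, base * 2 ** n) * rng())


def debit_with_retry(service: LedgerService, account: str, amount: int, **retry_kw):
    key = str(uuid.uuid4())    # generated once per logical transaction, not per attempt
    return with_retry(lambda: service.debit(key, account, amount), **retry_kw)


if __name__ == "__main__":
    svc = LedgerService(fail_before={1}, fail_after={2})
    result = debit_with_retry(svc, "acct-1", 25)
    print(result, "after", svc.calls, "calls; debits applied:", len(svc.applied))
```

A load balancer or cluster would route the retried call to a healthy instance, but neither knows that the first attempt's reply was lost; only the application can decide to try again, and only the key keeps that retry from charging twice.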
Ben’s organization has had an issue with unauthorized access to applications and workstations during the lunch hour when employees aren’t at their desk. What are the best types of session management solutions for Ben to recommend to help prevent this type of access?
A. Use session IDs for all access and verify system IP addresses of all workstations.
B. Set session timeouts for applications and use password‐protected screensavers with inactivity time‐outs on workstations.
C. Use session IDs for all applications and use password protected screensavers with inactivity timeouts on workstations.
D. Set session timeouts for applications and verify system IP addresses of all workstations.
B. Set session timeouts for applications and use password‐protected screensavers with inactivity time‐outs on workstations.
Explanation
Since physical access to the workstations is part of the problem, setting application timeouts and password‐protected screensavers with relatively short inactivity timeouts can help prevent unauthorized access. Using session IDs for all applications and verifying system IP addresses would be helpful for online attacks against applications.
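The application side of the recommended control, as an added example that is not part of the original flashcard: a server-side session store that enforces both an idle timeout (the one that matters for the lunch-hour problem) and an absolute lifetime, and that drops the session rather than merely rejecting the request once either has elapsed. The timeout values and session identifiers are assumptions; a real deployment reads them from policy.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60         # seconds without activity before a session is dropped
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard cap regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table. Timeouts are checked on the server using its
    own clock, so a client cannot keep a session alive by lying about activity."""

    def __init__(self, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT):
        self.idle, self.absolute = idle, absolute
        self.sessions = {}

    def create(self, sid: str, user: str, now: float):
        self.sessions[sid] = Session(user, now, now)

    def touch(self, sid: str, now: float):
        """Return the user for a valid session and refresh its idle clock.
        Return None, and remove the session, if either timeout has elapsed."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > self.idle or now - s.created > self.absolute:
            del self.sessions[sid]
            return None
        s.last_seen = now
        return s.user

    def revoke(self, sid: str):
        """Explicit logout; a walk-away lock on the workstation does not reach here,
        which is why the idle timeout must exist independently of it."""
        self.sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    store.create("s1", "alice", now=0)
    print(store.touch("s1", now=600))          # within 15 min: alice
    print(store.touch("s1", now=600 + 901))    # 15 min 1 s idle: None
```

The workstation screensaver lock and the application timeout cover different gaps: the lock stops someone sitting down at an unattended desk, the idle timeout stops a session that was already open in a browser tab from being usable after that person unlocks the machine by other means.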
Which one of the following terms is often used to describe a collection of unrelated patches released in a large collection?
A. Hotfix
B. Update
C. Security fix
D. Service pack
D. Service pack
Explanation
Hotfixes, updates, and security fixes are all synonyms for single patches designed to correct a single problem. Service packs are collections of many different updates that serve as a major update to an operating system or application.
Brian recently joined an organization that runs the majority of its services on a virtualization platform located in its own data center but also leverages an IaaS provider for hosting its web services and an SaaS email system. What term best describes the type of cloud environment this organization uses?
A. Public cloud
B. Dedicated cloud
C. Private cloud
D. Hybrid cloud
D. Hybrid cloud
Explanation
The scenario describes a mix of public cloud and private cloud services. This is an example of a hybrid cloud environment.
Melanie suspects that someone is using malicious software to steal computing cycles from her company. Which one of the following security tools would be in the best position to detect this type of incident?
A. NIDS
B. Firewall
C. HIDS
D. DLP
C. HIDS
Explanation
A host‐based intrusion detection system (HIDS) may be able to detect unauthorized processes running on a system. The other controls mentioned, network intrusion detection systems (NIDSs), firewalls, and DLP systems, are network‐based and may not notice rogue processes.
Renee is a software developer who writes code in Node.js for her organization. The company is considering moving from a self‐hosted Node.js environment to one where Renee will run her code on application servers managed by a cloud vendor. What type of cloud solution is Renee’s company considering?
A. IaaS
B. CaaS
C. PaaS
D. SaaS
C. PaaS
Explanation
In a platform as a service solution, the customer supplies application code that the vendor then executes on its own infrastructure.
Which one of the following files is most likely to contain a macro virus?
A. projections.doc
B. command.com
C. command.exe
D. loopmaster.exe
A. projections.doc
Explanation
Macro viruses live in office productivity documents. For Microsoft Word that means the legacy .doc format and the macro-enabled .docm format introduced alongside the Open XML formats; the plain .docx format cannot carry a VBA project, which is the reason the extensions were split. They are not found in native executables such as .com or .exe files, which carry other kinds of malware. Of the options, projections.doc is the only document.
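A content check for the macro-enabled Open XML formats, as an added example that is not part of the original flashcard. It inspects the zip container for a vbaProject.bin part instead of trusting the extension, and routes the legacy OLE2 (.doc) format, which is not a zip, to a separate path by its magic bytes. The container bytes are constructed in the block (a minimal zip with the relevant part names, not a real Word document), so it runs offline.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
# The VBA project part lives under word/, xl/ or ppt/ depending on the application.
MACRO_PART = "word/vbaProject.bin"


def build_office_file(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style container for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr(MACRO_PART, b"\xd0\xcf\x11\xe0stub")   # placeholder, not real VBA
    return buf.getvalue()


def has_vba_project(data: bytes) -> bool:
    """True if any part of the zip is a VBA project, whatever directory it sits in."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def classify(filename: str, data: bytes) -> str:
    """Decide by content, not extension. A file renamed from .docm to .docx still
    carries the macro part, and the mismatch is itself worth flagging."""
    ext = filename.lower().rsplit(".", 1)[-1]
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole2-inspect-further"      # needs an OLE stream parser
    if has_vba_project(data):
        return "macro-enabled" if ext.endswith("m") else "macro-enabled-extension-mismatch"
    if ext in ("docx", "xlsx", "pptx"):
        return "no-macro"
    return "unknown"


if __name__ == "__main__":
    for name, blob in (("projections.docm", build_office_file(True)),
                       ("projections.docx", build_office_file(False)),
                       ("renamed.docx", build_office_file(True))):
        print(name, "->", classify(name, blob))
```

The legacy branch is deliberately left as a routing decision: inspecting macros inside an OLE2 .doc requires parsing its compound file streams, which is what tools such as oletools do and is out of scope here.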
Martin is inspecting a system where the user reported unusual activity, including disk activity when the system is idle, and abnormal CPU and network usage. He suspects that the machine is infected by a virus but scans come up clean. What malware technique might be in use here that would explain the clean scan results?
A. File infector virus
B. MBR virus
C. Service injection virus
D. Stealth virus
D. Stealth virus
Explanation
One possibility for the clean scan results is that the virus is using stealth techniques, such as intercepting read requests from the antivirus software and returning a correct‐looking version of the infected file. The system may also be the victim of a zero‐day attack, using a virus that is not yet included in the signature definition files provided by the antivirus vendor.
Sara has been asked to explain to her organization what an endpoint detection and response (EDR) system could help the organization do. Which of the following functions is not a typical function for an EDR system?
A. Endpoint data collection and central analysis
B. Automated responses to threats
C. Forensic analysis to help with threat response and detection
D. Cloud and network data collection and central analysis
D. Cloud and network data collection and central analysis
Explanation
Endpoint detection and response (EDR) tools collect telemetry from endpoints (process, file, registry, and network connection events seen by the host agent), centralize it for analysis, support forensic investigation, and can respond automatically, for example by isolating a host. They do not collect network traffic from the wire or cloud infrastructure logs; that broader scope belongs to network detection and response (NDR), cloud security tooling, and the extended detection and response (XDR) products that combine those sources.
Murali wants to ensure that if one of his organization’s laptops is stolen, the data on it cannot be accessed. If he uses whole‐disk encryption, when could data on the drives on his organization’s laptops be accessed?
A. When the systems are off, if the drives are removed and accessed using an external enclosure.
B. When the laptops are booted and users are logged in.
C. When the laptops are booted up but users are not logged in.
D. The data is encrypted both at rest and when the user is logged in.
B. When the laptops are booted and users are logged in.
Explanation
Whole-disk (also called full-disk) encryption protects data at rest. Once the drive has been unlocked and a user is logged in, the operating system reads and writes the data in the clear on the user's behalf, so anything that runs in that session can access it. Note that with a TPM-only unlock (a common BitLocker configuration) the volume is unlocked during boot, before anyone logs in; at that point the login screen and the operating system's access controls, not the encryption, stand between an attacker and the data, which is why pre-boot authentication (a PIN or startup key) is recommended for laptops that travel.
Murali also wants to ensure that data is protected on his organization’s mobile devices. His organization uses iPhones and iPads as their corporate devices. When can he expect data to be encrypted on his corporate mobile devices?
A. When the phone is unlocked
B. When the phone is locked if he enables encryption on the iPhones and iPads
C. When the phone is locked, with or without a passcode
D. When the phone is locked with a passcode, FaceID, or TouchID
D. When the phone is locked with a passcode, FaceID, or TouchID
Explanation
Modern iOS devices always encrypt storage, but the protection that matters is the Data Protection class keys, which are derived from the user's passcode. When a passcode is set (Face ID and Touch ID are conveniences that unlock the same passcode-derived keys), locking the device makes most of those keys unavailable until it is unlocked again. A device with no passcode still has encrypted storage, but its keys are available to anyone who can boot it, so the data is effectively unprotected. Data on an unlocked device is accessible in the clear.