exam 2 Flashcards
What is this attack type:
Attacker obtains bank account number
and birth date by calling the victim.
Vishing
Social engineering over the telephone continues to be an effective attack vector,
and obtaining personal information such as a bank account or birth date would
be considered phishing over voice, or vishing.
What is this attack type:
Attacker modifies a legitimate DNS server to resolve the IP address of a malicious site.
Spoofing
Spoofing happens any time a device pretends to be another device. If a DNS
server has been modified to hand out the IP address of a different server, then
it’s spoofing the IP address of the attacker.
What is this attack type:
Attacker intercepts all communication between a client and a web server.
On-path attack (aka man-in-the-middle)
On-path attacks are quite effective because the attacker can often sit invisibly
between two devices and gather useful information or modify the data streams
in real-time.
what is this attack type:
A virus alert appears in your browser from Microsoft with a phone number to call for support.
Hoax
A threat that seems real but doesn’t actually exist is a hoax. In this example, a
fake web site message is trying to convince you that this fake threat is actually a real security issue.
You’ve hired a third-party to gather information about your company’s
servers and data. The third-party will not have direct access to your
internal network but can gather information from any other source.
Which of the following would BEST describe this approach?
❍ A. Backdoor testing
❍ B. Passive footprinting
❍ C. OS fingerprinting
❍ D. Partially known environment
The Answer: B. Passive footprinting
Passive footprinting focuses on learning as much information from
open sources such as social media, corporate websites, and business
organizations.
The incorrect answers:
A. Backdoor testing
Some active reconnaissance tests will directly query systems to see if a
backdoor has been installed.
C. OS fingerprinting
To fingerprint an operating system, you must actively query and receive
responses across the network.
D. Partially known environment
A partially known environment penetration test is a focused approach
that usually provides detailed information about specific systems or
applications.
Which of these protocols use TLS to provide secure communication? (Select TWO) ❍ A. HTTPS ❍ B. SSH ❍ C. FTPS ❍ D. SNMPv2 ❍ E. DNSSEC ❍ F. SRTP
The Answer: A. HTTPS and C. FTPS
TLS (Transport Layer Security) is a cryptographic protocol used to
encrypt network communication. HTTPS is the Hypertext Transfer
Protocol over TLS, and FTPS is the File Transfer Protocol over TLS.
An earlier version of TLS is SSL (Secure Sockets Layer). Although
we don’t commonly see SSL in use any longer, you may see TLS
communication referenced as SSL.
The incorrect answers:
B. SSH
SSH (Secure Shell) can use symmetric or asymmetric encryption, but
those ciphers are not associated with TLS.
D. SNMPv2
SNMPv2 (Simple Network Management Protocol version 2) does not
implement TLS, or any encryption, within the network communication.
E. DNSSEC
DNSSEC (DNS security extensions) do not provide any confidentiality
of data.
F. SRTP
SRTP (Secure Real-time Transport Protocol) is a VoIP (Voice over IP)
protocol used for encrypting conversations. SRTP protocol commonly uses
AES (Advanced Encryption Standard) for confidentiality
A security incident has occurred on a file server. Which of the following data sources should be gathered to address file storage volatility? (Select TWO) ❍ A. Partition data ❍ B. Kernel statistics ❍ C. ROM data ❍ D. Temporary file systems ❍ E. Process table
The Answer: A. Partition data and D. Temporary file systems
Both temporary file system data and partition data are part of the file
storage subsystem.
The incorrect answers:
B. Kernel statistics
Kernel statistics are stored in memory.
C. ROM data
ROM data is a type of memory storage.
E. Process table
The process table keeps track of system processes, and it stores this
information in RAM.
An IPS at your company has found a sharp increase in traffic from
all-in-one printers. After researching, your security team has found a
vulnerability associated with these devices that allows the device to be
remotely controlled by a third-party. Which category would BEST
describe these devices?
❍ A. IoT
❍ B. RTOS
❍ C. MFD
❍ D. SoC
The Answer: C. MFD
An all-in-one printer that can print, scan, and fax is often categorized as
an MFD (Multifunction Device).
The incorrect answers:
A. IoT
Wearable technology and home automation devices are commonly called
IoT (Internet of Things) devices.
B. RTOS
RTOS (Real-time Operating Systems) are commonly used in
manufacturing and automobiles.
D. SoC
Multiple components that run on a single chip are categorized as an SoC
(System on a Chip).
Which of the following standards provides information on privacy and managing PII? ❍ A. ISO 31000 ❍ B. ISO 27002 ❍ C. ISO 27701 ❍ D. ISO 27001
The Answer: C. ISO 27701
The ISO (International Organization for Standardization) 27701
standard extends the ISO 27001 and 27002 standards to include detailed
management of PII (Personally Identifiable Information) and data privacy.
The incorrect answers:
A. ISO 31000
The ISO 31000 standard sets international standards for risk management
practices.
B. ISO 27002
Information security controls are the focus of the ISO 27002 standard.
D. ISO 27001
The ISO 27001 standard is the foundational standard for Information
Security Management Systems (ISMS).
More information:
SY0-601, Objective 5.2 - Security Frameworks
https://professormesser.link/601050202
Rodney, a security engineer, is viewing this record from the firewall logs:
UTC 04/05/2018 03:09:15809 AV Gateway Alert
136.127.92.171 80 -> 10.16.10.14 60818
Gateway Anti-Virus Alert:
XPACK.A_7854 (Trojan) blocked.
Which of the following can be observed from this log information?
❍ A. The victim’s IP address is 136.127.92.171
❍ B. A download was blocked from a web server
❍ C. A botnet DDoS attack was blocked
❍ D. The Trojan was blocked, but the file was not
The Answer: B. A download was blocked from a web server
A traffic flow from a web server port number (80) to a device port (60818)
indicates that this traffic flow originated on port 80 of the web server. A
file download is one of the most common ways to deliver a Trojan, and
this log entry shows that the file containing the XPACK.A_7854 Trojan
was blocked.
The incorrect answers:
A. The victim’s IP address is 136.127.92.171
The format for this log entry uses an arrow to differentiate between the
attacker and the victim. The attacker IP address is 136.127.92.171, and the
victim’s IP address is 10.16.10.14.
C. A botnet DDoS attack was blocked
A botnet attack would not commonly include a Trojan horse as part of a
distributed denial of service (DDoS) attack.
D. The Trojan was blocked, but the file was not
A Trojan horse attack involves malware that is disguised as legitimate
software. The Trojan malware and the file are the same entity, so there isn’t
a way to decouple the malware from the file
A user connects to a third-party website and receives this message: Your connection is not private. NET::ERR_CERT_INVALID Which of the following attacks would be the MOST likely reason for this message? ❍ A. Brute force ❍ B. DoS ❍ C. On-path ❍ D. Disassociation
The Answer: C. On-path
An on-path attack is often associated with a third-party who is actively
intercepting network traffic. This entity in the middle would not be able
to provide a valid SSL certificate for a third-party website, and this error
would appear in the browser as a warning.
The incorrect answers:
A. Brute force
A brute force attack is commonly associated with password hacks. Brute
force attacks would not cause the certificate on a website to be invalid.
B. DoS
A DoS (Denial of Service) attack would prevent communication to a
server and most likely provide a timeout error. This error is not related to a
service availability issue.
D. Disassociation
Disassociation attacks are commonly associated with wireless networks,
and they usually cause disconnects and lack of connectivity. The error
message in this example does not appear to be associated with a network
outage or disconnection.
An attacker calls into a company’s help desk and pretends to be the
director of the company’s manufacturing department. The attacker
states that they have forgotten their password and they need to have the
password reset quickly for an important meeting. What kind of attack
would BEST describe this phone call?
❍ A. Social engineering
❍ B. Tailgating
❍ C. Vishing
❍ D. On-path
The Answer: A. Social engineering
A social engineering attack takes advantage of authority and urgency
principles in an effort to convince someone else to circumvent normal
security controls.
The incorrect answers:
B. Tailgating
A tailgating attack follows someone else with proper credentials through a
door. This allows the attack to gain access to an area that’s normally locked.
C. Vishing
Vishing (voice phishing) attacks use the phone to obtain private
information from others. In this example, the attacker was not asking for
confidential information.
D. On-path
An on-path attack commonly occurs without any knowledge to the parties
involved, and there’s usually no additional notification that an attack is
underway. In this question, the attacker contacted the help desk engineer
directly.
A security administrator has been using EAP-FAST wireless
authentication since the migration from WEP to WPA2. The company’s
network team now needs to support additional authentication protocols
inside of an encrypted tunnel. Which of the following would meet the
network team’s requirements?
❍ A. EAP-TLS
❍ B. PEAP
❍ C. EAP-TTLS
❍ D. EAP-MSCHAPv2
The Answer: C. EAP-TTLS
EAP-TTLS (Extensible Authentication Protocol - Tunneled Transport
Layer Security) allows the use of multiple authentication protocols
transported inside of an encrypted TLS (Transport Layer Security) tunnel.
This allows the use of any authentication while maintaining confidentiality
with TLS.
The incorrect answers:
A. EAP-TLS
EAP-TLS does not provide a mechanism for using multiple
authentication types within a TLS tunnel.
B. PEAP
PEAP (Protected Extensible Authentication Protocol) encapsulates EAP
within a TLS tunnel, but does not provide a method of encapsulating
other authentication methods.
D. EAP-MSCHAPv2
EAP-MSCHAPv2 (EAP - Microsoft Challenge Handshake
Authentication Protocol v2) is a common implementation of PEAP.
Which of the following would be commonly provided
by a CASB? (Select TWO)
❍ A. List of all internal Windows devices that have not installed the
latest security patches
❍ B. List of applications in use
❍ C. Centralized log storage facility
❍ D. List of network outages for the previous month
❍ E. Verification of encrypted data transfers
❍ F. VPN connectivity for remote users
The Answer: B. A list of applications in use
E. Verification of encrypted data transfers
A CASB (Cloud Access Security Broker) can be used to apply security
policies to cloud-based implementations. Two common functions of a
CASB are visibility into application use and data security policy use. Other
common CASB functions are the verification of compliance with formal
standards and the monitoring and identification of threats.
The incorrect answers:
A. List of all internal Windows devices that have not installed the latest
security patches
A CASB focuses on policies associated with cloud-based services and not
internal devices.
C. Centralized log storage facility
Using Syslog to centralize log storage is most commonly associated with a
SIEM (Security Information and Event Manager).
D. List of network outages for the previous month
A network availability report would be outside the scope of a CASB.
F. VPN connectivity for remote users
VPN concentrators are commonly used to provide security connectivity
for remote users.
What kind of security control is associated with a login banner? ❍ A. Preventive ❍ B. Deterrent ❍ C. Corrective ❍ D. Detective ❍ E. Compensating ❍ F. Physical
The Answer: B. Deterrent
A deterrent control does not directly stop an attack, but it may discourage
an action.
The incorrect answers:
A. Preventive
A preventive control physically limits access to a device or area.
C. Corrective
A corrective control can actively work to mitigate any damage.
D. Detective
A detective control may not prevent access, but it can identify and record
any intrusion attempts.
E. Compensating
A compensating security control doesn’t prevent an attack, but it does
restore from an attack using other means.
F. Physical
A physical control is real-world security, such as a fence or door lock.
A security team has been provided with a non-credentialed vulnerability
scan report created by a third-party. Which of the following would they
expect to see on this report?
❍ A. A summary of all files with invalid group assignments
❍ B. A list of all unpatched operating system files
❍ C. The version of web server software in use
❍ D. A list of local user accounts
The Answer: C. The version of web server software in use
A scanner like Nmap can query services and determine version numbers
without any special rights or permissions, which makes it well suited for
non-credentialed scans.
The incorrect answers:
A. A summary of all files with invalid group assignments
Viewing file permissions and rights requires authentication to the
operating system, so you would not expect to see this information if the
scan did not have credentials.
B. A list of all unpatched operating system files
Viewing detailed information about the operating system files requires
authentication to the OS, and an uncredentialed scan does not have those
permissions.
D. A list of local user accounts
Local user accounts are usually protected by the operating system, so you
would need to have credentials to view this information.
A file server has a full backup performed each Monday at 1 AM.
Incremental backups are performed at 1 AM on Tuesday, Wednesday,
Thursday, and Friday. The system administrator needs to perform a full
recovery of the file server on Thursday afternoon. How many backup sets
would be required to complete the recovery?
❍ A. 2
❍ B. 3
❍ C. 4
❍ D. 1
The Answer: C. 4
Each incremental backup will archive all of the files that have changed
since the last full or incremental backup. To complete this full restore, the
administrator will need the full backup from Monday and the incremental
backups from Tuesday, Wednesday, and Thursday.
The incorrect answers:
A. 2
If the daily backup was differential, the administrator would only need the
full backup and the differential backup from Thursday.
B. 3
Since the incremental backup only archives files that have changed, he will
need all three daily incremental backups as well as Monday’s full backup.
D. 1
To recover incremental backups, you’ll need the full backup and all
incremental backups since the full backup.
A security engineer runs a monthly vulnerability scan. The scan doesn’t
list any vulnerabilities for Windows servers, but a significant vulnerability
was announced last week and none of the servers are patched yet. Which
of the following best describes this result?
❍ A. Exploit
❍ B. Credentialed
❍ C. Zero-day attack
❍ D. False negative
The Answer: D. False negative
A false negative is a result that fails to detect an issue when one
actually exists.
The incorrect answers:
A. Exploit
An exploit is an attack against a vulnerability. Vulnerability scans do not
commonly attempt to exploit the vulnerabilities that they identify.
B. Credentialed
A credentialed scan would authenticate to the operating system and have
access to files that would normally only be available to authorized users.
C. Zero-day attack
A zero-day attack focuses on previously unknown vulnerabilities. In this
example, the vulnerability scan isn’t an attack, and the vulnerabilities are
already known and patches are available.