Exam 3 Flashcards
Which of the following does a User-Agent request a resource from when conducting a SAML transaction?
Service Provider (SP) Single sign-on (SSO) Relying Party (RP) Identity Provider (IdP)
Service Provider
Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal’s User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal’s credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.
An internet marketing company decided that they didn’t want to follow the rules for GDPR because it would create too much work for them. They wanted to buy insurance, but no insurance company would write them a policy to cover any fines received. They considered how much the fines might be and decided to ignore the regulation and its requirements. Which of the following risk strategies did the company choose?
Transference
Acceptance
Avoidance
Mitigation
Acceptance
The internet marketing company initially tried to transfer the risk (buy insurance) but then decided to accept the risk. To avoid the risk, the company would have changed how it did business or would prevent European customers from signing up on their mailing list using geolocation blocks.
You are in the recovery steps of an incident response. Your analysis revealed that the attacker exploited an unpatched vulnerability on a public-facing web server as the initial intrusion vector in this incident. Which of the following mitigations should be implemented first during the recovery?
- restrict shell commands by user or host to ensure least privilege is followed
- restrict host access to peripheral protocols like USB and bluetooth
- disable unused user accnt and reset the admin creds
- scan the network for additional instances of this vulnerability and patch the affected assets
- scan the network for additional instances of this vulnerability and patch the affected assets
All of the options listed are the best security practices to implement before and after a detected intrusion, but scanning for additional instances of this vulnerability should be performed first. Often, an enterprise network uses the same baseline configuration for all servers and workstations. Therefore, if a vulnerability is exploited on one device (such as an insecure configuration), that same vulnerability could exist on many other assets across the network. During your recovery, you must identify if any other network systems share the same vulnerability and mitigate them. If you don’t, the attacker could quickly reinfect your network by simply attacking another machine using the same techniques used during this intrusion. The other options listed are all examples of additional device hardening that should be conducted during recovery after you have identified the exploited vulnerability across the rest of the network.
Which of the following categories would contain information about a French citizen’s race or ethnic origin?
SPI
PII
DLP
PHI
SPI
According to the GDPR, information about an individual’s race or ethnic origin is classified as Sensitive Personal Information (SPI). Sensitive personal information (SPI) is information about a subject’s opinions, beliefs, and nature afforded specially protected status by privacy legislation. As it cannot be used to identify somebody or make any relevant assertions about health uniquely, it is neither PII nor PHI. Data loss prevention (DLP) is a software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.
Which of the following would a virtual private cloud (VPC) infrastructure be classified as?
IaaS
SaaS
PaaS
FaaS
IaaS
Infrastructure as a Service (IaaS) is a computing method that uses the cloud to provide any or all infrastructure needs. In a VPC environment, an organization may provision virtual servers in a cloud-hosted network. The service consumer is still responsible for maintaining the IP address space and routing internally to the cloud. Platform as a Service (PaaS) is a computing method that uses the cloud to provide any platform-type services. Software as a Service (SaaS) is a computing method that uses the cloud to provide users with application services. Function as a Service (FaaS) is a cloud service model that supports serverless software architecture by provisioning runtime containers to execute code in a particular programming language.
What is FM-200?
FM-200 is a fire extinguishing system commonly used in data centers and server rooms to protect the servers from fire.
An independent cybersecurity researcher has contacted your company to prove a buffer overflow vulnerability exists in one of your applications. Which technique would have been most likely to identify this vulnerability in your application during development?
static code analysis
pair programming
dynamic code analysis
manual peer review
Static code analysis
: Buffer overflows are most easily detected by conducting a static code analysis. Manual peer review or pair programming methodologies might have been able to detect the vulnerability. Still, they do not have the same level of success as a static code analysis using proper tools. DevSecOps methodology would also improve the likelihood of detecting such an error but still rely on human-to-human interactions and human understanding of source code to detect the fault. Dynamic code analysis also may have detected this if the test found exactly the right condition. Still, again, a static code analysis tool is designed to find buffer overflows more effectively.
The digital certificate on the Dion Training web server is about to expire. Which of the following should Jason submit to the CA to renew the server’s certificate?
CRL
Key escrow
CSR
OCSP
CSR A CSR (certificate signing request) is what is submitted to the CA (certificate authority) to request a digital certificate. Key escrow stores keys, CRL is a list of revoked certificates, and the OCSP is a status of certificates that provides validity such as good, revoked, or unknown.
Which type of media sanitization would you classify degaussing as?
Erasing
Destruction
Purging
Clearing
Purging
Degaussing is classified as a form of purging. Purging eliminates information from being feasibly recovered even in a laboratory environment. Purging includes degaussing, encryption of the data with the destruction of its encryption key, and other non-destructive techniques. Some generic magnetic storage devices can be reused after the degaussing process has finished, such as VHS tapes and some older backup tapes. For this reason, though, the technique of degaussing is classified as purging and not destruction, even though hard drives are rendered unusable after being degaussed. Clearing data prevents data from being retrieved without the use of state-of-the-art laboratory techniques. Clearing often involves overwriting data one or more times with repetitive or randomized data. Destroying data is designed not merely to render the information unrecoverable but also to hinder any reuse of the media itself. Destruction is a physical process that may involve shredding media to pieces, disintegrating it into parts, pulverizing it to powder, or incinerating it to ash. Erasing or deleting is considered a normal operation of a computer, which erases the data file’s pointer on a storage device. Erasing and deleting are easily reversed, and the data can be recovered with commercially available or open-source tools.
During which incident response phase is the preservation of evidence performed?
containment, eradication, recovery
post incident activity
preparation
detection and analysis
containment, eradication, recovery
A cybersecurity analyst must preserve evidence during the containment, eradication, and recovery phase. They must preserve forensic and incident information for future needs, prevent future attacks or bring up an attacker on criminal charges. Restoration and recovery are often prioritized over analysis by business operations personnel, but taking time to create a forensic image is crucial to preserve the evidence for further analysis and investigation. During the preparation phase, the incident response team conducts training, prepares their incident response kits, and researches threats and intelligence. During the detection and analysis phase, an organization focuses on monitoring and detecting any possible malicious events or attacks. During the post-incident activity phase, the organization conducts after-action reports, creates lessons learned, and conducts follow-up actions to better prevent another incident from occurring.
You want to create a website for your new technical support business. You decide to purchase an on-demand cloud-based server and install Linux, Apache, and WordPress on it to run your website. Which of the following best describes which type of service you have just purchased?
SaaS
DaaS
PaaS
IaaS
Infrastructure as a Service (Iaas) is focused on moving your servers and computers into the cloud. If you purchase a server in the cloud and then install and manage the operating system and software on it, this is Iaas. Platform as a Service (PaaS) is a cloud computing service that enables consumers to rent fully configured systems that are set up for specific purposes. Software as a Service (SaaS) is ca loud computing service that enables a service provider to make applications available over the Internet to end-users. This can be a calendar, scheduling, invoicing, word processor, database, or other programs. For example, Google Docs and Office 365 are both word processing SaaS solutions. Desktop as a Service (DaaS) provides a full virtualized desktop environment from within a cloud-based service. This is also known as VDI (Virtualized Desktop Infrastructure) and is coming in large enterprise businesses focused on increasing their security and minimizing their operational expenses.
What containment technique is the strongest possible response to an incident?
segmentation
isolating the attacker
enumeration
isolating affected systems
isolating affected systems
Isolation involves removing an affected component from whatever larger environment it is a part of. This can be everything from removing a server from the network after it has been the target of a DoS attack, placing an application in a sandbox virtual machine (VM) outside of the host environments it usually runs on. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. Segmentation uses VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from communicating outside the protected segment. Removal is not an industry term used but would be a synonym for isolation. Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system. Isolating the attacker would only stop their direct two-way communication and control of the affected system. However, it would not be the strongest possible response since there could be malicious code still running on your victimized machine.
Which of the following proprietary tools is used to create forensic disk images without making changes to the original evidence?
dd
Autopsy
Memdump
FTK Imager
FTK Imager can create perfect copies or forensic images of computer data without making changes to the original evidence. The forensic image is identical in every way to the original, including copying the slack, unallocated, and free space on a given drive. The dd tool can also create forensic images, but it is not a proprietary tool since it is open-source. Memdump is used to collect the content within RAM on a given host. Autopsy is a cross-platform, open-source forensic tool suite.
A macOS user is browsing the internet in Google Chrome when they see a notification that says, “Windows Enterprise Defender: Your computer is infected with a virus, please click here to remove it!” What type of threat is this user experiencing?
pharming
rogue anti-virus
worm
phishing
Rogue anti-virus is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and to pay money for a fake malware removal tool (that actually introduces malware to the computer). It is a form of scareware that manipulates users through fear and a form of ransomware. Since the alert is being displayed on a macOS system but appears to be meant for a Windows system, it is obviously a scam or fake alert and most likely a rogue anti-virus attempting to infect the system. Phishing is an email-based social engineering attack in which the attacker sends an email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim. Phishing attacks target an indiscriminate large group of random people. A worm is a standalone malware computer program that replicates itself to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. A worm can spread on its own, whereas a virus needs a host program or user interaction to propagate itself. Pharming is a type of social engineering attack that redirects a request for a website, typically an e-commerce site, to a similar-looking, but fake, website. The attacker uses DNS spoofing to redirect the user to the fake site.
What is the lowest layer (bottom layer) of a bare-metal virtualization environment?
physical hardware
host operating system
guest operating system
hypervisor
physical hardware
The bottom layer is physical hardware in this environment. It is what sits beneath the hypervisor and controls access to guest operating systems. The bare-metal approach doesn’t have a host operating system. A hypervisor is a program used to run and manage one or more virtual machines on a computer. A host operating system is an operating system that is running the hypervisor.