Exam 5 Flashcards

1
Q

Which of the following security policies could help detect fraudulent cases that occur even when other security controls are already in place?

least privilege
separation of duties
mandatory vacations
dual control

A

Mandatory vacation policies require employees to take time away from their job and help to detect fraud or malicious activities. Separation of duties, least privilege, and dual control are preventive controls; even with all of them in place, an employee could still collude with others to conduct fraud. Mandatory vacations are a detective control: while the employee is away, someone else performs their duties and is likely to notice irregularities, which is why this policy can surface fraud that the other controls missed.

2
Q

Which of the following is considered a form of regulated data?

AUP
DMCA
DRM
PII

A

The four categories of regulated data covered by the exam are PII (Personally Identifiable Information), PCI (cardholder data regulated by the PCI DSS), data protected under the GDPR (General Data Protection Regulation), and PHI (Protected Health Information). Personally identifiable information (PII) is data that can be used to identify, contact, or locate an individual. Social security number (SSN), name, date of birth, email address, telephone number, street address, and biometric data are all considered PII. The other options are not data types: an AUP is an acceptable use policy, the DMCA is a copyright law, and DRM is a technology for restricting the use of copyrighted content.

3
Q

Dion Training wants to implement technology within their corporate network to BEST mitigate the risk that a zero-day virus might infect their workstations. Which of the following should be implemented FIRST?

anti-malware solution
intrusion detection system
application allow list
host-based firewall

A

An application allow list only permits a program to execute if it is explicitly on the approved list; every other program is blocked from running, including malware for which no signature yet exists. That makes it the BEST mitigation against a zero-day virus. (Its main limitation is that it does not stop malicious code that runs inside an allowed program, such as a macro or a script fed to an approved interpreter, so it should be combined with the other controls rather than replace them.)
An intrusion detection system might detect the anomalous activity created by a piece of malware, but it only logs or alerts on that activity; it does not prevent it. A host-based firewall may stop malware from establishing a network connection to a remote server, but it does not prevent the infection or stop the malware from executing. An anti-malware solution is a good investment towards improving your security, but since the threat is a zero-day virus, a signature-based anti-malware solution will not detect it.

4
Q

Ted, a file server administrator at Dion Training, has noticed that many sensitive files have been transferred from a corporate workstation to an IP address outside of the local area network. Ted looks up the IP address and determines that it is located in a foreign country. Ted contacts his company’s security analyst, verifying that the workstation’s anti-malware solution is up-to-date and the network’s firewall is properly configured. What type of attack most likely occurred to allow the exfiltration of the files from the workstation?

mac spoofing
session hijacking
impersonation
zero-day

A

Since the firewall is properly configured and the anti-malware solution is up-to-date, the most likely explanation is that a zero-day vulnerability was exploited. A zero-day vulnerability is a hole in software that is unknown to the vendor, so no patch or virus definition has been released yet. Attackers exploit the hole before the vendor becomes aware of it and hurries to fix it; an attack that does so is called a zero-day attack. Zero-day attacks include implanting malware or spyware and gaining unwanted access to user information. MAC spoofing changes a network interface's hardware address so a device can pose as another device on the local segment; more generally, spoofing is disguising a communication from an unknown source as coming from a known, trusted source. Impersonation is the act of pretending to be someone or something else. A session hijacking attack steals or predicts a valid session token to gain unauthorized access to a web server.

5
Q

During a penetration test, you find a hash value related to malware associated with an APT. What best describes what you have found?

botnet
sql injection
indicator of compromise
XSRF

A

An indicator of compromise (IOC) is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Typical IOCs include virus signatures, IP addresses, MD5 (or SHA-256) hashes of malware files, malicious URLs, and the domain names of botnet command and control servers. SQL injection is a code injection technique used to attack data-driven applications: malicious SQL statements are inserted into an entry field for execution, for example to dump the database contents to the attacker. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website in which unauthorized commands are transmitted from a user that the web application trusts. A malicious website can transmit such commands in many ways; specially crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user's interaction or even knowledge. A botnet consists of many Internet-connected devices, each running one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and give the attacker access to the device and its connection.

6
Q

Dion Training uses an authentication protocol to connect a network client to a networked file server by providing its authentication credentials. The file server then uses the authentication credentials to issue an authentication request to the server running this protocol. The server can then exchange authentication messages with the file server on behalf of the client. Throughout this process, a shared secret is used to protect the communication. Which of the following technologies relies upon the shared secret?

RADIUS
PKI
Kerberos
LDAP

A

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol, operating on UDP port 1812 for authentication (1813 for accounting), that provides centralized Authentication, Authorization, and Accounting (AAA or Triple-A) for users who connect to and use a network service. The scenario describes it exactly: a network access server (here the file server) forwards the client's credentials to the RADIUS server, and the two protect their exchange with a shared secret that is never sent on the wire. The User-Password attribute is hidden by XORing it with an MD5 keystream derived from the shared secret and the packet's Request Authenticator, and the server's reply carries a Response Authenticator, an MD5 hash of the reply plus the secret, so the client can confirm the reply came from a holder of the secret. Only the password is hidden; the rest of the packet is cleartext, which is why RADIUS is normally confined to a trusted management network or wrapped in IPsec or TLS (RadSec). Kerberos uses tickets issued by a KDC, PKI relies on certificates, and LDAP is a directory access protocol, so none of them fits the scenario.
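To make the shared-secret mechanism concrete, here is an added example (not part of the original deck, and not any vendor's RADIUS implementation) that implements the RFC 2865 User-Password hiding and Response Authenticator in Python. It also shows the caveat a practitioner should know: the hiding is XOR with an MD5 keystream, so one captured Access-Request with a known password exposes MD5(secret + Request Authenticator), which lets an attacker guess a weak shared secret offline. The secret, password, Request Authenticator, and candidate list below are constructed for the demonstration.

```python
"""RFC 2865 shared-secret protections: User-Password hiding and the
Response Authenticator (added example; all inputs are constructed)."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad the password with NULs to a multiple of 16 bytes, then
    c_1 = p_1 XOR MD5(S + RA) and c_i = p_i XOR MD5(S + c_{i-1})."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: reverse the chain and strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return bytes(plain).rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, request_auth: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The client recomputes this to check the reply came from a holder of the secret."""
    length = 20 + len(attributes)          # 20-byte header plus attributes
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def guess_secret(hidden: bytes, request_auth: bytes, known_password: bytes, candidates):
    """Caveat: hiding is XOR with an MD5 keystream, not encryption.  Given one
    captured Access-Request whose password is known (a test account, say),
    hidden[:16] XOR padded_password[:16] == MD5(secret + RA), so the secret can
    be guessed offline against a wordlist.  Returns the matching candidate or None."""
    keystream = _xor(hidden[:16], (known_password + b"\x00" * 16)[:16])
    for cand in candidates:
        if hashlib.md5(cand + request_auth).digest() == keystream:
            return cand
    return None


if __name__ == "__main__":
    secret = b"s3cret"                 # constructed shared secret (far too weak)
    ra = os.urandom(16)                # Request Authenticator must be unpredictable
    hidden = hide_password(b"hunter2", secret, ra)
    print("hidden User-Password:", hidden.hex())
    print("server recovers:", reveal_password(hidden, secret, ra))
    print("offline guess:", guess_secret(hidden, ra, b"hunter2", [b"radius", b"s3cret"]))
```

Two practical consequences follow from the code: the Request Authenticator must be unpredictable (a repeated value reuses the keystream), and the shared secret must be long and random, because guess_secret shows how cheaply a dictionary word falls once a single packet is captured.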

7
Q

Which of the following types of access control provides the strongest level of protection?

DAC
RBAC
ABAC
MAC

A

Mandatory Access Control (MAC) requires all access to be predefined by the system based on classification, configuration, and authentication; neither users nor resource owners can override it. MAC is commonly used in highly centralized, high-security environments and usually relies on labels, such as the classification level of the data and the clearance of the subject. The other models are less strict: DAC (discretionary) lets the resource owner decide who gets access, RBAC (role-based) grants permissions through roles assigned to users, and ABAC (attribute-based) evaluates attributes of the subject, object, and environment at request time.

8
Q

You are creating a script to filter some logs so that you can detect any suspected malware beaconing. Which of the following is NOT a typical means of identifying a malware beacon’s behavior on the network?

beaconing interval
removal of known traffic
beacon’s persistence
beacon’s protocol

A

The beacon's protocol is not typically a means of identifying a malware beacon. A beacon can be sent over numerous protocols, including ICMP, DNS, HTTP, and many others. Unless you already knew the protocol used by the suspected beacon, filtering beacons by the protocol seen in the logs could lead you to eliminate malicious behavior prematurely. Other factors, such as the beacon's persistence (whether it keeps appearing over time and survives a reboot of the system) and the beacon's interval (how much time elapses between beacons, and how regular that gap is), are much better indicators for fingerprinting a malicious beacon. Removing known traffic in the script also reduces the amount of data the cybersecurity analyst needs to analyze, making the malicious beacon easier to spot without wasting time reviewing non-malicious traffic.

9
Q

Which of the following vulnerabilities is the greatest threat to data confidentiality?

HTTP TRACE/TRACK methods enabled
phpinfo information disclosure vulnerability
SSL Server with SSLv3 enabled vulnerability
Web application SQL injection vulnerability

A

Each vulnerability mentioned poses a significant risk, but the greatest threat comes from the SQL injection. A SQL injection could allow an attacker to read our data directly out of the backend database. Using the same technique, the attacker could also alter the data and write it back without anyone noticing what had been changed, thereby affecting our data integrity as well. The HTTP TRACE/TRACK methods are normally used to echo the full HTTP request back to the requesting client for proxy-debugging purposes; when enabled, they can let an attacker read sensitive information in the HTTP headers (such as cookies, via cross-site tracing). Since this only exposes information in the headers, the risk to our system's data confidentiality is limited. An SSL server with SSLv3 enabled is not ideal, since SSLv3 is a deprecated protocol version with known weaknesses, but it still provides some confidentiality. The phpinfo information disclosure vulnerability prints out detailed information about both the system and the PHP configuration. That information helps an attacker plan further attacks, but by itself it discloses nothing about the data stored within the system, so it is not a great threat to our data's confidentiality.
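To show why the SQL injection outranks the other findings for confidentiality, here is an added example (not part of the original deck) that runs a vulnerable lookup and its parameterized replacement against an in-memory SQLite table. The table, its rows, and the two payloads are constructed for the demonstration; the second payload reads the schema catalogue, data the application never meant to expose at all.

```python
"""Why SQL injection tops the list: direct reads of backend data (added example)."""
import sqlite3

# Constructed data standing in for a real student-records table.
STUDENTS = [
    ("ann@example.com", "***-**-0001"),
    ("bob@example.com", "***-**-0002"),
    ("cyd@example.com", "***-**-0003"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, email TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO students (email, ssn) VALUES (?, ?)", STUDENTS)
    return conn


def lookup_vulnerable(conn, email: str):
    """Attacker-controlled input is spliced into the statement text, so it can
    change the statement's structure, not just its values."""
    query = f"SELECT email, ssn FROM students WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, email: str):
    """Parameterized: the driver binds the value separately from the SQL, so the
    same payloads are compared literally against the email column and match nothing."""
    return conn.execute(
        "SELECT email, ssn FROM students WHERE email = ?", (email,)
    ).fetchall()


# Two classic payloads: a tautology that dumps every row, and a UNION that reads
# the schema catalogue (table names and CREATE statements) through the same query.
TAUTOLOGY = "' OR '1'='1"
UNION_SCHEMA = "' UNION SELECT name, sql FROM sqlite_master --"


def demo():
    conn = make_db()
    return {
        "vuln_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "vuln_union": lookup_vulnerable(conn, UNION_SCHEMA),
        "safe_tautology": lookup_safe(conn, TAUTOLOGY),
        "safe_union": lookup_safe(conn, UNION_SCHEMA),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s)")
        for row in rows:
            print("   ", row)
```

The vulnerable lookup returns every student's record for the tautology and the table definition for the UNION payload; the parameterized lookup returns nothing for either, which is the whole point of binding values instead of concatenating them.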

10
Q

What tool can be used to scan a network to perform vulnerability checks and compliance auditing?

Nessus
Nmap
Metasploit
BeEF

A

Nessus is a popular vulnerability scanner. It checks how vulnerable your network is by using various plugins to test for known vulnerabilities, and it can also perform compliance auditing, such as internal and external PCI DSS audit scans. Nmap is primarily a port scanner with service and OS detection; its NSE scripts can run some vulnerability checks, but it is not a vulnerability management or compliance auditing tool. The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. BeEF (the Browser Exploitation Framework) is a penetration testing tool that focuses on the web browser.

11
Q

You have been asked to provide some training to Dion Training’s system administrators about the importance of proper patching of a system before deployment. To demonstrate the effects of deploying a new system without patching it first, you ask the system administrators to provide you with an image of a brand-new server they plan to deploy. How should you deploy the image to demonstrate the vulnerabilities exposed while maintaining the security of the corporate network?

  • Deploy the vulnerable image to a virtual machine on a physical server, create an ACL to restrict all incoming connections to the system, then scan it for all vulnerabilities
  • Deploy the image to a brand new physical server, connect it to the corporate network, then conduct a vulnerability scan to demonstrate many vulnerabilities are now on the network
  • deploy the system image within a virtual machine, ensure it is in an isolated sandbox environment, scan for vulnerabilities
  • utilize a server with multiple virtual machine snapshots installed to it, restore from a known compromised image, then scan it for vulnerabilities
A

To protect the corporate network, any vulnerable image you deploy should run inside a sandboxed, isolated virtual environment. That way an outside attacker cannot reach and exploit its vulnerabilities, while you can still scan it and use the findings to demonstrate how important patching is to the security of the server. Deploying the unpatched image on the corporate network exposes the network to those vulnerabilities, an ACL on a production server is not isolation, and restoring a known compromised image demonstrates compromise rather than missing patches.

12
Q

Dion Training performed an assessment as part of its disaster recovery planning. The assessment found that the organization can only tolerate a maximum of 60 minutes worth of data loss in the event of a disaster. Therefore, the organization has implemented a system of database snapshots that are backed up every hour. Which of the following metrics would best represent this timeframe?

MTBF
RTO
RPO
MTTR

A

Recovery point objective (RPO) is the maximum amount of data loss, measured in time, that the organization can tolerate following a disruptive event such as a cyberattack, natural disaster, or communications failure. It is about how much data you can afford to lose before business operations are affected, and it drives backup frequency: a 60-minute RPO means backups must be taken at least hourly, as in this scenario. For example, if Dion Training suffered 1 hour of data loss, any student progress within the last hour would be gone once the organization restored a server from its most recent good backup. Recovery time objective (RTO) is the related but different metric: the time within which operations must be restored after the event. MTBF (mean time between failures) and MTTR (mean time to repair) are reliability metrics, not data-loss targets.

13
Q

Which of the following is NOT considered part of the Internet of Things?

Smart television
SCADA
ICS
Laptop

A

laptop
Supervisory control and data acquisition (SCADA) systems, industrial control systems (ICS), internet-connected televisions, thermostats, and many other embedded devices are examples of the Internet of Things (IoT). A laptop is better classified as a general-purpose computer or host than as part of the Internet of Things. The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines provided with unique identifiers (UIDs), and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.

14
Q

You are in the recovery steps of an incident response. Throughout the incident, your team never successfully determined the root cause of the network compromise. Which of the following options would you LEAST likely perform as part of your recovery and remediation actions?

  • restrict host access to peripheral protocols like USB/Bluetooth
  • proactively sanitize and reimage all of your routers and switches
  • review and enhance patch management policies
  • disable unused user accounts
A

proactively sanitize and reimage all of your routers and switches

Since your team could not determine the root cause of the compromise, recovery and remediation should focus on system and network hardening. Of the options, proactively sanitizing and reimaging every router and switch is the only one that is not a hardening action. It is a large, disruptive undertaking, and without evidence that the network devices were involved it would cost a great deal of time and money while doing nothing to close whatever path the attacker actually used. Increased monitoring of those devices, to confirm they are not compromised, is the better response. Restricting peripheral protocols, tightening patch management, and disabling unused accounts are standard hardening practices that reduce the chance of a repeat compromise.

15
Q

Which command would be used to display the network address and subnet mask for the wired network connection on a Linux system?

netstat
nslookup
ipconfig
ip

A

The ip command (for example, ip addr show) displays the configuration of a Linux system's network interfaces, including each IP address with its prefix length (the subnet mask in CIDR notation) and the MAC address; it replaces the older, deprecated ifconfig. The nslookup command queries and troubleshoots DNS records. The netstat command displays network statistics, connections, and listening ports. The ipconfig tool displays the current TCP/IP network configuration on a Windows system.

16
Q

A cybersecurity analyst has received an alert that sensors continuously observe well-known call home messages at their network boundary. Still, the organization’s proxy firewall is properly configured to successfully drop the messages before leaving the network. Which of the following is MOST likely the cause of the call home messages being sent?

  • malicious insider is trying to exfiltrate info to a remote network
  • malware is running on a company workstation/server
  • attacker is performing reconnaissance of the organization’s workstations
  • an infected workstation is attempting to reach a command and control server
A

-an infected workstation is attempting to reach a command and control server
A call home message is an indicator of compromise known as beaconing. Beaconing usually begins after a stage 1 malware program has been implanted on an organization's workstation or server: the infected system periodically tries to reach the attacker's command and control (C2) server, and keeps doing so until it is found and cleaned or the C2 channel delivers further instructions (such as to attack). "Malware is running on a company workstation or server" is not the best answer because the scenario gives no positive verification of that, and a beacon does not have to be malware; it can be something as simple as a single ping packet or DNS request sent every day at a fixed time by the Windows task scheduler. Be careful on the exam to answer the question being asked and choose the most accurate answer. Since the call home signal originates inside the network and tries to connect outward to an external server, it cannot be evidence of an attacker performing reconnaissance of your workstations. Nothing in the question indicates an insider exfiltrating data either; a call home message is typically tiny, nowhere near the volume needed to exfiltrate files.
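The beacon characteristics described in card 8 (interval, persistence, removal of known traffic, and why protocol is a poor filter) and the call home alert in this card can be turned into a small detection script. The following Python is an added example written for this deck, not code from the original deck or from any vendor tool; the log lines, hosts, and KNOWN_DESTINATIONS allow list are constructed for the demonstration.

```python
"""Beacon detection over a constructed connection log: remove known traffic, then
score each (src, dst) pair by persistence and interval regularity.  The protocol
column is deliberately not used as a filter (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: "timestamp src dst proto".  10.0.0.23 contacts an attacker host
# every ~60 s (switching between DNS and ICMP), browses 198.51.100.4 irregularly,
# and polls an internal update server 10.0.0.5 every 60 s.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.23 203.0.113.7 dns
2024-05-01T10:00:05 10.0.0.23 198.51.100.4 http
2024-05-01T10:00:07 10.0.0.23 198.51.100.4 http
2024-05-01T10:00:30 10.0.0.23 10.0.0.5 http
2024-05-01T10:01:00 10.0.0.23 203.0.113.7 dns
2024-05-01T10:01:30 10.0.0.23 10.0.0.5 http
2024-05-01T10:02:01 10.0.0.23 203.0.113.7 icmp
2024-05-01T10:02:30 10.0.0.23 10.0.0.5 http
2024-05-01T10:02:59 10.0.0.23 203.0.113.7 icmp
2024-05-01T10:03:30 10.0.0.23 10.0.0.5 http
2024-05-01T10:03:40 10.0.0.23 198.51.100.4 http
2024-05-01T10:03:41 10.0.0.23 198.51.100.4 http
2024-05-01T10:04:00 10.0.0.23 203.0.113.7 dns
2024-05-01T10:04:30 10.0.0.23 10.0.0.5 http
2024-05-01T10:05:00 10.0.0.23 203.0.113.7 icmp
2024-05-01T10:05:30 10.0.0.23 10.0.0.5 http
2024-05-01T10:09:00 10.0.0.23 198.51.100.4 http
2024-05-01T10:09:30 10.0.0.23 198.51.100.4 http
"""

# Hypothetical allow list of destinations whose regular traffic is expected.
KNOWN_DESTINATIONS = {"10.0.0.5"}


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, proto))
    return events


def remove_known(events, known):
    """'Removal of known traffic': drop flows to destinations we already expect."""
    return [e for e in events if e[2] not in known]


def intervals_by_pair(events):
    """Group by (src, dst) only.  Protocol is ignored, so a beacon that hops from
    DNS to ICMP still accumulates under one key instead of being split or dropped."""
    times = defaultdict(list)
    for ts, src, dst, _proto in sorted(events):
        times[(src, dst)].append(ts)
    return {pair: [(b - a).total_seconds() for a, b in zip(t, t[1:])]
            for pair, t in times.items() if len(t) > 1}


def score_beacons(intervals, min_events=5, max_jitter=0.15):
    """Persistence: at least `min_events` contacts.  Regularity: coefficient of
    variation (stdev / mean) of the gaps at or below `max_jitter`."""
    hits = {}
    for pair, gaps in intervals.items():
        if len(gaps) + 1 < min_events:
            continue
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits[pair] = {"count": len(gaps) + 1,
                          "interval_s": round(avg, 1),
                          "jitter": round(jitter, 3)}
    return hits


def find_beacons(text, known=KNOWN_DESTINATIONS, **thresholds):
    events = remove_known(parse_log(text), known)
    return score_beacons(intervals_by_pair(events), **thresholds)


if __name__ == "__main__":
    for pair, info in find_beacons(SAMPLE_LOG).items():
        print(pair, info)
```

Run against the sample, the script flags only 10.0.0.23 to 203.0.113.7 (six contacts about 60 s apart with under 2% jitter) even though that traffic alternates between DNS and ICMP; the irregular web browsing fails the regularity test, and the internal update polling, which is just as regular as the beacon, disappears only because the allow list removed it first. Real beacons add random sleep jitter, so in practice max_jitter is tuned upward and combined with other signals such as destination reputation.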

17
Q

A recent vulnerability scan found several vulnerabilities on an organization’s public-facing IP addresses. To reduce the risk of a breach, which of the following vulnerabilities should be prioritized for remediation?

  • website utilizing a self signed SSL certificate
  • buffer overflow that is known to allow remote code execution
  • An HTTP response that reveals an internal IP address
  • a cryptographically weak encryption cipher
A
  • buffer overflow that is known to allow remote code execution
    The most serious vulnerability discovered is the one that could allow remote code execution. Since this buffer overflow is known to allow remote code execution, it must be remediated first to most effectively prevent a security breach. The other issues should be addressed eventually, but you need to prioritize the most critical one (remote code execution) on a public-facing IP address. A public-facing IP address means the device is reachable from the internet, so anyone can attempt the exploit.
18
Q

You are analyzing the logs of a forensic analyst’s workstation and see the following:
root@DionTraining:/home# dd if=/dev/sdc of=/dev/sdb bs=1M count=1000

What does the bs=1M signify ?

  • Sets the block size
  • Sets the beginning sector
  • sends output to a blank sector
  • removes error messages and other incorrect data
A
  • Sets the block size

The dd command is used in forensic data acquisition to create a bit-by-bit copy of a drive. The bs operator sets the block size (here 1 MiB) and count sets how many blocks to copy, so this particular command copies only the first 1000 MiB of /dev/sdc; without count it would copy the whole device. Note also that of=/dev/sdb writes directly onto a second block device, overwriting whatever it held, whereas an evidence acquisition would more typically write to an image file (of=/path/to/image.dd), add conv=noerror,sync so a read error does not abort or shift the copy, and hash both the source and the image afterwards to prove integrity. This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulleted lists. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

19
Q

Which type of authentication method is commonly used with physical access control systems and relies upon RFID devices embedded into a token?

HOTP
TOTP
Smart Cards
Proximity Cards

A

A proximity card is a contactless card that usually uses RFID to communicate with the reader of a physical access control system. These are commonly used to access secured rooms (such as server rooms) or a building itself (such as at an access control vestibule). Some smart cards include a proximity function as well, but the best answer here is proximity cards, since that contactless RFID function is exactly what the scenario requires. An HMAC-based one-time password (HOTP) is a one-time password algorithm built on hash-based message authentication codes and an incrementing counter shared by token and server. A time-based one-time password (TOTP) replaces the counter with the current time, so each code is valid only for a short window.

20
Q

What sanitization technique uses only logical techniques to remove data, such as overwriting a hard drive with a random series of ones and zeroes?

purge
clear
destroy
degauss

A

Clear applies logical techniques to sanitize data in all user-addressable storage locations, protecting against simple, non-invasive data recovery techniques. Clearing involves overwriting data once (seldom more than three times) with a repetitive or random pattern, or resetting a device to factory settings. Purging is meant to prevent information from being feasibly recovered even in a laboratory environment. Destroy requires physical destruction of the media, such as pulverization, melting, incineration, or disintegration. Degaussing decreases or eliminates a remnant magnetic field and is an effective sanitization method for magnetic media such as hard drives and floppy disks, but it does nothing to flash storage. A practical caveat: overwriting is reliable for magnetic disks, but on SSDs and USB flash drives wear-leveling can leave copies of data in blocks the host cannot address, so NIST SP 800-88 points to the drive's built-in secure erase or cryptographic erase (purge-level techniques) instead.

21
Q

You are the first forensic analyst to arrive on the scene of a data breach. You have been asked to begin evidence collection on the server while waiting for the rest of your team to arrive. Which of the following evidence should you capture first?

ARP cache
L3 cache
Image of the server’s SSD
Backup tapes

A

L3 cache
When collecting evidence, always follow the order of volatility: collect the most volatile evidence (most likely to change) first and the least volatile (least likely to change) last. Begin with the CPU registers and cache memory (L1/L2/L3/GPU). Next come the contents of system memory (RAM), which include the routing table, ARP cache, process table, kernel statistics, and temporary file systems, swap space, and virtual memory. Then move on to data storage devices such as hard drives, SSDs, and flash memory. Finally, collect the least volatile data: backup tapes, external media (hard drives, DVDs, etc.), and even configuration data or network diagrams. For this question, that ordering puts the L3 cache first, the ARP cache (held in RAM) second, the SSD image third, and the backup tapes last.

22
Q

Which of the following identity and access management controls relies upon using a certificate-based authentication mechanism?

proximity card
TOTP
HOTP
smart card

A

Smart cards, PIV, and CAC devices are used as identity and access management controls. These devices contain a digital certificate and its private key embedded in the card, which is presented to the system when the card is inserted into a smart card reader. When combined with a PIN, the smart card provides multi-factor authentication (something you have plus something you know): the PIN unlocks the card and allows the certificate to be used for authentication, while the private key never leaves the card.

23
Q

What type of malware is designed to be difficult for malware analysts to reverse engineer?

trojan
armored virus
logic bomb
rootkit

A

Armored viruses are a type of virus that uses various techniques to resist reverse engineering by malware analysts, such as changing its code during execution, obfuscating its logic, and encrypting its payloads. A trojan disguises itself as legitimate software, a logic bomb lies dormant until a trigger condition is met, and a rootkit hides its presence on a compromised system; none of these is defined by resistance to analysis.

24
Q

Which authentication mechanism does 802.1x usually rely upon?

HOTP
RSA
TOTP
EAP

A

EAP
The IEEE 802.1X Port-based Network Access Control framework establishes several ways for devices and users to be securely authenticated before they are permitted full network access. The actual authentication mechanism is some variant of the Extensible Authentication Protocol (EAP), carried between the supplicant and the authenticator (switch or wireless access point) and relayed to an authentication server, typically RADIUS. EAP supports many authentication methods; the common enterprise ones (EAP-TLS, PEAP, EAP-TTLS) use a digital certificate on the server and/or client machines to establish a trust relationship and create a secure TLS tunnel in which the user authentication credential is transmitted. HOTP and TOTP are one-time password algorithms and RSA is an asymmetric cipher; any of them could serve as a credential inside an EAP method, but none is the mechanism 802.1X itself relies upon.