Exam 6 Flashcards

1
Q

You have been hired as a consultant by Dion Training to review their current disaster recovery plans. The CEO has requested that the plans ensure that the company can limit downtime in the event of a disaster. Still, due to staffing concerns, he cannot approve the budget to implement or maintain a fully redundant offsite location to ensure 99.999% availability. Based on that limitation, what should you recommend to the CEO?

  • Retain their backups in their office building but install redundant services in a collocated data center within a different company
  • Retain all hardware at their office building but ship their backups to an offsite facility for storage
  • Install a set of redundant servers to another part of the company’s office building
  • Maintain redundant hardware at the offsite location, configured to be ready for the recovery of the company’s backup data when needed
A

Maintain redundant hardware at the offsite location, configured to be ready for the recovery of the company’s backup data when needed

A warm site provides some of a hot site’s capabilities, but it requires the customer to do more work to become operational. Warm sites provide computer systems and compatible media capabilities. If a warm site is used, administrators and other staff will need to install and configure systems to resume operations. For most organizations, a warm site could be a remote office, a leased facility, or another organization with which yours has a reciprocal agreement. By placing your redundant hardware at the offsite location and configuring it to be ready for recovery when needed, the company can have a higher availability level than a cold site but not have the full personnel costs involved with a hot site. A hot site would ensure that the offsite location has all the hardware, equipment, personnel, and data installed and ready to provide services at all times. Maintaining a hot site is much more expensive than a warm site. It is not recommended that your redundant servers are located within the same building since a fire, flood, or other disaster could destroy your primary and redundant capabilities. Retaining the hardware at the office building but shipping the backups offsite is more in line with a cold site description. This would also not provide high availability levels since the systems would need to be set up, configured, and made ready for use.

2
Q

Which of the following type of threats did the Stuxnet attack rely on to cross an air gap between a business and an industrial control system network?

  • cross site scripting
  • removable media
  • directory traversal
  • session hijacking

A

removable media

Air gaps are designed to remove connections between two networks to create a physical segmentation between them. The only way to cross an air gap is to have a physical device between these systems, such as using a removable media device to transfer files between them. A directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server’s root directory. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server. A directory traversal, cross-site scripting, or session hijacking attack cannot by itself cross an air gap.

3
Q

What technology is NOT PKI X.509 compliant and cannot be used in various secure functions?

  • PKCS
  • AES
  • SSL/TLS
  • Blowfish

A

Blowfish
AES, PKCS, and SSL/TLS are all compatible with X.509 and can be used in a wide variety of functions and purposes. AES is used for symmetric encryption. PKCS is used as a digital signature algorithm. SSL/TLS is used for secure key exchange.

4
Q

A web developer wants to protect their new web application from an on-path attack. Which of the following controls would best prevent an attacker from stealing tokens stored in cookies?

  • hashing the cookie value
  • setting the secure attribute on the cookie
  • forcing the use of TLS for the web application
  • forcing the use of SSL for the web application
A

setting the secure attribute on the cookie

When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if transmitted over a secure channel (typically HTTPS). Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie’s confidentiality. Forcing the web application to use TLS or SSL does not force the cookie to be sent over TLS/SSL, so you still need to set the cookie’s Secure attribute. Hashing the cookie provides the cookie’s integrity, not confidentiality; therefore, it will not solve the issue presented by this question.

5
Q

A supplier needs to connect several laptops to an organization’s network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could contain some vulnerabilities that could weaken the network’s security posture. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier’s laptops?

  • scan the laptops for vulnerabilities and patch them
  • require 2FA on the laptops
  • increase the encryption level of VPN used by the laptops
  • implement a jumpbox system
A

implement a jumpbox system
A jumpbox is a system on a network used to access and manage devices in a separate security zone. This would create network segmentation between the supplier’s laptops and the rest of the network to minimize the risk. A jump-box system is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. While the other options listed are all good security practices, they do not fully mitigate the risk that insecure systems pose since Victor cannot enforce these configurations on a supplier-provided laptop. Instead, he must find a method of segmenting the laptops from the rest of the network, either physically, logically, using an air gap, or using a jumpbox.

6
Q

An attacker has compromised a virtualized server. You are conducting forensic analysis as part of the recovery effort but found that the attacker deleted a virtual machine image as part of their malicious activity. Which of the following challenges do you now have to overcome as part of the recovery and remediation efforts?

  • file formats used by some hypervisors cannot be analyzed with traditional forensic tools
  • the attack widely fragmented the image across the host file system
  • you will need to roll back to an early snapshot and then merge any checkpoints to the main image
  • all log files are stored within the VM disk image, therefore they are lost
A
the attack widely fragmented the image across the host file system

Due to the VM disk image’s deletion, you will now have to conduct file carving or other data recovery techniques to recover and remediate the virtualized server. If the server’s host uses a proprietary file system, such as VMFS on ESXi, this can further limit support by data recovery tools. The attacker may have widely fragmented the image across the host file system when they deleted the disk image. VM instances are most useful when they are elastic (meaning they spin up when needed and are then destroyed without preserving any local data once the task is complete), but this can lead to the loss of system logs. To prevent this, most VMs also save their logs to an external Syslog server or file. Virtual machine file formats are image-based and written to a mass storage device. Depending on the configuration and VM state, security must merge any checkpoints into the main image using a hypervisor tool and then roll forward, rather than recovering from an old snapshot. It is possible to load VM data into a memory analysis tool, such as Volatility. However, some hypervisors’ file formats require conversion first, or the analysis tool may not support them.

7
Q

Your company is adopting a cloud-first architecture model. Management wants to decommission the on-premises SIEM your analysts use and migrate it to the cloud. Which of the following is an issue with using this approach?

  • legal and regulatory issues may prevent data migration to the cloud
  • company will be dependent on cloud provider’s backup capabilities
  • VM escape exploit could allow an attacker to gain access to the SIEM
  • company will have less control over the SIEM
A

legal and regulatory issues may prevent data migration to the cloud
If there are legal or regulatory requirements that require the company to host their security audit data on-premises, then moving to the cloud will not be possible without violating applicable laws. For example, some companies must host their data within their national borders, even if migrating to the cloud. The other options presented are all low risk and can be overcome with proper planning and mitigations. Most cloud providers have degrees of redundancy far above what any individual on-premises provider will be able to generate, making the concern over backups a minimal risk. If the SIEM is moved to a cloud-based server, it could still be operated and controlled in the same manner as the previous on-premises solution using a virtualized cloud-based server. While a VM or hypervisor escape is possible, they are rare and can be mitigated with additional controls.

9
Q

You have been asked to install a computer in a public workspace. Only an authorized user should use the computer. Which of the following security requirements should you implement to prevent unauthorized users from accessing the network with this computer?

  • issue the same strong and complex password for all users
  • disable single sign on
  • require authentication on wake-up
  • remove the guest account from the administrator group
A
require authentication on wake-up

To prevent the computer from being used inadvertently to access the network, the system should be configured to require authentication whenever the computer is woken up. Therefore, if an authorized user walks away and the computer goes to sleep, then when another person tries to use it, it will ask for a username and password before granting them access to the network. A screen lock can also secure the desktop with a password while leaving programs running if a user walks away. Single sign-on (SSO) is a type of mutual authentication for multiple services that can accept the credential from one domain or service as authentication for other services. A guest account is a Microsoft Windows user account with limited capabilities, no privacy, and is disabled by default. Using the same password for all users is considered extremely poor security and should not be done.

10
Q

What is a major security risk that could occur when you comingle hosts/servers with different security requirements in a single network?

  • password compromises
  • security policy violations
  • privilege creep
  • zombie attacks
A
security policy violations

A network is only as strong as its weakest link (or host/server). When you comingle hosts/servers, there is a large risk that security policy violations could occur. This is because users may be used to following a less stringent security policy for one set of machines and carry over those procedures to a machine that should have had stronger security policies.

11
Q

You are analyzing the SIEM for your company’s e-commerce server when you notice the following URL in the logs of your SIEM: see img

Based on this line, what type of attack has been attempted?

  • Buffer overflow
  • XML injection
  • SQL injection
  • Session hijacking
A

XML injection
This is an example of an XML injection. XML injection manipulates or compromises the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter an application’s intended logic. XML Injection can cause the insertion of malicious content into resulting messages/documents. In this case, the URL is attempting to modify the server’s XML structure. The original XML structure would be: . By using the URL above, this would be modified to the following: . The result would be that a new line was added in the XML document that could be processed by the server. This line would allow 10 of the product at $0.00 to be added to the shopping cart, while 0 of the product at $50.00 is added to the cart. This defeats the integrity of the e-commerce store’s add to cart functionality through this XML injection. A SQL injection occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer’s boundary to overwrite an adjacent memory location. A session hijacking attack consists of exploiting the web session control mechanism, normally managed for a session token. The real key to answering this question is identifying the XML structured code being entered as part of the URL, shown by the bracketed data.

12
Q

Riaan’s company runs critical web applications. During a vulnerability scan, Riaan found a serious SQL injection vulnerability in one of their web applications. The system cannot be taken offline to remediate the vulnerability. Which of the following compensating controls should Riaan recommend using until the system can be remediated?

  • Encryption
  • IPS
  • vulnerability scanning
  • WAF
A
WAF
WAF (web application firewall) is the best option since it can serve as a compensating control and protect against web application vulnerabilities like an SQL injection until the application can be fully remediated. Vulnerability scanning could only be used to detect the issue. Therefore, it is a detective control, not a compensating control. Encryption would not be effective in stopping an SQL injection. An intrusion prevention system (IPS) is designed to protect network devices based on ports, protocols, and signatures. It would not be effective against an SQL injection and is not considered a compensating control for this vulnerability.
13
Q

You are working as a security administrator and need to respond to an ongoing spearphishing campaign against your organization. Which of the following should be used as a checklist of actions to perform to detect and respond to this particular incident?

  • incident response plan
  • playbook
  • runbook
  • disaster recovery plan
A

playbook
A playbook is a checklist of actions to perform to detect and respond to a specific type of incident. Your organization will have playbooks for phishing attempts, privilege escalation, and other specific types of incidents. A runbook is an automated version of a playbook used by a SOAR to have the system conduct as many steps as possible. DRP is a disaster recovery plan focused on the response to a natural or manmade disaster, not an incident. An incident response plan is a generic document for the overall steps of incident response. Therefore it doesn’t apply to a specific type of incident. This is a hard question because all four terms are very closely related to incidents and disasters.

14
Q

You are reviewing the logs in your HIDS and see that entries were showing SYN packets received from a remote host targeting each port on your web server from 1 to 1024. Which of the following MOST likely occurred?

  • port scan
  • SYN flood
  • remote host cannot find the right service port
  • UDP probe
A

port scan
Based on the description provided, this is most likely a port scan. Using a tool like nmap, an attacker can run a SYN scan across every port in the range against the desired target. A port scan or SYN scan may trigger an alert in your IDS. While scanners support more stealthy scans, default scans may connect to each port sequentially. The other options are incorrect because a remote host will typically connect to only a single port associated with a service. A SYN flood normally sends many SYNs to a single system. Still, it doesn’t send them to unused ports, and a UDP probe will not send SYN packets.

15
Q

Which type of monitoring would utilize a network tap?

  • active
  • passive
  • router-based
  • SNMP
A

passive
Network taps are devices that allow a copy of network traffic to be captured for analysis. They conduct passive network monitoring and visibility without interfering with the network traffic itself. Active monitoring relies on scanning targeted systems, not a network tap. Router-based monitoring would involve looking over the router’s logs and configuration files. SNMP is used to monitor network devices but is considered active monitoring and doesn’t rely on network taps.

16
Q

You have been asked to help conduct a known environment penetration test. As part of your preparations, you have been given the source code for the organization’s custom web application.

see image

Which type of vulnerability might be able to exploit the code shown in this image?

  • SQL injection
  • remote code execution
  • buffer overflow
  • javascript injection
A

buffer overflow
The function DionCode may be subject to a buffer overflow if the user enters more than 20 characters as their input. In defining the char (character) type array, the programmer allocated only 20 characters’ worth of memory storage. To solve this problem, the programmer should add proper input validation to ensure that the input is less than 20 characters before passing the user_input variable to the strcpy (string copy) function.

17
Q

A cybersecurity analyst just finished conducting an initial vulnerability scan and is reviewing their results. To avoid wasting time on results that are not related to actual vulnerabilities, the analyst wants to remove any false positives before remediating the findings. Which of the following is an indicator that something in their results would be a false positive?

  • items classified by the system as Low or as For Informational Purposes Only
  • an HTTPS entry that indicates the web page is securely encrypted
  • a finding that shows the scanner compliance plug-ins are not up to date
  • a scan result that shows a version that is different from the automated asset inventory
A

items classified by the system as Low or as For Informational Purposes Only
When conducting a vulnerability scan, it is common for the report to include some findings that are classified as “low” priority or “for informational purposes only.” These are most likely false positives and can be ignored by the analyst when starting their remediation efforts. “An HTTPS entry that indicates the web page is securely encrypted” is not a false positive but a true negative (a non-issue). A scan result showing a different version from the automated asset inventory should be investigated and is likely a true positive. A finding that shows the scanner compliance plug-ins are not up-to-date would likely also be a true positive that should be investigated.

18
Q

You want to provide controlled remote access to the remote administration interfaces of multiple servers hosted on a private cloud. What type of segmentation security solution is the best choice for this scenario?

  • jumpbox
  • airgap
  • bastion host
  • physical
A

jumpbox
Installing a jumpbox as a single point of entry for the administration of servers within the cloud is the best choice for this requirement. The jumpbox only runs the necessary administrative port and protocol (typically SSH). Administrators connect to the jumpbox and then use the jumpbox to connect to the admin interface on the application server. The application server’s admin interface has a single entry in its ACL (the jumpbox) and denies any other hosts’ connection attempts. A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. An airgap system is a network or single host computer with unique security requirements that may be physically separated from any other network. Physical separation would prevent a system from accessing the remote administration interface directly and require an airgap system to reach the private cloud.

19
Q

Jack is assessing the likelihood of reconnaissance activities being performed against his organization. Which of the following would best classify the likelihood of a port scan being conducted against his DMZ?

  • Low
  • High
  • Medium
  • None
A

High
Since Jack’s DMZ would contain systems and servers exposed to the Internet, there is a high likelihood that they are constantly being scanned by potential attackers performing reconnaissance.

20
Q

Raj is working to deploy a new vulnerability scanner for an organization. He wants to verify the information he gets is the most accurate view of the configurations on the organization’s traveling salespeople’s laptops to determine if any configuration issues could lead to new vulnerabilities. Which of the following technologies would work BEST to collect the configuration information in this situation?

  • non-credentialed scan
  • agent-based scanning
  • passive network monitoring
  • server-based scanning
A

agent-based scanning
Using agent-based scanning, you typically get the most reliable results for systems that are not connected to the network, as well as the ones that are connected. This is ideal for traveling salespeople since their laptops are not constantly connected to the organization’s network. These agent-based scans can be conducted when the laptop is offline and then sent to a centralized server the next time it is connected to the network. Server-based scanning, non-credentialed scanning, and passive network monitoring require a continuous network connection to collect the devices’ configurations accurately.