Exam B Flashcards
A security administrator has performed an audit of the organization’s production web servers, and the results have identified default configurations, web services running from a privileged account, and inconsistencies with SSL certificates. Which would be the BEST way to resolve these issues?
Server hardening
Many applications and services include secure configuration guides to assist in hardening the system. These hardening steps will make the system as secure as possible while simultaneously allowing the application to run efficiently.
A shipping company stores information in small regional warehouses around the country. The company maintains an IPS at each warehouse to watch for suspicious traffic patterns. Which would BEST describe the security control used at the warehouse?
Detective
An IPS can detect, alert, and log an intrusion attempt. The IPS could also be categorized as a preventive control, since it has the ability to actively block known attacks.
The Vice President of Sales has asked the IT team to create daily backups of the sales data. The Vice President is an example of a:
Data owner
The data owner is accountable for specific data, so this person is often a senior officer of the organization.
A security engineer is preparing to conduct a penetration test of a third-party website. Part of the preparation involves reading through social media posts for information about this site. Which describes this practice?
OSINT
OSINT (Open Source Intelligence) describes the process of obtaining information from open sources such as social media sites, corporate websites, online forums, and other publicly available locations.
A company would like to orchestrate the response when a virus is detected on company devices. Which would be the BEST way to implement this function?
Escalation scripting
Scripting and automation can provide methods to automate or orchestrate the escalation response when a security issue is detected.
A user in the accounting department has received a text message from the CEO. The message requests payment by cryptocurrency for a recently purchased tablet. Which of the following would BEST describe this attack?
Smishing
Smishing is phishing using SMS (Short Message Service), more commonly referred to as text messaging. A message allegedly from the CEO asking for unusual payments using cryptocurrency or gift cards would be categorized as smishing.
A company has been informed of a hypervisor vulnerability that could allow users on one virtual machine to access resources on another virtual machine. Which would BEST describe this vulnerability?
Escape
A VM (Virtual Machine) escape is a vulnerability that allows communication between separate VMs.
While working from home, users are attending a project meeting over a web conference. When typing in the meeting link, the browser is unexpectedly directed to a different website than the web conference. Users in the office do not have any issues accessing the conference site. Which would be the MOST likely reason for this issue?
DNS poisoning
An attacker with access to a DNS (Domain Name System) server can modify the DNS configuration files and redirect users to a different website. Anyone using a different DNS server may not see any problems with connectivity to the original site.
A company is launching a new internal application that will not start until a username and password is entered and a smart card is plugged into the computer. Which BEST describes this process?
Authentication
The process of proving who you say you are is authentication. In this example, the password and smart card are two factors of authentication, and both reasonably prove that the person with the login credentials is authentic.
An online retailer is planning a penetration test as part of their PCI DSS validation. A third-party organization will be performing the test, and the online retailer has provided the Internet-facing IP addresses for their public web servers. No other details were provided. What penetration testing methodology is the online retailer using?
Partially known environment
A partially known environment test is performed when the attacker knows some information about the victim, but not all information is available.
A manufacturing company produces radar used by commercial and military organizations. A recently proposed policy change would allow the use of mobile devices inside the facility. Which would be the MOST significant threat vector issue associated with this change in policy?
Loss of intellectual property
The exfiltration of confidential information and intellectual property is relatively simple with an easily transportable mobile phone. Organizations associated with sensitive products or services must always be aware of the potential for information leaks using files, photos, or video.
Which would be the BEST way for an organization to verify the digital signature provided by an external email server?
Check the DKIM record
A DKIM (Domain Keys Identified Mail) record is a DNS (Domain Name System) entry that includes the public key associated with an email server’s digital signatures. A legitimate email server will digitally sign all outgoing emails and provide the public key in their DNS for third-party validation.
A company is using older operating systems for their web servers and is concerned about their stability during periods of high use. Which should the company use to maximize the uptime and availability of this service?
Load balancer
A load balancer maintains a pool of servers and can distribute the load across those devices. If a device fails, the other servers will continue to operate and provide the necessary services.
A user in the accounting department would like to email a spreadsheet with sensitive information to a list of third-party vendors. Which would be the BEST way to protect the data in this email?
Asymmetric encryption
Asymmetric encryption uses a recipient’s public key to encrypt data, and this data can only be decrypted with the recipient’s private key. This encryption method is commonly used with software such as PGP or GPG.
A system administrator would like to segment the network to give the marketing, accounting, and manufacturing departments their own private network. The network communication between departments would be restricted for additional security. Which of the following should be configured on this network?
VLAN
A VLAN (Virtual Local Area Network) is a common method of using a switch to logically segment a network. The devices in each segmented VLAN can only communicate with other devices in the same VLAN. A router is used to connect VLANs, and this router can often be used to control traffic flows between the VLANs.
A technician at an MSP has been asked to manage devices on a third-party private network. The technician needs command line access to internal routers, switches, and firewalls. Which of the following would provide the necessary access?
Jump server
A jump server is a highly secured device commonly used to access secure areas of another network. The technician would first connect to the jump server using SSH or a VPN tunnel, and then “jump” from the jump server to other devices on the inside of the protected network. This would allow technicians at an MSP (Managed Service Provider) to securely access devices on their customers’ private networks.
A transportation company is installing new wireless access points in their corporate office. The manufacturer estimates the access points will operate an average of 100,000 hours before a hardware-related outage. Which describes this estimate?
MTBF
The MTBF (Mean Time Between Failures) is the average time expected between outages. This is usually an estimation based on the internal device components and their expected operational lifetime.
A security administrator is creating a policy to prevent the disclosure of credit card numbers in a customer support application. Users of the application would only be able to view the last four digits of a credit card number. Which of the following would provide this functionality?
Masking
Data masking hides data from being viewed. The full credit card numbers are stored in a database, but only a limited view of this data is available when accessing the information from the application.
A user is authenticating through the use of a PIN and a fingerprint. Which would describe these authentication factors?
Something you know, something you are
A PIN (Personal Identification Number) is something you know, and a fingerprint is something you are.
A security administrator is configuring the authentication process used by technicians when logging into wireless access points and switches. Instead of using local accounts, the administrator would like to pass all login requests to a centralized database. Which would be the BEST way to implement this requirement?
AAA
Using AAA (Authentication, Authorization, and Accounting) is a common method of centralizing authentication. Instead of having separate local accounts on different devices, users can authenticate with account information maintained in a centralized database.
A recent audit has determined that many IT department accounts have been granted Administrator access. The audit recommends replacing these permissions with limited access rights. Which of the following would describe this policy?
Least privilege
The policy of least privilege limits the rights and permissions of a user account to only the access required to accomplish their objectives. This policy would limit the scope of an attack originating from a user in the IT department.
A recent security audit has discovered usernames and passwords which can be easily viewed in a packet capture. Which of the following did the audit identify?
Insecure protocols
An insecure authentication protocol will transmit information “in the clear,” or without any type of encryption or protection.
Before deploying a new application, a company is performing an internal audit to ensure all of their servers are configured with the appropriate security features. Which would BEST describe this process?
Due care
Due care describes a duty to act honestly and in good faith. Due diligence is often associated with third-party activities, and due care tends to refer to internal activities.
An organization has previously purchased insurance to cover a ransomware attack, but the costs of maintaining the policy have increased above the acceptable budget. The company has now decided to cancel the insurance policies and address potential ransomware issues internally. Which would best describe this action?
Acceptance
Risk acceptance is a business decision that places the responsibility of the risky activity on the organization itself.
Which of these threat actors would be MOST likely to install a company’s internal application on a public cloud provider?
Shadow IT
Shadow IT is an internal organization within the company but is not part of the IT department. Shadow IT often circumvents or ignores existing IT policies to build their own infrastructure with company resources.
An IPS report shows a series of exploit attempts were made against externally facing web servers. The system administrator of the web servers has identified a number of unusual log entries on each system. Which would be the NEXT step in the incident response process?
Disconnect the web servers from the network
The unusual log entries on the web server indicate that the system may have been exploited. In that situation, the servers should be contained to prevent all connectivity to those systems.
A security administrator is viewing the logs on a laptop in the shipping and receiving department and identifies these events:
8:55:30 AM | D:\Downloads\ChangeLog-5.0.4.scr | Quarantine Success
9:22:54 AM | C:\Program Files\Photo Viewer\ViewerBase.dll | Quarantine Failure
9:44:05 AM | C:\Sales\Sample32.dat | Quarantine Success
Which would BEST describe the circumstances surrounding these events?
The antivirus application identified three viruses and quarantined two viruses
The logs are showing the names of files on the local device and a quarantine disposition, which indicates that two of the files were moved (quarantined) to a separate area of the drive. This will prevent the malicious files from executing and will safely store the files for any future investigation. The second file in the list failed the quarantine process, most likely because the library was already in use by the operating system and could not be moved.
In the past, an organization has relied on the curated Apple App Store to avoid issues associated with malware and insecure applications. However, the IT department has discovered an iPhone in the shipping department with applications not available on the Apple App Store. How did the shipping department user install these apps on their mobile device?
Side loading
If Apple’s iOS has been circumvented using jailbreaking, a user can install apps without using the Apple App Store. Circumventing a curated app store to install an app manually is called side loading.
A company has noticed an increase in support calls from attackers. These attackers are using social engineering to gain unauthorized access to customer data. Which would be the BEST way to prevent these attacks?
User training
Many social engineering attacks do not involve technology, so the best way to prevent the attack is to properly train users to watch for these techniques.
As part of an internal audit, each department of a company has been asked to compile a list of all devices, operating systems, and applications in use. Which would BEST describe this audit?
Self-assessment
A self-assessment describes an organization performing their own security checks.
A company is concerned about security issues at their remote sites. Which would provide the IT team with more information about potential shortcomings?
Gap analysis
A gap analysis is a formal process comparing the current security posture with where the company would like to be. This often examines many different aspects of the overall security environment.
An attacker has identified a number of devices on a corporate network with the username of “admin” and the password of “admin.” Which of the following describes this situation?
Default credentials
When a device is first installed, it will often have a default set of credentials such as admin/password or admin/admin. If these default credentials are never changed, they would allow access by anyone who knows the default configuration.
A security administrator attends an annual industry convention with other security professionals from around the world. Which attack would be MOST likely in this situation?
Watering hole
A watering hole attack infects a third-party visited by the intended victims. An industry convention would be a perfect location to attack security professionals.
A transportation company headquarters is located in an area with frequent power surges and outages. The security administrator is concerned about the potential for downtime and hardware failures. Which would provide the most protection against these issues? Select TWO.
❍ A. UPS
❍ B. Parallel processing
❍ C. Snapshots
❍ D. Multi-cloud system
❍ E. Load balancing
❍ F. Generator
A. UPS and F. Generator
A UPS (Uninterruptible Power Supply) can provide backup power for a limited time when the main power source is unavailable, and a generator can maintain uptime as long as a fuel source is available.