Extras Flashcards
A server in your network’s DMZ was recently attacked. The firewall logs show that the server was attacked from an external IP address with the following socket: 72.52.206.134:5678. You need to check the server to see if it still has an active connection. Which of the following tools should you use?
A) netstat
B) tracert
C) dig
D) arp
A) netstat
The netstat command can be used to display a list of open connections, including both the IP address and the port. A socket is an established connection with both an IP address and port, such as an IP address of 72.52.206.134 and a port of 5678, displayed as 72.52.206.134:5678. None of the other commands display active connections. The tracert command lists the routers between two systems. The arp command shows the contents of the Address Resolution Protocol (ARP) cache. The dig command can be used on Linux systems to query Domain Name System (DNS) servers.
You suspect that a computer in your network is connecting to a remote computer without any user interaction. You want to verify this and identify the remote computer. Additionally, you want to identify how this connection is being initiated. Which of the following will BEST meet this need?
A) netstat
B) tcpdump
C) tracert
D) netcat
E) nmap
A) netstat
The netstat -nab command can show connections (with the -a switch), addresses, and ports of these connections (with the -n switch) to identify the remote computer, and the executable that created the connection (with the -b switch).
Tcpdump is a command line packet analyzer used to capture packets. While it will show the IP address of the connection if it occurs during the packet capture, it won’t show how the connection is being initiated.
The tracert command will list the routers between two systems, but it won’t identify the remote computer unless you already know the remote computer’s IP address.
Nmap is a network scanner. While it can detect hosts, it doesn’t track connections.
Netcat is a command line tool used to connect to remote systems and often used in banner grabbing.
Your organization hosts an ecommerce website. Lisa analyzed the computer utilization of this website and noted that the usage spikes at different times of the year. She wants to implement a cost-effective solution to handle the varying capacity demands. Which of the following strategies is she pursuing?
A) Resiliency
B) Scalability
C) Elasticity
D) Persistence
E) Redundancy
C) Elasticity
She is pursuing an elasticity strategy. Elasticity refers to the ability of a system to resize computing capacity based on the load. This includes both expanding the computing ability to handle increased loads and reducing the computing ability when the load is reduced. Because elasticity strategies increase or decrease computing abilities based on loads, they reduce overall costs and are cost-effective.
Resiliency strategies help deploy systems securely and keep them in a secure state.
Scalability refers to the ability of a system to scale up to handle an increased load, but it doesn’t refer to reducing the computing ability when the load decreases.
Persistence refers to virtual desktops and is unrelated to this question. In a persistent virtual desktop, each user has a custom desktop image. Non-persistent virtual desktops serve the same desktop for all users.
Redundancy adds duplication to critical system components and networks and provides fault tolerance.
Sort Elements:
1) Something you are
2) Something you have
3) Something you know
4) Somewhere you are
5) Something you do
A) Retina Scan
B) Smart Card
C) Finger Swipe
D) Password
E) IP Address
1) Something you are – A) Retina Scan
2) Something you have – B) Smart Card
3) Something you know – D) Password
4) Somewhere you are – E) IP Address
5) Something you do – C) Finger swipe
A retina scan is in the something you are factor.
A finger scan is in the something you do factor.
A token is in the something you have factor.
A password is in the something you know factor.
An iris scan is in the something you are factor.
A PIN is in the something you know factor.
An IP address is in the somewhere you are factor.
A fingerprint is in the something you are factor.
A smart card is in the something you have factor.
Your organization plans to deploy a server in the DMZ that will perform the following functions:
- Identify mail servers
- Provide data integrity
- Prevent poisoning attacks
- Respond to requests for A and AAAA records
Which of the following will BEST meet these requirements?
A) nslookup
B) TLS
C) DNS
D) DNSSEC
D) DNSSEC
Domain Name System Security Extensions (DNSSEC) add security to DNS systems. The functions in the list indicate that the server in the DMZ is a DNS server. DNS servers identify mail servers with MX records, provide IPv4 addresses of systems with A records, and provide IPv6 addresses with AAAA records. DNSSEC uses a Resource Record Signature (RRSIG), commonly referred to as a digital signature, to provide data integrity and authentication for DNS replies. While a DNS server responds to DNS queries with A and AAAA records, DNS without DNSSEC doesn’t prevent poisoning attacks. RRSIG can use Transport Layer Security (TLS) to create the signature, but TLS by itself doesn’t provide adequate protection. Nslookup is a command line tool used to test DNS, but it doesn’t provide any DNS services.
Your organization wants to increase security for name resolution by implementing DNSSEC. Which of the following is the BEST choice to support the deployment of DNSSEC?
A) LDAPS
B) SRTP
C) SSH
D) TLS
E) SSL
D) TLS
Transport Layer Security (TLS) is the best choice. Domain Name System (DNS) provides name resolution services and DNS Security Extensions (DNSSEC) add security to DNS systems. DNSSEC uses a Resource Record Signature (RRSIG), commonly referred to as a digital signature, to provide data integrity and authentication for DNS replies. RRSIG can use Transport Layer Security (TLS) to create the signature.
SSL has been deprecated and should not be used.
Secure Shell (SSH) is commonly used to connect to remote systems and can be used to send files in an encrypted format over a network, but RRSIG does not use SSH.
Secure Real-Time Transport Protocol (SRTP) provides encryption, message authentication, and integrity for video and voice data, but not documents.
Lightweight Directory Access Protocol (LDAP) specifies formats and methods to query directories. LDAP Secure (LDAPS) uses encryption to protect LDAP transmissions.
An IDS sent an alert after correlating the following log events:
- 22:10:05 10.10.80.5:49154 > 192.168.1.15:21
- 22:10:05 10.10.80.5:49154 > 192.168.1.15:20
- 22:10:05 10.10.80.5:49154 > 192.168.1.15:25
- 22:10:05 10.10.80.5:49154 > 192.168.1.15:23
What is the most likely cause of this alert?
A) SYN stealth scan
B) Service scan
C) Port scan
D) Ping sweep
C) Port scan
This is a port scan. The key is to understand the log format. In this example, it is:
Time - Source IP : Port - Destination IP : Port
Each packet was sent
- At 10:10 PM (22:10 using a 24-hour clock format)
- From a source computer with the IP of 10.10.80.5
- From the source computer’s port 49154
- To the destination computer with an IP address of 192.168.1.15
- To the destination computer’s ports of 20, 21, 23, and 25
How do you know the source computer has an IP of 10.10.80.5?
The packets are always coming from the same port of 49154. Also, the varied ports (20, 21, 23, and 25) on the destination computer help you identify it as a port scan.
A ping sweep attempts to identify active IP addresses on a network. It typically uses Internet Control Message Protocol (ICMP) to check a range of IP addresses, but it doesn’t use different ports.
A service scan is typically done after a port scan. It checks to see if the system is actually running the service associated with the well-known port.
A SYN stealth scan uses part of the TCP three-way handshake to see if a system responds and identify active IP addresses on a network. It sends the SYN packet and waits for the SYN/ACK packet. If it receives it, it typically responds with a RST packet to reset and close the connection.
A coffee shop recently stopped broadcasting the SSID for their wireless network. Instead, paying customers can view it on their receipt and use it to connect to the coffee shop’s wireless network. Today, Lisa turned on her laptop computer and saw the SSID. Which of the following is the MOST likely reason why?
A) Evil actor
B) Rogue AP
C) Bluejacking
D) Jamming
B) Rogue AP
This describes a rogue access point (AP). More specifically, it is an evil twin, which is a rogue AP with the same SSID as a legitimate access point. While the person setting up the rogue AP may be evil, a CompTIA question won’t ask you to evaluate the character of an attacker. Jamming typically prevents anyone from connecting to a wireless network. Bluejacking is related to Bluetooth, not wireless networks.
You are reviewing logs in Snort and see the following entry:
[**] [1:2463:7] EXPLOIT IGMP IGAP message overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority:1]
09/01 - 18:12:34.12371 10.10.0.152 -> 10.10.0.88
IGMP TTL:255 TOS:0x0 ID:9744 IpLen:20 DGMLEN:502 MF
Frag Offset: 0x1FFF Frag Size: 0x01E2
What does this MOST likely indicate? Select TWO.
A) The TOS value indicates a buffer overflow
B) The source IP 10.10.0.152, indicating the attack is coming from that IP address
C) The attacker sent a malformed TCP packet, triggering the alert
D) The TTL value is outside of the expected range, triggering the alert
E) The source IP 10.10.0.88, indicating that the attack is coming from that IP address
F) The attacker sent a malformed IGAP packet, triggering the alert
B) The source IP 10.10.0.152, indicating the attack is coming from that IP address
F) The attacker sent a malformed IGAP packet, triggering the alert
The source IP address is 10.10.0.152, indicating the attack is coming from that IP address. The IP before the arrow (->) is the source of the traffic. The attacker sent a malformed Internet Group Management Authentication Protocol (IGAP) packet, triggering the alert. This is apparent from the first line: “EXPLOIT IGMP IGAP message overflow attempt”.
Snort is an open-source intrusion detection system (IDS). IGAP is a variant of Internet Group Management Protocol version 2 (IGMPv2) that adds authentication.
The IP after the arrow (10.10.0.88) is the destination of the traffic, not the source.
The log entry indicates that the exploit is from IGMP IGAP, not Transmission Control Protocol (TCP).
A time to live (TTL) value of 255 is relatively common for a packet.
A type of service (TOS) value of 0x0 is relatively common and doesn’t indicate any problem.
Lisa is setting up a secure web server. She needs the server’s cryptography to support perfect forward secrecy. Of the following choices, which cipher suite should she ensure is used by the server?
A) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
B) TLS_RSA_WITH_AES_128_CBC_SHA256
C) TLS_DH_WITH_AES_256_CBC_SHA256
D) SSL_RSA_WITH_AES_128_CBC_SHA256
A) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
The correct answer is TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA. Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) provides perfect forward secrecy by using ephemeral keys, and only one answer includes ECDHE. RSA uses static key pairs, so it doesn’t support perfect forward secrecy. Diffie-Hellman (DH) can use either static keys or ephemeral keys, so it wouldn’t ensure that perfect forward secrecy was always used. SSL has been replaced by TLS and should not be used.
A coffee shop recently stopped broadcasting the SSID for their wireless network. Instead, paying customers can view it on their receipt and use it to connect to the coffee shop’s wireless network. Today, Lisa turned on her laptop computer and saw the SSID. Which of the following is the MOST likely reason why?
A) Jamming
B) Bluejacking
C) Evil attacker
D) Rogue AP
D) Rogue AP
This describes a rogue access point (AP). More specifically, it is an evil twin, which is a rogue AP with the same SSID as a legitimate access point. While the person setting up the rogue AP may be evil, a CompTIA question won’t ask you to evaluate the character of an attacker. Jamming typically prevents anyone from connecting to a wireless network. Bluejacking is related to Bluetooth, not wireless networks.
You recently learned that attackers exploited the POODLE vulnerability on one of your organization’s web servers. What type of attack is this?
A) Downgrade
B) Wireless
C) Pinning
D) Spoofing
A) Downgrade
The Padding Oracle On Downgraded Legacy Encryption (POODLE) attack is a downgrade attack that exploits Secure Sockets Layer (SSL) weaknesses, even when the server supports the more secure Transport Layer Security (TLS) protocol. It is not a wireless attack. Public key pinning is not an attack, but rather a security mechanism designed to prevent attackers from impersonating a web site using fraudulent certificates. A spoofing attack occurs when an attacker attempts to impersonate or masquerade as someone or something else.
Your network includes dozens of servers. Administrators in your organization are having problems aggregating and correlating the logs from these servers. Which of the following provides the BEST solution for these problems?
A) SIEM
B) Nmap
C) Network mapper
D) Network scanner
A) SIEM
A security information and event management (SIEM) system collects, aggregates, and correlates logs from multiple sources. A network mapper can detect all the devices on a network and a network scanner can detect more information about these devices, but neither of these tools aggregate and correlate logs. Nmap is a command line network scanner.
The new CIO at your organization has mandated the use of DMZ firewalls from different vendors as a method of implementing vendor diversity. Which of the following is a security advantage of this strategy?
A) Homogeneity
B) Redundancy
C) Configurability
D) Elasticity
E) Resiliency
E) Resiliency
Vendor diversity is a defense in depth strategy that provides resiliency. Resiliency includes the ability to withstand deliberate attacks. Using different vendor firewalls in the DMZ helps protect the internal network from attacks because it is unlikely that both vendor firewalls will be susceptible to new vulnerabilities at the same time.
Homogeneity refers to the sameness of things and is the opposite of diversity.
Elasticity refers to the ability of a system to increase and decrease computing capacity based on the load.
Because the firewalls are from different vendors, configurability becomes a challenge because administrators must know how to configure each correctly.
Some people consider this a vulnerability rather than a security advantage.
Management decided last year to allow employees to connect and use their personal mobile devices on the internal network. However, the organization is having problems with these devices including the following:
- Employees don’t keep their devices updated
- There is no standardization among the devices
- The organization doesn’t have adequate controls over the devices
Management wants to implement a mobile device deployment model to overcome these problems, while still allowing employees to use their own devices. Which of the following is the BEST choice?
A) SaaS
B) CYOD
C) BYOD
D) COPE
B) CYOD
A choose your own device (CYOD) mobile device model includes a list of acceptable devices that employees can purchase and connect to the network. IT management can then implement a mobile device management (MDM) system to provide standardized management for these devices.
The current policy is a bring your own device (BYOD) policy, but because of the lack of standardization, it’s extremely difficult for IT departments to adequately manage the devices and ensure they don’t introduce vulnerabilities to the network.
A corporate-owned, personally enabled (COPE) model indicates the organization owns the device, not the employees.
Software as a Service (SaaS) is a cloud deployment model, not a mobile device deployment model.