Extras Flashcards

1
Q

A server in your network’s DMZ was recently attacked. The firewall logs show that the server was attacked from an external IP address with the following socket: 72.52.206.134:5678. You need to check the server to see if it still has an active connection. Which of the following tools should you use?

A) netstat
B) tracert
C) dig
D) arp

A

A) netstat

The netstat command can be used to display a list of open connections, including both the IP address and the port. A socket is an established connection with both an IP address and port, such as an IP address of 72.52.206.134 and a port of 5678, displayed as 72.52.206.134:5678. None of the other commands display active connections. The tracert command lists the routers between two systems. The arp command shows the contents of the Address Resolution Protocol (ARP) cache. The dig command can be used on Linux systems to query Domain Name System (DNS) servers.

2
Q

You suspect that a computer in your network is connecting to a remote computer without any user interaction. You want to verify this and identify the remote computer. Additionally, you want to identify how this connection is being initiated. Which of the following will BEST meet this need?

A) netstat
B) tcpdump
C) tracert
D) netcat
E) nmap
A

A) netstat

The netstat -nab command can show connections (with the -a switch), addresses, and ports of these connections (with the -n switch) to identify the remote computer, and the executable that created the connection (with the -b switch).

Tcpdump is a command-line packet analyzer used to capture packets. While it will show the IP address of the connection if it occurs during the packet capture, it won’t show how the connection is being initiated.

The tracert command will list the routers between two systems, but it won’t identify the remote computer unless you already know the remote computer’s IP address.

Nmap is a network scanner. While it can detect hosts, it doesn’t track connections.

Netcat is a command line tool used to connect to remote systems and often used in banner grabbing.

3
Q

Your organization hosts an ecommerce website. Lisa analyzed the computer utilization of this website and noted that the usage spikes at different times of the year. She wants to implement a cost-effective solution to handle the varying capacity demands. Which of the following strategies is she pursuing?

A) Resiliency
B) Scalability
C) Elasticity
D) Persistence
E) Redundancy
A

C) Elasticity

She is pursuing an elasticity strategy. Elasticity refers to the ability of a system to resize computing capacity based on the load. This includes both expanding the computing ability to handle increased loads and reducing the computing ability when the load is reduced. Because elasticity strategies increase or decrease computing abilities based on loads, they reduce overall costs and are cost-effective.

Resiliency strategies help deploy systems securely and keep them in a secure state.

Scalability refers to the ability of a system to scale up to handle an increased load, but it doesn’t refer to reducing the computing ability when the load decreases.

Persistence refers to virtual desktops and is unrelated to this question. In a persistent virtual desktop, each user has a custom desktop image. Non-persistent virtual desktops serve the same desktop to all users.

Redundancy adds duplication to critical system components and networks and provides fault tolerance.

4
Q

Sort Elements:

1) Something you are
2) Something you have
3) Something you know
4) Somewhere you are
5) Something you do

A) Retina Scan
B) Smart Card
C) Finger Swipe
D) Password
E) IP Address
A

1) Something you are – A) Retina Scan
2) Something you have – B) Smart Card
3) Something you know – D) Password
4) Somewhere you are – E) IP Address
5) Something you do – C) Finger Swipe

A retina scan is in the something you are factor.
A finger swipe is in the something you do factor.
A token is in the something you have factor.
A password is in the something you know factor.
An iris scan is in the something you are factor.
A PIN is in the something you know factor.
An IP address is in the somewhere you are factor.
A fingerprint is in the something you are factor.
A smart card is in the something you have factor.

5
Q

Your organization plans to deploy a server in the DMZ that will perform the following functions:
- Identify mail servers
- Provide data integrity
- Prevent poisoning attacks
- Respond to requests for A and AAAA records
Which of the following will BEST meet these requirements?

A) nslookup
B) TLS
C) DNS
D) DNSSEC

A

D) DNSSEC

Domain Name System Security Extensions (DNSSEC) add security to DNS systems. The functions in the list indicate that the server in the DMZ is a DNS server. DNS servers identify mail servers with MX records, provide IPv4 addresses of systems with A records, and provide IPv6 addresses with AAAA records. DNSSEC uses a Resource Record Signature (RRSIG), commonly referred to as a digital signature, to provide data integrity and authentication for DNS replies. While a DNS server responds to DNS queries with A and AAAA records, DNS without DNSSEC doesn’t prevent poisoning attacks. RRSIG can use Transport Layer Security (TLS) to create the signature, but TLS by itself doesn’t provide adequate protection. Nslookup is a command line tool used to test DNS, but it doesn’t provide any DNS services.

6
Q

Your organization wants to increase security for name resolution by implementing DNSSEC. Which of the following is the BEST choice to support the deployment of DNSSEC?

A) LDAPS
B) SRTP
C) SSH
D) TLS
E) SSL
A

D) TLS

Transport Layer Security (TLS) is the best choice. Domain Name System (DNS) provides name resolution services, and DNS Security Extensions (DNSSEC) add security to DNS systems. DNSSEC uses a Resource Record Signature (RRSIG), commonly referred to as a digital signature, to provide data integrity and authentication for DNS replies. RRSIG can use Transport Layer Security (TLS) to create the signature.

SSL has been deprecated and should not be used.

Secure Shell (SSH) is commonly used to connect to remote systems and can be used to send files in an encrypted format over a network, but RRSIG does not use SSH.

Secure Real-Time Transport Protocol (SRTP) provides encryption, message authentication, and integrity for video and voice data, but not documents.

Lightweight Directory Access Protocol (LDAP) specifies formats and methods to query directories. LDAP Secure (LDAPS) uses encryption to protect LDAP transmissions.

7
Q

An IDS sent an alert after correlating the following log events:
- 22:10:05 10.10.80.5:49154 > 192.168.1.15:21
- 22:10:05 10.10.80.5:49154 > 192.168.1.15:20
- 22:10:05 10.10.80.5:49154 > 192.168.1.15:25
- 22:10:05 10.10.80.5:49154 > 192.168.1.15:23
What is the most likely cause of this alert?

A) SYN stealth scan
B) Service scan
C) Port scan
D) Ping sweep

A

C) Port scan

This is a port scan. The key is to understand the log format. In this example, it is:

Time - Source IP : Port - Destination IP : Port

Each packet was sent

  • At 10:10 PM (22:10 using a 24 hour clock format)
  • From a source computer with the IP of 10.10.80.5
  • From the source computer’s port 49154
  • To the destination computer with an IP address of 192.168.1.15
  • To the destination computer’s ports of 20, 21, 23, and 25

How do you know the source computer has an IP of 10.10.80.5?
The packets are always coming from the same port, 49154. Also, the varied ports (20, 21, 23, and 25) on the destination computer help you identify it as a port scan.

A ping sweep attempts to identify active IP addresses on a network. It typically uses Internet Control Message Protocol (ICMP) to check a range of IP addresses, but it doesn’t use different ports.

A service scan is typically done after a port scan. It checks to see if the system is actually running the service associated with the well-known port.

A SYN stealth scan uses part of the TCP three-way handshake to see if a system responds and to identify active IP addresses on a network. It sends the SYN packet and waits for the SYN/ACK packet. If it receives it, it typically responds with a RST packet to reset and close the connection.

8
Q

A coffee shop recently stopped broadcasting the SSID for their wireless network. Instead, paying customers can view it on their receipt and use it to connect to the coffee shop’s wireless network. Today, Lisa turned on her laptop computer and saw the SSID. Which of the following is the MOST likely reason why?

A) Evil actor
B) Rogue AP
C) Bluejacking
D) Jamming

A

B) Rogue AP

This describes a rogue access point (AP). More specifically, it is an evil twin, which is a rogue AP with the same SSID as a legitimate access point. While the person setting up the rogue AP may be evil, a CompTIA question won’t ask you to evaluate the character of an attacker. Jamming typically prevents anyone from connecting to a wireless network. Bluejacking is related to Bluetooth, not wireless networks.

9
Q

You are reviewing logs in Snort and see the following entry:
[**] [1:2463:7] EXPLOIT IGMP IGAP message overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority:1]
09/01 - 18:12:34.12371 10.10.0.152 -> 10.10.0.88
IGMP TTL:255 TOS:0x0 ID:9744 IpLen:20 DGMLEN:502 MF
Frag Offset: 0x1FFF Frag Size: 0x01E2

What does this MOST likely indicate? Select TWO.

A) The TOS value indicates a buffer overflow
B) The source IP 10.10.0.152, indicating the attack is coming from that IP address
C) The attacker sent a malformed TCP packet, triggering the alert
D) The TTL value is outside of the expected range, triggering the alert
E) The source IP 10.10.0.88, indicating that the attack is coming from that IP address
F) The attacker sent a malformed IGAP packet, triggering the alert

A

B) The source IP 10.10.0.152, indicating the attack is coming from that IP address
F) The attacker sent a malformed IGAP packet, triggering the alert

The source IP address is 10.10.0.152, indicating the attack is coming from that IP address. The IP before the arrow (->) is the source of the traffic. The attacker sent a malformed Internet Group Management Authentication Protocol (IGAP) packet, triggering the alert. This is apparent from the first line, “EXPLOIT IGMP IGAP message overflow attempt”.

Snort is an open-source intrusion detection system (IDS). IGAP is a variant of Internet Group Management Protocol version 2 (IGMPv2) that adds authentication.

The IP after the arrow (10.10.0.88) is the destination of the traffic, not the source.

The log entry indicates that the exploit is from IGMP IGAP, not Transmission Control Protocol (TCP).

A time to live (TTL) value of 255 is relatively common for a packet.

A type of service (TOS) value of 0x0 is relatively common and doesn’t indicate any problem.

10
Q

Lisa is setting up a secure web server. She needs the server’s cryptography to support perfect forward secrecy. Of the following choices, which cipher suite should she ensure is used by the server?

A) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
B) TLS_RSA_WITH_AES_128_CBC_SHA256
C) TLS_DH_WITH_AES_256_CBC_SHA256
D) SSL_RSA_WITH_AES_128_CBC_SHA256

A

A) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

The correct answer is TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA. Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) uses perfect forward secrecy using ephemeral keys and only one answer includes ECDHE. RSA uses static key pairs, so it doesn’t support perfect forward secrecy. Diffie-Hellman (DH) can use either static keys or ephemeral keys, so it wouldn’t ensure that perfect forward secrecy was always used. SSL has been replaced by TLS and should not be used.

11
Q

A coffee shop recently stopped broadcasting the SSID for their wireless network. Instead, paying customers can view it on their receipt and use it to connect to the coffee shop’s wireless network. Today, Lisa turned on her laptop computer and saw the SSID. Which of the following is the MOST likely reason why?

A) Jamming
B) Bluejacking
C) Evil attacker
D) Rogue AP

A

D) Rogue AP

This describes a rogue access point (AP). More specifically, it is an evil twin, which is a rogue AP with the same SSID as a legitimate access point. While the person setting up the rogue AP may be evil, a CompTIA question won’t ask you to evaluate the character of an attacker. Jamming typically prevents anyone from connecting to a wireless network. Bluejacking is related to Bluetooth, not wireless networks.

12
Q

You recently learned that attackers exploited the POODLE vulnerability on one of your organization’s web servers. What type of attack is this?

A) Downgrade
B) Wireless
C) Pinning
D) Spoofing

A

A) Downgrade

The Padding Oracle On Downgraded Legacy Encryption (POODLE) attack is a downgrade attack that exploits Secure Sockets Layer (SSL) weaknesses, even when the server is supporting the more secure Transport Layer Security (TLS) protocol. It is not a wireless attack. Public key pinning is not an attack, but rather a security mechanism designed to prevent attackers from impersonating a web site using fraudulent certificates. A spoofing attack occurs when an attacker attempts to impersonate or masquerade as someone or something else.

13
Q

Your network includes dozens of servers. Administrators in your organization are having problems aggregating and correlating the logs from these servers. Which of the following provides the BEST solution for these problems?

A) SIEM
B) Nmap
C) Network mapper
D) Network scanner

A

A) SIEM

A security information and event management (SIEM) system collects, aggregates, and correlates logs from multiple sources. A network mapper can detect all the devices on a network and a network scanner can detect more information about these devices, but neither of these tools aggregates and correlates logs. Nmap is a command-line network scanner.

14
Q

The new CIO at your organization has mandated the use of DMZ firewalls from different vendors as a method of implementing vendor diversity. Which of the following is a security advantage of this strategy?

A) Homogeneity
B) Redundancy
C) Configurability
D) Elasticity
E) Resiliency
A

E) Resiliency

Vendor diversity is a defense in depth strategy that provides resiliency. Resiliency includes the ability to withstand deliberate attacks. Using different vendor firewalls in the DMZ helps protect the internal network from attacks because it is unlikely that both vendor firewalls will be susceptible to new vulnerabilities at the same time.

Homogeneity refers to the sameness of things and is the opposite of diversity.

Elasticity refers to the ability of a system to increase and decrease computing capacity based on the load.

Because the firewalls are from different vendors, configurability becomes a challenge because administrators must know how to configure each correctly.

Some people consider this a vulnerability rather than a security advantage.

15
Q

Management decided last year to allow employees to connect and use their personal mobile devices on the internal network. However, the organization is having problems with these devices, including the following:

  • Employees don’t keep their devices updated
  • There is no standardization among the devices
  • The organization doesn’t have adequate controls over the devices

Management wants to implement a mobile device deployment model to overcome these problems, while still allowing employees to use their own devices. Which of the following is the BEST choice?

A) SaaS
B) CYOD
C) BYOD
D) COPE

A

B) CYOD

A choose your own device (CYOD) mobile device model includes a list of acceptable devices that employees can purchase and connect to the network. IT management can then implement a mobile device management (MDM) system to provide standardized management for these devices.

The current policy is a bring your own device (BYOD) policy, but because of the lack of standardization, it’s extremely difficult for IT departments to adequately manage the devices and ensure they don’t introduce vulnerabilities to the network.

A corporate-owned, personally enabled (COPE) model indicates the organization owns the device, not the employees.

Software as a Service (SaaS) is a cloud deployment model, not a mobile device deployment model.

16
Q

You are troubleshooting a computer that is displaying erratic behavior. You suspect that malicious software was installed when the user downloaded and installed a free software application. You want to identify the name of the malware and you run the following netstat command from the command prompt:

C:\WINDOWS\system32>netstat -nab > netstat.txt

After opening the text file, you find the following information:

Proto Local Addr Foreign Addr State
TCP 0.0.0.0:135 0.0.0.0 Listening RpcSs[svchost.exe]
TCP 192.168.0.28:12405 72.52.230.233:443 Established [chrome.exe]
TCP 192.168.0.28:11304 72.52.206.134 Established winserver.exe
UDP 127.0.0.1:1900 . SSDPSRV [svchost.exe]
UDP 192.168.0.28:137 . ownership information

Based on the output, what type of malware was most likely installed on the user’s computer?

A) No malware is indicated
B) Worm
C) RAT
D) Logic bomb
E) Crypto-malware
F) Ransomware
A

C) RAT

The winserver.exe file is a remote access Trojan (RAT). All of the other executable names displayed by netstat are valid.

A worm is a self-replicating malware that travels throughout a network without the assistance of a host application or user interaction.

A logic bomb is a string of code embedded into an application or script that will execute in response to an event.

Ransomware is a specific type of Trojan that typically encrypts the user’s data until the user pays a ransom.

Ransomware that encrypts data is often called crypto-malware.

Because winserver.exe is known malware, the netstat output does indicate malware is running.

17
Q

Lisa has been hired as an external consultant to review an organization’s SDLC. After analyzing their methods, she realizes that the SDLC process does not include a phase that allows team members to evaluate and provide critical feedback on other team members’ code. Which of the following should be added to the SDLC process?

A) Dynamic analysis
B) White box testing
C) Peer review
D) Sandboxing
E) Stress test
A

C) Peer review

During a peer review process of a software development lifecycle (SDLC), members of a development team review other team members’ code and provide feedback to them.

Stress testing methods attempt to simulate a live environment and determine how effectively or efficiently an application operates under a load.

Sandboxing is a method used for testing programs in an isolated environment.

White box testing is a penetration testing concept where the testers have full knowledge of the environment before starting a test.

Dynamic analysis checks the code as it’s running. A common method is fuzzing, which uses a computer program to send random data to an application.

18
Q

Developers in your organization recently created a web application served by an Apache web server. However, testing shows that the site is susceptible to an attack allowing an attacker to create an HTML iframe within a web browser using JavaScript. Of the following choices, what best describes the attack in this scenario?

A) DDoS
B) Poisoning
C) XSS
D) SQL injection
E) Buffer overflow
A

C) XSS

This describes a cross-site scripting (XSS) attack. An HTML iframe allows a developer to embed an HTML document within an HTML page. If an attacker combines malicious JavaScript with the iframe, users can be tricked into thinking they are accessing content from the site rather than malicious code, and may click on a malicious link.

A distributed denial of service (DDoS) attack is launched from many systems against a single system. A poisoning attack typically refers to Domain Name System (DNS) or Address Resolution Protocol (ARP) poisoning, but isn’t relevant to this question. A buffer overflow occurs when an application receives more data than it can handle, and exposes memory that is otherwise protected. A SQL injection attack attempts to inject SQL code into a query and is unrelated to this question.

Note: the use of iframes is highly debated among developers. Some developers recommend they never be used. Other developers say that they can be used as long as developers take adequate precautions. The challenge is that not all developers know what precautions to take, so iframes are often looked at with suspicion.

19
Q

You are reviewing some Java code for an application and come across the following snippet:
public class donuts {
    public static void main (String [] args) {
        object stuffed = null;
        stuffed.heat ();
    }
}
You suspect that this will cause a problem. Which of the following BEST describes the problem?

A) Pointer dereference
B) NullPointerException
C) Buffer overflow
D) Invalid null assignment

A

A) Pointer dereference

Admittedly, this is much deeper than I would expect for a Security+ exam. However, based on the objectives, test item writers that are also developers may consider it a valid question to ask.

Here is the simplest explanation:
- This is a pointer dereference issue, or more specifically, a null-pointer dereference issue.
- The object stuffed = null line creates an object called stuffed, and assigns it a value of null (nothing).
- The stuffed.heat (); line attempts to execute a method within a non-existent (null) object and causes a null-pointer dereference error (or exception).
- If code attempts to use an object with a value of null, it assumes the object reference points to a valid memory address, but it doesn’t.

Programming languages allow you to assign null to objects when creating them so the code doesn’t describe an invalid null assignment.

While this will throw a NullPointerException error, the error isn’t the problem. The code that causes the pointer dereference is the problem.
- If the code is configured to handle exceptions (errors) gracefully, it doesn’t cause a significant vulnerability.
- However, if the code doesn’t handle the exception gracefully, an attacker may be able to exploit the exception.

NOTE: the difference between the code causing a null-pointer dereference error, and the NullPointerException error that it causes, is subtle. Think of it this way: Bart is driving down the road at 100 MPH on his new Harley. Chief Wiggum witnesses this and gives him a ticket. While Bart may think that the ticket is the problem, the actual cause is him speeding at 100 MPH.

This exception doesn’t necessarily cause a buffer overflow vulnerability. However, depending on how the application handles the exception (or doesn’t handle the exception), an attacker may be able to use the exception to cause a buffer overflow.

20
Q

You suspect that an attacker is performing a reconnaissance attack against servers in your organization’s DMZ. The attacker is attempting to gather as much information as possible on these servers. You decide to check the logs of these servers to determine if the attacker is attempting a banner grabbing attack. Which of the following commands MOST likely indicate that the attacker is launching a banner grabbing attack? (Select 4)

A) netcat
B) grep
C) ipconfig
D) arp
E) nmap
F) ping
G) telnet
H) tcpdump
A

A) netcat
E) nmap
F) ping
G) telnet

Some tools used for banner grabbing are ping, netcat, nmap, and telnet. The ping command resolves the hostname to an IP address. If you already know the IP address, you wouldn’t need to use the ping command. Netcat (often abbreviated as nc), nmap, and telnet can use the IP address to grab a banner from a system. Due to its vulnerabilities, telnet is often disabled on servers, so it may not work. The ipconfig command (short for Internet Protocol configuration) shows the Transmission Control Protocol/Internet Protocol (TCP/IP) configuration information for the local system. The arp command is used to resolve the IP address of a computer to its media access control (MAC) address, also known as its physical address. The grep command (short for global regular expression print) is used to search plaintext files for words or phrases. The tcpdump command is a command-line packet analyzer (sometimes called a protocol analyzer). It can capture live traffic, but not traffic that occurred in the past. Two other tools that can help perform banner grabbing are Zenmap and Zmap. Zenmap is the Windows-based version of nmap.

21
Q

Your network includes dozens of servers. Administrators in your organization are having problems aggregating and correlating the logs from these servers. Which of the following provides the BEST solution for these problems?

A) SIEM
B) Network mapper
C) Nmap
D) Network scanner

A

A) SIEM

A security information and event management (SIEM) system collects, aggregates, and correlates logs from multiple sources. A network mapper can detect all the devices on a network and a network scanner can detect more information about these devices, but neither of these tools aggregates and correlates logs. Nmap is a command-line network scanner.

22
Q

All of the disks within a redundant array of inexpensive disks (RAID) are 400 GB in size.

How much usable space for data is within a 4 disk RAID 5?

A

1200 GB

A RAID 5 (striping with parity) reserves the equivalent of one drive for parity. With four 400 GB drives, you have 1200 GB of actual storage space.

23
Q
Sort Elements
1) RAID 6
2) RAID 5
3) RAID 1
4) RAID 0

A) If one drive fails, all the data is retained on the second drive
B) Can survive the failure of two drives
C) Can survive the failure of one drive
D) No fault tolerance

A

1) RAID 6 - B) Can survive the failure of two drives
2) RAID 5 - C) Can survive the failure of one drive
3) RAID 1 - A) If one drive fails, all the data is retained on the second drive
4) RAID 0 - D) No fault tolerance

RAID 0 (striping) does not provide fault tolerance.
RAID 1 (mirroring) stores all of the same data on each of the disks. If one drive fails, all the data is retained on the second drive.
RAID 5 (striping with parity) can survive the failure of one drive.
RAID 6 (striping with parity) can survive the failure of two drives.

24
Q

All of the disks within a redundant array of inexpensive disks (RAID) are 400 GB in size.

How much usable space for data is within a 4 disk RAID 6?

A

800 GB

A RAID 6 (striping with parity) reserves the equivalent of two drives for parity. With four 400 GB drives, you have 800 GB of actual storage space.

25
Q

All of the disks within a redundant array of inexpensive disks (RAID) are 400 GB in size.

How much usable space for data is within a 2 disk RAID 0?

A

800 GB

A RAID 0 does not provide fault tolerance, so all the space is available for data storage. With two 400 GB drives, you have 800 GB of storage.

26
Q

Sort elements

1) 3
2) 2
3) 4

A) RAID 1
B) RAID 5
C) RAID 6

A

1) 3 - B) RAID 5
2) 2 - A) RAID 1
3) 4 - C) RAID 6

RAID 1 (mirroring) requires a minimum of two disks.
RAID 5 (striping with parity) requires a minimum of three disks.
RAID 6 (striping with parity) requires a minimum of four disks.

27
Q

All of the disks within a redundant array of inexpensive disks (RAID) are 400 GB in size.

How much usable space for data is within a RAID 1?

A

400 GB

A RAID 1 (mirror) stores the same data on both drives. With two 400 GB drives, you have 400 GB of actual storage space.

28
Q

A company is hosting an ecommerce site that uses certificates for HTTPS. Management wants to ensure that users can verify the validity of these certificates even if elements of the internet suffer an extended outage. Which of the following provides the BEST solution?

A) PEM
B) CRL
C) SAN
D) OCSP

A

B) CRL

A certificate revocation list (CRL) provides the best solution in this scenario. After a CRL is retrieved, systems hold a copy of it for a period of time (in a cache) and instead of downloading the same CRL every time a system needs to validate a certificate, they just look at the cached copy of the CRL.

Online Certificate Status Protocol (OCSP) is an alternative to a CRL and provides a real-time response to validate certificates. Because OCSP responds in real-time, it is susceptible to internet outages.

A Subject Alternative Name (SAN) certificate is used for multiple domains that have different names but are owned by the same organization.

PEM-based certificates can be used for just about anything. They can be formatted as Canonical Encoding Rules (CER, binary files) or Distinguished Encoding Rules (DER, ASCII files). They are often used as a Base64 encoded DER certificate.

29
Q

Lisa and Bart need to exchange emails over the internet, an unsecured channel. These emails need to provide non-repudiation. They decided to use certificates on each of their computers. What would they use to sign their certificates?

A) CA
B) User private keys
C) CRL
D) OID
E) CSR
F) OCSP
A

E) CSR

A certificate authority (CA) manages certificates and would sign certificates issued to users. Note that non-repudiation would be provided with digital signatures, and each user would need a certificate assigned to them that they would use to create digital signatures.

A certificate revocation list (CRL) is a list of revoked certificates.

Online Certificate Status Protocol (OCSP) is an alternative to CRL and provides a real-time response indicating the validity of a certificate.

The certificate signing request (CSR) is used to request a certificate.

An object identifier (OID) is a dot-separated series of numbers such as 2.23.140.1.2.1 that identifies the purpose of the certificate.

While the user private keys would be used to create the digital signatures, the user private keys are not used to sign their certificates.

30
Q

Lisa is setting up a secure web server. She needs the server’s cryptography to support perfect forward secrecy. Of the following choices, which cipher suite should she ensure is used by the server?

A) SSL_RSA_WITH_AES_128_CBC_SHA256
B) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
C) TLS_RSA_WITH_AES_128_CBC_SHA256
D) TLS_DH_WITH_AES_256_CBC_SHA256

A

B) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

The correct answer is TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA. Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) uses perfect forward secrecy using ephemeral keys and only one answer includes ECDHE. RSA uses static key pairs, so it doesn’t support perfect forward secrecy. Diffie-Hellman (DH) can use either static keys or ephemeral keys, so it would not ensure that perfect forward secrecy was always used. SSL has been replaced by TLS and should not be used.

31
Q

You recently learned that attackers exploited the POODLE vulnerability on one of your organization’s websites. What type of attack is this?

A) Spoofing
B) Pinning
C) Wireless
D) Downgrade

A

D) Downgrade

The Padding Oracle On Downgraded Legacy Encryption (POODLE) attack is a downgrade attack that exploits Secure Sockets Layer (SSL) weaknesses, even when the server is supporting the more secure Transport Layer Security (TLS) protocol. It is not a wireless attack. Public key pinning is not an attack, but rather a security mechanism designed to prevent attackers from impersonating a web site using fraudulent certificates. A spoofing attack occurs when an attacker attempts to impersonate or masquerade as someone or something else.

32
Q

A database server is currently under attack and you want to ensure that you are able to preserve all the data for forensic analysis.

Place the following items in the correct order from most volatile to least volatile.

A) Swap file
B) RAM
C) Hard drive
D) CPU cache
E) Remote logs
A

D) CPU cache
B) RAM
A) Swap file
C) Hard drive
E) Remote logs

Cache memory is the most volatile of all items listed and it should be collected first. This includes central processing unit (CPU) cache or any other type of cache used in the system. It typically includes recently used data and information used by applications. It is more volatile than regular RAM because a system has significantly less cache memory than regular RAM, so it will likely be overwritten more quickly than regular RAM.

Random Access Memory (RAM) is slightly less volatile than cache memory. It can include information used by the system and network processes. It will be lost if the system is powered down (as will the cache memory).

The swap (or paging) file is an extension of RAM, but it is stored on the hard drive. The paging file is rebuilt each time the system is rebooted, so it is more volatile than regular data stored on a hard drive.

Data on the hard drive is semi-permanent. It remains on the hard drive even after the system is powered down and rebooted.

Remote logs (or logs stored on remote systems) are less volatile than data stored on the target system. For this reason, many servers send log data to a remote system for centralized collection. Even if the server is completely destroyed, the centralized logs still have key data.