Jason Dion - Security+ Udemy Course Flashcards
You are at the doctor’s office and waiting for the physician to enter the room to examine you. You look across the room and see a pile of patient records on the physician’s desk. There is no one in the room and your curiosity has gotten the better of you, so you walk across the room and start reading through the other patient records on the desk. Which tenent of security have you just violated?
Authentication
Confidentiality
Integrity
Availability
Confidentiality
Explanation:
Confidentiality ensures that data or information has not been disclosed to unauthorized people. In this case, you are not the doctor or the patient whose records you looked at, therefore, confidentiality has been breached.
You have just walked up to the bank teller and requested to withdraw $100 from checking account #7654123 (your account). The teller asks for your name and driver’s license before conducting this transaction. After she looks at your driver’s license, she thanks you for your business, pulls out $100 from the cash drawer, and hands you back the license and the $100 bill. What category best describes what the bank teller just did?
Accounting
Authorization
Authentication
Availability
Authentication
Explanation:
Authentication occurs when a person’s identity is established with proof and confirmed by a system. In this case, the bank teller verified you were the account holder by verifying your name and looking over your photo identification (driver’s license) prior to giving you the cash being withdrawn.
You are in the kitchen cooking dinner while your spouse is in the other room watching the news on the television. The top story is about how hackers have been able to gain access to one of the state’s election systems and tamper with the results. Unfortunately, you only heard a fraction of the story, but your spouse knows that you have been learning about hackers in your Security+ course and asks you, “Which type of hacker do you think would be able to do this?”
Hactivists
Organized Crime Groups
APTs
Script Kiddies
APTs (Advanced Persistant Threats)
Explanation:
APTs are highly organized, well-funded, and often part of a nation state’s larger foreign policy and influence campaigns. Hacktivists are usually political, but they are disorganized and don’t have the level of sophistication needed to hack into a well-defended government computer network like the election system. While organized crime groups may have the sophistication to conduct the hack, they are usually more interested in conducting criminal actions to make money instead of getting involved in politics. Script kiddies are low skilled hackers who can only use other people’s tools.
A user has reported that their workstation is running very slowly. A technician begins to investigate the issue and notices a lot of unknown processes running in the background. The technician determines that the user has recently downloaded a new application from the internet and may have become infected with malware. Which of the following types of infections does the workstation MOST likely have?
Rootkit
Trojan
Keylogger
Ransomware
Trojan
Explanation:
A trojan is a type of malware that looks legitimate but can take control of your computer. A Trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which is used to allow an attacker to remotely control a workstation or steal information from it. To operate, a trojan will create numerous processes that run in the background of the system.
On your lunch break, you walked down to the coffee shop on the corner. You open your laptop and connect to their wireless network. After a few minutes of surfing the Internet, a pop-up is displayed on your screen. You close the pop-up, finish your lunch break, shut down the laptop, and put it back into your backpack. When you get back to the office, you take out the laptop and turn it on, but instead of your normal desktop background, you are greeted by a full screen image with a padlock and a message stating you have to pay 1 BTC to regain access to your personal files. What type of malware has infected your laptop?
Trojan
Spyware
Ransomware
Rootkit
Ransomware
Explanation:
This scenario is describing a ransomware attack. Your personal files are being held hostage and will not be released unless you pay a ransom (in this case, 1 BTC). You should restore your machine from a known good backup and restore your personal files from the backup, as well. You should not pay the ransom since the attackers usually still will not unlock your files.
A computer is infected with a piece of malware that has infected the Windows kernel in an effort to hide. Which type of malware MOST likely infected this computer?
Ransomware
Trojan
Rootkit
Botnet
Rootkit
Explanation:
A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. A rootkit is generally a collection of tools that enabled administrator-level access to a computer or network. They can often disguise themselves from detection by the operating system and anti-malware solutions. If a rootkit is suspected on a machine, it is best to reformat and reimage the system.
Your company’s Security Operations Center (SOC) is currently detecting an ongoing DDoS attack against your network’s file server. One of the cybersecurity analysts has identified forty internal workstations on the network that are conducting the attack against your network’s file server. The cybersecurity analyst believes these internal workstations are infected with malware and places them into a quarantined area of the network. The analyst then submits a service desk ticket to have the workstations scanned and cleaned of the infection. What type of malware was the workstation likely a victim of based on the scenario provided?
Spyware
Botnet
Rootkit
Ransomware
Botnet
Explanation:
A botnet is a number of internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service attack (DDoS attack), steal data, send spam, and allows the attacker to access the device and its connection. A zombie (also known as a bot) is a computer or workstation that a remote attacker has accessed and set up to forward transmissions (including spam and viruses) to other computers on the internet.
The Security Operations Center Director for Dion Training received a pop-up message on his workstation that said, “You will regret firing me; just wait until Christmas!” He suspects the message came from a disgruntled former employee that may have set up a piece of software to create this pop-up on his machine. The director is now concerned that other code might be lurking within the network that could create a negative effect on Christmas. He directs his team of cybersecurity analysts to begin searching the network for this suspicious code. What type of malware should they be searching for?
Worm
Trojan
Adware
Logic Bomb
Logic Bomb
Explanation:
A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files should they ever be terminated from the company. The director is concerned that a logic bomb may have been created and installed on his system or across the network before the analyst was fired.
In which type of attack does the attacker begin with a normal user account and then seeks to gain additional access rights?
Privilege Escalation
Cross-Site Scripting
Spear Phishing
Remote Code Execution
Privilege Escalation
Explanation:
Privilege escalation attacks seek to increase the level of access that an attacker has to a target system. Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
You have been investigating how a malicious actor was able to exfiltrate confidential data from a web server to a remote host. After an in-depth forensic review, you determine that the web server’s BIOS had been modified by the installation of a rootkit. After you remove the rootkit and reflash the BIOS to a known good image, what should you do in order to prevent the malicious actor from affecting the BIOS again?
Install an Anti-Malware Application
Install a Host-Based IDS
Utilize Secure Boot
Utilize File Integrity Monitoring
Utilize Secure Boot
Explanation:
Since you are trying to protect the BIOS, utilizing secure boot is the best choice. Secure boot is a security system offered by UEFI. It is designed to prevent a computer from being hijacked by a malicious OS. Under secure boot, UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the operating system boot loader using the stored certificate to ensure that it has been digitally signed by the OS vendor. This prevents a boot loader that has been changed by malware (or an OS installed without authorization) from being used.
Your company recently suffered a small data breach that was caused by an employee emailing themselves a copy of the current customer’s names, account numbers, and credit card limits. You are determined that something like this shall never happen again. Which of the following logical security concepts should you implement to prevent a trusted insider from stealing your corporate data?
Firewall
MDM
DLP
Strong Passwords
DLP (Data Loss Prevention)
Explanation:
Data loss prevention software detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use (endpoint actions), in transit (network traffic), and at rest (data storage). Since the user was an authorized user (employee), changing your password policy, reconfiguring the firewall, or setting up a MDM solution would not solve this problem. Instead, a DLP solution must be implemented.
You are trying to select the best device to install in order to detect an outside attacker who is trying to reach into your internal network. The device should log the event, but it should not take any action to stop it. Which of the following devices would be the BEST for you to select?
Proxy Server
Authentication Server
IPS
IDS
IDS (Intrusion Detection System)
Explanation:
An intrusion detection system is a device or software application that monitors a network or system for malicious activity or policy violations. Any malicious activity or violation is typically reported either to an administrator or collected centrally using a security information and event management system. Unlike an IPS, which can take action to stop malicious activity or policy violations, an IDS can only log these issues and not stop them.
Which mobile device strategy is most likely to result in the introduction of vulnerable devices to a corporate network?
COPE
CYOD
BYOD
MDM
BYOD (Bring Your Own Device)
Explanation:
The BYOD (bring your own device) strategy opens a network to many vulnerabilities. People are able to bring their personal devices to the corporate network, and their devices may contain vulnerabilities that could be allowed to roam free on a corporate network.
Your smartphone begins to receive unsolicited messages while you are eating lunch at the restaurant across the street from your office. What might cause this to occur?
Packet Sniffing
Bluesnarfing
Bluejacking
Geotagging
Bluejacking
Explanation:
Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as smartphones and tablets. Bluesnarfing, on the other hand, involves taking data from a smartphone or tablet over Bluetooth without permission. Bluetooth has a very limited range, so the attacker is likely within 10 meters of the victimized device. Geotagging involves embedded the geolocation coordinates into a piece of data (normally a photo or video). Packet sniffing is a passive method of collecting network traffic for follow-on analysis at a later time.
Tim, a help desk technician, receives a call from a frantic executive who states that their company-issued smartphone was stolen during their lunch meeting with a rival company’s executive. Tim quickly checks the MDM administration tool and identifies that the user’s smartphone is still communicating with the MDM and displays the location of the device on a map. What should Tim do next to ensure the data on the stolen device remains confidential and inaccessible to the thief?
Reset the device’s password.
Perform a Remote Wipe of the device.
Remotely encrypt the device.
Identify the IP Address of the Smartphone.
Perform a Remote Wipe of the device.
Explanation:
To ensure the data remains confidential and is not accessed by the thief, Tim should perform a remote wipe of the device from the MDM. This will ensure any and all corporate data is erased prior to anyone accessing it. Additionally, Tim could reset the device’s password, but if the thief is able to guess or crack the password, then they would have access to the data. Identifying the IP address of the smartphone is not a useful step in protecting the data on the device. Additionally, devices should be encrypted BEFORE they are lost or stolen, not after.
Which type of threat will patches NOT effectively combat as a security control?
Zero-Day Attacks
Known Vulnerabilities
Discovered Software Bugs
Malware with defined indicators of compromise
Zero-Day Attacks
Explanation:
Zero-day attacks have no known fix, so patches will not correct them. A zero-day vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability (including the vendor of the target software). If a discovered software bug or known vulnerability is found, there is normally a patch or mitigation available for it. If a piece of malware has well-defined indicators of compromise, a patch or signature can be created to defend against it, as well.
What should administrators perform to reduce the attack surface of a system and to remove unnecessary software, services, and insecure configuration settings?
Harvesting
Windowing
Hardening
Stealthing
Hardening
Explanation:
Hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle, a single-function system is more secure than a multipurpose one. Reducing available ways of attack typically includes changing default passwords, the removal of unnecessary software, unnecessary usernames or logins, and the disabling or removal of unnecessary services.
Which of the following security controls provides Windows system administrators with an efficient way to deploy system configuration settings across a large number of devices?
Patch Management
GPO
HIPS
Anti-Malware
GPO (Group Policy Objectives)
Explanation:
Microsoft’s Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system will look like and how it will behave for a defined group of users. It allows an administrator to create a policy and deploy it across a large number of devices in the domain or network. Patch management, host intrusion prevention systems (HIPS), and anti-malware software are different types of host security controls, but only GPOs have the ability to configure settings across multiple Windows devices efficiently.
Which of the following BEST describes when a third-party takes components produced by a legitimate manufacturer and assembles an unauthorized replica that is sold in the general marketplace?
Recycling
Capitalism
Counterfeiting
Entrepreneurship
Counterfeiting
Explanation:
While the unauthorized third-party may assemble a component that was legitimately made from OEM parts, the fact remains that those parts were never intended for distribution under the manufacturer’s legitimate label. Therefore, this is considered counterfeiting. As a cybersecurity analyst, you need to be concerned with your organization’s supply chain management. There have been documented cases of counterfeit hardware (like switches and routers) being sold with malware or lower mean time between failures, both of which affect the security of your network.
Which of the following programs was designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military?
Trusted Foundry (TF)
Supplies Assured (SA)
Supply Secure (SS)
Trusted Access Program (TAP)
Trusted Foundry (TF)
Explanation:
The Trusted Foundry program, also called the trusted suppliers program, is a United States Department of Defense program designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military. Trusted Foundry was created to provide a chain of custody for classified/unclassified integrated circuits, ensure there is no reasonable threat related to supply disruption, prevent intentional/unintentional modification of integrated circuits, and protect integrated circuits from reverse engineering and vulnerability testing.
Following a root cause analysis of the unexpected failure of an edge router, a cybersecurity analyst discovered that the system administrator had purchased the device from an unauthorized reseller. The analyst suspects that the router may be a counterfeit device. Which of the following controls would have been most effective in preventing this issue?
Increase Network vulnerability scan frequency.
Ensure all Anti-Virus Signatures are up to date.
Conduct Secure Supply chain management training.
Verify that all Routers are patched to the latest release.
Conduct Secure Supply chain management training.
Explanation:
Anti-counterfeit training is part of the NIST 800-53r4 control set (SA-19(1)) and should be a mandatory part of your supply chain management training within your organization. All other options may produce security gains in the network. They are unlikely to reliably detect a counterfeit item or prevent its introduction into the organization’s supply chain. Training on detection methodologies (i.e., simple visual inspections) and training for acquisition personnel will better prevent recurrences.
What is the lowest layer (bottom layer) of a bare-metal virtualization environment?
Hypervisor
Host Operating System
Guest Operating System
Physical Hardware
Physical Hardware
Explanation:
The bottom layer is physical hardware in this environment. It is what sits beneath the hypervisor and controls access to guest operating systems. The bare-metal approach doesn’t have a host operating system.
You need to determine the best way to test operating system patches in a lab environment prior to deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches prior to deployment?
Sandboxing
Virtualization
Purchase Additional Workstations
Bypass Testing and deploy patches directly into the production environment.
Virtualization
Explanation:
When you have a limited amount of hardware resources to utilized but have a required to test multiple operating systems, you should set up a virtualized environment to test the patch across each operating system prior to deployment. You should never deploy patches directly into production without testing them first in the lab.
Which of the following vulnerabilities involves leveraging access from a single virtual machine to other machines on a hypervisor?
VM Escape
VM Migration
VM Sprawl
VM Data Remnant
VM Escape
Explanation:
Virtual machine escape vulnerabilities are the most severe issue that may exist in a virtualized environment. In this attack, the attacker has access to a single virtual host and then leverages that access to intrude on the resources assigned to different virtual machines.
A web developer wants to protect their new web application from a man-in-the-middle attack. Which of the following controls would best prevent an attacker from stealing tokens stored in cookies?
Forcing the use of TLS for the Web App
Forcing the use of SSL for the Web App
Setting the secure attribute on the Cookie
Hashing the Cookie value
Setting the secure attribute on the Cookie
Explanation:
When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTPS). Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie’s confidentiality. Forcing the web application to use TLS or SSL does not force the cookie to be sent over TLS/SSL, so you still would need to set the Secure attribute on the cookie. Hashing the cookie provides integrity of the cookie, not confidentiality.
A user reports that every time they try to access https://www.diontraining.com, they receive an error stating “Invalid or Expired Security Certificate”. The technician attempts to connect to the same site from other computers on the network, and no errors or issues are observed. Which of the following settings needs to be changed on the user’s workstation to fix the “Invalid or Expired Security Certificate” error?
Logon Times
Date and Time
User Access Control
UEFI Boot Mode
Date and Time
Explanation:
There are two causes of the “Invalid or Expired Security Certificate”. The first is a problem with your computer, and the second occurs when the certificate itself has an issue. Since the technician can successfully connect to the website from other computers, it shows that the error is on the user’s computer. One of the common causes of an Invalid or Expired Security Certificate error is the clock on the user’s computer being wrong since the website security certificates are issued to be valid within a given date range.
Your company has created a baseline image for all of its workstations using Windows 10. Unfortunately, the image included a copy of Solitaire, and the CIO has created a policy to prevent anyone from playing the game on the company’s computers. You have been asked to create a technical control to enforce the policy (administrative control) that was recently published. What should you implement?
Application Whitelist
Disable Removable Media
Application Blacklist
Application Hardening
Application Blacklist
Explanation:
You should create and implement an application blacklist that includes the Solitaire game on it. This will prevent the application from being able to be run on any corporate workstation. Application whitelists will allow only authorized applications to be run, while application blacklists will prevent any application listed from being run.
(where email=support@diontraining.com and password=‘ or 7==7’)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What type of attack is being performed?
XML Injection
SQL Injection
Header Manipulation
Cross-Site Scripting
SQL Injection
Explanation:
SQL injection is a code injection technique that is used to attack data-driven applications. SQL injections are conducted by inserting malicious SQL statements into an entry field for execution. For example, an attacker may try to dump the contents of the database by using this technique. A common technique in SQL injection is to insert a statement that is always true, such as 1 == 1, or in this example, 7 == 7.
alert(“This site is vulnerable to an attack!”)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Then, you clicked the search button, and a pop-up box appears on your screen showing the following text, “This site is vulnerable to an attack!” Based on this response, what vulnerability have you uncovered in the web application?
Buffer Overflow
Cross-Site Request Forgery
Distributed Denial of Service
Cross-Site Scripting
Cross-Site Scripting
Explanation:
This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
https://www.diontraining.com/add_to_cart.php?itemId=5”+perItemPrice=”0.00”+quantity=”100”+/>
XML Injection
Explanation:
This is an example of a XML injection. XML injection manipulates or compromises the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter the intended logic of an application, and XML Injection can cause the insertion of malicious content into resulting messages/documents. In this case, the URL is attempting to modify the server’s XML structure. The real key to answering this question is identifying the XML structured code being entered as part of the URL, which is shown by the bracketed data.
A supplier needs to connect several laptops to an organization’s network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could potentially contain some vulnerabilities that could weaken the security posture of the network. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier’s laptops?
Scan the laptops for vulnerabilities and patch them.
Increase encryption level of VPN used by the laptops.
Implement a Jumpbox System
Require 2FA on the laptops.
Implement a Jumpbox System
Explanation:
jumpbox is a system on a network used to access and manage devices in a separate security zone. This would create network segmentation between the supplier’s laptops and the rest of the network to minimize the risk. A jump-box system is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. While the other options listed are all good security practices, they do not fully mitigate the risk that insecure systems pose since Victor cannot enforce these configurations on a supplier provided laptop.
An analyst is reviewing the configuration of a triple-homed firewall that connects to the internet, a private network, and one other network. Which of the following would best describe the third network connected to this firewall?
DMZ
Subnet
NIDS
GPO
DMZ (Demilitarized Zone)
Explanation:
A triple-homed firewall connects to three networks internal (private), external (internet/public), and the demilitarized zone (DMZ). The demilitarized zone (DMZ) network hosts systems that require access from external hosts.
Dion Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal network. The CompTIA employees should be able to obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if a Dion Training employee uses the same Ethernet port in the conference room, they should be able to access Dion Training’s secure internal network. Which of the following technologies would allow you to configure this port and support both requirements?
Create an ACL to allow access.
Configure a SIEM
MAC Filtering
Implement NAC
Implement NAC (Network Access Control)
Explanation:
Network Access Control (NAC) uses a set of protocols to define and implement a policy that describes how to secure access to network nodes whenever a device initially attempts to access the network. NAC can utilize an automatic remediation process by fixing non-compliant hosts before allowing network access. Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do.
You have just received some unusual alerts on your SIEM dashboard and want to collect the payload associated with it. Which of the following should you implement to effectively collect these malicious payloads that the attackers are sending towards your systems without impacting your organization’s normal business operations?
Honeypot
Jumpbox
Sandbox
Containerization
Honeypot
Explanation:
A honeypot is a host set up with the purpose of luring attackers away from the actual network components and/or discovering attack strategies and weaknesses in the security configuration. A jumpbox is a hardened server that provides access to other hosts. A sandbox is a computing environment that is isolated from a host system to guarantee that the environment runs in a controlled, secure fashion. Containerization is a type of virtualization applied by a host operating system to provision an isolated execution environment for an application.
You are trying to select the best device to install in order to detect an outside attacker who is trying to reach into your internal network. The device should log the event, but it should not take any action to stop it. Which of the following devices would be the BEST for you to select?
Proxy Server
Authentication Server
IPS
IDS
IDS (Intrusion Detection System)
Explanation:
An intrusion detection system is a device or software application that monitors a network or system for malicious activity or policy violations. Any malicious activity or violation is typically reported either to an administrator or collected centrally using a security information and event management system. Unlike an IPS, which can take action to stop malicious activity or policy violations, an IDS can only log these issues and not stop them.
During a security audit, you discovered that customer service employees have been sending unencrypted confidential information to their personal email accounts via email. What technology could you employ to detect these occurrences in the future and send an automated alert to the security team?
SSL
UTM
DLP
MDM
DLP (Data Loss Prevention)
Explanation:
Data loss prevention (DLP) software detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in-use, in-motion, and at-rest. This can be configured to detect and alert on future occurrences of this issue.
The Pass Certs Fast corporation has recently been embarrassed by a number of high profile data breaches. The CIO proposes improving the cybersecurity posture of the company by migrating images of all the current servers and infrastructure into a cloud-based environment. What, if any, is the flaw in moving forward with this approach?
This approach assumes that the cloud will provide better security than is currently done on site.
This approach only changes the location of the Network and not the attack surface of it.
The company has already paid for the physical servers and will not fully realize their ROI on them due to the migration.
This is a reasonable approach that will increase the security of the servers and infrastructure.
This approach only changes the location of the Network and not the attack surface of it.
Explanation:
A poorly implemented security model at a physical location will still be a poorly implemented security model in a virtual location. Unless the fundamental causes of the security issues that caused the previous data breaches have been understood, mitigated, and remediated, then migrating the current images into the cloud will simply change the location of where the processing occurs without improving the security of the network. While the statement concerning unrealized ROI may be accurate, it simply demonstrates the fallacy of the sunk cost argument.