Lesson 17: Managing Security Settings

Question 1

True or false? An organization should rely on automatic screen savers to prevent ‘lunchtime’ attacks.

Answer 1

False.

A ‘lunchtime’ attack is where a threat actor gains access to a ‘signed-in user’ account because the desktop has not locked. While an automatic screensaver lock provides some protection, there may still be a window of opportunity for a threat actor between the user leaving the workstation unattended and the screensaver activating. Users must lock the workstation manually when leaving it unattended.

Question 2

What type of ‘account management’ policy can protect against ‘password-guessing’ attacks?

Answer 2

A ‘lockout’ policy.

A ‘lockout’ policy disables the account after a number of incorrect sign-in attempts.

Question 3

A security consultant has recommended more frequent monitoring of the antivirus software on workstations. What sort of checks should this monitoring perform?

Answer 3

That the antivirus is enabled, is up to date with scan engine components and definitions, and has only authorized exclusions configured.

Question 4

You are completing a checklist of security features for workstation deployments. Following the CompTIA A+ objectives, what additional item should you add to the following list, and what recommendation for a built-in Windows feature or features can you recommend be used to
implement it?

• Password best practices
• End-user best practices
• Account management
• Change default administrator’s user account/password
• Disable ‘AutoRun/AutoPlay’
• Enable ‘Windows Update’, ‘Windows Defender Antivirus’, and ‘Windows Defender Firewall’

Answer 4

‘Data-at-rest’ encryption.

Examples of data at rest might include vital corporate files stored on the hard drive of an employee’s computer, files on an External hard drive, data left in a storage area network (SAN) or files on the servers of an offsite backup service provider.

In Windows, this can be configured at file level via the ‘Encrypting File System’ (EFS) or at disk level via ‘BitLocker’.

Question 5

A company must deploy custom browser software to employees’ workstations. What method can be used to validate the download and installation of this custom software?

Answer 5

The package can be signed using a developer certificate issued by a trusted certificate authority. Alternatively, a cryptographic hash of the installer can be made, and this value can be given to each support technician. When installing the software, the technician can make his or her own hash of the downloaded installer and compare it to the reference hash.

Question 6

A security consultant has recommended blocking ‘end-user’ access to the ‘chrome://flags’ browser page. Does this prevent a user from changing any browser settings?

Answer 6

No.

The ‘chrome://flags’ page is for advanced configuration settings. General user, security, and privacy settings are configured via ‘chrome://settings’.

Question 7

What primary indicator must be verified in the browser before using a web form?

Answer 7

That the browser address bar displays the ‘lock’ icon to indicate that the site uses a trusted certificate.

This validates the site identity and protects information submitted via the form from interception.

Question 8

True or false? Using a browser’s incognito mode will prevent sites from recording the user’s IP address.

Answer 8

False.

Incognito mode can prevent the use of cookies but cannot conceal the user’s source IP address. You do not need to include this in your answer, but the main way to conceal the source IP address is to connect to sites via a ‘virtual private network’ (VPN).

Question 9

Why might a PC infected with malware display no obvious symptoms?

Answer 9

If the malware is used with the intent to steal information or record behavior, it will not try to make its presence obvious. A ‘rootkit’ may be very hard to detect even when a rigorous investigation is made.

Rootkits can enter computers when users open spam emails and inadvertently download malicious software. Rootkits also use keyloggers that capture user login information. Once installed, a rootkit can give hackers access to sensitive user information and take control of computer OSes.

Question 10

Why might you need to use a virus encyclopedia?

Answer 10

To verify symptoms of infection.

Also, if a virus cannot be removed automatically, you might want to find a manual removal method. You might also want to identify the consequences of infection whether the virus might have stolen passwords, and so on.

Question 11

Early in the day, a user called the help desk saying that his computer is running slowly and freezing up. Shortly after this user called, other help desk technicians who overheard your call also received calls from users who report similar symptoms. Is this likely to be a malware infection?

Answer 11

It is certainly possible.

Software updates are often applied when a computer is started in the morning, so that is another potential cause, but you should investigate and log a warning so that all support staff are alerted. It is very difficult to categorize malware when the only symptom is performance issues. However, performance issues could be a result of a badly written Trojan, or a Trojan / backdoor application might be using resources maliciously (for DDoS, Bitcoin mining, spam, and so on).

Question 12

You receive a support call from a user who is ‘stuck’ on a web page. She is trying to use the Back button to return to her search results, but the page just displays again with a pop-up message. Is her computer infected with malware?

Answer 12

If it only occurs on certain sites, it is probably part of the site design. A script running on the site can prevent use of the Back button. It could also be a sign of ‘adware’ or ‘spyware’ though, so it would be safest to scan the computer using ‘up-to-date anti-malware’ software.

Question 13

Another user calls to say he is trying to sign-on to his online banking service, but the browser reports that the certificate is invalid. Should the bank update its certificate, or do you suspect another cause?

Answer 13

It would be highly unlikely for a commercial bank to allow its website certificates to run out of date or otherwise be misconfigured. You should strongly suspect redirection by malware or a ‘phishing / pharming’
scam.

Question 14

Why is DNS configuration a step in the ‘malware remediation’ process?

Answer 14

Compromising ‘domain-name’ resolution is a very effective means of redirecting users to malicious websites. Following malware infection, it is important to ensure that DNS is being performed by valid servers.

Question 15

A security manager wants to set up a program where they can proactively mitigate malware infection as much as possible. Which of the following is least helpful in this endeavor?

A. User training
B. Scheduled scans
C. Update trusted root certificates
D. On-access scanning

Answer 15

C. Update trusted root certificates

Updating trusted root certificates is helpful in the overall defense-in-depth security strategy, but is least helpful in this scenario in preventing malware. It does play its part though.

An essential malware prevention follow-up action is effective user training. Untrained users represent a serious vulnerability because they are susceptible to social engineering and phishing attacks.

All security software supports scheduled scans. These scans can impact performance, however, so it is best to run them when the computer is otherwise unused.

Almost all security software is now configured to scan on-access. On-access means that the antivirus (A-V) software intercepts an operating system (OS) call to open a file and scans the file before allowing or preventing it from being opened.

Question 16

A manager is responsible for client laptops, and is concerned about exposing data on the disks to a different OS and the permissions becoming overridden. What will help prevent this possible attack?

A.Windows Defender Firewall
B.Windows Defender Antivirus
C.Encrypting File System
D.Execution control

Answer 16

The Encrypting File System (EFS) feature of the New Technology File System (NTFS) supports file and folder encryption. EFS is not available in the Home edition of Windows.

The Windows Defender Firewall with Advanced Security console allows the configuration of a custom inbound and outbound filtering rule.

Antivirus is software that can detect malware and prevent it from executing. The primary means of detection is to use a database of known virus patterns called definitions, signatures, or patterns.

Execution control refers to logical security technologies designed to prevent malicious software from running on a host regardless of what the user account privileges allow.

Question 17

A security manager sets up a defense in depth mechanism and sets up monitoring to catch communications from the attacker to the malware. What is the manager monitoring for?

A. Spyware
B. C2
C. Keylogger
D. Rootkit

Answer 17

B. C2

Whether a backdoor is used as a standalone intrusion mechanism or to manage bots, the threat actor must establish a connection from the compromised host to a command and control (C2 or C&C) host or network.

Spyware is malware that can perform browser reconfigurations, such as allowing tracking cookies, changing default search providers, opening arbitrary pages at startup, adding bookmarks, and so on.

A keylogger is spyware that actively attempts to steal confidential information by recording keystrokes.

When dealing with a rootkit, administrators should be aware that there is the possibility that it can compromise system files and programming interfaces so that local shell processes no longer reveal their presence.

Question 18

A security analyst baselines web activity and notices several caveats with browsers. For example, they notice that when a user types in a query, a query is actually made after every typed key. The analyst is trying to group browser activity together. Which browser is based on the same code as Chrome?

A. Edge
B. Internet Explorer
C. Safari
D. FireFox

Answer 18

A. Edge

Edge, Microsoft’s replacement browser, now uses the same underlying Chromium codebase as Google Chrome.

IE itself is no longer supported. Microsoft’s Internet Explorer (IE) used to be dominant in the browser market. As the browser is a security-critical type of software, it is particularly important to use a trusted source, such as an app store.

Apple’s Safari browser is tightly integrated with macOS and iOS. In some scenarios, it might be appropriate to choose a browser that is different from these mainstream versions.

FireFox is a free and open-source modern web browser. It is currently developed by the Mozilla Foundation.

Question 19

A security manager in charge of the vulnerability program for the enterprise is looking at mobile security. They are reading about a ‘walled garden’ approach. What does this entail?

A. Autorun
B. Antivirus
C. Concurrent logins
D. Trusted source

Answer 19

D. Trusted source

Mobile OS vendors use this ‘walled garden’ model of software distribution as well. Apps are distributed from an approved store, such as Apple’s App Store or the Windows Store.

One of the problems with legacy versions of Windows is that when an optical disc is inserted or a USB drive is attached, Windows would automatically run commands defined in an autorun.inf file.

Antivirus is software that can detect malware and prevent it from executing. The primary means of detection is to use a database of known virus patterns called definitions, signatures, or patterns.

Concurrent logins are another behavioral-based monitoring mechanism. Most users should only need to sign in to one computer at a time.

Question 20

A server administrator helps the human resources department network a new internal website for their new training platform that needs to remain secure. What will the administrator need to do to ensure the web page shows up as secure?

A. Adjust the firewall.
B. Configure browser sign-in.
C. Add trusted certificates.
D. Whitelist in the web application firewall.

Answer 20

C. Add trusted certificates.

When using enterprise certificates for internal sites and a third-party browser, the administrator must ensure that the internal CA root certificate is added to the browser.

Unless the site is running a non-standard port, the firewall would not need to be adjusted. Normal web traffic operates off ports 80 and 443.

A browser sign-in allows the user to synchronize settings between instances of the browser software on different devices.

The site is internal so the administrator would not be able to adjust the training platform’s web application firewall. However, even if they could, this should not need to be configured.

Question 21

A helpdesk operator is reviewing a notification that a user clicked links in a very suspicious email. After verifying there are symptoms of malware, what is the next step the operator should take?

A.Disable System Restore.
B.Look for missing or renamed files.
C.Look for services masquerading as legitimate services.
D.Quarantine.

Answer 21

After verifying the symptoms of malware, the host should be placed in quarantine, where it is not able to communicate on the main network.

Once the infected system is isolated, the next step is to disable System Restore and other automated backup systems, such as File History.

Looking for missing or renamed files could be one of the many steps in investigating after a computer has been quarantined. Identification of these techniques could help scan the enterprise to see how far it spread.

Another good step after isolation is to look for additional executable files with names similar to those of authentic system files and utilities, such as scvhost.exe or ta5kmgr.exe.

Question 22

A server administrator notices that a few servers in their screened subnet (demilitarized zone) went from around 5% central processing unit (CPU) utilization to 95%. They also notice the machines lack many patches. If malware infects the servers, what is the likely cause of the high CPU utilization?

A.Crypto-ransomware
B.Cryptomining software
C.Rogue antivirus
D.RAT

Answer 22

A cryptominer hijacks the resources of the host to perform cryptocurrency mining. This is also referred to as cryptojacking.

Ransomware is a type of malware that tries to extort money from the victim. Crypto-ransomware attempts to encrypt files on any fixed, removable, and network drive.

Rogue antivirus is a particularly popular way to disguise a Trojan. In the early versions of this attack, a website would display a pop-up disguised as a normal Windows dialog box with a fake security alert.

Modern malware is usually designed to implement some type of backdoor, also referred to as a remote access Trojan (RAT).

Question 23

A user visits a news site that they go to frequently, and the news articles are not updated but are the same as the day before. The user also hears complaints about people not having internet, which is odd since they are on their normal news site. What is most likely going on?

A.User is in private mode.
B.There are pop-up blockers.
C.User is on a different switch.
D.Page is cached.

Answer 23

By default, the browser will maintain a history of pages visited, cache files to speed up browsing, and save text typed into form fields. The page is most likely cached from the previous visit.

Private/incognito browsing mode disables the caching features of the browser so that no cookies, browsing history, form fields, passwords, or temp files will be stored when the session is closed.

Pop-up blockers prevent a website from creating dialogs or additional windows. The pop-up technique was often used to show fake antivirus and security warnings or other malicious and nuisance advertising.

While the user may be on a different switch than those complaining about not having internet, it is more likely that the user’s page is cached.

Question 24

A developer wants to create functionality for a web browser by making API calls on the back end. What should the developer build?

A.Plug-ins
B.Extension
C.Apps
D.Themes

Answer 24

Extensions add or change a browser feature via its application programming interface (API). The extension must be granted specific permissions to make configuration changes. With sufficient permissions, they can run scripts to interact with the pages the developer is looking at.

Plug-ins play or show some sort of content embedded in a web page, such as Flash, Silverlight, or other video/multimedia format.

Apps support document editing in the context of the browser. They are essentially a means of opening a document within a cloud app version of a word processor or spreadsheet.

Themes change the appearance of the browser using custom images and color schemes.

Question 25

A security manager is setting up a password policy for users. Which of the following is the best security practice when it comes to passwords?

A.Password expiration
B.Length
C.Character mix
D.Memorable

Answer 25

Length is preferable to the use of highly cryptic mixing of character types. It will take an attacker significantly longer to crack a passphrase rather than a much shorter but complex password.

The latest National Institute of Standards and Technology (NIST) guidance also deprecates password expiration except when a breach is discovered.

Requiring a mix of character types forces users into selecting easily masked substitutions (zero for the letter O, for instance) or makes passwords difficult to remember and causes users to write them down.

Users should choose a memorable phrase, but should not use any personal information in the password.

Question 26

A security administrator wants to set up anomalistic monitoring around behavioral-based user activity. Which of the following could the administrator implement for monitoring? (Select all that apply.)

A.Failed attempts
B.Login times
C.Concurrent logins
D.Screen lock

Answer 26

Monitoring login times are typically used to see if an account is logging in at an unusual time of the day or night or during the weekend.

Concurrent logins are another behavioral-based monitoring mechanism. Most users should only need to sign in to one computer at a time, so this sort of policy can help to prevent or detect misuse of an account.

Failed attempts can be a sign of malicious activity.

The timeout/screen lock locks the desktop if the system detects no user-input device activity. This is a sensible, additional layer of protection.

Question 27

A developer is reading their email and comes across a new memorandum from the security department about a clean desk policy. Why does security need to publish this?

A.Personal identifiable information (PII) protection
B.Secure critical hardware
C.Prevent lunchtime attack
D.Protect UEFI

Answer 27

Paper copies of personal and confidential data must not be left where they could be read or stolen. A clean desk policy ensures that all such information is not left in plain sight.

A clean desk policy does not help with securing critical assets. Portable computers can be secured though to a desk using a cable lock. When in public, users must keep laptop cases insight.

A lunchtime attack is where a threat actor is able to access a computer that has been left unlocked.

A system user password is one that is required before any operating system can boot. The system password can be configured by the basic input/output system (BIOS) or unified extensible firmware interface (UEFI) setup program.

Question 28

A Firefox user wants to open up their browser settings to configure their intranet as the home page. How can the Firefox user access the settings?

A.chrome://settings
B.edge://settings
C.firefox://settings
D.about:preferences

Answer 28

Users can open the internal URL for Firefox by going to about:preferences. Each browser maintains its own settings that are accessed via its Meatball (…) or Hamburger (☰) menu button as well.

In Chrome, the setting option is listed under chrome://settings. Browsers also have advanced settings that are accessed via a URL such as chrome://flags or about:config.

In Edge, the URL for settings is at edge://settings. Internet Explorer (IE) should not be used for general web browsing or to access modern web applications.

firefox://settings is not the correct option for Firefox. A browser sign-in allows the user to synchronize settings between instances of the browser software on different devices.

Question 29

A security analyst receives a notification of possible malware based on common indicators. After conducting several analyses, the analyst learns the malware used Windows PowerShell to create new malicious processes in the computer’s memory. What is the analyst’s computer likely infected with?

A.Fileless malware
B.Worm
C.Boot sector virus
D.Viruses

Answer 29

Fileless malware refers to malicious code that uses the host’s scripting environment, such as Windows PowerShell or PDF JavaScript, to create new malicious processes in memory.

Worms replicate between processes in system memory rather than infecting an executable file stored on a disk.

Boot sector viruses infect the boot sector code or partition table on a disk drive. While this could be a possible option, memory-based malware running inside the code of another program is quite common.

Viruses are concealed within the code of an executable process image stored as a file on a disk. In Windows, executable code has extensions such as .EXE, .MSI, .DLL, .COM, .SCR, and .JAR.