Lesson 19: Using Support and Scripting Tools

Question 1

You are updating a procedure that lists security considerations for remote access technologies. One of the precautions is to check that remote access ports have not been opened on the firewall without authorization. Which default port for VNC needs to be monitored?

Answer 1

‘Virtual Network Computing’ (VNC) uses TCP port 5200 by default.

Question 2

True or false? You can configure a web server running on Linux to accept remote terminal connections from clients without using passwords.

Answer 2

True. This can be configured using public key authentication with the ‘Secure Shell’ (SSH) protocol. The server can be installed with the public keys of authorized users.

Question 3

You are joining a new startup business that will perform outsourced IT management for client firms. You have been asked to identify an appropriate software solution for off-site support and
to ensure that ‘service level agreement’ (SLA) metrics for downtime incidents are adhered to. What general class of remote access technology will be most suitable?

Answer 3

‘Remote monitoring and management’ (RMM) tools are principally designed for use by ‘managed service providers’ (MSPs). As well as remote access and monitoring, this class of tools supports management of
multiple client accounts and billing / reporting.

Question 4

Users working from home need to be able to access a PC on the corporate network via RDP. What technology will enable this without having to open the RDP port to Internet access?

Answer 4

Configure a ‘virtual private network’ (VPN) so that remote users can connect to the corporate LAN and then launch the ‘remote desktop protocol’ (RDP) client to connect to the office PC.

Question 5

What backup issue does the synthetic job type address?

Answer 5

A synthetic full backup reduces data transfer requirements and, therefore, backup job time by synthesizing a
full backup from previous incremental backups rather than directly from the source data.

Question 6

You are documenting workstation backup and recovery methods and want to include the 3-2-1 backup rule. What is this rule?

Answer 6

It states that you should have three copies of your data across two media types, with one copy held offline and off site. The production data counts as one copy.

Question 7

For which backup / restore issue is a ‘cloud-based’ backup service an effective solution?

Answer 7

The issue of provisioning an off-site copy of a backup. Cloud storage can also provide extra capacity.

Question 8

What frequent tests should you perform to ensure the integrity of backup settings and media?

Answer 8

You can perform a test restore and validate the files. You can run an integrity check on the media by using, for example, ‘chkdsk’ on a hard drive used for backup. Backup software can often be configured to perform an integrity check on each file during a backup operation. You can also perform an audit of files included in a
backup against a list of source files to ensure that everything has been included.

Question 9

You are updating data handling guidance to help employees recognize different types of regulated data. What examples could you add to help identify healthcare data?

Answer 9

Personal healthcare data is medical records, insurance forms, hospital / laboratory test results, and so on.
Healthcare information is also present in de-identified or anonymized data sets.

Question 10

An employee has a private license for a graphics editing application that was bundled with the purchase of a digital camera. The employee needs to use this temporarily for a project and installs it on her computer at work. Is this a valid use of the license?

Answer 10

No. The license is likely to permit installation to only one computer at a time. It might or might not prohibit commercial use, but regardless of the license terms, any installation of software must be managed by the IT department.

Question 11

Why are the actions of a first responder critical in the context of a forensic investigation?

Answer 11

Digital evidence is difficult to capture in a form that demonstrates that it has not been tampered with. Documentation of the scene and proper procedures are crucial.

Question 12

What does chain-of-custody documentation prove?

Answer 12

Who has had access to evidence collected from a crime scene and where and how it has been stored.

Question 13

Your organization is donating workstations to a local college. The workstations have a mix of HDD and SSD fixed disks. There is a proposal to use a Windows boot disk to delete the partition information for each disk. What factors must be considered before proceeding with this method?

Answer 13

Using standard formatting tools will leave data remnants that could be recovered in some circumstances. This might not be considered high risk, but it would be safer to use a vendor low-level format tool with
support for ‘Secure Erase’ or ‘Crypto Erase’.

Question 14

You are auditing a file system for the presence of any unauthorized Windows shell script files. Which three extensions should you scan for?

Answer 14

.PS1 for ‘PowerShell scripts’, .VBS for ‘VBScript’, and .BAT for ‘cmd batch files’.

Question 15

You want to execute a block of statements based on the contents of an inventory list. What type of code construct is best suited to this task?

Answer 15

You can use any type of loop to iterate through the items in a list or collection, but a ‘For’ loop is probably the simplest.

Question 16

You are developing a Bash script to test whether a given host is up. Users will run the script in the following format: ‘./ping.sh 192.168.1.1’. Within the code, what identifier can you use to refer to the IP address passed to the script as an argument?

Answer 16

$1 will refer to the first positional argument.

Question 17

You are developing a script to ensure that the ‘M:’ drive is mapped consistently to the same network folder on all client workstations. What type of construct might you use to ensure the
script runs without errors?

Answer 17

Use a ‘conditional’ block (If statement) to check for an existing mapping, and remove it before applying the correct mapping.

Question 18

You are developing a script to scan server hosts to discover which ports are open and to identify which server software is operating the port. What considerations should you make before deploying this script?

Answer 18

While the risk is low, scanning activity could cause problems with the target and possibly even crash it. Test the script in a ‘sandbox’ environment before deploying it. Security software might block the operation of this script, and there is some risk from the script or its output being misused. Make sure that use of the script and its output are subject to access controls and that any system reconfiguration is properly change managed.

Question 19

A helpdesk operator formerly worked with Windows computers in the environment, but the company started rolling out test Mac computers. The operator needs to connect to a user’s Mac. What tool would the operator likely use?

A.VNC
B.RDP
C.mstsc
D.COBO

Answer 19

In macOS, users can use the Screen Sharing feature for remote desktop functionality. Screen Sharing is based on the Virtual Network Computing (VNC) protocol.

Windows uses the Remote Desktop Protocol (RDP) to implement terminal server and client functionality.

To connect to a server via Remote Desktop, open the Remote Desktop Connection shortcut or run mstsc.exe. Enter the server’s IP address or fully qualified domain name (FQDN).

Corporate-owned, business only (COBO) means that the device is the property of the company and may only be used for company business.

Question 20

A network administrator wants to remotely deploy firmware updates to their managed devices. This type of update usually occurs overnight while devices are turned off. Which of the following tools should the administrator set up in order to facilitate these updates?

A.EDR
B.WOL
C.RMM
D.MDM

Answer 20

Remote network boot capability is often referred to as wake on LAN (WOL) and allows devices to be remotely powered on over a network. This would allow the administrator to ensure all devices can be powered on to then start the update process.

Endpoint detection and response (EDR) security scanning is associated more with security monitoring than the ability to push firmware.

Remote monitoring and management (RMM) tools are principally designed for use by managed service providers (MSPs). An MSP is an outsourcing company that specializes in handling all IT support for its clients.

Mobile-device management (MDM) suites are designed for deployment by a single organization and focus primarily on access control and authorization.

Question 21

A database administrator is scheduled for a meeting with the security team to discuss compliance with the PCI DSS standards. What type of information does it safeguard?

A.Lab results
B.PINs
C.SSNs
D.Cell numbers

Answer 21

The Payment Card Industry Data Security Standard (PCI DSS) governs the processing of credit card transactions. It sets out protections that must be provided for data like names, addresses, account numbers, card numbers and expiry dates, and PINs.

Healthcare data refers to medical and insurance records plus associated hospital and laboratory test results.

Personal government-issued information (PII) is issued to individuals by federal or state governments. Examples include a social security number (SSN), passport, driving license, and birth/marriage certificates.

Personally identifiable information (PII) is data that can be used to identify, contact, or locate an individual or, in the case of identity theft, to impersonate an individual. A cell phone number is a good example of PII.

Question 22

A security engineer wants to learn how to code in Python but is running a Windows box. Which of the following is the easiest interpreter to set up for Windows?

A.Pypy
B.Wscript
C.Cscript
D.CPython

Answer 22

CPython is the simplest environment to set up for Windows. When using CPython in Windows, there is a console interpreter (python.exe) and a windowed interpreter (pythonw.exe).

Pypy is another interpreter that will work, but CPython is easier to set up. A Python project can either be run via an interpreter or compiled as a binary executable.

The Windows Script Host (wscript.exe and cscript.exe) supports JavaScript, but not Python. JavaScript is also supported on macOS for automation (along with AppleScript).

Cscript.exe does not support Python either. Python script files are identified by the .PY extension.

Question 23

A server administrator is setting up a backup program for the servers to ensure recovery. Which of the following are the two main principles of backing up? (Select all that apply.)

A.Confidentiality
B.Integrity
C.Frequency
D.Retention

Answer 23

Frequency is one of the two primary principles and is the period between backup jobs. The frequency configuration reflects how much lost work can be tolerated.

Retention is the other main principle and is the period that any given backup job is kept for. Short-term retention is important for version control and for recovering from malware infection.

Encryption encodes data using a key to give it the property of confidentiality. Confidentiality is not one of the two main principles of backing up.

Integrity means that the data is stored and transferred as intended and that any modification is authorized. This is a core concept of security.

Question 24

A company’s threat intelligence team determines that one of a threat actor’s techniques is to perform a denial of service against the Remote Desktop Protocol (RDP) functionality in servers. What can the company enable to help prevent this?

A.NLA
B.RDPRA
C.Remote credential guard
D.VNC

Answer 24

Network Level Authentication (NLA) protects the Remote Desktop Protocol (RDP) server against denial of service attacks. Without NLA, the system configures a desktop before the user logs on.

If remote desktop is used to connect to a server that has been compromised by malware, the credentials of the user account used to make the connection become highly vulnerable. RDP restricted admin (RDPRA) mode is one means of mitigating this risk.

Remote credential guard is also a means of mitigating the risk with compromised credentials of compromised user accounts.

In macOS, users can use the screen sharing feature for remote desktop functionality. Screen sharing is based on the Virtual Network Computing (VNC) protocol.

Question 25

A user experiences issues with their computer and has asked someone to remote desktop onto their computer to help resolve the issue. Unfortunately, the firewall only allows port 443 traffic. What should they use for assistance?

A.MSRA
B.mstsc
C.RDPRA
D.Quick Assist

Answer 25

Quick Assist works over the encrypted HTTPS port TCP/443. The helper must be signed in with a Microsoft account to offer assistance.

Microsoft Remote Assistance (MSRA) assigns a port dynamically from the ephemeral range (49152 to 65535). This makes it difficult to configure a firewall securely to allow the connection.

To connect to a server via Remote Desktop normally, open the Remote Desktop Connection shortcut or run mstsc.exe. This works over port 3389 though.

If remote desktop is used to connect to a server that has been compromised by malware, the credentials of the user account used to make the connection become highly vulnerable. RDP Restricted Admin (RDPRA) mode is one means of mitigating this risk.

Question 26

until ping -c1 “$1” &>/dev/null

A user is reviewing a script and comes across the code in one of the lines as follows. What is the line doing?

A.Set a variable.
B.Set a loop.
C.Nothing is executing.
D.Prevent from writing to the terminal.

Answer 26

A comment line is indicated by a special delimiter. In Bash and several other languages, the comment delimiter is the hash or pound sign ( # ).

In Bash, the values $1, $2, and so on are used to refer to arguments by position (the order in which they are entered when executing the script).

A loop allows a statement block to be repeated based on some type of condition.

The &>/dev/null part stops the usual ping output from being written to the terminal by redirecting it to a null device.

Question 27

A security analyst working on a monitoring team wants to implement new monitoring mechanisms around Secure Shell (SSH) authentication. Which of the following should the analyst focus on?

A.Monitor netflows for port 443 traffic.
B.Monitor netflows for port 3389 traffic.
C.Monitor for compromised keys.
D.Monitor the screen sharing service.

Answer 27

Monitoring for and removing compromised client public keys is a critical security task. Many recent attacks on web servers have exploited poor SSH key management.

SSH works over port 22. Quick Assist works over the encrypted HTTPS port TCP/443. The helper must be signed in with a Microsoft account to offer assistance.

To connect to a server via Remote Desktop normally, open the Remote Desktop Connection shortcut or run mstsc.exe. This works over port 3389 though.

In macOS, users can use the screen sharing feature for remote desktop functionality. Screen sharing is based on the Virtual Network Computing (VNC) protocol.

Question 28

A user accidentally deleted the presentation they were working on for an important upcoming meeting. Where should the user go for help?

A.Backup and Restore Center
B.File History
C.MSRA
D.NLA

Answer 28

In Windows, user data backup options are implemented via the File History feature, which is accessed through Settings > Update & Security > Backup.

The Backup and Restore Center control panel tool provides an alternative backup manager. It can also be used to make image backups of the entire operating system, rather than just data file backups.

Microsoft Remote Assistance (MSRA) assigns a port dynamically from the ephemeral range (49152 to 65535). This makes it difficult to configure a firewall securely to allow the connection.

Network Level Authentication (NLA) protects the Remote Desktop Protocol (RDP) server against denial of service attacks. Without NLA, the system configures a desktop before the user logs on.

Question 29

A penetration tester wants to perform drive mapping on an engagement on a Windows-based OS but suspects that the security is monitoring PowerShell commands. What could the tester use to map a network drive while remaining unnoticed?

A.net use
B.New-PSDrive
C.mount
D.echo “New-PSDrive”

Answer 29

In a Windows batch file, the net use command performs drive mapping. Network drive mapping is a Windows-only concept.

Mapping a drive can be done with PowerShell using the New-PSDrive cmdlet. This demonstrates the need for error handling. If users try to map a drive using a letter that has been assigned already, the script will return an error.

In Linux, a file system is made available by mounting it within the root file system, using the mount and umount commands.

Using the echo command simply outputs something specified to the terminal.

Question 30

A server technician reviews backup solutions and comes across the 3-2-1 rule. Which of the following holds true regarding this rule?

A.Two copies of data
B.Three media types
C.One copy held on-premise
D.Three copies of data

Answer 30

The 3-2-1 backup rule is a best-practice maxim that administrators can apply to their backup procedures to verify that they are implementing a solution that can mitigate the widest possible range of disaster scenarios. It states that there should be three copies of the data.

It states that the administrator should have three copies of the data (including the production copy), not that there should only be two copies.

It states that data should be across two media types, not on three different media types.

The one statement is that one copy should be held offline and off-site, not on-premise.

Question 31

A server administrator downloads a particular software that helps them troubleshoot issues on devices. However, the software is free for personal use and not for commercial use. What did the administrator violate?

A.PCI DSS
B.DRM
C.EULA
D.Product key

Answer 31

When the administrator installed software, they must accept the license governing its use, often called the end-user license agreement (EULA).

The Payment Card Industry Data Security Standard (PCI DSS) governs the processing of credit card transactions. It sets out protections that must be provided for data like names, addresses, account numbers, card numbers and expiry dates, and PINs.

Digital music and video are often subject to copy protection and digital rights management (DRM).

Software is often activated using a product key, which will be a long string of characters and numbers printed on the box or disk case.

Question 32

An administrator wants to test their backups to ensure that in the event of a real emergency there will not be any unforeseen problems. Which of the following is NOT a common validation?

A.Restore data to a test directory.
B.Check job hashes.
C.Wipe all backups.
D.Run chkdsk.

Answer 32

Wiping all backups would not be a recommended strategy for testing backup integrity. Three recommended methods for backup testing are hashing, restoring data to validate directories, and using a virtual machine to restore backups without overwriting a primary system.

One technique is to try restoring some of the backed-up data into a test directory, making sure to not overwrite any data when doing so.

Most backup software can use hashing to verify that each job is a valid copy of the source data.

It is also important to verify media integrity regularly, such as by running chkdsk on hard drives used for backup.

Question 33

A security architect sets up a policy for the secure destruction of optical media. Which of the following is NOT an effective method?

A.Degaussing
B.Shredding
C.Incinerating
D.Smashing

Answer 33

Degaussing is when a hard disk is exposed to a powerful electromagnet that disrupts the magnetic pattern that stores the data on the disk surface. Note that degaussing does not work with SSDs or optical media.

With shredding, the disk is ground into little pieces. A mechanical shredder works in much the same way as a paper shredder.

With incinerating, the disk is exposed to high heat to melt its components. This should be performed in a furnace designed for media sanitization. Municipal incinerators may leave remnants.

Smashing will work with optical media.

Question 34

A manager for a server team is creating a backup strategy for full backups but with lower data transfer requirements. Which technique should the manager use?

A.Synthetic
B.Full only
C.Full with incremental
D.Full with differential

Answer 34

A synthetic backup is an option for creating full backups with lower data transfer requirements. A synthetic full backup is not generated directly from the original data but instead assembled from other backup jobs.

“Full only” means that the backup job produces a file that contains all the data from the source.

“Full with incremental” means that the chain starts with a full backup and then runs incremental jobs that select only new files and files modified since the previous job.

“Full with differential” means that the chain starts with a full backup and then runs differential jobs that select new files and files modified since the original full job.

Question 35

A user at a large organization notices that their computer is extremely sluggish. This happened shortly after the user clicked on a link in an email that seemed suspicious. Where should the user most likely report this to?

A.CSIRT
B.EULA
C.Forensics team
D.Help desk

Answer 35

Larger organizations will provide a dedicated Computer Security Incident Response Team (CSIRT) as a single point of contact so that a security incident can be reported through the proper channels.

When a user installs software, they must accept the license governing its use, often called the end-user license agreement (EULA).

It is unlikely that a computer forensic professional will be retained by an organization, so such investigations are normally handled by law enforcement agencies.

While it is possible the security team may want tickets to route through the help desk, the CSIRT team will typically be the actual ones that it is ultimately reported to.

Question 36

A soldier at a government facility accidentally typed up a report on the wrong system and needs to ensure that the file is not recoverable. What should be done?

A.Delete the file.
B.Format the file system.
C.Delete the file and empty the garbage bin.
D.Perform a secure erase.

Answer 36

Secure erase (SE) performs zero-filling on hard disk drives (HDDs) and marks all blocks as empty on solid state drives (SSDs).

Data “deleted” from a file on a disk is not erased. Rather, the HDD sector or SSD block is marked as available for writing.

Using the OS standard formatting tool to delete partitions and write a new file system will only remove references to files and mark all sectors as useable.

Emptying the garbage bin still does not truly erase the data from the disk. The information contained at that storage location will only be removed when new file data is written.

Question 37

A Linux administrator is looking at the bash history and sees the command chmod u+x file.sh. What was trying to be done with this command?

A.Execute a script.
B.Set permissions.
C.Designate which interpreter to use.
D.Create a script.

Answer 37

Permissions were being set on the script. Remember that in Linux, the script file must have the execute permission set to run.

A Linux shell script uses the .SH extension by convention. Each statement comprising the actions that the script will perform is then typically added on separate lines.

Every shell script starts with a shebang line that designates which interpreter to use, such as Bash or Ksh.

Users can develop a script in any basic text editor, but using an editor with script support is the most productive way.

Question 38

A Windows administrator is combing through server logs and sees that a wscript.exe executed a script. What type of script is executed by default?

A..BAT
B..PS1
C..VBS
D..SH

Answer 38

VBScript files are identified by the .VBS extension. VBScript is executed by the wscript.exe interpreter by default.

A shell script written for the basic Windows CMD interpreter is often described as a batch file. Batch files use the .BAT extension.

Microsoft provides the Windows PowerShell Integrated Scripting Environment (ISE) for rapid development. PowerShell script files are identified by the .PS1 extension.

A Linux shell script is a file that contains a list of commands to be read and executed by the shell. Every shell script starts with a line that designates the interpreter.