Lesson 19: Using Support and Scripting Tools Flashcards

1
Q

You are updating a procedure that lists security considerations for remote access technologies. One of the precautions is to check that remote access ports have not been opened on the firewall without authorization. Which default port for VNC needs to be monitored?

A

‘Virtual Network Computing’ (VNC) uses TCP port 5200 by default.

2
Q

True or false? You can configure a web server running on Linux to accept remote terminal connections from clients without using passwords.

A

True. This can be configured using public key authentication with the ‘Secure Shell’ (SSH) protocol. The server can be installed with the public keys of authorized users.

3
Q

You are joining a new startup business that will perform outsourced IT management for client firms. You have been asked to identify an appropriate software solution for off-site support and to ensure that ‘service level agreement’ (SLA) metrics for downtime incidents are adhered to. What general class of remote access technology will be most suitable?

A

‘Remote monitoring and management’ (RMM) tools are principally designed for use by ‘managed service providers’ (MSPs). As well as remote access and monitoring, this class of tools supports management of multiple client accounts and billing / reporting.

4
Q

Users working from home need to be able to access a PC on the corporate network via RDP. What technology will enable this without having to open the RDP port to Internet access?

A

Configure a ‘virtual private network’ (VPN) so that remote users can connect to the corporate LAN and then launch the ‘remote desktop protocol’ (RDP) client to connect to the office PC.

5
Q

What backup issue does the synthetic job type address?

A

A synthetic full backup reduces data transfer requirements and, therefore, backup job time by synthesizing a full backup from previous incremental backups rather than directly from the source data.

6
Q

You are documenting workstation backup and recovery methods and want to include the 3-2-1 backup rule. What is this rule?

A

It states that you should have three copies of your data across two media types, with one copy held offline and off site. The production data counts as one copy.

7
Q

For which backup / restore issue is a ‘cloud-based’ backup service an effective solution?

A

The issue of provisioning an off-site copy of a backup. Cloud storage can also provide extra capacity.

8
Q

What frequent tests should you perform to ensure the integrity of backup settings and media?

A

You can perform a test restore and validate the files. You can run an integrity check on the media by using, for example, ‘chkdsk’ on a hard drive used for backup. Backup software can often be configured to perform an integrity check on each file during a backup operation. You can also perform an audit of files included in a backup against a list of source files to ensure that everything has been included.

9
Q

You are updating data handling guidance to help employees recognize different types of regulated data. What examples could you add to help identify healthcare data?

A

Personal healthcare data includes medical records, insurance forms, hospital / laboratory test results, and so on. Healthcare information is also present in de-identified or anonymized data sets.

10
Q

An employee has a private license for a graphics editing application that was bundled with the purchase of a digital camera. The employee needs to use this temporarily for a project and installs it on her computer at work. Is this a valid use of the license?

A

No. The license is likely to permit installation to only one computer at a time. It might or might not prohibit commercial use, but regardless of the license terms, any installation of software must be managed by the IT department.

11
Q

Why are the actions of a first responder critical in the context of a forensic investigation?

A

Digital evidence is difficult to capture in a form that demonstrates that it has not been tampered with. Documentation of the scene and proper procedures are crucial.

12
Q

What does chain-of-custody documentation prove?

A

Who has had access to evidence collected from a crime scene and where and how it has been stored.

13
Q

Your organization is donating workstations to a local college. The workstations have a mix of HDD and SSD fixed disks. There is a proposal to use a Windows boot disk to delete the partition information for each disk. What factors must be considered before proceeding with this method?

A

Using standard formatting tools will leave data remnants that could be recovered in some circumstances. This might not be considered high risk, but it would be safer to use a vendor low-level format tool with support for ‘Secure Erase’ or ‘Crypto Erase’.

14
Q

You are auditing a file system for the presence of any unauthorized Windows shell script files. Which three extensions should you scan for?

A

.PS1 for ‘PowerShell scripts’, .VBS for ‘VBScript’, and .BAT for ‘cmd batch files’.

15
Q

You want to execute a block of statements based on the contents of an inventory list. What type of code construct is best suited to this task?

A

You can use any type of loop to iterate through the items in a list or collection, but a ‘For’ loop is probably the simplest.

16
Q

You are developing a Bash script to test whether a given host is up. Users will run the script in the following format: ‘./ping.sh 192.168.1.1’. Within the code, what identifier can you use to refer to the IP address passed to the script as an argument?

A

$1 will refer to the first positional argument.

17
Q

You are developing a script to ensure that the ‘M:’ drive is mapped consistently to the same network folder on all client workstations. What type of construct might you use to ensure the script runs without errors?

A

Use a ‘conditional’ block (If statement) to check for an existing mapping, and remove it before applying the correct mapping.

18
Q

You are developing a script to scan server hosts to discover which ports are open and to identify which server software is operating the port. What considerations should you make before deploying this script?

A

While the risk is low, scanning activity could cause problems with the target and possibly even crash it. Test the script in a ‘sandbox’ environment before deploying it. Security software might block the operation of this script, and there is some risk from the script or its output being misused. Make sure that use of the script and its output are subject to access controls and that any system reconfiguration is properly change managed.

19
Q

A helpdesk operator formerly worked with Windows computers in the environment, but the company started rolling out test Mac computers. The operator needs to connect to a user’s Mac. What tool would the operator likely use?

A. VNC
B. RDP
C. mstsc
D. COBO

A

In macOS, users can use the Screen Sharing feature for remote desktop functionality. Screen Sharing is based on the Virtual Network Computing (VNC) protocol.

Windows uses the Remote Desktop Protocol (RDP) to implement terminal server and client functionality.

To connect to a server via Remote Desktop, open the Remote Desktop Connection shortcut or run mstsc.exe. Enter the server’s IP address or fully qualified domain name (FQDN).

Corporate-owned, business only (COBO) means that the device is the property of the company and may only be used for company business.

20
Q

A network administrator wants to remotely deploy firmware updates to their managed devices. This type of update usually occurs overnight while devices are turned off. Which of the following tools should the administrator set up in order to facilitate these updates?

A. EDR
B. WOL
C. RMM
D. MDM

A

Remote network boot capability is often referred to as wake on LAN (WOL) and allows devices to be remotely powered on over a network. This would allow the administrator to ensure all devices can be powered on to then start the update process.

Endpoint detection and response (EDR) security scanning is associated more with security monitoring than the ability to push firmware.

Remote monitoring and management (RMM) tools are principally designed for use by managed service providers (MSPs). An MSP is an outsourcing company that specializes in handling all IT support for its clients.

Mobile-device management (MDM) suites are designed for deployment by a single organization and focus primarily on access control and authorization.

21
Q

A database administrator is scheduled for a meeting with the security team to discuss compliance with the PCI DSS standards. What type of information does it safeguard?

A. Lab results
B. PINs
C. SSNs
D. Cell numbers

A

The Payment Card Industry Data Security Standard (PCI DSS) governs the processing of credit card transactions. It sets out protections that must be provided for data like names, addresses, account numbers, card numbers and expiry dates, and PINs.

Healthcare data refers to medical and insurance records plus associated hospital and laboratory test results.

Personal government-issued information (PGI) is issued to individuals by federal or state governments. Examples include a social security number (SSN), passport, driving license, and birth/marriage certificates.

Personally identifiable information (PII) is data that can be used to identify, contact, or locate an individual or, in the case of identity theft, to impersonate an individual. A cell phone number is a good example of PII.

22
Q

A security engineer wants to learn how to code in Python but is running a Windows box. Which of the following is the easiest interpreter to set up for Windows?

A. PyPy
B. Wscript
C. Cscript
D. CPython

A

CPython is the simplest environment to set up for Windows. When using CPython in Windows, there is a console interpreter (python.exe) and a windowed interpreter (pythonw.exe).

PyPy is another interpreter that will work, but CPython is easier to set up. A Python project can either be run via an interpreter or compiled as a binary executable.

The Windows Script Host (wscript.exe and cscript.exe) supports JavaScript, but not Python. JavaScript is also supported on macOS for automation (along with AppleScript).

Cscript.exe does not support Python either. Python script files are identified by the .PY extension.

23
Q

A server administrator is setting up a backup program for the servers to ensure recovery. Which of the following are the two main principles of backing up? (Select all that apply.)

A. Confidentiality
B. Integrity
C. Frequency
D. Retention

A

Frequency is one of the two primary principles and is the period between backup jobs. The frequency configuration reflects how much lost work can be tolerated.

Retention is the other main principle and is the period that any given backup job is kept for. Short-term retention is important for version control and for recovering from malware infection.

Encryption encodes data using a key to give it the property of confidentiality. Confidentiality is not one of the two main principles of backing up.

Integrity means that the data is stored and transferred as intended and that any modification is authorized. This is a core concept of security.

24
Q

A company’s threat intelligence team determines that one of a threat actor’s techniques is to perform a denial of service against the Remote Desktop Protocol (RDP) functionality in servers. What can the company enable to help prevent this?

A. NLA
B. RDPRA
C. Remote credential guard
D. VNC

A

Network Level Authentication (NLA) protects the Remote Desktop Protocol (RDP) server against denial of service attacks. Without NLA, the system configures a desktop before the user logs on.

If remote desktop is used to connect to a server that has been compromised by malware, the credentials of the user account used to make the connection become highly vulnerable. RDP restricted admin (RDPRA) mode is one means of mitigating this risk.

Remote credential guard is also a means of mitigating the risk with compromised credentials of compromised user accounts.

In macOS, users can use the screen sharing feature for remote desktop functionality. Screen sharing is based on the Virtual Network Computing (VNC) protocol.

25
Q

A user experiences issues with their computer and has asked someone to remote desktop onto their computer to help resolve the issue. Unfortunately, the firewall only allows port 443 traffic. What should they use for assistance?

A. MSRA
B. mstsc
C. RDPRA
D. Quick Assist

A

Quick Assist works over the encrypted HTTPS port TCP/443. The helper must be signed in with a Microsoft account to offer assistance.

Microsoft Remote Assistance (MSRA) assigns a port dynamically from the ephemeral range (49152 to 65535). This makes it difficult to configure a firewall securely to allow the connection.

To connect to a server via Remote Desktop normally, open the Remote Desktop Connection shortcut or run mstsc.exe. This works over port 3389 though.

If remote desktop is used to connect to a server that has been compromised by malware, the credentials of the user account used to make the connection become highly vulnerable. RDP Restricted Admin (RDPRA) mode is one means of mitigating this risk.

26
Q

A user is reviewing a script and comes across the following line of code. What is the line doing?

until ping -c1 "$1" &>/dev/null

A. Set a variable.
B. Set a loop.
C. Nothing is executing.
D. Prevent from writing to the terminal.

A

A comment line is indicated by a special delimiter. In Bash and several other languages, the comment delimiter is the hash or pound sign ( # ).

In Bash, the values $1, $2, and so on are used to refer to arguments by position (the order in which they are entered when executing the script).

A loop allows a statement block to be repeated based on some type of condition.

The &>/dev/null part stops the usual ping output from being written to the terminal by redirecting it to a null device.

27
Q

A security analyst working on a monitoring team wants to implement new monitoring mechanisms around Secure Shell (SSH) authentication. Which of the following should the analyst focus on?

A. Monitor netflows for port 443 traffic.
B. Monitor netflows for port 3389 traffic.
C. Monitor for compromised keys.
D. Monitor the screen sharing service.

A

Monitoring for and removing compromised client public keys is a critical security task. Many recent attacks on web servers have exploited poor SSH key management.

SSH works over port 22. Quick Assist works over the encrypted HTTPS port TCP/443. The helper must be signed in with a Microsoft account to offer assistance.

To connect to a server via Remote Desktop normally, open the Remote Desktop Connection shortcut or run mstsc.exe. This works over port 3389 though.

In macOS, users can use the screen sharing feature for remote desktop functionality. Screen sharing is based on the Virtual Network Computing (VNC) protocol.

28
Q

A user accidentally deleted the presentation they were working on for an important upcoming meeting. Where should the user go for help?

A. Backup and Restore Center
B. File History
C. MSRA
D. NLA

A

In Windows, user data backup options are implemented via the File History feature, which is accessed through Settings > Update & Security > Backup.

The Backup and Restore Center control panel tool provides an alternative backup manager. It can also be used to make image backups of the entire operating system, rather than just data file backups.

Microsoft Remote Assistance (MSRA) assigns a port dynamically from the ephemeral range (49152 to 65535). This makes it difficult to configure a firewall securely to allow the connection.

Network Level Authentication (NLA) protects the Remote Desktop Protocol (RDP) server against denial of service attacks. Without NLA, the system configures a desktop before the user logs on.

29
Q

A penetration tester wants to perform drive mapping on an engagement on a Windows-based OS but suspects that the security is monitoring PowerShell commands. What could the tester use to map a network drive while remaining unnoticed?

A. net use
B. New-PSDrive
C. mount
D. echo "New-PSDrive"

A

In a Windows batch file, the net use command performs drive mapping. Network drive mapping is a Windows-only concept.

Mapping a drive can be done with PowerShell using the New-PSDrive cmdlet. This demonstrates the need for error handling. If users try to map a drive using a letter that has been assigned already, the script will return an error.

In Linux, a file system is made available by mounting it within the root file system, using the mount and umount commands.

Using the echo command simply outputs something specified to the terminal.

30
Q

A server technician reviews backup solutions and comes across the 3-2-1 rule. Which of the following holds true regarding this rule?

A. Two copies of data
B. Three media types
C. One copy held on-premise
D. Three copies of data

A

The 3-2-1 backup rule is a best-practice maxim that administrators can apply to their backup procedures to verify that they are implementing a solution that can mitigate the widest possible range of disaster scenarios. It states that there should be three copies of the data.

It states that the administrator should have three copies of the data (including the production copy), not that there should only be two copies.

It states that data should be across two media types, not on three different media types.

The ‘one’ in the rule states that one copy should be held offline and off-site, not on-premise.

31
Q

A server administrator downloads a particular software that helps them troubleshoot issues on devices. However, the software is free for personal use and not for commercial use. What did the administrator violate?

A. PCI DSS
B. DRM
C. EULA
D. Product key

A

When the administrator installed the software, they had to accept the license governing its use, often called the end-user license agreement (EULA).

The Payment Card Industry Data Security Standard (PCI DSS) governs the processing of credit card transactions. It sets out protections that must be provided for data like names, addresses, account numbers, card numbers and expiry dates, and PINs.

Digital music and video are often subject to copy protection and digital rights management (DRM).

Software is often activated using a product key, which will be a long string of characters and numbers printed on the box or disk case.

32
Q

An administrator wants to test their backups to ensure that in the event of a real emergency there will not be any unforeseen problems. Which of the following is NOT a common validation?

A. Restore data to a test directory.
B. Check job hashes.
C. Wipe all backups.
D. Run chkdsk.

A

Wiping all backups would not be a recommended strategy for testing backup integrity. Three recommended methods for backup testing are hashing, restoring data to validate directories, and using a virtual machine to restore backups without overwriting a primary system.

One technique is to try restoring some of the backed-up data into a test directory, making sure to not overwrite any data when doing so.

Most backup software can use hashing to verify that each job is a valid copy of the source data.

It is also important to verify media integrity regularly, such as by running chkdsk on hard drives used for backup.

33
Q

A security architect sets up a policy for the secure destruction of optical media. Which of the following is NOT an effective method?

A. Degaussing
B. Shredding
C. Incinerating
D. Smashing

A

Degaussing is when a hard disk is exposed to a powerful electromagnet that disrupts the magnetic pattern that stores the data on the disk surface. Note that degaussing does not work with SSDs or optical media.

With shredding, the disk is ground into little pieces. A mechanical shredder works in much the same way as a paper shredder.

With incinerating, the disk is exposed to high heat to melt its components. This should be performed in a furnace designed for media sanitization. Municipal incinerators may leave remnants.

Smashing will work with optical media.

34
Q

A manager for a server team is creating a backup strategy for full backups but with lower data transfer requirements. Which technique should the manager use?

A. Synthetic
B. Full only
C. Full with incremental
D. Full with differential

A

A synthetic backup is an option for creating full backups with lower data transfer requirements. A synthetic full backup is not generated directly from the original data but instead assembled from other backup jobs.

“Full only” means that the backup job produces a file that contains all the data from the source.

“Full with incremental” means that the chain starts with a full backup and then runs incremental jobs that select only new files and files modified since the previous job.

“Full with differential” means that the chain starts with a full backup and then runs differential jobs that select new files and files modified since the original full job.

35
Q

A user at a large organization notices that their computer is extremely sluggish. This happened shortly after the user clicked on a link in an email that seemed suspicious. Where should the user most likely report this to?

A. CSIRT
B. EULA
C. Forensics team
D. Help desk

A

Larger organizations will provide a dedicated Computer Security Incident Response Team (CSIRT) as a single point of contact so that a security incident can be reported through the proper channels.

When a user installs software, they must accept the license governing its use, often called the end-user license agreement (EULA).

It is unlikely that a computer forensic professional will be retained by an organization, so such investigations are normally handled by law enforcement agencies.

While it is possible that the security team may want tickets to route through the help desk, the CSIRT is typically where the incident is ultimately reported.

36
Q

A soldier at a government facility accidentally typed up a report on the wrong system and needs to ensure that the file is not recoverable. What should be done?

A. Delete the file.
B. Format the file system.
C. Delete the file and empty the garbage bin.
D. Perform a secure erase.

A

Secure erase (SE) performs zero-filling on hard disk drives (HDDs) and marks all blocks as empty on solid state drives (SSDs).

Data “deleted” from a file on a disk is not erased. Rather, the HDD sector or SSD block is marked as available for writing.

Using the OS standard formatting tool to delete partitions and write a new file system will only remove references to files and mark all sectors as useable.

Emptying the garbage bin still does not truly erase the data from the disk. The information contained at that storage location will only be removed when new file data is written.

37
Q

A Linux administrator is looking at the bash history and sees the command chmod u+x file.sh. What was the user trying to do with this command?

A. Execute a script.
B. Set permissions.
C. Designate which interpreter to use.
D. Create a script.

A

Permissions were being set on the script. Remember that in Linux, the script file must have the execute permission set to run.

A Linux shell script uses the .SH extension by convention. Each statement comprising the actions that the script will perform is then typically added on separate lines.

Every shell script starts with a shebang line that designates which interpreter to use, such as Bash or Ksh.

Users can develop a script in any basic text editor, but using an editor with script support is the most productive way.

38
Q

A Windows administrator is combing through server logs and sees that a wscript.exe executed a script. What type of script is executed by default?

A. .BAT
B. .PS1
C. .VBS
D. .SH

A

VBScript files are identified by the .VBS extension. VBScript is executed by the wscript.exe interpreter by default.

A shell script written for the basic Windows CMD interpreter is often described as a batch file. Batch files use the .BAT extension.

Microsoft provides the Windows PowerShell Integrated Scripting Environment (ISE) for rapid development. PowerShell script files are identified by the .PS1 extension.

A Linux shell script is a file that contains a list of commands to be read and executed by the shell. Every shell script starts with a line that designates the interpreter.