Lesson 8: Managing Security Settings Flashcards

1
Q

Rules designed to enforce best-practice password selection, such as minimum length and use of multiple character types.

A

Complexity requirements

2
Q

Rules designed to enforce best-practice password use by forcing regular selection of new passwords.

A

expiration requirement

3
Q

Passwords set in system firmware to prevent unauthorized booting of a computer (user password) or changes to system setup (supervisor password).

A

basic input/output system (BIOS)
or
unified extensible firmware interface (UEFI)

4
Q

PII

A

personally identifiable information

5
Q

Process of determining what additional software may be installed on a client or server beyond its baseline to prevent the use of unauthorized software.

A

Execution control

6
Q

Windows mechanism that triggers automatic actions when a peripheral storage device is attached.

A

AutoPlay settings

7
Q

Security scanner installed and enabled by default in Windows that provides protection against general malware types.

A

Windows Defender Antivirus

7
Q

UDP

A

User Datagram Protocol

8
Q

Information about new viruses and other malware used to update antivirus scanners.

A

Definition / pattern updates

8
Q

TCP

A

Transmission Control Protocol

8
Q

Microsoft’s file-level encryption feature available on NTFS; it supports encryption of individual files and folders.

A

Encrypting File System (EFS)

8
Q

Updates that fix problems or make improvements to the scan software itself.

A

Scan engine / component updates

8
Q

What does blocking TCP/80 prevent clients from connecting to?

A

Blocking TCP/80 prevents clients from connecting to the default port for a web server.

9
Q

FDE

A

Full Disk Encryption

9
Q

You are completing a checklist of security features for workstation deployments. Following the CompTIA A+ objectives, what additional item should you add to the following list, and what recommendation for a built-in Windows feature or features can you recommend be used to implement it?

Password best practices
End-user best practices
Account management
Change default administrator’s user account/password
Disable AutoRun/AutoPlay
Enable Windows Update, Windows Defender Antivirus, and Windows Defender Firewall

A

Data-at-rest encryption.
In Windows, this can be configured at file level via the Encrypting File System (EFS) or at disk level via BitLocker.

9
Q

What type of account management policy can protect against password-guessing attacks?

A

A lockout policy disables the account after a number of incorrect sign-in attempts.

9
Q

True or false? An organization should rely on automatic screen savers to prevent lunchtime attacks.

A

False.
A lunchtime attack is where a threat actor gains access to a signed-in user account because the desktop has not locked. While an automatic screensaver lock provides some protection, there may still be a window of opportunity for a threat actor between the user leaving the workstation unattended and the screensaver activating. Users must lock the workstation manually when leaving it unattended.

10
Q

A security consultant has recommended more frequent monitoring of the antivirus software on workstations. What sort of checks should this monitoring perform?

A

That the antivirus is enabled, is up to date with scan engine components and definitions, and has only authorized exclusions configured.

11
Q

Installer package that can be verified by a digital signature or cryptographic hash.

A

Trusted source

12
Q

Installer package whose authenticity and integrity cannot be verified.

A

Untrusted source

13
Q

Add-on that uses the browser API to implement new functionality.

A

Extensions

13
Q

API

A

application programming interface

14
Q

TLS

A

Transport Layer Security

14
Q

Software installed in a web browser to handle multimedia objects embedded in web pages. (Plays or shows some sort of content embedded in a web page, such as Flash, Silverlight, or another video/multimedia format.)

A

Plug-ins

15
Q

Identification and authentication information presented in the X.509 format and issued by a Certificate Authority (CA) as a guarantee that a key pair (as identified by the public key embedded in the certificate) is valid for a particular subject (user or host).

A

digital certificates

16
Q

CA

A

Certificate authority

16
Q

Browser feature or extension that prevents sites from creating new browser windows. (Prevent a website from creating dialogs or additional windows.)

A

Pop-up blockers

17
Q

Using HTTPS to browse a site where the host has presented a valid digital certificate issued by a CA that is trusted by the browser.

A

secure connection

18
Q

Browser feature or add-in that prevents third-party content from being displayed when visiting a site. (Uses more sophisticated techniques to prevent the display of anything that doesn’t seem to be part of the site’s main content or functionality.)

A

Ad-blockers

18
Q

True or false? Using a browser’s incognito mode will prevent sites from recording the user’s IP address.

A

False.
Incognito mode can prevent the use of cookies but cannot conceal the user’s source IP address. You do not need to include this in your answer, but the main way to conceal the source IP address is to connect to sites via a virtual private network (VPN).

19
Q

Cookies, site files, form data, passwords, and other information stored by a browser.

A

cache

19
Q

Browser mode in which all session data and cached files are discarded when the session ends and tracking protection features are enabled by default.

A

Private / incognito browsing mode

20
Q

A security consultant has recommended blocking end-user access to the chrome://flags browser page. Does this prevent a user from changing any browser settings?

A

No.
The chrome://flags page is for advanced configuration settings. General user, security, and privacy settings are configured via chrome://settings.

21
Q

What primary indicator must be verified in the browser before using a web form?

A

That the browser address bar displays the lock icon to indicate that the site uses a trusted certificate. This validates the site identity and protects information submitted via the form from interception.

21
Q

A company must deploy custom browser software to employees’ workstations. What method can be used to validate the download and installation of this custom software?

A

The package can be signed using a developer certificate issued by a trusted certificate authority.
Alternatively, a cryptographic hash of the installer can be made, and this value can be given to each support technician. When installing the software, the technician can make his or her own hash of the downloaded installer and compare it to the reference hash.

22
Q

Software that records information about a PC and its users, often installed without the user’s consent. (Malware that can perform browser reconfigurations, such as allowing tracking cookies, changing default search providers, opening arbitrary pages at startup, adding bookmarks, and so on.)

A

Spyware

22
Q

Malicious code inserted into the boot sector code or partition table of a storage device that attempts to execute when the device is attached. (These infect the boot sector code or partition table on a disk drive.)

A

Boot sector viruses

22
Q

Malicious code inserted into an executable file image. The malicious code is executed when the file is run and can deliver a payload, such as attempting to infect other files.

A

Viruses

22
Q

Malicious software program hidden within an innocuous-seeming piece of software. (This is malware concealed within an installer package for software that appears to be legitimate.)

A

Trojans

23
Q

Type of malware that replicates between processes in system memory and can spread over client/server network connections. (These replicate between processes in system memory rather than infecting an executable file stored on disk.)

A

Worms

23
Q

Mechanism for gaining access to a computer that bypasses or subverts the normal method of authentication.

A

backdoor

23
Q

Infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets.

A

command and control (C2 or C&C)

23
Q

Exploit techniques that use the host’s scripting environment to create malicious processes. (This refers to malicious code that uses the host’s scripting environment, such as Windows PowerShell or PDF JavaScript, to create new malicious processes in memory.)

A

Fileless malware

23
Q

Malware that creates a backdoor remote administration channel to allow a threat actor to access and control the infected host.

A

RAT (Remote Access Trojan)

24
Q

IRC

A

Internet relay chat

25
Q

Malicious software or hardware that can record user keystrokes. (A type of spyware that actively attempts to steal confidential information by recording keystrokes.)

A

keylogger

26
Q

Class of malware that modifies system files, often at the kernel level, to conceal its presence.

A

rootkit

27
Q

Malware that hijacks computer resources to create cryptocurrency.

A

cryptominer / cryptojacking

27
Q

Malware that tries to extort money from the victim by blocking normal operation of a computer and/or encrypting the victim’s files and demanding payment. (a type of malware that tries to extort money from the victim)

A

Ransomware

27
Q

When the computer is slow or “behaving oddly,” one of the things you should suspect is malware infection. Some specific symptoms associated with malware include: (3)

A

  • The computer fails to boot or experiences lockups.
  • Performance at startup or in general is very slow.
  • The host cannot access the network and/or Internet access or network performance is slow.

28
Q

Software capable of detecting and removing virus infections and (in most cases) other types of malware, such as worms, Trojans, rootkits, adware, spyware, password crackers, network mappers, DoS tools, and so on.

A

Antivirus (scan)

28
Q

Browser indication that a site connection is not secure because the certificate is invalid or the issuing CA is not trusted.

A

Certificate warnings

28
Q

Spoofed desktop notifications and browser ads designed to alarm users and promote installation of Trojan malware.

A

Rogue antivirus

28
Q

Early in the day, a user called the help desk saying that his computer is running slowly and freezing up. Shortly after this user called, other help desk technicians who overheard your call also received calls from users who report similar symptoms. Is this likely to be a malware infection?

A

It is certainly possible.
Software updates are often applied when a computer is started in the morning, so that is another potential cause, but you should investigate and log a warning so that all support staff are alerted. It is very difficult to categorize malware when the only symptom is performance issues. However, performance issues could be a result of a badly written Trojan, or a Trojan/backdoor application might be using resources maliciously (for DDoS, Bitcoin mining, spam, and so on).

28
Q

A developer is reading their email and comes across a new memorandum from the security department about a clean desk policy. Why does security need to publish this?

A. Personal identifiable information (PII) protection
B. Secure critical hardware
C. Prevent lunchtime attack
D. Protect UEFI

A

A. Personal Identifiable Information (PII) protection

Paper copies of personal and confidential data must not be left where they could be read or stolen. A clean desk policy ensures that all such information is not left in plain sight.

A clean desk policy does not help with securing critical assets. Portable computers can, however, be secured to a desk using a cable lock. When in public, users must keep laptop cases in sight.

A lunchtime attack is where a threat actor is able to access a computer that has been left unlocked.

A system user password is one that is required before any operating system can boot. The system password can be configured by the basic input/output system (BIOS) or unified extensible firmware interface (UEFI) setup program.

28
Q

The process of isolating a file, computer system, or computer network to prevent the spread of a virus or another cybersecurity incident.

A

Quarantine

28
Q

Computing environment that is isolated from a host system to guarantee that the environment runs in a controlled, secure fashion.

A

sandbox

28
Q

CompTIA has identified a seven-step best practice procedure for malware removal: (7)

A

  1. Investigate and verify malware symptoms.
  2. Quarantine infected systems.
  3. Disable System Restore in Windows.
  4. Remediate infected systems:
     a. Update anti-malware software.
     b. Apply scanning and removal techniques (e.g., safe mode, preinstallation environment).
  5. Schedule scans and run updates.
  6. Enable System Restore and create a restore point in Windows.
  7. Educate the end user.

28
Q

Consequence of malware infection where DNS and/or search results are corrupted to redirect requests from legitimate site hosts to spoofed sites or ads. (where the user tries to open one page but gets sent to another.)

A

Redirection

29
Q

You receive a support call from a user who is “stuck” on a web page. She is trying to use the Back button to return to her search results, but the page just displays again with a pop-up message. Is her computer infected with malware?

A

If it only occurs on certain sites, it is probably part of the site design.
A script running on the site can prevent use of the Back button. It could also be a sign of adware or spyware though, so it would be safest to scan the computer using up-to-date anti-malware software.

29
Q

A manager is responsible for client laptops, and is concerned about exposing data on the disks to a different OS and the permissions becoming overridden. What will help prevent this possible attack?

A. Windows Defender Firewall
B. Windows Defender Antivirus
C. Encrypting File System
D. Execution control

A

C. Encrypting File System (EFS)

The Encrypting File System (EFS) feature of the New Technology File System (NTFS) supports file and folder encryption. EFS is not available in the Home edition of Windows.

The Windows Defender Firewall with Advanced Security console allows the configuration of a custom inbound and outbound filtering rule.

Antivirus is software that can detect malware and prevent it from executing. The primary means of detection is to use a database of known virus patterns called definitions, signatures, or patterns.

Execution control refers to logical security technologies designed to prevent malicious software from running on a host regardless of what the user account privileges allow.

29
Q

Why is DNS configuration a step in the malware remediation process?

A

Compromising domain-name resolution is a very effective means of redirecting users to malicious websites. Following malware infection, it is important to ensure that DNS is being performed by valid servers.

29
Q

A security analyst baselines web activity and notices several caveats with browsers. For example, they notice that when a user types in a query, a query is actually made after every typed key. The analyst is trying to group browser activity together. Which browser is based on the same code as Chrome?

A. Edge
B. Internet Explorer
C. Safari
D. Firefox

A

A. Edge

Edge, Microsoft’s replacement browser, now uses the same underlying Chromium codebase as Google Chrome.

IE itself is no longer supported. Microsoft’s Internet Explorer (IE) used to be dominant in the browser market. As the browser is a security-critical type of software, it is particularly important to use a trusted source, such as an app store.

Apple’s Safari browser is tightly integrated with macOS and iOS. In some scenarios, it might be appropriate to choose a browser that is different from these mainstream versions.

Firefox is a free and open-source modern web browser. It is currently developed by the Mozilla Foundation.

29
Q

Why might a PC infected with malware display no obvious symptoms?

A

If the malware is used with the intent to steal information or record behavior, it will not try to make its presence obvious.
A rootkit may be very hard to detect even when a rigorous investigation is made.

29
Q

A helpdesk operator is reviewing a notification that a user clicked links in a very suspicious email. After verifying there are symptoms of malware, what is the next step the operator should take?

A. Disable System Restore.
B. Look for missing or renamed files.
C. Look for services masquerading as legitimate services.
D. Quarantine.

A

D. Quarantine

After verifying the symptoms of malware, the host should be placed in quarantine, where it is not able to communicate on the main network.

Once the infected system is isolated, the next step is to disable System Restore and other automated backup systems, such as File History.

Looking for missing or renamed files could be one of the many steps in investigating after a computer has been quarantined. Identification of these techniques could help scan the enterprise to see how far it spread.

Another good step after isolation is to look for additional executable files with names similar to those of authentic system files and utilities, such as scvhost.exe or ta5kmgr.exe.

29
Q

Another user calls to say he is trying to sign on to his online banking service, but the browser reports that the certificate is invalid. Should the bank update its certificate, or do you suspect another cause?

A

It would be highly unlikely for a commercial bank to allow its website certificates to run out of date or otherwise be misconfigured. You should strongly suspect redirection by malware or a phishing/pharming scam.

29
Q

A Firefox user wants to open up their browser settings to configure their intranet as the home page. How can the Firefox user access the settings?

A. chrome://settings
B. edge://settings
C. firefox://settings
D. about:preferences

A

D. about:preferences

Users can open the internal URL for Firefox by going to about:preferences. Each browser maintains its own settings that are accessed via its Meatball (…) or Hamburger (☰) menu button as well.

In Chrome, the setting option is listed under chrome://settings. Browsers also have advanced settings that are accessed via a URL such as chrome://flags or about:config.

In Edge, the URL for settings is at edge://settings. Internet Explorer (IE) should not be used for general web browsing or to access modern web applications.

firefox://settings is not the correct option for Firefox. A browser sign-in allows the user to synchronize settings between instances of the browser software on different devices.

29
Q

Why might you need to use a virus encyclopedia?

A

You might need to verify symptoms of infection. Also, if a virus cannot be removed automatically, you might want to find a manual removal method. You might also want to identify the consequences of infection—whether the virus might have stolen passwords, and so on.

29
Q

A security manager is setting up a password policy for users. Which of the following is the best security practice when it comes to passwords?

A. Password expiration
B. Length
C. Character mix
D. Personal information

A

B. Length

Length is preferable to the use of highly cryptic mixing of character types. It will take an attacker significantly longer to crack a passphrase rather than a much shorter but complex password.

The latest National Institute of Standards and Technology (NIST) guidance also deprecates password expiration except when a breach is discovered.

Requiring a mix of character types forces users into selecting easily masked substitutions (zero for the letter O, for instance) or makes passwords difficult to remember and causes users to write them down.

Users should choose a memorable phrase but should not use any personal information in the password. Anything that a threat actor could discover or guess should not be used in a password.

29
Q

A user visits a news site that they go to frequently, and the news articles are not updated but are the same as the day before. The user also hears complaints about people not having internet, which is odd since they are on their normal news site. What is most likely going on?

A. User is in private mode.
B. There are pop-up blockers.
C. User is on a different switch.
D. Page is cached.

A

D. Page is cached

By default, the browser will maintain a history of pages visited, cache files to speed up browsing, and save text typed into form fields. The page is most likely cached from the previous visit.

Private/incognito browsing mode disables the caching features of the browser so that no cookies, browsing history, form fields, passwords, or temp files will be stored when the session is closed.

Pop-up blockers prevent a website from creating dialogs or additional windows. The pop-up technique was often used to show fake antivirus and security warnings or other malicious and nuisance advertising.

While the user may be on a different switch than those complaining about not having internet, it is more likely that the user’s page is cached.

30
Q

A security administrator wants to set up anomalistic monitoring around behavioral-based user activity. Which of the following could the administrator implement for monitoring? (Select all that apply.)

A. Failed attempts
B. Login times
C. Concurrent logins
D. Screen lock

A

A. Failed attempts, B. Login times, and C. Concurrent logins

Monitoring login times is typically used to see if an account is logging in at an unusual time of the day or night or during the weekend.

Concurrent logins are another behavioral-based monitoring mechanism. Most users should only need to sign in to one computer at a time, so this sort of policy can help to prevent or detect misuse of an account.

Failed attempts can be a sign of malicious activity.

The timeout/screen lock locks the desktop if the system detects no user-input device activity. This is a sensible, additional layer of protection.

31
Q

A security analyst receives a notification of possible malware based on common indicators. After conducting several analyses, the analyst learns the malware used Windows PowerShell to create new malicious processes in the computer’s memory. What is the analyst’s computer likely infected with?

A. Fileless malware
B. Worm
C. Boot sector virus
D. Viruses

A

A. Fileless malware

Fileless malware refers to malicious code that uses the host’s scripting environment, such as Windows PowerShell or PDF JavaScript, to create new malicious processes in memory.

Worms replicate between processes in system memory rather than infecting an executable file stored on a disk.

Boot sector viruses infect the boot sector code or partition table on a disk drive. While this could be a possible option, memory-based malware running inside the code of another program is quite common.

Viruses are concealed within the code of an executable process image stored as a file on a disk. In Windows, executable code has extensions such as .EXE, .MSI, .DLL, .COM, .SCR, and .JAR.

32
Q

A security manager sets up a defense in depth mechanism and sets up monitoring to catch communications from the attacker to the malware. What is the manager monitoring for?

A. Spyware
B. C2
C. Keylogger
D. Rootkit

A

B. C2 (Command and Control)

Whether a backdoor is used as a standalone intrusion mechanism or to manage bots, the threat actor must establish a connection from the compromised host to a command and control (C2 or C&C) host or network.

Spyware is malware that can perform browser reconfigurations, such as allowing tracking cookies, changing default search providers, opening arbitrary pages at startup, adding bookmarks, and so on.

A keylogger is spyware that actively attempts to steal confidential information by recording keystrokes.

When dealing with a rootkit, administrators should be aware that there is the possibility that it can compromise system files and programming interfaces so that local shell processes no longer reveal their presence.

33
Q

A developer wants to create functionality for a web browser by making API calls on the back end. What should the developer build?

A. Plug-ins
B. Extension
C. Apps
D. Themes

A

B. Extension

34
Q

A security manager wants to set up a program where they can proactively mitigate malware infection as much as possible. Which of the following is least helpful in this endeavor?

A. User training
B. Scheduled scans
C. Update trusted root certificates
D. On-access scanning

A

C. Update trusted root certificates

Updating trusted root certificates is helpful in the overall defense-in-depth security strategy, but is least helpful in this scenario in preventing malware. It does play its part though.

An essential malware prevention follow-up action is effective user training. Untrained users represent a serious vulnerability because they are susceptible to social engineering and phishing attacks.

All security software supports scheduled scans. These scans can impact performance, however, so it is best to run them when the computer is otherwise unused.

Almost all security software is now configured to scan on-access. On-access means that the antivirus (A-V) software intercepts an operating system (OS) call to open a file and scans the file before allowing or preventing it from being opened.

35
Q

A security manager in charge of the vulnerability program for the enterprise is looking at mobile security. They are reading about a “walled garden” approach. What does this entail?

A. Autorun
B. Antivirus
C. Concurrent logins
D. Trusted source

A

D. Trusted source

Mobile OS vendors use this “walled garden” model of software distribution as well. Apps are distributed from an approved store, such as Apple’s App Store or the Windows Store.

One of the problems with legacy versions of Windows is that when an optical disc is inserted or a USB drive is attached, Windows would automatically run commands defined in an autorun.inf file.

Antivirus is software that can detect malware and prevent it from executing. The primary means of detection is to use a database of known virus patterns called definitions, signatures, or patterns.

Concurrent logins are another behavioral-based monitoring mechanism. Most users should only need to sign in to one computer at a time.

36
Q

A server administrator notices that a few servers in their screened subnet (demilitarized zone) went from around 5% central processing unit (CPU) utilization to 95%. They also notice the machines lack many patches. If malware infects the servers, what is the likely cause of the high CPU utilization?

A. Crypto-ransomware
B. Cryptomining software
C. Rogue antivirus
D. RAT

A

B. Cryptomining software

A cryptominer hijacks the resources of the host to perform cryptocurrency mining. This is also referred to as cryptojacking.

Ransomware is a type of malware that tries to extort money from the victim. Crypto-ransomware attempts to encrypt files on any fixed, removable, and network drive.

Rogue antivirus is a particularly popular way to disguise a Trojan. In the early versions of this attack, a website would display a pop-up disguised as a normal Windows dialog box with a fake security alert.

Modern malware is usually designed to implement some type of backdoor, also referred to as a remote access Trojan (RAT).

37
Q

A server administrator helps the human resources department build a new internal website for their new training platform that needs to remain secure. What will the administrator need to do to ensure the web page shows up as secure?

A. Adjust the firewall.
B. Configure browser sign-in.
C. Add trusted certificates.
D. Whitelist in the web application firewall.

A

C. Add trusted certificates

When using enterprise certificates for internal sites and a third-party browser, the administrator must ensure that the internal CA root certificate is added to the browser.

Unless the site is running a non-standard port, the firewall would not need to be adjusted. Normal web traffic operates off ports 80 and 443.

A browser sign-in allows the user to synchronize settings between instances of the browser software on different devices.

The site is internal so the administrator would not be able to adjust the training platform’s web application firewall. However, even if they could, this should not need to be configured.

38
Q

Lesson 8 Summary

A

Lesson 8 Summary

You should be able to configure workstation and Windows OS settings to meet best practices for security; install and configure secure browsers; and detect, remove, and prevent malware using the appropriate tools and best practice procedures.

Guidelines for Managing Security Settings

Follow these guidelines to support secure use of workstations and browsers:

  • Create checklists for deploying workstations in hardened configurations and monitoring continued compliance:
    • Password best practices (length and character complexity requirements, expiration requirements, and BIOS/UEFI passwords).
    • Account management policies (restrict user permissions, restrict login times, disable the guest account, use failed-attempts lockout, use timeout/screen lock, and disable AutoRun/AutoPlay).
    • Antivirus and firewall settings and updates, using built-in Windows Defender or third-party products.
    • File and/or disk encryption, using built-in EFS/BitLocker or third-party products.
    • Secure browser and extension/plug-in installation via trusted sources and configuration of security settings (pop-up blocker, clearing browsing data, clearing cache, private-browsing mode, sign-in/browser data synchronization, and ad blockers).
  • Develop training and awareness programs to support end-user best practices (use screensaver locks, log off when not in use, secure/protect critical hardware, and secure PII/passwords), threat awareness, and identification of secure connections/certificates.
  • Develop a knowledge base to classify malware types (Trojans, rootkits, viruses, spyware, ransomware, keyloggers, boot sector viruses, and cryptominers).
  • Develop a knowledge base to document tools (recovery mode, antivirus/anti-malware, software firewalls, and OS reinstallation) and steps to resolve common security symptoms (unable to access the network, desktop alerts, false alerts regarding antivirus protection, altered system or personal files, missing/renamed files, unwanted notifications within the OS, OS update failures, random/frequent pop-ups, certificate warnings, and redirection).
  • Apply the CompTIA best practice model for malware removal:
    1. Investigate and verify malware symptoms.
    2. Quarantine infected systems.
    3. Disable System Restore in Windows.
    4. Remediate infected systems: (a) update anti-malware software and (b) apply scanning and removal techniques (safe mode/preinstallation environment).
    5. Schedule scans and run updates.
    6. Enable System Restore and create a restore point in Windows.
    7. Educate the end user.
Additional practice questions for the topics covered in this lesson are available on the CompTIA Learning Center.