Messer Practice Exam 2

Question 1

A security administrator has performed an audit of the organizations web servers, and the results have identified banner information leakage, web services running from a privileged account, and inconsistencies with SSL certificates. Which of the following would be the BEST way to resolve these issues?

Answer 1

Server Hardening - Many applications and services include secure configuration guides that can assist in hardening the system. These hardening steps will make the system as secure as possible while simultaneously allowing the application to run efficiently. All of the identified issues were the result of server configurations.

Question 2

A shipping company stores information in small regional warehouses around the country. The company keeps an IPS online at each warehouse to watch for suspicious traffic patterns. Which of the following would BEST describe the security control used at the warehouse?

Answer 2

If preventative is not an option, default to the best available option. In this case it was Detective, because an IPS can detect and record any intrusion attempt.

Question 3

What is a “Compensating” security control?

Answer 3

It can’t prevent an attack, but it can compensate when an attack occurs.

For example, a compensating control would be the re-imaging process or a server restored from backup if an attack had been identified.

Question 4

Who is a “Data Owner”?

Answer 4

The data owner is accountable for specific data, and is often a senior officer of the organization.

Example: The Vice President of Sales is the Data Owner of the sales data.

Question 5

Who is a “Data Protection Officer”?

Answer 5

The Data Protection Officer (DPO) is responsible for the organization’s data privacy. The DPO commonly sets processes and procedures for maintaining the privacy of data.

Question 6

Who is a “Data Steward/Custodian”?

Answer 6

The Data Steward/Custodian manages access rights to the data.

Example: The IT team of a Company would be the Data Steward/Custodian.

Question 7

Who is a “Data Processor”?

Answer 7

The Data Processor is often a third-party that processess data on behalf of the data controller.

Question 8

Who is a “Data Controller”?

Answer 8

A Data Controller is responsible for data collection responsibilities.

These responsibilities include: collecting individuals’ consent, storing the data, managing consent-revoking, and enabling the right to access. They ensure all data processed within their organization is compliant with the GDPR.

Example: Lets look at the payroll process within an organization. There’s probably a payroll department within your company, and they’re considered to be the Data Controller. Because they’re the ones that define how much people get paid, and when they get paid. BUT it is very common for a company to work with a third party to actually process the payroll, and that would be a third-party payroll company. They’re considered to be the data processor.

Question 9

What does “GDPR” stand for?

Answer 9

General Data Protection Regulation

Question 10

What does “IaaS” provide?

Answer 10

It’s a type of cloud service that provides the basic hardware required to install an OS and application.

Question 11

What is a “Watering Hole Attack”?

Answer 11

A watering hole attack requires users to visit a central website or LOCATION.

Question 12

What is “SIAM”?

Answer 12

Service Integration and Management (SIAM) allows the integration of many different service providers into a single management system. This simplifies the application management and deployment process when using separate cloud providers.

Question 13

What is “SDN”?

Answer 13

Software-Defined Networking (SND) separates the control plane of networking devices from the data plane. This allows for more automation and dynamic changes to the infrastructure.

Example: Network virtualization

Question 14

What is “Federation”?

Answer 14

Federation provides a way to authenticate and authorize between two different roganizations.

Question 15

What is “Accounting” in cybersecurity?

Answer 15

Accounting will document information regarding a user’s session, such as login time, data sent and received, files transferred, and logout time.

Question 16

What is a “Ping Scan”?

Answer 16

A Pig Scan is a type of network scan that can identify devices connected to the network. It is not a penetration test.

Question 17

What is “Orchestration”?

Answer 17

The process of automating the configuration, maintenance, and operation of an application instance.

Question 18

What is “Wireshark”?

Answer 18

Wireshark is a protocol analyzer, and it can provide information about every frame that traverses the network. It can show the exploitation process and details about the payloads used during an attack attempt.

Question 19

What is “Nessus”?

Answer 19

Nessus is a vulnerability scanner that can help identify potential exploit vectors, but its not useful for showing active exploitation attempts.

Question 20

What is “DNSSEC”?

Answer 20

Domain Name System Secure Extensions (DNSSEC) are used on DNS servers to validate DNS responses using public key cryptography.

Question 21

What is “RBAC”?

Answer 21

Role-Based Access Control (RBAC) restricts access based on a person’s role within an organization.

Question 22

What is “MAC”?

Answer 22

Mandatory Access Control (MAC) is when the operating system provides the limits on how much access someone will have to a particular object.

This is generally based on Clearance Levels!

Question 23

What is “DAC”?

Answer 23

Discretionary Access Control (DAC). The person who creates the object get to set the controls for it.

Example: If you create an excel sheet, you get to determine exactly who has access.

Question 24

What is “ABAC”?

Answer 24

Attribute-Based Access Control (ABAC) allows us to create very complex relationships between the applications we’re using and the data that is used by those applications.

Example: ABAC authorization may consider your IP Address, the time of day, your geographic locations, etc. to determine access.

Question 25

What is “RuBAC”?

Answer 25

Rule-Based Access Control (RuBAC) manages access to areas, devices, or databases.

We often seen them used in firewalls.

Question 26

What is a “Jump Server”?

Answer 26

A Jump Server is a highly secured device commonly used to access secure areas of ANOTHER network.

A technician would first connect to the Jump Server using SSH or a VPN tunnel, and then “jump” from the Jump Server to other devices on the inside of the protected network.

Question 27

What is a “HSM”?

Answer 27

A Hardware Security Module (HSM) is a secure method of cryptographic key backup and hardware-based cryptographic offloading.

Question 28

What is “NAC”?

Answer 28

Network Access Control (NAC) is a broad term describing access control based on a heath check or posture assessment.

NAC will deny access to devices that don’t meet the minimum security requirements.

Question 29

What is “RTO”?

Answer 29

Recovery Time Objective (RTO) defines the minimum time to get up and running to a particular service level.

Example: System restored within 24 hours.

Question 30

What is “RPO”?

Answer 30

Recovery Point Objective (RPO) defines how much data loss would be acceptable during a recovery.

Example: We accept the lose of up to 48 hours of data.

Question 31

What is “MTTR”?

Answer 31

Mean Time to Repair (MTTR) is the time required to repair a product or system after a failure.

Question 32

What is “MTBF”?

Answer 32

Mean Time Between Failures (MTBF) is the average time expected between outages.

Usually and estimation based on the internal device components and their expected operational lifetime.

Question 33

What is a “WAF”?

Answer 33

Web Application Firewall (WAF) is used to protect exploits against web-based applications.

Question 34

What is a “Proxy”?

Answer 34

A proxy is used to make network or application requests on behalf of another person or device.

Question 35

What is “RADIUS”?

Answer 35

Remote Authentication Dial-In User Service (RADIUS) is a common method of centralizing authentication for users.

Instead of having separate local accounts on different devices, users can authenticate with account information that is maintained in a centralized database.

Question 36

What is the downfall of MS-CHAP?

Answer 36

The vulnerabilities related to the use of DES (Data Encryption Standard) make it relatively easy to brute force the hash used.

Question 37

What is “PAP”?

Answer 37

Password Authentication Protocol

Question 38

What is “IPsec”?

Answer 38

It is commonly used as an encrypted tunnel between sites or endpoints.

Question 39

A recent security audit has discovered email addresses and passwords located in a packet capture. What does this audit identify?

Answer 39

It identifies “Insecure Protocols”. An insecure protocol will transmit information “in the clear,” or without any type of encryption or protection.

Question 40

What security issue is associated with WPS?

Answer 40

Wi-Fi Protected Setup (WPS) is vulnerable to brute-force attacks because its PIN only has 11,000 possible iterations.

Question 41

What is “Threat Transfer”?

Answer 41

Assign or move the risk to a third-party.

Example: Cyber Liability Insurance

Question 42

What is “Threat Mitigation”?

Answer 42

Reduce the likelihood or impact of risk.

Example: If an organization was to purchase additional backup facilities and update their backup processes to include offline backup storage, they would be mitigating the risk of a ransomware infection.

Question 43

What is “Threat Avoidance/Reduction”?

Answer 43

Completely eliminate or forego risk.

Question 44

What is “Threat Acceptance”?

Answer 44

Acknowledge the risk and choose not to resolve, transfer or mitigate.

Question 45

An IPS report shows a series of exploit attempts were made against externally facing web servers. The system administrator of the web servers has identified a number of unusual log entries on each system. Which of the following would be the NEXT step in the incident response process.

Answer 45

Disconnect the web servers from the network. In this scenario, the unusual log entries on the web server indicate that the system may have been exploited. In this situation, the servers should be isolated to prevent access to or from those systems.

Question 45

An IPS report shows a series of exploit attempts were made against externally facing web servers. The system administrator of the web servers has identified a number of unusual log entries on each system. Which of the following would be the NEXT step in the incident response process.

Answer 45

Disconnect the web servers from the network. In this scenario, the unusual log entries on the web server indicate that the system may have been exploited. In this situation, the FIRST step should be to prevent access to or from those systems.

Question 46

What is “MMS Install”?

Answer 46

It is a text message that prompts to install and application, and links to either google play or the app store. It is definitely not sideloading.

Question 47

What are “OTA Updates”?

Answer 47

Over the Air (OTA) updates are commonly provided from the carrier and are NOT part of mobile app installations.

Example: Apple OS update.

Question 48

RAID 0

Answer 48

Min Number of Drives/Discs: (Mininum of 2)

Fault Tolerance: None

Striping: Yes

Mirroring: No

Parity Data: No

Question 49

RAID 1

Answer 49

Min Number of Drives/Discs: (ONLY 2)

Fault Tolerance: RAID-1 continues to operate even if one drive fails.

Striping: No

Mirroring: Yes

Parity Data: No

Question 50

RAID 5

Answer 50

Min Number of Drives/Discs: (Minimum 3)

Fault Tolerance: RAID-5 continues to operate even if one drive fails.

Striping: Yes

Mirroring: No

Parity Data: Yes

Question 51

RAID 6

Answer 51

Min Number of Drives/Discs: (Minimum 4)

Fault Tolerance: RAID-6 continues to operate even if two drives fail.

Striping: Yes

Mirroring: No

Parity Data: Double Parity

Question 52

RAID 10 (Combines RAID 1 and RAID 0)

Answer 52

Min Number of Drives/Discs: (Minimum 4)

Fault Tolerance: RAID-10 continues to operate even if two drives fail.

Striping: Yes

Mirroring: Yes

Parity Data: No

Question 53

What does “Weak Cipher Suite” imply?

Answer 53

A weak cipher suite implies that the cryptography used in a system may be circumvented or decrypted.

Question 54

What is a “NULL-pointer dereference”?

Answer 54

This take places when a pointer with a value of NULL is used as though it pointed to a valid memory area. This is a programming issue that causes application crashes and a potential denial of service.

Question 55

What is “NIC teaming” used for?

Answer 55

Network Interface Card (NIC) teaming can be used for redundant network paths from a server.

Question 56

Incremental Backup vs Differential Backup

Answer 56

Incremental Backup - Only includes the data that has changed since the previous incremental backup.

Differential Backup - contains all of the data that has changed since the last full backup.

Question 57

What is “Load Balancing”?

Answer 57

Load balancers provide a way to manage busy services by increasing the number of available servers and balancing the load between them.

Question 58

What does “CSR” stand for?

Answer 58

Certificate Signing Request

Question 59

What is “OCSP Stapling”?

Answer 59

Online Certificate Status Protocol (OCSP) Stapling allows a certificate holder to verify their own status and avoid client Internet traffic by storing the status information on an internal server and “stapling” the OCSP status into the SSL/TLS handshake.

It lessens required bandwith by removing an unnecssary seperate “conversation”.

Question 60

What does a “ESP” do?

Answer 60

Encapsulation Security Payload (ESP) protocol encrypts data that transverses an IPsec VPN tunnel.

Question 61

What does an “AH” do?

Answer 61

Authentication Headers (AH) are used to hash packet data for additional data integrity.

Question 62

What does “Diffie-Hellman” do?

Answer 62

Diffie-Hellman is an algorithm used for two devices to create identical shared keys without transferring those keys across the network.

Question 63

Anonymization vs. Masking

Answer 63

Anonymization changes data to remove or replace identifiable information. For example, an anonymized purchase history database might change the first and last names to random values but keep the purchase information intact.

Question 64

What does the “ARP” do?

Answer 64

The Address Resolution Protocol (ARP) command shows a mapping of IP addresses to local MAC addresses. This information doesn’t provide any detailed location information outside of the local IP subnet.

Question 65

What does “Tracert (traceroute)” do?

Answer 65

It provides a summary of hops between two devices.

Example: tracert can be used to determine the local ISP’s IP addresses and more information about the physical location of the attacker.

Question 66

What does “ipconfig” do?

Answer 66

It shows the IP address configuration of a local device, but doesn’t provide any information about a remote computer.

Question 67

What is “Metasploit”?

Answer 67

Metasploit is an exploitation framework that can use known vulnerabilities to gain access to remote systems.

It performs penetration tests and can verify the existence of a vulnerability.

Question 68

What is “FTK Imager”?

Answer 68

This is a third-party storage drive imaging tool and it can support many different drive types and encryption methods.

It DOES NOT identify vulnerabilities.

Question 69

What is “Autopsy”?

Answer 69

Autopsy is a forensics tool that can view and recover data from storage devices.

It DOES NOT identify vulnerabilities.

Question 70

What is a “SLA”?

Answer 70

Service Level Agreements (SLA) are contracts that specify the minimum terms for provides services.

It’s common to include uptime, response times, and other service metrics in an SLA.

Question 71

What is “SAE”?

Answer 71

Simultaneous Authentication fo Equals (SAE) is a password-based authentication and password-authenticated key agreement method.

It is commonly used with WPA3 to provide enhanced security.

Question 72

What is “802.1X”?

Answer 72

802.1X is a standard for authentication using AAA (Authentication, Authorization and Accounting) services.

It is commonly used in conjuction with LDAP or RADIUS.

Question 73

What does “AAA” stand for?

Answer 73

Authentication, Authorization, and Accounting

Question 74

What does the following error messageindicate?

“The Credentials provided by the server could not be validated.”

Answer 74

The client computer does not have the proper certificate installed.

This indicates that the CA that signed the server’s certificate is either different than the CA certificate installed on the client’s workstation, or the client workstation does not have an installed copy of the CA’s certificate.

This validation process ensures that the client is communicating to a trusted server and there are no man-in-the-middle attacks occurring.

Question 75

What is a main point of using a Certificate?

Answer 75

If someone attempts an on-path attack, the certificate presented will not validate and a warning message will appear in the browser.

Question 76

What is the “NIST RMF” and what does it stand for?

Answer 76

National Institute of Standards and Technology (NIST) Risk Management Framework (RMF).

It is a guide to help understand, manage, and rate the risks found in an organization.

Question 76

What is a “Replay Attack”?

Answer 76

An attacker captures the original non-encrypted (plaintext) content, then resends it to misdirect the receiver into doing what the hacker wants.

Question 77

What are the common protocols used to support 802.1X authentication?

Answer 77

-LDAP
-RADIUS
-TACACS+
-Kerberos

Question 78

When would you need to solely rely on host-based systems/software?

Answer 78

If a laptop/device is not communicating across the corporate network.

Example: An employee is using their laptop to circumvent the corporate Internet security controls through the use of a cellular hotspot.

Question 79

What is the purpose of “Netflow logs”?

Answer 79

NetFlow information can provide a summary of network traffic, application usage, and details of network conversations.

The NetFlow logs will show all conversations from a device to any others in the network.

Question 80

“In-Band” vs “Out-of-Band”

Answer 80

In-Band: Inside your network.

Out-of-Band: Outside your network.

Question 81

What are the 6 Steps of the IR Process?

Answer 81

6 Steps of the Incident Response (IR) Process:

1) Preparation
2) Identification
3) Containment
4) Eradication
5) Recovery
6) Lessons Learned

Question 82

What are TWO main reasons to use TPM when configuring full-disk encryption?

Answer 82

A TPM is physical hardware that is part of a motherboard:

-It uses burned-in cryptographic keys
-It includes built-in protections against brute-force attacks.

Question 83

What is “Rule-based Access Control”

Answer 83

Access is determined based on a series of system-enforced rules.

Example: An access rule might require that a particular browser be used to complete a web page form, or that access to a file or system is only allowed during certain times of the day.

Question 84

What is “Mandatory Access Control”?

Answer 84

Access is determined based on a series of security levels.

Example: Public, private, secret

Question 85

What is “Discretionary Access Control”?

Answer 85

Allows the owner of an object to assign access.

Example: If a user creates a spreadsheet, the user can then assign users and groups to have a particular level of access to that spreadsheet.

Question 86

What is “Role-based Access Control”?

Answer 86

Access is determined based on a users role within an organization.

Question 87

What security control would prevent internal systems from connecting with servers in the data center network?

Answer 87

Access control lists, not IPS because they are INTERNAL SYSTEMS that are already on the network!

Question 88

What is another term for “Unknown Environment”?

Answer 88

Black-Box

Question 89

What is “ALE”?

Answer 89

Annual Loss Expectancy (ALE) is the expected cost for all events in a single year.

Example: If it costs $1,000 to replace a single laptop (the SLE) and you expect to lose seven laptops in a year (ARO), the ALE for laptop theft is $7,000.

Question 90

What is “SLE”?

Answer 90

Single Loss Expectancy (SLE) is the monetary loss if a single event occurs.

Example: if one laptop is stolen, the cost to replace that single laptop is $1,000.

Question 91

What is “ARO”?

Answer 91

Annualized Rate of Occurence (ARO) describes the number of instances that an event would occur in a year.

Example: If the organization expects to lose 7 laptops to theft in a year, the ARO for laptop theft is 7.

Question 92

What is a general order for gathering evidence from a server that was part of a security breach? (and why?!)

Answer 92

1) CPU Registers: these can change millions of times a second.

2) Routing Table: these update themselves every 30 seconds.

3) Temporary Files: these are only stored while an application is in use - may only be available for a few minutes.

4) Event Logs: these are generally stored for a few hours.

5) Backup Tapes: these can be stored for years.

Question 93

What is a common use of “hashing”?

Answer 93

To store a password on an authentication server.

Question 94

What is a common use of a “digital signature”?

Answer 94

To verify a sender’s identity.

Question 95

What is a common use of “encryption”?

Answer 95

To protect private information sent over a n insecure channel.

Question 96

What is a common use of “key escrow”?

Answer 96

Use a secondary decryption key, storing it with a 3rd party.

Question 97

What is a common use of a “Certificate Authority”?

Answer 97

Trust a website without prior contact with the site owner.

Question 98

What is a common use of “Perfect Forward Secrecy”?

Answer 98

Use a different encryption key for each session.

Question 99

What is a “Stateful Firewall”?

Answer 99

A Stateful firewall learns as it operates, which enables it to make protection decisions based on what has happened in the past.

It can log the behavior of attacks and then use that information to better prevent future attempts.

Question 100

What is a “Stateless Firewall”?

Answer 100

This is an older style of firewall that doesn’t have any idea about flows of communication - Aka it doesn’t know that when you make a request to a web server, that there is going to be a response from that web server. It treats everything as a one way, one trip communication.

Question 101

Cyber Kill Change Steps (In order)

Answer 101

1) Recon
2) Weaponize
3) Delivery
4) Exploit
5) Install
6) Command & Control (C2)
7) Action on Objectives