Messer Practice Exam 2 Flashcards
A security administrator has performed an audit of the organization's web servers, and the results have identified banner information leakage, web services running from a privileged account, and inconsistencies with SSL certificates. Which of the following would be the BEST way to resolve these issues?
Server Hardening - Many applications and services include secure configuration guides that can assist in hardening the system. These hardening steps will make the system as secure as possible while simultaneously allowing the application to run efficiently. All of the identified issues were the result of server configurations.
A shipping company stores information in small regional warehouses around the country. The company keeps an IPS online at each warehouse to watch for suspicious traffic patterns. Which of the following would BEST describe the security control used at the warehouse?
If preventative is not an option, default to the best available option. In this case it was Detective, because an IPS can detect and record any intrusion attempt.
What is a “Compensating” security control?
It can’t prevent an attack, but it can compensate when an attack occurs.
For example, a compensating control would be the re-imaging process or a server restored from backup if an attack had been identified.
Who is a “Data Owner”?
The data owner is accountable for specific data, and is often a senior officer of the organization.
Example: The Vice President of Sales is the Data Owner of the sales data.
Who is a “Data Protection Officer”?
The Data Protection Officer (DPO) is responsible for the organization’s data privacy. The DPO commonly sets processes and procedures for maintaining the privacy of data.
Who is a “Data Steward/Custodian”?
The Data Steward/Custodian manages access rights to the data.
Example: The IT team of a Company would be the Data Steward/Custodian.
Who is a “Data Processor”?
The Data Processor is often a third party that processes data on behalf of the data controller.
Who is a “Data Controller”?
A Data Controller is responsible for data collection.
These responsibilities include: collecting individuals' consent, storing the data, managing consent revocation, and enabling the right to access. They ensure all data processed within their organization is compliant with the GDPR.
Example: Let's look at the payroll process within an organization. There's probably a payroll department within your company, and they're considered to be the Data Controller, because they're the ones that define how much people get paid and when they get paid. BUT it is very common for a company to work with a third party to actually process the payroll, and that would be a third-party payroll company. They're considered to be the Data Processor.
What does “GDPR” stand for?
General Data Protection Regulation
What does “IaaS” provide?
It’s a type of cloud service that provides the basic hardware required to install an OS and application.
What is a “Watering Hole Attack”?
A watering hole attack requires users to visit a central website or LOCATION.
What is “SIAM”?
Service Integration and Management (SIAM) allows the integration of many different service providers into a single management system. This simplifies the application management and deployment process when using separate cloud providers.
What is “SDN”?
Software-Defined Networking (SDN) separates the control plane of networking devices from the data plane. This allows for more automation and dynamic changes to the infrastructure.
Example: Network virtualization
What is “Federation”?
Federation provides a way to authenticate and authorize between two different organizations.
What is “Accounting” in cybersecurity?
Accounting will document information regarding a user’s session, such as login time, data sent and received, files transferred, and logout time.
What is a “Ping Scan”?
A Ping Scan is a type of network scan that can identify devices connected to the network. It is not a penetration test.
What is “Orchestration”?
The process of automating the configuration, maintenance, and operation of an application instance.
What is “Wireshark”?
Wireshark is a protocol analyzer, and it can provide information about every frame that traverses the network. It can show the exploitation process and details about the payloads used during an attack attempt.
What is “Nessus”?
Nessus is a vulnerability scanner that can help identify potential exploit vectors, but it's not useful for showing active exploitation attempts.
What is “DNSSEC”?
Domain Name System Security Extensions (DNSSEC) is used on DNS servers to validate DNS responses using public key cryptography.
What is “RBAC”?
Role-Based Access Control (RBAC) restricts access based on a person’s role within an organization.
What is “MAC”?
Mandatory Access Control (MAC) is when the operating system provides the limits on how much access someone will have to a particular object.
This is generally based on Clearance Levels!
What is “DAC”?
Discretionary Access Control (DAC): the person who creates the object gets to set the controls for it.
Example: If you create an Excel sheet, you get to determine exactly who has access.
What is “ABAC”?
Attribute-Based Access Control (ABAC) allows us to create very complex relationships between the applications we’re using and the data that is used by those applications.
Example: ABAC authorization may consider your IP address, the time of day, your geographic location, etc. to determine access.
What is “RuBAC”?
Rule-Based Access Control (RuBAC) manages access to areas, devices, or databases.
They are often used in firewalls.
What is a “Jump Server”?
A Jump Server is a highly secured device commonly used to access secure areas of ANOTHER network.
A technician would first connect to the Jump Server using SSH or a VPN tunnel, and then “jump” from the Jump Server to other devices on the inside of the protected network.
What is a “HSM”?
A Hardware Security Module (HSM) is a secure method of cryptographic key backup and hardware-based cryptographic offloading.
What is “NAC”?
Network Access Control (NAC) is a broad term describing access control based on a health check or posture assessment.
NAC will deny access to devices that don’t meet the minimum security requirements.
What is “RTO”?
Recovery Time Objective (RTO) defines the minimum time to get up and running to a particular service level.
Example: System restored within 24 hours.
What is “RPO”?
Recovery Point Objective (RPO) defines how much data loss would be acceptable during a recovery.
Example: We accept the loss of up to 48 hours of data.
What is “MTTR”?
Mean Time to Repair (MTTR) is the time required to repair a product or system after a failure.
What is “MTBF”?
Mean Time Between Failures (MTBF) is the average time expected between outages.
Usually an estimate based on the internal device components and their expected operational lifetime.
What is a “WAF”?
A Web Application Firewall (WAF) is used to protect web-based applications against exploits.
What is a “Proxy”?
A proxy is used to make network or application requests on behalf of another person or device.
What is “RADIUS”?
Remote Authentication Dial-In User Service (RADIUS) is a common method of centralizing authentication for users.
Instead of having separate local accounts on different devices, users can authenticate with account information that is maintained in a centralized database.
What is the downfall of MS-CHAP?
The vulnerabilities related to the use of DES (Data Encryption Standard) make it relatively easy to brute force the hash used.
What is “PAP”?
Password Authentication Protocol
What is “IPsec”?
It is commonly used as an encrypted tunnel between sites or endpoints.
A recent security audit has discovered email addresses and passwords located in a packet capture. What does this audit identify?
It identifies “Insecure Protocols”. An insecure protocol will transmit information “in the clear,” or without any type of encryption or protection.
What security issue is associated with WPS?
Wi-Fi Protected Setup (WPS) is vulnerable to brute-force attacks because its PIN only has 11,000 possible iterations.
What is “Threat Transfer”?
Assign or move the risk to a third-party.
Example: Cyber Liability Insurance
What is “Threat Mitigation”?
Reduce the likelihood or impact of risk.
Example: If an organization was to purchase additional backup facilities and update their backup processes to include offline backup storage, they would be mitigating the risk of a ransomware infection.
What is “Threat Avoidance/Reduction”?
Completely eliminate or forego risk.
What is “Threat Acceptance”?
Acknowledge the risk and choose not to resolve, transfer or mitigate.
An IPS report shows a series of exploit attempts were made against externally facing web servers. The system administrator of the web servers has identified a number of unusual log entries on each system. Which of the following would be the NEXT step in the incident response process?
Disconnect the web servers from the network. In this scenario, the unusual log entries on the web server indicate that the system may have been exploited. In this situation, the servers should be isolated to prevent access to or from those systems.
What is “MMS Install”?
It is a text message that prompts the user to install an application, and links to either Google Play or the App Store. It is definitely not sideloading.
What are “OTA Updates”?
Over the Air (OTA) updates are commonly provided from the carrier and are NOT part of mobile app installations.
Example: Apple OS update.
RAID 0
Min Number of Drives/Discs: (Minimum of 2)
Fault Tolerance: None
Striping: Yes
Mirroring: No
Parity Data: No
RAID 1
Min Number of Drives/Discs: (ONLY 2)
Fault Tolerance: RAID-1 continues to operate even if one drive fails.
Striping: No
Mirroring: Yes
Parity Data: No
RAID 5
Min Number of Drives/Discs: (Minimum 3)
Fault Tolerance: RAID-5 continues to operate even if one drive fails.
Striping: Yes
Mirroring: No
Parity Data: Yes
RAID 6
Min Number of Drives/Discs: (Minimum 4)
Fault Tolerance: RAID-6 continues to operate even if two drives fail.
Striping: Yes
Mirroring: No
Parity Data: Double Parity
RAID 10 (Combines RAID 1 and RAID 0)
Min Number of Drives/Discs: (Minimum 4)
Fault Tolerance: RAID-10 continues to operate even if two drives fail.
Striping: Yes
Mirroring: Yes
Parity Data: No
What does “Weak Cipher Suite” imply?
A weak cipher suite implies that the cryptography used in a system may be circumvented or decrypted.
What is a “NULL-pointer dereference”?
This takes place when a pointer with a value of NULL is used as though it pointed to a valid memory area. This is a programming issue that causes application crashes and a potential denial of service.
What is “NIC teaming” used for?
Network Interface Card (NIC) teaming can be used for redundant network paths from a server.
Incremental Backup vs Differential Backup
Incremental Backup - Only includes the data that has changed since the previous incremental backup.
Differential Backup - contains all of the data that has changed since the last full backup.
What is “Load Balancing”?
Load balancers provide a way to manage busy services by increasing the number of available servers and balancing the load between them.
What does “CSR” stand for?
Certificate Signing Request
What is “OCSP Stapling”?
Online Certificate Status Protocol (OCSP) Stapling allows a certificate holder to verify their own status and avoid client Internet traffic by storing the status information on an internal server and “stapling” the OCSP status into the SSL/TLS handshake.
It lessens the required bandwidth by removing an unnecessary separate "conversation".
What does a “ESP” do?
The Encapsulating Security Payload (ESP) protocol encrypts data that traverses an IPsec VPN tunnel.
What does an “AH” do?
Authentication Headers (AH) are used to hash packet data for additional data integrity.
What does “Diffie-Hellman” do?
Diffie-Hellman is an algorithm used for two devices to create identical shared keys without transferring those keys across the network.
Anonymization vs. Masking
Anonymization changes data to remove or replace identifiable information. For example, an anonymized purchase history database might change the first and last names to random values but keep the purchase information intact.
What does the “ARP” do?
The Address Resolution Protocol (ARP) command shows a mapping of IP addresses to local MAC addresses. This information doesn’t provide any detailed location information outside of the local IP subnet.
What does “Tracert (traceroute)” do?
It provides a summary of hops between two devices.
Example: tracert can be used to determine the local ISP’s IP addresses and more information about the physical location of the attacker.
What does “ipconfig” do?
It shows the IP address configuration of a local device, but doesn’t provide any information about a remote computer.
What is “Metasploit”?
Metasploit is an exploitation framework that can use known vulnerabilities to gain access to remote systems.
It performs penetration tests and can verify the existence of a vulnerability.
What is “FTK Imager”?
This is a third-party storage drive imaging tool and it can support many different drive types and encryption methods.
It DOES NOT identify vulnerabilities.
What is “Autopsy”?
Autopsy is a forensics tool that can view and recover data from storage devices.
It DOES NOT identify vulnerabilities.
What is a “SLA”?
Service Level Agreements (SLA) are contracts that specify the minimum terms for provided services.
It’s common to include uptime, response times, and other service metrics in an SLA.
What is “SAE”?
Simultaneous Authentication of Equals (SAE) is a password-based authentication and password-authenticated key agreement method.
It is commonly used with WPA3 to provide enhanced security.
What is “802.1X”?
802.1X is a standard for authentication using AAA (Authentication, Authorization and Accounting) services.
It is commonly used in conjunction with LDAP or RADIUS.
What does “AAA” stand for?
Authentication, Authorization, and Accounting
What does the following error message indicate?
“The Credentials provided by the server could not be validated.”
The client computer does not have the proper certificate installed.
This indicates that the CA that signed the server’s certificate is either different than the CA certificate installed on the client’s workstation, or the client workstation does not have an installed copy of the CA’s certificate.
This validation process ensures that the client is communicating to a trusted server and there are no man-in-the-middle attacks occurring.
What is a main point of using a Certificate?
If someone attempts an on-path attack, the certificate presented will not validate and a warning message will appear in the browser.
What is the “NIST RMF” and what does it stand for?
National Institute of Standards and Technology (NIST) Risk Management Framework (RMF).
It is a guide to help understand, manage, and rate the risks found in an organization.
What is a “Replay Attack”?
An attacker captures the original non-encrypted (plaintext) content, then resends it to misdirect the receiver into doing what the hacker wants.
What are the common protocols used to support 802.1X authentication?
-LDAP
-RADIUS
-TACACS+
-Kerberos
When would you need to solely rely on host-based systems/software?
If a laptop/device is not communicating across the corporate network.
Example: An employee is using their laptop to circumvent the corporate Internet security controls through the use of a cellular hotspot.
What is the purpose of “Netflow logs”?
NetFlow information can provide a summary of network traffic, application usage, and details of network conversations.
The NetFlow logs will show all conversations from a device to any others in the network.
“In-Band” vs “Out-of-Band”
In-Band: Inside your network.
Out-of-Band: Outside your network.
What are the 6 Steps of the IR Process?
6 Steps of the Incident Response (IR) Process:
1) Preparation
2) Identification
3) Containment
4) Eradication
5) Recovery
6) Lessons Learned
What are TWO main reasons to use TPM when configuring full-disk encryption?
A TPM is physical hardware that is part of a motherboard:
-It uses burned-in cryptographic keys
-It includes built-in protections against brute-force attacks.
What is “Rule-based Access Control”
Access is determined based on a series of system-enforced rules.
Example: An access rule might require that a particular browser be used to complete a web page form, or that access to a file or system is only allowed during certain times of the day.
What is “Mandatory Access Control”?
Access is determined based on a series of security levels.
Example: Public, private, secret
What is “Discretionary Access Control”?
Allows the owner of an object to assign access.
Example: If a user creates a spreadsheet, the user can then assign users and groups to have a particular level of access to that spreadsheet.
What is “Role-based Access Control”?
Access is determined based on a user's role within an organization.
What security control would prevent internal systems from connecting with servers in the data center network?
Access control lists, not IPS because they are INTERNAL SYSTEMS that are already on the network!
What is another term for “Unknown Environment”?
Black-Box
What is “ALE”?
Annual Loss Expectancy (ALE) is the expected cost for all events in a single year.
Example: If it costs $1,000 to replace a single laptop (the SLE) and you expect to lose seven laptops in a year (ARO), the ALE for laptop theft is $7,000.
What is “SLE”?
Single Loss Expectancy (SLE) is the monetary loss if a single event occurs.
Example: if one laptop is stolen, the cost to replace that single laptop is $1,000.
What is “ARO”?
Annualized Rate of Occurrence (ARO) describes the number of instances that an event would occur in a year.
Example: If the organization expects to lose 7 laptops to theft in a year, the ARO for laptop theft is 7.
What is a general order for gathering evidence from a server that was part of a security breach? (and why?!)
1) CPU Registers: these can change millions of times a second.
2) Routing Table: these update themselves every 30 seconds.
3) Temporary Files: these are only stored while an application is in use - may only be available for a few minutes.
4) Event Logs: these are generally stored for a few hours.
5) Backup Tapes: these can be stored for years.
What is a common use of “hashing”?
To store a password on an authentication server.
What is a common use of a “digital signature”?
To verify a sender’s identity.
What is a common use of “encryption”?
To protect private information sent over an insecure channel.
What is a common use of “key escrow”?
Use a secondary decryption key, storing it with a 3rd party.
What is a common use of a “Certificate Authority”?
Trust a website without prior contact with the site owner.
What is a common use of “Perfect Forward Secrecy”?
Use a different encryption key for each session.
What is a “Stateful Firewall”?
A Stateful firewall learns as it operates, which enables it to make protection decisions based on what has happened in the past.
It can log the behavior of attacks and then use that information to better prevent future attempts.
What is a “Stateless Firewall”?
This is an older style of firewall that doesn't have any idea about flows of communication, i.e. it doesn't know that when you make a request to a web server, there is going to be a response from that web server. It treats everything as a one-way, one-trip communication.
Cyber Kill Chain Steps (In order)
1) Recon
2) Weaponize
3) Delivery
4) Exploit
5) Install
6) Command & Control (C2)
7) Action on Objectives