Messer Practice Exam 3 Flashcards
What is an “EDR”?
Endpoint Detection and Response (EDR) is a security solution for end-user devices to protect against malicious software and threats.
What does an “Evil Twin” do?
An access point designed to look exactly like access points on the network.
Common characteristics: similar SSID name, configuration settings, or placing it where users would expect to see one.
What is “Code Signing”?
When an application developer digitally signs his code.
Used to validate that nothing has changed with the application code since it has been published.
What is “TOTP”?
Time-based One-Time Password
An algorithm that provides a pseudo-random number as an authentication factor.
What is “HOTP”?
HMAC (Hash Message Authentication Code)-based One-Time Password
An algorithm that provides an authentication factor based on a one-time password.
Difference between TOTP and HOTP
TOTP: You get a password based on the time-of-day.
HOTP: You get a password based on a counter.
What does “MTTR” stand for?
Mean Time to Restore
EXAMPLE: It takes approx. 6 hours to restore the system.
What is a relatively common occurrence with non-credentialed network scans?
It is relatively common for vulnerability scans to show vulnerabilities that don’t actually exist, especially if the scans are not credentialed.
Just make sure to confirm that it is in fact a false positive, before dismissing the vulnerability notification.
What is “Minimization”?
A data collection policy that limits the amount of personal or private information that can be gathered.
What is “PCI DSS”?
Payment Card Industry Data Security Standard (PCI DSS)
It is a set of security rules and guidelines for storing credit card information.
What is “SSAE SOC 2”?
Statement on Standards for Attestation Engagements, System and Organization Controls 2 (SSAE SOC 2).
An auditing standard for IT systems.
What is “CSA CCM”?
Cloud Security Alliance Cloud Controls Matrix (CSA CCM)
Provides security information and guidelines for cloud-based applications.
What is the main perk of a RTOS?
Real-Time Operating System (RTOS)
It can instantly react to input without any significant delays or queuing in the operating system.
What is “ICS” (Aka “SCADA”)?
Industrial Control System (ICS)
Supervisory Control and Data Acquisition System (SCADA)
A dedicated network used to manage and control manufacturing equipment, power generation equipment, water management systems, and other industrial machines.
What is a “MFD”?
Multi-function Device (MFD)
Commonly associated with a device that can print, scan, and fax.
What is “Certificate Pinning”?
It involves embedding the fingerprint of a certificate inside of an APPLICATION, ensuring that communication only occurs with trusted servers.
This extra layer of protection reduces the risk of Man-in-the-Middle attacks.
What is the point of an “Offline CA”?
It's a common way to prevent the exploitation of a root authority.
A security administrator is concerned that a user may have installed a rogue access point on the corporate network. Which of the following could be used to confirm this suspicion?
Switch Log - An analysis of switch interface activity would be able to identify any new devices and their MAC Addresses.
What is “Certificate Chaining”?
The process of verifying digital certificates in a hierarchical manner to establish trust. It involves checking the chain of certificates starting from the end-entity certificate to the root certificate authority.
By ensuring each certificate in the chain is valid and trusted, it establishes the integrity and security of the communication.
What is a “UTM Gateway”?
A Unified Threat Management (UTM) Gateway is an all-in-one device that provides firewall services, URL filtering, spam filtering, and more.
NOTE: From the UTM perspective, traffic from a rogue access point would look similar to all other network traffic.
What is “XSS”?
Cross-Site Scripting (XSS)
Step 1: Attacker injects the website with malicious scripts that will execute in another user's browser.
Step 2: The malicious script is activated with each visit to the website.
Step 3 (Occasionally): In some attacks, the victim’s cookies are stolen, or private credentials are revealed.
EXAMPLE: A url contains
What does “CSRF” do?
Cross-Site Request Forgery (CSRF)
Example:
Step 1: Perpetrator forges a request for a fund transfer to a website.
Step 2: Perpetrator embeds the request into a hyperlink and sends it to visitors who may be logged into the site.
Step 3: A visitor clicks on the link, inadvertently sending the request to the website.
Step 4: The website validates the request and transfers funds from the visitor’s account to the perpetrator.
Main Reason to use “Tabletop exercise”?
It is a walk-through exercise where the disaster recovery process can be discussed in a conference room WITHOUT MAKING CHANGES TO EXISTING SYSTEMS/INFRASTRUCTURE!
What does “HA” stand for and what does it mean?
High Availability (HA)
This means that the service should always be on and available.
What does a “SIEM” do?
It consolidates data from devices on the network and provides log searching and reporting features.
When do you use a “Static Code Analyzer”?
When evaluating the security of existing Source Code. It wouldn’t be useful for dynamic input validation. Manually writing input validation into your code is how you implement input validation.
Sam, a user in the purchasing department, would like to send an email to Jack. Which of these would allow Jack to verify the sender of the email?
The sender of a message (Sam in this case) digitally signs with their own private key to ensure integrity, authentication, and non-repudiation. The digital signature is validated with the sender's public key.
The contract of a long-term temporary employee is ending. What would be one of the most critical parts of the off-boarding process?
Archiving the decryption keys associated with the user’s account.
Without the decryption keys, it will be impossible to access any of the user’s protected files once they leave the company.
What does a “Honeypot” do?
It simulates a production environment.
When attackers attempt to exploit the honeypot, their techniques and methods are logged. With these logs, administrators can gain additional insights into the attacks and processes used by attackers.
What is a “Runbook”?
A runbook is a bit like a cookbook that has detailed steps on how to perform a particular task.
What is a “Playbook”?
A Playbook is the entire cookbook - it is a much broader description of tasks to follow should a particular event occur.
Example: If you want to recover from ransomware, there needs to be a playbook written that can describe all of the different steps that need to occur to remove that ransomware.
What does “Zero Trust” mean?
It's a philosophy that considers all devices to be untrusted.
Who labels objects when using Mandatory Access Control (MAC)?
The Administrator
How does Role-Based Access Control (RBAC) work?
You assign rights and permissions to a group, then assign users to that group.
Data-in-Transit vs. Data-in-Use
Data-In-Transit: This is data moving across the network.
Data-in-use: This is the memory of a system and is accessible to an application.
What is a “MOU”?
Memorandum of Understanding (MOU)
An informal letter of intent. It is not a signed contract, and there are no contractual obligations associated with it.
What is “Continuity Planning”?
It focuses on keeping the business running when a disruption occurs. Disaster recovery planning is a type of continuity plan.
ALWAYS go with the more specific option, if applicable.
What is “Usage Auditing”?
It is used to determine how resources are used.
Example: A system administrator may perform a usage audit to determine which resources are used with a particular application or service.
What does “SSO” offer?
It allows a user to authenticate one time and gain access to all assigned resources. No additional authentication is required after the SSO login process is complete.
What is “Transitive Trust”?
If Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A trusts Domain C.
What does a rootkit target?
A rootkit modifies operating system files to become part of the core OS.
Example: The kernel, user, and networking libraries in Windows are core operating system files that a rootkit may target.
What is “Directory Traversal”?
It attempts to read or access files that are outside the scope of the web server’s file directory.
A giveaway is a pair of dots in a file path (..).
Example: http://example.com/show.asp?view=../../Windows/system.ini HTTP/1.1
This example is an attempt to move back two parent directories before proceeding into the /Windows directory.
What is “Continuous Deployment”?
Continuous Deployment automates every aspect of deploying software. After the developer creates the code, the testing and deployment process is completely hands-off and does not need any human intervention.
What is “Continuous Integration”?
Code is constantly written and merged into the central repository many times each day.
What is “Continuous Delivery”?
This automates the testing process, but it requires human intervention for the final deployment to production.
What is a “Risk Heat Map” also known as?
Risk Heat Map
It is often presented as a graphical chart comparing the likelihood of a risk with its consequence.
What is a “Risk Register”?
It is the detailed identification and documentation of risk, the application of possible solutions, and ongoing monitoring of the risk at EACH STEP of a project.
What is “Risk Control”?
It is an assessment that provides a Security Administrator with the information needed to build proper security controls for the documented risk.
What is “Risk Awareness”?
It involves ongoing group discussions regarding cybersecurity.
What is an interesting aspect of "TACACS"?
It is a flexible remote authentication protocol.
What are two examples of weak encryption?
-DES (Data Encryption Standard)
-WEP (Wired Equivalent Privacy)
What is “White Box” testing?
When all of the devices in the scope of the penetration test are made available to the attacker.
What is an example of “Persistence”?
If a system has been exploited, it’s common for the attacker to create a normal user account or backdoor to maintain access if the vulnerability becomes patched.
What is an “ECB”?
Electronic Code Book (ECB)
The "simplest encryption mode". It's a block cipher mode where each block is encrypted with the same key.
What is “HMAC”?
Hash-Based Message Authentication Code (HMAC)
A hashing algorithm commonly used with the AH field of IPsec.
When should you use TCP?
For direct communication in which a reliable connection is needed.
Example: Web browsing, email, text messaging, and file transfers.
When should you use UDP?
For situations where some data loss is acceptable, like live video/audio, or where speed is a critical factor like online gaming.
What is the “Hybrid Cloud Model”?
It combines both private and public cloud infrastructures.
What is a “Heuristic IPS”?
Uses artificial intelligence to identify attacks that have no prior signature.
What is a “Behavior-based IPS”?
It will alert if a particular type of bad behavior occurs.
Example: signs of SQL injection, or someone trying to view "/etc/shadow", would indicate an attempt to gain access to a protected part of the file system.
What is a “Signature-based IPS”?
It looks for a specific traffic flow pattern, and once that traffic matches the signature the traffic can be blocked.
What is SOMETHING that the "netstat" command can be used for?
It can view inbound and outbound statistics for all connections to a device.
In addition to read/write to a network, what else can the “netcat” command do?
It can be used to create an open connection on a device or to access a connection on a remote machine.
What is SOMETHING that the “nmap” utility is used for?
It is commonly used to locate open ports and services running on a remote device.
MITRE ATT&CK framework
It is a knowledge base that contains points of intrusion, methods used by attackers to move around, and a list of security techniques to prevent future attacks.
Diamond Model
A way to summarize the AFTERMATH of an intrusion. It includes info about the adversary, capability, infrastructure, and the victim.
What does ISO 27701 focus on?
What you already know, but it also focuses on processes associated with a Privacy Information Management System (PIMS).
Does the “Diffie-Hellman” process use symmetric or asymmetric encryption?
Asymmetric encryption
What does “Memdump” do?
It is used to make a copy of everything stored in LOCAL system memory, not local storage drives.
What does “chmod” do?
The Linux chmod (change mode) command is used to modify the access rights and permissions of files stored on the system.
What does “tcpdump” do?
It is used to capture and store network packets.
What happens when 802.1X is enabled?
Devices connecting to the network do not gain access until they provide the correct authentication credentials.
It uses: Supplicants, Authenticators, and Authentication Servers.
Another way to Summarize what a “Proxy” does
Proxies are commonly installed between the users and the external network. The proxy will intercept the user requests, make the requests on their behalf, and CACHE the results.
What does a “WAF” really do?
A Web Application Firewall (WAF) examines user input to a browser-based application and allows or denies traffic based on the expected input. This is commonly used to prevent SQL injections, XSS and similar attacks.
What CAN you use to configure a group of redundant web servers?
A Load Balancer
What is “Obfuscation”?
The process of making something unclear and difficult to understand.
What is “Confusion”?
The randomization of the encryption process should provide a very different result than the original plaintext. Confusion describes the drastic differences between the plaintext and the encrypted data.