Messer Practice Exam 3

Question 1

What is an “EDR”?

Answer 1

Endpoint Detection and Response (EDR) is a security solution for end-user devices to protect against malicious software and threats.

Question 2

What does an “Evil Twin” do?

Answer 2

An access point designed to look exactly like access points on the network.

Common characteristics: similar SSID name, configuration settings, or placing it where users would expect to see one.

Question 3

What is “Code Signing”?

Answer 3

When an application developer digitally signs his code.

Used to validate that nothing has changed with the application code since it has been published.

Question 4

What is “TOTP”?

Answer 4

Time-based One-Time Password

An algorithm that provides a pseudo-random number as an authentication factor.

Question 5

What is “HOTP”?

Answer 5

HMAC (Hash Message Authentication Code)-based One-Time Password

an algorithm that provides an authentication factor based on a one-time password.

Question 6

Difference between TOTP and HOTP

Answer 6

TOTP: You get a password based on the time-of-day.

HOTP: you get a password based on a counter.

Question 7

What does “MTTR” stand for?

Answer 7

Mean Time to Restore

EXAMPLE: It takes approx. 6 hours to restore the system.

Question 8

What is a relatively common occurrence with non-credentialed network scans?

Answer 8

It is relatively common for vulnerability scans to show vulnerabilities that don’t actually exist, especially if the scans are not credentialed.

Just make sure to confirm that it is in fact a false positive, before dismissing the vulnerability notification.

Question 9

What is “Minimization”?

Answer 9

A data collection policy that limits the amount of personal or private information that can be gathered.

Question 10

What is “PCI DSS”?

Answer 10

Payment Card Industry Data Security Standard (PCI DSS)

It is a set of security rules and guidelines for storing credit card information.

Question 11

What is “SSAE SOC 2”?

Answer 11

Statement on Standards for Attestation Engagements, System and Organization Controls 2 (SSAE SOC 2).

An auditing standard for IT systems.

Question 12

What is “CSA CCM”?

Answer 12

Cloud Security Alliance Cloud Controls Matrix (CSA CCM)

Provides security information and guidelines for cloud-based applications.

Question 13

What is the main perk of a RTOS?

Answer 13

Real-Time Operating System (RTOS)

It can instantly react to input without any significant delays or queuing in the operating systems.

Question 14

What is “ICS” (Aka “SCADA”)?

Answer 14

Industrial Control System (ICS)
Supervisory Control and Data Acquisition System (SCADA)

A dedicated network used to manage and control manufacturing equipment, power generation equipment, water management systems, and other industrial machines.

Question 15

What is a “MFD”?

Answer 15

Multi-function Device (MFD)

Commonly associated with a device that can print, scan, and fax.

Question 16

What is “Certificate Pinning”?

Answer 16

It involves embedding the fingerprint of a certificate inside of an APPLICATIONNN, ensure that communication only occurs with trusted servers.

This extra layer of protection reduces the risk of Man-in-the-Middle attacks.

Question 17

What is the point of an “Offline CA”?

Answer 17

Its a common way to prevent the exploitation of a root authority.

Question 18

A security administrator is concerned that a user may have installed a rogue access point on the corporate network. Which of the following could be used to confirm this suspicion?

Answer 18

Switch Log - An analysis of switch interface activity would be able to identify any new devices and their MAC Addresses.

Question 19

What is “Certificate Chaining”?

Answer 19

The process of verifying digital certificates in a hierarchical manner to establish trust. It involves checking the chain of certificates starting from the end-entity certificate to the root certificate authority.

By ensuring each certificate in the chain is valid and trusted, it establishes integrity and security with communication.

Question 20

What is a “UTM Gateway”?

Answer 20

A Unified Threat Management (UTM) Gateway is an all-in-one device that provides firewall services, URL filtering, spam filtering, and more.

NOTE: From the UTM perspective, traffic from a rogue access point would look similar to all other network traffic.

Question 21

What is “XSS”?

Answer 21

Cross-Site Scripting (XSS)

Step 1: Attacker injects the websites with malicious scripts that will execute in another user’s browser.

Step 2: The malicious script is activated with each visit to the website.

Step 3 (Occasionally): In some attacks, the victim’s cookies are stolen, or private credentials are revealed.

EXAMPLE: A url contains

Question 22

What does “CSRF” do?

Answer 22

Cross-Site Request Forgery (CRSF)

Example:
Step 1: Perpetrator forges a request for a fund transfer to a website.

Step 2: Perpetrator embeds the request into a hyperlink and sends it to visitors who may be logged into the site.

Step 3: A visitor clicks on the link, inadvertently sending the request to the website.

Step 4: The website validates the request and transfers funds from the visitor’s account to the perpetrator.

Question 23

Main Reason to use “Tabletop exercise”?

Answer 23

It is a walk-through exercise where the disaster recovery process can be discussed in a conference room WITHOUT MAKING CHANGES TO EXISTING SYSTEMS/INFRASTRUCTURE!

Question 24

What does “HA” stand for and what does it mean?

Answer 24

High Availability (HA)

This means that the service should always be on an available.

Question 25

What does a “SIEM” do?

Answer 25

It consolidates data from devices on the network and provides log searching and reporting features.

Question 26

When do you use a “Static Code Analyzer”?

Answer 26

When evaluating the security of existing Source Code. It wouldn’t be useful for dynamic input validation. Manually writing input validation into your code is how you implement input validation.

Question 27

Sam, a user in the purchasing department, would like to send an email to Jack. Which of these would allow Jack to verify the sender of the email?

Answer 27

The sender of a message (Sam in this case_ digitally signs with their own private key to ensure integrity, authentication, and non-repudiation. The digital signature is validated with the sender’s public key.

Question 28

The contractor of a long-term temporary employee is ending. What would be one of the most critical part of the off-boarding process?

Answer 28

Archiving the decryption keys associated with the user’s account.

Without the decryption keys, it will be impossible to access any of the user’s protected files once they leave the company.

Question 29

What does a “Honeypot” do?

Answer 29

It simulates a production environment.

When attackers attempt to exploit the honeypot, their techniques and methods are logged. With these logs, administrators can gain additional insights into the attachks and processes used by attackers.

Question 30

What is a “Runbook”?

Answer 30

A runbook is like a bit of a cookbook that has detailed steps on how to perform a particular task.

Question 31

What is a “Playbook”?

Answer 31

A Playbook is the entire cookbook - it is a much broader description of tasks to follow should a particular event occur.

Example: If you want to recover from ransomware, there needs to be a playbook written that can describe all of the different steps that need to occur to remove that ransomware.

Question 32

What does “Zero Trust” mean?

Answer 32

Its a philosophy that considers all devices to be untrusted.

Question 33

Who labels objects when using Mandatory Access Control (MAC)?

Answer 33

The Administrator

Question 34

How does Role-Based Access Control (RBAC) work?

Answer 34

You assign rights and permissions to a group, then assign users to that group.

Question 35

Data-in-Transit

vs.

Data-in-Use

Answer 35

Data-In-Transit: This is data moving across the network.

Data-in-use: This is the memory of a system and is accessible to an application.

Question 36

What is a “MOU”?

Answer 36

Memorandum of Understanding (MOU)

An informal letter of intent. It is not a signed contract, and there are no contractual obligations associated with it.

Question 37

What is “Continuity Planning”?

Answer 37

It focuses on keeping the business running when a disruption occurs. Disaster recovery planning is a type of continuity plan.

ALWAYS go with the more specific option, if applicable.

Question 38

What is “Usage Auditing”?

Answer 38

It is used to determine how resources are used.

Example: A system administrator may perform a usage audit to determine which resources are used with a particular application or service.

Question 39

What does “SSO” offer?

Answer 39

It allows a user to authenticate one time and gain access to all assigned resources. No additional authentication is required after the SSO login process is complete.

Question 40

What is “Transitive Trust”?

Answer 40

If Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A trusts Domain C.

Question 41

What does a rootkit target?

Answer 41

A rootkit modifies operating system files to become part of the core OS.

Example: Targeting the kernel, user, and networking libraries in Windows are core operating system files.

Question 42

What is “Directory Traversal”?

Answer 42

It attempts to read or access files that are outside the scope of the web server’s file directory.

A giveaway is a pair of dots in a file path (..).

Example: http://example.com/show.asp?view=../../Windows/
system.ini HTTP/1.1

This example is an attempt to move back two parent directories before proceeding into the /Windows directory.

Question 43

What is “Continuous Deployment”?

Answer 43

Continuous Deployment automates every aspect of deploying software. After the developer creates the code, the testing and deployment process is completely hands-off and does not need any human intervention.

Question 44

What is “Continuous Integration”?

Answer 44

Code is constantly written and merged into the central repository many times each day.

Question 45

What is “Continuous Delivery”?

Answer 45

This automated the testing process, but it requires human intervention for the final deployment to production.

Question 46

What is a “Risk Heat Map” also known as?

Answer 46

Risk Heat Map

it is often presented as a graphical chart compairing the likelihood of risk with the consequence.

Question 47

What is a “Risk Register”?

Answer 47

it is Detailed identification and documentation of risk, the application of possible solutions, and ongoing monitoring of the risk at EACH STEP of a project.

Question 48

What is “Risk Control”?

Answer 48

it is an assessment that provides a Security Administrator with the information needed to build proper security controls for the documented risk.

Question 49

What is “Risk Awareness”?

Answer 49

It involves ongoing group discussions regarding cybersecurity.

Question 50

What is a interesting aspect of “TACACS”?

Answer 50

It is a flexible remote authentication protocol.

Question 51

What are two examples of weak encryption?

Answer 51

-DES (Data Encryption Standard)
-WEP (Wired Equivalent Privacy)

Question 52

What is “White Box” testing?

Answer 52

When all of the devices in the scope of the penetration test are made available to the attacker.

Question 53

What is an example of “Persistence”?

Answer 53

If a system has been exploited, it’s common for the attacker to create a normal user account or backdoor to maintain access if the vulnerability becomes patched.

Question 54

What is an “ECB”?

Answer 54

Electronic Code Book (ECB)

The “simplest encryption mode”. Its a block cipher mode where each block is encrypted with the same key.

Question 55

What is “HMAC”?

Answer 55

Hash-Based Message Authentication Code (HMAC)

A hashing algorithm commonly used with the AH field of IPsec.

Question 56

When should you use TCP?

Answer 56

For direction communication in which a reliable connection is needed.

Example: Web browsing, email, text messaging, and file transfers.

Question 57

When should you use UDP?

Answer 57

For situations where some data loss is acceptable, like live video/audio, or where speed is a critical factor like online gaming.

Question 58

What is the “Hybrid Cloud Model”?

Answer 58

It combines both private and public cloud infrastructures.

Question 59

What is a “Heuristic IPS”?

Answer 59

Uses artificial intelligence to identify attacks that have no prior signature.

Question 60

What is a “Behavior-based IPS”?

Answer 60

It will alert if a particular type of bad behavior occurs.

Example: signs of SQL injection, or someone trying to view
/etc/shadow” would indicate an attempt to gain access to a protected part of the file system.

Question 61

What is a “Signature-based IPS”?

Answer 61

It looks for a specific trafflic flow pattern, and once that traffic matches the signature the traffic can be blocked.

Question 62

What is SOMETHING that the “netstat” command be used for?

Answer 62

It can view inbound and outbound statistics for all connections to a device.

Question 63

In addition to read/write to a network, what else can the “netcat” command do?

Answer 63

It can be used to create an open connection on a device or to access a connection on a remote machine.

Question 64

What is SOMETHING that the “nmap” utility is used for?

Answer 64

It is commonly used to locate open ports and services running on a remote device.

Question 65

MITRE ATT&CK framework

Answer 65

It is a knowledge base that contains points of intrusions, methods used for attackers to move around, and a list of security techniques to prevent future attacks.

Question 66

Diamond Model

Answer 66

A way to summarize the AFTERMATH of an intrusion. It includes info about the adversary, capability, infrastructure, and the victim.

Question 67

What does ISO 27701 focus on?

Answer 67

What you already know, but also focuses on proceses associated with Privacy Information Management System (PIMS).

Question 68

Does the “Diffie-Hellman” process use symmetric or asymmetric encryption?

Answer 68

Asymmetric encryption

Question 69

What does “Memdump” do?

Answer 69

It is used to make a copy of everything stored in LOCAL system memory not local storage drives.

Question 70

What does “chmod” do?

Answer 70

The Linux chmod (change mode) command is used to modify the access rights and permissions of files stored on the system.

Question 71

What does “tcpdump” do?

Answer 71

It is used to capture and store network packets.

Question 72

What happens when 802.1X is enabled?

Answer 72

Devices connecting to the network do not gain access until they provide the correct authentication credentials.

It uses: Supplicants, Authenticators, and Authentication Servers.

Question 73

Another way to Summarize what a “Proxy” does

Answer 73

Proxys are commonly installed between the users and the external network. The proxy will intercept the user requests, make the requests on their behalf, and CACHE the results.

Question 74

What does a “WAF” really do?

Answer 74

A Web Application Firewall (WAF) examines user input to a browser-based application and allows or denies traffic based on the expected input. This is commonly used to prevent SQL injections, XSS and similar attacks.

Question 75

What CAN you use to configure a group of redundant web servers?

Answer 75

A Load Balancer

Question 76

What is “Obfuscation”?

Answer 76

The process of making something unclear and difficult to understand.

Question 77

What is “Confusion”?

Answer 77

The randomization of the encryption process should provide a very different result than the original plaintext. Confusion describes the drastic differences between the plaintext and the encrypted data.