Missed Test Questions Flashcards
3 Media Management / Control modes
- Simplex (one direction)
- Half-duplex (two way, but only one direction can send data at a time)
- Full-duplex (two way, in which data can be sent in both directions simultaneously)
Atomicity
Database principle that ensures transactions execute in an all or nothing fashion
First Thing a BCP Team should do
Business organization analysis
Best choice for an org that wants to enforce strong passwords, with most users having a single set of credentials
Single Sign On (SSO) - A mechanism that allows users to authenticate themselves only once and freely roam the network / access resources without having to be reauthenticated.
Disaster Recovery Plan
Full Interruption type of test
Test phase where the primary data center is shut down
Best choice for an admin installing an app on a Windows server. The app needs to run in the context of an account with specific privileges.
Service Account
End-of-Service (EOS) vs. End-of-Life (EOL)
EOS - when a vendor will no longer support a product
EOL - when a vendor will no longer offer a product for sale
Watermarking Digital Data
Method to embed unobtrusive labels in digital data. After they are embedded, other methods should be able to detect these labels
The process of digital watermarking hides information within a file that is known only to the file’s creator. If someone later creates an unauthorized copy of the content, the watermark can be used to detect the copy and (if uniquely watermarked files are provided to each original recipient) trace the offending copy back to the source.
Why would a company’s security policy state that user accounts should be disabled during the exit interview for any employee leaving the company?
To retain the employee’s decryption key
Under HIPAA when is it permissible to share PHI with a 3rd party vendor?
If the service provider enters into a business associate agreement
Which technologies are specifically defined as part of 802.11 wireless networking?
- WPA3
- SAE
- 802.11i
- WPS
Symmetric Encryption Table
AES/Rijndael
(Type, Algo Type, Block Size in bits, Key size in bits, Strength)
Type: Symmetric
Algo Type: Block Cipher
Block Size (bits): 128
Key Size (bits): 128, 192, 256
Strength: Strong
Network Controls
Quality of Service
QoS controls allow admins to prioritize different types of network traffic
What is a necessary requirement for an IT network that ensures accountability?
Audit Trails
Audit trails provide a record of events in audit logs. They include what happened and who did it. Users can be held accountable for their actions when the logs show what they did. Authentication (not available as a possible answer) is also necessary.
Misuse Case Testing
Where you develop a list of possible ways that an attacker may exploit the app, then try each scenario and see whether the app is actually vulnerable to that exploit
PCI DSS
Payment Card Industry Data Security Standard
Applies to orgs involved in storing, transmitting, and processing credit card info
Privileged Account Management
Method to identify when personnel are using elevated privileges, and detect violation of the least privilege principle
Privileged account management ensures that personnel do not have more privileges than they need and do not misuse their privileges. It can identify whether users have excessive privileges violating the least privilege principle. Security logs would be used, but not alone.
IPT
Integrated Product Teams (IPTs)
Introduced by the DoD in 1995 to bring together stakeholders and foster parallel decision making
Software Configuration Management (SCM)
Configuration Control
Portion of SCM process that ensures changes to software versions are made in accordance with the change control and configuration management policies
While traveling, a worker connects their company-issued computer to a hotel Wi-Fi network, rather than the cellular data service included with the system. After checking email, performing online research, posting a message to a company discussion forum, and updating their itinerary in the company scheduling service, they disconnect. A few days later, the company experiences an intrusion and trade secrets are stolen by an unknown attacker. The incident investigation revealed that the credentials used to gain access to the company during the breach belonged to the remote worker. What was the cause of the company compromise?
Not using the 4G or 5G link
The most likely cause of this incident was an acceptable use policy violation of not using the 4G/5G cellular service included on the mobile system. If a company-issued computer has a cellular data service, it is likely there is a prohibition of using open Wi-Fi networks.
ARP poisoning might have been involved in the attack if the adversary was in the same hotel and on the same Wi-Fi network as the victim, but this is not the primary reason the attack occurred.
Social Engineering Attack
Hoax
(3 major indicators)
A hoax is a social engineering attack that is attempting to trick a user into taking actions that will harm them through the use of fear that not taking action would actually cause harm.
- Lack of digital signature
- Threat of damage to computer system
- Encouragement to take specific steps to resolve
Characteristics NOT attributed to Hoax specifically
- Use of poor grammar
- Lack of correct spelling
- Claim to be from trusted authority
- Inclusion of hyperlinks
Benefits of IPv6 vs IPv4
IPv6
- Uses a 16-byte address
- Supports autoconfig without DHCP
- Supports QoS priority values
IPv4
- 32-bit address
- reserves a subnet for loopback
- requires NAT to convert between internal and external addresses
- Also supports QoS values, but the field is called Type of Service in the header
East-West Traffic & North-South Traffic
East-West Traffic: Flow that occurs within a specific network, data center, or cloud
North-South Traffic: Flow that occurs inbound or outbound between internal systems and external systems
Type of protocol that replaces certificate revocation lists with a real-time method of verifying the status of a digital certificate?
Online Certificate Status Protocol (OCSP)
Provides real time query / response services to digital cert users. This overcomes the latency inherent in the traditional cert revocation list download and cross check process.
Hot Site
Type of alternate processing facility that contains a full complement of computing equipment in working order with copies of data ready to go
What is the most important consideration when identifying the classification of assets?
The Value of the data it holds or processes
Remote Access Technique Examples
- Remote node operation
- Remote control
- Screen scraping
- Service specific
Attackers have exploited the KRBTGT account in an org’s domain. What will this allow them to do?
Create golden tickets
Attackers can create golden tickets with access to the Kerberos service account (KRBTGT).
Which “something you have” authentication factor doesn’t generate a password?
Smartcard
- Synchronous dynamic tokens / asynchronous dynamic tokens create passwords
- Authentication apps make PINs used as passwords
Parol Evidence Rule
States that when an agreement between parties is put into written form, the written doc is assumed to contain all the terms of the agreement, and no verbal agreements may modify the written agreement
A security manager is implementing techniques to prohibit rogue devices from gaining network access. After they install a NAC, what additional tool would be able to ensure that only known and authenticated systems gain connectivity?
IEEE 802.1X
provides port-based access control and is useful both on wired and wireless connections to block access to systems and users that are unknown or that fail authentication. It is a common companion to NAC implementations.
IEEE 802.11
A family of protocols that provides for wireless communications using radio frequency transmissions. Wireless networks based on this standard use either 2.4 GHz or 5 GHz frequencies to support communications. The wireless networks made possible by this standard are called Wi-Fi today.
Similarity between Network-based Intrusion Detection Systems (NIDSs) and Network-based Intrusion Prevention Systems (NIPSs)
NIDSs and NIPSs can both detect attacks using pattern-matching (also known as signature-based detection and knowledge-based detection).
A NIPS is placed inline with traffic and can prevent attacks from reaching an internal network. While a NIDS can be placed inline with the traffic, it isn’t placed inline by default.
Xavier has been tasked with redesigning the network in order to minimize the risk related to users in one department accessing the systems in another. Which of the following is not used to segment a network?
A. Screened subnet
B. VPN
C. VLAN
D. ISFW
A VPN is not a network segmentation technique; it is a secured encapsulation tunnel used to connect networks (or network segments) together.
Screened subnets, VLANs, and internal segmentation firewalls (ISFWs) are used to segment a network.
Which ports should be open to support TACACS+ and RADIUS?
UDP 1812 and TCP 49
Only with these ports open on the firewall between the WAP and the intranet will wireless endpoints be able to authenticate via ENT to one of these AAA services.
DREAD vs STRIDE
DREAD
- Damage potential
- Reproducibility
- Exploitability
- Affected users
- Discoverability
STRIDE
- Elevation of privilege
- Repudiation
- Denial of Service
Development Methodologies
Spiral Model
Seeks to iteratively produce new prototypes of a system during the development process.
What is NOT a best practice when pen testing?
Performing the attacks without management’s consent
You should never conduct a formal or informal penetration test against any company without the advanced knowledge and express consent of management.
Benefits of containerization / virtualization
- Allow for multiple concurrent applications within a single container
- Offer customization of interaction between applications in separate containers
3 things to help reduce vulns against fraud from malicious employees:
- Job rotation
- Separation of duties
- Mandatory vacations
Federation
Can include 2+ networks and allow users in each network to share network resources. Can provide SSO
3 Common types of alarms
- Deterrent
- Repellent
- Notification
Your company is planning to launch an e-commerce website. Management wants to ensure this website has adequate security controls in place before the site goes live. Administrators started with a baseline of security controls. What else should be a primary consideration related to security controls?
A. Identifying the data controller
B. Identifying the data processor
C. Selecting a standard
D. Preventing data loss
C. Selecting a standard
like PCI DSS
One problem that can result from incomplete sanitization?
Personnel can perform sanitization steps improperly.
Sanitization can be unreliable because personnel can perform the purging, degaussing, or other processes improperly.
How can an org treat data so that it can be transferred without GDPR compliance problems
Anonymization techniques remove all identifying data so that it is difficult to identify the original identities.
When done correctly, the GDPR no longer applies.
Pseudonymization is the process of replacing some data with an identifier, such as a pseudonym. An external dataset holds the original data along with the pseudonym. However, if applying pseudonymization techniques, the GDPR still applies.
What federal government agency has the authority to regulate the export of encryption software?
Bureau of Industry and Security (BIS) within the Department of Commerce sets regulations on the export of encryption products outside of the United States.
Benefits of NAT
- Hides internal IP addressing scheme
- Shares a few public internet addresses with a large number of internal clients
- Uses the private IP addresses from RFC 1918 on an internal network
Does NOT protect against brute-force attacks
Risk-based Access Control
It evaluates the environment and the situation and makes decisions to block traffic that is abnormal.
A risk-based access control model can be coded to block malicious traffic from infected IoT devices.
Write blocker
Hardware devices used to prevent the accidental writing of data to media that was collected as evidence
Ways to ensure effectiveness of security training
- Giving a quiz at the end
- Have workers take a test 6 months after
- Collect key security indicators that relate to insider security incidents over time
What is the most important concept in relation to layered security?
Series
When security restrictions are performed in a series, they are performed one after the other in a linear fashion. Therefore, a single failure of a security control does not render the entire solution ineffective. Multiple security controls are only important so you can use them in a series, rather than have only one protection.
Which of the following AAA services does Remote Authentication Dial-in User Service (RADIUS) provide?
RADIUS provides
- authentication,
- authorization
- accounting
What is the most important rule to follow when collecting evidence?
Avoid the modification of evidence during the collection process
Adam recently ran a network port scan of a web server running in his organization. He ran the scan from an external network to get an attacker’s perspective on the scan. Which one of the following results is the greatest cause for alarm?
A. 80/open
B. 22/filtered
C. 443/open
D. 1433/open
D. 1433/open
Company proprietary data are discovered on a public social media posting by the CEO. While investigating, a significant number of similar emails were discovered to have been sent to employees, which included links to malicious sites. Some employees report that they had received similar messages to their personal email accounts as well. What improvements should the company implement to address this issue? (Choose two.)
A. Deploy a web application firewall.
B. Block access to personal email from the company network.
C. Update the company email server.
D. Implement multifactor authentication (MFA) on the company email server.
E. Perform an access review of all company files.
F. Prohibit access to social networks on company equipment.
B. Block access to personal email from the company network.
F. Prohibit access to social networks on company equipment.
There are many aspects of security controls you need to evaluate, but the primary issues include being able to process significant amounts of data in short periods of time, controlling which applications can access which assets, and being able to prohibit VM sprawl or repetition of operations. Which of the following is not relevant to this selection process?
A. Collections of entities, typically users, but can also be applications and devices, which can be granted or denied access to perform specific tasks or access certain resources or assets
B. A VDI or VMI instance that serves as a virtual endpoint for accessing cloud assets and services
C. The ability of a cloud process to use or consume more resources (such as compute, memory, storage, or networking) when needed
D. A management or security mechanism able to monitor and differentiate between numerous instances of the same VM, service, app, or resource
B. A VDI or VMI instance that serves as a virtual endpoint for accessing cloud assets and services
What is the minimum age a child must be before companies can collect personal identifying information from them without parental consent under COPPA?
13
Trademark Icons
®
® symbol is reserved for trademarks that have received official registration status by the U.S. Patent and Trademark Office.
Trademark Icons
™
The ™ symbol would be used before receiving USPTO approval.
Trademark Icons
©
The © symbol is used to represent a copyright.
Trademark Icons
†
The † symbol is not associated with intellectual property protections.
Main action taken at remediation stage of incident response
Root Cause Analysis
OpenID Connect (OIDC)
uses the OAuth framework (described in RFC 6749) and is maintained by the OpenID Foundation. RFC 6749 describes OAuth and is maintained by the Internet Engineering Task Force (IETF).
It is an authentication solution for a website that allows users to authenticate with a third party. The website doesn’t see or store the user’s credentials.
Test Coverage Analysis Technique
Branch Coverage
Evaluates whether every if statement has been executed under all if and else conditions.
Test Coverage Analysis Technique
Condition coverage
Condition coverage tests whether every logical test in the code has been executed under all sets of input.
Test Coverage Analysis Technique
Function coverage
Function coverage verifies that every function in the code has been called and returned results.
Test Coverage Analysis Technique
Loop coverage
Loop coverage verifies that every loop in the code has been executed under conditions that cause code execution multiple times, only once, and not at all.
Distributed Computing Environment Interface Definition Language (DCE IDL)
There are numerous examples of DCE IDLs or frameworks, such as
- remote procedure calls (RPC),
- the Common Object Request Broker Architecture (CORBA),
- and the Distributed Component Object Model (DCOM)
Control Objectives for Information and Related Technologies (COBIT)
a documented set of best IT security practices crafted by ISACA and the IT Governance Institute (ITGI).
With Agile, how often should business users be involved in development?
Daily
What is the purpose of a Kerberos Ticket-Granting Ticket (TGT)?
A TGT provides proof that a subject has authenticated with a key distribution center (KDC) and can request network service access.
- The TGT does verify the existence of a user account, but it does much more.
- It proves the user has authenticated and can request a ticket.
- A ticket (not a ticket-granting ticket) is an encrypted message that proves a user can access an object.
VM Escape Protection
VM escaping occurs when software within a guest OS is able to breach the isolation protection provided by the hypervisor in order to violate the container of other guest OSs or to infiltrate a host OS.
- This is a serious concern that must be addressed before full deployment into production of this new infrastructure solution.
Distributed Data Model
The distributed data model has data stored in more than one database, but the data is still logically connected.
- The user perceives the database as a single entity, even though it comprises numerous parts interconnected over a network.
Open Database Connectivity (ODBC)
a database feature that allows applications to communicate with different types of databases without having to be directly programmed for interaction with each type.
- ODBC acts as a proxy between applications and backend database drivers, giving application programmers greater freedom in creating solutions without having to worry about the backend database system.
Attribute-Based Access Control (ABAC)
ABAC model can require user devices to meet specific requirements, such as being up-to-date with a current operating system.
Commonly used for SDNs
Internet Security Association and Key Management Protocol (ISAKMP)
an element of Internet Key Exchange (IKE), is used to organize and manage the encryption keys that have been generated and exchanged by OAKLEY and SKEME.
- A security association is the agreed-on method of authentication and encryption used by two entities (a bit like a digital keyring).
- ISAKMPs’ use of security associations is what enables IPsec to support multiple simultaneous VPNs from each host.
Encapsulating Security Payload (ESP)
provides confidentiality and integrity of packet contents. ESP provides encryption and limited authentication, and prevents replay attacks.
Secure Key Exchange Mechanism (SKEME)
an element of Internet Key Exchange (IKE), is a means of exchanging keys securely.
Authentication Header (AH)
provides assurances of message integrity and nonrepudiation.
- AH also provides authentication and access control, and prevents replay attacks.
Jen is conducting a review of privileged account activity and does not have time to review 100% of accounts. What technique would be the best way to conduct this review?
A. Review the first 20% of accounts alphabetically
B. Review the 20% of accounts most recently used
C. Review a random sample of 20% of accounts
D. Review the 20% of accounts least recently used
C. Review a random sample of 20% of accounts
Temporary internet files or the internet files cache is the temporary storage of files downloaded from internet sites that are being held by the client’s utility (typically a browser) for current and possibly future use. What type of attack is possible if an adversary is able to gain access to this cache? (Choose all that apply.)
A. Split-response attack
B. Cache poisoning
C. Identity theft
D. DOM XSS
A. Split-response attack
B. Cache poisoning
D. DOM XSS
Split-response attacks
cause the client to download content and store it in the cache that was not an intended element of a requested web page. Once files have been poisoned in the cache, then even when a legitimate web document calls on a cached item, the malicious item will be activated.
Radio Frequency Identification (RFID)
is effectively a field-powered proximity device.
- RFID does not use a magnet, but an antenna to generate current from a magnetic field provided by an external source.
Alan conducted a vulnerability scan of a system and discovered that it is susceptible to a SQL injection attack. Which one of the following ports would an attacker most likely use to carry out this attack?
A. 443
B. 565
C. 1433
D. 1521
A. 443
While SQL injection attacks do target databases, they do so by using web servers as intermediaries. Therefore, SQL injection attacks take place over web ports, such as 80 and 443, and not database ports, such as 1433 and 1521.
OpenVAS
network vulnerability scanning tool that searches systems for known vulnerabilities while minimizing damage caused during the assessment.
DevSecOps
DevSecOps approach integrates software development, cybersecurity, and operations into a single approach where the teams work closely together.
Network Time Protocol (NTP)
may be used to synchronize the clocks of all devices in an organization with a centralized source, improving the ability to correlate log entries from different sources.
Security governance
Type of security management that should include acquisitions, divestitures, and governance committees.
IPsec
a security protocol that automatically performs reauthentication of the client system throughout the connected session in order to detect session hijacking.
What evidence standard do most civil investigations follow?
A. Beyond a reasonable doubt
B. Beyond the shadow of a doubt
C. Preponderance of the evidence
D. Clear and convincing evidence
C. Preponderance of the evidence
Primary purpose of information classification processes?
To identify security classifications for sensitive data and define the requirements to protect it.
- Information classification processes will typically include requirements to protect sensitive data at rest (in backups and stored on media), but not requirements for backing up and storing all data.
A security auditor recently completed an account access review. Which of the following privileged accounts did they most likely include? (Choose two.)
A. User accounts
B. Root accounts
C. Service accounts
D. Guest accounts
B. Root accounts
C. Service accounts
- Regular user accounts and guest accounts aren’t granted elevated privileges.
cold site
is any facility that provides only the physical space for recovery operations while the organization using the space provides its own hardware and software systems.
- backup facility is large enough to support current operational capacity and load but lacks the supportive infrastructure
scoping process
removes controls from a suggested baseline list of controls.
Primary benefit of job rotation and separation of duties policies
Preventing Fraud
When you install a new wireless access point to extend your company’s network into a newly opened portion of the building, someone raises the concern of interference between the existing Wi-Fi network and the new extension. What media access technology is used by 802.11 networks to manage collisions?
A. Token passing
B. CSMA/CD
C. CSMA/CA
D. Polling
C. CSMA/CA
- IEEE 802.11 wireless networks use Carrier-Sense Multiple Access with Collision Avoidance (CSMA/CA) to manage (technically avoid) collisions. Ethernet (IEEE 802.3) uses Carrier-Sense Multiple Access with Collision Detection (CSMA/CD). Token Ring networks used token passing. Polling is used by some mainframe systems.
Which of the following algorithms/protocols provides inherent support for nonrepudiation?
A. HMAC
B. ECDSA
C. MD5
D. SHA-1
B. ECDSA
Elliptic Curve Digital Signature Algorithm (ECDSA) is the only one of the algorithms listed here that supports true digital signatures, providing integrity verification and nonrepudiation.
Which one of the following disaster types is not usually covered by standard business insurance?
A. Earthquake
B. Flood
C. Fire
D. Theft
B. Flood
- Most general business insurance and homeowner’s insurance policies do not provide any protection against the risk of flooding or flash floods. If floods pose a risk to your organization, you should consider purchasing supplemental flood insurance under FEMA’s National Flood Insurance Program.
You’ve performed a standard quantitative risk analysis on a specific threat/vulnerability/risk relation. You select a possible countermeasure. When performing the calculations again, which of the following factors will change?
A countermeasure primarily affects the annualized rate of occurrence (ARO), because the countermeasure is designed to prevent (or mitigate or reduce) the occurrence of the risk, thus reducing its frequency per year.
Familiarity (attacks)
Familiarity or liking as a social engineering principle attempts to exploit a person’s native trust in that which is familiar.
- This could include claiming to know a coworker even when that person doesn’t exist.
How many threads can run on a dual core processor?
2
You need to run networking cables between two office buildings. Between the buildings are several electrical boxes that manage the primary power for the entire business park. Which of the following cable types is the worst option to use?
A. Wireless
B. UTP
C. STP
D. Fiber
B. UTP
- UTP is the least resistant to EMI because it is unshielded. STP is a shielded form of twisted pair that resists EMI. Fiber is not affected by terrestrial EMI. Wireless is not a cable, but it could be affected by EMI if the interference occurred in the wireless transmission frequencies.
Playbook vs Runbook
A playbook is a document or checklist that defines steps taken to validate an incident and steps taken in response to an incident. A runbook implements the checklists from a playbook.
VLAN (virtual LAN)
is a hardware-imposed network segmentation created by switches that requires a routing function to support communication between different segments.
John is configuring a router that will stand between the network 10.8.6.0/24 and the internet. He would like to configure egress filtering rules to minimize the potential of malicious hackers originating a DDoS attack from his network. What type of traffic should be filtered out to help achieve this goal?
A. Inbound traffic with a source private IP address
B. Outbound traffic with a destination private IP address
C. Inbound traffic with a source address in the range 10.8.6.0/24
D. Outbound traffic with a source address outside the range 10.8.6.0/24
D. Outbound traffic with a source address outside the range 10.8.6.0/24
Although it is true that John would probably want to filter out all of these types of traffic for various reasons, he would be specifically interested in filtering out outbound traffic with an address not belonging to his network (10.8.6.0/24) to achieve his stated goal of stopping malicious hackers originating a DDoS attack from his network. The other options are all forms of false addressing or spoofing filtering, but they don’t address the issue in this scenario.
SOC 3 audit engagements
SOC 3 engagements assess the organization’s controls that affect the security and privacy of information stored in a system. The results of a SOC 3 audit are intended for public disclosure.
What type of attack can be used against cryptographic algorithms that do not incorporate temporal protections?
A. Chosen plaintext attack
B. Meet-in-the-middle attack
C. Man-in-the-middle attack
D. Replay attack
D. Replay attack
In a replay attack, the malicious individual intercepts an encrypted message between two parties (often a request for authentication) and then later replays the captured message to open a new session. Challenge-response protocols and the use of ephemeral session keys also provide protection against replay attacks.
Mutual authentication
ensures that a server provides authentication before the client provides authentication.
- This prevents employees from revealing their credentials to rogue servers.
A mission-critical server has experienced a compromise that caused it to go offline for seven hours. This nearly caused the organization to go out of business. After the attack, investigations revealed malicious code that would have corrupted the core database, but it was coded poorly and did not execute. This incident has caused the organization to rethink their security precautions against compromise, downtime, and disaster events. In order to prevent future downtime or at least reduce it significantly, which of the following technologies should be deployed? (Choose all that apply.)
A. FDE
B. RAID
C. UPS
D. Dual power supplies
E. Offsite backups of system images and snapshots
F. MFA
G. SIEM
H. Replication
I. Clustering
B. RAID
C. UPS
D. Dual power supplies
E. Offsite backups of system images and snapshots
H. Replication
I. Clustering
For this scenario, many different redundancy, resiliency, or uptime management options should be considered. This includes option B: Redundant array of inexpensive disks (RAID) to maintain data availability; option C: Uninterruptible power supply (UPS) to protect against power issues; option D: Dual power supplies to provide redundancy against power supply failures; option E: Offsite backups to provide a recovery path in the event of a major disaster; option H: Replication to ensure multiple similar servers are hosting cloned material so that no matter which server is accessed the most current version of data is available; and option I: Clustering that is used to operate numerous servers as a collective to support a single or primary resource and provide high availability. The following options are incorrect for this scenario: option A: Full-disk encryption (FDE), though a good security practice, is not related to redundancy, resiliency, or uptime management; option F: Multifactor authentication (MFA), though a good security practice, is not related to redundancy, resiliency, or uptime management; and option G: Security information and event management (SIEM) is a centralized application to automate the monitoring of network systems, which is a good security practice, but is not related to redundancy, resiliency, or uptime management.