Overall Flashcards
Trivial File Transfer Protocol (TFTP) port
Port 69
File Transfer Protocol (FTP) port
Port 20/21
Network Time Protocol (NTP) port
Port 123
Simple Mail Transfer Protocol (SMTP) port
Port 25
Simple Network Management Protocol (SNMP) v3
Uses UDP port 161, 162
Remote Desktop Protocol (RDP)
UDP/TCP port 3389
File Transfer Protocol Secure or SSL (FTP/S) port
Port 989, 990
SSH or Secure File Transfer Protocol (S/FTP) port
Port 22
Terminal Access Controller Access Control System (TACACS) port
Port 49
Kerberos port
Port 88
Microsoft SQL Server port
1433
Lightweight Directory Access Protocol (LDAP)
port 389 (TCP/UDP)
Lightweight Directory Access Protocol SSL (LDAP/S) port
Port 636
HTTP port
port 80
HTTPS port
Port 443 (uses SSL/TLS)
Telnet port
port 23
SSH port
port 22
NetBIOS port
ports 137-139
Secure Copy Protocol (SCP) port
Port 22 (uses SSH)
Post Office Protocol (POP) port
port 110
A user notifies you that a software application displays advertisements while the application is executing. Of which security threat is this an example?
ADWARE - software application that displays advertisements while the application is executing.
A tunneling protocol that provides secure authentication and data encryption.
IPSEC (Internet Protocol Security)
A network management protocol that allows communication between network devices and a management console.
SNMP (Simple Network Management Protocol)
A File transfer protocol that uses SSH for security
SFTP (SSH or Secure File Transfer Protocol)
A file transfer protocol that uses SSL for security
FTPS (File Transfer Protocol Secure/SSL)
Software that monitors and tracks your activities. Collects cookies and reports on a user's activities.
Spyware
A program that spreads itself through network connections.
WORM
Which condition might indicate that a hacker is hacking a network?
A MAJOR INCREASE IN ICMP TRAFFIC
*Hacking a network with a ping of death ‘Denial-of-Service’ (DOS) attack
What network devices can you use to connect two or more LAN segments together without collisions?
Bridges, routers and switches connect LAN segments.
Which events should be considered as part of the business continuity plan?
Natural disaster and hardware failure
What would include ISO compliance, adhering to NIST and the Payment Card Industry Data Security Standard (PCI-DSS)? “General” states that a wide range of standards is covered.
General-Purpose-Guides
_______ is a key distribution protocol used for secure IP communications, such as IPSEC (Internet Protocol Security).
SKIP (Simple Key Management Protocol for Internet Protocols)
________ involves accepting the risk and leaving the security plan the same.
Acceptance
________ involves modifying the security plan to eliminate the risk or its impact.
Avoidance
________ involves transferring the risk and its consequences to a third party.
Transference
________ involves reducing the probability or impact of a risk (taking action to minimize probability).
Mitigation
What can hide itself from antivirus software by distorting its own code? When spreading, it jumbles and garbles its own code to prevent antivirus software from detecting its presence.
self-garbling virus
What hides the changes it makes to the system files and boot records, making it difficult to detect its presence? Maintains a copy of a file before infecting it and presents the original copy to the monitoring software so that no changes are detected by the system.
Stealth virus
Virus programs written in Word Basic, Visual Basic and VBScript. Platform independent; typically infects systems through Microsoft Office products.
macro virus
What detects data or files that are hidden within other files?
Steganography tools
What tools are used to ensure that information is completely removed from a device before it is discarded, sold or recycled?
Data Sanitization tools
What tools are used by a network administrator to test the security of a network, such as in a penetration test (Metasploit)?
Exploitation Frameworks
__________ is the general term for tools that help you locate weaknesses in your network before they are exploited by an attacker.
Vulnerability Scanner
A password, PIN, name of a childhood friend, color of first car, and similar questions are examples of which authentication factor?
Something You Know
Fingerprints, voice prints, retina scans, iris scans and other biometrics are examples of which authentication factor?
Something You Are
Under _________, a set of organizational roles is defined and users are allocated to those roles. Under this system, the right to modify roles is reserved to admin accounts. The system is non-discretionary, as each user has no right to modify the ACL of a resource, even though they can change the resource in other ways.
Role-based Access Control (RBAC)
The owner is originally the creator of the resource, though ownership can be assigned to another user. The owner is granted FULL control over the resource, meaning the owner can modify its ACL to grant rights to others.
Discretionary Access Control (DAC)
_______ & _______ attacks target virtual machines. These attacks attempt to detect virtual servers and machines on a network. Once the virtual machines are identified, various techniques are used to attack the VMs to breach the host and eventually the network.
Red Pill & Scooby Doo attacks
DES uses ______ encryption keys.
56-bit encryption keys
AES uses _____, _____, and ____ bit encryption keys.
128, 192 and 256 bit encryption keys.
MD5 produces _________ checksums
128-bit checksums
What produces 256-bit checksums?
SHA-256 aka SHA-2
___________ produces 160-bit checksums
SHA-1 (Secure Hashing Algorithm)
___________ - means identifying the risk and no longer engaging in the activities associated with that risk. Example: no longer accepting credit card information via email.
Risk Avoidance
______ uses a combination of conventional symmetric-key cryptography for speed and public-key cryptography for ease of secure key exchange. It supports the following algorithms: public key: RSA, DSA; cipher: IDEA, 3DES, CAST5, Blowfish, AES-128/192/256, CAMELLIA; hash: MD5, SHA-1, SHA-256/384/512/224, RIPEMD-160. It is an alternative to the PGP suite of cryptographic software.
GNU Privacy Guard (GPG)
A symmetric-key block cipher or streaming cipher; 1 bit at a time, 1 round. Developed at the Massachusetts Institute of Technology. Supports variable-length encryption keys.
Rivest Cipher (RC4, RC5)
RC4 - is a streaming cipher
RC5/RC6 - are block ciphers
Protocol for transporting secure voice and video.
Secure Real-Time Transport Protocol (SRTP)
Types of commercial data classifications
Confidential, Private, Sensitive, Public
Types of military data classifications
Sensitive, Confidential, Secret, Top Secret
_____ is any information that can be used for the purpose of identifying, locating or contacting any specific individual, either combined with other easily accessible sources or by itself.
Can include data linked to any individual through medical, employment, financial, or educational records. Several of these information sets that might be utilized to identify a certain individual could consist of a name, email address, biometric data, telephone number, fingerprints or social security number.
PII (Personal Identifiable Information)
_____ is any information related to health status, health care provision or health care payment that can further be linked to any specific individual. It can be rather broadly interpreted and includes any sort of medical payment history or records of a patient.
PHI (Personal Health Information)
Org roles that deal with data classification?
Data custodian, data steward, data owner and privacy officer.
What is another term for technical controls?
logical controls
_____ is used to suppress a fire that has magnesium, sodium and potassium as its elements.
Dry Powder
_____ are used when the fire involves electrical equipment and wires. They can also be used to suppress class B fires that include liquids.
Halon or carbon dioxide
_____ allows users to gain access to restricted directories, for example when an operating system command like rm -rf /etc/passwords is sent via an HTML string.
command injection
_____ occurs when a user enters values in an XML query that takes advantage of security loopholes.
XML injections
_____ occurs when a user enters values in an LDAP query that take advantage of security loopholes.
LDAP injection
_____ occurs when hackers learn of a security vulnerability on the same day that it is discovered by the application vendor.
Zero day attack
_____ occurs when a hacker is able to manipulate a packet header to deface, hijack or poison the packet.
Header manipulation
An add-on that a user adds for a particular functionality, but which in reality serves as a way for a hacker to create a security breach.
Malicious Add-ons
_____ is used in a Kerberos network authentication to distribute resource access keys.
Key Distribution Center (KDC)
_____ generates and validates digital certificates and verifies the authenticity of the certificate elements.
Certification Authority
Occurs when a hacker intercepts messages from a sender, modifies those messages and sends them to a legitimate receiver. This type of attack often involves interrupting network traffic to insert malicious code.
Man-in-the-middle attack
Occurs when a script on a website is configured to manipulate a computer other than the web server.
cross-site scripting (XSS)
Management wants to protect all traffic on the company’s HTTP/HTTPS server. You have been asked to recommend a solution. Which device is the best solution?
Web Application Firewall – it can be implemented in hardware or software to protect a web server from a cross-site scripting attack.
- Best to protect HTTP/HTTPS server
- Security at Application Layer (layer 7) OSI model
Your organization has recently implemented a new security policy that includes the implementation of the principle of least privilege. You need to ensure that users understand this principle. What is the best implementation of this principle?
Issuing the “Run as” command to execute administrative tasks during a regular user session.
____ is a router function, where an application compares the incoming or outgoing IP address to an ACL. Other types of ______ perform similar functions on MAC addresses or switch ports.
Anti-spoofing
*A NIDS/NIPS would not check IP address traffic for spoofing.
An attack that sends unsolicited messages over a Bluetooth connection.
Bluejacking
The act of gaining unauthorized access to a device, and the network it is connected to, through its Bluetooth connection.
Bluesnarfing
Malicious code activated by a specific event is called?
- Backdoor
- Dropper
- Logic Bomb
- Retrovirus
Logic Bomb
Which of the following answers refers to an undocumented (and often legitimate) way of gaining access to a program, online service, or an entire computer system?
- logic bomb
- trojan horse
- rootkit
- backdoor
Backdoor
An unauthorized practice of obtaining confidential information by manipulating people into disclosing sensitive data is referred to as?
- shoulder surfing
- privilege escalation
- social engineering
- penetration testing
Social Engineering
A fraudulent email requesting its recipient to reveal sensitive information (e.g. username and password) used later by an attacker for the purpose of identity theft is an example of? (select all that apply)
- phishing
- social engineering
- bluejacking
- vishing
Phishing & Social Engineering
Phishing scams targeting a specific group of people are referred to as?
- vishing
- spear phishing
- spoofing
- whaling
Spear Phishing
Phishing scams targeting people holding high positions in an organization or business are known as?
- Vishing
- Bluesnarfing
- Whaling
- Bluejacking
- Pharming
Whaling
The practice of using a telephone system to manipulate a user into disclosing confidential information is called?
- Whaling
- Spear Phishing
- Vishing
- Pharming
Vishing
What is tailgating?
Gaining unauthorized access to restricted areas by following another person
Which social engineering attack relies on identity theft?
Impersonation
A situation in which an unauthorized person can view another user's display or keyboard to learn their password or other confidential information is referred to as?
- Spear Phishing
- Tailgating
- Shoulder Surfing
- Spoofing
Shoulder Surfing
The actual key size of _____ is 64 bits; however, 8 bits are used for parity check. Therefore, the effective key size of ______ is 56 bits. ______ uses 16 rounds of computation.
DES (Data Encryption Standard)
What is the best method to avoid buffer overflows?
“Execute a well-written program” - a well-written program is the best method to prevent buffer overflow errors. A buffer overflow is caused when input data is not verified for appropriate length at the time of input. Buffer overflow and boundary condition errors are examples of input validation errors.
What is typically part of an information policy?
Classification of Information: is typically part of an information policy. A company usually has two information classifications: Public and Proprietary. Some companies also use the ‘restricted’ classification.
A social engineering technique whereby attackers, under the disguise of a legitimate request, attempt to gain access to confidential information they shouldn't have access to is commonly referred to as?
Phishing
You are training several IT professionals on security and access control. You need to explain to the professionals the most common form of identification and authentication.
What identification and authentication mechanism should you explain?
USER identification with usable password
You need to ensure that wireless clients can only communicate with the wireless access point and not with other wireless clients.
What should you implement?
Isolation Mode - This mode ensures that wireless clients can only communicate with the wireless access point and not with other wireless clients
What is another name for a cross-site request forgery? (XSRF)
Session riding - This application issue involves unauthorized commands coming from a trusted user to a user or website.
Your manager suspects that your network is under attack. You have been asked to provide information regarding traffic flow and statistical information for your network.
Which tool should you use?
Protocol Analyzer - provides information regarding traffic flow and statistical information for your network. A protocol analyzer is also referred to as a network analyzer or packet sniffer (Wireshark).
You have recently implemented a new Public Key Infrastructure (PKI) for your organization. You need to back up the entity that is responsible for certifying the public key pair of the root CA. Which entity must you back up?
Root CA - You should back up the Root CA. The Root Certification Authority (CA) must certify its own public key pair.
You suspect that several users are attempting to install unauthorized software. Upon researching, you discover that the attempts were unsuccessful. What tool did you implement that logged those attempts and identified the users?
Application Whitelist - the practice of denying all applications except for those that are approved. Those approved applications are designated as whitelisted.
You are responsible for managing your company’s virtualization environment. Which feature should NOT be allowed on a virtualization host?
Browsing the internet
- If the host has a security breach (spyware/malware), anything that affects a virtualization host also affects all virtual computers on the host.
You have a highly mobile workforce and they often work in airplanes, airports and other public places. Management is concerned that unauthorized users can obtain information when personnel are using the devices in public places. Which of these could be implemented to help mitigate risk?
- CAC logins
- set devices to isolation mode
- finger print readers
- screen filters
Screen Filters
Match the tools on the left with the descriptions given on the right.
- Nessus
- Wireshark
- SNORT
- Cain & Abel
a. Password recovery tool
b. Network Protocol Analyzer
c. Network Intrusion Detection System
d. Vulnerability Scanner
Wireshark – Network Protocol Analyzer
Nessus – Vulnerability Scanner
Snort – Intrusion Detection System
Cain & Abel – Password Recovery Tool
During maintenance, you often discover unauthorized devices connected to your wireless network. You need to ensure that only authorized corporate devices can connect to the network. What should you configure to increase the security of this wireless network?
MAC filtering - with this filtering, the MAC address of each network interface card (NIC) that attempts to connect to the network is checked. Only MAC addresses that are specifically allowed are granted a connection.
What preserves the existence and integrity of relevant electronic records (and paper records) when litigation is imminent?
Legal Hold - is the term for the preservation of information relevant to an impending lawsuit. Personnel will be instructed not to destroy or alter information relating to the topic of the lawsuit.
Ensures that users have the appropriate permissions to complete the tasks that are part of their job. By implementing permission auditing and review, you ensure that privilege creep does not occur.
Permission Auditing and Review
Ensures that accounts are still being used. By implementing usage auditing and review, you ensure that accounts that are no longer in use are disabled.
Usage auditing and Review
Which Intrusion Detection System (IDS) uses a magnetic field to detect intrusions?
A proximity detector
Passphrase is easiest to remember (according to the test)
True – According to the test; Passphrase is easiest to remember
_________ - a bit-level copy of the disk; refers to making a copy at the sector level to cover every part of the area that can store data, such as slack space and free space. You should also perform forensic hashing of the disk contents, before and after.
Forensic investigation
______ - is formed when a malicious program is installed on several host computers and is remotely triggered.
Botnet
_______ backups begin with a full backup. On each day thereafter you would back up all of the changes that occurred since your last full backup. It's cumulative. The order to restore is the last full backup and then the most recent _______ backup.
- *Does not reset the archive bit.
- *They are not dependent on the other backups.
‘Differential’ backup
________ backups begin with a full backup. On each day thereafter you would back up that specific day's changes only. The order of restoration would be to restore the last full backup first and then to restore each day's incremental backup in order from oldest to newest.
** Resets the archive bit; dependent on each backup.
‘Incremental’ Backup
______ - a testing environment isolated from a live or production environment.
______ - mechanism for safely running untrusted programs
Sandbox - a testing environment isolated from a live or production environment.
Sandboxing - mechanism for safely running untrusted programs.
In a ___________, Certification Authorities (CAs) are arranged in a hierarchy and sign public key pairs.
“PKI infrastructure” Public Key Infrastructure (PKI)
What is cross-site request forgery (XSRF)?
When a script on a website is configured to manipulate a computer other than the web server.
Cross-site Request Forgery (XSRF) occurs when unauthorized commands are executed on a web server by a trusted user.
Which SIEM feature would be best for long-term storage and security?
Logs/WORM - provides the best option for longer-term storage and security. WORM is an acronym for “Write Once, Read Many” and the data cannot be modified once it has been written.
What is SIEM?
SIEM is a subsection within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware.
Your organization is a subcontractor for a major government defense contractor. While writing an incident response plan, you must determine the circumstances under which to bring in an outside contractor. Which portion of the incident response plan includes this information?
Reporting and escalation guidelines – The reporting requirements would indicate how incidents are reported, what documentation is required, and what outside agencies (if any) should be identified.
Escalation guidelines would indicate under what circumstances you need to ask for additional assistance.
Your client is migrating from a Windows-based server to an Apache server. You need to convert the X.509 certificate on the new Apache server. What is the original file extension for the X.509 certificate?
PFX - a PFX certificate file is used by Microsoft, and contains both the public and private keys. The container is fully encrypted. You should use OpenSSL to convert this into a PEM encoded file. The two most common file types for exporting the private key are PFX and P12 (can contain certificates, certificate chains and private keys).
Recently, several confidential messages from your company have been intercepted. Your company has decided to implement PGP to encrypt files. Which type of model does the encryption use?
a. bus
b. web
c. hierarchy
d. ring
web
PGP uses a ‘web of trust’ to validate public key pairs. In the web of trust model, users sign their own key pairs. If a user wants to receive a file encrypted with PGP, the user must first supply the public key.
Which memory vulnerability is associated with multithreaded applications?
a. DLL injection
b. Race Condition
c. Resource exhaustion
d. Pointer dereferencing
Race condition
It occurs when you have a variable that is accessed by several threads of an application. Improper handling of that variable can lead to unexpected values associated with the variable in question.
Your client is developing a new website. The web administrator has indicated that she would like to use a low-cost certificate to offer Transport Layer Security (TLS) to the new domain.
What type of certificate should you recommend?
Domain validation - these certificates are very common. They are low-cost and are often used by web admins to offer TLS to a domain. They are validated using only the domain name.
Users are complaining that the new biometric identification system is difficult to use. They are saying that even though the initial login worked fine, they have difficulty logging in later. In addition to user training, what should you investigate?
FRR (False Rejection Rate) - You should investigate the device's FRR to determine its accuracy. FRR measures how likely it would be that an authorized user is denied access to the system. Expressed as a ratio.
You want to ensure that certificates that have expired, been replaced or were revoked are no longer used. You discover that updates to the list of invalid certificates may take 24-48 hrs to circulate, leaving a window of vulnerability in which invalid keys may be accepted.
Which of these solutions is the BEST to use if you want to avoid accepting invalid keys?
a. OCSP
b. OID
c. CSR
d. CRL
OCSP (Online Certificate Status Protocol)
-is a real-time protocol for validating keys. OCSP is replacing CRL, which takes 24-48 hrs to broadcast.
What is STP and what is it used for?
STP is “Spanning Tree Protocol”. It is the primary loop protection on an Ethernet network.
What system will provide an alert in the event of a breach on a “single” server or computer?
a. HIPS
b. DNS
c. OCSP
d. HIDS
HIDS (Host-based Intrusion Detection System)
Note: Intrusion “detection” system that is capable of monitoring and analyzing the internals of a computing system as well as the network packets on its network interface.
Passwords based on some personal fact or opinion. They are things like your mother's maiden name, your favorite color or the school where you graduated.
a. static password
b. software-generated password
c. dynamic password
d. cognitive password
e. biometric login
Cognitive passwords
Occurs when an attacker exploits the three-packet Transmission Control Protocol (TCP) handshake. A _____ attack is a type of denial-of-service (DOS) attack.
a. man in the middle
b. SYN flood
c. smurf
d. brute force
SYN flood attack
- is a form of denial-of-service attack in which an attacker sends a succession of SYN (synchronize) requests to a target system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
Occurs when unexpected values are provided as input to an application to make the application crash.
a. Fuzzing
b. XSRF
c. XSS
d. Footprinting
Fuzzing
- hackers will use thousands of commands to crash a program and watch the crash log to find a way to input code where those commands might be stored and get the program to do their bidding (example).
_____ is a “system” or a program employed to protect critical computer systems containing crucial data against viruses and other internal malware. _____ will go a step further and stop the attack, to help “prevent” data loss. Logs inbound traffic.
a. HIPS
b. DNS
c. OCSP
d. HIDS
HIPS (Host-based Intrusion Prevention System)
You are researching the different types of firewalls that you can install to protect your company’s network and assets. Which type of firewall is most detrimental to network performance?
a. circuit-level proxy firewall
b. packet filtering firewall
c. stateful inspection firewall
d. application-level proxy firewall
Application-level proxy firewall - is most detrimental to the network performance because it requires more processing per packet.
You need to ensure that a set of users can access information regarding departmental expenses. However, each user should only be able to view the expenses for the department in which they work. Senior Managers should be able to view the expenses for all departments. Which database security feature provides this granular access control?
Database view - content-dependent access control is based on the sensitivity of the information and the user's privilege.
You have decided to install a proxy server on your network. Which type of proxy is also called a “surrogate proxy”?
Reverse Proxy - It faces the internal network and is used for several purposes, including web page caching, decryption, authentication, and load balancing.
You have just installed a new FTP server, but you do not know what information the FTP server is transmitting when a user initially connects to it. Which tool could you use to discover that information and consequently know what information an attacker could exploit?
Banner Grabbing - a network administrator could use banner grabbing to identify information to circumvent that exploit. Banner grabbing intercepts a text file sent by a server or a host. The text file includes OS information and in the case of a web server, perhaps the basic configuration info. The attacker can then exploit that information.
Your company has recently adopted a new security policy that states that all confidential emails must be signed using a digital signature. Which three elements are provided by the implementation of this technology? (Choose three)
a. Non-repudiation
b. identification
c. authentication
d. authorization
e. integrity
non-repudiation
authentication
integrity
You have been hired as the security administrator for a company. During your first weeks, you discover that most of the client and server computers are not protected from intrusions in any way. For the servers, management wants you to implement a solution that will prevent intrusions on a single server.
Which system should you implement to satisfy management's request?
a. IDS
b. HIPS
c. IPS
d. HIDS
HIPS - implement “Host Intrusion Prevention System” to prevent intrusions on a single server or computer.
You have set up an auditing system for the servers on your network. Which three statements regarding an audit trail are not true?
a. An audit trail logs service access.
b. An audit trail shows unsuccessful login attempts.
c. An audit trail is reviewed only when an intrusion is detected.
d. An audit trail does not record successful login attempts.
e. An audit trail is a preventative control.
An audit trail is reviewed only when an intrusion is detected.
An audit trail does not record successful login attempts.
An audit trail is a preventative control.
The new anti-virus application that your company purchased claims that it protects against all types of viruses, including multipart viruses. Which statement correctly defines this type of virus?
a. A multipart virus can infect executable files and boot sectors of hard disk drives.
b. A multipart virus can hide itself from anti-virus software by distorting its own code
c. A multipart virus can change some of its characteristics while it replicates
d. A multipart virus is encoded in a macro
A multipart virus can infect executable files and boot sectors of hard disk drives.