Section 17-18 Flashcards
A financial analyst is expecting an email containing sensitive information from a client. When the email arrives, the analyst receives an error and is unable to open the encrypted message. Which of the following is the most likely cause of the issue?
a. The S/MIME plug-in is not enabled.
b. The SSL certificate has expired.
c. Secure IMAP was not implemented.
d. POP3S is not supported.
Answer: a. The S/MIME plug-in is not enabled.
The most likely cause of the issue is that the S/MIME plug-in is not enabled. S/MIME is required to decrypt and view encrypted emails, so if it is not enabled or properly configured, the analyst would be unable to open the encrypted message.
A company recently suffered a breach in which an attacker was able to access the internal mail servers and directly access several user inboxes. A large number of email messages were later posted online. Which of the following would best prevent email contents from being released should another breach occur?
a. Implement S/MIME to encrypt the emails at rest.
b. Enable full disk encryption on the mail servers.
c. Use digital certificates when accessing email via the web.
d. Configure web traffic to only use TLS-enabled channels.
Answer: a. Implement S/MIME to encrypt the emails at rest.
Implementing S/MIME to encrypt the emails at rest ensures that the email contents are encrypted and protected even if the attacker gains access to the mail servers, preventing unauthorized access to the email contents.
A company recently experienced an attack during which the main website was redirected to the attacker’s web server, allowing the attacker to harvest credentials from unsuspecting customers. Which of the following should the company implement to prevent this type of attack from occurring in the future?
a. IPSec.
b. SSL/TLS.
c. DNSSEC.
d. S/MIME.
Answer: c. DNSSEC.
DNSSEC (Domain Name System Security Extensions) helps prevent attacks where DNS queries are redirected to malicious sites by ensuring that the responses to DNS queries are authenticated and have not been tampered with. This would prevent attackers from redirecting the company’s website to their own malicious server.
Which of the following best describes a use case for a DNS sinkhole?
a. Attackers can see a DNS sinkhole as a highly valuable resource to identify a company’s domain structure.
b. A DNS sinkhole can be used to draw employees away from known-good websites to malicious ones owned by the attacker.
c. A DNS sinkhole can be used to capture traffic to known-malicious domains used by attackers.
d. A DNS sinkhole can be set up to attract potential attackers away from a company’s network resources.
Answer: c. A DNS sinkhole can be used to capture traffic to known-malicious domains used by attackers.
A DNS sinkhole captures traffic to known-malicious domains used by attackers. It redirects malicious traffic to a controlled environment, allowing the organization to monitor and analyze the traffic without harm.
A security team has been alerted to a flood of incoming emails that have various subject lines and are addressed to multiple email inboxes. Each email contains a URL shortener link that is redirecting to a dead domain. Which of the following is the best step for the security team to take?
a. Create a blocklist for all subject lines.
b. Send the dead domain to a DNS sinkhole.
c. Quarantine all emails received and notify all employees.
d. Block the URL shortener domain in the email gateway.
Answer: b. Send the dead domain to a DNS sinkhole.
Sending the dead domain to a DNS sinkhole will prevent the emails from successfully redirecting to the malicious domain, effectively neutralizing the threat regardless of the various subject lines or email recipients.
Users at a company are reporting they are unable to access the URL for a new retail website because it is flagged as gambling and is being blocked. Which of the following changes would allow users to access the site?
a. Creating a firewall rule to allow HTTPS traffic.
b. Tuning the DLP rule that detects credit card data.
c. Configuring the IPS to allow shopping.
d. Updating the categorization in the content filter.
Answer: d. Updating the categorization in the content filter.
Updating the categorization in the content filter will allow users to access the new retail website by reclassifying it from gambling to the correct category, thus removing the block.
Which of the following would be most effective to contain a rapidly spreading attack that is affecting a large number of organizations?
a. Machine learning.
b. DNS sinkhole.
c. Blocklist.
d. Honey pot.
Answer: b. DNS sinkhole.
A DNS sinkhole is effective at containing rapidly spreading attacks by redirecting malicious traffic to a controlled environment, preventing the malware from communicating with its command-and-control servers.
An analyst is generating a security report for the management team. Security guidelines recommend disabling all listening unencrypted services. Given this output from Nmap:
  PORT     STATE
  21/tcp   filtered
  22/tcp   open
  23/tcp   open
  443/tcp  open
Which of the following should the analyst recommend to disable?
a. 21/tcp.
b. 22/tcp.
c. 23/tcp.
d. 443/tcp.
Answer: c. 23/tcp.
Port 23/tcp corresponds to Telnet, which is an unencrypted service. Disabling it will align with the security guidelines to disable all listening unencrypted services.
A new vulnerability in the SMB protocol on the Windows systems was recently discovered, but no patches are currently available to resolve the issue. The security administrator is concerned that servers in the company’s DMZ will be vulnerable to external attack; however, the administrator cannot disable the service on the servers, as SMB is used by a number of internal systems and applications on the LAN. Which of the following TCP ports should be blocked for all external inbound connections to the DMZ as a workaround to protect the servers? (Select TWO).
a. 135.
b. 445.
c. 139.
d. 143.
e. 161.
f. 443.
Answer: b. 445 and c. 139.
Blocking TCP port 445 will prevent external inbound connections to the SMB services, thus protecting the servers in the DMZ from being attacked through the SMB protocol. TCP port 139 (NetBIOS session service) also carries SMB traffic, so it must be blocked as well to close the workaround completely.
A security consultant needs secure, remote access to a client environment. Which of the following should the security consultant most likely use to gain access?
a. EAP.
b. DHCP.
c. IPSec.
d. NAT.
Answer: c. IPSec.
IPSec (Internet Protocol Security) provides secure, encrypted communication over a network, making it ideal for secure remote access to a client environment.
An enterprise is trying to limit outbound DNS traffic originating from its internal network. Outbound DNS requests will only be allowed from one device with the IP address 10.50.10.25. Which of the following firewall ACLs will accomplish this goal?
a.
  Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53
  Access list outbound deny 10.50.10.25/32 0.0.0.0/0 port 53
b.
  Access list outbound permit 0.0.0.0/0 10.50.10.25/32 port 53
  Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
c.
  Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53
  Access list outbound deny 0.0.0.0/0 10.50.10.25/32 port 53
d.
  Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53
  Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
Answer: d.
  Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53
  Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
This rule permits outbound DNS requests from the specific IP address (10.50.10.25) and denies all other outbound DNS traffic, effectively limiting outbound DNS traffic to the specified device.
After reviewing the following vulnerability scanning report:
  Server: 192.168.14.6
  Service: Telnet
  Port: 23
  Protocol: TCP
  Status: Open
  Severity: High
  Vulnerability: Use of an insecure network protocol
a security analyst performs the following test:
  Nmap test results
  Port: 23/tcp
  State: open
  Service: telnet
  Telnet server supports encryption
Which of the following would the security analyst conclude for this reported vulnerability?
a. It is a false positive.
b. A rescan is required.
c. It is considered noise.
d. Compensating controls exist.
Answer: a. It is a false positive.
The Nmap scan indicates that the Telnet server supports encryption, which means the use of an insecure network protocol (Telnet without encryption) is not present. Thus, the reported vulnerability is a false positive.
A company is experiencing a web services outage on the public network. The services are up and available but inaccessible. The network logs show a sudden increase in network traffic that is causing the outage. Which of the following attacks is the organization experiencing?
a. ARP poisoning.
b. Brute force.
c. Buffer overflow.
d. DDoS.
Answer: d. DDoS.
A sudden increase in network traffic causing services to become inaccessible is a classic symptom of a DDoS (Distributed Denial of Service) attack.
A company’s web filter is configured to scan the URL for strings and deny access when matches are found. Which of the following search strings should an analyst employ to prohibit access to non-encrypted websites?
a. ‘encryption off’.
b. ‘http//’.
c. ‘www.*.com’.
d. ‘443’.
Answer: b. ‘http//’.
By filtering for ‘http//’, the web filter can block access to websites that do not use HTTPS, ensuring that only encrypted, secure connections are allowed.