Security+ ITProTV Practice Exam I Flashcards
** When connecting to a Website using SSL/TLS, the Client browser uses the Root CA’s Public Key to decrypt the Digital Signature of each Certificate until finally verifying the identity associated with the Website’s Certificate. Which term or phrase describes this PKI concept?
Key Escrow
Certificate Chaining
Key Pairing
Certificate Revocation
Certificate Chaining
Explanation:
Certificate chaining refers to the trust relationships between CAs and helps determine which certificate has the highest level trust. For example, if you get a certificate from “A,” and “A” trusts the root certificate, the highest level trust is the root certificate.
Key escrow addresses the issue that a key might be lost. It is a proactive approach where copies of the private keys are held in escrow (stored) by a third party. The third party (key recovery agent) manages access to and use of the private keys. Keys do not define trust relationships.
A certificate revocation refers to a certificate that has been revoked or is planning on being revoked, for one reason or another. A certificate revocation list (CRL) contains a list of serial numbers for digital certificates that have not expired, but that a certification authority (CA) has specified to be invalid. Typically, the serial number of a digital certificate is placed in a CRL because the digital certificate has been compromised in some way.
In public key cryptography, also known as asymmetric cryptography, every public key pairs to only one private key. Together, these key pairs are used to encrypt and decrypt messages and data that is sent over the internet and the network. Using key pairing can ensure both security and identity of the sender.
** A Hacktivist group claims responsibility for infecting a manufacturer’s systems by planting an infected USB drive at the company’s office. The manufacturer’s distributor, several vendors, and hundreds of customers were all eventually infected with the malware that stole important credential information for those infected.
Which term describes this attack strategy?
Direct Access
Cloud-based
Social Media
Supply Chain
Supply Chain
Explanation:
A supply chain attack is not an attack on a target directly but an attack on a more vulnerable company or resource within its supply chain that helps the organization conduct business or create a product. An increasing number of hacks are being carried out this way.
Direct access is the most straightforward type of attack and hopefully the most preventable. This type of attack is a physical or local attack, such as an attacker exploiting an unlocked workstation and using a boot disk to install malicious tools or simply stealing a device.
Similar to the supply chain attack, hackers may try and exploit vulnerabilities in cloud-based web service providers to gain access to an organization’s data.
Social media attacks occur when malware is attached to posts or presented as downloads on social media sites. At their most dangerous, hackers can make it so a compromised site automatically infects a vulnerable computer.
** A man wearing a service provider’s coveralls and carrying a toolbox approaches your facility’s Security guard. He says that his work crew is running some new Ethernet cable inside your office, but he left his mobile phone at home, so he can’t call his crew to let him in. The Security guard admits the man through your Secured door. The following week, you find an undocumented Network device installed in a closet. Which Social Engineering attack techniques were used? (Choose ALL that Apply)
Eliciting Information
Influence Campaign
Impersonation
Identity Fraud
Pretexting
Impersonation
Pretexting
Explanation:
The attacker used pretexting and impersonation to commit physical social engineering. Pretexting (when referring to social engineering) is inventing a scenario that will engage the victim and provide the attacker with an excuse to be in the area. Impersonation is pretending to be an employee, vendor, IT help desk staff, delivery driver, or other individual with some level of legitimate access. Impersonation can occur on the phone or in person. In this scenario, the guard should have asked an employee inside the building to verify that an authorized work crew was on the grounds.
While this was an impersonation, it was not identity fraud. Identity fraud is stealing a specific individual’s PII or credentials to commit financial fraud, elicit information, gain access to confidential records, or penetrate a network. Impersonation is generic, while identity fraud is specific.
The attacker did not elicit information. Eliciting information is tricking the victim into revealing sensitive information, like shift times and manned desk hours, through friendly conversation.
An influence campaign is a multi-actor attack that uses social media accounts to post inflammatory rhetoric and unsubstantiated or fake news stories. The goal of the disinformation is to cause political, social, and economic instability in the target. Influence campaigns are usually conducted by APTs and hostile nation-states.
Physical social engineering uses in-person techniques to gather confidential information or gain access. Other physical social engineering tricks are dumpster diving, shoulder surfing, tailgating / piggybacking, and reconnaissance. Remember that in the CompTIA objectives, reconnaissance can mean visiting a target to observe security controls in person, but it can also refer to digital and remote intelligence gathering techniques using OSINT and automated tools.
** You have been authorized by management to use a Vulnerability Scanner once every three months. What is this tool?
An application that detects when Network intrusions occur and identifies the appropriate personnel.
An application that protects a system against viruses.
An application that identifies ports and services that are at risk on a Network.
An application that identifies Security issues on a Network and gives suggestions on how to prevent the issues.
An application that identifies Security issues on a Network and gives suggestions on how to prevent the issues.
Explanation:
A vulnerability scanner is an application that identifies security issues on a network and gives suggestions on how to prevent the issues. It is a management control type.
A port scanner is an application that identifies ports and services that are at risk on a network.
An intrusion detection system (IDS) is an application that detects when network intrusions occur and identifies the appropriate personnel.
A virus scanner is an application that protects a system against viruses.
** Your organization has decided to implement an Encryption algorithm to protect data. One IT staff member suggests that the organization use IDEA. Which strength Encryption Key is used in this Encryption algorithm?
256-bit
64-bit
56-bit
128-bit
128-bit
Explanation:
International Data Encryption Algorithm (IDEA) uses a 128-bit Encryption Key to encrypt 64-bit blocks of data.
Data Encryption Standard (DES) uses a 56-bit Key to encrypt 64-bit blocks of data.
Some Private Key Encryption standards support 256-bit Encryption Keys.
** Your organization has recently adopted a new organizational Security policy. As part of this new policy, management has decided to implement an Iris Scanner for users wanting access to the Secure data center. Which procedure does this use to authenticate users?
It takes a picture of the user’s eye and compares the picture with pictures on file.
It scans the shape of the user’s face and compares the face scan with faces on file.
It scans the user’s handwriting and compares the handwriting with a sample on file.
It scans the blood vessels in the user’s eye and compares the pattern with patterns on file.
It takes a picture of the user’s eye and compares the picture with pictures on file.
Explanation:
An iris scanner determines whether to authenticate a user by taking a picture of the iris of the user’s eye and comparing the picture with iris pictures on file.
A retinal scanner determines whether to authenticate a user by scanning the pattern of blood vessels in the user’s eye and comparing that pattern with patterns already on file. A retinal scanner has the lowest crossover error rate and is the most reliable biometric system.
A face recognition scanner determines whether to authenticate a user by scanning the user’s face and comparing that scan to face scans already on file. A facial scan is based on an individual’s bone structure, nose ridge, eye width, forehead structure, and chin shape. A signature scanner determines whether to authenticate a user by comparing the shapes and stroke-timing of a person writing their signature with a signature pattern already on file.
Biometric access control is a security mechanism that makes use of hand scanners, fingerprints, retinal scanners, or DNA structure to identify the user.
** Which of the following scenarios describes a Man-in-the-Browser (MitB) Attack?
When users click on a link in a seemingly legitimate email, malicious payload is downloaded and executed.
When users establish a Session with a legitimate Website, an attacker device eavesdrops on the conversation.
When users install a seemingly legitimate application, a Remote Access Backdoor is also installed.
When users attempt to access a legitimate Website, they are instead redirected to a malicious Website.
When users attempt to access a legitimate Website, they are instead redirected to a malicious Website.
Explanation:
The scenario of being redirected to a malicious website from a legitimate one is a man-in-the-browser attack. The man (or malware) in the browser redirects the user to a fake site rather than the intended site.
When users click on a link in a seemingly legitimate email, and a malicious payload is downloaded and executed, it is an example of malicious links in an email.
When users establish a session with a legitimate website and an attacker device eavesdrops on the conversation, it is a session hijacking attack.
When users install a seemingly legitimate application and a remote access backdoor is also installed, it is an example of a remote access trojan (RAT).
** You perform a Server Scan and find that you have a high amount of Telnet traffic. You have installed several new peripheral devices on the Server. Which newly installed peripheral device is most likely causing this problem?
Wireless Mouse
Printer
Digital Camera
Wireless Keyboard
Printer
Explanation:
Printers and multi-function devices (MFDs), particularly those with networking capability, have the same security concerns as any other device that can be remotely managed. For example, the printer may allow users to connect through Telnet or SSH. If those protocols are not used in your business, turn them off.
Wireless keyboards are subject to keystroke injection. Wireless mice are subject to mouse spoofing. Digital cameras with wireless networking capability should be included in malware scans. However, these devices do not usually need to be remotely managed via Telnet.
Other peripheral devices that may be on the exam include wireless displays, Wi-Fi-enabled MicroSD cards, and external storage devices.
Wireless displays often connect to the Internet to pull in content. If they have a remote management feature, security professionals should determine if that feature uses Telnet or not.
Wi-Fi-enabled MicroSD cards should be included in malware scans.
External storage devices with wireless networking capability should be included in malware scans.
** An advanced user has recently had several new peripheral devices added to his desktop computer. You are concerned about peripheral devices becoming infected with malware. Which peripheral devices should you examine?
(Choose ALL that Apply)
WIFI Enabled MicroSD Cards
Digital Camera
Wireless Mouse
External Storage Devices
WIFI Enabled MicroSD Cards
Digital Camera
External Storage Devices
Explanation:
Malware scans should be performed on Wi-Fi-enabled MicroSD cards, external storage devices, and digital cameras with wireless network capability.
Wireless mice are subject to mouse spoofing, not malware infection. Mouse spoofing involves sending forged signals to the victim’s computer that match the wireless mouse’s protocol. Once the signals are accepted, the attacker can use mouse actions to command the computer to download other attack vectors or turn off anti-virus protection. However, no malware infects the mouse or the victim’s computer. Other peripherals of concern include printers, multifunction devices, wireless keyboards, and wireless displays.
Printers or multi-function devices (MFDs), particularly those with networking capability, have the same security concerns as any other device that can be remotely managed. For example, the printer may allow users to connect through Telnet or SSH. If those protocols are not used, turn them off.
Wireless keyboards are subject to keystroke injection.
Wireless displays often connect to the Internet to pull in content. If they have a remote management feature, security professionals should determine whether that feature uses Telnet. Because they pull content from the Internet, they could also be susceptible to malware attacks.
** Your company has recently started adopting formal Security policies to comply with several state regulations. One of the Security policies states that certain hardware is vital to the organization. As part of this Security policy, you must ensure that you have the required number of components plus one extra to plug into any system in case of a failure. Which strategy is this policy demonstrating?
Cold Site
Fault Tolerance
Clustering
Server Redundancy
Fault Tolerance
Explanation:
Fault tolerance ensures that you have the required number of components plus one extra to plug into any system in case of failure.
Clustering is the process of providing failover capabilities for servers by using multiple servers together. A cluster consists of several servers providing the same services. If one server in the cluster fails, the other servers will continue to operate.
A cold site for disaster recovery includes a basic room with raised flooring, electrical wiring, air conditioning, and telecommunications lines. To properly test disaster recovery procedures at the cold site, alternate telecommunications and computer equipment would need to be set up and configured.
Server redundancy ensures that each server has another server that can operate in its place should the original server fail. Clustering is a form of server redundancy.
As part of any disaster recovery plan, security professionals should ensure that the organization covers the following geographic considerations:
Off-site backups – This ensures that copies of backups are stored off-site in case the primary site is affected by a disaster.
Distance – This ensures that the off-site storage or restoration location is far enough away from the primary site that it is not affected by the same disaster as the primary site.
Location selection – This ensures that a location is assessed to ensure that it is the best location for a backup site. For example, you would want to ensure that the appropriate physical controls are in place to ensure that your backups are protected.
Legal implications – This ensures that any legal implications regarding the off-site storage of data are considered. An organization may be under regulations that prevent certain sites or geographic locations from being used.
Data sovereignty – This ensures that the data is subject to the laws of the location where it is stored. For some organizations, compliance with multiple data sovereignty laws may be necessary.
** You are performing a qualitative Risk Analysis by having experts fill out anonymous questionnaires. Which method are you using?
Pareto Principle
Monte Carlo
Delphi Technique
Decision Tree
Delphi Technique
Explanation:
In the Delphi technique, experts fill out anonymous questionnaires, which keeps one or more experts from dominating the discussion.
The Pareto principle is not a method. It is a principle that states that 80% of consequences come from 20% of the causes.
Monte Carlo analysis is a risk management technique, which project managers use to estimate the impacts of various risks on the project cost and project timeline. It does not have experts fill out anonymous questionnaires.
A decision tree is a decision support tool that uses a tree-like model of decisions and their possible consequences. It does not involve experts filling out anonymous questionnaires.
** You are researching the RSA Encryption algorithm. You need to provide some basic facts about this algorithm to your organization’s management team so they can decide if they want to implement it on the organization’s Network. Which statement is NOT true of this algorithm?
RSA provides both Encryption and Authentication.
An RSA algorithm is an example of symmetric cryptography.
RSA can prevent Man-in-the-Middle attacks.
RSA uses Public and Private Key signatures for integrity verification.
RSA Encryption algorithms do not deal with discrete logarithms.
An RSA algorithm is an example of symmetric cryptography.
Explanation:
RSA is an example of asymmetric cryptography, not symmetric cryptography.
RSA can prevent man-in-the-middle attacks by providing authentication before the exchange of public and private keys. A man-in-the-middle attack is a threat to all asymmetric encryption communications.
RSA does not deal with discrete logarithms. The security provided by RSA is based on the use of large prime numbers for encryption and decryption. It is difficult to factor a number that is the product of two large primes. Therefore, it is difficult to break the encryption. RSA requires higher processing power due to the factorability of numbers but ensures efficient key management.
RSA is used as the worldwide de facto standard for digital signatures. RSA is a public key algorithm that provides both encryption and authentication. RSA uses public and private key signatures for integrity verification. With public key cryptography, the key is securely passed to the receiving machine. Therefore, public key cryptography is preferred to secure fax messages. When creating a public/private key pair, the RSA algorithm would need a user to specify the key strength.
** Your company needs to protect message integrity. Management decides that you need to implement an algorithm that uses 160-bit checksums. Which algorithm should you implement?
SHA
MD5
AES
DES
SHA (Secure Hashing Algorithm)
Explanation:
SHA = 160-bit checksums
AES = 128-bit, 192-bit, and 256-bit Encryption Keys
MD5 = 128-bit checksums
DES = 56-bit Encryption Keys
** You are designing Security for a new e-commerce Website. You know that you will use HTTPS as the browser protocol. The legal team has asked you to validate using the name of the responsible legal entity in the Certificate, to supply other validation parameters, and to provide a higher level of trust than domain validation. Which certificate would you use?
Extended Validation Certificate
Machine/Computer Certificates
Root Certificates
Email Certificates
Extended Validation Certificates
Explanation:
Extended validation certificates, as the name suggests, provide additional validation for HTTPS web sites. The certificate provides the name of the legal entity responsible for the web site. These certificates require the most effort by the CA to validate and provide a higher level of trust than domain validation because they are validated using more than the domain information.
Machine/computer certificates are assigned to a designated machine. During authentication, the computer (or machine) requesting access must supply the certificate assigned to it. Email certificates are used to secure email. One such example is Secure Multipurpose Internet Mail Extensions (S/MIME), which provides a digital “signature” for that email. Root certificates define the root CA and validate all other certificates issued by that CA. They are at the top of the CA hierarchy. They are self-signed and are closely guarded.
You should also be familiar with wildcard certificates, SAN fields, code signing certificates, user certificates, self-signed certificates, root certificates, and domain validation certificates.
Wildcard certificates allow you to create a certificate in a domain and use that same certificate for multiple subdomains. For example, if you had mail.mysite.com, ftp.mysite.com, and www.mysite.com, you could issue a wildcard certificate for mysite.com, and have it cover all the subdomains. Without the wildcard certificate, you would have to issue a certificate for each subdomain. Subject Alternative Name (SAN) is a field in the certificate definition that allows you to stipulate additional information, such as an IP address or host name, associated with the certificate. Code signing certificates are used for code that is distributed over the Internet, including programs or applications. Code signing certificates verify the code’s origin and help the user trust that the claimed sender is indeed the originator.
Self-signed certificates are digitally signed by the user. This is often provided by Microsoft Internet Information Services (IIS). The self-signed certificate will transmit a public key, but that key will be rejected by browsers. User certificates are assigned to individual users, much like machine/computer certificates are assigned to individual machines. Users must provide their assigned certificate for authentication prior to accessing certain resources. Root certificates define the root CA and validate all other certificates issued by that CA. They are at the top of the CA hierarchy. They are self-signed and are closely guarded.
Domain validation certificates are very common. They are low-cost and are often used by web admins to offer TLS to a domain. They are validated using only the domain name.
** Which of the following sources would provide a Threat Hunter with the most recent software and other Security Vulnerabilities discovered over the past week?
DHS Automated Indicator Sharing Database
US Cert Bulletin
Microsoft Security Response Center Blog
FBI InfraGard Portal
US Cert Bulletin
Explanation:
The US CERT Bulletin is a major threat feed used in the security world. Created and maintained by CISA, it provides weekly bulletins that summarize new vulnerabilities and possible patch options if and when they become available.
None of the other options provides the most recent software and other security vulnerabilities discovered over the past week.
The Department of Homeland Security (DHS) maintains the free Automated Indicator Sharing (AIS) program that allows organizations to share and obtain machine-comprehensible defensive measures and cyber threat indicators, allowing monitoring and defense of their networks against known threats.
The FBI InfraGard is a partnership between the FBI and members of the private sector in the shared concern for the protection of U.S. Critical Infrastructure. Through unified collaboration, InfraGard connects owners and operators within critical infrastructure with the FBI to provide education, information sharing, networking, and workshops on emerging technologies and threats that are developing within the US and around the world.
The Microsoft Security Response Center Blog is created and maintained by Microsoft to help keep up with the ever-evolving threats and better safeguard customers against malicious attacks through timely security updates and authoritative assistance.
** You discover that a malicious program has been installed on several host computers on your Network. This program’s execution was remotely triggered. Of what is this an example?
Virus
Botnet
Trapdoor
Worm
Botnet
Explanation:
A botnet is formed when a malicious program is installed on several host computers and is remotely triggered. For example, a hacker might install a malicious program on the computers on a network to form a botnet and then remotely trigger the botnet to cause a flood of network traffic. The infected computers then act as “zombies” by performing malicious acts on behalf of the perpetrator. Botnets result in distributed denial-of-service (DDoS) attacks. A good sign that a computer has become part of a botnet is if the browser behaves erratically, performance is slow, and hundreds of outbound connections exist. The most likely cause of a single computer communicating with an unknown IRC server and scanning other systems on the network is that the computer is infected with a botnet.
If a computer has been compromised with a botnet, you should shut down the computer. However, keep in mind that the memory, network processes, and system processes will be unavailable for later investigation once the computer is shut down. So, you may need to ensure that the contents of these are captured before shutting the computer down.
A trapdoor is an unreported method for entering a program. A trapdoor is typically created to debug a program, but sometimes hackers can find ways to exploit trapdoors for malicious purposes. A virus is a program that copies itself to files on a computer. A worm is a program that spreads itself through network connections. The main difference between a virus and a worm is that a worm is self-replicating.
** You have been hired as a Security consultant for a large corporation. During a meeting with the IT department, the IT manager indicates that one of their applications uses a Private Key Encryption standard that was developed in Russia and uses 256-bit Encryption Keys. Which Encryption standard does this application use?
RC5
GOST
CAST-128
IDEA
GOST
Explanation:
GOST is a Russian private key encryption standard that uses a 256-bit encryption key. GOST was developed as a counter to the Data Encryption Standard (DES).
CAST-128 is a private key encryption standard that is used in Pretty Good Privacy (PGP). International Data Encryption Algorithm (IDEA) is a private key encryption standard that was developed in Switzerland. IDEA is used in PGP and uses 128-bit encryption keys. RC5 is a private key encryption standard that was developed at the Massachusetts Institute of Technology. RC5 supports variable length encryption keys.
** You are evaluating several biometric authentication systems. Which is the BEST metric to use to quantify the effectiveness of the subject system?
FAR
CER
HOTP
FRR
CER (Crossover Error Rate)
Explanation:
Crossover error rate (CER) is the point where FAR and FRR are equal. Generally, a lower CER value indicates a more accurate system. CER is primarily used to compare biometric authentication systems.
False acceptance rate (FAR) is one way to measure the accuracy of a biometric authentication system. It measures how likely it would be that an unauthorized user is granted access to the system. Expressed as a ratio, it is the number of unauthorized users who were incorrectly allowed access to the protected system divided by the number of authentication attempts. A false acceptance can occur, for example, when an unauthorized individual with a dirty finger uses a fingerprint reader and is allowed access to the system. This could happen because the system was not precise enough when matching the authorized user.
By contrast, false rejection rate (FRR) measures how likely it would be that an authorized user is denied access to the system. It is also expressed as a ratio, calculated as the number of authorized users who were denied access to the protected system divided by the number of authentication attempts. False rejections can occur if the system settings are too precise, or if users are not trained properly on biometric login procedures.
HOTP and TOTP are two types of one-time passwords, i.e., they can only be used once. Hashed One Time Passwords (HOTP) are secure passwords used with hardware tokens. Time-based One Time Passwords (TOTP) are issued for a specific period of time. Once used, or once the time expires, the TOTP is no longer valid. As an example of a TOTP, a user forgets a password to a website. When the user clicks the “Forgot Password” link, the website would send a new temporary password to the user but would limit how long the temporary password would be valid. Other considerations include ABAC, proximity cards, smartcards, tokens, CAC, PIV, and file security.
Attribute-based access control (ABAC) goes beyond authentication based on username and password. It evaluates other factors, such as time of day and location of logons. ABAC would also be invoked if a user has read access to files but is attempting to edit or delete files remotely.
Smartcards have permissions and access information stored on the card. The greatest concern with smart cards is theft. Once stolen, the thief can use the card in the same manner as the rightful owner. As an example, if the user has access to a highly secure area by using the smartcard, a thief will have the same access when using the stolen card.
Proximity cards are a type of smartcard that incorporate Radio Frequency Identification (RFID) chips. These chips contain authentication information and transmit over a very short range. When the authentication device is within range of the proximity card, and the information transmitted is correct, authentication is granted.
Hardware tokens (or physical tokens) include such physical devices as wireless key cards, key fobs, and smart cards. Software tokens are a component of two-factor authentication systems. They are usually embedded on a device and used to authenticate the user.
A common access card (CAC) is a smart card issued by the Department of Defense (DoD) to military personnel and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login.
A personal identity verification (PIV) smart card is issued to non-military federal employees and contractors. They incorporate a picture, integrated chip, two bar codes and a magnetic strip. They can be used for visual identification and for login.
File system security should always be set to only allow what is absolutely essential for the user to do their job. This is also known as the principle of least privilege.
** Management has asked you to implement MD5 to verify data integrity. However, you are concerned that MD5 is not strong enough. Which size checksum does this algorithm produce?
16-bit
56-bit
256-bit
128-bit
128-bit
Explanation:
MD5 = 128-bit
SHA = 160-bit
AES = 128-bit, 192-bit, 256-bit
DES = 56-bit
The MD5 algorithm produces 128-bit checksums to verify integrity of data from a remote user. When you are given the MD5 hash for a file, you can verify that the file has not been tampered with. MD5 derives the hashing function for the challenge response of the Challenge Handshake Authentication Protocol (CHAP). MD5 is a hashing algorithm. If the MD5 hash values of a file do not match, the file has been compromised. You should discard the compromised file. When two completely different files produce the same hash values, this is referred to as a collision. When using Secure Sockets Layer (SSL) to download a file for which you have the MD5 hash, you cannot verify the MD5 hash until after the file is downloaded.
Data Encryption Standard (DES) uses 56-bit encryption keys. Secure Hashing Algorithm (SHA) produces 160-bit checksums. Advanced Encryption Standard (AES) uses 128-bit, 192-bit, and 256-bit encryption keys.
All algorithms are ciphers. Some ciphers are stronger than others. You must consider strong versus weak ciphers and how they will affect your organization. Depending on your organizational needs, you may need to select a weaker cipher for performance reasons. As a security professional, you should ensure that you fully research any ciphers you consider and understand the advantages and disadvantages of each cipher.
** Your company has decided to implement a Biometric System to ensure that only authorized personnel are able to access several secure areas at the facility. However, management is concerned that users will have privacy concerns when the Biometric System is implemented. You have been asked to recommend the Least Intrusive Biometric System of the listed options. Which option is considered Least Intrusive?
Retinal Scan
Voice Print
Iris Scan
Fingerprint
Voice Print
Explanation:
A voice print is considered less intrusive than the other options given. A voice recognition scanner is used to capture a voice print.
Retinal scanners and iris scanners are used to scan the retina and iris, respectively. Both an iris scan and a retinal scan are considered more intrusive because of the way in which the scan is completed. Most people are reluctant to have a scanner read any eye geometrics. A fingerprint scanner is used to scan a fingerprint. A fingerprint scan is more intrusive than a voice print. Most people are reluctant to give their fingerprints because fingerprints can be used by law enforcement. A voice print is very easy to obtain. Its primary purpose is to distinguish a person’s manner of speaking and voice patterns. Voice print systems are easy to implement compared to some other biometric methods. Voice prints are usually reliable and flexible.
A facial recognition scanner is used to scan facial characteristics. A facial scan is based on an individual’s bone structure, nose ridge, eye width, forehead structure, and chin shape.
** Recently, several confidential messages from your company have been intercepted. Your company has decided to implement PGP to encrypt files. Which type of model does this encryption use?
Ring
Web
Bus
Hierarchy
Web
Explanation:
Pretty Good Privacy (PGP) uses a web of trust to validate public key pairs. In a web of trust model, users sign their own key pairs. If a user wants to receive a file encrypted with PGP, the user must first supply the public key. In a public key infrastructure (PKI), certification authorities (CAs) are arranged in a hierarchy and sign public key pairs. Many older Ethernet networks used a bus model for their physical architecture. In a bus network, all computers on a network are connected to a central bus cable. A ring model is used to wire computers in token ring networks. In a ring network, all computers are connected to a physical ring of cable.
Bus and ring are types of networks. Hierarchy is not used by PGP. It can be used in a public key infrastructure (PKI).
GNU Privacy Guard (GPG) is an alternative to the PGP suite of cryptographic software. It uses a combination of conventional symmetric-key cryptography for speed, and public-key cryptography for ease of secure key exchange. GnuPG currently supports the following algorithms:
- Pubkey: RSA, ElGamal, DSA
- Cipher: IDEA (from 1.4.13/2.0.20), 3DES, CAST5, Blowfish, AES-128, AES-192, AES-256, Twofish, Camellia-128, Camellia-192, Camellia-256 (from 1.4.10/2.0.12)
- Hash: MD5, SHA-1, RIPEMD-160, SHA-256, SHA-384, SHA-512, SHA-224
** Your organization is using a STIX/TAXII client to review cyber threat indicators provided by an ISAC. What is the MOST likely source of this information?
Closed-source Intelligence
OSINT
AIS
IoC
AIS (Automated Indicator Sharing)
Explanation:
Automated Indicator Sharing (AIS) is a feed of threat indicators and defensive measures provided to the public by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Users can access it directly through CISA or indirectly through a third-party service.
Structured Threat Information Expression (STIX) defines a common language for discussing threat intelligence and serializes it into a coherent format.
OSINT is freely contributed by various non-profit groups and for-profit sources, including large corporations, and is available in a variety of formats, including comma-delimited files (.csv), HTML, and text files (.txt).
Note: OSINT is also the term for hacker reconnaissance wherein an attacker scans your public information, like websites and social media, to find possible weak points. CompTIA defines OSINT as a threat intelligence source.
Indicators of compromise (IoCs) are the digital signs left in the wake of an attack, such as altered registry keys and file signatures. IoCs are contained in threat feeds, whether they come from closed or open sources.
** You are comparing cryptographic solutions to implement at your organization. Which two items should you focus on when you are evaluating implementation versus algorithm selection? (Choose TWO)
Crypto Modules
Security Through Obscurity
Key Strength
Crypto Service Providers
Key Stretching
Crypto Modules
Crypto Service Providers
Explanation:
You should focus on crypto service providers and crypto modules when you are evaluating implementation versus algorithm selection. Crypto service providers should be able to answer questions regarding which algorithm(s) they use to generate keys and how they store keys. Crypto service providers are parties that provide cryptographic services. An example is Active Directory Certificate Services from Microsoft.
You should select crypto modules to match the type of data to be protected and the equipment on which the module will be deployed. For example, a module for a mobile device should not consume a substantial amount of processing power or battery life. An example is Microsoft Kernel Mode Cryptographic Module. None of the other options are factors that would affect the decision when evaluating a cryptographic solution based on implementation versus algorithm selection.
Key stretching takes a weak key and makes it stronger by adding additional characters. Often, a password is hashed, and a salt is used to make the password stronger. Salting is a form of key stretching.
Security through obscurity is the false confidence that the secret design or implementation is going to be sufficient to provide system safeguards. Often, the system is not all that secure, and the hope is that because no one knows about it, you are therefore protected. Key strength should reflect the sensitivity of the data it protects. Generally, as the need to secure the data increases, so should the strength of the key. Longer keys require more processing power (and time) to break.
** You have just installed a new FTP Server, but you do not know what information the FTP Server is transmitting when a user initially connects to it. Which tool could you use to discover that information, and consequently know what information an attacker could exploit?
Passive Scanner
Active Scanner
Backup Utilities
Banner Grabbing
Banner Grabbing
Explanation:
A network administrator could use banner grabbing to identify the information an attacker could exploit, and then take steps to remove or obscure it. Banner grabbing captures the text banner sent by a server or host when a client connects. The banner includes OS information and, in the case of a web server, perhaps basic configuration information. The attacker can then exploit that information.
Backup utilities are critical components of network security. Whatever utility you deploy should allow for secure automation.
Passive scanners do not directly interact with the network. An example would be scanning a company’s website. Active scanners use tools like Nessus and Microsoft Baseline Security Analyzer that analyze the network itself. When comparing passive scans to active, passive scans are indirect, typically looking at sites that provide information, and active scans look at the actual network equipment. An active scan is also considered an intrusive scan, and usually provides more meaningful results.
** Which two suppression methods are recommended when paper, laminates, and wooden furniture are the elements of a fire in the facility? (Choose TWO)
Water
Soda Acid
Dry Powder
Halon
Water
Soda Acid
Explanation:
Water or soda acid should be used to suppress a fire that has wood products, laminates, and paper as its elements. The suppression method should be based on the type of fire in the facility. The suppression substance should interfere with the elements of the fire. For example, soda acid removes the fuel while water reduces the temperature. Water or soda acid is used to extinguish class A fires.
Electrical wiring and distribution boxes are the most probable cause of fires in data centers. Class C fire suppression agents, such as halon or carbon dioxide, are used when the fire involves electrical equipment and wires. They can also be used to suppress Class B fires that include liquids, such as petroleum products and coolants.
The production of halon gas was banned by the Montreal Protocol in 1987. Halon causes damage to the ozone layer and is harmful to humans. The treaty requires vendors who already have halon extinguishers to get the extinguishers refilled with replacements, such as FM-200, approved by the Environmental Protection Agency (EPA). Carbon dioxide, also used to extinguish class B and C fires, eliminates oxygen. Carbon dioxide is harmful to humans and should be used only in unattended facilities.
Dry powder is a suppression method for a fire that has magnesium, sodium, and potassium as its elements. Dry powder extinguishes class D fires. Although dry powder can also suppress Class B and C fires, companies commonly use other forms of suppression for Class B and C fires. The only suppression method for combustible metals is dry powder.
** Choose the STEPS that belong in the Information Life Cycle and place them in the Correct order?
Options:
Use
Legal Hold
Delete/Dispose
Acquire/Collect
Acquire/Collect
Use
Delete/Dispose
Explanation:
Legal Hold refers to an exceptional step that is taken after evidence is collected for a criminal investigation. It is NOT a standard component of the Data Life Cycle.
Data Life Cycle Steps:
- Acquire - Obtaining or Creating Data
- Store - Storing the Data in a Secure Location.
- Use - Reading/Editing the Data
- Share - Transmitting Data
- Archive - Backing Up the Data in a Secure manner.
- Dispose - Erasing, Deleting, Destroying the Data.
** After a recent Security Audit, several Security issues were found. The Auditor made suggestions on technologies that your organization should deploy. One of the suggestions made is to deploy SKIP. Which statement is true of SKIP?
SKIP works on a response-by-session basis.
SKIP deploys IKE for key distribution management.
SKIP is only a key storage protocol.
SKIP is a key distribution protocol.
SKIP is a key distribution protocol (Simple Key Internet Protocol)
Explanation:
Simple Key management protocol for Internet Protocols (SKIP) is a key management and distribution protocol used for secure IP communication, such as Internet Protocol Security (IPSec). SKIP uses hybrid encryption to convey session keys. These session keys are used to encrypt data in IP packets. SKIP uses a key exchange algorithm, such as the Diffie-Hellman algorithm, to generate a key-encrypting key that will be used between two parties. A session key is used with a symmetric algorithm to encrypt data. SKIP is not a key storage protocol. It is a key distribution and management protocol similar to Internet Key Exchange (IKE). SKIP works on a session-by-session basis, although it does not require prior communication for the establishment of sessions. SKIP employs encryption standards, such as Data Encryption Standard (DES) and Triple DES (3DES), to provide secure communication.
SKIP does not deploy IKE for key distribution and management. IKE is a separate framework used to securely exchange keys to establish an IPSec session.
Key exchange can occur either in band or out of band. In-band key exchange occurs over the same transmission media that is used by data and voice transmissions. Out-of-band exchange occurs outside the data and voice transmission media. In-band key exchange is less secure than out-of-band key exchange.
** What is the purpose of the MITRE ATT&CK framework?
- Identify and Exploit system vulnerabilities using an attacker mindset.
- Identify and stop Advanced Persistent Threats (APT) before data exfiltration.
- Respond to tactics and techniques found in real-world attacks.
- Patch the most critical software vulnerabilities found by experts.
Respond to tactics and techniques found in real-world attacks.
Explanation:
The purpose of the MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework is to learn how to respond to tactics and techniques found in real-world attacks. The Open Web Application Security Project (OWASP) Top 10 is meant for patching the most critical software vulnerabilities found by experts, some of which have yet to be exploited in the wild. The purpose of the Cyber Kill Chain is to identify and stop advanced persistent threats (APTs) before data is exfiltrated. In penetration testing, the goal is to identify and exploit system vulnerabilities using an attacker mindset.
** Which research source can help in discovering new vulnerabilities and potential threats in existing Internet standards?
STIX
TAXII
TTPs
RFCs
RFCs (Request for Comments)
Explanation:
A Request for Comments (RFC) is a numbered document, which includes appraisals, descriptions, and definitions of online protocols, concepts, methods, and programs. RFCs are administered by the IETF (Internet Engineering Task Force). RFCs are produced when a new technology is accepted as a web standard, and they become useful when discovering new vulnerabilities and potential threats in existing internet standards.
TTP stands for tactics, techniques, and procedures, and is a concept that is used to identify patterns of behavior which can be employed to defend against certain strategies and threat vectors utilized by malicious actors. TTP is not solely concerned with existing Internet standards.
Structured Threat Information Expression (STIX) defines a common language for discussing threat intelligence and serializes it into a coherent format. TAXII stands for Trusted Automated Exchange of Indicator Information and was designed specifically to support STIX information by defining how cyber threat information can be shared via services and message exchanges. STIX and TAXII are not solely concerned with existing Internet standards.
** Several users on your Network have complained about computer responsiveness, failing connections to common Websites, and some corporate application failures. Based on this pattern of complaints, you suspect a widespread malware infection. After determining the scope of the problem and isolating compromised systems, you are required to determine if any data was breached. Which log files should you investigate to determine if this malware has exfiltrated data?
DNS Logs
SMTP Logs
SSH Logs
SQL Logs
DNS Logs (Domain Name System)
Explanation:
A great deal of security knowledge can be discovered from within the logs of your organization’s internal DNS servers. It also helps to monitor the outbound DNS queries on your network. This potential wealth of information can help you find potentially compromised hosts on the network by searching for queries that are abnormal or known to be malicious.
An adversary may find that an internal DNS is an attractive method for performing malicious activities like network reconnaissance, communication with command and control servers, data transfers out of the network, or malware downloads that are capable of all of these. Consequently, it is critical that DNS traffic be monitored for proper threat protection.
** Your company has recently implemented a content inspection application on a perimeter Firewall. What is the purpose of content inspection?
to identify and block unwanted messages.
to filter and forward Web content anonymously.
to distribute the workload across multiple devices.
to search for malicious code or behavior.
to search for malicious code or behavior.
Explanation:
The purpose of content inspection is to search for malicious code or suspicious behavior.
The purpose of load balancing is to distribute the workload across multiple devices. Often DNS servers are load balanced to ensure that DNS clients can obtain DNS information as needed. Other services are load balanced as well. Load balancers optimize and distribute data workloads across multiple computers or networks.
The purpose of an Internet or Web proxy is to filter and forward Web content anonymously.
The purpose of a spam filter is to identify and block unwanted messages. Spam filters should be configured to prevent employees from receiving unsolicited e-mail messages.
Another type of hardware that is similar to a spam filter is an all-in-one security appliance. This device filters all types of malicious, wasteful, or otherwise unwanted traffic.
Many all-in-one security appliances include a component that performs content inspection and malware inspection. These appliances usually also include a URL filter feature that allows administrators to block and allow certain Websites. For example, the URL filter in an all-in-one security appliance could be configured to restrict access to peer-to-peer file sharing Websites.
** You need to include some additional information in the certificate definition. Specifically, you would like to include the Host Name associated with the Certificate. Which of the following would provide a solution?
Extended Validation Certificate
Domain Validation Certificate
Machine/Computer Certificate
SAN
SAN (Subject Alternate Name)
Explanation:
A Subject Alternative Name (SAN) is a field in the certificate definition that allows you to stipulate additional information, such as an IP address or host name, associated with the certificate. Machine/computer certificates are assigned to a designated machine. During authentication, the computer (or machine) requesting access must supply the certificate assigned to it. These certificates do not always include host name information.
Domain validation certificates are very common. They are low-cost and are often used by web admins to offer TLS to a domain. They are validated using only the domain name. However, they do not allow you to configure alternate information in the certificate. These certificates do not always include host name information.
Extended validation certificates, as the name suggests, provide additional validation for HTTPS web sites. The certificate provides the name of the legal entity responsible for the web site. These certificates require the most effort by the CA to validate and provide a higher level of trust than domain validation because they are validated using more than the domain information, including the host name.
You should also be familiar with email certificates, code signing certificates, user certificates, and root certificates.
User certificates are assigned to individual users, much like machine/computer certificates are assigned to individual machines. Users must provide their assigned certificate for authentication prior to accessing certain resources. Email certificates are used to secure email. One such example is Secure Multipurpose Internet Mail Extensions (S/MIME), which provides a digital “signature” for that email. Code signing certificates are used for code that is distributed over the Internet, including programs or applications. Code signing certificates verify the code’s origin and help the user trust that the claimed sender is indeed the originator.
Root certificates define the root CA and validate all other certificates issued by that CA. They are at the top of the CA hierarchy. They are self-signed and are closely guarded.
** You are explaining to a new employee the proper process of Evidence Collection. As part of this explanation, you need to ensure that the new employee understands the Evidence Life Cycle. Put the steps in the Evidence Life Cycle in the correct order, starting with the first step at the top.
Analyze
Collect
Present
Return
Store
Collect
Analyze
Store
Present
Return
** Which cryptographic technique changes multiple output bits when you change a single input bit?
Salting
IV
Confusion
Diffusion
Diffusion
Explanation:
Diffusion is the cryptographic technique whereby a change of a single input bit results in a change of multiple output bits. Confusion is the technique where the relationship between the components of the message – the plain text, the key used, and the cipher text – is difficult to see. As a contrast, with ROT13, it is very easy to see the relationship between the components.
Salting is a countermeasure to protect against rainbow table attacks. With salting, additional bits are added before the text is hashed. For example, if the password is “OpenSesame,” salting will add additional characters prior to the hash, such as “Open00Salt99,” which changes the hash value of the password. When the rainbow table searches for a password that matches “OpenSesame,” the hash value will not match.
An initialization vector (IV) is a number that is used once (nonce). As an example of this technique, assume that one portion of a cryptographic key was encrypted with RC4, and another portion included the IV. In the event the RC4 portion of the key was cracked, the IV that is used only once would protect the message from unauthorized decryption. Weak or deprecated algorithms are to be avoided. Wired Equivalent Privacy (WEP), for example, is now considered a weak encryption algorithm, as well as Data Encryption Standard (DES).
** You need to incorporate SAML and SSO into a Web Application. Which of the following would you use?
OAuth
OpenID Connect
id_token
Shibboleth
Shibboleth
Explanation:
Shibboleth uses Security Assertion Markup Language (SAML), which defines security authorizations on web pages as opposed to web page elements in HTML. Shibboleth is a single sign-on (SSO) system that uses an identity provider and a service provider.
OAuth is Open Authorization. The current standard, OAuth 2.0, grants an application limited access to a user’s account on a third-party site, such as Facebook or Twitter. OAuth could grant the application access to a friend’s list or give the application the ability to post on the user’s behalf.
OpenID Connect provides the authentication necessary in OAuth. It authenticates the user and stores the user information in a token. OAuth does not work with SAML.
A secure token contains the user information and authentication information used by OpenID.
** A huge customer data breach occurred at a retail store. It originated from the store’s Point-of-Sale system contractor, who did not have adequate malware protection. Which Risk Mitigation concept could the store have implemented to avoid the breach?
Risk Response Techniques
Supply Chain Assessment
Likelihood of Occurrence
Risk Register
Supply Chain Assessment
Explanation:
Supply chain assessment might have stopped the store’s data breach. The breach was initiated with the failure of a contractor to have adequate anti-malware protection. Supply chain assessment would include verifying that vendors and contractors have adequate safeguards in place before they can access your network.
A risk register is a scatter graph of problem areas identified in a business impact analysis.
Risk response techniques include avoidance, transference, mitigation, and acceptance.
Analyzing the likelihood of occurrence compares the potential threat with the probability that the threat will occur.
** What preserves the existence and integrity of relevant electronic records (and paper records) when litigation is imminent?
Legal Hold
Chain of Custody
Data Sovereignty
Incident Response Plan
Legal Hold
Explanation:
Legal hold is the term for the preservation of information relevant to an impending lawsuit. Personnel will be instructed not to destroy or alter information relating to the topic of the lawsuit.
Chain of custody deals with how the evidence is handled once it has been collected and guarantees the identity and integrity of the evidence from the collection stage to its presentation in the court of law. There should be a log of who has had custody of the evidence, where it has been, and who has seen it. Active logging should also be used to document access to the evidence, including photographic or video records, showing the manner in which the evidence is secured. Preserving data for a legal hold just ensures that data is retained for the appropriate period and has nothing to do with chain of custody, although chain of custody is vital to preserving evidence.
An incident response plan describes how to respond to various types of security incidents. Incident response plans provide details on how to preserve data and logs related to an incident. Data sovereignty means that the data is subject to the laws of the location where it is stored. Different countries may differ in their laws for preserving the existence and integrity of records prior to litigation.
** You are working on a new Security system for a US Military installation that is only accessed by Military personnel. Which Certificate-based Authentication system should you integrate?
CAC
Hardware Tokens
Proximity Card
PIV
CAC (Common Access Card)
Explanation:
A Common Access Card (CAC) is a certificate-based smart card issued by the Department of Defense (DoD) to military personnel and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login.
None of the other options are implemented by the U.S. military.
Proximity cards are a type of smartcard that incorporate Radio Frequency Identification (RFID) chips. These chips contain authentication information and transmit over a very short range. When the authentication device is within range of the proximity card, and the information transmitted is correct, authentication is granted. A Personal Identity Verification (PIV) card is a certificate-based smart card issued to non-military federal employees and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login.
Hardware tokens (or physical tokens) include such physical devices as wireless key cards, key fobs, and smart cards. Smartcards have permissions and access information stored on the card. The greatest concern with smart cards is theft. Once stolen, the thief can use the card in the same manner as the rightful owner. As an example, if the user has access to a highly secure area by using the smartcard, a thief will have the same access when using the stolen card. Software tokens are a component of two-factor authentication systems. They are usually embedded on a device and used to authenticate the user.
** E-commerce payment systems, like PayPal and Google Checkout, allow the user to use a single identity across multiple platforms. Of which identity and access service is that an example?
Biometrics
Transitive Trust
Keyboard Cadence
Federation
Federation
Explanation:
Federation and federated identity is the ability of a user to use a single identity across multiple businesses or networks. Federation differs from single sign-on, where a user has one password that grants access to all the permitted network resources. Federation relies on trust relationships that are established between the different businesses or networks. Another example of federated identity is allowing Microsoft users to sign into cloud services using their on-premises Active Directory domain credentials.
A transitive trust involves creating relationships between domains to grant authenticated users access to other domains. In Active Directory, for example, if the Sales domain trusts the Marketing domain, and the Marketing domain trusts the HR domain, then Sales trusts the HR domain through a transitive relationship. Transitive trusts are established within a single organization or between private organizations. PayPal and Google Checkout do not use transitive trusts.
Biometrics and keyboard cadence are both factors used in multi-factor authentication. Biometrics is something you are. Fingerprints, voiceprints, retina scans, and iris scans are all examples of biometrics. Keyboard cadence is an example of something you do. When the user enters a new password, the keystroke timing (cadence) is recorded as a signature pattern. Authentication factors may be part of the process of authenticating your identity, but they have nothing to do with authorizing the identity to access multiple businesses or networks.
For the Security+ exam, you must understand the following authentication factors: something you are, something you have, and something you know. You also need to understand the following attributes: somewhere you are, something you exhibit, someone you know, and something you do.
Something you have is based on the user possessing some type of security device. These can include things such as smart cards, tokens, and key fobs. Something you know would be a password, a PIN, the name of a childhood sweetheart, the color of your first car, or the answer to a similar question.
** Management has asked that software developers take the appropriate actions to avoid Buffer Overflows. What is the BEST method to do so?
Perform a Check Digit
Run an Audit Trail
Perform a reasonableness check.
Execute a Well-Written Program
Execute a Well-Written Program
Explanation:
A well-written program is the best method to prevent buffer overflow errors. A buffer overflow occurs when the length of the input data is longer than the length the buffer can handle. A buffer overflow is caused when input data is not verified for appropriate length at the time of input. Buffer overflow and boundary condition errors are examples of input validation errors.
Audit trails and file integrity checks are examples of security controls in a trusted application system. Security controls cannot control buffer overflow, but can assist in monitoring unauthorized activity on either an application or a system.
A check digit, also referred to as a checksum, provides data integrity by computing hash values. A checksum occurs when either a source application or a system uses a mathematical formula to compute a hash value against a standard input and sends the value to the destination. After receiving the data, the receiving application performs the same mathematical operation. If the hash values match, the data is considered acceptable. If the hash values do not match, the data is discarded. Check digits neither prevent nor detect buffer overflows.
A reasonableness check verifies whether the data within an application program lies within the predefined limits and format. For example, an application meant for processing numbers should not accept alphabetical characters as a valid input. Reasonableness checks monitor the data input format and not the buffer overflows.
** Users are complaining that the new Biometric identification system is difficult to use. They are saying that even though the initial logon worked fine, they have difficulty logging in later. In addition to user training, what should you investigate?
FAR
HOTP
FRR
CER
FRR (False Rejection Rate)
Explanation:
You should investigate the device’s FRR to determine its accuracy. False rejection rate (FRR) measures how likely it would be that an authorized user is denied access to the system. Expressed as a ratio, it is the number of authorized users who were denied access to the protected system divided by the number of authentication attempts. False rejections can occur if the system settings are too precise, or if users are not trained properly on biometric login procedures.
By contrast, false acceptance rate (FAR) measures how likely it would be that an unauthorized user is granted access to the system. Its ratio is the number of unauthorized users who were incorrectly allowed access to the protected system divided by the number of authentication attempts. FAR could happen because the system was not precise enough when matching the authorized user.
Crossover error rate (CER) is the point where FAR and FRR are equal. Generally, a lower CER value would indicate a more accurate system. CER is primarily used to compare biometric authentication systems. HOTP/TOTP are two types of one-time passwords (i.e., they can only be used once). Hashed One Time Passwords (HOTP) are secure passwords used with hardware tokens. Time-based One Time Passwords (TOTP) are issued for a specific period of time. Once used, or once the time expires, the TOTP is no longer valid.
Other considerations include ABAC, proximity cards, smartcards, tokens, CAC, PIV, and file security.
Attribute-based access control (ABAC) goes beyond authentication based on username and password. It evaluates other factors, such as time of day and location of logons. Another aspect would be if a user has read access to files but is attempting to edit or delete files remotely.
Smartcards have permissions and access information stored on the card. The greatest concern with smart cards is theft. Once stolen, the thief can use the card in the same manner as the rightful owner. As an example, if the user has access to a highly secure area by using the smartcard, a thief will have the same access when using the stolen card.
Proximity cards are a type of smartcard that incorporates Radio Frequency Identification (RFID) chips. These chips contain authentication information and transmit over a very short range. When the authentication device is within range of the proximity card, and the information transmitted is correct, authentication is granted.
Hardware tokens (or physical tokens) include such physical devices as wireless key cards, key fobs, and smart cards. Software tokens are a component of two-factor authentication systems. They are usually embedded on a device and used to authenticate the user.
A Common Access Card (CAC) is a smart card issued by the Department of Defense (DoD) to military personnel and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login.
A Personal Identity Verification (PIV) smart card is issued to non-military federal employees and contractors. They incorporate a picture, integrated chip, two barcodes and a magnetic strip. They can be used for visual identification and for login.
File system security should always be set to only allow what is absolutely essential for the user to do their job. This is also known as the principle of least privilege.
Which of these options is particularly dangerous because it processes data with little or no latency?
RTOs
SoC
Home Automation
Wearable Technology
RTOs (Real Time Operating Systems)
Explanation:
Real Time Operating Systems (RTOs) are particularly dangerous because they process data with little or no latency. They are susceptible to code injection, exploiting shared memory, priority inversion, DoS attacks, and attacks on inter-process communication.
While the other options are security risks, none processes data with little or no latency.
Home automation devices, such as smart thermostats, lighting systems, and refrigerators, are susceptible to security issues. The security concerns are the same as for industrial controls, just at the home level. Wearable technology devices are at risk. Most transmit via Wi-Fi or Bluetooth to a host device, and as such are subject to attack. In addition to being subject to attack, wearable devices such as voice recorders, video recorders, and hidden cameras can also be used by an attacker to gain information. System on a chip (SoC) is often found in smart phones. Checks should be incorporated that ensure the system only boots with trusted code and builds a root of trust (RoT).
Your organization has asked the Security team to add terrorist attacks to the organization’s Business Continuity Plan. Which type of threat does this most likely represent?
Supply System Threat
Natural Environmental Threat
Internal Threat
Politically Motivated Threat
Politically Motivated Threat
Explanation:
A terrorist attack is most likely a politically motivated threat. A terrorist attack is usually an attack against a particular country by a group that opposes the political views of that country. Often, a particular group takes credit for a terrorist attack. Politically motivated threats include strikes, riots, civil disobedience, and terrorist attacks.
Natural environmental threats include floods, earthquakes, tornadoes, hurricanes, and extreme temperatures.
Supply system threats include power outages, communications interruptions, and water and gas interruption.
An internal threat is one that originates from within an organization. A terrorist attack is not most likely an internal threat.
A threat assessment is performed to identify the threats facing an organization and its assets. Internal threats are those that originate from within the organization, and external threats are those that originate from outside the organization.
Which Social Engineering Attack can be conducted without any prior knowledge of the target’s habits, job, or personal information?
Spear Phishing
Whaling
Invoice Scam
Reconnaissance
Reconnaissance
Explanation:
Reconnaissance does not require prior knowledge of the target. It helps the attacker gather information for a later attack. Remember that reconnaissance can mean visiting a target to observe security controls in person, but it also can refer to digital and remote intelligence gathering techniques.
Spear phishing is a type of phishing aimed at a specific user or group, and appears to come from a trusted source. Spear phishing requires some inside knowledge of the target, which the attacker can gather from reconnaissance, open-source intelligence (OSINT), or other social engineering attacks.
Whaling is a type of spear phishing aimed at high-profile targets, such as board members and CEOs.
An invoice scam involves sending a fake invoice (by mail or electronically) to an accounts payable department in the hopes that it will be paid without being verified. It requires knowledge of the target’s email address or physical address.
Which general mechanism is used by Cloud consumers to limit Security exposure and running expenses?
Container Security
Secrets Management
Resource Policies
Resource Clustering
Resource Policies
Explanation:
Cloud service providers can provide users with access to resources via policies. There are two ways to do this: role-based policies or resource-based policies. You can use resource-based policies to provide access control where a user in a different cloud account can be granted access to a resource in your account. You can also use role-based policies, in which you assign a user to a role that has permission to use a resource.
Container security refers to the controls that apply to applications deployed to lightweight OS containers, while secrets management refers to the system used to control access to sensitive application data like keys and configuration settings.
Resource clustering describes how resources can be collected together to perform the same role in load balancing scenarios.
As a Security professional, you have been asked to advise an organization on which access control model to use. You decide that Role-based Access Control (RBAC) is the best option for the organization. What are two advantages of implementing this access control model? (Choose TWO)
high Security environment
low Security cost
user friendly
discretionary in nature
easier to implement
low Security cost
easier to implement
Explanation:
Role-based access control (RBAC) has a low security cost because security is configured based on roles. For this reason, it is also easier to implement than the other access control models. During the information gathering stage of deploying an RBAC model, you will most likely need a matrix of job titles with their required access privileges.
RBAC is NOT the most user friendly option. Discretionary access control (DAC) is more user friendly than RBAC because it allows the data owner to determine user access rights. If a user needs access to a file, he only needs to contact the file owner.
RBAC is NOT discretionary in nature. DAC is discretionary, meaning access to objects is determined at the discretion of the owner.
RBAC is NOT a highly secure environment. Mandatory access control (MAC) is considered a highly secure environment because every subject and object is assigned a security label.
With RBAC, it is easy to enforce minimum privilege for general users. You would create the appropriate role, configure its permissions, and then add the users to the role. A role is defined based on the operations and tasks that the role should be granted. Roles are based on the structure of the organization and are usually hierarchical.
RBAC is a popular access control model used in commercial applications, especially large networked applications.
Rule-based access control is often confused with RBAC because their names are similar. With rule-based access control, access to resources is based on a set of rules. The user is given the permissions of the first rule that he matches.
An employee has reported their mobile device was stolen. Which of the following MDM options provides the BEST confidentiality for a mobile device, if it is stolen?
Automated Screen Locking
Geofencing
Full Device Encryption
Remote Wiping
Full Device Encryption (FDE)
Explanation:
Utilizing full device encryption on mobile devices through Mobile Device Management (MDM) will best provide confidentiality if the device were to be stolen. Full device encryption ensures that the contents of the mobile device are encrypted. With more organizations moving to a mobile-first workforce, every mobile device contains a lot of confidential corporate data that needs to be secured from unauthorized access. Encryption is the most common way to secure the data present on the devices, whereby unauthorized usage of corporate data is restricted.
Another option to ensure that corporate data cannot be accessed by an unauthorized source is to adopt a remote wipe policy for mobile devices. A remote wipe or sanitation process would erase all of the data on the mobile device in the event that the mobile device is lost or stolen. However, it would not provide the BEST confidentiality because the data is only erased once the device manager is notified that the device is lost or stolen. The device would also need to be online.
Other security mechanisms used for mobile devices include screen locks, strong passwords, voice encryption, and GPS tracking. Screen locks prevent users from accessing the mobile device until a password or other factor is entered. Strong passwords ensure that mobile devices cannot be accessed unless the password is entered. They also ensure that the password is hard to discover using a password attack. Voice encryption ensures that conversations cannot be eavesdropped on. GPS tracking allows a mobile device to be located. However, GPS tracking can also be considered a security threat and is often disabled.
Geofencing can limit the effectiveness of devices within a confined geographic area, but if the device is stolen and moved outside of that area, its data would still be available to an attacker.
You have been hired as a Security consultant for a new company named Verigon. Verigon needs guidance on which protocols to implement on the Network. Match each protocol option with the correct description?
Options:
Secure IMAP
SRTP
LDAPS
FTPS
SFTP
Descriptions:
File transfer over SSL
Secure Email
Secure Directory Services
File transfer over SSH
Secure Voice and Video
Secure IMAP – Secure Email
(Internet Mail Access Protocol)
Port 993
SRTP – Secure Voice and Video
(Secure Real Time Protocol)
LDAPS – Secure Directory Services
(Lightweight Directory Access Protocol Secure)
Port 636
FTPS – File transfer over SSL
(File Transfer Protocol Secure)
Port 989/990
SFTP – File transfer over SSH
(Secure File Transfer Protocol)
Port 22 - Secure Shell (SSH), Secure Copy (SCP)
You are the Security administrator for an organization. Management decides that ALL communications on the Network should be Encrypted using the Data Encryption Standard (DES) or Triple DES (3DES) algorithm. Which statement is TRUE of these algorithms?
The effective key size of DES is 64 bits.
A Triple DES (3DES) algorithm uses 48 rounds of computation.
A DES algorithm uses 32 rounds of computation.
A 56-bit DES Encryption is 256 times more secure than a 40-bit DES Encryption.
A Triple DES (3DES) algorithm uses 48 rounds of computation.
Explanation:
A Triple DES (3DES) algorithm uses 48 rounds of computation. It offers high resistance to differential cryptanalysis because it uses so many rounds. The encryption and decryption process performed by 3DES takes longer due to the higher processing power required.
The actual key size of the Data Encryption Standard (DES) is 64 bits, of which 8 bits are used for a parity check. Therefore, the effective key size of DES is 56 bits.
The DES algorithm uses 16 rounds of computation. The order and the type of computations performed depend upon the value supplied to the algorithm through the cipher blocks.
According to the following calculation, a 56-bit DES encryption is 65,536 times more secure than a 40-bit DES encryption:
2^40 = 1099511627776 and 2^56 = 72057594037927936
Therefore, 72057594037927936 divided by 1099511627776 = 65,536 (which is 2^16).
DES has many security issues. If a bank has a fleet of aging payment terminals used by merchants for transactional processing, and the terminals currently support single DES but require an upgrade to be compliant with security standards, the simplest solution to improve the in-transit protection of transactional data is to upgrade to 3DES.
Which automation or scripting concept can reduce the Risk that new equipment might not have all the same settings, applications, and drivers as your existing equipment without changing vital user settings?
Configuration Validation
Automated Courses of Action
Continuous Monitoring
Templates
Configuration Validation
Explanation:
Configuration validation through automation and scripting can ensure that new equipment has the same settings, applications, and drivers as existing equipment.
Continuous monitoring can be employed to ensure that no device on the network has its configuration settings changed, but it will not ensure that the configurations match.
Automated courses of action can be accomplished through scripting, so that certain events trigger a series of responses or actions. Automated courses of action can also be used to obtain updates and patches by scheduling the software to check for them at certain times. Automated courses of action usually cannot verify that equipment has the same settings, applications, and drivers as existing equipment.
Templates provide standardized documentation for several issues. Such issues can include security analysis reporting, threat and vulnerability identification, and impact assessment, among others. Templates can also be used to configure operating systems (OSs) to ensure that certain settings are automatically configured. Templates are usually used as a first time configuration measure, but often cannot be reapplied because doing so would result in loss of any user changes that have been made.
You need to ensure that backdoor applications are not installed on any devices in your Network. Which tool is NOT a backdoor application?
NetBus
Masters Paradise
Nessus
Back Orifice
Nessus
Explanation:
Nessus is NOT a backdoor application. It is a network vulnerability scanner.
Back Orifice, NetBus, and Masters Paradise are all backdoor applications. These applications work by installing a client application on the attacked computer and then using a remote application to gain access to the attacked computer. Back Orifice is a famous rootkit that targets Windows systems and is sometimes used as a remote administration tool.
You have been hired as a Security consultant for a new company named Verigon. Verigon needs guidance on which protocols to implement on the Network. Match the protocol options with the correct description?
Options:
SSL/TLS
S/MIME
SNMPv3
SSH
Descriptions:
Routing and Switching Management
Secure Encryption and Digital Signatures for Email
Secure Remote Access
Cryptographic Communication Protocol
SSL/TLS – Cryptographic Communication Protocol
S/MIME – Secure Encryption and Digital Signatures for Email
SNMPv3 – Routing and Switching Management
SSH – Secure Remote Access
When a large data breach occurs, which impact to the business is difficult to measure in monetary terms but influences how customers perceive the brand in the marketplace?
Security Awareness
Availability Disruption
Identity Theft
Reputation Loss
Reputation Loss
Explanation:
Reputation loss is intangible damage to the organization that occurs due to a company suffering a data breach.
Security awareness is a term used to describe the security sophistication of a user group or company.
Identity theft is the theft of certain personal information that allows for making financial transactions in the name of the targeted person.
Availability disruption is not a term used when discussing security or breaches.
When considering home or office alarm systems, which availability feature leaves them open to remote attacks?
Cloud-based storage of images
Convenient power plug standard
WIFI Protected Setup button
Internet Connection
Internet Connection
Explanation:
Alarm systems with a connection to the internet are a two-way street for connectivity. Not only does the connection make the system more convenient to use when you are away from home, but it also gives attackers a remote path to your alarm system, making it vulnerable to attack.
The best way to prevent these remote alarm system attacks is to use extremely strong passwords for both your home Wi-Fi network and the account you use to access the alarm system via the internet.
Having a convenient power plug or WPS button could only impact the local attack surface.
Although the cloud storage could be attacked to gain image files, the device itself is not open to attack through that vector.
You have been hired as a Security consultant. One of your recommendations is that the organization should implement Encryption for all data, including data at rest, data in use, and data in transit. Which Security service does this provide?
Accountability
Integrity
Availability
Confidentiality
Confidentiality
Explanation:
Encryption provides confidentiality security services. An encrypted file is protected from being read by users who cannot decrypt the file. Users require digital keys to decrypt and read encrypted files. Confidentiality deals with ensuring that information is not intentionally or unintentionally disclosed.
Accountability is a security service that is used to determine the identity of users. Authentication is an example of an accountability security service. Availability is a security service that protects hardware and data from loss by ensuring that any needed data is available when necessary. Backups are an example of availability. Integrity is a security service that ensures that digital files have not been changed. Digital signatures are an example of an integrity security method. A digital signature provides integrity and non-repudiation. Non-repudiation ensures that the data’s origin is known.
The cafe in the student center of a university established contactless payment by printing QR codes on its menus. When scanned by a mobile device, the QR codes direct the students to an online payment system that deducts money from their student debit cards. One day the menus have new QR codes printed on stickers that are placed over the old ones. The following week, several students discover money is missing from their accounts. Which Social Engineering principle made this a successful attack?
Urgency
Trust
Scarcity
Authority
Trust
Explanation:
This was an example of trust. Even though the menus in the café had clearly been altered, they appeared to come from a trustworthy source and were part of an established pattern of use. QR codes can embed malicious links or direct users to compromised sessions. For these reasons, users should be taught never to scan QR codes placed in random public areas, or QR codes printed on stickers or other temporary media.
CompTIA lists seven principles that can make social engineering attacks effective:
Authority – The attacker impersonates someone with the power to request access to sensitive information, such as an IT support desk member or law enforcement.
Intimidation – The attacker bullies or belittles the victim to get access or sensitive information, such as an attacker who says he will have a security guard fired if the guard does not unlock a secured door for the attacker.
Consensus – The attacker convinces the victim that it is fine to reveal confidential information or perform a risky action because the victim’s peers or coworkers are doing it too.
Scarcity – The attacker wraps the attack in an offer that is limited, restricted, or expiring soon, such as an invitation to an exclusive LinkedIn group that the attacker will use to harvest confidential company information.
Familiarity – The attacker pretends to be someone who belongs in the victim’s environment, such as an employee in a neighboring office or a remote coworker.
Trust – The attacker gains the victim’s trust by pretending to be a sympathetic person who will help the victim, or who deserves to be helped by the victim.
Urgency – The attacker pretends there is an emergency that requires the victim to immediately release confidential information or grant access. Urgency is often combined with authority attacks that impersonate law enforcement.
Management at your company has requested that you implement DLP. What is the purpose of this technology?
It protects against malware.
It monitors data on computers to ensure the data is not deleted or removed.
It implements hardware-based Encryption.
It allows organizations to use the Internet to host services and data remotely instead of locally.
It monitors data on computers to ensure the data is not deleted or removed.
Explanation:
Data Loss Prevention (DLP) is a network system that monitors data on computers to ensure the data is not deleted or removed. If your organization implements a DLP system, you can prevent users from transmitting confidential data to individuals outside the company.
Cloud computing is a technology that allows organizations to use the Internet to host services and data remotely instead of locally.
Microsoft Security Essentials is an application that protects against malware. It is included in Windows 7. Windows 8 and above use Windows Defender. Other applications are available that protect against malware.
Trusted Platform Module (TPM) and Hardware Security Module (HSM) are both chips that implement hardware-based encryption. The main difference between the two is that a TPM chip is usually mounted on the motherboard and HSM chips are PCI adapter cards.
DLP provides different solutions based on data location:
Network based – deals with data in motion and is usually located on the network perimeter.
Storage based – operates on long-term storage (archive).
Endpoint based – operates on a local device and focuses on data-in-use.
Cloud based – operates in "the cloud" on data in use, in motion, and at rest.
DLP identifies and controls endpoint ports, as well as blocking access to removable media, by providing the following services:
Identify removable devices connected to your network by type (USB thumb drive, DVD burner, mobile device), manufacturer, model number, and MAC address.
Control and manage removable devices through endpoint ports, including USB, Wi-Fi, and Bluetooth.
Require encryption, limit file types, and limit file size.
Provide detailed forensics on device usage and data transfer by person, time, file type, and amount.
DLP includes USB blocking, cloud-based, and email services.
A Web Server is located on a DMZ segment. The Web Server only serves HTTP pages, and there are no other computers on the DMZ segment. You need to configure the DMZ to ensure that communication can occur. Which PORT should be opened on the Internet side of the DMZ Firewall?
110
80
20
443
80
Explanation:
Only port 80 should be opened on the Internet side of the demilitarized zone (DMZ) firewall. The firewall will allow only HTTP traffic to enter the DMZ; all other port traffic will be prevented from entering the DMZ.
Port 20 is used by File Transfer Protocol (FTP) to send data. Port 110 is used by Post Office Protocol (POP), and port 443 is used by Secure Sockets Layer (SSL). The Web server on the DMZ only serves Web pages, so only HTTP services should be activated on the Web server. All other services on the Web server should be deactivated, which will strengthen security on the Web server.
Access control lists (ACLs) are used to configure rules on network devices. These ACLs determine which communication is allowed or denied. ACLs can be based on port numbers, IP addresses, MAC addresses, and other criteria.