Security+ ITProTV Practice Exam I Flashcards

1
Q

** When connecting to a Website using SSL/TLS, the Client browser uses the Root CA’s Public Key to decrypt the Digital Signature of each Certificate until finally verifying the identity associated with the Website’s Certificate. Which term or phrase describes this PKI concept?

Key Escrow
Certificate Chaining
Key Pairing
Certificate Revocation

A

Certificate Chaining

Explanation:
Certificate chaining refers to the trust relationships between CAs and helps determine which certificate has the highest level of trust. For example, if you get a certificate from “A,” and “A” trusts the root certificate, the highest level of trust is the root certificate.

Key escrow addresses the issue that a key might be lost. It is a proactive approach where copies of the private keys are held in escrow (stored) by a third party. The third party (key recovery agent) manages access to and use of the private keys. Keys do not define trust relationships.

A certificate revocation refers to a certificate that has been revoked or is planning on being revoked, for one reason or another. A certificate revocation list (CRL) contains a list of serial numbers for digital certificates that have not expired, but that a certification authority (CA) has specified to be invalid. Typically, the serial number of a digital certificate is placed in a CRL because the digital certificate has been compromised in some way.

In public key cryptography, also known as asymmetric cryptography, every public key pairs to only one private key. Together, these key pairs are used to encrypt and decrypt messages and data that are sent over the internet and the network. Using key pairing can ensure both the security and the identity of the sender.

2
Q

** A Hacktivist group claims responsibility for infecting a manufacturer’s systems by planting an infected USB drive at the company’s office. The manufacturer’s distributor, several vendors, and hundreds of customers were all eventually infected with the malware that stole important credential information for those infected.

Which term describes this attack strategy?

Direct Access
Cloud-based
Social Media
Supply Chain

A

Supply Chain

Explanation:
A supply chain attack is not an attack on a target directly but an attack on a more vulnerable company or resource within its supply chain that helps the organization conduct business or create a product. An increasing number of hacks are being carried out this way.

Direct access is the most straightforward type of attack and hopefully the most preventable. This type of attack is a physical or local attack, such as an attacker exploiting an unlocked workstation and using a boot disk to install malicious tools or simply stealing a device.

Similar to the supply chain attack, hackers may try and exploit vulnerabilities in cloud-based web service providers to gain access to an organization’s data.

Social media attacks occur when malware is attached to posts or presented as downloads on social media sites. At their most dangerous, hackers can make it so a compromised site automatically infects a vulnerable computer.

3
Q

** A man wearing a service provider’s coveralls and carrying a toolbox approaches your facility’s Security guard. He says that his work crew is running some new Ethernet cable inside your office, but he left his mobile phone at home, so he can’t call his crew to let him in. The Security guard admits the man through your Secured door. The following week, you find an undocumented Network device installed in a closet. Which Social Engineering attack techniques were used? (Choose ALL that Apply)

Eliciting Information
Influence Campaign
Impersonation
Identity Fraud
Pretexting

A

Impersonation
Pretexting

Explanation:
The attacker used pretexting and impersonation to commit physical social engineering. Pretexting (when referring to social engineering) is inventing a scenario that will engage the victim and provide the attacker with an excuse to be in the area. Impersonation is pretending to be an employee, vendor, IT help desk staff, delivery driver, or other individual with some level of legitimate access. Impersonation can occur on the phone or in person. In this scenario, the guard should have asked an employee inside the building to verify that an authorized work crew was on the grounds.

While this was an impersonation, it was not identity fraud. Identity fraud is stealing a specific individual’s PII or credentials to commit financial fraud, elicit information, gain access to confidential records, or penetrate a network. Impersonation is generic, while identity fraud is specific.

The attacker did not elicit information. Eliciting information is tricking the victim into revealing sensitive information, like shift times and manned desk hours, through friendly conversation.

An influence campaign is a multi-actor attack that uses social media accounts to post inflammatory rhetoric and unsubstantiated or fake news stories. The goal of the disinformation is to cause political, social, and economic instability in the target. Influence campaigns are usually conducted by APTs and hostile nation-states.

Physical social engineering uses in-person techniques to gather confidential information or gain access. Other physical social engineering tricks are dumpster diving, shoulder surfing, tailgating / piggybacking, and reconnaissance. Remember that in the CompTIA objectives, reconnaissance can mean visiting a target to observe security controls in person, but it can also refer to digital and remote intelligence gathering techniques using OSINT and automated tools.

4
Q

** You have been authorized by management to use a Vulnerability Scanner once every three months. What is this tool?

An application that detects when Network intrusions occur and identifies the appropriate personnel.

An application that protects a system against viruses.

An application that identifies ports and services that are at risk on a Network.

An application that identifies Security issues on a Network and gives suggestions on how to prevent the issues.

A

An application that identifies Security issues on a Network and gives suggestions on how to prevent the issues.

Explanation:
A vulnerability scanner is an application that identifies security issues on a network and gives suggestions on how to prevent the issues. It is a management control type.

A port scanner is an application that identifies ports and services that are at risk on a network.

An intrusion detection system (IDS) is an application that detects when network intrusions occur and identifies the appropriate personnel.

A virus scanner is an application that protects a system against viruses.

5
Q

** Your organization has decided to implement an Encryption algorithm to protect data. One IT staff member suggests that the organization use IDEA. Which strength Encryption Key is used in this Encryption algorithm?

256-bit
64-bit
56-bit
128-bit

A

128-bit

Explanation:
International Data Encryption Algorithm (IDEA) uses a 128-bit Encryption Key that encrypts 64-bit blocks of data.

Data Encryption Standard (DES) uses a 56-bit Key to encrypt 64-bit blocks of data.

Some Private Key Encryption standards support 256-bit Encryption Keys.

6
Q

** Your organization has recently adopted a new organizational Security policy. As part of this new policy, management has decided to implement an Iris Scanner for anyone wanting access to the Secure data center. Which procedure does this use to authenticate users?

It takes a picture of the user’s eye and compares the picture with pictures on file.

It scans the shape of the user’s face and compares the face scan with faces on file.

It scans the user’s handwriting and compares the handwriting with a sample on file.

It scans the blood vessels in the user’s eye and compares the pattern with patterns on file.

A

It takes a picture of the user’s eye and compares the picture with pictures on file.

Explanation:
An iris scanner determines whether to authenticate a user by taking a picture of the iris of the user’s eye and comparing the picture with iris pictures on file.

A retinal scanner determines whether to authenticate a user by scanning the pattern of blood vessels in the user’s eye and comparing that pattern with patterns already on file. A retinal scanner has the lowest crossover error rate and is the most reliable biometric system.

A face recognition scanner determines whether to authenticate a user by scanning the user’s face and comparing that scan to face scans already on file. A facial scan is based on an individual’s bone structure, nose ridge, eye width, forehead structure, and chin shape. A signature scanner determines whether to authenticate a user by comparing the shapes and stroke-timing of a person writing their signature with a signature pattern already on file.

Biometric access control is a security mechanism that makes use of hand scanners, fingerprints, retinal scanners, or DNA structure to identify the user.

7
Q

** Which of the following scenarios describes a Man-in-the-Browser (MitB) Attack?

When users click on a link in a seemingly legitimate email, a malicious payload is downloaded and executed.

When users establish a Session with a legitimate Website, an attacker device eavesdrops on the conversation.

When users install a seemingly legitimate application, a Remote Access Backdoor is also installed.

When users attempt to access a legitimate Website, they are instead redirected to a malicious Website.

A

When users attempt to access a legitimate Website, they are instead redirected to a malicious Website.

Explanation:
The scenario of being redirected to a malicious website from a legitimate one is a man-in-the-browser attack. The man (or malware) in the browser redirects the user to a fake site rather than the intended site.

When users click on a link in a seemingly legitimate email, and a malicious payload is downloaded and executed, it is an example of malicious links in an email.

When users establish a session with a legitimate website and an attacker device eavesdrops on the conversation, it is a session hijacking attack.

When users install a seemingly legitimate application and a remote access backdoor is also installed, it is an example of a remote access trojan (RAT).

8
Q

** You perform a Server Scan and find that you have a high amount of Telnet traffic. You have installed several new peripheral devices on the Server. Which newly installed peripheral device is most likely causing this problem?

Wireless Mouse
Printer
Digital Camera
Wireless Keyboard

A

Printer

Explanation:
Printers and multi-function devices (MFDs), particularly those with networking capability, have the same security concerns as any other device that can be remotely managed. For example, the printer may allow users to connect through Telnet or SSH. If those protocols are not used in your business, turn them off.

Wireless keyboards are subject to keystroke injection. Wireless mice are subject to mouse spoofing. Digital cameras with wireless networking capability should be included in malware scans. However, these devices do not usually need to be remotely managed via Telnet.

Other peripheral devices that may be on the exam include wireless displays, Wi-Fi-enabled MicroSD cards, and external storage devices.

Wireless displays often connect to the Internet to pull in content. If they have a remote management feature, security professionals should determine if that feature uses Telnet or not.

Wi-Fi-enabled MicroSD cards should be included in malware scans.

External storage devices with wireless networking capability should be included in malware scans.

9
Q

** An advanced user has recently had several new peripheral devices added to his desktop computer. You are concerned about peripheral devices becoming infected with malware. Which peripheral devices should you examine?
(Choose ALL that Apply)

WIFI Enabled MicroSD Cards
Digital Camera
Wireless Mouse
External Storage Devices

A

WIFI Enabled MicroSD Cards
Digital Camera
External Storage Devices

Explanation:
Malware scans should be performed on Wi-Fi-enabled MicroSD cards, external storage devices, and digital cameras with wireless network capability.

Wireless mice are subject to mouse spoofing, not malware infection. Mouse spoofing involves sending forged signals to the victim’s computer that match the wireless mouse’s protocol. Once the signals are accepted, the attacker can use mouse actions to command the computer to download other attack vectors or turn off anti-virus protection. However, no malware infects the mouse or the victim’s computer. Other peripherals of concern include printers, multifunction devices, wireless keyboards, and wireless displays.

Printers or multi-function devices (MFDs), particularly those with networking capability, have the same security concerns as any other device that can be remotely managed. For example, the printer may allow users to connect through Telnet or SSH. If those protocols are not used, turn them off.

Wireless keyboards are subject to keystroke injection.

Wireless displays often connect to the Internet to pull in content. If they have a remote management feature, security professionals should determine whether that feature uses Telnet. Because they pull content from the Internet, they could also be susceptible to malware attacks.

10
Q

** Your company has recently started adopting formal Security policies to comply with several state regulations. One of the Security policies states that certain hardware is vital to the organization. As part of this Security policy, you must ensure that you have the required number of components plus one extra to plug into any system in case of a failure. Which strategy is this policy demonstrating?

Cold Site
Fault Tolerance
Clustering
Server Redundancy

A

Fault Tolerance

Explanation:
Fault tolerance ensures that you have the required number of components plus one extra to plug into any system in case of failure.

Clustering is the process of providing failover capabilities for servers by using multiple servers together. A cluster consists of several servers providing the same services. If one server in the cluster fails, the other servers will continue to operate.

A cold site for disaster recovery includes a basic room with raised flooring, electrical wiring, air conditioning, and telecommunications lines. To properly test disaster recovery procedures at the cold site, alternate telecommunications and computer equipment would need to be set up and configured.

Server redundancy ensures that each server has another server that can operate in its place should the original server fail. Clustering is a form of server redundancy.

As part of any disaster recovery plan, security professionals should ensure that the organization covers the following geographic considerations:

Off-site backups – This ensures that copies of backups are stored off-site in case the primary site is affected by a disaster.

Distance – This ensures that the off-site storage or restoration location is far enough away from the primary site that it is not affected by the same disaster as the primary site.

Location selection – This ensures that a location is assessed to ensure that it is the best location for a backup site. For example, you would want to ensure that the appropriate physical controls are in place to ensure that your backups are protected.

Legal implications – This ensures that any legal implications regarding the off-site storage of data are considered. An organization may be under regulations that prevent certain sites or geographic locations from being used.

Data sovereignty – This ensures that the data is subject to the laws of the location where it is stored. For some organizations, compliance with multiple data sovereignty laws may be necessary.

11
Q

** You are performing a qualitative Risk Analysis by having experts fill out anonymous questionnaires. Which method are you using?

Pareto Principle
Monte Carlo
Delphi Technique
Decision Tree

A

Delphi Technique

Explanation:
In the Delphi technique, experts fill out anonymous questionnaires, which keeps one or more experts from dominating the discussion.

The Pareto principle is not a method. It is a principle that states that 80% of consequences come from 20% of the causes.

Monte Carlo analysis is a risk management technique, which project managers use to estimate the impacts of various risks on the project cost and project timeline. It does not have experts fill out anonymous questionnaires.

A decision tree is a decision support tool that uses a tree-like model of decisions and their possible consequences. It does not involve experts filling out anonymous questionnaires.

12
Q

** You are researching the RSA Encryption algorithm. You need to provide some basic facts about this algorithm to your organization’s management team so they can decide if they want to implement it on the organization’s Network. Which statement is NOT true of this algorithm?

RSA provides both Encryption and Authentication.

An RSA algorithm is an example of symmetric cryptography.

RSA can prevent Man-in-the-Middle attacks.

RSA uses Public and Private Key signatures for integrity verification.

RSA Encryption algorithms do not deal with discrete logarithms.

A

An RSA algorithm is an example of symmetric cryptography.

Explanation:
RSA is an example of asymmetric cryptography, not symmetric cryptography.

RSA can prevent man-in-the-middle attacks by providing authentication before the exchange of public and private keys. A man-in-the-middle attack is a threat to all asymmetric encryption communications.

RSA does not deal with discrete logarithms. The security provided by RSA is based on the use of large prime numbers for encryption and decryption. It is difficult to factor large prime numbers. Therefore, it is difficult to break the encryption. RSA requires higher processing power due to the factorability of numbers but ensures efficient key management.

RSA is used as the worldwide de facto standard for digital signatures. RSA is a public key algorithm that provides both encryption and authentication. RSA uses public and private key signatures for integrity verification. With public key cryptography, the key is securely passed to the receiving machine. Therefore, public key cryptography is preferred to secure fax messages. When creating a public/private key pair, the RSA algorithm would need a user to specify the key strength.

13
Q

** Your company needs to protect message integrity. Management decides that you need to implement an algorithm that uses 160-bit checksums. Which algorithm should you implement?

SHA
MD5
AES
DES

A

SHA (Secure Hashing Algorithm)

Explanation:
SHA = 160-bit checksums

AES = 128-bit, 192-bit, and 256-bit Encryption Keys

MD5 = 128-bit checksums

DES = 56-bit Encryption Keys

14
Q

** You are designing Security for a new e-commerce Website. You know that you will use HTTPS as the browser protocol. The legal team has asked you to validate using the name of the responsible legal entity in the Certificate, to supply other validation parameters, and to provide a higher level of trust than domain validation. Which certificate would you use?

Extended Validation Certificate
Machine/Computer Certificates
Root Certificates
Email Certificates

A

Extended Validation Certificates

Explanation:
Extended validation certificates, as the name suggests, provide additional validation for HTTPS web sites. The certificate provides the name of the legal entity responsible for the web site. These certificates require the most effort by the CA to validate and provide a higher level of trust than domain validation because they are validated using more than the domain information.

Machine/computer certificates are assigned to a designated machine. During authentication, the computer (or machine) requesting access must supply the certificate assigned to it. Email certificates are used to secure email. One such example is Secure Multipurpose Internet Mail Extensions (S/MIME), which provides a digital “signature” for that email. Root certificates define the root CA and validate all other certificates issued by that CA. They are at the top of the CA hierarchy. They are self-signed and are closely guarded.

You should also be familiar with wildcard certificates, SAN fields, code signing certificates, user certificates, self-signed certificates, root certificates, and domain validation certificates.

Wildcard certificates allow you to create a certificate in a domain and use that same certificate for multiple subdomains. For example, if you had mail.mysite.com, ftp.mysite.com, and www.mysite.com, you could issue a wildcard certificate for mysite.com, and have it cover all the subdomains. Without the wildcard certificate, you would have to issue a certificate for each subdomain. Subject Alternative Name (SAN) is a field in the certificate definition that allows you to stipulate additional information, such as an IP address or host name, associated with the certificate. Code signing certificates are used for code that is distributed over the Internet, including programs or applications. Code signing certificates verify the code’s origin and help the user trust that the claimed sender is indeed the originator.

Self-signed certificates are digitally signed by the user. This is often provided by Microsoft Internet Information Services (IIS). The self-signed certificate will transmit a public key, but that key will be rejected by browsers. User certificates are assigned to individual users, much like machine/computer certificates are assigned to individual machines. Users must provide their assigned certificate for authentication prior to accessing certain resources. Root certificates define the root CA and validate all other certificates issued by that CA. They are at the top of the CA hierarchy. They are self-signed and are closely guarded.

Domain validation certificates are very common. They are low-cost and are often used by web admins to offer TLS to a domain. They are validated using only the domain name.

15
Q

** Which of the following sources would provide a Threat Hunter with the most recent software and other Security Vulnerabilities discovered over the past week?

DHS Automated Indicator Sharing Database
US Cert Bulletin
Microsoft Security Response Center Blog
FBI InfraGard Portal

A

US Cert Bulletin

Explanation:
The US CERT Bulletin is a major threat feed used in the security world. Created and maintained by CISA, it uses weekly bulletins to provide summaries of new vulnerabilities and possible patch options if and when they become available.

None of the other options provides the most recent software and other security vulnerabilities discovered over the past week.

The Department of Homeland Security (DHS) maintains the free Automated Indicator Sharing (AIS) program that allows organizations to share and obtain machine-comprehensible defensive measures and cyber threat indicators, allowing monitoring and defense of their networks against known threats.

FBI InfraGard is a partnership between the FBI and members of the private sector in the shared concern for the protection of U.S. Critical Infrastructure. Through unified collaboration, InfraGard connects owners and operators within critical infrastructure with the FBI, to provide education, information sharing, networking, and workshops on emerging technologies and threats that are developing within the US and around the world.

The Microsoft Security Response Center Blog is created and maintained by Microsoft to help keep up with the ever-evolving threats and better safeguard customers against malicious attacks through timely security updates and authoritative assistance.

16
Q

** You discover that a malicious program has been installed on several host computers on your Network. This program’s execution was remotely triggered. Of what is this an example?

Virus
Botnet
Trapdoor
Worm

A

Botnet

Explanation:
A botnet is formed when a malicious program is installed on several host computers and is remotely triggered. For example, a hacker might install a malicious program on the computers on a network to form a botnet and then remotely trigger the botnet to cause a flood of network traffic. The infected computers then act as “zombies” by performing malicious acts on behalf of the perpetrator. Botnets result in distributed denial-of-service (DDoS) attacks. A good sign that a computer has become part of a botnet is if the browser behaves erratically, performance is slow, and hundreds of outbound connections exist. The most likely cause of a single computer communicating with an unknown IRC server and scanning other systems on the network is that the computer is infected with a botnet.

If a computer has been compromised with a botnet, you should shut down the computer. However, keep in mind that the memory, network processes, and system processes will be unavailable for later investigation once the computer is shut down. So, you may need to ensure that the contents of these are captured before shutting the computer down.

A trapdoor is an unreported method for entering a program. A trapdoor is typically created to debug a program, but sometimes hackers can find ways to exploit trapdoors for malicious purposes. A virus is a program that copies itself to files on a computer. A worm is a program that spreads itself through network connections. The main difference between a virus and a worm is that a worm is self-replicating.

17
Q

** You have been hired as a Security consultant for a large corporation. During a meeting with the IT department, the IT manager indicates that one of their applications uses a Private Key Encryption standard that was developed in Russia and uses 256-bit Encryption Keys. Which Encryption standard does this application use?

RC5
GOST
CAST-128
IDEA

A

GOST

Explanation:
GOST is a Russian private key encryption standard that uses a 256-bit encryption key. GOST was developed as a counter to the Data Encryption Standard (DES).

CAST-128 is a private key encryption standard that is used in Pretty Good Privacy (PGP). International Data Encryption Algorithm (IDEA) is a private key encryption standard that was developed in Switzerland. IDEA is used in PGP and uses 128-bit encryption keys. RC5 is a private key encryption standard that was developed at the Massachusetts Institute of Technology. RC5 supports variable length encryption keys.

18
Q

** You are evaluating several biometric authentication systems. Which is the BEST metric to use to quantify the effectiveness of the subject system?

FAR
CER
HOTP
FRR

A

CER (Crossover Error Rate)

Explanation:
Crossover error rate (CER) is the point where the false acceptance rate (FAR) and the false rejection rate (FRR) are equal. Generally, a lower CER value indicates a more accurate system. CER is primarily used to compare biometric authentication systems.

False acceptance rate (FAR) is one way to measure the accuracy of a biometric authentication system. It measures how likely it would be that an unauthorized user is granted access to the system. Expressed as a ratio, it is the number of unauthorized users who were incorrectly allowed access to the protected system divided by the number of authentication attempts. A false acceptance can occur, for example, when an unauthorized individual with a dirty finger uses a fingerprint reader and is allowed access to the system. This could happen because the system was not precise enough when matching the authorized user.

By contrast, false rejection rate (FRR) measures how likely it would be that an authorized user is denied access to the system. It is also expressed as a ratio, calculated as the number of authorized users who were denied access to the protected system divided by the number of authentication attempts. False rejections can occur if the system settings are too precise, or if users are not trained properly on biometric login procedures.

HOTP and TOTP are two types of one-time passwords, i.e., they can only be used once. Hashed One Time Passwords (HOTP) are secure passwords used with hardware tokens. Time-based One Time Passwords (TOTP) are issued for a specific period of time. Once used, or once the time expires, the TOTP is no longer valid. As an example of a TOTP, a user forgets a password to a website. When the user clicks the “Forgot Password” link, the website would send a new temporary password to the user but would limit how long the temporary password would be valid. Other considerations include ABAC, proximity cards, smartcards, tokens, CAC, PIV, and file security.

Attribute-based access control (ABAC) goes beyond authentication based on username and password. It evaluates other factors, such as time of day and location of logons. ABAC would also be invoked if a user has read access to files but is attempting to edit or delete files remotely.

Smartcards have permissions and access information stored on the card. The greatest concern with smart cards is theft. Once stolen, the thief can use the card in the same manner as the rightful owner. As an example, if the user has access to a highly secure area by using the smartcard, a thief will have the same access when using the stolen card.

Proximity cards are a type of smartcard that incorporate Radio Frequency Identification (RFID) chips. These chips contain authentication information and transmit over a very short range. When the authentication device is within range of the proximity card, and the information transmitted is correct, authentication is granted.

Hardware tokens (or physical tokens) include such physical devices as wireless key cards, key fobs, and smart cards. Software tokens are a component of two-factor authentication systems. They are usually embedded on a device and used to authenticate the user.

A common access card (CAC) is a smart card issued by the Department of Defense (DoD) to military personnel and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login.

A personal identity verification (PIV) smart card is issued to non-military federal employees and contractors. They incorporate a picture, integrated chip, two bar codes and a magnetic strip. They can be used for visual identification and for login.

File system security should always be set to only allow what is absolutely essential for the user to do their job. This is also known as the principle of least privilege.

19
Q

** Management has asked you to implement MD5 to verify data integrity. However, you are concerned that MD5 is not strong enough. Which size checksum does this algorithm produce?

16-bit
56-bit
256-bit
128-bit

A

128-bit

Explanation:
MD5 = 128-bit
SHA = 160-bit
AES = 128-bit, 192-bit, 256-bit
DES = 56-bit

The MD5 algorithm produces 128-bit checksums to verify integrity of data from a remote user. When you are given the MD5 hash for a file, you can verify that the file has not been tampered with. MD5 derives the hashing function for the challenge response of the Challenge Handshake Authentication Protocol (CHAP). MD5 is a hashing algorithm. If the MD5 hash values of a file do not match, the file has been compromised. You should discard the compromised file. When two completely different files produce the same hash values, this is referred to as a collision. When using Secure Sockets Layer (SSL) to download a file for which you have the MD5 hash, you cannot verify the MD5 hash until after the file is downloaded.

Data Encryption Standard (DES) uses 56-bit encryption keys. Secure Hashing Algorithm (SHA) produces 160-bit checksums. Advanced Encryption Standard (AES) uses 128-bit, 192-bit, and 256-bit encryption keys.

All algorithms are ciphers. Some ciphers are stronger than others. You must consider strong versus weak ciphers and how they will affect your organization. Depending on your organizational needs, you may need to select a weaker cipher for performance reasons. As a security professional, you should ensure that you fully research any ciphers you consider and understand the advantages and disadvantages of each cipher.

20
Q

** Your company has decided to implement a Biometric System to ensure that only authorized personnel are able to access several secure areas at the facility. However, management is concerned that users will have privacy concerns when the Biometric System is implemented. You have been asked to recommend the Least Intrusive Biometric System of the listed options. Which option is considered Least Intrusive?

Retinal Scan
Voice Print
Iris Scan
Fingerprint

A

Voice Print

Explanation:
A voice print is considered less intrusive than the other options given. A voice recognition scanner is used to capture a voice print.

Retinal scanners and iris scanners are used to scan the retina and iris, respectively. A fingerprint scanner is used to scan a fingerprint. Both an iris scan and a retinal scan are considered more intrusive because of the way in which the scan is completed. Most people are reluctant to have a scanner read any eye geometrics. A fingerprint scanner is used to scan a fingerprint. A fingerprint scan is more intrusive than a voice print. Most people are reluctant to give their fingerprints because fingerprints can be used by law enforcement. A voice print is very easy to obtain. Its primary purpose is to distinguish a person’s manner of speaking and voice patterns. Voice print systems are easy to implement compared to some other biometric methods. Voice prints are usually reliable and flexible.

A facial recognition scanner is used to scan facial characteristics. A facial scan is based on an individual’s bone structure, nose ridge, eye width, forehead structure, and chin shape.

21
Q

** Recently, several confidential messages from your company have been intercepted. Your company has decided to implement PGP to encrypt files. Which type of model does this encryption use?

Ring
Web
Bus
Hierarchy

A

Web

Explanation:
Pretty Good Privacy (PGP) uses a web of trust to validate public key pairs. In a web of trust model, users sign their own key pairs. If a user wants to receive a file encrypted with PGP, the user must first supply the public key. In a public key infrastructure (PKI), certification authorities (CAs) are arranged in a hierarchy and sign public key pairs. Many older Ethernet networks used a bus model for their physical architecture. In a bus network, all computers on a network are connected to a central bus cable. A ring model is used to wire computers in token ring networks. In a ring network, all computers are connected to a physical ring of cable.

Bus and ring are types of networks. Hierarchy is not used by PGP. It can be used in a public key infrastructure (PKI).

GNU Privacy Guard (GPG) is an alternative to the PGP suite of cryptographic software. It uses a combination of conventional symmetric-key cryptography for speed, and public-key cryptography for ease of secure key exchange. GnuPG currently supports the following algorithms:
- Pubkey: RSA, ElGamal, DSA
- Cipher: IDEA (from 1.4.13/2.0.20), 3DES, CAST5, Blowfish, AES-128, AES-192, AES-256, Twofish, Camellia-128, Camellia-192, Camellia-256 (from 1.4.10/2.0.12)
- Hash: MD5, SHA-1, RIPEMD-160, SHA-256, SHA-384, SHA-512, SHA-224

22
Q

** Your organization is using a STIX/TAXII client to review cyber threat indicators provided by an ISAC. What is the MOST likely source of this information?

Closed-source Intelligence
OSINT
AIS
IoC

A

AIS (Automated Indicator Sharing)

Explanation:
Automated Indicator Sharing (AIS) is a feed of threat indicators and defensive measures provided to the public by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Users can access it directly through CISA or indirectly through a third-party service.

Structured Threat Information Expression (STIX) defines a common language for discussing threat intelligence and serializes it into a coherent format.

OSINT is freely contributed by various non-profit groups and for-profit sources, including large corporations, and is available in a variety of formats, including comma-delimited files (.csv), HTML, and text files (.txt).

Note: OSINT is also the term for a hacker reconnaissance wherein an attacker scans your public information, like websites and social media, to find possible weak points. CompTIA defines OSINT as a threat intelligence source.

Indicators of compromise (IoCs) are the digital signs left in the wake of an attack, such as altered registry keys and file signatures. IoCs are contained in threat feeds, whether they come from closed or open sources.

23
Q

** You are comparing cryptographic solutions to implement at your organization. Which two items should you focus on when you are evaluating implementation versus algorithm selection? (Choose TWO)

Crypto Modules
Security Through Obscurity
Key Strength
Crypto Service Providers
Key Stretching

A

Crypto Modules
Crypto Service Providers

Explanation:
You should focus on crypto service providers and crypto modules when you are evaluating implementation versus algorithm selection. Crypto service providers should be able to answer questions regarding which algorithm(s) they use to generate keys and how they store keys. Crypto service providers are parties that provide cryptographic services. An example is Active Directory Certificate Services from Microsoft.

You should select crypto modules to match the type of data to be protected and the equipment on which the module will be deployed. For example, a module for a mobile device should not consume a substantial amount of processing power or battery life. An example is Microsoft Kernel Mode Cryptographic Module. None of the other options are factors that would affect the decision when evaluating a cryptographic solution based on implementation versus algorithm selection.

Key stretching takes a weak key and makes it stronger by adding additional characters. Often, a password is hashed, and a salt is used to make the password stronger. Salting is a form of key stretching.

Security through obscurity is the false confidence that the secret design or implementation is going to be sufficient to provide system safeguards. Often, the system is not all that secure, and the hope is that because no one knows about it, you are therefore protected. Key strength should reflect the sensitivity of the data it protects. Generally, as the need to secure the data increases, so should the strength of the key. Longer keys require more processing power (and time) to break.

24
Q

** You have just installed a new FTP Server, but you do not know what information the FTP Server is transmitting when a user initially connects to it. Which tool could you use to discover that information, and consequently know what information an attacker could exploit?

Passive Scanner
Active Scanner
Backup Utilities
Banner Grabbing

A

Banner Grabbing

Explanation:
A network administrator can use banner grabbing to identify the information an attacker would see and then address that exposure. Banner grabbing captures the banner text that a server or host sends when a connection is made. The banner includes OS information and, in the case of a web server, perhaps basic configuration information. An attacker can then exploit that information.

Backup utilities are critical components of network security. Whatever utility you deploy should allow for secure automation.

Passive scanners do not directly interact with the network. An example would be scanning a company’s website. Active scanners use tools like Nessus and Microsoft Baseline Security Analyzer that analyze the network itself. When comparing passive scans to active, passive scans are indirect, typically looking at sites that provide information, and active scans look at the actual network equipment. An active scan is also considered an intrusive scan, and usually provides more meaningful results.

25
Q

** Which two suppression methods are recommended when paper, laminates, and wooden furniture are the elements of a fire in the facility? (Choose TWO)

Water
Soda Acid
Dry Powder
Halon

A

Water
Soda Acid

Explanation:
Water or soda acid should be used to suppress a fire that has wood products, laminates, and paper as its elements. The suppression method should be based on the type of fire in the facility. The suppression substance should interfere with the elements of the fire. For example, soda acid removes the fuel while water reduces the temperature. Both water and soda acid are used to extinguish class A fires.

Electrical wiring and distribution boxes are the most probable cause of fires in data centers. Class C fire suppression agents, such as halon or carbon dioxide, are used when the fire involves electrical equipment and wires. They can also be used to suppress Class B fires that include liquids, such as petroleum products and coolants.

The production of halon gas was banned by the Montreal Protocol in 1987. Halon causes damage to the ozone layer and is harmful to humans. The treaty requires vendors who already have halon extinguishers to get the extinguishers refilled with replacements, such as FM-200, approved by the Environmental Protection Agency (EPA). Carbon dioxide, also used to extinguish class B and C fires, eliminates oxygen. Carbon dioxide is harmful to humans and should be used only in unattended facilities.

Dry powder is a suppression method for a fire that has magnesium, sodium, and potassium as its elements. Dry powder extinguishes class D fires. Although dry powder can also suppress Class B and C fires, companies commonly use other forms of suppression for Class B and C fires. The only suppression method for combustible metals is dry powder.

26
Q

** Choose the STEPS that belong in the Information Life Cycle and place them in the Correct order?

Options:
Use
Legal Hold
Delete/Dispose
Acquire/Collect

A

Acquire/Collect
Use
Delete/Dispose

Explanation:
Legal Hold refers to an exceptional step that is taken after evidence is collected for a criminal investigation. It is NOT a standard component of the Data Life Cycle.

Data Life Cycle Steps:
- Acquire - Obtaining or Creating Data
- Store - Storing the Data in a Secure Location.
- Use - Reading/Editing the Data
- Share - Transmitting Data
- Archive - Backing Up the Data in a Secure manner.
- Dispose - Erasing, Deleting, Destroying the Data.

27
Q

** After a recent Security Audit, several Security issues were found. The Auditor made suggestions on technologies that your organization should deploy. One of the suggestions made is to deploy SKIP. Which statement is true of SKIP?

SKIP works on a response-by-session basis.
SKIP deploys IKE for key distribution management.
SKIP is only a key storage protocol.
SKIP is a key distribution protocol.

A

SKIP is a key distribution protocol (Simple Key Internet Protocol)

Explanation:
Simple Key management protocol for Internet Protocols (SKIP) is a key management and distribution protocol used for secure IP communication, such as Internet Protocol Security (IPSec). SKIP uses hybrid encryption to convey session keys. These session keys are used to encrypt data in IP packets. SKIP uses a key exchange algorithm, such as the Diffie-Hellman algorithm, to generate a key-encrypting key that will be used between two parties. A session key is used with a symmetric algorithm to encrypt data. SKIP is not a key storage protocol. It is a key distribution and management protocol similar to Internet Key Exchange (IKE). SKIP works on a session-by-session basis, although it does not require prior communication for the establishment of sessions. SKIP employs encryption standards, such as Data Encryption Standard (DES) and Triple DES (3DES), to provide secure communication.

SKIP does not deploy IKE for key distribution and management. IKE is a separate framework used to securely exchange keys to establish an IPSec session.

Key exchange can occur either in band or out of band. In-band key exchange occurs over the same transmission media that is used by data and voice transmissions. Out-of-band exchange occurs outside the data and voice transmission media. In-band key exchange is less secure than out-of-band key exchange.

28
Q

** What is the purpose of the MITRE ATT&CK framework?

Identify and Exploit system vulnerabilities using an attacker mindset.
Identify and stop Advanced Persistent Threats (APT) before data exfiltration.
Respond to tactics and techniques found in real-world attacks.
Patch the most critical software vulnerabilities found by experts.

A

Respond to tactics and techniques found in real-world attacks.

Explanation:
The purpose of the MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework is to learn how to respond to tactics and techniques found in real-world attacks. The Open Web Application Security Project (OWASP) Top 10 is meant for patching the most critical software vulnerabilities found by experts, some of which have yet to be exploited in the wild. The purpose of the Cyber Kill Chain is to identify and stop advanced persistent threats (APTs) before data is exfiltrated. In penetration testing, the goal is to identify and exploit system vulnerabilities using an attacker mindset.

29
Q

** Which research source can help in discovering new vulnerabilities and potential threats in existing Internet standards?

STIX
TAXII
TTPs
RFCs

A

RFCs (Request for Comments)

Explanation:
A Request for Comments (RFC) is a numbered document, which includes appraisals, descriptions, and definitions of online protocols, concepts, methods, and programs. RFCs are administered by the IETF (Internet Engineering Task Force). RFCs are published when a new technology is accepted as an Internet standard, and they become useful when discovering new vulnerabilities and potential threats in existing Internet standards.

TTP stands for tactics, techniques, and procedures, and is a concept that is used to identify patterns of behavior which can be employed to defend against certain strategies and threat vectors utilized by malicious actors. TTP is not solely concerned with existing Internet standards.

Structured Threat Information Expression (STIX) defines a common language for discussing threat intelligence and serializes it into a coherent format. TAXII stands for Trusted Automated Exchange of Indicator Information and was designed specifically to support STIX information by defining how cyber threat information can be shared via services and message exchanges. STIX and TAXII are not solely concerned with existing Internet standards.

30
Q

** Several users on your Network have complained about computer responsiveness, failing connections to common Websites, and some corporate application failures. Based on this pattern of complaints, you suspect a widespread malware infection. After determining the scope of the problem and isolating compromised systems, you are required to determine if any data was breached. Which log files should you investigate to determine if this malware has exfiltrated data?

DNS Logs
SMTP Logs
SSH Logs
SQL Logs

A

DNS Logs (Domain Name System)

Explanation:
A great deal of security knowledge can be discovered from within the logs of your organization’s internal DNS servers. It also helps to monitor the outbound DNS queries on your network. This potential wealth of information can help you find potentially compromised hosts on the network by searching for queries that are abnormal or known to be malicious.

An adversary may find that an internal DNS server is an attractive channel for performing malicious activities such as network reconnaissance, communication with command and control servers, data transfers out of the network, or malware downloads that are capable of all of these. Consequently, it is critical that DNS traffic be monitored for proper threat protection.

31
Q

** Your company has recently implemented a content inspection application on a perimeter Firewall. What is the purpose of content inspection?

to identify and block unwanted messages.
to filter and forward Web content anonymously.
to distribute the workload across multiple devices.
to search for malicious code or behavior.

A

to search for malicious code or behavior.

Explanation:
The purpose of content inspection is to search for malicious code or suspicious behavior.

The purpose of load balancing is to distribute the workload across multiple devices. Often DNS servers are load balanced to ensure that DNS clients can obtain DNS information as needed. Other services are load balanced as well. Load balancers optimize and distribute data workloads across multiple computers or networks.

The purpose of an Internet or Web proxy is to filter and forward Web content anonymously.

The purpose of a spam filter is to identify and block unwanted messages. Spam filters should be configured to prevent employees from receiving unsolicited e-mail messages.

Another type of hardware that is similar to a spam filter is an all-in-one security appliance. This device filters all types of malicious, wasteful, or otherwise unwanted traffic.

Many all-in-one security appliances include a component that performs content inspection and malware inspection. These appliances usually also include a URL filter feature that allows administrators to block and allow certain Websites. For example, the URL filter in an all-in-one security appliance could be configured to restrict access to peer-to-peer file sharing Websites.

32
Q

** You need to include some additional information in the certificate definition. Specifically, you would like to include the Host Name associated with the Certificate. Which of the following would provide a solution?

Extended Validation Certificate
Domain Validation Certificate
Machine/Computer Certificate
SAN

A

SAN (Subject Alternate Name)

Explanation:
A Subject Alternative Name (SAN) is a field in the certificate definition that allows you to stipulate additional information, such as an IP address or host name, associated with the certificate. Machine/computer certificates are assigned to a designated machine. During authentication, the computer (or machine) requesting access must supply the certificate assigned to it. These certificates do not always include host name information.

Domain validation certificates are very common. They are low-cost and are often used by web admins to offer TLS to a domain. They are validated using only the domain name. However, they do not allow you to configure alternate information in the certificate. These certificates do not always include host name information.

Extended validation certificates, as the name suggests, provide additional validation for HTTPS web sites. The certificate provides the name of the legal entity responsible for the web site. These certificates require the most effort by the CA to validate and provide a higher level of trust than domain validation because they are validated using more than the domain information, including the host name.

You should also be familiar with email certificates, code signing certificates, user certificates, and root certificates.

User certificates are assigned to individual users, much like machine/computer certificates are assigned to individual machines. Users must provide their assigned certificate for authentication prior to accessing certain resources. Email certificates are used to secure email. One such example is Secure Multipurpose Internet Mail Extensions (S/MIME), which provides a digital “signature” for that email. Code signing certificates are used for code that is distributed over the Internet, including programs or applications. Code signing certificates verify the code’s origin and help the user trust that the claimed sender is indeed the originator.

Root certificates define the root CA and validate all other certificates issued by that CA. They are at the top of the CA hierarchy. They are self-signed and are closely guarded.

33
Q

** You are explaining to a new employee the proper process of Evidence Collection. As part of this explanation, you need to ensure that the new employee understands the Evidence Life Cycle. Put the steps in the Evidence Life Cycle in the correct order, starting with the first step at the top.

Analyze
Collect
Present
Return
Store

A

Collect
Analyze
Store
Present
Return

34
Q

** Which cryptographic technique changes multiple output bits when you change a single input bit?

Salting
IV
Confusion
Diffusion

A

Diffusion

Explanation:
Diffusion is the cryptographic technique whereby a change of a single input bit results in a change of multiple output bits. Confusion is the technique where the relationship between the components of the message – the plain text, the key used, and the cipher text – is difficult to see. As a contrast, with ROT13, it is very easy to see the relationship between the components.

Salting is a countermeasure to protect against rainbow table attacks. With salting, additional bits are added before the text is hashed. For example, if the password is “OpenSesame,” salting will add additional characters prior to the hash, such as “Open00Salt99,” which changes the hash value of the password. When the rainbow table searches for a password that matches “OpenSesame,” the hash value will not match.

An initialization vector (IV) is a number that is used once (nonce). As an example of this technique, assume that one portion of a cryptographic key was encrypted with RC4, and another portion included the IV. In the event the RC4 portion of the key was cracked, the IV that is used only once would protect the message from unauthorized decryption. Weak or deprecated algorithms are to be avoided. Wired Equivalent Privacy (WEP), for example, is now considered a weak encryption algorithm, as well as Data Encryption Standard (DES).

35
Q

** You need to incorporate SAML and SSO into a Web Application. Which of the following would you use?

OAuth
OpenID Connect
id_token
Shibboleth

A

Shibboleth

Explanation:
Shibboleth uses Security Assertion Markup Language (SAML), which defines security authorizations on web pages as opposed to web page elements in HTML. Shibboleth is a single sign-on (SSO) system that uses an identity provider and a service provider.

OAuth is Open Authorization. The current standard, OAuth 2.0, grants an application limited access to a user’s account on a third-party site, such as Facebook or Twitter. OAuth could grant the application access to a friend’s list or give the application the ability to post on the user’s behalf.

OpenID Connect provides the authentication necessary in OAuth. It authenticates the user and stores the user information in a token. OAuth does not work with SAML.

A secure token contains the user information and authentication information used by OpenID.

36
Q

A huge customer data breach occurred at a retail store. It originated from the store’s Point-of-Sale system contractor, who did not have adequate malware protection. Which Risk Mitigation concept could the store have implemented to avoid the breach?

Risk Response Techniques
Supply Chain Assessment
Likelihood of Occurrence
Risk Register

A

Supply Chain Assessment

Explanation:
Supply chain assessment might have stopped the store’s data breach. The breach was initiated with the failure of a contractor to have adequate anti-malware protection. Supply chain assessment would include verifying that vendors and contractors have adequate safeguards in place before they can access your network.

A risk register is a scatter graph of problem areas identified in a business impact analysis.

Risk response techniques include avoidance, transference, mitigation, and acceptance.

Analyzing the likelihood of occurrence compares the potential threat with the probability that the threat will occur.

37
Q

What preserves the existence and integrity of relevant electronic records (and paper records) when litigation is imminent?

Legal Hold
Chain of Custody
Data Sovereignty
Incident Response Plan

A

Legal Hold

Explanation:
Legal hold is the term for the preservation of information relevant to an impending lawsuit. Personnel will be instructed not to destroy or alter information relating to the topic of the lawsuit.

Chain of custody deals with how the evidence is handled once it has been collected and guarantees the identity and integrity of the evidence from the collection stage to its presentation in the court of law. There should be a log of who has had custody of the evidence, where it has been, and who has seen it. Active logging should also be used to document access to the evidence, including photographic or video records, showing the manner in which the evidence is secured. Preserving data for a legal hold just ensures that data is retained for the appropriate period and has nothing to do with chain of custody, although chain of custody is vital to preserving evidence.

An incident response plan describes how to respond to various types of security incidents. Incident response plans provide details on how to preserve data and logs related to an incident. Data sovereignty means that the data is subject to the laws of the location where it is stored. Different countries may differ in their laws for preserving the existence and integrity of records prior to litigation.

38
Q

You are working on a new Security system for a US Military installation that is only accessed by Military personnel. Which Certificate-based Authentication system should you integrate?

CAC
Hardware Tokens
Proximity Card
PIV

A

CAC (Common Access Card)

Explanation:
A Common Access Card (CAC) is a certificate-based smart card issued by the Department of Defense (DoD) to military personnel and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login.

None of the other options are implemented by the U.S. military.

Proximity cards are a type of smartcard that incorporate Radio Frequency Identification (RFID) chips. These chips contain authentication information and transmit over a very short range. When the authentication device is within range of the proximity card, and the information transmitted is correct, authentication is granted. A Personal Identity Verification (PIV) card is a certificate-based smart card issued to non-military federal employees and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login.

Hardware tokens (or physical tokens) include such physical devices as wireless key cards, key fobs, and smart cards. Smartcards have permissions and access information stored on the card. The greatest concern with smart cards is theft. Once stolen, the thief can use the card in the same manner as the rightful owner. As an example, if the user has access to a highly secure area by using the smartcard, a thief will have the same access when using the stolen card. Software tokens are a component of two-factor authentication systems. They are usually embedded on a device and used to authenticate the user.

39
Q

E-commerce payment systems, like PayPal and Google Checkout, allow the user to use a single identity across multiple platforms. Of which identity and access service is that an example?

Biometrics
Transitive Trust
Keyboard Cadence
Federation

A

Federation

Explanation:
Federation, or federated identity, is the ability of a user to use a single identity across multiple businesses or networks. Federation differs from single sign-on, where a user has one password that grants access to all the permitted network resources. Federation relies on trust relationships that are established between the different businesses or networks. Another example of federated identity is allowing Microsoft users to sign into cloud services using their on-premises Active Directory domain credentials.

A transitive trust involves creating relationships between domains to grant authenticated users access to other domains. In Active Directory, for example, if the Sales domain trusts the Marketing domain, and the Marketing domain trusts the HR domain, then Sales trusts the HR domain through a transitive relationship. Transitive trusts are established within a single organization or between private organizations. PayPal and Google Checkout do not use transitive trusts.

Biometrics and keyboard cadence are both factors used in multi-factor authentication. Biometrics is something you are. Fingerprints, voiceprints, retina scans, and iris scans are all examples of biometrics. Keyboard cadence is an example of something you do. When the user enters a new password, the keystroke timing (cadence) is recorded as a signature pattern. Authentication factors may be part of the process of authenticating your identity, but they have nothing to do with authorizing the identity to access multiple businesses or networks.

For the Security+ exam, you must understand the following authentication factors: something you are, something you have, and something you know. You also need to understand the following attributes: somewhere you are, something you exhibit, someone you know, and something you do.

Something you have is based on the user possessing some type of security device. These can include things such as smart cards, tokens, and key fobs. Something you know would be a password, a PIN, the name of a childhood sweetheart, the color of your first car, or the answer to a similar question.

40
Q

Management has asked that software developers take the appropriate actions to avoid Buffer Overflows. What is the BEST method to do so?

Perform a Check Digit
Run an Audit Trail
Perform a Reasonableness Check
Execute a Well-Written Program

A

Execute a Well-Written Program

Explanation:
A well-written program is the best method to prevent buffer overflow errors. A buffer overflow occurs when the input data is longer than the length the processor's buffers can handle. Buffer overflows are caused when input data is not verified for appropriate length at the time of input. Buffer overflow and boundary condition errors are examples of input validation errors.

Audit trails and file integrity checks are examples of security controls in a trusted application system. Security controls cannot control buffer overflow, but can assist in monitoring unauthorized activity on either an application or a system.

A check digit, also referred to as a checksum, provides data integrity by computing hash values. A checksum occurs when either a source application or a system uses a mathematical formula to compute a hash value against a standard input and sends the value to the destination. After receiving the data, the receiving application performs the same mathematical operation. If the hash values match, the data is considered acceptable. If the hash values do not match, the data is discarded. Check digits neither prevent nor detect buffer overflows.

A reasonableness check verifies whether the data within an application program lies within the predefined limits and format. For example, an application meant for processing numbers should not accept alphabetical characters as a valid input. Reasonableness checks monitor the data input format and not the buffer overflows.

41
Q

Users are complaining that the new Biometric identification system is difficult to use. They are saying that even though the initial logon worked fine, they have difficulty logging in later. In addition to user training, what should you investigate?

FAR
HOTP
FRR
CER

A

FRR (False Rejection Rate)

Explanation:
You should investigate the device’s FRR to determine its accuracy. False rejection rate (FRR) measures how likely it would be that an authorized user is denied access to the system. Expressed as a ratio, it is the number of authorized users who were denied access to the protected system divided by the number of authentication attempts. False rejections can occur if the system settings are too precise, or if users are not trained properly on biometric login procedures.

By contrast, false acceptance rate (FAR) measures how likely it would be that an unauthorized user is granted access to the system. Its ratio is the number of unauthorized users who were incorrectly allowed access to the protected system divided by the number of authentication attempts. FAR could happen because the system was not precise enough when matching the authorized user.

Crossover error rate (CER) is the point where FAR and FRR are equal. Generally, a lower CER value indicates a more accurate system. CER is primarily used to compare biometric authentication systems. HOTP/TOTP are two types of one-time passwords (i.e., they can only be used once). Hashed One Time Passwords (HOTP) are secure passwords used with hardware tokens. Time-based One Time Passwords (TOTP) are issued for a specific period of time. Once used, or once the time expires, the TOTP is no longer valid.

Other considerations include ABAC, proximity cards, smartcards, tokens, CAC, PIV, and file security.

Attribute-based access control (ABAC) goes beyond authentication based on username and password. It evaluates other factors, such as time of day and location of logons. Another aspect would be if a user has read access to files but is attempting to edit or delete files remotely.

Smartcards have permissions and access information stored on the card. The greatest concern with smart cards is theft. Once stolen, the thief can use the card in the same manner as the rightful owner. As an example, if the user has access to a highly secure area by using the smartcard, a thief will have the same access when using the stolen card.

Proximity cards are a type of smartcard that incorporate Radio Frequency Identification (RFID) chips. These chips contain authentication information and transmit over a very short range. When the authentication device is within range of the proximity card, and the information transmitted is correct, authentication is granted.

Hardware tokens (or physical tokens) include such physical devices as wireless key cards, key fobs, and smart cards. Software tokens are a component of two-factor authentication systems. They are usually embedded on a device and used to authenticate the user.

A Common Access Card (CAC) is a smart card issued by the Department of Defense (DoD) to military personnel and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login.

A Personal Identity Verification (PIV) smart card is issued to non-military federal employees and contractors. They incorporate a picture, integrated chip, two barcodes and a magnetic strip. They can be used for visual identification and for login.

File system security should always be set to only allow what is absolutely essential for the user to do their job. This is also known as the principle of least privilege.

42
Q

Which of these options is particularly dangerous because it processes data with little or no latency?

RTOs
SoC
Home Automation
Wearable Technology

A

RTOs (Real Time Operating Systems)

Explanation:
Real Time Operating Systems (RTOs) are particularly dangerous because they process data with little or no latency. They are susceptible to code injection, exploiting shared memory, priority inversion, DoS attacks, and attacks on inter-process communication.

While the other options are security risks, none processes data with little or no latency.

Home automation devices, such as smart thermostats, lighting systems, and refrigerators, are susceptible to security issues. The security concerns are the same as for industrial controls, just at the home level. Wearable technology devices are at risk. Most transmit via Wi-Fi or Bluetooth to a host device, and as such are subject to attack. In addition to being subject to attack, wearable devices such as voice recorders, video recorders, and hidden cameras can also be used for an attacker to gain information. System on a chip (SOC) is often found in smart phones. Checks should be incorporated that ensure the system only boots with trusted code and builds a root of trust (RoT).

43
Q

Your organization has asked the Security team to add terrorist attacks to the organization’s Business Continuity Plan. Which type of threat does this most likely represent?

Supply System Threat
Natural Environmental Threat
Internal Threat
Politically Motivated Threat

A

Politically Motivated Threat

Explanation:
A terrorist attack is most likely a politically motivated threat. A terrorist attack is usually an attack against a particular country by a group that opposes the political views of that country. Often, a particular group takes credit for a terrorist attack. Politically motivated threats include strikes, riots, civil disobedience, and terrorist attacks.

Natural environmental threats include floods, earthquakes, tornadoes, hurricanes, and extreme temperatures.

Supply system threats include power outages, communications interruptions, and water and gas interruption.

An internal threat is one that originates from within an organization. A terrorist attack is unlikely to be an internal threat.

A threat assessment is performed to identify the threats to an organization and its assets. Internal threats are those that originate from within the organization, and external threats are those that originate from outside the organization.

44
Q

Which Social Engineering Attack can be conducted without any prior knowledge of the target’s habits, job, or personal information?

Spear Phishing
Whaling
Invoice Scam
Reconnaissance

A

Reconnaissance

Explanation:
Reconnaissance does not require prior knowledge of the target. It helps the attacker gather information for a later attack. Remember that reconnaissance can mean visiting a target to observe security controls in person, but it also can refer to digital and remote intelligence gathering techniques.

Spear phishing is a type of phishing aimed at a specific user or group, and appears to come from a trusted source. Spear phishing requires some inside knowledge of the target, which the attacker can gather from reconnaissance, open-source intelligence (OSINT), or other social engineering attacks.

Whaling is a type of spear phishing aimed at high-profile targets, such as board members and CEOs.

An invoice scam involves sending a fake invoice (by mail or electronically) to an accounts payable department in the hopes that it will be paid without being verified. It requires knowledge of the target’s email address or physical address.

45
Q

Which general mechanism is used by Cloud consumers to limit Security exposure and running expenses?

Container Security
Secrets Management
Resource Policies
Resource Clustering

A

Resource Policies

Explanation:
Cloud service providers can provide users with access to resources via policies. There are two ways to do this: role-based policies or resource-based policies. You can use resource-based policies to provide access control where a user in a different cloud account can be granted access to a resource in your account. You can also use role-based policies, in which you assign a user to a role that has permission to use a resource.

Container security refers to the controls that apply to applications deployed to lightweight OS containers, while secrets management refers to the system used to control access to sensitive application data like keys and configuration settings.

Resource clustering describes how resources can be collected together to perform the same role in load balancing scenarios.

46
Q

As a Security professional, you have been asked to advise an organization on which access control model to use. You decide that Role-based Access Control (RBAC) is the best option for the organization. What are two advantages of implementing this access control model? (Choose TWO)

high Security environment
low Security cost
user friendly
discretionary in nature
easier to implement

A

low Security cost
easier to implement

Explanation:
Role-based access control (RBAC) has a low security cost because security is configured based on roles. For this reason, it is also easier to implement than the other access control models. During the information gathering stage of deploying an RBAC model, you will most likely need a matrix of job titles with their required access privileges.

RBAC is NOT the most user friendly option. Discretionary access control (DAC) is more user friendly than RBAC because it allows the data owner to determine user access rights. If a user needs access to a file, he only needs to contact the file owner.

RBAC is NOT discretionary in nature. DAC is discretionary, meaning access to objects is determined at the discretion of the owner.

RBAC is NOT a highly secure environment. Mandatory access control (MAC) is considered a highly secure environment because every subject and object is assigned a security label.

With RBAC, it is easy to enforce minimum privilege for general users. You would create the appropriate role, configure its permissions, and then add the users to the role. A role is defined based on the operations and tasks that the role should be granted. Roles are based on the structure of the organization and are usually hierarchical.

RBAC is a popular access control model used in commercial applications, especially large networked applications.

Rule-based access control is often confused with RBAC because their names are similar. With rule-based access control, access to resources is based on a set of rules. The user is given the permissions of the first rule that he matches.

47
Q

An employee has reported their mobile device was stolen. Which of the following MDM options provides the BEST confidentiality for a mobile device, if it is stolen?

Automated Screen Locking
Geofencing
Full Device Encryption
Remote Wiping

A

Full Device Encryption (FDE)

Explanation:
Utilizing full device encryption on mobile devices through Mobile Device Management (MDM) will best provide confidentiality if the device were to be stolen. Full device encryption ensures that the contents of the mobile device are encrypted. With more organizations moving to a mobile-first workforce, each and every mobile device contains a lot of confidential corporate data which needs to be secured from unauthorized access. Encryption is the most common way to secure the data present on the devices, whereby unauthorized usage of corporate data is restricted.

Another option to ensure that corporate data cannot be accessed by an unauthorized source is to adopt a remote wipe policy for mobile devices. A remote wipe or sanitization process erases all of the data on the mobile device in the event that the device is lost or stolen. However, it would not provide the BEST confidentiality because the data is only erased once the device manager is notified that the device is lost or stolen. The device would also need to be online.

Other security mechanisms used for mobile devices include screen locks, strong passwords, voice encryption, and GPS tracking. Screen locks prevent users from accessing the mobile device until a password or other factor is entered. Strong passwords ensure that mobile devices cannot be accessed unless the password is entered. They also ensure that the password is hard to discover using a password attack. Voice encryption ensures that conversations cannot be eavesdropped on. GPS tracking allows a mobile device to be located. However, GPS tracking can also be considered a security threat and is often disabled.

Geofencing can restrict a device's functionality to a confined geographic area, but if the device is stolen and moved outside of that area, its data would still be available to an attacker.

48
Q

You have been hired as a Security consultant for a new company named Verigon. Verigon needs guidance on which protocols to implement on the Network. Match each protocol option with the correct description.

Options:
Secure IMAP
SRTP
LDAPS
FTPS
SFTP

Descriptions:
File transfer over SSL
Secure Email
Secure Directory Services
File transfer over SSH
Secure Voice and Video

A

Secure IMAP – Secure Email
(Internet Mail Access Protocol)
Port 993

SRTP – Secure Voice and Video
(Secure Real Time Protocol)

LDAPS – Secure Directory Services
(Lightweight Directory Access Protocol Secure)
Port 636

FTPS – File transfer over SSL
(File Transfer Protocol Secure)
Port 989/990

SFTP – File transfer over SSH
(Secure File Transfer Protocol)
Port 22 - Secure Shell (SSH), Secure Copy (SCP)

49
Q

You are the Security administrator for an organization. Management decides that ALL communications on the Network should be Encrypted using the Data Encryption Standard (DES) or Triple DES (3DES) algorithm. Which statement is TRUE of these algorithms?

The effective key size of DES is 64 bits.

A Triple DES (3DES) algorithm uses 48 rounds of computation.

A DES algorithm uses 32 rounds of computation.

A 56-bit DES Encryption is 256 times more secure than a 40-bit DES Encryption.

A

A Triple DES (3DES) algorithm uses 48 rounds of computation.

Explanation:
A Triple DES (3DES) algorithm uses 48 rounds of computation. It offers high resistance to differential cryptanalysis because it uses so many rounds. The encryption and decryption process performed by 3DES takes longer due to the higher processing power required.

The actual key size of the Data Encryption Standard (DES) is 64 bits. A key size of 8 bits is used for a parity check. Therefore, the effective key size of DES is 56 bits.

The DES algorithm uses 16 rounds of computation. The order and the type of computations performed depend upon the value supplied to the algorithm through the cipher blocks.

According to the following calculation, a 56-bit DES encryption is 65,536 times more secure than a 40-bit DES encryption:

2^40 = 1,099,511,627,776 and 2^56 = 72,057,594,037,927,936

Therefore, 72,057,594,037,927,936 divided by 1,099,511,627,776 = 65,536 (which is 2^16).

DES has many security issues. If a bank has a fleet of aging payment terminals used by merchants for transactional processing, and the terminals currently support single DES but require an upgrade to be compliant with security standards, the simplest solution to improve the in-transit protection of transactional data is to upgrade to 3DES.

50
Q

Which automation or scripting concept can reduce the Risk that new equipment might not have all the same settings, applications, and drivers as your existing equipment without changing vital user settings?

Configuration Validation
Automated Courses of Action
Continuous Monitoring
Templates

A

Configuration Validation

Explanation:
Configuration validation through automation and scripting can ensure that new equipment has all the proper settings, applications, and drivers as existing equipment.

Continuous monitoring can be employed to ensure that no device on the network has its configuration settings changed, but it will not ensure that the configurations match.

Automated courses of action can be accomplished through scripting, so that certain events trigger a series of responses or actions. Automated courses of action can also be used to obtain updates and patches by scheduling the software to check for them at certain times. Automated courses of action usually cannot verify that equipment has the same settings, applications, and drivers as existing equipment.

Templates provide standardized documentation for several issues. Such issues can include security analysis reporting, threat and vulnerability identification, and impact assessment, among others. Templates can also be used to configure operating systems (OSs) to ensure that certain settings are automatically configured. Templates are usually used as a first time configuration measure, but often cannot be reapplied because doing so would result in loss of any user changes that have been made.

51
Q

You need to ensure that backdoor applications are not installed on any devices in your Network. Which tool is NOT a backdoor application?

NetBus
Masters Paradise
Nessus
Back Orifice

A

Nessus

Explanation:
Nessus is NOT a backdoor application. It is a network vulnerability scanner.

Back Orifice, NetBus, and Masters Paradise are all backdoor applications. These applications work by installing a client application on the attacked computer and then using a remote application to gain access to the attacked computer. Back Orifice is a famous rootkit that targets Windows systems and is sometimes used as a remote administration tool.

52
Q

You have been hired as a Security consultant for a new company named Verigon. Verigon needs guidance on which protocols to implement on the Network. Match each protocol option with the correct description.

Options:
SSL/TLS
S/MIME
SNMPv3
SSH

Descriptions:
Routing and Switching Management
Secure Encryption and Digital Signatures for Email
Secure Remote Access
Cryptographic Communication Protocol

A

SSL/TLS – Cryptographic Communication Protocol

S/MIME – Secure Encryption and Digital Signatures for Email

SNMPv3 – Routing and Switching Management

SSH – Secure Remote Access

53
Q

When a large data breach occurs, which impact to the business is difficult to measure in monetary terms but influences how customers perceive the brand in the marketplace?

Security Awareness
Availability Disruption
Identity Theft
Reputation Loss

A

Reputation Loss

Explanation:
Reputation loss is intangible damage to the organization that occurs due to a company suffering a data breach.

Security awareness is a term used to describe the security sophistication of a user group or company.

Identity theft is the theft of certain personal information that allows for making financial transactions in the name of the targeted person.

Availability disruption is not a term used when discussing security or breaches.

54
Q

When considering home or office alarm systems, which availability feature leaves them open to remote attacks?

Cloud-based storage of images
Convenient power plug standard
WIFI Protected Setup button
Internet Connection

A

Internet Connection

Explanation:
Alarm systems with a connection to the internet are a two-way street for connectivity. Not only does the connection make the system more convenient to use when you are away from home, but it also gives attackers a way to reach the alarm system over a remote connection, leaving it vulnerable to attack.

The best way to prevent these remote alarm system attacks is to use extremely strong passwords for both your home WiFi network and the account you use to access the alarm system via the internet.

Having a convenient power plug or WPS button could only impact the local attack surface.

Although the cloud storage could be attacked to gain image files, the device itself is not open to attack through that vector.

55
Q

You have been hired as a Security consultant. One of your recommendations is that the organization should implement Encryption for all data, including data at rest, data in use, and data in transit. Which Security service does this provide?

Accountability
Integrity
Availability
Confidentiality

A

Confidentiality

Explanation:
Encryption provides confidentiality security services. An encrypted file is protected from being read by users who cannot decrypt the file. Users require digital keys to decrypt and read encrypted files. Confidentiality deals with ensuring that information is not intentionally or unintentionally disclosed.

Accountability is a security service that is used to determine the identity of users. Authentication is an example of an accountability security service. Availability is a security service that protects hardware and data from loss by ensuring that any needed data is available when necessary. Backups are an example of availability. Integrity is a security service that ensures that digital files have not been changed. Digital signatures are an example of an integrity security method. A digital signature provides integrity and non-repudiation. Non-repudiation ensures that the data’s origin is known.

56
Q

The cafe in the student center of a university established contactless payment by printing QR codes on its menus. When scanned by a mobile device, the QR codes direct the students to an online payment system that deducts money from their student debit cards. One day the menus have new QR codes printed on stickers that are placed over the old ones. The following week, several students discover money is missing from their accounts. Which Social Engineering principle made this a successful attack?

Urgency
Trust
Scarcity
Authority

A

Trust

Explanation:
This was an example of trust. Even though the menus in the café had clearly been altered, they appeared to come from a trustworthy source and were part of an established pattern of use. QR codes can embed malicious links or direct users to compromised sessions. For these reasons, users should be taught never to scan QR codes placed in random public areas, or QR codes printed on stickers or other temporary media.

CompTIA lists seven principles that can make social engineering attacks effective:

Authority – The attacker impersonates someone with the power to request access to sensitive information, such as an IT support desk member or law enforcement.
Intimidation – The attacker bullies or belittles the victim to get access or sensitive information, such as an attacker who says he will have a security guard fired if the guard does not unlock a secured door for the attacker.
Consensus – The attacker convinces the victim that it is fine to reveal confidential information or perform a risky action because the victim’s peers or coworkers are doing it too.
Scarcity – The attacker wraps the attack in an offer that is limited, restricted, or expiring soon, such as an invitation to an exclusive LinkedIn group that the attacker will use to harvest confidential company information.
Familiarity – The attacker pretends to be someone who belongs in the victim’s environment, such as an employee in a neighboring office or a remote coworker.
Trust – The attacker gains the victim’s trust by pretending to be a sympathetic person who will help the victim, or who deserves to be helped by the victim.
Urgency – The attacker pretends there is an emergency that requires the victim to immediately release confidential information or grant access. Urgency is often combined with authority attacks that impersonate law enforcement.

57
Q

Management at your company has requested that you implement DLP. What is the purpose of this technology?

It protects against malware.

It monitors data on computers to ensure the data is not deleted or removed.

It implements hardware-based Encryption.

It allows organizations to use the Internet to host services and data remotely instead of locally.

A

It monitors data on computers to ensure the data is not deleted or removed.

Explanation:
Data Loss Prevention (DLP) is a network system that monitors data on computers to ensure the data is not deleted or removed. If your organization implements a DLP system, you can prevent users from transmitting confidential data to individuals outside the company.

Cloud computing is a technology that allows organizations to use the Internet to host services and data remotely instead of locally.

Microsoft Security Essentials is an application that protects against malware. It is included in Windows 7. Windows 8 and above use Windows Defender. Other applications are available that protect against malware.

Trusted Platform Module (TPM) and Hardware Security Module (HSM) are both chips that implement hardware-based encryption. The main difference between the two is that a TPM chip is usually mounted on the motherboard and HSM chips are PCI adapter cards.

DLP provides different solutions based on data location:

Network based – deals with data in motion and is usually located on the network perimeter.
Storage based – operates on long-term storage (archives).
Endpoint based – operates on a local device and focuses on data in use.
Cloud based – operates in "the cloud" on data in use, in motion, and at rest.

DLP identifies and controls endpoint ports, and blocks access to removable media, by providing the following services:

Identify removable devices connected to your network by type (USB thumb drive, DVD burner, mobile device), manufacturer, model number, and MAC address.
Control and manage removable devices through endpoint ports, including USB, Wi-Fi, and Bluetooth.
Require encryption, limit file types, and limit file size.
Provide detailed forensics on device usage and data transfer by person, time, file type, and amount.

DLP includes USB blocking, cloud-based, and email services.

58
Q

A Web Server is located on a DMZ segment. The Web Server only serves HTTP pages, and there are no other computers on the DMZ segment. You need to configure the DMZ to ensure that communication can occur. Which PORT should be opened on the Internet side of the DMZ Firewall?

110
80
20
443

A

80

Explanation:
Only port 80 should be opened on the Internet side of the demilitarized zone (DMZ) firewall. The firewall will allow only HTTP traffic to enter the DMZ; all other port traffic will be prevented from entering the DMZ.

Port 20 is used by File Transfer Protocol (FTP) to send data. Port 110 is used by Post Office Protocol (POP), and port 443 is used by Secure Sockets Layer (SSL). The Web server on the DMZ only serves Web pages, so only HTTP services should be activated on the Web server. All other services on the Web server should be deactivated, which will strengthen security on the Web server.

Access control lists (ACLs) are used to configure rules on network devices. These ACLs determine which communication is allowed or denied. ACLs can be based on port numbers, IP addresses, MAC addresses, and other criteria.

59
Q

Match each Linux Command option (with its default parameters) to the correct description.

Options:
tail
top
grep
dd

Descriptions:
Search a file for a text string or pattern.
Create an image of a disk.
Display the last 10 lines of a file.
Display running processes.

A

tail – Display the last 10 lines of a file.

top – Display running processes.

grep – Search a file for a text string or pattern.

dd – Create an image of a disk.

60
Q

Management is concerned that mobile device location information can be revealed to attackers. Which mobile device feature should you investigate?

Geotagging
Screen Lock
Remote Wiping
White Listing

A

Geotagging

Explanation:
Geotagging is the process of attaching location information in the form of geographical metadata to digital media like web sites, videos, and photographs. Geotagging is a security concern because it can reveal location information. This feature embeds unseen code into a picture that records the longitude/latitude information of where the picture was taken. Geotags may also be applied to digital output and communications such as tweets or status updates on social media.

The information included in a geotag may include place coordinates (latitude and longitude), bearings, altitude, distances, or even place names. This feature becomes a serious concern when it comes to protecting your privacy and data. Geotagging can give away enough information about your current whereabouts (and where you are not) to allow thieves to target your home or workplace in your absence.

None of the other features is a security concern. They are all security solutions for mobile devices.

Remote wiping allows you to remotely wipe the contents of a mobile device. White-listing permits certain applications to be installed and run on mobile devices. Black-listing is the opposite of white-listing, and prevents the installation of certain applications. A screen lock prevents users from accessing the mobile device unless they know the code.

When considering applications that can be installed on mobile devices, you need to understand the following concepts for the Security+ exam:

Key management – You should take measures to ensure that all keys are protected. Measures that you can use include implementing device encryption to protect the keys while stored and using IPSec to protect the keys during transmission.

Credential management – You should implement solutions that allow you to manage credentials for users to ensure that mobile devices are only accessed by valid users. In addition, you should ensure that the protocols that you use do not transmit credential information in plaintext.

Authentication – If possible, you should require your mobile applications to authenticate users before allowing access. This ensures that applications are only accessed by valid users.

Geotagging – Geotagging attaches certain location information to pictures and videos. In most mobile devices, this feature can be disabled.

Encryption – Applications often request personally identifiable information (PII) that should be protected. In addition, they often transmit PII and other confidential information. Therefore, you should employ encryption to protect the data in storage and in transmission.

Application white-listing – Application white-listing allows administrators to configure a list of applications that are allowed to run on a mobile device. In some cases, it also includes a way of checking the hash value of the application to ensure data integrity.

Transitive trust/authentication – Transitive trust occurs when federated user identities allow users to access multiple applications, devices, and resources using a single authentication. A trusted computing base is established as the basis of federated user identity. Enterprises should ensure that any entities allowed into the trusted computing base are fully protected.

When deploying mobile devices securely, security professionals need to set policies and enforce them through monitoring all of the following features or practices: third-party app stores, rooting/jailbreaking, sideloading, custom firmware, carrier unlocking, firmware over-the-air (OTA) updates, camera use, SMS/MMS, external media, USB on-the-go (OTG), recording microphone, GPS tagging, Wi-Fi direct/ad hoc, tethering, and payment methods. Management should set the policy for each of these mobile device components. Policies are only effective if a plan for enforcement and monitoring is also established.

61
Q

Your organization has recently implemented a new Security policy that includes the implementation of the principle of Least Privilege. You need to ensure that users understand this principle and implement the appropriate procedures to adhere to this principle. What is the best implementation of this principle?

Issuing a single account to each user, regardless of his/her job function.

Completing administrative tasks at a computer that functions only as a Server.

Ensuring that ALL Services use the main administrative account to execute their processes.

Issuing the Run As command to execute administrative tasks during a regular user session.

A

Issuing the Run As command to execute administrative tasks during a regular user session.

Explanation:
The best implementation of the principle of least privilege is to issue the Run As command to execute administrative tasks during a regular user session. You should never use an administrative account to perform routine operations such as creating a document or checking your e-mail. Administrative accounts should only be used to perform an administrative task, such as configuring services or backing up the computer. By issuing the Run As command to execute administrative tasks during a regular user session, you execute the task as needed, but limit the administrative account to only running that particular task. If you logged off and back on using the administrative account, there is a possibility that you would forget to return to your regular user account when performing routine tasks.

Completing administrative tasks at a computer that functions only as a server is not an implementation of the principle of least privilege. Users should be able to perform administrative tasks at servers and workstations.

Ensuring that all services use the main administrative account to execute their processes is an example of NOT ensuring the principle of least privilege. Services should use a service account specifically created for the service that is only configured with those rights, permissions, and privileges for the service to carry out its functions.

Issuing a single account to each user, regardless of his job functions, is an example of NOT ensuring the principle of least privilege. Those users charged with administrative duties should be issued a minimum of two accounts: one regular user account for performing normal user tasks and one administrative user account configured with those rights, permissions, and privileges for the user to carry out the administrative duties. A proper implementation of the principle of least privilege ensures users are given only the user rights they need to execute their authorized tasks. The concept of least privilege exists within the Trusted Computer System Evaluation Criteria (TCSEC), which is used to categorize and evaluate security in all computer software.

The principle of least privilege is usually implemented by limiting the number of administrative accounts. Tools that are likely to be used by hackers should have permissions that are as restrictive as possible.

62
Q

To justify the expenses of the forensic investigation, what is one thing that you should closely document?

Network Traffic and Logs
Chain of Custody
Man-Hours
Screenshots

A

Man-Hours

Explanation:
To justify the expenses of the forensic investigation, you should track man-hours. From security guards to overtime used by staff, to the hours spent by experts in evidence examination, man-hours should be tracked. Careful documentation may be required by accounting, human resources, the courts, or insurance companies.

Capturing screenshots is an important part of forensic investigation. Screenshots allow you to record what is displayed on a computer screen or a smartphone. If the computer is powered down, whatever is on the screen would be lost without a screenshot. Network traffic and log analysis should be performed during forensic investigation and during incident response. Variations in baselines can indicate repeated attacks, and password hack attempts would show up in the logs. Chain of custody deals with how the evidence is handled once it has been collected. There should be a log of who has had custody of the evidence, where it has been, and who has seen it.

63
Q

Which two alternate data center facilities are the easiest to test? (Choose TWO)

redundant site
cold site
warm site
hot site

A

redundant site
hot site

Explanation:
The hot site and the redundant site are the easiest to test because they both contain all of the alternate computer and telecommunication equipment needed in a disaster. Usually, testing either of these environments is as simple as switching over to them after ensuring they contain the latest versions of your data.

A warm site is harder to test than a hot site or a redundant site, but easier to test than a cold site. It only contains telecommunications equipment. Therefore, to properly test disaster recovery procedures at the warm site, alternate computer equipment such as servers would need to be set up and configured.

A cold site is the hardest to test. It only includes a basic room with raised flooring, electrical wiring, air conditioning, and telecommunications lines. To properly test disaster recovery procedures at the cold site, alternate telecommunications and computer equipment would need to be set up and configured.

Hot sites and redundant sites are usually the most expensive to implement. Warm sites are less expensive than hot sites but more expensive than cold sites. Cold sites are the least expensive to implement.

64
Q

When you are hired as a Security practitioner for your company, the administrator informs you that the company’s Authentication system grants TGTs. Which protocol is being used?

ARP
Telnet
L2TP
Kerberos

A

Kerberos

Explanation:
Kerberos is a protocol that issues ticket-granting tickets (TGTs), which clients can then use to request session keys. A Kerberos client can use a session key to gain access to resources. Address Resolution Protocol (ARP) is used on TCP/IP networks to resolve Internet Protocol (IP) addresses to Media Access Control (MAC) addresses. MAC addresses are assigned to network interface cards (NICs) and are used to identify physical resources on a network. IP is used on TCP/IP networks to locate hosts.

ARP enables Ethernet and TCP/IP to interoperate.

Layer 2 Tunneling Protocol (L2TP) can be used to create secure virtual private network (VPN) connections.

Telnet is a TCP/IP protocol that enables a user to remotely connect to a server through a text-based interface. The user can then use Telnet to remotely issue commands on the server as if it were the local computer.

65
Q

Your company implements an Ethernet Network. During a recent analysis, you discover that Network throughput capacity has been wasted as a result of the lack of loop protection. What should you deploy to prevent this problem?

STP
TTL
Network Separation
Flood Guards

A

STP (Spanning Tree Protocol)

Explanation:
You should deploy Spanning Tree Protocol (STP). The primary loop protection on an Ethernet network is STP. The problem with looping is the waste of network throughput capacity. STP can help mitigate the risk of Layer 2 switches in the network suffering from a DoS-style attack caused by staff incorrectly cabling network connections between switches. Loop protection is also referred to as loop prevention.

Time To Live (TTL) is the primary loop protection on an IP network. Flood guards are devices that protect against denial-of-service (DoS) attacks.

Network separation is a technique that is used to prevent network bridging. Network bridging can cause performance issues in the network. You can employ network separation by using routers or firewalls to implement IP subnets.

Often routers or switches are the main network devices on an Ethernet network. Switches are considered more secure than routers. Secure router configuration is a must when routers are deployed. A secure router configuration is one where malicious or unauthorized route changes are prevented. To do this, complete the following steps:

Configure the router’s administrator password to something unique and secret.
Configure the router to ignore all Internet Control Message Protocol (ICMP) type 5 redirect messages.
Implement a secure routing protocol that requires authentication and data encryption to exchange route data.
Configure the router with the IP addresses of other trusted routers with which routing data can be exchanged.

66
Q

You need to set permissions for the Tablemaker file so that the owning user can read, write, or execute it and members of the user's group can read or execute it. Which command will you run?

chown akaul -R /usr/data/Tablemaker
chgrp kaulgroup Tablemaker
chage -l -1 -m 0 -M 99999 -E -1 Tablemaker
chmod u=rwx,g=rx,o=r Tablemaker

A

chmod u=rwx,g=rx,o=r Tablemaker

Explanation:
chmod is the command and system call which is used to change the access permissions of file system objects (files and directories). The name of the command is an abbreviation of change mode.

The characters r, w, and x stand for read, write, and execute. Each category can have all three privileges, just specific ones, or none at all (represented by -, for denied). Users that have read permission can see the content of a file (or list the files in a directory). However, they cannot modify it (nor add/remove files in a directory). On the other hand, those who have write permission can edit files (and add and remove files in a directory). Finally, being able to execute means the user can run the file. This permission is mainly used for running scripts and programs.

The file owner's permissions are indicated by the letters after u= in the command. Then there are the permissions for members of the group, indicated by g=, and all others are indicated by o=. The letters after each = dictate which privileges that type of user has.

67
Q

Which protocol is used to consolidate event information from multiple devices on a Network into a single storage location?

syslog
SIP
secure-authentication
cron

A

syslog

Explanation:
Syslog is a protocol that is used to consolidate event information from multiple devices on a network into a single storage location. Syslog works on an extremely wide variety of different types of devices and applications, allowing them to send text-formatted log messages to a central server known as a syslog server.

The syslog service itself relies greatly upon having a syslog server of some kind to receive, store, and interpret syslog messages. This is a necessity because a device or application being able to send log event messages is of little use if there’s nothing in place to receive and view them.

68
Q

Your organization will be launching a retail Website that will handle cardholder data. Which regulation should you recommend following to avoid any potential fines due to a data breach?

GDPR
HIPAA
PCI-DSS
GLBA

A

PCI-DSS (Payment Card Industry - Data Security Standard)

Explanation:
PCI-DSS stands for the Payment Card Industry Data Security Standard, which applies to merchants, cardholder organizations, or any entity that stores, processes, or transmits cardholder data. The PCI-DSS aims to protect organizations and their customers from credit card fraud. Organizations should recognize that PCI-DSS requires organizations that process cardholder information to maintain confidentiality through data encryption, integrity through hashing, and availability through fault tolerance and appropriate permissions to data; together these make up the CIA triad.

The Health Insurance Portability and Accountability Act (HIPAA) is a federal US act put in place in 1996. This law required the establishment of national standards to safeguard sensitive patient data, known as protected health information (PHI), from being disclosed without the patient's consent or knowledge.

GLBA is the Gramm-Leach-Bliley Act, also known as the Financial Modernization Act of 1999. It is a federal act that applies to any financial organizations such as banks, investment companies, credit card companies, etc., along with insurance companies in the United States. This act requires these financial or insurance organizations to explain their information sharing practices to their customers and to safeguard customers' sensitive data.

GDPR is a European act that applies to any company that collects or processes personally identifiable information (PII) of the citizens of the EU. GDPR stands for the General Data Protection Regulation. The law also addresses the transfer of personal data outside of the EU and EEA areas.

69
Q

Which of these vulnerabilities is characterized by a user modifying a browser’s security settings to make it more convenient to visit Websites?

Improper Input Handling
Improper Error Handling
Default Configuration
Misconfiguration/Weak Configuration

A

Misconfiguration/Weak Configuration

Explanation:
If a user modifies a browser’s security settings to make it more convenient to visit web sites, such as turning off pop-up blockers and anti-phishing controls, this is an example of weak configuration. Misconfiguration and weak configuration can have a severe impact on the entire organization. Misconfiguration, such as not changing the default administrative user name or password, can also have a significant impact. A SQL injection is an example of improper input handling, and the impact can include data destruction or unfettered access to the database. Inputs should be checked for common SQL injection symbols. Other examples of improper input handling include failure to validate the type of data in an input field, the length of the data, and proper date ranges.

Improper error handling could allow an attacker to crash a program. Error checking should be built into every module or code function. An error should not result in a crashed application, but rather generate an error message. Systems and components, such as routers, should never be deployed with the default configuration enabled. As an example, many SOHO users are thrilled that they got their new wireless network to finally communicate “out of the box.” As a result, they do not change the default administrator information, leaving their network wide open for attack.

70
Q

Your organization recently experienced a Cross-Site Scripting (XSS) attack. In which situation does XSS pose the most danger?

A user accesses a static content Website

A user accesses a publicly accessible Website

A user accesses a knowledge-based site using his/her login credentials.

A user accesses a financial organization’s site using his/her login credentials.

A

A user accesses a financial organization’s site using his/her login credentials.

Explanation:
Cross-site scripting (XSS) poses the most danger when a user accesses a financial organization’s site using his or her login credentials. The problem is not that the hacker will take over the server. It is more likely that the hacker will take over the client’s session. This will allow the hacker to gain information about the legitimate user that is not publicly available. To prevent XSS, a programmer should validate input to remove hypertext. You can mitigate XSS by preventing the use of HTML tags or JavaScript image tags.

While the other situations can result in an XSS attack, these situations do not pose as much danger because it is unlikely that any real-world information will be obtained.

There are different steps organizations and security professionals can take to protect against XSS attacks. For regular users, you should restrict untrusted JavaScript, use built-in browser protections, restrict external websites from requesting internal resources, and maintain system updates and patches. Developers should use whitelisting/blacklisting, OWASP Enterprise Security API (ESAPI), the Microsoft AntiXSS Library, and web vulnerability scanners. Network administrators should use WhiteTrash Squid web proxy plug-ins and Web Application Firewalls (WAFs). Finally, another technique is to coordinate between the web application and the client browser to separate user-supplied data from web application HTML using a content security policy (CSP).

71
Q

What is often the weakest link in the Security Chain and represents the largest vulnerability?

Embedded Systems
Untrained Users
End-of-Life Systems
Lack of Vendor support

A

Untrained Users

Explanation:
Untrained users are often the most vulnerable point in an organization's security chain and represent the biggest vulnerability. It is impossible for users to adhere to an organization's information security policies if they are not aware of them. It is also impossible for the user to implement a security procedure without being trained on how to do so. Without the proper user training, even the most sophisticated defense an organization can purchase may be rendered useless.

Keeping end-of-life systems active in the network, such as running an outdated operating system, can create system-wide vulnerabilities. As an example, new malware attacks would be particularly effective on systems that are running Windows 7 after Microsoft discontinued security updates for it.

Embedded systems are smaller computer systems, perhaps even a single chip, that are used as a component of a larger system. They may be used in industrial controls, smart homes, manufacturing, and even printers. Consider the impact of a networked printer that does not have the appropriate security controls updated in its firmware.

Lack of vendor support can be particularly harmful. A vendor should be responsible for providing security updates for issues that are discovered. Failure of the vendor to do so provides an attacker with the opportunity to exploit a system vulnerability.

72
Q

Recently, an attacker tricked a user into believing he was selecting a button to direct him to a legitimate Website, but that button actually took him to another site. Which type of attack occurred?

Amplification
Driver Manipulation
Pass the Hash
Clickjacking

A

Clickjacking

Explanation:
Clickjacking involves putting a transparent button over an existing button (or image) on a web page. When the victim clicks the button, instead of going to the website they intended, they are routed to a different site where the attacker captures personal information. Amplification attacks are often part of a DDoS attack, usually associated with UDP protocols. The goal of this attack is to turn a simple query, such as DNS or NTP, into a flood of responses that overwhelms the victim’s network resources.

Pass the hash attacks exploit authentication protocol weaknesses, where the password hash remains the same between sessions until the password value changes.

Driver manipulation attacks change the information provided to a device driver. This results in the driver not being used at all or performing with unexpected results.

Other types of application/service attacks include shimming, refactoring, and MAC spoofing.

Shimming is a form of driver manipulation. An API library is created that changes the arguments (parameters) passed to the driver, bypasses the driver, or has the API deal with the driver operation.

Refactoring identifies the flow within an application’s code and changes the code without changing how the code appears to function. This is often used to identify exploitation opportunities in a weak area of an application’s code. MAC spoofing involves manipulating the MAC address, or unique identifier, of the network interface card on a device. The attacker substitutes a MAC address of his choosing instead of using the hard-coded MAC address. This can often be done through NIC adapter settings, or through a registry entry.

73
Q

What is the difference between production Honeypots and Research Honeypots?

Production Honeypots mitigate Risks to production systems by aiding in attack prevention, detection, and response. Research Honeypots are information-gathering resources.

Production Honeypots protect data produced by artificial means. Research Honeypots protect data that is used solely for research purposes.

Production Honeypots are only utilized in production environments. Research Honeypots are only used in research-based environments.

Production Honeypots are a disruptive strategy that allows you to maximize the effectiveness of decoys. Research Honeypots use open-source strategies to learn attackers’ techniques.

A

Production Honeypots mitigate Risks to production systems by aiding in attack prevention, detection, and response. Research Honeypots are information-gathering resources.

Explanation:
Production honeypots are the most common type of honeypot, especially among businesses and organizations. They mitigate risks to production systems by aiding in attack prevention, detection, and response within the organization’s production network. Research honeypots are information-gathering resources that are used to gather information about the specific methods and tactics hackers use. Research honeypots collect information about attacks and vulnerabilities as well.

74
Q

You must configure the Routers on your Network to ensure that appropriate communication is allowed between Subnetworks. Your configuration must allow multiple protocols to communicate across the Routers. Match each Protocol option with the default Port it uses.

Options:
Telnet
FTP
DNS
HTTP
SMTP

Ports:
Port 25
Port 20
Port 53
Port 80
Port 23

A

Telnet – Port 23

FTP – Port 20 (File Transfer Protocol)

DNS – Port 53 (Domain Name System)

HTTP – Port 80 (Hyper Text Transfer Protocol)

SMTP – Port 25 (Simple Mail Transfer Protocol)

FTP also uses Port 21.

75
Q

A Windows computer is located on a TCP/IP Network that uses DHCP. You want the computer to Release its Lease on the TCP/IP configuration that it received from the DHCP Server. Which command should you use to release the configurations?

ping command
ipconfig command
arp command
tracert command

A

ipconfig command

Explanation:
ipconfig /release - to release your computer’s DHCP lease
ipconfig /renew - to renew your computer’s DHCP lease.

Other commands that you need to be familiar with include:

Netstat – displays network connections, routing tables, and protocol statistics

Nslookup – queries DNS servers on Windows computers.

Dig – queries DNS servers on Linux/Unix computers

Tcpdump – allows the user to display packets being transmitted or received over a network

Nmap – discovers hosts and services on a computer network and builds a map of the network

Netcat – reads and writes from TCP and UDP sockets

76
Q

Bob manages the sales department. Most of his sales representatives travel among several client sites. He wants to enable these sales representatives to check the shipping status of their orders online. This information currently resides on the company intranet, but it is not accessible to anyone outside the company Firewall. Bob has asked you to make the information available to traveling sales representatives. You decide to create an extranet to allow these employees to view their customers’ order status and history. Which technique could you use to secure communications between Network segments sending order-status data via the Internet?

Extranet
VPN
Certificate Server
VLAN

A

VPN (Virtual Private Network)

Explanation:
A virtual private network (VPN) is not a physical network. In a VPN, a public network, such as the Internet, is used to allow secure communication between companies that are not located together or between private networks. A VPN transports encrypted data.

A Virtual LAN (VLAN) allows networks to be segmented logically without physically rewiring the network. A VLAN is an excellent way to provide an added layer of security by isolating resources into separate subnets. If a small company purchases an all-in-one wireless router/switch and has two Web servers, and it needs to protect from access by BYOD, you could create a server VLAN and place an ACL on the Web servers.

An extranet enables two or more companies to share information and resources. While an extranet should be configured to provide the shared data, an extranet is only a Web page. It is not actually responsible for data transmission. An extranet has a wider boundary than an intranet.

A certificate server provides certificate services to users. Certificates are used to verify user identity and protect data communication.

VPNs use what is known as a tunneling protocol for the secure transfer of data using the Internet. A common tunneling protocol for this purpose is Point-to-Point Tunneling Protocol (PPTP). The term “tunnel” refers to how the information is privately sent. Data being sent is encapsulated into what are called network packets. Packets are encrypted from where they originate before they are sent via the Internet. The information travels in an encrypted, or non-readable, form. Once the information arrives at its destination, it is then decrypted.

By using a VPN, a company avoids the expense of leased lines for secure communication, but instead can use public networks to transfer data in a secure way. Client computers can connect to the VPN by dial-up, DSL, ISDN, or cable modems.

An intranet is a local area network (LAN) add-on that is restricted to certain users, usually a company’s employees. The data contained on it is usually private in nature.

77
Q

You are designing a Website that allows customers to set their payment options for a subscription service. Which of the following authentication management methods is recommended for a new account holder?

Password Key
Dynamic KBA
Static KBA
Password Vault

A

Dynamic KBA (Knowledge-based Authentication)

Explanation:
KBA (knowledge-based authentication) comes in two forms. The most basic is static KBA, also called shared secrets. This is what you commonly deal with when you forget your email password. The user verifies their identity through the use of a security question with a static answer that the user supplied when they created their account.

Dynamic KBA is a bit more invasive. Just like with static KBA, the user's identity is verified with questions, but rather than those questions being pre-supplied, these questions are generated based on the user's public and private data such as credit reports or transaction history. Therefore, the answers to these dynamic questions could not be found in a stolen wallet or purse, making it difficult for anyone other than the actual person to know the correct answer.

78
Q

You have deployed several different Network types and techniques. Match each Option with the Description that BEST matches it.

Options:
DMZ
VLAN
NAT
NAC

Descriptions:
A Network Server that ensures that all Network devices comply with an organization’s Security policy.

A Network that is isolated from other Networks using a Firewall.

A Network that is isolated from other Networks using a Switch.

A transparent Firewall solution between Networks that allows multiple internal computers to share a single internet interface and IP address.

A

NAC – (Network Access Control) A Network Server that ensures that all Network devices comply with an organization’s Security policy.

DMZ – (Demilitarized Zone) A Network that is isolated from other Networks using a Firewall.

VLAN – (Virtual Local Area Network) A Network that is isolated from other Networks using a Switch.

NAT – (Network Address Translation) A transparent Firewall solution between Networks that allows multiple internal computers to share a single internet interface and IP address.

79
Q

Microsoft releases a notification to all users that a vulnerability has been recently discovered in SQL Server 2017 (Version 14.0) that could allow an attacker to control your computer remotely. They are working on a fix, but do not have a workaround available. Which term best describes this Risk?

DDoS
Botnet
Zero-Day Vulnerability
SQL Injection

A

Zero-Day Vulnerability

Explanation:
Zero-day vulnerabilities are often unknown or known only to an attacker who is able to exploit that vulnerability. Patches are not readily available until the manufacturer can develop a solution.

A SQL injection describes an input validation issue in the front-end of an application that allows attackers to directly manipulate the underlying data source using structured query language (SQL).

A distributed denial-of-service (DDoS) attack uses multiple sending devices to take a single host or group of hosts offline. The sending devices are typically a group of compromised devices, known as a botnet, that are controlled by a central Command and Control (C&C) server.

80
Q

You have decided to attach a digital timestamp to a document that is shared on the Network. Which attack does this prevent?

A Known-Plaintext Attack
A Side Channel Attack
A Replay Attack
A Ciphertext-Only Attack

A

A Replay Attack

Explanation:
Digital timestamps prove helpful in preventing replay attacks. In a replay attack, the attacker monitors the traffic stream in a network. The attacker maliciously repeats or delays the transmission of valid data over the network. Setting a threshold time value on each system ensures that the computer only accepts packets within a specified time frame. A packet received after the specified time indicates a possible replay attack. Digital timestamps are attached to a document at document creation.

In a side channel attack, the attacker gains information about the encryption algorithms from the cryptosystem that is implemented in the network. The attacker can use information such as power consumption, electromagnetic radiation, and sound to break into a system. The side channel attack can also be based on measuring the time taken to perform a computation.

A ciphertext-only attack is primarily focused on discovering the encryption key by gathering multiple encrypted messages and then trying to deduce a pattern from the encrypted messages. A known-plaintext attack primarily focuses on the discovery of the key used to encrypt the messages. The key can be used to decrypt and read messages. The attacker has access to multiple instances of plaintext and ciphertext for several messages.

81
Q

You have found that your system for validating keys has a latency period of 24-48 hours. As a result, a key that had been breached was accepted. You want to provide a Real-Time solution that will reduce this latency period. Which technology should you implement?

CRL
CSR
OCSP
OID

A

OCSP (Online Certificate Status Protocol)

Explanation:
Online Certificate Status Protocol (OCSP) is a real-time protocol for validating keys. OCSP is replacing CRL, which takes 24-48 hours to broadcast.

Object identifiers (OID) are optional extensions for X.509 certificates. They are dotted decimal numbers that would assist with identifying objects.

A certificate signing request (CSR) is typically one of the first steps in getting a certificate for authentication from a certificate authority (CA).

A certificate revocation list (CRL) is a method for listing certificates that have expired, been replaced, or were revoked. A web browser, for example, would check a CRL to verify whether or not the responding server is authentic. A CRL takes 24-48 hours to broadcast, which could cause an invalid key to be accepted.

82
Q

How is syslog used?

Holds event messages that are valuable for viewing time and scheduling maintenance on Network computers

Holds event messages that are valuable for troubleshooting both Security and performance issues

Synchronizes all computers throughout the internet

Records the time and logs the information to synchronize world computer clocks

A

Holds event messages that are valuable for troubleshooting both Security and performance issues.

Explanation:
Syslog stands for System Logging Protocol and is a standard computing protocol used to send system log or event messages to a specific server, which is referred to as a syslog server. It is primarily used to collect and store a variety of device logs, such as security and performance events from several different machines, in a central location for monitoring and review purposes.

Microsoft scheduler and cron on Unix-like systems can be used to schedule maintenance tasks, while their logs can be used to verify when those tasks were performed.

The Internet time service (ITS) and network time protocol (NTP) are used to synchronize world clocks.

83
Q

Which principle stipulates that multiple modifications to a computer system should NOT be made at the same time?

Change Management
Due Diligence
Due Care
Acceptable Use

A

Change Management

Explanation:
Change management stipulates that multiple modifications to a computer system should NOT be made at the same time. This makes tracking any problems that can occur much simpler. Change management includes the following rules:

Distinguish between your system types.
Document your change process.
Develop your changes based on the current configuration.
Always test your changes.
Do NOT make more than one change at a time.
Document your fallback plan.
Assign a person who is responsible for change management.
Regularly report on the status of change management.

All changes made to your network and computers should be documented in the change management system. An appropriate change management system can help to prevent against ad-hoc configuration mistakes.

Due diligence is the investigation of a business, person, or act prior to signing a contract or committing the act.

Due care is the normal care that a reasonable entity would exercise over that entity’s property. As part of due care, an organization is responsible for implementing policies and procedures to prevent data loss or theft.

Acceptable use is employee or customer usage of company resources that is allowed and defined in a contractually binding document, referred to as an acceptable use policy.

Incident management is a facet of risk management that is similar to change management. Incident management refers to the activities of an organization to identify, analyze, and correct risks as they are identified.

84
Q

Why are asymmetric Encryption algorithms particularly vulnerable to cryptanalysis by Quantum computers?

Quantum computers can operate on larger data sets than classical computers with comparable resources.

Quantum computers can perform complex mathematical operations faster than classical computers with comparable resources.

Quantum computers can be upgraded more easily and less expensively than classical computers with comparable budgets.

Quantum computers can perform simple mathematical operations faster than classical computers with comparable resources.

A

Quantum computers can perform complex mathematical operations faster than classical computers with comparable resources.

Explanation:
Quantum computers are able to perform complex mathematical operations much faster than classical computers can, even with comparable resources. Security experts believe that all public-key encryption schemes can be defeated by a quantum computer with reasonable computational resources. It is important to note that quantum computing does not impact the strength of hashing or symmetric encryption algorithms, because those algorithms do not rely on complexity the way that asymmetric encryption does.

85
Q

Your organization has asked you to design a strategy for documenting actions that users take on a computer Network. This solution should provide user accountability. What should you implement?

Audit Logs
Encryption Algorithms
Backup Tapes
Smart Cards

A

Audit Logs

Explanation:
You should implement audit logs to document actions taken on a computer network, along with the parties responsible for those actions. In order to ensure the integrity of audit logs, proper identification and authentication should be required on a network. If an audit log is lost or compromised, then a company might not be able to prosecute hackers who attack or attempt to attack a network.

Regular backups on backup tapes can help protect a company against data loss. Encryption algorithms can be used to encrypt files to protect the confidentiality of the information contained in encrypted files. Smart cards are physical cards that contain digital authentication information and encryption keys that can be used to gain entry to restricted areas and computer systems.

For the Security+ exam, you need to understand permission auditing and review and usage auditing and review. Permission auditing and review ensures that users have the appropriate permissions to complete the tasks that are part of their job. By implementing permission auditing and review, you ensure that privilege creep does not occur. Usage auditing and review ensures that accounts are still being used. By implementing usage auditing and review, you ensure that accounts that are no longer in use are disabled.

86
Q

You have been hired as a Security administrator for a large business. The previous Security administrator left behind documentation on the Security policies and measures that the company implements. The Network includes several Security devices, including a Honeypot. Which active response to a hacker attack describes this device?

Deception
Termination of a Process
Termination of a Connection
Network Reconfiguration

A

Deception

Explanation:
A honeypot is a deception method of active response to a hacker attack. In a deception response, a hacker is led to believe that he or she has infiltrated a network while information is being gathered about the attack. A honeypot is a computer on a network that is configured to lure hacker attacks so that the attacks can be studied, and the intruder can be caught. Another term that you need to understand is a honeynet. A honeynet is a network that is configured to lure hackers so that attacks can be studied. Honeynets usually contain honeypots. An administrator should implement honeypots and honeynets to research current attack methodologies. A honeynet is more efficient than penetration tests, firewall logs, and IDSs when gathering intelligence about the types of attacks being launched against an organization.

Reconfiguration of a network can be used to close potential avenues of attack. Termination of a process or connection that a hacker is currently using might also counteract a hacker attack.

An active response to an attack prevents or contains the attack. A passive response to an attack just collects data about the attack for later review. Active tools are better for handling the attacks but are often more expensive than passive tools.

87
Q

Which Integrity strategy is used to ensure that application code has not been tampered with since it was checked in by a Developer?

Monitoring Control
Unit Testing
Integration Testing
Versioning Control

A

Versioning Control

Explanation:
In all stages of application development, version control is essential. Version control allows you to manage changes to files over time and store these revisions in a database. Changes one developer made should not necessarily be wiped out by the changes another developer presents, especially if it was meant to be only a temporary modification for testing purposes. Any integration errors should be rolled back, so that they do not cause the entire application to fail. The resolution is to have a version control system that manages those changes across the development team and process stages.

Unit testing occurs on each component of an application to ensure that the expected outputs occur based on given inputs.

Integration testing verifies that each component works together in the overall application.

After deployment to a staging or production environment, monitoring will assist in tracking performance requirements and runtime issues.

88
Q

You need to ensure that a set of users can access information regarding departmental expenses. However, each user should only be able to view the expenses for the department in which they work. Senior managers should be able to view the expenses for all departments. Which database Security feature provides this granular Access Control?

Save Point
Noise and Perturbation
Partitioning
Database View

A

Database View

Explanation:
The database security feature that provides this granular access control is database views. Database views are used to limit user and group access to certain information based on the user privileges and the need to know. Views can be used to restrict information based on group membership, user rights, and security labels. Views implement least privilege and need-to-know and provide content-dependent access restrictions. Views do not provide referential integrity, which is provided by constraints or rules.

A save point does not provide granular access control. Save points ensure data integrity and availability but are not a database security feature. Save points are used to ensure that a database can return to a point when the system crashes. This further ensures the availability of the data prior to the database failure. Save points can be initiated either at a scheduled time or by a user action during data processing. Database integrity can also be provided through the implementation of referential integrity, where all the foreign keys reference the existing primary keys to identify the resource records in a table. Referential integrity requires that for any foreign key attribute, the referenced relation must have a tuple with the same value for its primary key.

Partitioning does not provide granular access control. Partitioning is another technique for ensuring database security. Partitioning involves splitting the database into many parts. Partitioning makes it difficult for an intruder to collect and combine confidential information and deduce relevant facts. Noise and perturbation do not provide granular access control. The noise and perturbation technique deploys the insertion of bogus data to mislead attackers and protect database confidentiality and integrity. The noise and perturbation technique involves inserting randomized bogus information along with valid records of the database. This technique alters the data but allows the users to access relevant information from the database. This technique creates enough confusion to hinder an attacker trying to extract confidential information.

Database views are an example of content-dependent access control in which the access control is based on the sensitivity of information and the user privileges granted. This leads to a higher overhead in terms of processing because the data is granularly controlled by the content and the privileges of users. Database views can limit user access to portions of data instead of to the entire database. For example, during database processing in an organization, a department manager might have access only to the data of employees belonging to that department.

89
Q

You instruct a user to issue the ipconfig command with the /release and /renew options. In which two situations would it be appropriate to ask a user to do this? (Choose TWO)

when the no IP directed-broadcast command has been issued in the Router interface local to the client, and no IP helper address has been configured on the Router between the client and the DHCP server

when no IP helper address has been configured on the Router between the client and the DHCP server

when the result of running the ipconfig /all command indicates a 169.254.163.6 address

when recent scope changes have been made on the DHCP server

A

when the result of running the ipconfig /all command indicates a 169.254.163.6 address

when recent scope changes have been made on the DHCP server

Explanation:
It would be appropriate to issue the ipconfig command with the /release and /renew options in the following situations:

When the result of running the ipconfig /all command indicates a 169.254.163.6 address
When recent scope changes have been made on the DHCP server

When a computer has an address in the 169.254.0.0 network, it indicates that the computer has not been issued an address from the DHCP server. Instead, the computer has utilized Automatic Private IP Addressing (APIPA) to issue itself an address. If the reason for this assignment is a temporary problem with the DHCP server or some other transitory network problem, issuing the ipconfig /release command followed by the ipconfig /renew command could allow the computer to receive the address from the DHCP server.

Similarly, if changes have been made to the settings on the DHCP server, such as a change in the scope options (such as gateway or DNS server), issuing this pair of commands would update the DHCP client with the new settings when this address is renewed.

These commands will have no effect if no IP helper address has been configured on the router between the client and the DHCP server. An IP helper address can be configured on the local interface of a router when no DHCP server exists on that subnet and you would like to allow the router to forward DHCP DISCOVER packets to the DHCP server on a remote subnet. DHCP DISCOVER packets are broadcast, and routers do not pass on broadcast traffic by default. These commands will have no effect if the no ip directed-broadcast command has been issued in the router interface that is local to the client, and an IP helper address has not been configured on the router between the client and the DHCP server. The no ip directed-broadcast command instructs the router to deny broadcast traffic, which is the default behavior. Under those conditions, the command will not result in finding the DHCP server or receiving an address.

90
Q

Your company must implement a Subnetwork that is highly secure. Management asks you to implement an Encryption method that is used only once for a single document. Which Encryption method should you use?

OTP
DES
Caesar Cipher
Substitution Cipher

A

OTP (One-Time Pad)

Explanation:
A one-time pad (OTP) is an encryption method designed to be used only once. An OTP is a random number that is used to encrypt only one document. The OTP must be used to decrypt a file that was encrypted with the OTP.

Data Encryption Standard (DES) is a private key encryption algorithm.

A substitution cipher is an encryption method that substitutes one character with another character in a particular pattern. For example, the Caesar cipher is a substitution cipher that replaces a letter with a letter that appears three letters later in the alphabet. In the Caesar cipher, the letter J is replaced with the letter M.

91
Q

Which of the following transmit data via Wi-Fi or Bluetooth only to a host device and are vulnerable to data interception and attack?

Medical Devices
Wearable Technology
UAV
Personal Vehicles

A

Wearable Technology

Explanation:
Wearable technology transmits data via Wi-Fi or Bluetooth to a host device, and as such is subject to data interception and attack. In addition to being subject to attack, wearable devices such as voice recorders, video recorders, and hidden cameras can also be used by an attacker to gain information. Unmanned Aerial Vehicles (UAVs) or drones are often controlled remotely, which is an inherent security risk. Aircraft/UAVs have multiple embedded systems, ranging from navigation to fuel control and ordnance delivery. Significant security systems must be incorporated to prevent these airborne vehicles from being compromised. UAVs only use Wi-Fi to communicate.

Medical devices are a risk. They can be manipulated to report false data, resulting in harm to the patient. They can also be manipulated to provide the wrong level of service to a patient, such as the flaw that was announced by the FDA with pacemakers whereby unauthorized users could manipulate the heartbeat rate or cause the battery to drain at a faster rate. Medical devices usually only use Wi-Fi, Bluetooth, or a wired connection to communicate.

Personal vehicles with embedded technology are susceptible to hackers. As an example, an air pressure sensor on a tire can be manipulated to show a low-pressure alert. When the consumer fills the tire sufficiently so that the alert stops, the tire is now overinflated. This can cause the tire to explode at highway speeds. Recently, security professionals have even demonstrated hacking into an automobile and driving it. Personal vehicles usually use satellite or cellular communication.

92
Q

Which type of data would be targeted by a malicious insider for the intent of corporate espionage?

Secret
Confidential
Proprietary
Private

A

Proprietary

Explanation:
Proprietary data is data that an organization owns that gives the organization a competitive advantage. This classification is used most in the private sector. Proprietary information includes company secrets, such as a famous recipe or a process that a company has developed and maintains on its own. It is information developed, created, conveyed to, or discovered by the organization that has commercial value in the organization’s business.

93
Q

You decide to implement a Key-based Authentication method for an internal SFTP Server. The IT department has a large inventory of existing client machines without Cryptoprocessors that must be supported. Which of the following components should be installed on existing machines to support the new Authentication method?

TSM
DRM
HSM
KBA

A

HSM (Hardware Security Module)

Explanation:
An HSM, or a hardware security module, is a specialized, highly trusted physical device which performs all major cryptographic operations, including encryption, decryption, authentication, key management, key exchange, and more. HSMs are dedicated security devices, with the sole objective of hiding and protecting cryptographic objects. If the existing client machines do not currently have any cryptoprocessors, they need to have an HSM installed to be able to implement the key-based authentication method for the SFTP server.

94
Q

Your company has recently decided to create a custom application instead of purchasing a commercial alternative. As the Security administrator, you have been asked to develop Security policies and procedures on examining the written code to discover any Security holes that may exist. Which assessment type will be performed as a result of this new policy?

Secure Code Review
Vulnerability Scanning
Review Design
Baseline Reporting

A

Secure Code Review

Explanation:
Secure code review examines all written code for any security holes that may exist. Secure code review should occur initially in software development. Secure coding concepts include exception handling, error handling, and input validation. During the system development life cycle (SDLC), secure coding concepts are included as part of application hardening.

Baseline reporting ensures that security policies are being implemented properly. By providing baselines, gap analysis can determine if the current configuration has been changed in any way.

Review design includes any steps you take to review the design of your network, devices, and applications. It often involves examining the ports and protocols used and the access control practices implemented. Vulnerability scanning looks for weaknesses in applications, devices, and networks.

You can also determine the attack surface and review architecture to help with the assessment. While both of these will allow you to identify areas where attacks may occur, they each assess different aspects. Determining the attack surface will help you identify the different components that can be attacked and reviewing the architecture will help you identify network architecture security issues.

For the Security+ exam, you must understand that all environments that you work in must be secured. All security patches and controls should be deployed in all physical and virtual environments, including the development, test, staging, and production environments. If you use smart card authentication in your production environment, you should also deploy it in the development, test, and staging environment so that all development, testing, and staging occurs in an environment that is identical to the production environment.

95
Q

You need to ensure that several confidential files are not changed. You decide to use an algorithm to create message digests for the confidential files. Which algorithm should you use?

SHA-1
IDEA
DES
AES

A

SHA-1 (Secure Hash Algorithm-1)

Explanation:
Secure hash algorithm (SHA)-1 is a hashing algorithm that creates a message digest, which can be used to determine whether a file has been changed since the message digest was created. An unchanged message should create the same message digest on multiple passes through a hashing algorithm.

Advanced Encryption Standard (AES), Data Encryption Standard (DES), and International Data Encryption Algorithm (IDEA) are secret key encryption standards that are used to encrypt files.

96
Q

You need to design a backup plan for your company’s file Server. You are most concerned with the restoration time. Which of the following would take the LEAST amount of time to restore?

Incremental Backups
Snapshots
Differential Backups
Full Backups

A

Snapshots

Explanation:
A snapshot is an image of the system at a given point in time. If a system crashed, restoring the snapshot would be the fastest way to restore the system. Differential backups begin with a full backup. On each day thereafter, you would back up all of the changes that had occurred since the last full backup. The order of restoration would be to restore the last full backup first, and then to restore the most recent differential backup.

Incremental backups begin with a full backup. On each day thereafter, you would back up that day’s changes. The order of restoration would be to restore the last full backup first, and then to restore each day’s incremental backup in order from oldest to newest.

Performing a full restoration using a full backup takes longer than restoring from a snapshot. The order of restoration if you did not have the appropriate backups would be to reinstall the OS, reinstall the applications, and then reinstall the user data.

97
Q

You are tasked with choosing a Mail Gateway for your organization. Which of the following is a consideration for this deployment?

Encryption
DLP
Spam Filter
All of these options.

A

All of these options.

Explanation:
You should consider all of these requirements when choosing a mail gateway: spam filters, data loss prevention (DLP), and encryption.

Spam filters trap undesirable email before it reaches the user’s inbox. Such filters could include country of origin, keywords in the subject line, specific IP addresses, or blacklisted mail domains.

If your organization implements a DLP system, you can prevent users from transmitting confidential data to individuals outside the company. DLP systems incorporate a number of data protection processes. These processes can include prevention from unauthorized access, protecting data from modification or destruction, or keeping data from leaving the network. Encryption can be a critical component and feature of a mail gateway. Encryption on a mail gateway would scramble the outgoing message, making it unreadable to someone who intercepts the message. For the Security+ exam, you should also understand the installation and configuration of media gateways, SSL/TLS accelerators, and SSL decryptors.

Media gateways perform the same function as mail gateways but work with multimedia communication.

SSL/TLS accelerators alleviate the load on the processor during encryption. They transfer the encryption process to a separate device, typically a PCI card, for encryption.

SSL decryptors decrypt incoming traffic, examine that traffic, and re-encrypt it before it goes back out on the network. While this does put extra load on the processor, it prevents the instance where a problem was not intercepted due to an encrypted packet.

98
Q

What is meant by MTBF?

the average amount of time from one failure to the next

the estimated amount of time that it will take to repair a piece of equipment when failure occurs

the estimated amount of time that a piece of equipment will be used before it should be replaced

the estimated amount of time that it will take to replace a piece of equipment

A

the average amount of time from one failure to the next.

Explanation:
The mean time between failures (MTBF) is the average amount of time from one failure to the next. The MTBF is usually supplied by the hardware vendor or a third party.

The mean time to repair (MTTR) is the estimated amount of time that it will take to repair a piece of equipment when failure occurs.

None of the other options is correct.

99
Q

Which Penetration-Testing concept is used to detect vulnerabilities that are found by means other than testing the system directly?

Active Reconnaissance
Pivot
Initial Exploitation
Passive Reconnaissance

A

Passive Reconnaissance

Explanation:
Passive reconnaissance detects vulnerabilities through techniques such as social engineering, accessing supposedly confidential information on publicly available databases, dumpster diving, and shoulder surfing.

Active reconnaissance accesses the system directly to detect vulnerabilities. Tools and techniques such as network mapping, port scans, and network sniffing are used to test the system and identify potential sources of attack.

Pivots use a compromised system to attack another system. Initial exploitation compromises one system so that it can be used in a pivot test against another system.

Persistence is when the compromised system is used in an attack at some point after the initial exploitation occurred. An example of persistence would be when a student’s notebook computer contracts malware at a coffee shop, but the school network is not affected until the student logs in to the school network.

100
Q

Quantified Harm caused when a vulnerability is exploited is known as what?

Likelihood
Risk
Threat
Impact

A

Impact

Explanation:
Impact is a description of the cost to an organization due to an adverse event, such as the harm caused from an exploited vulnerability.

Risk is the probability of an adverse incident occurring and its impact.

A threat is an adverse action made possible by the presence of a vulnerability.

Likelihood is a description of the probability of an adverse event.

101
Q

You need to ensure that improper data is not allowed into the executed program. Which of the following should you use?

Stored Procedures
Input Validation
Encryption
Provisioning

A

Input Validation

Explanation:
Input handling means that every input is validated against a range of acceptable values. If the input does not match that range of values, the input is rejected, and an error message is generated. Program crashes occur when an invalid input produces unexpected results. Proper input validation is essential in any application development project.

Stored procedures are a series of SQL statements that are executed as a group and are similar to scripts. Using properly written stored procedures protects the database from damage caused by poorly written SQL statements and SQL injection attacks, not invalid input.

Encryption should be used in software development, as well as network traffic, to protect data being stored or transmitted. Encryption protects existing data, but does not guard against improper input.

Provisioning and deprovisioning allocate resources based on demand for those resources. Neither concept is related to input validation.

Other secure coding techniques and issues include code signing, obfuscation, camouflage, code reuse, dead code, server-side versus client-side execution and validation, memory management, third-party SDKs, and data exposure.

Code signing embeds a digital signature into a piece of software, and is often used with device drivers. Validating the signature would verify that you are installing software that is from the vendor and not lookalike malware.

Obfuscation and camouflage are closely related. Obfuscation means to make something difficult to understand, and camouflage means to hide something among its surroundings and make it more difficult to detect. The purpose of both is to make it more difficult for someone to tamper with code or reverse engineer the code.

Code reuse and dead code are closely related. Attackers can reuse code that was developed for another purpose. In some cases, the code being reused is no longer valid or outdated. If the code is outdated, it is called dead code.

When comparing server-side versus client-side execution and validation, server-side execution and validation happen on the server when the data returns to the server. Client-side validation occurs on the browser on the client machine. Client-side validation provides a quicker response than server-side validation and does not generate a lot of overhead on the server. With that said, however, the browser needs to monitor for malicious code.

Memory management watches for things like memory leaks. Memory leaks can be caused by a programmer failing to free up memory once the process using that memory has been completed. C and C++ are particularly prone to memory leaks. Use of third-party libraries and software development kits (SDKs), while common, present security vulnerabilities. A flaw in an SDK can result in issues in every application that SDK was used to develop. Data exposure occurs when there are not sufficient safeguards on a database. Failure to protect your database can result in data hijacking and injection attacks.

102
Q

You need a tool that can aggregate logs from multiple Firewalls, send alerts when certain behaviors are detected in the Network, provide trend analysis, and analyze user behaviors. What should you choose?

NIPS
SIEM
NIDS
SCADA

A

SIEM (Security Information and Event Management)

Explanation:
A Security Information and Event Management (SIEM) system collects data from the different security devices in the system, such as firewalls and IPSs, and then aggregates the log files for analysis. It provides predictive trend analysis, behavior analytics, alerts, and even helps you comply with regulations like SOX and HIPAA.

Automated alerting and triggers are a SIEM feature that allow the system to react based on predetermined criteria.

A network intrusion detection system (NIDS) monitors a copy of network traffic (from a mirrored port or a tap) and alerts on attacks it detects. A network intrusion prevention system (NIPS) sits inline in the traffic path, so besides detecting attacks it can drop the offending packets before they reach the target. Neither aggregates logs from other devices or performs trend or user-behavior analysis. Supervisory control and data acquisition (SCADA) refers to industrial control systems for monitoring and controlling physical processes; it is not a log-analysis tool.

103
Q

During maintenance, you often discover unauthorized devices connected to your Wireless Network. You need to ensure that only Authorized corporate devices can connect to the Network. What should you configure to increase the Security of this Wireless Network?

Rogue Access Points
War Driving
SSID Broadcast
MAC Filtering

A

MAC Filtering

Explanation:
To increase the security of this wireless network, you should configure Media Access Control (MAC) filtering. With this filtering, the MAC address of each network interface card (NIC) that attempts to connect is checked against an access control list (ACL), and only MAC addresses that are specifically allowed are granted a connection. Some access points also let you list addresses that should be denied. MAC filtering can therefore both allow and deny access; the following are examples of both kinds of entries on a router: PERMIT 0A:01:FA:B1:03:37 and DENY 01:33:7F:AB:10:AB. Keep in mind that the addresses must be entered manually, which makes the list costly to maintain.

MAC filtering is easily defeated by spoofing, because MAC addresses appear in the clear in every 802.11 frame header even when the payload is encrypted. An attacker sniffs an approved address and then changes their own NIC to impersonate the approved device. Treat MAC filtering as a low-effort hurdle, not as authentication; 802.1X with per-device certificates is the control that actually limits the network to authorized corporate devices.

If a user is able to connect to a wireless network using one mobile device but not another, the most likely cause is that MAC filtering is enabled.

A service-set identifier (SSID) broadcast actually decreases security in a wireless network. If the SSID is broadcast in beacons, any wireless NIC in range can locate the network. If you disable SSID broadcast, users must type the SSID to connect, which slightly raises the effort for casual discovery. However, the SSID still appears in probe and association frames, so it is recovered easily with the tools used in war driving, and disabling the broadcast does nothing to prevent unauthorized devices from connecting.

War driving is a technique used to discover wireless networks, typically by driving around with a laptop or phone that records every network in range. Once intruders locate your wireless network, they attempt to break into it.

Rogue access points are wireless access points that have been connected to your network without authorization. They decrease the security of your network because they bypass your access controls. A site scan can be used to determine whether you have rogue access points. For example, if your company operates three wireless networks in its building, a quarterly scan that shows the following four networks reveals one rogue access point (CorpDev, which nobody authorized):

CorpPrivate  – Connected, Channel 1, -70 dBm
CorpPublic   – Connected, Channel 5, -80 dBm
CorpResearch – Connected, Channel 3, -75 dBm
CorpDev      – Connected, Channel 6, -95 dBm

Radio frequency interference (RFI) can cause wireless network problems. It can come from cordless phones, microwaves, and other equipment. For example, if your wireless network is frequently dropping connections, a cordless phone may be interfering with the wireless access point.

104
Q

Your company has recently purchased several computers that have Trusted Platform Module (TPM) hardware. Which technology works with this hardware?

EFS
BitLocker
IPsec
NTFS

A

BitLocker

Explanation:
BitLocker drive encryption works with TPM hardware. The TPM is a hardware chip on the motherboard that stores and protects cryptographic keys and can attest to the boot state of the machine. BitLocker encrypts the entire volume, both user and system files, so that data cannot be read if the drive is stolen; with a TPM, the volume key is sealed to the TPM and released only if the boot components have not been tampered with. BitLocker is enabled or disabled by an administrator for the whole computer, not per user, and provides full disk encryption. A TPM and a hardware security module (HSM) both provide protected storage for keys (RSA keys among others) and may assist in user authentication. A TPM is usually built into the computer and is therefore easier to deploy than an HSM.

None of the other options depends on TPM hardware. Encrypting File System (EFS) encrypts individual files and folders on an NTFS volume, not the whole disk. EFS is enabled on a per-user basis and can only protect files encrypted by the user who holds the corresponding EFS certificate. EFS does not require any special hardware or administrative configuration.

New Technology File System (NTFS) is the default file system of Windows operating systems. It provides permissions (ACLs), journaling, and support for EFS, but it is not an encryption technology and has no dependency on a TPM.

Internet Protocol Security (IPsec) is a suite of protocols that authenticates and encrypts IP traffic over a network. It does not rely on a TPM.

105
Q

You have been asked to research the Encryption algorithms available and make recommendations to management about which to implement. One of the Encryption algorithms that you are researching is RSA. Which type of Encryption algorithm does this algorithm represent?

Asymmetric with Authentication
Asymmetric with Authorization
Symmetric with Authentication
Symmetric with Authorization

A

Asymmetric with Authentication

Explanation:
RSA is an example of asymmetric cryptography with authentication. RSA is used as the worldwide de facto standard for digital signatures. RSA is a public key algorithm that provides both encryption and authentication (via signatures). Its security relies on an attacker's inability to factor the product of two large prime numbers.

Asymmetric algorithms include Diffie-Hellman, RSA, ElGamal, Elliptic Curve Cryptosystem (ECC), and Knapsack (Merkle-Hellman, now broken).

Symmetric algorithms include Data Encryption Standard (DES), Triple DES (3DES), Advanced Encryption Standard (AES), International Data Encryption Algorithm (IDEA), Blowfish, CAST, RC4, RC5, and RC6. Most of these are block ciphers (they encrypt fixed-size blocks), but RC4 is a stream cipher, so "symmetric" and "block cipher" are not synonyms. Note that CAST is a symmetric block cipher, not an asymmetric algorithm.

RSA does not rely on discrete logarithms (Diffie-Hellman and ElGamal do). The security that RSA provides is based on two large prime numbers whose product forms the modulus; because it is difficult to factor that product, it is difficult to recover the private key from the public key. Private keys are never exchanged: only public keys are distributed, and RSA can prevent man-in-the-middle attacks only when the public keys themselves are authenticated (for example, by a certificate signed by a trusted CA) before they are used. Public key cryptography is therefore suitable for securing messages, such as fax transmissions, between parties that share no prior secret. RSA requires far more processing power than a symmetric cipher because of the large-number modular exponentiation it performs, so in practice it is used to sign data and to protect a symmetric session key, while the bulk data is encrypted symmetrically. That hybrid design is what gives public key cryptography its efficient key management.

106
Q

You decide to implement a Key-based Authentication method for an internal SFTP Server. The IT department has a large inventory of existing client machines without cryptoprocessors that must be supported. Which of the following components should be installed on existing machines to support the new Authentication method?

KBA
HSM
DRM
TSM

A

HSM (Hardware Security Module)

Explanation:
An HSM, or hardware security module, is a specialized, highly trusted physical device that performs the major cryptographic operations, including encryption, decryption, authentication, key management, and key exchange. HSMs are dedicated security devices whose sole objective is to generate, hide, and protect cryptographic keys so that the private key never leaves the device. If the existing client machines do not currently have any cryptoprocessor, they need an HSM installed to implement the key-based authentication method for the SFTP server. In practice the HSM for a client machine is usually a small form factor such as a smart card or USB token that holds the user's private key; the SFTP server then authenticates the user with a public key challenge rather than a password. Knowledge-based authentication (KBA) verifies identity with questions about personal information, and digital rights management (DRM) controls the use of copyrighted content; neither provides cryptographic key storage.

107
Q

You are choosing a Wireless Access Point (WAP) to install. You need to manage several WAPs from a single location. Which of the following should you implement?

Standalone
Controller-based
Thin
Fat

A

Controller-based

Explanation:
A controller-based WAP allows you to manage all the WAPs in the network from a centralized location. This would allow you to configure consistent settings for updates and policies.

When comparing fat vs. thin access points, a thin access point has little intelligence of its own and receives its configuration from a controller (often a wireless LAN controller or a controller function built into a switch), whereas a fat access point is typically stand-alone and requires manual configuration. Thin and controller-based are therefore closely related terms, but the controller is the component that provides the single management location the question asks for. While a standalone WAP might allow you to manage it remotely, it does not allow management of several WAPs from a single location; each standalone WAP has its own management interface.

When comparing controller-based vs. stand-alone WAPs, controller-based WAPs are easier to configure remotely and do not require manual configuration.

108
Q

You have been hired as a Security consultant for a new company named Verigon. Verigon needs guidance on which protocols to implement on the Network. Match the protocol options with the correct descriptions?

Options:
DNSSEC
DHCP
HTTPS
Secure NTP
Secure POP3

Descriptions:
Secure Web Access
Secure Time Synchronization
Secure Email Download
Secure Domain Name Resolution
Network Address Allocation

A

DNSSEC – Secure Domain Name Resolution

DHCP – Network Address Allocation

HTTPS – Secure Web Access

Secure NTP – Secure Time Synchronization

Secure POP3 – Secure Email Download

109
Q

Which type of computers are targeted by RedPill and Scooby Doo Attacks?

Windows Server 2016 Servers
Terminal Servers
Window 10 Clients
Virtual Machines

A

Virtual Machines

Explanation:
RedPill and Scooby Doo (also written Scoopy Doo) attacks target virtual machines. Both are techniques for detecting whether code is running inside a virtual machine, for example by examining the location of CPU descriptor tables, which differs under a hypervisor. Malware uses such checks to hide from analysis sandboxes, and once virtual machines on a network are identified, other techniques are used to attack them in an attempt to breach the host and eventually the network.

RedPill and Scooby Doo attacks do not target Windows Server 2016 computers, Windows 10 clients, or terminal servers, unless these computers are virtualized.

Virtual machines are usually implemented within an organization so that the organization can manage them internally. Cloud computing differs in that the infrastructure is usually physically managed by an outside entity. An organization pays the cloud provider for the right to use portions of the provider's infrastructure, but it is never in physical control of the data.

110
Q

You have been hired as the Security administrator for a company. During your first weeks, you discover that most of the client and server computers are NOT protected from intrusions in any way. For the Servers, management wants you to implement a solution that will prevent intrusions on a single Server. Which system should you implement to satisfy management’s request?

NIDS
NIPS
HIDS
HIPS

A

HIPS (Host Intrusion Prevention System)

Explanation:
You should implement a Host Intrusion Prevention System (HIPS) to prevent intrusions on a single server or computer.

A Host Intrusion Detection System (HIDS) detects intrusions on a single server or computer.

A Network-based Intrusion Detection System (NIDS) detects intrusions on a network.

A Network-based Intrusion Prevention System (NIPS) prevents intrusions on a network.

Intrusion prevention systems (IPS) and intrusion detection systems (IDS) complement each other. An IPS sits inline and can block traffic: it can drop an offending connection, block access to certain sites entirely, or, depending on the organization's security requirements, allow a site but block specific features within it. An IDS is passive: it detects security breaches and alerts administrators, but by itself it cannot block access to any site or entity.

111
Q

Your client provides application software that can be downloaded over the Internet. The client wants customers to trust that they are purchasing and downloading the application from a validated source. What type of certificate should you consider?

Email
Root
User
Code Signing

A

Code Signing

Explanation:
You should use a code signing certificate. Code signing certificates are used for code that is distributed over the Internet, including programs or applications. Code signing certificates verify the code’s origin and help the user trust that the claimed sender is indeed the originator.

Email certificates are used to secure email. One such example is Secure Multipurpose Internet Mail Extensions (S/MIME), which provides a digital “signature” for that email. User certificates are assigned to individual users, much like machine/computer certificates are assigned to individual machines. Users must provide their assigned certificate for authentication prior to accessing certain resources. Root certificates define the root CA and validate all other certificates issued by that CA. They are at the top of the CA hierarchy. They are self-signed and are closely guarded.

You should also be familiar with SAN fields, machine/computer certificates, domain validation certificates, and extended validation certificates.

Subject Alternative Name (SAN) is a field in the certificate that lets you list additional identities, such as extra host names or IP addresses, covered by the same certificate. Machine/computer certificates are assigned to a designated machine; during authentication, the computer requesting access must supply the certificate assigned to it. Domain validation (DV) certificates are very common. They are low-cost and are often used by web admins to offer TLS to a domain. The CA validates only that the applicant controls the domain name (for example, by a DNS record or a file placed on the web server); it verifies nothing about the organization behind it.

Extended validation certificates, as the name suggests, provide additional validation for HTTPS web sites. The certificate provides the name of the legal entity responsible for the web site. These certificates provide a higher level of trust than domain validation and require the most effort by the CA to validate. They are validated using more information than just the domain.

112
Q

Management is concerned that applications have been developed using poor programming processes. Which of these issues may result from this? (Choose ALL that Apply)

Memory Leak
Integer Overflow
Pointer Dereference
Buffer Overflow

A

Memory Leak
Integer Overflow
Pointer Dereference
Buffer Overflow

Explanation:
All of the listed options may result from poor programming processes.

Memory leaks can be caused by a programmer failing to free memory once the code using that memory has finished. C and C++ are particularly prone to memory leaks because memory is managed manually. Integer overflows happen when an arithmetic result is too large for its data type and, instead of being rejected, wraps around to a small or negative value; if that value is then used as a buffer size or loop bound, the program can be corrupted. A dangling pointer dereference occurs when a pointer still refers to memory that has already been freed or reused: the pointer looks valid but now points at inaccurate or attacker-controlled data (use-after-free). A NULL pointer dereference, reading or writing through a pointer that holds no address, crashes the program.

A buffer overflow is an example of improper input handling being allowed by the application code: more data is written than the buffer can hold, and the impact ranges from crashing the application to arbitrary code execution. Other examples of improper input handling include failing to validate the type of data in an input field, the length of the data, or the allowed date range.
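The integer overflow and buffer overflow above are usually one bug: an attacker-supplied count is multiplied by an element size, the product wraps, the program allocates a tiny buffer, and the subsequent copy overflows it. The following added example (not from the flashcards) emulates the 32-bit unsigned arithmetic of a C program in Python to show the wrap, and the two checks that stop it: an overflow-safe size computation and a bounds-checked copy. The record count and element size are constructed values.

```python
SIZE_MAX_32 = 0xFFFFFFFF  # size_t maximum on a 32-bit target (assumed for the demo)


def wrapping_mul(a, b, size_max=SIZE_MAX_32):
    """What C's unsigned multiplication actually does: wrap modulo 2^N."""
    return (a * b) & size_max


def checked_alloc_size(count, elem_size, size_max=SIZE_MAX_32):
    """Return count * elem_size, or None if it would overflow size_t.
    This is the check C code must perform before malloc(count * elem_size)."""
    if count == 0 or elem_size == 0:
        return 0
    if count > size_max // elem_size:   # the multiplication would wrap
        return None
    return count * elem_size


def copy_records(buffer_size, record_count, elem_size):
    """Bounds-checked copy: refuse if the incoming data exceeds the buffer.
    Returns the number of bytes that would be copied."""
    needed = record_count * elem_size
    if needed > buffer_size:
        raise ValueError(f"buffer overflow: need {needed} bytes, have {buffer_size}")
    return needed


if __name__ == "__main__":
    count = 0x40000001      # attacker-controlled record count from a file header
    naive = wrapping_mul(count, 4)
    print("naive allocation:", naive, "bytes")                # 4: far too small
    print("checked allocation:", checked_alloc_size(count, 4))   # None: input rejected
    try:
        copy_records(naive, count, 4)                         # the copy that would overflow
    except ValueError as e:
        print("caught:", e)
```

In C the equivalent guard is `if (count > SIZE_MAX / elem_size) reject();` before the `malloc`, followed by copying no more than the buffer holds; a static analyzer or a fuzzer will usually find the version that omits either check.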

113
Q

How does using a syslog Server make processing more efficient?

  • A syslog Server makes it easier to coordinate events and combine information into a single log.
  • A syslog Server makes it easier to combine TCP/IP and FTP uploads.
  • A syslog Server makes it easier to compare events and separate and send information into different logs.
  • A syslog Server makes it efficient for the Network administrator when tracking host information.
A

A syslog Server makes it easier to coordinate events and combine information into a single log.

Explanation:
Syslog stands for System Logging Protocol and is a standard protocol used to send system log or event messages to a specific server, referred to as a syslog server. It is primarily used to collect and store a variety of device logs, such as security and performance events from many different machines, in a central location for monitoring and review. Each message carries a priority value that encodes its facility and severity, a timestamp, the sending host, and the message text. Using a syslog server makes it much easier to coordinate events and combine information into a single comprehensive log, which is also what a SIEM consumes.

A syslog does provide the other features, but only because it coordinates events across multiple systems into a central log.
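What a syslog server makes possible, and what a SIEM (question 102) builds on, is correlation across devices: a single firewall sees one denied connection, but the central log shows the same source hitting several firewalls in a row. The following added example (not part of the original flashcards) parses constructed RFC 3164-style syslog lines from two hypothetical firewalls, splits the priority into facility and severity, merges the events into one timeline, and raises an alert when one source address is denied repeatedly within a time window. The log format and thresholds are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog lines (RFC 3164 style) as two firewalls would send them to a
# central collector. Not real device output; hosts and addresses are invented.
LOG_LINES = """\
<134>Mar 12 10:15:01 fw-edge1 kernel: DENY TCP 203.0.113.7:51234 -> 10.0.0.5:22
<134>Mar 12 10:15:03 fw-edge2 kernel: DENY TCP 203.0.113.7:51235 -> 10.0.0.6:22
<134>Mar 12 10:15:04 fw-edge1 kernel: ALLOW TCP 198.51.100.2:40000 -> 10.0.0.5:443
<134>Mar 12 10:15:05 fw-edge1 kernel: DENY TCP 203.0.113.7:51236 -> 10.0.0.7:22
<134>Mar 12 10:15:06 fw-edge2 kernel: DENY TCP 203.0.113.7:51237 -> 10.0.0.8:22
<134>Mar 12 10:25:00 fw-edge2 kernel: DENY TCP 203.0.113.9:2000 -> 10.0.0.5:3389
""".splitlines()

# <PRI>timestamp host app: message, with the firewall's own message format appended.
SYSLOG_RE = re.compile(
    r"<(?P<pri>\d+)>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<app>[^:]+): (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_line(line, year=2024):
    """Parse one line into a dict, or None if it is not in the expected format.
    RFC 3164 timestamps carry no year, so the collector supplies one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    pri = int(e["pri"])
    e["facility"], e["severity"] = pri // 8, pri % 8   # PRI = facility*8 + severity
    e["ts"] = datetime.strptime(f"{year} {e['ts']}", "%Y %b %d %H:%M:%S")
    return e


def parse_all(lines):
    """Merge every device's lines into one timeline, dropping unparseable ones."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def detect_scans(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when one source is DENIED at least `threshold` times within `window`,
    counting hits across all firewalls: the correlation no single device can do."""
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            by_src[e["src"]].append(e)
    alerts = []
    for src, hits in by_src.items():
        for i, first in enumerate(hits):
            span = [h for h in hits[i:] if h["ts"] - first["ts"] <= window]
            if len(span) >= threshold:
                alerts.append({"src": src, "count": len(span),
                               "firewalls": sorted({h["host"] for h in span}),
                               "targets": sorted({h["dst"] for h in span})})
                break   # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(parse_all(LOG_LINES)):
        print("ALERT possible scan:", alert)
```

Facility 16 with severity 6 (local0.info) is what the constructed PRI value 134 decodes to; a real deployment would key the regex to the actual firewall's message format and feed the alerts into the SIEM's ticketing or blocking workflow.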

114
Q

Management has decided to install a Network-based Intrusion Detection System (NIDS). What is the primary advantage of using this device?

It is low maintenance.

It has the ability to analyze Encrypted information.

It has a high throughput of the individual workstations on the Network.

It launches no counterattack on the intruder.

A

It is low maintenance.

Explanation:
The primary advantage of an NIDS is the low maintenance involved in analyzing traffic in the network. An NIDS is easy and economical to manage because the signatures are not configured on all the hosts in a network segment. Configuration usually occurs at a single system, rather than on multiple systems. By contrast, host-based intrusion detection systems (HIDSs) are difficult to configure and monitor because the intrusion detection agent should be installed on each individual workstation of a given network segment. HIDSs are configured to use the operating system audit logs and system logs, while NIDSs actually examine the network packets.

An NIDS monitors the network segment on which it is placed, not the individual workstations, so it sees nothing that happens locally on a host. An NIDS is also not capable of analyzing encrypted information: the packets inside a Virtual Private Network (VPN) tunnel, or inside a TLS session, cannot be inspected by the NIDS unless the traffic is decrypted in front of it. The lack of this capability is a primary disadvantage of an NIDS.

The throughput of the workstations in a network does not depend on the NIDS installed in the network. Factors such as processor speed, memory, and allocated bandwidth affect the throughput of workstations.

The performance of an NIDS can be limited in a switched network because a switch forwards each frame only to the port of the destination host; an NIDS attached to an ordinary port therefore sees only broadcast traffic and traffic addressed to itself. To analyze all traffic, the NIDS must be connected to a mirrored (SPAN) port or a network tap. An HIDS is not affected by switching because it monitors activity on the individual computer where it is installed.

115
Q

Match the Cloud options with the descriptions of each?

Options:
Platform as a Service (PaaS)
Software as a Service (SaaS)
Infrastructure as a Service (IaaS)

Descriptions:
Allows orgs to run applications in the Cloud.

Allows orgs to deploy Web Servers, Databases, and Development Tools in a Cloud.

Allows orgs to deploy Virtual Machines, Servers, and Storage in a Cloud.

A

Platform as a Service (PaaS) – Allows orgs to deploy Web Servers, Databases, and Development Tools in a Cloud.

Software as a Service (SaaS) – Allows orgs to run applications in a Cloud.

Infrastructure as a Service (IaaS) – Allows orgs to deploy Virtual Machines, Servers, and Storage in a Cloud.

116
Q

Your client allows the users to choose their own logon names for their account. You have seen opsboss, vpgal, and domainadm used as logons. You are very concerned about these obvious Administrative Accounts. What security control should you implement?

Standard Naming Conventions
File System Security
Account Maintenance
Recertification

A

Standard Naming Conventions

Explanation:
Creating a standard naming convention would resolve the issue of obvious account names. Account names should not reveal job roles or privilege levels, because names such as domainadm tell an attacker exactly which accounts are worth attacking. Recertification is the process of examining a user's permissions and determining whether they still need the access previously granted. For example, if an employee were transferred from the Chicago, IL office to the Charlotte, NC office, it would be reasonable to revoke the user's Chicago permissions. Account maintenance is keeping user accounts at the appropriate permissions. This includes onboarding and offboarding, adding and removing permissions, and auditing user accounts.

File system security should always be set to only allow what is absolutely essential for the user to do their job. This is also known as the principle of least privilege.

117
Q

You are responsible for code quality and testing. What should you incorporate to ensure that memory allocations have corresponding deallocations?

Model Verification
Static Code Analyzers
Stress Testing
Sandboxing

A

Static Code Analyzers

Explanation:
Static code analyzers examine source code without running it and can check that every memory allocation call has a corresponding deallocation call on every path. Stress testing puts a load on the system much higher than what is normally expected. For example, testing a website with 100x the normal amount of traffic shows how the system responds under stress. Stress tests do not check for memory deallocations, although their results (steadily growing memory use) may indicate that memory is not being released.

Sandboxing is running or testing an application in an isolated environment, separate from production, so that its behavior cannot affect other systems. Sandboxing can also be useful to test a legacy operating system that may not have security patches. Virtual machines are often used to create the sandbox. Memory allocation issues may be discovered during sandbox testing but are not directly a part of the sandbox's function.

Model verification is important. There are many types of simulation model, and it is critical that you examine whatever model you use for accuracy. Any incorrect data or configuration settings in the model will yield inaccurate results. This will not check for memory deallocation.

You should also keep in mind the comparison between compiled and runtime (managed) code. Compiled code runs directly on the hardware and does not depend on a runtime environment that may itself be vulnerable. In runtime applications (Java and .NET, for example), the runtime execution environment may have vulnerabilities, so keeping it at the most current version is a concern. Compiled native code, on the other hand, lacks the runtime's automatic memory management, so the allocation and deallocation issues above are mainly a native-code problem.
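To make concrete what "checking that allocations have matching deallocations" looks like, here is an added example (not part of the original flashcards) of a deliberately small static checker written in Python. It scans a constructed C sample, splits it into functions by brace matching, and for each pointer assigned from malloc/calloc/strdup reports when the pointer is neither freed nor returned to the caller, or when an early return sits between the allocation and its free without returning the pointer. Real analyzers do this on the compiler's control-flow graph; the regex approach here is a teaching heuristic and the C code is invented.

```python
import re

# Constructed C sample (not from the page): dup_name hands ownership of the buffer
# to its caller; process frees on the normal path but leaks on an early return.
SAMPLE_C = r"""
char *dup_name(const char *s) {
    char *out = malloc(strlen(s) + 1);
    if (!out) return NULL;
    strcpy(out, s);
    return out;
}

int process(const char *s) {
    char *buf = malloc(64);
    if (!buf) return -1;
    if (strlen(s) > 60) {
        return -1;
    }
    snprintf(buf, 64, "%s", s);
    free(buf);
    return 0;
}
"""

FUNC_HEAD = re.compile(r"^[\w\s\*]+?\b(?P<name>\w+)\s*\([^)]*\)\s*\{", re.M)
ALLOC = re.compile(r"\b(?P<var>\w+)\s*=\s*(?:malloc|calloc|strdup)\s*\(")
FREE = re.compile(r"\bfree\s*\(\s*(?P<var>\w+)\s*\)")
RETURN = re.compile(r"\breturn\b(?P<expr>[^;]*);")


def functions(src):
    """Yield (name, body) for each top-level function by matching its braces."""
    for m in FUNC_HEAD.finditer(src):
        depth, i = 1, m.end()
        while depth and i < len(src):
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group("name"), src[m.end():i - 1]


def guarded_by_null_check(body, rpos, var):
    """True for 'if (!var) return ...;' on the same line: nothing to free there."""
    line_start = body.rfind("\n", 0, rpos) + 1
    return re.search(rf"if\s*\(\s*!\s*{var}\s*\)", body[line_start:rpos]) is not None


def find_leaks(src):
    """Return human-readable findings, one per suspected leak."""
    findings = []
    for name, body in functions(src):
        allocs = {m.group("var"): m.start() for m in ALLOC.finditer(body)}
        frees = {m.group("var"): m.start() for m in FREE.finditer(body)}
        returns = [(m.start(), m.group("expr").strip()) for m in RETURN.finditer(body)]
        for var, apos in allocs.items():
            if var not in frees:
                # Returning the pointer transfers ownership; otherwise it is lost.
                if not any(expr == var for _, expr in returns):
                    findings.append(f"{name}: '{var}' allocated but never freed or returned")
                continue
            for rpos, expr in returns:
                if apos < rpos < frees[var] and expr != var \
                        and not guarded_by_null_check(body, rpos, var):
                    findings.append(f"{name}: early 'return {expr};' leaks '{var}'")
    return findings


if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_C):
        print(finding)
```

The heuristic deliberately ignores loops, goto-based cleanup, and pointers passed to other functions that free them; those are exactly the cases that make real static analysis a control-flow and data-flow problem rather than a text search.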

118
Q

Your company has recently adopted a new Security policy that states that ALL Confidential Emails must be signed using a Digital Signature. Which three elements are provided by implementing this technology? (Choose THREE)

Encryption
Integrity
Availability
Non-Repudiation
Authentication

A

Integrity
Non-Repudiation
Authentication

Explanation:
My Take – Digital Signatures don't Encrypt; they provide Integrity, Non-Repudiation, and Authentication to prove who someone is, that a transaction being sent from one user to another involves the users who were intended to be involved, and that the transaction was not modified from the original as it goes to the destination.

A digital signature provides integrity, authentication, and non-repudiation in electronic mail. The public key of the signer is used to verify a digital signature. Non-repudiation ensures that the sender cannot deny the previous actions or message. Integrity involves providing assurance that a message was not modified during transmission. Authentication is the process of verifying that the sender is who he says he is.

Digital signatures do not provide encryption and cannot ensure availability.

A digital signature is a hash value of the message that has been encrypted (signed) with the sender's private key. For example, a file on Windows 98 that has been digitally signed indicates that the file has passed quality testing by Microsoft. Because the message is digitally signed, it provides authentication, non-repudiation, and integrity. To verify a digital signature, the recipient decrypts the signature with the signer's public key and compares the result with a freshly computed hash of the message; if the two differ, the message or the signature has been altered.

Digital Signature Standard (DSS) is the NIST standard that defines the approved digital signature algorithms (DSA, RSA, and ECDSA). It provides integrity and authentication. It is not a symmetric key algorithm. A digital signature cannot be forged without the signer's private key, so a man-in-the-middle who alters the message causes signature verification to fail; the tampering is detected, and the integrity of any message that does verify is preserved.

Microsoft uses digital signing to ensure the integrity of driver files.
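The mechanics behind this card and the RSA card (question 105) are easiest to see in code, so here is an added example (not part of the original flashcards) of textbook RSA: signing hashes the message and applies the private exponent, verification applies the public exponent and compares with a fresh hash, and a separate encrypt/decrypt pair shows that confidentiality is a different operation from signing. The primes are fixed Mersenne primes chosen for the demonstration, there is no padding (real RSA uses PSS for signatures and OAEP for encryption), and the modulus is far too small for real use.

```python
import hashlib

# Toy textbook RSA with fixed known primes, for illustration only: no padding and
# a modulus of about 150 bits. Never use this construction in production.
P = 2305843009213693951            # 2^61 - 1 (Mersenne prime)
Q = 618970019642690137449562111    # 2^89 - 1 (Mersenne prime)
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)                # private exponent; needs Python 3.8+
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)


def digest_int(message: bytes) -> int:
    # Truncated to 128 bits so the hash fits below the toy modulus; real RSA
    # signatures pad the full hash up to the modulus size instead.
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Signature = hash of the message transformed with the PRIVATE exponent.
    Only the key holder can produce it; the message itself is not hidden."""
    n, d = private_key
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Anyone with the public key can check the signature (integrity, authentication,
    non-repudiation). Nothing is decrypted: the message is already in the clear."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message)


def encrypt(plaintext: bytes, public_key=PUBLIC_KEY) -> int:
    """Confidentiality is the opposite direction: public exponent in, private out."""
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too large for this toy modulus")
    return pow(m, e, n)


def decrypt(ciphertext: int, private_key=PRIVATE_KEY) -> bytes:
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    msg = b"Transfer 100 to account 42"
    sig = sign(msg)
    print("signature valid:", verify(msg, sig))
    print("after tampering:", verify(b"Transfer 900 to account 42", sig))
    print("round trip:", decrypt(encrypt(b"secret")))
```

Breaking this scheme means recovering D, which requires factoring N into P and Q; with a 150-bit N that takes seconds on a laptop, which is why real keys are 2048 bits or larger.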

119
Q

Your company has deployed an application that requires access to a user’s Google account. What would OpenID Connect provide in this deployment?

Authentication of the user’s Google Account
Markup Language
Authorization to access the Google Account
None of These.

A

Authentication of the user’s Google Account

Explanation:
OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0, which by itself only handles authorization. OIDC authenticates the user and returns the result in an ID token, a signed JSON Web Token (JWT) that carries the user's identifier and claims about the authentication event. The application validates the token's signature, issuer, audience, expiry, and nonce before trusting it as proof of who the user is.

OAuth is Open Authorization. The current standard, OAuth 2.0, grants an application limited access to a user's account on a third-party site, such as Facebook or Twitter, without sharing the user's password. OAuth could grant the application access to a friends list or give the application the ability to post on the user's behalf. Shibboleth is a single sign-on (SSO) system based on Security Assertion Markup Language (SAML), an XML-based markup language for exchanging authentication and authorization assertions between an identity provider and a service provider; it is used mainly by academic and enterprise federations, not for Facebook, Google, or Twitter credentials, which rely on OAuth 2.0 and OpenID Connect.
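The validation steps listed above are where relying-party bugs live, so here is an added example (not part of the original flashcards) of an OpenID Provider issuing an ID token and a relying party validating it. It assumes an HS256-signed token, which OIDC permits for confidential clients that share a client secret with the provider; Google's real ID tokens are RS256-signed and are verified against the keys it publishes, but the claim checks are identical. The issuer, client ID, secret, and claims are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical relying party and OpenID Provider (constructed for this example).
CLIENT_ID = "example-app"
ISSUER = "https://accounts.example.com"
CLIENT_SECRET = b"constructed-demo-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """What the OpenID Provider does after authenticating the user:
    sign base64url(header).base64url(claims) with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def validate_id_token(token: str, expected_nonce: str, now: float = None,
                      secret: bytes = CLIENT_SECRET) -> dict:
    """What the relying party must do before trusting 'sub' as the logged-in user.
    Returns the claims, or raises ValueError naming the failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":           # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))       # parse claims only after the signature holds
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and CLIENT_ID not in (aud if isinstance(aud, list) else []):
        raise ValueError("token not issued for this client")   # stolen from another app
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replay?)")
    return claims


if __name__ == "__main__":
    now = time.time()
    token = make_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123",
                           "iat": now, "exp": now + 300, "nonce": "n1"})
    print("logged in as:", validate_id_token(token, "n1")["sub"])
```

The audience check is the one most often skipped: a token issued to a different application is validly signed by the same provider, and accepting it lets an attacker who obtained it from that other application log in as the victim.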

120
Q

You are implementing a new VPN for your organization. You need to use an Encrypted Tunneling protocol that protects transmitted traffic and supports the transmission of multiple protocols. Which protocol should you use?

HTTPS
HTTP
FTP
L2TP over IPsec

A

L2TP over IPsec (Layer Two Tunneling Protocol over Internet Protocol Security)

Explanation:
You should use Layer 2 Tunneling Protocol (L2TP) over Internet Protocol Security (IPsec). L2TP itself provides the tunnel but no encryption; when you run it over IPsec, IPsec encrypts and authenticates the transmitted traffic on virtual private network (VPN) connections. Because L2TP carries PPP frames, it supports multiple network protocols, such as Internet Protocol (IP) and the Transmission Control Protocol (TCP) traffic inside it, Internetwork Packet Exchange (IPX), and Systems Network Architecture (SNA). L2TP is based on two older tunneling protocols: Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F). Hypertext Transfer Protocol (HTTP) transmits information in clear text. Hypertext Transfer Protocol Secure (HTTPS) uses Transport Layer Security (TLS, the successor to Secure Sockets Layer) to encrypt HTTP traffic; HTTPS protects only HTTP traffic, not arbitrary protocols. File Transfer Protocol (FTP) transmits data, including credentials, in clear text.

HTTP uses port 80, and HTTPS uses port 443.

121
Q

You have just been hired as the systems administrator for a research and development firm. Your organization allows the employees to use Social Media at work. What particular concern should you voice to management?

Weak Security Configurations
Access Points
Data Exfiltration
Content Filters

A

Data Exfiltration

Explanation:
You should voice your concern over data exfiltration. It would be very easy for a picture of something confidential to be posted to a social media site or for someone to discuss a new intellectual property project in a public forum. None of the other concerns would be affected by employee use of social media.

Content filters on firewalls and routers must be configured properly. Proper configuration is often an iterative process, blocking undesirable traffic while allowing appropriate traffic. Access points must also be configured properly. Wireless networks have their own security issues, but none that are affected by social media. Weak security configurations can arise from neglecting to implement a specific security device, or not configuring security settings properly.

122
Q

Your organization has recently adopted a new Security policy. As part of this policy, you must implement the appropriate technologies to provide Confidentiality. Which technology provides this?

Authentication
a Disk Array
a Digital Signature
Asymmetric Encryption

A

Asymmetric Encryption

Explanation:
My Take – Confidentiality is Encryption, making sure Data is Confidential, protecting Data via Encryption.

Asymmetric encryption provides confidentiality because encryption protects the contents of a file from being viewed by anyone who does not hold the private key; in practice it is usually used to protect a symmetric key that encrypts the bulk of the data. Authentication establishes an individual's identity and, combined with authorization, provides accountability for that individual's access to resources; it does not hide data. Some disk arrays, such as Redundant Array of Independent Disks (RAID)-1 and RAID-5 arrays, are implemented to provide fault tolerance (availability) for the data stored on those disks, not confidentiality. If a user signs a file with a digital signature before sending it to another user, the recipient can use the signature to verify that the file was not changed in transit (integrity), but the signature does not conceal the file's contents.

123
Q

Which policy defines the sensitivity of a company’s data?

a Backup Policy
a Use Policy
an Information Policy
a Security Policy

A

an Information Policy

Explanation:
An information policy defines the sensitivity of a company’s data and the proper procedures for storage, transmission, disposal, and marking of a company’s data. The cornerstone practice of a company’s information policy, as with all security-related policies, is to grant only the level of access that is required to allow particular individuals to fulfill their responsibilities. Accordingly, a well-developed information policy will rely on information about separation of duties to establish different levels of access by group role or individual responsibility. Individuals will be granted access only to that information for which they have a ‘need to know’ to accomplish the goals of their position.

A backup policy defines the procedures that should be used to back up information stored on a company’s network. A security policy defines the technical means that are used to protect data on a network. A use policy, sometimes referred to as an acceptable use policy, defines the manner in which employees are allowed to use a company’s network equipment and resources, such as bandwidth, Internet access, and e-mail services.

Policies contain conditions of expected performance and the consequences of non-compliance. An access control policy details guidelines on the rights, privileges, and restrictions for using company equipment and assets.

124
Q

You have been hired by a small company to ensure that their internal Network is protected against attacks. You must implement a Secure Network. As part of this implementation, what should be the default permission position?

Implicit Allow
Explicit Allow
Implicit Deny
Explicit Deny

A

Implicit Deny

Explanation:
The default permission position in a secure network should be implicit deny. This ensures that if a user or group does not have an explicit allow permission configured, access defaults to deny. An implicit deny should be the last rule in any firewall rule set, because not every firewall applies one by default; where it is needed, the rule is often written as a Drop All (or deny any any) statement. On Windows servers, the access control list (ACL) defaults to an implicit deny: a user with no matching allow entry gets no access.

None of the other permissions should be the default position in a secure network. An explicit allow is an allowed permission that is configured explicitly for that resource. An implicit allow is an allowed permission that is implied for that resource based on another explicit or implicit permission. An explicit deny is a denied permission that is configured explicitly for that resource.
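Explicit allow, explicit deny, and implicit deny are easiest to tell apart by watching a rule set evaluate traffic. The following added example (not part of the original flashcards) evaluates a constructed, ordered firewall rule set top-down with first-match semantics and falls through to an implicit deny when nothing matched. The rules and addresses are invented for the demonstration; the evaluation logic is the same one a packet-filtering firewall or router ACL applies.

```python
import ipaddress

# Constructed rule set (not from the page). Evaluated top-down, first match wins;
# anything that reaches the end hits the implicit deny.
# (action, protocol, source CIDR, destination CIDR, destination port or "any")
RULES = [
    ("deny",   "tcp", "0.0.0.0/0",   "10.0.0.0/8",   23),    # explicit deny: telnet anywhere
    ("permit", "tcp", "0.0.0.0/0",   "10.0.0.5/32",  443),   # explicit allow: public web
    ("permit", "tcp", "10.0.1.0/24", "10.0.0.5/32",  22),    # explicit allow: admin SSH
    ("permit", "udp", "10.0.0.0/8",  "10.0.0.53/32", 53),    # explicit allow: internal DNS
]


def evaluate(rules, proto, src, dst, dport):
    """Return (action, matched_rule_index). An index of None means no rule matched
    and the implicit deny applied."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, (action, r_proto, r_src, r_dst, r_port) in enumerate(rules):
        if r_proto not in ("any", proto):
            continue
        if src_ip not in ipaddress.ip_network(r_src) or dst_ip not in ipaddress.ip_network(r_dst):
            continue
        if r_port != "any" and r_port != dport:
            continue
        return action, idx                 # first match wins; later rules are not consulted
    return "deny", None                    # implicit deny


def explain(rules, proto, src, dst, dport):
    """Human-readable verdict, useful when testing a policy before deploying it."""
    action, idx = evaluate(rules, proto, src, dst, dport)
    reason = "implicit deny (no matching rule)" if idx is None else f"explicit {action} by rule {idx}"
    return f"{proto} {src} -> {dst}:{dport}: {action} ({reason})"


if __name__ == "__main__":
    for pkt in [("tcp", "203.0.113.9", "10.0.0.5", 443),   # explicit allow
                ("tcp", "203.0.113.9", "10.0.0.5", 22),    # implicit deny
                ("tcp", "10.0.1.20", "10.0.0.5", 22),      # explicit allow
                ("tcp", "10.0.1.20", "10.0.0.9", 23)]:     # explicit deny
        print(explain(RULES, *pkt))
```

Because order matters, the explicit deny for telnet is placed before the permits; if a broad permit came first, the deny below it would never be reached.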

125
Q

Which of the following comprises principles that build Security into a facility BY Design?

UAV
Industrial Camouflage
Two-Person Control
Object Detection

A

Industrial Camouflage

Explanation:
Industrial camouflage is an application of Crime Prevention Through Environmental Design (CPTED), a set of principles for designing facilities so that the layout, lighting, landscaping, and outward appearance themselves enhance rather than complicate physical security. Industrial camouflage, for example, makes a data center look like an unremarkable warehouse so that it does not attract attention.

Unmanned aerial vehicle technology (UAV) covers everything from the aerodynamics of the drone, materials in the manufacture of the physical UAV, to the circuit boards, chipset, and software, which are the brains of the drone.

Two-person integrity control prescribes that certain sensitive jobs require two people working together so they can monitor one another. Job rotation and separation of duties are related personnel controls that likewise limit what any one person can do unobserved.

Object detection is the capability of some cameras to scan a scene for items or persons and report on it.

126
Q

You have been hired by a law firm to create a Demilitarized Zone (DMZ) on their Network. Which Network device should you use to create this type of Network?

a Router
a Bridge
a Hub
a Switch
a Firewall

A

a Firewall

Explanation:
An administrator can install a firewall on a network to create a demilitarized zone (DMZ). A DMZ separates a public network from a private network. A DMZ can be implemented with one firewall that is connected to the DMZ segment, the private network, and the Internet. A DMZ can also be implemented with two firewalls. In this configuration, one firewall is connected to a private network and a DMZ segment, and the other firewall is connected to the Internet and the DMZ segment.

To implement a firewall, you should first develop and implement a firewall policy. When configuring a firewall policy, the default setting should deny all traffic not explicitly allowed. Firewalls implement stateful inspection by inspecting every packet and allowing or denying the packet based on the firewall policy.

A bridge is a device that separates a network into distinct collision domains to control network traffic. A network divided by a bridge is considered to be a single network. A hub is a central connection device used on Ethernet networks. A router is a device that is designed to transmit data between networks on a TCP/IP internetwork. Bridges, hubs, and routers are not used to create DMZs.

127
Q

Provisioning requests for the IT department have been backlogged for months. You are concerned that employees are using unauthorized Cloud services to deploy VMs and store company data. Which of the following services can be used to bring this Shadow IT back under the corporate security policy?

VPN
CASB
SWG
RDP/VNC

A

CASB (Cloud Access Security Broker)

Explanation:
A cloud access security broker (CASB) enforces proper security measures between a cloud solution and a customer organization. A CASB monitors user activities, notifies administrators about significant events, performs malware prevention and detection, and enforces compliance with security policies.

Besides ensuring compliance with your security policy and reporting compliance issues in real-time, a CASB should report risks, see any shadow IT, and do it all from one platform. A CASB uses an array of strategies to protect an organization from cyberattacks. A CASB uses data loss prevention to protect against critical data leaks by labeling, tracking, and restricting access to files and specific information as it travels from a device to the cloud and beyond.

128
Q

Your client is developing a new Website. The Web administrator has indicated that she would like to use a low-cost certificate to offer Transport Layer Security (TLS) to the new domain. What type of certificate should you recommend?

Wildcard
Email
Domain Validation
Extended Validation

A

Domain Validation

Explanation:
Domain validation certificates are very common. They are low-cost and are often used by web admins to offer TLS to a domain. They are validated using only the domain name.

Extended validation certificates, as the name suggests, provide additional validation for HTTPS web sites. The certificate provides the name of the legal entity responsible for the web site. These certificates provide a higher level of trust than domain validation and require the most effort by the CA to validate. They are validated using more information than just the domain. Extended validation certificates require much more effort to deploy than domain validation certificates.

Email certificates are used to secure email. One such example is Secure Multipurpose Internet Mail Extensions (S/MIME), which provides a digital “signature” for that email. Wildcard certificates allow you to create a certificate in a domain and use that same certificate for multiple subdomains. For example, if you had mail.mysite.com, ftp.mysite.com, and www.mysite.com, you could issue a wildcard certificate for mysite.com, and have it cover all the subdomains. Without the wildcard certificate, you would have to issue a certificate for each subdomain.

129
Q

** Your company implements Kerberos 5 to provide Authentication Services. Which entity in this deployment Authenticates Users?

CS
TGS
AS
TGT

A

AS (Authentication Service)

Explanation:
TGT = Ticket Granting Ticket
TGS = Ticket Granting Service
AS = Authentication Service
CS = Client-Server

In Kerberos 5, Authentication Service (AS) Exchange authenticates users and provides users with a ticket-granting ticket (TGT).

When a user wants to gain access to a network resource, that user’s TGT is sent to a computer that provides Kerberos Ticket Granting Service (TGS) Exchange.

A TGS server uses a TGT to create a session key for the client requesting service and the server providing service.

A client requesting service sends a session key to a server, and Client-Server (CS) exchange is used to enable a client and a server to authenticate one another. After these processes are completed, a client can gain access to services on a server.

AS, CS, and TGS are the three main protocols used on a Kerberos network to provide authentication and authorization for use of resources.

130
Q

You are responsible for managing the Security for a Network that supports multiple protocols. You need to understand the purpose of each of the protocols that are implemented on the Network. Match each Protocol Option with the Description that BEST fits it.

Options:
SSH
SSL
SCP
ICMP

Descriptions:
- Protocol that allows files to be copied over a secure connection.
- Protocol that uses a secure channel to connect a server and a client.
- Protocol used to test and report on path information between Network devices.
- Protocol that secures messages between the Application and Transport Layer.

A

SSH – Protocol that uses a secure channel to connect a server and a client. (Secure Shell - Port 22)

SSL – Protocol that secures messages between the Application and Transport Layers. (Secure Sockets Layer)

SCP – Protocol that allows files to be copied over a secure connection. (Secure Copy - uses SSH Port 22 to accomplish this.)

ICMP – Protocol used to test and report on path information between Network devices. (Internet Control Message Protocol)

131
Q

You are building a public-access WIFI system for a new hotel. You want to require the users to accept a fair use policy before connecting to the Internet. Which of the following should you implement?

WPS
Captive Portal
802.1x
RADIUS Federation

A

Captive Portal

Explanation:
Captive portals are associated with public-access Wi-Fi networks. Once you select the network, you are directed to a web page. There, you typically have to sign on and agree to a policy such as an acceptable use or fair use policy. Once your agreement is accepted, you can use the network. These portals are typically found in a public place, such as a hotel, coffee shop, or airport. None of the other options would force users to accept a fair use policy before connecting to the Internet.

Wi-Fi Protected Setup (WPS) allows a wireless access point to broadcast a PIN, which connecting devices use for authentication. It is not a difficult task to break the PIN using a packet sniffer. IEEE 802.1x is a standard for network access control. It allows you to apply security to an individual port on a switch with the result of only allowing authenticated users access to that port.

RADIUS Federation is a group of RADIUS servers that assist with network roaming and will validate the login credentials of a user belonging to another RADIUS server’s network. For the Security+ exam, you also need to understand EAP-FAST, EAP-TLS, and EAP-TTLS.

Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) is used in wireless and point-to-point networks. EAP manages key transmissions, and FAST creates a TLS tunnel to be used in authentication through a protected access credential.

In Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), EAP manages key transmissions, and TLS uses X.509 digital certificates for authentication. In Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS), EAP manages key transmissions, and TTLS is an extension of TLS (which authenticates the server). TTLS encapsulates the TLS session, allowing for authentication of the client.

132
Q

Management has requested that you ensure ALL Firewalls are securely configured against attacks. You examine one of your company’s packet-filtering Firewalls. You have configured the following rules on the Firewall:

Permit all traffic to and from local hosts.
Permit all inbound TCP connections.
Permit all SSH traffic to linux1.cybervista.net.
Permit all SMTP traffic to smtp.cybervista.net.

Which rule will most likely result in a Security breach?

Permit ALL Traffic to and from Local Hosts.
Permit ALL SSH Traffic to linux1.cybervista.net.
Permit ALL SMTP Traffic to smtp.cybervista.net.
Permit ALL inbound TCP connections.

A

Permit ALL inbound TCP connections.

Explanation:
The Permit all inbound TCP connections filter will most likely result in a security breach. This rule is one you will not see in most firewall configurations. By simply allowing all inbound TCP connections, you are not limiting remote hosts to certain protocols. Security breaches will occur because of this misconfiguration. You should only allow those protocols that are needed by remote hosts and drop all others.

In most cases, permitting all traffic to and from local hosts is a common firewall rule. If you configure firewall rules regarding local host traffic, you should use extreme caution. It is hard to predict the type of traffic originating with your local hosts. If you decide to drop certain types of traffic, users may complain about being unable to reach remote hosts.

Limiting certain types of traffic, such as SSH and SMTP traffic, to certain computers is a common firewall configuration. By using this type of rule, you can protect the other computers on your network from security breaches using those protocols or ports. Other common firewall packet filters include dropping inbound packets with the Source Routing option set, dropping router information exchange protocols, and dropping inbound packets with an internal source IP address. For the most part, filters blocking outbound packets with a specific external destination IP address are not used.

Any time rules are implemented on a network, you are using rules-based management. With these rules, you specifically allow or deny traffic based on IP address, MAC address, protocol used, or some other factor.

Keep in mind that misconfiguration of devices is one of the most common reasons that security issues occur. Make sure to consult vendor documentation to discover all best practices and recommended procedures. In addition, security professionals should ensure that all devices are patched in a timely manner.

133
Q

You are configuring a Wireless Guest Network, but you need to prevent guests from accessing the corporate intranet, while informing them of the Acceptable Use Policy (AUP). Which access method should you use?

WPA2-Personal
WPS
WPA2-Enterprise
Captive Portal

A

Captive Portal

Explanation:
A captive portal is used to display a webpage to the user upon connection. It may or may not require authentication and may also post permissible activities.

WPS is a method for sending credentials from an AP to a system rather than manually configuring the system.

WPA2 Enterprise is a version of EAP that uses AES encryption and requires the use of a RADIUS server.

WPA2 Personal is a version of EAP that uses either TKIP or AES encryption and can use passwords.

134
Q

You have implemented a backup plan that includes both FULL and Incremental Backups. What does an Incremental Backup do?

It backs up ALL new files and any files that have changed since the last full or Incremental Backup and resets the Archive Bit.

It backs up ALL files.

It backs up ALL new files and any files that have changed since the last Full Backup without resetting the Archive Bit.

It backs up ALL files in a compressed format.

A

It backs up ALL new files and any files that have changed since the last full or Incremental Backup and resets the Archive Bit.

Explanation:
An incremental backup backs up all new files and files that have changed since the last full or incremental backup, and also resets the archive bit. When restoring the data, the full backup must be restored first, followed by each incremental backup in order. Incremental backups build on each other; for example, the second incremental backup contains all of the changes made since the first incremental backup.

A full backup backs up all files every time it runs. Because of the amount of data that is backed up, full backups can take a long time to complete. A full backup is used as the baseline for any backup strategy and most appropriate when using offsite archiving.

A compressed full backup backs up all files in compressed format.

A differential backup backs up all new files and files that have changed since the last full backup without resetting the archive bit. When restoring the data, the full backup must be restored first, followed by the most recent differential backup. Differential backups are not dependent on each other. For example, each differential backup contains the changes made since the last full backup. Therefore, differential backups can take a significantly longer time than incremental backups.

A continuous backup system is one that performs backups on a regular basis to ensure that data can be restored to a particular point-in-time. SQL Server is an application that provides this feature. If a continuous backup plan is not used, any data changes that occurred since the last backup must be recreated after the restore is completed.

Working copies are used to store data that consists of partial or full backups that are stored at the computer center for immediate recovery purposes, if necessary.

135
Q

Which penetration-testing concept is used to detect vulnerabilities that are found by means other than testing the system directly?

Pivot
Active Reconnaissance
Passive Reconnaissance
Initial Exploitation

A

Passive Reconnaissance

Explanation:
Passive reconnaissance detects vulnerabilities through techniques such as social engineering, accessing supposedly confidential information on publicly available databases, dumpster diving, and shoulder surfing. Active reconnaissance accesses the system directly to detect vulnerabilities. Tools and techniques such as network mapping, port scans, and network sniffing are used to test the system and identify potential sources of attack.

Pivots use a compromised system to attack another system. Initial exploitation compromises one system so that it can be used in a pivot test against another system.

Persistence is when the compromised system is used in an attack at some point after the initial exploitation occurred. An example of persistence would be when a student’s notebook computer contracts malware at a coffee shop, but the school network is not affected until the student logs in to the school network.

136
Q

Given the following IP header in a Wireshark capture:

0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    0000 00.. = Differentiated Services Codepoint: Default (0)
    .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 150
Identification: 0x6131 (24881)
Flags: 0x4000, Don't fragment
    0... .... .... .... = Reserved bit: Not set
    .1.. .... .... .... = Don't fragment: Set
    ..0. .... .... .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment offset: 0
Time to live: 128
Protocol: TCP (6)
Header checksum: 0x15cd [validation disabled]
[Header checksum status: Unverified]
Source: 192.168.1.14
Destination: 192.168.1.5

Which version of IP addressing is used by the packet?

IPv6
IPv4
UDP
TCP

A

IPv4

Explanation:
The version of addressing used by the packet is IPv4. The version is specified explicitly in the header: the first four bits of an IP header identify its version. Version 6 is represented in binary as 0110, while version 4 is 0100. The source and destination addresses are also in the dotted quad format associated with IPv4.

137
Q

Your users often forget their passwords and ask for assistance. You send a link to reset the password. You would like to incorporate a Time Limit for the user to respond to the link. Which would you incorporate?

HOTP
FRR
TOTP
ABAC

A

TOTP (Timed One-Time Password or Time-based One Time Password)

Explanation:
Time-based One Time Passwords (TOTP) are issued for a specific period of time. Once it is used or its time expires, the TOTP is no longer valid. HOTP and TOTP are both types of one-time passwords (i.e., they can only be used once).

Hashed One Time Passwords (HOTP) are secure passwords used with hardware tokens. They do not include a time limit for usage.

Attribute-based access control (ABAC) goes beyond authentication based on username and password. It evaluates other factors, such as time of day and location of logons. Another aspect would be if a user has read access to files but is attempting to edit or delete files remotely.

False rejection rate (FRR) is one way to measure the accuracy of a biometric authentication system. It measures how likely it would be that an authorized user is denied access to the system. Expressed as a ratio, it is the number of authorized users who were denied access to the protected system divided by the number of authentication attempts. False rejections can occur if the system settings are too precise, or if users are not trained properly on biometric login procedures. By contrast, false acceptance rate (FAR) measures how likely it would be that an unauthorized user is granted access to the system. Its ratio is the number of unauthorized users who were incorrectly allowed access to the protected system divided by the number of authentication attempts. FAR could happen because the system was not precise enough when matching the authorized user.

Crossover error rate (CER) is the point where FAR and FRR are equal. Generally, a lower CER value would indicate a more accurate system. CER is primarily used to compare biometric authentication systems. Other considerations include proximity cards, smartcards, tokens, CAC, PIV, and file security.

Smartcards have permissions and access information stored on the card. The greatest concern with smart cards is theft. Once stolen, the thief can use the card in the same manner as the rightful owner. As an example, if the user has access to a highly secure area by using the smartcard, a thief will have the same access when using the stolen card. Proximity cards are a type of smartcard that incorporate Radio Frequency Identification (RFID) chips. These chips contain authentication information and transmit over a very short range. When the authentication device is within range of the proximity card, and the information transmitted is correct, authentication is granted. Hardware tokens (or physical tokens) include such physical devices as wireless key cards, key fobs, and smart cards. Software tokens are a component of two-factor authentication systems. They are usually embedded on a device and used to authenticate the user. A common access card (CAC) is a smart card issued by the Department of Defense (DoD) to military personnel and contractors. They incorporate a picture, integrated chip, two barcodes and a magnetic strip. They can be used for visual identification and for login.

A Personal Identity Verification (PIV) smart card is issued to non-military federal employees and contractors. They incorporate a picture, integrated chip, two barcodes and a magnetic strip. They can be used for visual identification and for login.

File system security should always be set to only allow what is absolutely essential for the user to do their job. This is also known as the principle of least privilege.

138
Q

Which technique can tip off an investigator that data files have been altered from a previous version?

Sandbox
Salting
Hashing
Nonce

A

Hashing

Explanation:
Hashing is a cryptographic process that maintains the integrity of data. Hashes are created using hashing algorithms, which are one-way processes that convert data of any size into a fixed-length unique output. Once you create a hash, the only way to reproduce the same exact hash is to input the exact same text. If you change even just one character in the data, the hash value will completely change as well. This is how investigators can determine if a file has been altered. If the hash is different from the one created by the original version, the investigator knows that the data has been tampered with. If the hash is the same, that indicates that the integrity of the data was maintained and it is safe to investigate.

139
Q

Which of these options simulates a disaster and allows you to check the thoroughness of your Disaster Recovery Plan (DRP)?

Business Continuity Plan (BCP)
Tabletop Exercises
After-Action Report (AAR)
Critical Business Functions

A

Tabletop Exercises

Explanation:
A tabletop exercise simulates a disaster and allows you to check the thoroughness of your disaster recovery plan. You should perform a document review during all exercises. Apart from a tabletop exercise, you can also perform a walkthrough, simulation, parallel testing, and cutover testing to test your disaster recovery plans. If your plan has a weakness, it is better to discover it during an exercise as opposed to discovering it during a live event.

An after-action report documents how well or how poorly the exercise went. It also indicates action items for follow-up, as well as any necessary modifications that should be made to improve the disaster recovery response.

A business continuity plan ensures that the business stays running in the event of an incident that interferes with normal business functions. It is a separate plan from the disaster recovery plan and only needs review and revision. It does not usually require any testing.

Critical business functions are those items that are identified as the most crucial. They are the first to be restored after a disaster. A continuity of operations plan (COOP) is a document that explains how critical operations will be maintained in the event a disaster occurs.

140
Q

Your client’s HR practices include promotion from within and transferring people between offices on a regular basis. It seems like the most common question you hear when employees talk on the phone is “What office are you working at now, and what are you doing?” What practice will ensure that a user’s permissions are relevant and current?

Transitive Trusts
Standard Naming Conventions
Federation
Recertification

A

Recertification

Explanation:
Recertification is the process of examining a user’s permissions and determining if they still need access to what was previously granted. For example, if someone were transferred from the Chicago, IL office to the Charlotte, NC office, it would be reasonable to revoke the user’s Chicago permissions. Likewise, a promotion would most likely require new privileges, and it is important to examine whether the privileges from the old position are still necessary. Federation and federated identity is the ability of a user to use a single identity across multiple businesses or networks. It differs from single sign-on, where a user has one password that grants access to all the permitted network resources. Federation would address enabling users’ logon from office to office but would not address the issue of current and relevant permissions related to users’ job roles.

Creating a standard naming convention would resolve an issue relating to account names that identify job roles or locations. However, it would not address the issue of current and relevant permissions.

Transitive trust involves creating relationships between domains to grant authenticated users access to other domains. In Active Directory, for example, if the Sales domain trusts the Marketing domain, and the Marketing domain trusts the HR domain, then Sales trusts the HR domain, through a transitive relationship.

141
Q

You have recently been notified by an application vendor that the application includes a Rootkit. The manufacturer has released a patch that will remove the vulnerability from the application. What is a Rootkit?

a software application that displays advertisements while the application is executing.

a program that spreads itself through Network connections.

an application that uses tracking cookies to collect and report a user’s activities.

a collection of programs that grants a hacker administrative access to a computer or Network.

A

a collection of programs that grants a hacker administrative access to a computer or Network.

Explanation:
A rootkit is a collection of programs that grants a hacker administrative access to a computer or network. The hacker first gains access to a single system, and then uploads the rootkit to the hacked system. An example of a rootkit is a system-level kernel module that modifies file system operations. If a server dedicated to the storage and processing of sensitive information is compromised with a rootkit and sensitive data was exfiltrated, you should wipe the storage, reinstall the OS from original media, and restore the data from the last known good backup.

Adware is a software application that displays advertisements while the application is executing. Some adware is also spyware if it monitors your Internet usage and personal information. Some adware will even allow credit card information theft. It is possible for spyware to inject malicious code into otherwise benign adware, especially pop-up ads.

Adware displays unwanted browser ads, leaves persistent tracking cookies, and gathers information on users’ browser activities for the adware owner’s use. Adware is not itself malware, but the ads it displays can contain injected third-party malware.

Spyware often uses tracking cookies to collect and report a user’s activities. Not all spyware is adware, and not all adware is spyware. To define a program as spyware requires that your activities are monitored and tracked; to define a program as adware requires that advertisements are displayed.

A worm is a program that spreads itself through network connections.

Another malware that you need to be familiar with is ransomware, which restricts access to a computer that it infects. The ransomware then demands a ransom paid to the creator of the malware for the restriction to be removed.

142
Q

You have a mobile sales force that must regularly access customer records from remote sites. You are concerned about Security in the event a laptop or tablet is stolen. You want to implement measures that would not only include user Authentication via username and password, but also evaluate other factors such as time of day, and location. What should you implement?

Proximity Card
Smartcard
ABAC
FAR

A

ABAC (Attribute-based Access Control)

Explanation:
Attribute-based access control (ABAC) goes beyond authentication based on username and password. It evaluates other factors, such as time of day and location of logons. It would also control behavior based on location, such as if a user has read access to files but is attempting to edit or delete files remotely.

Proximity cards are a type of smartcard that incorporate Radio Frequency Identification (RFID) chips. These chips contain authentication information and transmit over a very short range. When the authentication device is within range of the proximity card, and the information transmitted is correct, authentication is granted.

Smartcards have permissions and access information stored on the card. The greatest concern with smart cards is theft. Once the card is stolen, the thief can use it in the same manner as the rightful owner. For example, if the user has access to a highly secure area by using the smartcard, a thief will have the same access when using the stolen card.

False acceptance rate (FAR) is one way to measure the accuracy of a biometric authentication system. It measures how likely it would be that an unauthorized user is granted access to the system. Expressed as a ratio, it is the number of unauthorized users who were incorrectly allowed access to the protected system divided by the number of authentication attempts. A false acceptance can occur, for example, when an unauthorized individual with a dirty finger uses a fingerprint reader and is allowed access to the system. This could happen because the system was not precise enough when matching the authorized user. By contrast, false rejection rate (FRR) measures how likely it would be that an authorized user is denied access to the system. It is also expressed as a ratio, calculated as the number of authorized users who were denied access to the protected system divided by the number of authentication attempts. False rejections can occur if the system settings are too precise, or if users are not trained properly on biometric login procedures.

Other considerations include CER, tokens, HOTP, TOTP, CAC, PIV, and file system security.

Crossover error rate (CER) is the point where FAR and FRR are equal. Generally, a lower CER value would indicate a more accurate system. CER is primarily used to compare biometric authentication systems. Hardware tokens (or physical tokens) include such physical devices as wireless key cards, key fobs, and smart cards. Software tokens are a component of two-factor authentication systems. They are usually embedded on a device and used to authenticate the user. HOTP and TOTP are two types of one-time passwords, i.e., they can only be used once. Hashed One Time Passwords (HOTP) are secure passwords used with hardware tokens. Time-based One Time Passwords (TOTP) are issued for a specific period of time. Once it is used or its time expires, the TOTP is no longer valid. As an example of a TOTP, a user forgets a password to a website. When the user clicks the “Forgot Password” link, the website would send a new temporary password to the user but would limit how long the temporary password would be valid. A Common Access Card (CAC) is a smart card issued by the Department of Defense (DoD) to military personnel and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login.

A Personal Identity Verification (PIV) smart card is issued to non-military federal employees and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login.

File system security should always be set to only allow what is absolutely essential for the user to do their job. This is also known as the principle of least privilege.

143
Q

During the recent development of a new application, the customer requested a change. You must implement this change according to the change control process. What is the first step you should implement?

Analyze the change request.
Submit the change results to management.
Record the change request.
Acquire management approval.

A

Analyze the change request.

Explanation:
You should analyze the change request. Change control procedures ensure that every modification is authorized, tested, and recorded, so that management can audit and review what was changed and why. In this scenario the customer has already made the request, so the first step you implement is to analyze it. The necessary steps in a change control process are as follows:

  • Make a formal request.
  • Analyze the request. This step includes developing the implementation strategy, calculating the costs of the implementation, and reviewing the security implications of making the change.
  • Record the change request.
  • Submit the change request for approval. This step involves getting approval of the actual change once all the work necessary to complete the change has been analyzed.
  • Make the changes. The changes are implemented, and the version is updated in this step.
  • Submit results to management. In this step, the change results are reported to management for review.

144
Q

Your company is investigating several password controls to decide which ones to implement. Match each password control option to its description.

Options:
Salting
Lockout
History
Age

Descriptions:
  • allows you to configure the number of invalid logon attempts that can occur before an account is inaccessible for a pre-determined amount of time.
  • allows you to configure how many new passwords must be created before an old one can be reused.
  • adds random text (a salt) to each password before the password is hashed, so that identical passwords produce different stored hashes and precomputed (rainbow-table) attacks on the stored hashes fail.
  • allows you to configure the minimum or maximum number of days that must pass before a user is required to change the password.

A

Salting – adds random text (a salt) to each password before the password is hashed, so that identical passwords produce different stored hashes and precomputed (rainbow-table) attacks on the stored hashes fail. Hashes are not decrypted; the attacker's only option is to guess passwords and hash each guess with the stored salt.

Lockout – allows you to configure the number of invalid logon attempts that can occur before an account is inaccessible for a pre-determined amount of time.

History – allows you to configure how many new passwords must be created before an old one can be reused.

Age – allows you to configure the minimum or maximum number of days that must pass before a user is required to change the password.
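Salting as described above, shown in working code. This is an added example, not part of the flashcard set. It uses PBKDF2-HMAC-SHA256 from the Python standard library with a random 16-byte salt per password and a self-describing storage record; the record format, the iteration count and the "two employees chose the same password" scenario are assumptions of this example.

```python
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # current OWASP minimum for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS, salt: bytes = None) -> str:
    """Return a self-describing record: algorithm, iteration count, salt and derived key,
    so the parameters can be raised later without invalidating older records.
    The salt is stored in the clear; its job is uniqueness, not secrecy."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key with the salt and iteration count from the record and compare
    in constant time. Malformed records are treated as a failed login, never an exception."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def unsalted_sha256(password: str) -> str:
    """The weak scheme that salting replaces: identical passwords give identical hashes,
    and every hash can be looked up in a precomputed table."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def demo() -> dict:
    # Constructed scenario: two employees happened to choose the same password.
    pw = "Winter2024!"
    rec_alice = hash_password(pw)
    rec_bob = hash_password(pw)
    return {
        "unsalted_collide": unsalted_sha256(pw) == unsalted_sha256(pw),   # True: same hash for both
        "salted_collide": rec_alice == rec_bob,                           # False: salts differ
        "alice_ok": verify_password(pw, rec_alice),
        "bob_ok": verify_password(pw, rec_bob),
        "wrong_pw": verify_password("winter2024!", rec_alice),
        "garbage_record": verify_password(pw, "not-a-record"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the salt is different per record, a breach of the password table forces an attacker to attack each user's hash separately; with an unsalted hash, cracking one "Winter2024!" entry cracks every user who chose it. Lockout, history and age are policy settings enforced at login time and do not change how the hash is stored.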

145
Q

You have been hired as a Security administrator by your company. You have recommended that the organization implement a biometric system to control access to the Server room. You recommend implementing a system that identifies an employee by the pattern of blood vessels at the back of the employee’s eyes. Which biometric system are you recommending?

eye recognition
retina scan
facial scan
iris scan

A

retina scan

Explanation:
A retina scan is a biometric system that examines the unique pattern of the blood vessels at the back of an individual's eye. In a retina scan, a low-intensity light is directed through the pupil onto the retina to capture the vessel pattern, which is then compared with the reference record captured when the individual enrolled. The employee is authenticated only if a match is found. Retina scans provide better accuracy than iris scans.

There are some disadvantages to using a retina scan. Employees are sometimes reluctant to submit to one because the test is considered too intrusive, and retina patterns can change over time (for example with certain medical conditions), which can cause false rejections. Other disadvantages are the expense, the enrollment time, and the complexity involved in its implementation.

An iris scan is based on the examination of the unique patterns, colors, rings, and coronas of an individual's iris. Each characteristic is captured by a camera and compared with the reference records of the employee gathered during the enrollment process. Iris scanning provides better accuracy than fingerprinting, voice recognition, or facial recognition, and is less intrusive than a retina scan because it is captured from a distance.

A facial scan is based on an individual's bone structure, nose ridge, eye width, forehead structure, and chin shape. These characteristics are captured by a camera and compared with the reference records of the employee gathered during the enrollment process.

Eye recognition is not a biometric scan technology used for the authentication of an individual; the two eye-based technologies are retina and iris scanning.
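Statements such as "retina scans are more accurate than iris scans" are normally settled with the crossover error rate defined earlier in this set: sweep the acceptance threshold, measure the false acceptance rate and false rejection rate at each setting, and find where they cross. The following added example (not part of the flashcard set) does that over constructed match scores for two hypothetical biometric systems, A and B; the scores, the 0-100 scale and the "accept if score >= threshold" rule are assumptions of the example.

```python
from typing import Iterable, Sequence


def false_accept_rate(impostor_scores: Sequence[float], threshold: float) -> float:
    """FAR: fraction of impostor attempts whose match score reaches the acceptance threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def false_reject_rate(genuine_scores: Sequence[float], threshold: float) -> float:
    """FRR: fraction of genuine attempts whose match score falls below the threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def crossover_error_rate(genuine: Sequence[float], impostor: Sequence[float],
                         thresholds: Iterable[float]) -> dict:
    """Sweep thresholds and return the one where FAR and FRR are closest (the CER point).
    With discrete data the two rates rarely coincide exactly, so CER is reported as their
    mean at that threshold. Ties go to the lowest threshold tried."""
    best = None
    for t in thresholds:
        far = false_accept_rate(impostor, t)
        frr = false_reject_rate(genuine, t)
        gap = abs(far - frr)
        if best is None or gap < best["gap"]:
            best = {"threshold": t, "far": far, "frr": frr, "gap": gap, "cer": (far + frr) / 2}
    return best


# Constructed match scores (0-100) from enrollment trials of two hypothetical systems.
# "genuine" = the enrolled person presenting, "impostor" = someone else presenting.
SYSTEM_A = {"genuine": [70, 75, 80, 85, 90, 95, 60, 65, 88, 92],
            "impostor": [20, 30, 40, 50, 55, 60, 65, 35, 45, 25]}
SYSTEM_B = {"genuine": [55, 60, 65, 70, 75, 80, 85, 90, 50, 45],
            "impostor": [30, 40, 50, 55, 60, 65, 70, 35, 45, 25]}


def compare_systems(systems: dict) -> list:
    """Rank systems by CER, lowest (most accurate) first. Returns (name, cer, threshold) tuples."""
    ranked = []
    for name, data in systems.items():
        r = crossover_error_rate(data["genuine"], data["impostor"], range(0, 101))
        ranked.append((name, r["cer"], r["threshold"]))
    ranked.sort(key=lambda item: item[1])
    return ranked


if __name__ == "__main__":
    for name, cer, thr in compare_systems({"A": SYSTEM_A, "B": SYSTEM_B}):
        print(f"system {name}: CER={cer:.2f} at threshold {thr}")
```

With these scores system A crosses at threshold 61 with a CER of 0.10 and system B at threshold 56 with a CER of 0.30, so A is the more accurate system. The practical point is that FAR and FRR move in opposite directions as the threshold changes: a server-room door would usually be tuned above the CER point (lower FAR, more false rejections), while a convenience login might be tuned below it.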