Security + Measure Up #4 Flashcards
Pass the First Time
A security administrator discovers that an employee is exfiltrating proprietary company information. The administrator is concerned that the user may try to cover their tracks. What should the administrator do first?
A. Install a keylogger on the employee’s workstation
B. Implement a legal hold on the user’s mailbox
C. Enable data loss prevention on email servers
D. Create a bit-stream image of the employee’s workstation
B: Implement a legal hold on the user’s mailbox. This ensures that all email data is preserved and prevents any deletions or alterations, maintaining the integrity of the evidence while the investigation is conducted. It’s an immediate step that helps to secure critical data.
A security analyst has completed forensics on a compromised server. The analyst suspects the server was breached using a buffer overflow attack. What is the BEST indicator of this attack?
A. User logon errors
B. System crashes
C. Directory traversal events
D. Corrupted system files
B: System crashes. A buffer overflow writes past the end of a fixed-size buffer and corrupts adjacent memory (stack variables, return addresses, heap metadata). Unless the attacker's payload is precisely crafted, the corrupted process or kernel behaves unpredictably and crashes, so repeated, unexplained crashes of a service are the classic sign. Logon errors, directory traversal events and corrupted files point to other attack classes.
An organization plans to contract with a provider for a disaster recovery site that will host server hardware. When the primary data center fails, data will be restored, and the secondary site will be activated. Costs must be minimized. Which type of disaster recovery site should the organization deploy?
A. Hot site
B. Cold site
C. Warm site
D. Mobile site
C. Warm site
In this scenario, a warm site (Option C) balances cost against recovery time. A warm site has hardware, power and connectivity in place but not current data, so data must be restored before the site is activated, which matches the question. A hot site keeps systems and data continuously replicated and is the most expensive option; a cold site provides only space and utilities, so hardware would have to be procured and installed after the failure.
A server is the victim of a data breach. Customer password information is exposed to the attacker. Which step in the incident response process is necessary to mitigate the risk of a reoccurrence of the attack?
A. Notify the customers that their passwords should be changed
B. Conduct a post-mortem review to identify lessons learned
C. Escalate the incident to the CEO
D. Quarantine the server
B: Conduct a post-mortem review to identify lessons learned. This step is crucial for understanding what went wrong and implementing measures to prevent a similar attack in the future. It’s about learning from the incident and strengthening your defenses.
An organization discovers that some of its proprietary data is for sale on a dark web hacker site. As part of the incident response, a security administrator analyzes application and system logs on all Internet-facing servers. On one web server, the administrator observes the following text listed repeatedly in POST requests: " or ""="
Which type of application attack is MOST likely indicated by this finding?
A. Directory
B. XSS
C. SQL injection
D. CSRF
C: SQL injection. The repeated text " or ""=" is a classic tautology payload: the first double quote closes the string literal the application built around the user's input, and the appended or ""="" is always true, so a WHERE clause assembled by string concatenation matches every row. That lets an attacker bypass authentication or dump data, which fits proprietary data ending up for sale.
What is the MOST likely consequence of non-compliance with GDPR?
A. SLA breach
B. Reputational damage
C. BPA violation
D. Fines
Option D: Fines. Non-compliance with GDPR can result in significant financial penalties, which can be quite hefty depending on the severity of the violation. However, it’s worth noting that non-compliance can also lead to reputational damage (Option B), making both consequences highly likely. Fines are just the most immediate and tangible consequence.
Field sales personnel have product and price lists loaded on their smartphones. This is critical data for the business and must not be accidentally disclosed or compromised while salespeople are traveling or are at customer sites. What two steps should be taken? (Choose Two).
A. Disable unused device features
B. Keep product and price information on removable storage
C. Require Passwords on mobile devices
D. Install and enable remote wipe
E. Implement full device encryption
C: Require passwords on mobile devices, and D: Install and enable remote wipe. Ensuring that devices are protected by passwords helps prevent unauthorized access, while remote wipe allows data to be erased if a device is lost or stolen. Both are essential for protecting sensitive data in the field.
An organization wants to use source code inspections to identify vulnerabilities in custom-built applications. Which method should the organization choose?
A. Static Application Security Testing (SAST)
B. Extended detection and response (XDR)
C. Vulnerability scanning
D. Dynamic Application Security Testing (DAST)
A: Static Application Security Testing (SAST). SAST involves analyzing the source code to identify security vulnerabilities at an early stage, before the software is run. It’s an essential method for catching issues that could lead to security breaches if left unaddressed.
Following a breach investigation, a company is found negligent and in violation of due care requirements by a cybersecurity insurer. What BEST explains this finding?
A. A lack of reasonable cybersecurity policies and procedures
B. Failure to perform comprehensive vendor risk assessments
C. Missing attestation documentation from third-party auditors
D. Failure to honor customer requests to have their data deleted
A: A lack of reasonable cybersecurity policies and procedures. Due care requires that a company take necessary and reasonable precautions to protect its data and systems. If a company fails to establish and follow such policies, it can be deemed negligent in the eyes of a cybersecurity insurer.
A company stores sensitive identification numbers for its clients. Rather than store the numbers in an internet-accessible database, a security engineer has suggested that the sensitive IDs should be moved to an encrypted database and fake numbers used in their place. The original data will be retrievable, as needed. Which of the following methods is the engineer recommending?
A. Segmentation
B. Tokenization
C. Masking
D. Hashing
B: Tokenization. By replacing sensitive data with a token that stands in for the original data, tokenization ensures that the real data is stored securely in an encrypted database, while only the tokens are used in its place.
Following a breach, an organization implements awareness training to help users identify the risks associated with removable media. Which of the following attacks will this training help mitigate?
A. Injection
B. Steganography
C. Side loading
D. Baiting
D: Baiting. Awareness training about the risks associated with removable media can help users recognize and avoid baiting attacks, where malicious actors leave infected USB drives or other media in public places, hoping someone will pick them up and plug them into their system.
An organization plans to deploy a centrally managed wireless network that will require a PKI. The organization needs to ensure that user onboarding is as seamless and error free as possible. What should the organization do first?
A. Obtain a certificate from a public CA
B. Generate a CSR
C. Obtain a self-signed certificate
D. Install and configure a CA
A: Obtain a certificate from a public CA. Client devices already trust the public CA's root certificate, so the wireless authentication server's certificate validates on every device without first distributing a private trust anchor, which is what keeps onboarding seamless and error free. Generating a CSR is a step inside obtaining that certificate (the organization generates the CSR and submits it to the CA; a CSR is never obtained from a CA), while a self-signed certificate or a newly installed private CA would require pushing its root certificate to every client before users could connect, exactly the manual step that produces onboarding errors.
An nmap scan of open ports includes TCP ports 21, 22, 23, 80, 443, and 990. Which three ports indicate that unsecure protocols are in use on the computer? Select three.
A. 21
B. 23
C. 22
D. 80
E. 443
F. 990
A. 21, B. 23, and D. 80.
Port 21 is used for FTP (File Transfer Protocol), which sends credentials and data in cleartext.
Port 23 is used for Telnet, another cleartext protocol.
Port 80 is used for HTTP, which is unencrypted and hence not secure.
The remaining ports carry encrypted protocols: 22 is SSH, 443 is HTTPS, and 990 is FTPS (FTP over implicit TLS). Note that nmap only reports the port; confirm the service with a banner or version scan (-sV) before concluding, since a service can be bound to a non-standard port.
A security administrator discovers an attack that uses PowerShell to make unauthorized registry changes. What should the administrator do to prevent this attack on sensitive systems?
A. Configure each system’s firewall
B. Disable access to the CLI
C. Whitelist allowed applications
D. Install a HIDS on sensitive systems
C: Whitelist allowed applications. By creating a whitelist of permitted applications, the administrator can ensure that only authorized programs are allowed to run on the system, effectively blocking unauthorized use of PowerShell for making registry changes.
An employee brings a gaming server from home and plugs it into the corporate network. Which governance tool should be used to control this behavior?
A. Memorandum of understanding (MOU)
B. Service-level agreement (SLA)
C. Master service agreement (MSA)
D. Acceptable use policy (AUP)
D: Acceptable Use Policy (AUP). This policy outlines the do’s and don’ts regarding the use of an organization’s IT resources, including the prohibition of unauthorized devices like a personal gaming server.
Following a breach, a security administrator is instructed to run a vulnerability scan against the affected servers. There is evidence that the attack was network-based, but the administrator is unsure which vulnerability was exploited. What should the administrator do to pinpoint the vulnerability?
A. Evaluate any vulnerabilities with a scope of unchanged.
B. Investigate the attack vector metric for all server vulnerabilities
C. Evaluate all vulnerabilities with a CVSS score of 8 or higher
D. Investigate all services that use TCP ports between 1 and 1023
B: Investigate the attack vector metric for all server vulnerabilities. The CVSS Attack Vector (AV) metric records where an attacker must be to exploit the flaw: Network (N), Adjacent (A), Local (L) or Physical (P). Since the evidence shows a network-based attack, the vulnerabilities with AV:N are the candidates, regardless of their overall score. A score threshold (Option C) would miss lower-scored but remotely exploitable flaws and include high-scored local ones, and a port range (Option D) says nothing about the vulnerability itself.
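Here is an added Python example (not from the flashcard set) that does what the answer describes: it parses CVSS v3.x vector strings from a constructed list of scan findings (the finding IDs are placeholders, not real CVEs), keeps the ones with AV:N, and contrasts that with a plain score-threshold filter so the difference between Options B and C is visible.

```python
# Constructed vulnerability-scan findings (placeholder IDs, not real CVEs).
# Scores are the CVSS v3.1 base scores that correspond to each vector.
FINDINGS = [
    {"id": "finding-1", "score": 9.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    {"id": "finding-2", "score": 7.8, "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},
    {"id": "finding-3", "score": 6.5, "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},
    {"id": "finding-4", "score": 8.8, "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
]

ATTACK_VECTOR_NAMES = {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"}


def parse_cvss_vector(vector: str) -> dict:
    """Split a CVSS v3.x vector string into a metric -> value mapping.

    'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}
    Raises ValueError for non-v3 prefixes or malformed metric pairs.
    """
    parts = vector.strip().split("/")
    if not parts or not parts[0].startswith("CVSS:3."):
        raise ValueError("only CVSS v3.x vectors are supported: " + vector)
    metrics = {}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError("malformed metric in vector: " + part)
        metrics[key] = value
    return metrics


def attack_vector(finding: dict) -> str:
    """Human-readable Attack Vector for one finding (e.g. 'Network')."""
    code = parse_cvss_vector(finding["vector"]).get("AV", "")
    return ATTACK_VECTOR_NAMES.get(code, "Unknown")


def network_exploitable(findings: list) -> list:
    """IDs of findings with AV:N, highest score first (Option B's approach)."""
    hits = [f for f in findings if parse_cvss_vector(f["vector"]).get("AV") == "N"]
    return [f["id"] for f in sorted(hits, key=lambda f: f["score"], reverse=True)]


def score_at_least(findings: list, threshold: float) -> list:
    """IDs with base score >= threshold (Option C's approach), for contrast."""
    return [f["id"] for f in findings if f["score"] >= threshold]


if __name__ == "__main__":
    for f in FINDINGS:
        print(f["id"], f["score"], attack_vector(f))
    print("AV:N candidates:", network_exploitable(FINDINGS))
    print("score >= 8 only:", score_at_least(FINDINGS, 8))
```

On this data the AV:N filter returns finding-1 and finding-3, while the score threshold returns finding-1 and finding-4: it drops the medium-severity network flaw and pulls in one that needs adjacent-network access, which is why the vector metric, not the score, is the right pivot for a known network-based intrusion.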
An organization enters a contract with a third-party. Which of the following should occur NEXT as part of third-party risk management (TPRM)?
A. Continuous monitoring
B. Due diligence
C. Data inventory and retention
D. Risk assessment
A: Continuous monitoring. Once the contract is signed, the due diligence and risk assessment that justified the decision are already complete, so the next step is ongoing monitoring of the third party's security posture and contractual compliance for the life of the agreement. Continuous monitoring surfaces security lapses or non-compliance as they happen rather than at the next annual review, which is what limits the risk the vendor introduces.
An administrator sets up a VM for testing different versions of an application. The administrator wants to be able to return to the baseline state as quickly as possible between each test. What should the administrator do?
A. Configure a sandbox environment
B. Create a snapshot of the VM
C. Run a full backup of the host
D. Implement automatic change management
B: Create a snapshot of the VM. Snapshots allow the administrator to quickly revert the VM to its previous state, making it easy to return to a baseline after each test without having to set up everything again.
In the context of General Data Protection Regulation (GDPR), which statement regarding data controllers and data processors is correct?
A. Controllers store and process data, while processors only store data.
B. Controllers are based in the European Union (EU), while processors are not.
C. Controllers only collect data, while processors only process data.
D. Controllers determine how data will be processed, while processors process data.
D: Controllers determine how data will be processed, while processors process data. Under GDPR, data controllers make decisions regarding the collection and use of personal data, whereas data processors handle the actual processing of data on behalf of the controller.
Refer to the messages below:
LOG 1 Aug 17:36:34.303: Sig: 3051 Subsig:1 Sev: 4 TCP Connection Window Size DoS [1.1.100.11:19223 -> 172.16.1.10:80]
LOG 2 Aug 12 11:13:44 Inbound TCP connection denied from 1.1.1.1/21 to 10.10.10.1/51172 flags SYN ACK on interface outside
A consultant is asked to analyze logs from a couple of network devices. Which MOST likely generated these messages?
A. LOG 1- Firewall, LOG 2 - IPS
B. LOG 1 - Firewall, LOG 2 - DLP
C. LOG 1 IPS, LOG 2 - Firewall
D. LOG 1 - AP, LOG 2 - DLP
E. LOG 1 - DLP, LOG 2 - AP
F. LOG 1 - DLP, LOG 2 - Firewall
C. LOG 1 IPS, LOG 2 - Firewall
LOG 1 is an IPS signature alert: it carries a signature ID and sub-ID (Sig: 3051 Subsig:1), a severity, the name of the matched attack (TCP Connection Window Size DoS) and the offending flow from source to destination. Reporting matched signatures against live traffic is what an intrusion prevention system does.
LOG 2 is a stateful firewall deny: an inbound TCP segment with the SYN ACK flags set arrived on the outside interface from 1.1.1.1 port 21 toward 10.10.10.1 port 51172, matched no connection in the state table, and was dropped and logged. A DLP system or access point would not produce either message.
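The telltale fields in each message can be pulled out mechanically. The following Python example is added here (it is not part of the flashcard set) and classifies the two messages above, with the extraction spacing repaired, as IPS or firewall output using regexes keyed on the signature-ID fields and the "connection denied ... on interface" wording; anything else is reported as unknown rather than guessed.

```python
import re

# The two messages from the card, with extraction spacing repaired.
LOG_1 = ("Aug 17:36:34.303: Sig: 3051 Subsig:1 Sev: 4 TCP Connection Window Size DoS "
         "[1.1.100.11:19223 -> 172.16.1.10:80]")
LOG_2 = ("Aug 12 11:13:44 Inbound TCP connection denied from 1.1.1.1/21 to "
         "10.10.10.1/51172 flags SYN ACK on interface outside")

# IPS signature alert: signature ID, sub-signature, severity, attack name, flow.
IPS_SIGNATURE = re.compile(
    r"Sig:\s*(?P<sig>\d+)\s+Subsig:\s*(?P<subsig>\d+)\s+Sev:\s*(?P<sev>\d+)\s+"
    r"(?P<name>.*?)\s*\[(?P<src>[\d.]+):\s*(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\]"
)

# Stateful firewall deny: direction, protocol, src/port, dst/port, flags, interface.
FIREWALL_DENY = re.compile(
    r"(?P<direction>Inbound|Outbound)\s+(?P<proto>TCP|UDP)\s+connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
    r"(?:\s+flags\s+(?P<flags>.+?))?\s+on interface\s+(?P<iface>\w+)"
)


def classify(line: str) -> dict:
    """Return the parsed fields of a log line plus a 'device' label.

    'IPS' for signature alerts, 'Firewall' for stateful deny messages, and
    'unknown' when neither pattern matches (no guessing).
    """
    match = IPS_SIGNATURE.search(line)
    if match:
        fields = match.groupdict()
        fields["device"] = "IPS"
        return fields
    match = FIREWALL_DENY.search(line)
    if match:
        fields = match.groupdict()
        fields["device"] = "Firewall"
        return fields
    return {"device": "unknown"}


def device_summary(lines: list) -> list:
    """Per-line device label, in input order."""
    return [classify(line)["device"] for line in lines]


if __name__ == "__main__":
    for label, line in (("LOG 1", LOG_1), ("LOG 2", LOG_2)):
        parsed = classify(line)
        print(label, "->", parsed["device"], {k: v for k, v in parsed.items() if k != "device"})
```

When a line is classified as a firewall deny with SYN ACK set and no preceding outbound SYN, it usually means backscatter or a scan rather than a blocked client; the IPS alert, by contrast, names the attack and the victim (172.16.1.10:80) and is the line to pivot on first.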
A company hosts a customer feedback forum on its website. Visitors are redirected to a different website after opening a recently posted comment. What kind of attack does this MOST likely indicate?
A. Code injection
B. Cross-site scripting (XSS)
C. Directory transversal
D. SQL injection
B: Cross-site scripting (XSS). A stored XSS attack places a malicious script in content the site later serves to other visitors, here a forum comment. Because the forum inserted the comment into the page without HTML-encoding it, the browser treats the comment's script as part of the page and runs it in every visitor's session, and a redirect to another site is one of the simplest payloads. The cure is output encoding of untrusted content (and a Content Security Policy as a second layer), not filtering on input.
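The following Python example is added here and is not part of the flashcard set. It renders a constructed comment (with a redirect payload pointing at a reserved .example hostname) the way a vulnerable forum would, beside the output-encoded version, and includes a check an analyst could use to confirm whether the stored comment would execute when served.

```python
import html
import re

# Constructed attacker comment: a redirect payload wrapped in innocuous text.
# The hostname uses the reserved .example TLD and is not a real site.
MALICIOUS_COMMENT = (
    '<script>window.location="https://attacker.example/"</script> Great product!'
)
BENIGN_COMMENT = 'Works well, 5 < 10 stars is not enough & the price is fair'

TEMPLATE = '<div class="comment">{body}</div>'


def render_comment_vulnerable(comment: str) -> str:
    """Inserts the comment verbatim: any markup in it becomes part of the page."""
    return TEMPLATE.format(body=comment)


def render_comment_safe(comment: str) -> str:
    """HTML-encodes the comment so the browser shows it as text, never markup."""
    return TEMPLATE.format(body=html.escape(comment, quote=True))


# Detection: does the rendered HTML contain a live (unencoded) script tag?
LIVE_SCRIPT = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script(rendered: str) -> bool:
    return LIVE_SCRIPT.search(rendered) is not None


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_comment_vulnerable),
                           ("safe", render_comment_safe)):
        page = renderer(MALICIOUS_COMMENT)
        print(name, "-> script executes:", contains_live_script(page))
        print("   ", page)
```

html.escape turns the comment's angle brackets, quotes and ampersands into entities, so the safe rendering of the malicious comment displays the script source harmlessly while the benign comment's "<" and "&" still display correctly. Encoding must be applied at output time for the context the data lands in (HTML body here; attribute, JavaScript and URL contexts each need their own encoding).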
A security administrator learns that sensitive information has been exfiltrated using DNS tunneling. What should the administrator do FIRST to investigate the incident?
A. Investigate web logs for logons from untrusted IP addresses
B. Check the firewall for evidence of outbound C&C communications
C. Check the NetFlow traffic metrics for a sudden spike in UDP traffic
D. Investigate DNS server logs for the registration of unauthorized domains
C. Check the NetFlow traffic metrics for a sudden spike in UDP traffic
By checking the NetFlow traffic metrics for a sudden spike in UDP traffic (Option C), the administrator gets a fast, network-wide view of which host is moving the data. Normal DNS traffic is a trickle of small UDP/53 datagrams; a tunnel encodes the exfiltrated data into a large volume of long queries and responses, so the tunneling host's UDP byte count rises far above its baseline. NetFlow shows that per host without full packet capture, and once the host is identified, its DNS queries can be pulled from the resolver logs for confirmation (unusually long, high-entropy subdomains under one domain). Web logons (A) and C&C hunting on the firewall (B) do not target DNS, and DNS servers do not log domain registrations (D).
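Here is an added Python example (not part of the flashcard set) that implements both halves of that investigation on constructed data: a per-client UDP/53 volume check against a constructed baseline, in the spirit of the NetFlow step, followed by a query-name check that flags a domain receiving many unique, long, high-entropy subdomain labels, which is how the tunnel's encoded payload looks in the resolver logs. The flows, baselines and query names are all made up for the example; the tunnel domain uses the reserved .example TLD.

```python
import math
from collections import Counter, defaultdict

# Constructed NetFlow-style records: (src, dst, proto, dst_port, bytes). Not real traffic.
FLOWS = [
    ("10.0.0.5", "10.0.0.2", "udp", 53, 120),       # ordinary lookups
    ("10.0.0.5", "10.0.0.2", "udp", 53, 95),
    ("10.0.0.5", "203.0.113.8", "tcp", 443, 48000),  # HTTPS, not counted
    ("10.0.0.9", "10.0.0.2", "udp", 53, 110),
    ("10.0.0.9", "10.0.0.2", "udp", 53, 60000),      # bulk upload over DNS
    ("10.0.0.9", "10.0.0.2", "udp", 53, 61000),
    ("10.0.0.9", "10.0.0.2", "udp", 53, 59000),
]
# Constructed per-client baseline of UDP/53 bytes for the same interval length.
BASELINE = {"10.0.0.5": 250, "10.0.0.9": 300}


def udp_bytes_by_client(flows, port: int = 53) -> dict:
    """Sum UDP bytes to the given destination port per source address."""
    totals = defaultdict(int)
    for src, _dst, proto, dport, nbytes in flows:
        if proto == "udp" and dport == port:
            totals[src] += nbytes
    return dict(totals)


def spiking_clients(flows, baseline: dict, factor: int = 10) -> list:
    """Clients whose UDP/53 volume exceeds factor x their baseline.

    A client missing from the baseline has a baseline of 0 and is flagged
    for any DNS traffic at all, which is the conservative choice.
    """
    totals = udp_bytes_by_client(flows)
    return sorted(c for c, b in totals.items() if b > factor * baseline.get(c, 0))


# Constructed query names from the flagged client's resolver logs.
QUERIES = [
    "www.example.com",
    "mail.example.com",
    "www.example.com",
    "3q2v7zk9a1x8pl5m0nbq7r4t.data.tunnel.example",
    "kf84nz1q0m7vb2x5yp9c3wl6.data.tunnel.example",
    "u9d1e6h2j7s0g4r8t3n5w1k9.data.tunnel.example",
    "b7c2d9f4g1h6j3k8l5m0n2p7.data.tunnel.example",
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score high, words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def base_domain(qname: str, labels: int = 2) -> str:
    """Last `labels` labels of a name (e.g. 'tunnel.example'). Public-suffix
    handling is omitted for brevity; a real tool would use the PSL."""
    return ".".join(qname.rstrip(".").split(".")[-labels:])


def suspicious_domains(qnames, min_unique: int = 3, min_label_len: int = 20,
                       min_entropy: float = 3.5) -> list:
    """Base domains that received >= min_unique distinct, long, high-entropy
    leftmost labels: the signature of data encoded into query names."""
    by_base = defaultdict(set)
    for q in qnames:
        by_base[base_domain(q)].add(q.split(".")[0])
    flagged = []
    for base, labels in by_base.items():
        encoded = [l for l in labels
                   if len(l) >= min_label_len and shannon_entropy(l) >= min_entropy]
        if len(encoded) >= min_unique:
            flagged.append(base)
    return sorted(flagged)


if __name__ == "__main__":
    print("UDP/53 bytes per client:", udp_bytes_by_client(FLOWS))
    print("clients spiking vs baseline:", spiking_clients(FLOWS, BASELINE))
    print("domains with encoded subdomains:", suspicious_domains(QUERIES))
```

The two checks complement each other: the flow check is cheap and catches the volume anomaly even when the resolver logs are missing, while the query-name check confirms that the extra traffic is encoded data rather than, say, a misconfigured client retrying lookups.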
A security consultant is brought in to test recent changes made to a company's network by its in-house security personnel. The consultant discovers a file named passwd.csv located at the disk root on a web server deployed in the company's perimeter network. The web server runs Linux. What is the MOST likely reason for this file?
A. The file was left there by an external attacker to help configure persistence
B. The file was placed there as a honeyfile by in-house security
C. The file is evidence that the web server is a staging point for an active data exfiltration effort
D. The file is an optional Linux configuration file
B: The file was placed there as a honeyfile by in-house security. Honeyfiles are decoy files deliberately placed where an intruder would look, with a tempting name and monitoring attached, so that any access to them raises an alert. A file named passwd.csv sitting at the root of a perimeter web server is exactly that kind of bait: it is not a standard Linux configuration file (the real password database lives in /etc/passwd and /etc/shadow), and the consultant was engaged specifically to test the in-house team's recent changes. The consultant should still confirm with that team that the file is theirs before ruling out the attacker explanations.
Which key is used to encrypt data in an asymmetric encryption system?
A. The recipient’s public key
B. The sender’s private key
C. The recipient’s private key
D. The sender’s public key
A: The recipient’s public key. In asymmetric encryption the sender encrypts with the recipient’s public key, and only the matching private key, which never leaves the recipient, can decrypt the result. The sender’s private key is used for the opposite operation, signing, which anyone holding the sender’s public key can verify. In practice the public-key operation encrypts a random symmetric key that in turn encrypts the bulk data (hybrid encryption), because asymmetric operations are slow and limited in message size.
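The following Python example is added here and is not part of the flashcard set. It implements textbook RSA with Python's built-in modular arithmetic to make the key roles concrete: a message encrypted under the recipient's public key decrypts correctly only with the recipient's private key, and decrypting with the sender's private key yields garbage. The key sizes are toy sizes built from known Mersenne primes so no primality test is needed; real keys use randomly generated primes of 1024 bits or more, and real encryption applies padding (OAEP), which this example omits.

```python
from math import gcd


def keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA key pair from two primes. Returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)          # private exponent: modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> int:
    """Encrypt with the RECIPIENT's public key (n, e). No padding: toy only."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Decrypt with the private key (n, d) that matches the public key used."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Toy keys from Mersenne primes (2^61-1, 2^89-1, 2^31-1, 2^127-1 are all prime).
RECIPIENT_PUB, RECIPIENT_PRIV = keygen(2**61 - 1, 2**89 - 1)
SENDER_PUB, SENDER_PRIV = keygen(2**31 - 1, 2**127 - 1)


def demo(plaintext: bytes = b"attack at dawn") -> dict:
    """Encrypt under the recipient's public key, then try both private keys."""
    ciphertext = encrypt(RECIPIENT_PUB, plaintext)
    return {
        "recipient_private_key": decrypt(RECIPIENT_PRIV, ciphertext),
        "sender_private_key": decrypt(SENDER_PRIV, ciphertext),
    }


if __name__ == "__main__":
    for key_used, result in demo().items():
        print(f"decrypt with {key_used}: {result!r}")
```

Only the pair that generated the public key can undo it, which is why the sender never needs the recipient's private key and why the sender's own private key plays no part in encryption. Deterministic, unpadded RSA like this leaks equal plaintexts and is malleable; the point here is the key roles, not a usable cipher.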