Security Measure Up Final Flashcards
Pass the First Time
What are valid examples of multifactor authentication (MFA) requirements? Choose two.
A. Access token and smart card
B. Retina scan and password
C. Smart card and PIN
D. Retina Scan and voice analysis
E. Password and PIN
B. Retina scan and password
C. Smart card and PIN
A smart card and PIN require something you have and something you know. A retina scan and password are something you are and something you know.
A password and PIN do not qualify because both are something you know.
A retina scan and voice analysis do not qualify because both are something you are.
An access token and smart card do not qualify because both are something you have.
MFA is sometimes defined as including both authentication factors and attributes. Authentication attributes include:
Somewhere you are
Something you can do
Something you exhibit
Someone you know
Depending on how you define authentication attributes, they can overlap with authentication factors.
Malware has infected a server in a company. The security analyst makes a digital copy of the hard drive to analyze and places the original drive in a secure cabinet. Which aspect of incident response does this illustrate?
A. Loss control
B. Chain of custody
C. Incident isolation
D. Damage control
B. Chain of Custody
Chain of custody refers to the process of ensuring that there is documentation describing the seizure, custody, control, and analysis of evidence. By removing the drive, making a digital copy for analysis, and storing the original in a secure cabinet, you are helping establish the chain of custody. Documenting each step is also an important part of maintaining the chain of custody.
This scenario does not illustrate damage or loss control. Damage and loss control refer to taking steps to limit the amount of damage or loss that is caused by an incident.
This does not illustrate incident isolation. Incident isolation is the process of limiting the exposure of other computers, services, or segments. One example of incident isolation is to quarantine an affected computer by removing it from the network.
To protect sensitive PHI, an organization plans to substitute random characters for original data, while maintaining the data’s format. Which of the following technologies or methods should they use?
A. Tokenization
B. Encryption
C. Masking
D. Hashing
The organization should use tokenization. Tokenization is designed to protect Personal Health Information (PHI) and other sensitive information by replacing the original data with data in the same format. Most tokenization methods use random character replacement and store the original-to-tokenized data mapping in an encrypted database or file. If the tokenized data is compromised, it is of little use to an attacker.
Masking permanently replaces the original data. The new data may be in the same format as the original data, but this is not a requirement. For example, a Social Security number may be masked with symbols: ***.
Encryption uses a reversible algorithm, unlike tokenization, which is meant to be random. Encrypted output would not retain the same data format.
Hashing algorithms produce fixed-length, irreversible output. Hashes are often used to verify data integrity.
An attacker posing as a janitor is able to access a storage area where sensitive printed documents are kept. Which method should the organization use to implement a preventive physical control?
A. Install a locked fence that limits access to the storage area.
B. Install surveillance cameras throughout the storage area.
C. Define a policy that forbids unauthorized access to the storage area.
D. Install alarms on all doors leading to the storage area.
A. Install a locked fence that limits access to the storage area.
The organization should install a locked fence that limits access to the storage area. Security controls fall into three families or categories: managerial, operational, or technical. A control’s function defines what the control does, and includes detective, corrective, and preventative features, among others. A physical preventive control is a physical component, such as a lock, a wall, or a fence, that prevents access to a secure location.
The organization should not install surveillance cameras throughout the storage area. Cameras are physical detective controls.
The organization should not define a policy that forbids unauthorized access to the storage area. Such a policy is an administrative preventive control.
The organization should not install alarms on all doors leading to the storage area. Alarms are detective physical controls.
Following a breach, an organization implements awareness training to help users identify the risks associated with removable media. Which of the following attacks will this training help mitigate?
A. Baiting
B. Steganography
C. Injection
D. Side loading
A. Baiting
This training will help mitigate baiting attacks. In a baiting attack, an attacker leaves a malware-infected removable storage device in a conspicuous location. The premise of a baiting attack is that someone will find the device and be curious enough to attach it to their computer. Baiting can also use digital files, such as free music files, to accomplish the same goal. The file or storage device serves as the bait. Users should be trained to be cautious when using removable media, especially when they find media placed by an undetermined source.
This training will not help to mitigate side loading. Side loading occurs when an app is installed on a mobile device from an unofficial source. For example, on an Android device, an app may be installed from a malicious website instead of the official Google Play Store. It is possible that side loading utilizes removable media, but side loading is not a risk created by using such media.
This training will not help mitigate injection attacks. Injection attacks involve injecting potentially malicious code into a query or program. For example, a Structured Query Language (SQL) injection attack attempts to inject malicious commands in an SQL statement before it is sent to a database service. Injection attacks do not involve removable media.
This training will not help to mitigate steganography attacks. Steganography can be used to hide data in an image by manipulating the pixels in such a way that the message itself is not readily detectable. However, steganography is not limited to image files alone and can be used on any type of digital file, including video and audio files. The primary risk generated by this threat vector is that the base file is considered to be safe for sharing and may bypass security controls that attempt to detect data exfiltration. Steganography is not a risk specifically associated with removable media.
An organization wants to minimize the risk of vulnerabilities created by accidental misconfigurations on servers and other networking nodes. Which of the following technologies should the organization use to automate configuration of newly deployed devices?
A. Unified threat management (UTM)
B. Infrastructure as code (IaC)
C. Secure Access Service Edge (SASE)
D. Supervisory Control and Data Acquisition (SCADA)
The organization should use Infrastructure as code (IaC) to automate configuration of newly deployed devices. IaC is used to store the configuration of devices such as servers or routers in a centralized database. These configuration templates can be customized with variables for node-specific details such as node names and IP addresses. When a new node, such as a server, is deployed, the template ensures that the server is configured properly. This helps avoid configuration mistakes or oversights that can lead to vulnerabilities on devices. For example, IaC could be used to ensure that every Windows server is deployed with the host firewall enabled and configured for common network services.
The organization should not use Supervisory Control and Data Acquisition (SCADA). SCADA provides monitoring and controls for industrial systems such as manufacturing equipment or energy distribution systems.
The organization should not use Secure Access Service Edge (SASE). SASE is used to provide secure, distributed network services via the cloud. SASE can include firewall, Cloud Access Security Broker (CASB), zero trust, and other components.
The organization should not use unified threat management (UTM). UTM is designed to combine multiple security functions, such as intrusion prevention and antimalware in a single device. UTM functionality is most commonly associated with Next-Generation Firewalls (NGFWs).
A company is required to complete a SOC 2 Type 2 audit as part of external compliance reporting. How does this differ from a SOC 2 Type 1 audit?
A. A Type 2 audit does not inspect physical controls
B. A Type 1 audit is considered a point-in-time audit
C. A Type 2 audit covers a particular time frame
D. A Type 2 audit is focused on financial records
A Type 2 audit covers a particular time frame. The American Institute of Certified Public Accountants (AICPA) developed the Service Organization Control 2 (SOC 2) framework to be used to evaluate an organization’s information security program. There are two primary types of SOC 2 audits, Type 1 and Type 2, and each has a unique set of requirements. Among other differences, a Type 2 audit covers a time frame, usually 12 months. The purpose of a Type 2 audit is to determine if an organization implements and maintains secure operations consistently over time.
A Type 2 audit is not considered a point-in-time audit. This describes a Type 1 audit.
A Type 2 audit does not differ from Type 1 by focusing on financial controls. This is true of both Type 1 and Type 2 audits.
A Type 2 audit may inspect physical controls. This is true of both Type 1 and Type 2 audits. Neither audit type excludes physical controls such as locked doors or badge readers.
A company’s recovery plan states that it will take, on average, three hours to restore services to an operational level after a catastrophic failure. What is this value known as?
A. MTBF
B. RTO
C. RPO
D. MTTR
The average time needed to restore data is known as the mean time to restore or mean time to recovery (MTTR or MTR). When disaster recovery services are delivered by an outside provider, the MTR is often specified in the service contract. This does not guarantee recovery within three hours in every situation; it is just the average value. Acronyms in a service contract should be clearly defined. MTTR can also be used to stand for mean time to repair. However, this repair time would not necessarily include the time needed to restore data.
The situation does not indicate the recovery time objective (RTO). RTO is the specification of the maximum time it should take to get back to operational status. There are ways to reduce the RTO, such as having hot sites with equipment ready and data loaded. However, the shorter the RTO, the more expensive the support is.
The situation does not indicate the recovery point objective (RPO). The RPO refers to the maximum acceptable amount of data loss after recovery. For example, if your organization can accept losing the last hour before the failure, you have an RPO of one hour. Reducing RPO requires more frequent backups and often the use of redundant data storage. The shorter the RPO, the more expensive it is to support.
The situation does not indicate the mean time between failures (MTBF). The MTBF specifies how much time should pass, on average, between failures. You would use this in your disaster planning to determine frequency of occurrence.
Data custodian
Entity responsible for technical control of data including availability, security, scalability, technical standards, and backup and restore.
Data Owner
Entity who collects or creates the data and is legally responsible and accountable for the data and its protection.
Data controller
Entity responsible for protecting the rights and privacy of the data’s subject and controlling the procedures and purpose of data use.
Data processor
Entity that works with the data under the direction of a responsible party but does not control the data or its use.
An organization enters a contract with a third party. Which of the following should occur NEXT as part of third-party risk management (TPRM)?
A. Continuous monitoring
B. Risk assessment
C. Due diligence
D. Data inventory and retention
A. Continuous monitoring
Continuous monitoring should occur next as part of third-party risk management (TPRM). TPRM involves applying the same processes and procedures that an organization would use internally as part of a sound information security program to vendors that the organization does business with. Prior to entering into a contract with a vendor changes that could impact risk.
Due diligence should not occur next. In the context provided by this question, due diligence involves researching, investigating, analyzing, and verifying that a third-party vendor meets an organization’s cybersecurity standards. This process should be completed before entering a contract with the vendor.
Risk assessment should not occur next. A risk assessment is used to identify and evaluate risks in an organization. In TPRM, this should be completed prior to entering a contract with a vendor.
Data inventory and retention should not occur next. This task usually occurs as part of privacy management and is often required for compliance with regulations such as General Data Protection Regulation (GDPR).
What is the primary purpose of attestation?
A. To identify vulnerabilities or other weaknesses
B. To identify, document, and quantify risks
C. To simulate a cyber-attack against an organization
D. To demonstrate compliance with regulations
The primary purpose of attestation is to demonstrate compliance with regulations. Attestation involves an auditor or assessor verifying that an organization meets certain cybersecurity guidelines. The resulting report can be used to show that an organization’s information security practices have been independently reviewed and found in compliance with a standard or regulation. The American Institute of Certified Public Accountants (AICPA) developed the widely known Service Organization Control 2 (SOC 2) framework to be used to evaluate an organization’s information security program.
The purpose of attestation is not to identify vulnerabilities or other weaknesses. This describes vulnerability scanning or threat hunting. Threat hunting involves proactively searching for indicators of compromise (IoC) or indicators of attack (IoA) in a network or system.
The purpose of attestation is not to identify, document, and quantify risks. This describes risk management. Once a risk is identified, it can be tracked using a risk register.
The purpose of attestation is not to simulate a cyber-attack against an organization. This describes penetration testing, which is an important part of a cybersecurity program. Unlike vulnerability scanning, which primarily looks for available services on a target system, penetration testing attempts to mimic a real attack by exploiting vulnerabilities.
An organization plans to deploy a centrally managed wireless network that will require a PKI. The organization needs to ensure that user onboarding is as seamless and error-free as possible. What should the organization do first?
A. Obtain a certificate from a public CA
B. Generate a CSR
C. Install and configure a CA
D. Obtain a self-signed certificate
The organization should generate a Certificate Signing Request (CSR) first. CSRs are generated by applications, users, or services and are submitted to a publicly trusted Certificate Authority (CA) for validation. The CSR identifies the certificate owner and is used by the CA to generate an X.509 certificate. Certificates generated by public CAs are typically inherently trusted by client systems and browsers. Any certificates issued by one of these authorities or their subsidiaries are automatically trusted.
Once a CSR is generated, it can be submitted to a public CA for validation. The CA will then issue a Secure Sockets Layer (SSL) certificate to the client. Notably, although SSL is still commonly used when describing secure internet communications, it has been replaced by the more secure Transport Layer Security (TLS). The terms are often used interchangeably.
A self-signed certificate is generated by the certificate holder or a related entity, and its authenticity and validity is not independently verified. Since they are not inherently trusted, most client systems and browsers will display an alert to a user indicating that the certificate is not from a trusted source.
An X.509 certificate can be generated by private or public CAs. A public CA is a trusted entity that uses its own methods for validating a certificate requestor prior to issuing the certificate. This allows an entity to present a certificate from a trusted third party as a form of authentication. If the organization installs and configures their own CA, the certificates issued by this CA will not be inherently trusted.
An organization determines that their working production control is susceptible to attack. What should the organization implement to mitigate the risk of compromised code integrity?
A. Obfuscation
B. Elasticity
C. Version control
D. Normalization
The organization should implement version control. Version control systems store master code files in repositories or repos. There are two flavors of version control systems: local and remote. In a centralized version control system (CVCS), a developer checks out a code file, which retrieves a working copy from the central code repo and locks the master copy. If code is accidentally or maliciously changed, a saved version of the code can be easily recovered.
As it relates to secure coding, normalization ensures that all data input is in a known and expected format. This can protect an application from buffer overflow and other similar attacks.
Code obfuscation is meant to make code harder to reverse engineer. This makes it more difficult for an attacker to find weaknesses in an application logic or processes.
An elastic application can scale up or down based on workload. This feature has become popular with the advent of cloud-based application hosting, which supports easy scaling of compute resources.
Which of the following statements correctly describes data sanitization?
A. Storage devices holding data must be physically destroyed
B. All unnecessary permissions assigned to the data must be removed
C. Data must be permanently deleted from storage devices
D. Data located on storage media or devices must be obfuscated
C. Data must be permanently deleted from storage devices
In data sanitization, data must be permanently deleted from storage devices. Data sanitization uses several methods to ensure that the data on a device is destroyed and cannot be recovered. One method involves physically destroying the device. However, data sanitization can also be completed without destroying the device. For example, the data on the device could be irreversibly encrypted. Another method of sanitization involves using software to overwrite the data until it cannot be recovered even with advanced forensics tools. These methods are sometimes referred to as logical sanitization.
In data sanitization, storage devices holding data do not need to be physically destroyed. There are many methods used to physically destroy storage devices, including shredding. However, while sanitized devices may be destroyed, this is not a requirement.
In data sanitization, data located on storage media or devices does not need to be obfuscated. Hackers and security professionals sometimes use obfuscation to make malicious scripts or other code difficult for people to read or understand. For example, a hacker might rename variables or create unnecessary code structures to make reverse engineering a malicious script difficult.
In data sanitization, unnecessary permissions are not removed. Permissions audits should be performed regularly to avoid permissions creep, which occurs as users change roles within an organization while retaining permissions they no longer need.
Which statement describes a social engineering attack?
A. An attacker scans users’ personal social media accounts for useful information.
B. An attacker defaces a company’s website in support of an environmental cause.
C. An attacker enters false DNS entries to try and hijack users’ social media accounts.
D. An attacker impersonates a utility worker and gains access to a secure data center.
An attacker impersonating a utility worker to gain access to a secure data center is an example of a social engineering attack. With impersonation, an attacker pretends to be an employee, vendor, or other trusted entity in order to trick users into providing access to data, a secure location, or other resource. This type of attack is considered social engineering because it relies on trust and other social mechanisms to deceive or defraud a target victim.
An attacker scanning users’ personal social media accounts for useful information is not an example of a social engineering attack. This type of activity, known as reconnaissance, typically precedes an attack on an organization. While an attacker could later use this information as part of a social engineering attack, it is not a requirement.
An attacker entering false Domain Name System (DNS) entries to try and hijack users’ social media accounts is not an example of a social engineering attack. This describes DNS poisoning. The purpose of this attack is to redirect legitimate user requests to malicious sites that are often clones of valid sites. For example, an attacker may use this method to direct requests to a fake banking site where users will enter their logon credentials.
An attacker defacing a company’s website in support of an environmental cause is not an example of a social engineering attack. This activity describes hacktivism, where an attacker is trying to promote a cause or political agenda.
A company’s systems engineer is devising an incident management plan.
What should be the primary goal of the incident management plan for a DoS attack on the company’s ecommerce servers?
A. Implement DPI on the firewall.
B. Identify the vulnerabilities that the attacker exploited.
C. Discover the identity of the attacker.
D. Restore normal operations as quickly as possible.
The primary goal of incident management is to restore normal operations as quickly as possible. Often this is accomplished by replacing the compromised server or servers with new devices.
Performing research to discover the identity of the attacker could be one of the goals included in the incident response plan, but it is not the primary goal of incident management.
Identifying the vulnerabilities the attacker exploited is an important part of the incident response plan, but this part of the plan will be performed after normal operations are restored.
Although during the course of researching the attack the engineer may discover that deep packet inspection (DPI) is necessary on the firewalls, this is not the primary goal of incident management.
The company CSO has ordered that all emails sent or received by senior management personnel be preserved. Managers should not be able to delete emails. If changes are made to an email, both the original and modified versions should be preserved. Managers should still have access to their email accounts.
Security personnel are tasked with ensuring this. What should the security personnel use?
A. Legal hold
B. Principle of least privilege
C. Forensic hashing
D. Chain of custody
To carry out the chief security officer’s (CSO) request, the security personnel should place managers’ email accounts on legal hold. Legal precedent in the United States and many other countries requires that relevant information be preserved when there is a reasonable anticipation of legal action.
Most email systems support placing accounts on legal hold. The way it is implemented can vary by the specific email system. Users may be prevented from deleting emails, or deleted emails may be placed on hold and remain available. Similarly, users may either be prevented from modifying emails, or both the original and modified versions of any emails are maintained.
The security personnel should not use hashing to protect the emails. Hashing is used to preserve the integrity of data by generating a value based on the data content. It would let personnel know when data has changed but does not protect the original data or provide a way to retrieve the original content. It also does not prevent deletion.
The security personnel would not use chain of custody to protect the emails. Chain of custody is used to document any activity relating to seized artifacts, and records the sequence of custody, control, transfer, analysis, and disposition of any artifact that might be used as evidence.
The security personnel should not apply the principle of least privilege as a way to protect the emails. Protections put in place via rights assignments would limit the managers’ access to their email accounts.
What should an organization do to identify open service ports on its core servers? Server impact must be minimized.
A. Perform threat hunting.
B. Perform a penetration test.
C. Perform protocol analysis.
D. Perform a vulnerability scan.
The organization should perform a vulnerability scan. A vulnerability scanner is used to identify open service ports, potential misconfigurations, and vulnerabilities on a target system. Most vulnerability scanners can be configured to perform non-intrusive scans and can send simple requests to each potential listening port. Each open port represents a network endpoint backed by a service or application that is listening for client requests. Identifying open ports can help the organization determine which services or applications should be enabled or disabled, as attackers can use each port to attempt to access the server by exploiting vulnerabilities or misconfigurations.
The organization should not perform protocol analysis. Protocol analysis involves capturing and analyzing network packets using a protocol analyzer. In this question, protocol analysis could possibly be used to identify open ports. However, if the port in question is not sending or receiving traffic, this approach will not meet the stated requirement.
The organization should not perform a penetration test. Penetration testing is used to emulate a hacker attacking an application, system, or network. This includes using the same tools, tactics, and procedures (TTPs) an attacker would use, which could potentially cause performance or stability issues on the target servers.
The organization should not perform threat hunting. Threat hunting involves proactively searching for indicators of compromise (IoC) or indicators of attack (IoA) in a network or system. This process may or may not involve identifying open service ports on target systems.
A company is deploying a PKI. They want to use a hardware device separate from their Windows servers to manage and maintain cryptographic keys.
What should the company use?
A. TACACS+
B. HSM
C. TPM
D. DLP
You should use a hardware security module (HSM). An HSM is a hardware device that can function as a cryptographic service provider (CSP) device. A CSP can help improve key generation and management by providing secure key generation and secure onboard storage, whether or not the key was initially generated by the CSP. When using an HSM, secure key backup is typically designed into the device. When setting up a certificate authority (CA) that uses an HSM to store certificates, you must install and configure the HSM before the CA.
You would not use DLP. DLP refers to data loss prevention, an umbrella term that refers to protecting data.
You would not use a trusted platform module (TPM). A TPM is a hardware component that provides cryptographic functions. It works with the computer’s BIOS and encryption software to provide high-level encryption support. This does not meet the solution requirements because it does not provide the key management needed as part of the solution.
You should not use Terminal Access Controller Access-Control System Plus (TACACS+). TACACS is an authentication protocol.