Security+ Mod 1 & 2 Flashcards

1
Q

ARP Poisoning

A

a network-based attack where an attacker with access to the target network redirects an IP address to the MAC address of a computer that is not the intended recipient

2
Q

Buffer Overflow-

A

an application attack that exploits fixed data buffer sizes in a target piece of software by sending data that is too large for that buffer.

3
Q

Clickjacking-

A

a type of hijacking attack that forces a user to unintentionally click a link that is embedded in or hidden by other web page elements

4
Q

Collision-

A

the act of two different plaintext inputs producing the same exact ciphertext output

5
Q

DDOS-

A

(distributed denial of service attack) a network-based attack where an attacker hijacks or manipulates multiple computers on networks to carry out a DoS attack

6
Q

DDoS (Distributed Denial of Service)

A

is an attack that uses multiple compromised computers (a “botnet” of “zombies”) to launch the attack.

7
Q

DLL injection-

A

a software vulnerability that can occur when a Windows-based application attempts to force another running application to load a dynamic link library in memory, which could cause the victim application to experience instability or leak sensitive information

8
Q

DNS Poisoning-

A

Domain name system- a network-based attack where an attacker exploits the traditionally open nature of the DNS system to redirect a domain name to an IP address of the attacker's choosing.

9
Q

Domain hijacking-

A

a type of hijacking attack where the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity.

10
Q

DOS-denial of service attack-

A

a network-based attack where the attacker disables systems that provide network services by consuming a network link's available bandwidth, consuming a single system's available resources, or exploiting programming flaws in an application or OS.

11
Q

IV- initialization vector-

A

a technique used in cryptography to generate random numbers to be used along with a secret key to provide data encryption

12
Q

IV attack-

A

a wireless attack where the attacker is able to predict or control the IV of an encryption process, thus giving the attacker access to view the encrypted data that is supposed to be hidden from everyone except the user or network.

13
Q

Jamming-

A

In networking, the phenomenon by which radio waves from other devices interfere with the 802.11 wireless signals used by computing devices and other network devices.

Attackers may use a radio transceiver to intercept transmissions and inject jamming packets, disrupting the normal flow of traffic across a network.

14
Q

MAC Spoofing-

A

an attack in which an attacker falsifies the factory-assigned MAC address of a device's network interface.

Although the MAC address is hard coded on a network interface, there are tools that you can use to make an OS believe that the interface has a different MAC address. MAC spoofing attacks use the MAC address of another host to try to force the target switch to forward frames intended for that host to the attacker. Because it operates at the Data Link Layer, MAC address spoofing is limited to the local broadcast domain.

15
Q

Man-in-browser-

A

a type of network attack that combines a man-in-the-middle attack with the use of a trojan horse to intercept and modify web transactions in real time

16
Q

Man-in-the-middle-

A

a form of eavesdropping where the attacker makes an independent connection between two victims and steals information to use fraudulently.

17
Q

Memory Leak-

A

a software vulnerability that can occur when software does not release allocated memory when it is done using it, potentially leading to system instability

18
Q

Pass the Hash-

A

a network attack where the attacker steals hashed user credentials and uses them as is to try to authenticate to the same network the hashed credentials originated on.

19
Q

Pen Testing-

A

a method of evaluating security by simulating an attack on a system

20
Q

Pointer Dereference-

A

a software vulnerability that can occur when the code attempts to remove the relationship between a pointer and the thing it points to. If the pointee is not properly established, the dereferencing process may crash the application and corrupt memory.

21
Q

Privilege escalation-

A

exploiting flaws in an operating system or other application to gain a greater level of access than was intended for the user or application

22
Q

Race Condition-

A

a software vulnerability that can occur when the outcome of the execution process is directly dependent on the order and timing of certain events and those events fail to execute in the order and timing intended by the developer.

23
Q

Refactoring-

A

the process of restructuring application code to improve its design without affecting the external behavior of the application or to enable it to handle particular situations.

24
Q

Shimming-

A

the process of developing and implementing additional code between an application and the operating system to enable functionality that would otherwise be unavailable.

25
Q

URL Hijacking-

A

an attack in which an attacker registers a domain name with a common misspelling of an existing domain, so that a user who misspells a URL they enter into a browser is taken to the attacker's website

26
Q

WPS-

A

Wi-Fi protected setup- an insecure feature of WPA and WPA2 that allows enrollment in a wireless network based on an 8-digit PIN

27
Q

SSID-

A

An SSID or service set identifier is used to help users identify the correct WAP they are connecting to. An extended SSID or ESSID is used when multiple SSIDs are grouped into one.

28
Q

MAC Filtering-

A

MAC (media access control) filtering specifies a list of valid MAC addresses of devices that will be allowed to connect to the WAP (wireless access point).

29
Q

ACL-

A

access control list- On a router, a list that is used to filter network traffic and implement anti-spoofing measures. In a DAC access control scheme, a list that is associated with each object, specifying the subjects that can access the object and their levels of access.

30
Q

Active-Active-

A

a redundancy mode used by load balancers to route traffic equally through two load balancers. An active/active cluster provides Enterprise services to clients from both virtual servers. All services will transparently transfer to the other server if one virtual host goes offline.

31
Q

Active-Passive-

A

a redundancy mode used by load balancers to route traffic through a primary (active) load balancer while the other (passive) load balancer is on standby in case of failure of the active device. An active/passive cluster provides enterprise services to clients from only one virtual server. The other server comes online only when the currently active server goes offline.

32
Q

ANT-

A

a proprietary wireless network technology that is similar to Bluetooth but consumes a smaller amount of energy.

33
Q

Banner Grabbing-

A

the act of collecting information about network hosts by examining text-based welcome screens that are displayed by some hosts. It involves opening connections to common ports or network protocols and gathering information from banner or error responses.

34
Q

OUI (Organizationally Unique Identifier) grabbing

A

is like banner grabbing or OS fingerprinting. The OUI can identify the manufacturer of the network adapter and therefore support other assumptions about system type and/or purpose.

35
Q

Ping -t

A

The -t switch pings the specified server name or IP (Internet Protocol) address until stopped. Typing Ctrl+C on the keyboard will stop the pings.

36
Q

Ping -n

A

The -n switch sets the number of echo requests to send. The default send count is four. The number is specified after the -n switch.

37
Q

Ping -S

A

The -S switch (capital S) is used to specify a source address that is different from the address of the server the admin is initiating the ping command from.

38
Q

Ping -r

A

The -r switch records the route for the specified count of hops. This is used for IPv4 addresses.

39
Q

Netstat-

A

The netstat command allows the admin to check the state of ports on the local machine (Windows or Linux). He or she may also be able to identify suspect remote connections to services on the local host, or from the host to remote IP (Internet Protocol) addresses.

40
Q

Tracert-

A

The trace route (tracert) command can help discover where a network route ends when a ping fails. However, the server is responding to pings.

41
Q

Ipconfig-

A

only provides network adapter information such as the IP address of the server.

42
Q

OS (operating system) fingerprinting

A

is a method used by Nmap to probe hosts for running OS type and version, and even application names and device type (e.g., laptop or virtual machine).

43
Q

Zenmap-

A

GUI for Nmap. Uses the traceroute command to map out the network.

44
Q

Netcat- (or nc for short)

A

is remote access software that is available for both Windows and Linux. It can be used as a backdoor to other servers.

45
Q

Data exfiltration –

A

the process by which an attacker takes data that is stored inside of a private network and moves it to an external network.

46
Q

DLP-

A

Data loss/leak prevention- a software solution that detects and prevents sensitive info in a system or network from being stolen or otherwise falling into the wrong hands.

47
Q

DNSSEC-

A

Domain Name System Security Extensions- a security protocol that provides authentication of DNS data and upholds DNS data integrity

48
Q

File Integrity monitoring-

A

is a feature available in most antivirus software or HIPS (Host-based Intrusion Prevention System). HIPS can capture a baseline of the image; any radical change (such as to the image), detected using hashing algorithms, will flag the incident and quarantine the files.

49
Q

Hardware Security module-

A

HSM- a physical device that provides root of trust capabilities

50
Q

IPSEC- Internet Protocol Security-

A

a set of open, non-proprietary standards that are used to secure data through authentication and encryption as the data travels across the network or the internet.

51
Q

Load Balancer-

A

a network device that distributes the network traffic or computing workload among multiple devices in a network.

52
Q

An active/active

A

cluster provides Enterprise services to clients from both virtual servers. All services will transparently transfer to the other server if one virtual host goes offline.

53
Q

An active/passive

A

cluster provides Enterprise services to clients from only one virtual server. The other server comes online only when the currently active server goes offline.

54
Q

A URL filter

A

allows you to control access to websites by permitting or denying access to specific websites based on information contained in a URL list.

55
Q

NAC-

A

Network Access Control- the collection of protocols, policies, and hardware that govern access of devices connecting to a network. Essentially a health policy that verifies each requesting node conforms to the policy (patch level, antivirus/firewall configuration, and so on).

56
Q

NIDS-

A

Network Intrusion detection system- a system that uses passive hardware sensors to monitor traffic on a specific segment of the network. Uses Signature-based (or pattern-matching) detection.

57
Q

NIPS-

A

an active, inline security device that monitors suspicious network and/or system traffic and reacts in real time to block it.

(Network Intrusion Prevention System) is an appliance placed on the network to provide an active response to any network threats that match its policies or signatures.

58
Q

Out-of-Band link-

A

offers better security than in-band. You may use separate cabling or the same cabling and physical switches, but a separate VLAN for management.

59
Q

in-band

A

link is less secure, since the management channel is shared by the network being monitored. This will make alerts more detectable by an adversary and can also be blocked.

60
Q

Secure Post Office Protocol v3 (POP3)

A

is a mailbox protocol designed to allow mail to be stored on a server and downloaded to the recipient’s email client at their convenience.

61
Q

Secure Internet Message Access Protocol v4 (IMAP4)

A

is primarily designed for dial-up access and the client contacts the server to download its messages, then disconnects. IMAP supports permanent connections to a server and connecting multiple clients to the same mailbox simultaneously. Messages can be stored and organized on the server.

62
Q

Protocol Analyzer-

A

this type of diagnostic software can examine and display data packets that are being transmitted over a network. EX: Wireshark

63
Q

POP-

A

a protocol used to retrieve email from a mailbox on the mail server

64
Q

Proxy-

A

a device that acts on behalf of one end of a network connection when communicating with the other end of the connection

A device that acts on behalf of another service. A proxy examines the data and makes rule-based decisions about whether the request should be forwarded or refused.

A proxy server places information retrieved from the internet into a temporary storage area so that if the information is requested again by another client, the proxy already has it. This reduces the number of calls to the internet and speeds up performance.

65
Q

Router-

A

a device that connects multiple networks that use the same protocol.

66
Q

S/MIME-

A

Secure/multipurpose internet mail extensions- an email encryption standard that adds digital signatures and public key cryptography to traditional MIME communications

The user is issued a digital certificate containing a public key that is signed by a CA (Certificate Authority) to establish its validity.

67
Q

SIEM-

A

Security information and event management- a solution that provides real-time or near real-time analysis of security alerts generated by network hardware and applications.

68
Q

Aggregation switches –

A

a network device that combines multiple ports into a single link in order to enhance redundancy and increase bandwidth

Can connect multiple subnets to reduce the number of active ports. When aggregating subnets, the subnets are connected to the switch rather than the router.

69
Q

SNMP

A

SNMP- simple network management protocol- an application layer service used to exchange information between network devices.

70
Q

SNMPv1

A

SNMPv1 uses community names that are sent in plaintext and should not be transmitted over the network if there is any risk they could be intercepted. This protocol does not support encryption.

71
Q

SNMPv2c

A

SNMPv2c also uses community names that are sent in plaintext and should not be transmitted over the network if there is any risk they could be intercepted. Like SNMPv1, this protocol does not support encryption.

72
Q

correlation engine

A

A correlation engine is part of a security information and event manager (SIEM). It captures and examines logged events to alert administrators of potential threats on a network.

73
Q

MIB

A

Management Information Base (MIB) is the database that the agent within SNMP utilizes. The agent is a process that runs on a switch, router, server or other SNMP compatible network device.

74
Q

SSL decryptor / SSL inspector / SSL interceptor-

A

SSL decryptor / SSL inspector / SSL interceptor- a type of proxy used to examine encrypted traffic before it enters or leaves the network. This ensures that traffic complies with data policies and that strong cipher suites are used.

75
Q

Switch

A

Switch- a device that has multiple network ports and combines multiple physical network segments into a single logical network.

76
Q

TLS

A

TLS- Transport Layer Security- a security protocol that uses certificates and public key cryptography for mutual authentication and data encryption over a TCP/IP connection

77
Q

Tunnel mode

A

Tunnel mode- is when the whole IP packet (header and payload) is encrypted and a new IP header added.

78
Q

UTM

A

UTM- Unified threat management- the practice of centralizing various security techniques into a single appliance. UTM systems include an application firewall to provide more complex network security.

An SSL interceptor is not found in a UTM.

The UTM (Unified Threat Management) is an all-in-one security appliance. Its ability to block specific URLs or websites comes from its content filtering feature. Even unknown websites that fit the description of having inappropriate images can be set to block.

Many UTM appliances include a malware scanner that scans the web traffic and compares the packet or heuristic behavior to determine if a network connection is malicious.

A UTM is like an intrusion prevention system (IPS) that can block network connections or prevent a file from being downloaded.

79
Q

VDI-

A

VDI- virtual desktop infrastructure- a virtualization implementation that separates the personal computing environment from a user's physical computer.

80
Q

Virtual IP-

A

VIP- Each server node has its own IP address, but externally a load-balanced service is advertising a Virtual IP (VIP) address. A virtual IP address is an IP address that doesn’t correspond to an actual physical network interface. Uses for VIPs include network address translation, fault-tolerance, and mobility.

81
Q

VPN Concentrator-

A

A single device that incorporates advanced encryption and authentication methods in order to handle a large number of VPN tunnels. This is ideal for telecommuters. If used with TLS or SSL VPN, port 443 will be used.

82
Q

VPN-

A

Virtual private network- a method of extending a private network by tunneling through a public network, such as the internet

83
Q

A site-to-site VPN

A

connects two or more local networks, each site running a VPN gateway. The gateway does all the work.

84
Q

A remote access virtual private network (VPN)

A

involves VPN client agents connecting to a VPN-enabled router concentrator at the company’s main network. This is ideal for telecommuters. If used with TLS or SSL VPN, port 443 will be used.

Like TLS VPN, SSL (Secure Sockets Layer) VPN will also pass through traffic over port 443. However, TLS is more secure than SSL.

85
Q

TLS (Transport Layer Security) VPN

A

will require a remote server listening on port 443 (so no changes to firewalls) and optionally, a set of client certificates for authenticating the device (transparent for users after simple set up).

Like TLS VPN, SSL (Secure Sockets Layer) VPN will also pass through traffic over port 443. However, TLS is more secure than SSL.

86
Q

Tunneling-

A

a data-transport technique in which a data packet is encrypted and encapsulated in another data packet in order to conceal the information of the packet inside.

87
Q

Vulnerability assessment-

A

a security assessment that evaluates a system's security and its ability to meet compliance requirements based on the configuration state of the system.

88
Q

FQDN (fully qualified domain name)

A

can have multiple IP addresses using DNS records, and name resolution can route sessions accordingly between the servers in the cluster. However, only the first record will be active until it is unavailable.

89
Q

GLBP-

A

Gateway Load Balancing Protocol is Cisco's proprietary service for providing a load-balanced service with a VIP. The infrastructure is Cisco-based, so this service will most likely be implemented.

90
Q

Common Address Redundancy Protocol

A

(CARP) is another commonly used network protocol that works in the same way as GLBP.

91
Q

multipurpose proxy server

A

can be configured with filters for multiple protocol types, such as HTTP (Hypertext Transfer Protocol), FTP (File Transfer Protocol), and SMTP (Simple Mail Transfer Protocol).

92
Q

application-specific proxy,

A

like a web proxy, will only filter out content from the web. A proxy server is required for FTP services as well.

93
Q

non-transparent class of proxies

A

requires a client to be configured with the proxy server address and port settings.

94
Q

transparent class of proxies

A

requires no extra configuration of client computers. This proxy intercepts client traffic through a switch, router or other inline network appliance.

95
Q

web application firewall (WAF)

A

is mainly designed to protect software running on web servers by preventing denial of service (DoS) attacks, where thousands of connections are attempted to overwhelm the server.

A WAF may also prevent backend databases from being compromised using SQL injections, where a hacker issues SQL query commands into text fields of forms on the web server.

96
Q

Border firewalls

A

filter traffic between the trusted local network and untrusted external networks, such as the Internet. DMZ (Demilitarized Zone) configurations are established by border firewalls.

97
Q

network-based firewall

A

analyzes packets at the layer 2 or data link layer of the OSI (Open Systems Interconnection) model.

98
Q

Internal firewalls

A

can be placed anywhere within the network, either inline or as host firewalls, to filter traffic flows between different security zones.

99
Q

Whole network firewalls

A

are put into place to protect the whole network. They are placed inline in the network and inspect all traffic that passes through.

100
Q

Single host firewalls

A

are installed on the host and only inspect traffic destined for the host.

101
Q

application firewall

A

analyzes packets at layer 7 or the application layer. It can be called by different names, such as application layer gateway firewall, stateful multilayer inspection firewall, or deep packet inspection firewall. It is mostly installed on a server as an application (e.g., Windows Firewall). However, it can also run on physical network appliances, like a UTM device.

102
Q

Layer 3 Firewall

A

The most basic is layer 3, where the firewall blocks traffic from specific IP ranges. In an access control list (ACL), the final default rule is typically to block any traffic that has not matched a rule (implicit deny).

103
Q

Stateless firewall-

A

a firewall that does not track the active state of a connection as it reaches the firewall

104
Q

Stateful Firewall-

A

A firewall that tracks the active state of a connection and can make decisions based on the contents of a network packet as it relates to the state of the connection.

105
Q

layer 2 Firewall

A

A layer 2 or transparent firewall looks at bridged packets that run through a pair of locally-switched Ethernet ports. It can be placed into a network without having to re-subnet it.

106
Q

A state table

A

contains information about sessions between network hosts. This type of data is gathered by a stateful firewall.

107
Q

Signature-based (or pattern-matching)

A

detection uses a database of attack patterns or signatures. If traffic matches a pattern, then the engine generates an incident. Used by a NIDS.

108
Q

Anomaly-based

A

detection uses an engine that looks for irregularities in the use of protocols. For example, the engine may check packet headers or the exchange of packets in a session against RFC standards and generate an alert if they deviate from strict RFC compliance.

109
Q

Heuristic-based

A

detection learns from experience to detect differences from the baseline. This type of detection is the same as behavioral-based detection.

110
Q

Behavioral-based

A

(statistical or profile-based) detection uses an engine to recognize baseline “normal” traffic or events. Any deviation from the baseline (outside a defined level of tolerance) generates an incident.

111
Q

Rulesets

A

are a configuration setting for the intrusion detection system (IDS). Content filtering, such as blocking URLs and applying keyword-sensitive blacklists or whitelists, are examples of a ruleset.

112
Q

STP (Spanning Tree Protocol)

A

is a means for the bridges to organize themselves into a hierarchy and prevent loops from forming.

A SWITCHING LOOP on the network will cause network connections to drop, since packets cannot make the appropriate hop to the next switch toward their final destination. Switching loops also generate broadcast storms.

113
Q

Port security

A

is an advanced security feature that allows a certain number of MAC addresses to access a physical port. After that number is reached, new connections will be blocked.

114
Q

flood guard

A

is a feature of a circuit-level firewall that prevents maliciously open connections from forming. This is not applicable to switching loops.

A SWITCHING LOOP on the network will cause network connections to drop, since packets cannot make the appropriate hop to the next switch toward their final destination. Switching loops also generate broadcast storms.

115
Q

DHCP-

A

Dynamic Host Configuration Protocol- a protocol used to automatically assign IP addressing information to IP network computers.

Provides an automatic method for network address allocation. As well as an IP address and subnet mask, it can include optional parameters.

116
Q

MAC

A

(Media Access Control) filters can drop data coming from specific MAC addresses. However, "dummy" client switches were deployed, which normally means no advanced configurations have been made.

117
Q

Meterpreter

A

is an exploit module that uses in-memory DLL injection stagers. Stagers create a network connection between the hacker and the target. Since the stagers are in memory and never written to disk, any trace can be removed with a restart of the server.

118
Q

Nexpose

A

is a vulnerability scanner. When integrated with Metasploit Pro, Metasploit can then read the scan report and confirm vulnerabilities to rule out false positives.

119
Q

Kali or Kali Linux

A

is a Debian-derived Linux distribution designed for system forensics and penetration testing. Simply loading onto a laptop does nothing.

120
Q

Nessus

A

is a vulnerability scanner from Tenable. A hacker may use a vulnerability scanner to seek out easy targets (e.g., open ports) to plan for an attack.

It is not a NIPS (Network Intrusion Prevention System).

It does not perform any changes to the application or computer operating system.

It is a commonly deployed solution for application vulnerability assessments.

121
Q

Metasploit

A

is an exploitation framework with tools for exploiting vulnerabilities.

122
Q

Sysinternals-

A

suite of tools designed to assist with troubleshooting issues with Windows.

123
Q

Process Explorer

A

(tool in Sysinternals) can reveal all the processes and their details on the system. It can filter out the legitimate activity generated by normal operation of the computer, which is what the admin used to find the rogue service. These tools are not useful for a networking issue. Unknown processes are easily seen in the Process Explorer view. These unknown processes may have an unrecognized name or no icon.

124
Q

The Autoruns tool,

A

which is part of Windows Sysinternals, can help with hunting down malware on a computer. Autoruns' ability to identify the startup services and their locations can lead to researching ways to remove the malware and its rogue services.

125
Q

Cain and Abel

A

is used to recover Windows passwords and includes a password sniffing utility.

126
Q

John the Ripper

A

is compatible with multiple platforms such as Windows, Mac OS X, Solaris, and Android, and is primarily used as a password hash cracker.

127
Q

THC Hydra

A

is often used against remote authentication using protocols such as Telnet, FTP (file transfer protocol), HTTPS (hypertext transfer protocol secure), SMB (server message protocol), etc.

128
Q

Aircrack

A

is used to sniff and decrypt WEP (wired equivalent privacy) and WPA (wireless protected access) wireless traffic.

129
Q

Microsoft Security Compliance Toolkit (SCT)

A

compares scanned hosts with a template of controls and configuration settings to determine system compliance. Any findings of non-compliance can be used to determine actions for a WSUS (Windows Server Update Services) server to handle. Microsoft's Security Compliance Toolkit does not patch systems. It includes the Policy Analyzer tool and the Local Group Policy Object (LGPO) tool.

130
Q

WSUS- (Windows Server Update Service)

A

server is a central repository for updates related to OS and applications like Microsoft Office. Once downloaded locally, WSUS distributes the updates to the client computers.

131
Q

The local group policy object (LGPO) Tool,

A

on its own, automates the process of changing local GPOs on a computer. This tool is helpful in managing systems that are not part of the domain. This tool is best used in conjunction with the Policy Analyzer tool.

132
Q

Microsoft System Center Configuration Manager (SCCM)

A

is a software management suite used to manage a large number of systems on multiple platforms. It does not include a Policy Analyzer tool or an LGPO tool.

133
Q

CVEs

A

(Common Vulnerabilities and Exposures) can be used by the Nessus scanner to compare and find vulnerabilities in commonly used systems. Vulnerability scans and security compliance audits can be gathered all at once with Nessus.

134
Q

inSSIDer

A

is software that can survey Wi-Fi networks to determine SSID, BSSID (wireless access point MAC address), frequency band, and radio channel.

135
Q

Aircrack-ng

A

is a suite of utilities designed for wireless network security testing. The principal tools include airmon-ng (monitor mode), airodump-ng (frame capture), aireplay-ng (frame injection), and aircrack-ng (decode authentication key).

The specific tool, which is also called aircrack-ng, can decode the authentication pre-shared key or password for WEP, WPA, and WPA2 using a dictionary word or a relatively short key.

136
Q

AirPcap-

A

Wireless adapter driver that supports monitor mode. Designed specifically for packet capture. Sniffs non-unicast wireless traffic.

137
Q

BitLocker keys

A

are stored along with the associated computer account object in Active Directory. It is viewable in the object’s properties view. This is a different location than the NTDS.DIT file.

138
Q

BitLocker

A

is a full drive encryption technology. It does not have a process for encrypting passwords, nor the sending and receiving of passwords from node to node.

139
Q

%SystemRoot%\NTDS\NTDS.DIT file

A

stores domain user passwords and credentials. Employees commonly use their domain credentials to log in to do work and gain access to corporate information.

140
Q

Wireshark-

A

A protocol analyzer tool- Packets that are analyzed or decoded will provide information, such as protocol used and at what port. If a port is open, it will be listed in the analyzed information.

141
Q

Order of restoration –

A

In general, the first step in restoring services involves enabling and testing power delivery systems, such as a power grid, generators, and even UPSs (uninterruptible power supplies). Without power, IT systems and network equipment cannot run.

In general, the second step in restoring services involves enabling and testing switch infrastructure, then routing appliances and systems.

Other important network servers include domain controllers so that users may log in to their computers and reach Enterprise services.

In general, the sixth step in restoring services involves enabling and testing front-end applications like a web server.

Workstations

142
Q

Key performance indicators (KPI)

A

can be used to determine the reliability of each asset.

143
Q

Business impact analysis (BIA)

A

is the process of assessing what losses might occur for each threat scenario.

144
Q

Single Loss Expectancy (SLE)

A

is the amount that would be lost in a single occurrence of the risk factor. This is determined by multiplying the value of the asset by an Exposure Factor (EF).

145
Q

EF Exposure Factor

A

is the percentage of the asset value that would be lost.

146
Q

Annual Loss Expectancy (ALE)—

A

the amount that would be lost over the course of a year.

147
Q

input validation attack

A

passes invalid data to the application, and since the input handling on the routine is inadequate, it causes the application (or even the OS) to behave in an unexpected way.

148
Q

SEP

A

(Symantec Endpoint Protection) – Symantec Endpoint Protection, developed by Broadcom Inc., is a security software suite that consists of anti-malware, intrusion prevention and firewall features for server and desktop computers. It has the largest market-share of any product for endpoint security.

The proactive threat protection feature of SEP provides a behavioral approach to protecting the system against unknown threats. For example, a process utilizing high levels of CPU for a long time is a possible threat that will be stopped by the software eventually.

The virus and spyware protection feature of SEP (Symantec Endpoint Protection) is the commonly known anti-virus software that should be on every client image.

The network and host exploitation mitigation feature of SEP protects the system against exploits on the web, network, and any zero-day attacks.

149
Q

Remote access

A

refers to the user’s device connecting over or through an intermediate network, usually a public Wide Area Network (WAN). It does not make a direct cabled or wireless connection to the network.

150
Q

The Domain Name System

A

(DNS) is a system for resolving host names and domain labels to IP addresses. It uses a distributed database system that contains information on domains and hosts within those domains.

151
Q

DNS server cache poisoning

A

is a redirection attack that, instead of trying to subvert the name service used by the client, aims to corrupt the records held by the DNS server itself.

152
Q

DNS spoofing

A

is an attack that compromises the name resolution process. The attacker may compromise the process of DNS resolution by replacing the valid IP address for a trusted website.

153
Q

Secure File Transfer Protocol (SFTP)

A

is a secure version of File Transfer Protocol (FTP), which facilitates data access and data transfer over a Secure Shell (SSH) data stream. It is part of the SSH Protocol.

154
Q

Implicit Transport Layer Security (FTPS)

A

negotiates a Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel before the exchange of any File Transfer Protocol (FTP) commands.

155
Q

Explicit TLS (FTPES)

A

uses the AUTH TLS command to upgrade an unsecure connection.

156
Q

Secure Shell (SSH) FTP (SFTP)

A

encrypts the authentication and data transfer between the client and server; a secure link is created between the client and server using SSH.

157
Q

Trivial File Transfer Protocol (TFTP)

A

is a connectionless protocol that provides file transfer services. It does not provide the guaranteed delivery offered by FTP.

158
Q

Directory services

A

are network services that store identity information in a particular network, including users, groups, servers, client computers, and printers.

159
Q

Unified Communications-

A

These solutions are messaging applications that combine multiple communications channels and technologies into a single platform. These communications channels can include voice, messaging, interactive whiteboards, data sharing, email and social media.

160
Q

Secure Post Office Protocol v3 (POP3)

A

is a mailbox protocol designed to allow mail to be stored on a server and downloaded to the recipient’s email client at their convenience.

161
Q

Simple Mail Transfer Protocol (SMTP)

A

specifies how mail is delivered from one system to another.

162
Q

Session control

A

is used to establish, manage, and disestablish communications sessions. They handle tasks such as user discovery (locating a user on the network), availability advertising (whether a user is prepared to receive calls), negotiating session parameters (such as use of audio/video), and session management and termination.

163
Q

Session Initiation Protocol

A

(SIP) is one of the most widely used session control protocols. SIP endpoints are the end-user devices (also known as user agents).

164
Q

Quality of Service (QoS)

A

provides information about the connection to a QoS system, which in turn, ensures that voice or video communications are free from problems such as dropped packets, delay, or jitter.

165
Q

Top level Network Time Protocol

A

(NTP) servers (stratum 1) obtain the Coordinated Universal Time (UTC) from a highly accurate clock source, such as an atomic clock.

A Stratum 1 Time Server is a network appliance that receives precise time from a hardware reference clock to provide a time resource to client computers. Network Time Protocol (NTP) implements a hierarchical system of time references.

166
Q

Route injection

A

means that traffic is misdirected to a monitoring port (sniffing), sent to a blackhole (non-existent address), or continuously looped around the network, causing DoS.

167
Q

Vulnerability scanner

A

Assess systems, networks and applications for weaknesses

Also considered in the context of credentialed v. non-credentialed

A credentialed scan uses specific permissions set by the security personnel when it scans a system.

A non-credentialed scan only assesses what a normal user sees. The advantage is that it allows focus on the most glaring weaknesses that any user can see, regardless of their privileges. It is also less intrusive and tends to consume fewer resources than a credentialed scan.

168
Q

Port Scanner

A

Assess the current state of all ports on a network and detect potentially open ports that may pose a risk to the organization.

169
Q

Protocol/packet Analyzer

A

Assess traffic on a network and what it reveals about its contents and the protocols being used.

170
Q

Fingerprinting tools

A

Identify a target's operating system information and running services; also called banner grabbing.

171
Q

Network enumerator

A

Map the logical structure of the network and identify rogue systems on the network.

172
Q

Password Cracker

A

Recover secret passwords from data stored or transmitted by a computer.

173
Q

Backup utilities

A

Create copies of scanned data

174
Q

Command-Line Tools

Ping-

tracert/traceroute-

netstat-

arp-

nslookup/dig-

ipconfig-

nmap-

netcat-

A

Ping- see if a host is responding to basic network requests.

tracert/traceroute- See the route and delays of packets across a network

netstat- See current network connection info on a host

arp- See ARP entries on a host.

nslookup/dig- Query DNS servers

ipconfig- See network interface info on a host.

nmap- Scan ports and fingerprint systems

netcat- Monitor and modify network traffic