Summary Q & A Flashcards
What are the properties of a secure information processing system?
[Security Concepts]
Confidentiality, Integrity, and Availability (and non-repudiation)
What term is used to describe the property of a secure network where a sender cannot deny having sent a message?
[Security Concepts]
Non-repudiation
A company provides a statement of deviations from framework best practices to a regulator.
What process has the company performed?
[Security Concepts]
Gap Analysis
What process within an access control framework logs actions performed by subjects?
[Security Concepts]
Accounting
What is the difference between authorization and authentication?
[Security Concepts]
Authorization means granting the account for the user access to the system/resource. It manages the privileges granted on the resource. (Are you authorized to do this)
Authentication is validating that the user is who they say they are. (Are you authentically you)
How does accounting provide non-repudiation?
[Security Concepts]
A user’s actions are logged on the system. Each user is associated with a unique computer account. As long as the logs were not tampered they cannot deny doing the action logged.
You have implemented a secure web gateway that blocks access to a social networking site.
How would you categorize this type of security control?
[Security Controls]
Technical control
It is implemented in software and acts as a preventive measure.
A company has installed motion-activated floodlighting on the grounds around its premises.
What class and function is this security control?
[Security Controls]
Physical control
Its function is both Detecting and Deterring
A firewall appliance intercepts a packet that violates policy. It automatically updates its access control list to block all further packets from the source IP. What TWO functions did the security control perform?
[Security Controls]
Preventive and Corrective
If a security control is described as operational and compensating, what can you determine about its nature and function?
[Security Controls]
The control is being done by a person, and replicates a primary function (is a second catch incase the first one fails), as required by a security standard
A multinational company manages a large amount of valuable intellectual property (IP) data, plus personal data for its customers and account holders. What type of business unit can be used to manage such important and complex security requirements?
[Security Controls]
A Security Operations Center (SOC)
A business is expanding rapidly, and the owner is worried about tensions between its established IT and programming divisions. What type of security business unit or function could help to resolve these issues?
[Security Controls]
DevOps or DevSecOps
Development and operations (DevOps) is a cultural shift within an organization to encourage more collaboration between developers and systems administrators.
DevSecOps embeds the security function within these teams as well.
Which of the following would be assessed by likelihood and impact: vulnerability, threat, or risk?
[Threat Actors]
Risk
True or false? Nation-state actors only pose a risk to other states.
[Threat Actors]
False.
Nation-state actors have targeted commercial interests for theft, espionage, and extortion.
You receive an email with a screenshot showing a command prompt at one of your application servers. The email suggests you engage the hacker for a day’s consultancy to patch the vulnerability. How should you categorize this threat?
[Threat Actors]
If the consultancy is refused and the hacker takes no further action, it can be classed as for financial gain only. If the offer is declined and the hacker then threatens to sell the exploit or to publicize the vulnerability, then the motivation is criminal.
Which type of threat actor is primarily motivated by the desire for political change?
[Threat Actors]
Hacktivist
Which three types of threat actor are most likely to have high levels of funding?
[Threat Actors]
State actors,
Organized Crime,
Competitors
A company uses stock photos from a site distributing copyright-free media to illustrate its websites and internal presentations. Subsequently, one of the company’s computers is found infected with malware that was downloaded by code embedded in the headers of a photo file obtained from the site. What threat vector(s) does this attack use?
[Threat Actors]
The transmission vector is image based.
Since the company is using an external site this a supply chain vulnerability.
A company’s systems are disrupted by a ransomware attack launched via a vulnerability in a network monitoring tool used by the company’s outsourced IT management. Aside from a software vulnerability, what part of the company’s attack surface has been used as a threat vector?
[Threat Actors]
This is a supply chain vulnerability, specifically arising from the company’s Managed Service Provider (MSP).
A company uses cell phones to provide IT support to its remote employees, but it does not maintain an authoritative directory of contact numbers for support staff. Risks from which specific threat vector are substantially increased by this oversight?
[Threat Actors]
Voice calls
The risk that threat actors could impersonate IT support personnel to trick employees into revealing confidential information or installing malware.
The help desk takes a call, and the caller states that she cannot connect to the e-commerce website to check her order status. She would also like a username and password. The user gives a valid customer company name but is not listed as a contact in the customer database. The user does not know the correct company code or customer ID. Is this likely to be a social engineering attempt, or is it a false alarm?
[Social Engineering]
This is likely to be a social engineering attempt.
The help desk should not give out any information or add an account without confirming the caller’s identity.
A purchasing manager is browsing a list of products on a vendor’s website when a window opens claiming that antimalware software has detected several thousand files on their computer that are infected with viruses. Instructions in the official-looking window indicate the user should click a link to install software that will remove these infections. What type of social engineering attempt is this, or is it a false alarm?
[Social Engineering]
This is a social engineering attempt utilizing a Watering Hole Attack and Brand Impersonation.
Your CEO calls to request market research data immediately be forwarded to their personal email address. You recognize their voice, but a proper request form has not been filled out and use of third-party email is prohibited. They state that normally they would fill out the form and should not be an exception, but they urgently need the data to prepare for a roundtable at a conference they are attending. What type of social engineering techniques could this use, or is it a false alarm?
[Social Engineering]
If social engineering, this is a CEO fraud phishing attack over a voice channel (vishing). It is possible that it uses deep fake technology for voice mimicry. The use of a sophisticated attack for a relatively low-value data asset seems unlikely, however. A fairly safe approach would be to contact the CEO back on a known mobile number.
A company policy states that any wire transfer above a certain value must be authorized by two employees, who must separately perform due diligence to verify invoice details. What specific type of social engineering is this policy designed to mitigate?
[Social Engineering]
Business Email Compromise
Which part of a simple cryptographic system must be kept secret—the cipher, the ciphertext, or the key?
[Cryptographic Algorithms]
The Key
In cryptography, the security of the message is guaranteed by the security of the key. The system does not depend on hiding the algorithm or the message (security by obscurity).
Considering that cryptographic hashing is one way and the digest cannot be reversed, what makes hashing a useful security technique?
[Cryptographic Algorithms]
Because two parties can hash the same data and compare digests to see if they match.
Hashing can be used for data verification in many ways, including Password Authentication.
Hashes of passwords, rather than the password plaintext, can be stored securely or exchanged for authentication.
A hash of a file or a hash code in an electronic message can be verified by both parties. If they are not matching that means the file has been changed in some way, maliciously or not.
Which security property is assured by symmetric encryption?
[Cryptographic Algorithms]
Confidentiality—symmetric ciphers are generally fast and well suited to bulk encrypting large amounts of data.
What are the properties of a public/private key pair?
[Cryptographic Algorithms]
The keys cannot undo themselves (ex. A private key cant unlock what it locked, a public key cant unlock what it locked).
The private key must be kept secret by the owner, but the public key is designed to be widely distributed. The private key cannot be determined from the public key, given a sufficient key size.
What is the process of digitally signing a message?
[Cryptographic Algorithms]
A hashing function is used to create a message digest. The digest is then signed using the sender’s private key. The resulting signature can be verified by the recipient using the sender’s public key and cannot be modified by any other agency. The recipient can calculate their own digest of the message and compare it to the signed hash to validate that the message has not been altered.
How does a subject go about obtaining a certificate from a CA?
[Public Key Infrastructure]
In most cases, the subject generates a key pair, adds the public key along with subject information and certificate type in a Certificate Signing Request (CSR), and submits it to the CA. If the CA accepts the request, it generates a certificate with the appropriate key usage and validity, signs it, and transmits it to the subject.
What cryptographic information is stored in a digital certificate?
[Public Key Infrastructure]
The subject’s public key and the algorithms used for encryption and hashing. The certificate also stores a digital signature from the issuing CA, establishing the chain of trust.
What extension field is used with a web server certificate to support the identification of the server by multiple specific subdomain labels?
[Public Key Infrastructure]
The Subject Alternative Name (SAN) field.
A wildcard certificate will match any subdomain label.
What are the potential consequences if a company loses control of a private key?
[Public Key Infrastructure]
It puts both data confidentiality and identification and authentication systems at risk. Depending on the key usage, the key may be used to decrypt data with authorization. The key could also be used to impersonate a user or computer account.
You are advising a customer about encryption for data backup security and the key escrow services that you offer. How should you explain the risks of key escrow and potential mitigations?
[Public Key Infrastructure]
Escrow refers to archiving the key used to encrypt the customer’s backups with your company as a third party.
The risk is that an insider attack from your company may be able to decrypt the data backups.
This risk can be mitigated by requiring M-of-N access to the escrow keys, reducing the risk of a rogue administrator.
What mechanism informs clients about suspended or revoked keys?
[Public Key Infrastructure]
Either a published Certificate Revocation List (CRL) or an Online Certificate Status Protocol (OCSP) responder
You are providing consultancy to a firm to help them implement smart card authentication to premises networks and cloud services. What are the main advantages of using an HSM (Hardware Security Module) over server-based key and certificate management services?
[Public Key Infrastructure]
A Hardware Security Module (HSM) is optimized for this role and so presents a smaller attack surface. It is designed to be tamper evident to mitigate against insider threat risks. It is also likely to have a better implementation of a random number generator, improving the security properties of key material.
In an FDE (Full-disk Encryption) product, what type of cipher is used for a key encrypting key?
[Cryptographic Solutions]
Full-disk encryption (FDE) uses a secret symmetric key to perform bulk encryption of a disk.
This Data Encryption Key (DEK) is protected by a Key Encryption Key (KEK).
The KEK is an asymmetric cipher (RSA or ECC) private key.
True or False? Perfect Forward Secrecy (PFS) ensures that a compromise of a server’s private key will not also put copies of traffic sent to that server in the past at risk of decryption.
[Cryptographic Solutions]
True.
PFS ensures that ephemeral keys are used to encrypt each session. These keys are destroyed after use.
Why does Diffie-Hellman underpin Perfect Forward Secrecy (PFS)?
[Cryptographic Solutions]
Diffie-Hellman allows the sender and recipient to derive the same value (the session key) from some other pre-agreed values. Some of these are exchanged, and some kept private, but there is no way for a snooper to work out the secret just from the publicly exchanged values. This means session keys can be created without relying on the server’s private key and that it is easy to generate ephemeral keys that are different for each session.
True or false? It is essential to keep a salt value completely secret to prevent recovery of a password from its hash.
[Cryptographic Solutions]
False.
The salt does not have to be kept secret, though it should be generated randomly.
Which property of a plaintext password is most effective at defeating a brute force attack?
[Authentication]
The length of the password.
If the password does not have any complexity (if it is just two dictionary words, for instance), it may still be vulnerable to a dictionary-based attack.
A long password may still be vulnerable if the output space is small or if the mechanism used to hash the password is faulty.
A user maintains a list of commonly used passwords in a file located deep within the computer’s directory structure.
Is this secure password management?
[Authentication]
No.
This is security by obscurity. The file could probably be easily discovered using search tools.
What policy prevents users from choosing old passwords again?
[Authentication]
Enforce password history/block reuse and set a minimum age to prevent users from quickly cycling through password changes to revert to a preferred phrase.
True or false? An account requiring a password, PIN, and smart card is an example of three-factor authentication.
[Authentication]
False.
Three-factor authentication also includes a biometric, behavioral, or location-based element.
The password and PIN elements are the same factor (something you know).
What methods can be used to implement location-based authentication?
[Authentication]
You can query the location service running on a device or geolocation by IP. You could use location with the network, based on switch port, wireless network name, virtual LAN (VLAN), or IP subnet.
Apart from cost, what would you consider to be the major considerations for evaluating a biometric recognition technology?
[Authentication]
Error rates (false acceptance and false rejection), throughput, and whether users will accept the technology or reject it as too intrusive or threatening to privacy.
True or false? When implementing smart card login, the user’s private key is stored on the smart card.
[Authentication]
True.
The smart card implements a cryptoprocessor for secure generation and storage of key and certificate material.
How does OTP protect against password compromise?
[Authentication]
A one-time password mechanism generates a token that is valid only for a short period (usually 60 seconds), before it changes again. This can be sent to a registered device or generated by a hard token device. This sort of two-step verification means that a threat actor cannot simply use the compromised password to access the user’s account.
What is the difference between security group- and role-based permissions management?
[Authorization]
A group is simply a container for several user objects. Any organizing principle can be applied.
In a role-based access control system, groups are tightly defined according to job functions. Also, a user should (logically) only possess the permissions of one role at a time.
In a rule-based access control model, can a subject negotiate with the data owner for access privileges? Why or why not?
[Authorization]
No, this sort of negotiation would not be permitted under rule-based access control; it is a feature of discretionary access control.
What is the process of ensuring accounts are only created for valid users, only assigned the appropriate privileges, and that the account credentials are known only to the valid user?
[Authorization]
Provisioning or onboarding
What is the policy that states users should be allocated the minimum sufficient permissions?
[Authorization]
Least privilege
A threat actor was able to compromise the account of a user whose employment had been terminated a week earlier. They used this account to access a network share and exfiltrate important files. What account vulnerability enabled this attack?
[Authorization]
The account did not have its permissions stripped.
While it’s possible that lax password requirements and incorrect privileges may have contributed to the account compromise, the most glaring problem is that the terminated employee’s account wasn’t deprovisioned. Since the account was no longer being used, it should not have been left active for a threat actor to exploit.
What is the purpose of implementing LDAP?
[Identity Management]
A Lightweight Directory Access Protocol (LDAP)-compatible directory stores information about network resources and users in a format that can be accessed and updated using standard queries.
True or false? The following string is an example of a distinguished name: CN=ad, DC=515support,DC=com.
[Identity Management]
True
True or false? In order to create a service ticket, Kerberos passes the user’s password to the target application server for authentication.
[Identity Management]
False.
Only the KDC verifies the user credential.
The Ticket Granting Service (TGS) sends the user’s account details (SID) to the target application for authorization (allocation of permissions), not authentication.
You are consulting with a company about a new approach to authenticating users. You suggest there could be cost savings and better support for multifactor authentication (MFA) if your employees create accounts with a cloud provider. That allows the company’s staff to focus on authorizations and privilege management. What type of service is the cloud vendor performing?
[Identity Management]
The cloud vendor is acting as the identity provider.
You are working on a cloud application that allows users to log on with social media accounts over the web and from a mobile application. Which protocols would you consider, and which would you choose as most suitable?
[Identity Management]
Security Assertion Markup Language (SAML) and OAuth. OAuth offers better support for standard mobile
apps so is probably the best choice.
A company’s network contains client workstations and database servers in the same subnet. Recently, this has enabled attackers to breach the security of the database servers from a workstation compromised by phishing malware. The company has improved threat awareness training and upgraded antivirus software on workstations. What other change will improve the security of the network’s design, and why?
[Enterprise Network Architecture]
The network architecture should implement network segmentation to put hosts with the same security requirements within segregated zones. At layer 2, the workstation and database servers should be placed on separate switches or placed in separate virtual LANs (VLANs). At layer 3, these segments can be identified as separate subnets.
Following a data breach perpetrated by an insider threat actor, a company has relocated its on-premises servers to a dedicated equipment room. The equipment room has a lockable door, and the servers are installed to lockable racks. Access to keys is restricted to privileged administrators and subject to sign-out procedures.
True or false? These security principles reduce the attack surface.
[Enterprise Network Architecture]
True.
The attack surface exists at different network layers and includes physical access. Physically restricting access to server hardware is an important element in reducing the attack surface and mitigating insider threat.
A company wants to upgrade switches to enforce device authentication. Which framework, standard, or protocol must the switch models support?
[Enterprise Network Architecture]
The switches must support the IEEE 802.1X standard. The Remote Authentication Dial-In User Service (RADIUS) protocol and Extensible Authentication Protocol (EAP) framework are used within this, but it is 802.1X that is specific to authenticating when connecting to a switch port (and Wi-Fi access points).
Two companies are merging and want to consolidate employees at a single site. Neither company’s on-premises networks have space to add the 100 desktops required. Which consideration factor does the current architecture model fail to address?
[Enterprise Network Architecture]
Scalability is the consideration that an architecture should be able to expand to meet additional requirements or workloads.
True or False? As they protect data at the highest layer of the protocol stack, application-based firewalls have no basic packet filtering functionality.
[Network Security Appliances]
False. All firewall types can perform basic packet filtering (by IP address, protocol type, port number, and so on).
A proxy server implements a gateway for employee web and email access and is regularly monitored for compromise. If any compromise is detected, the proxy must enter a fail state that prevents further access. What type of fail mode is required?
[Network Security Appliances]
A fail-closed mode is required. Fail-open mode preserves access and availability.
You need to deploy an appliance WAF to protect a web server farm without making any layer 3 addressing changes. Is WAF functionality supported by appliances and, if so, what device attribute should the appliance support?
[Network Security Appliances]
A web application firewall (WAF) can be implemented as an appliance or as software running on a general host. The device must support transparent mode. It could either use layer 2 bridging or a layer 1 inline (“bump-in-the-wire”) mode.
What IPS mechanism can be used to block traffic that violates policy without also blocking the traffic source?
[Network Security Appliances]
The intrusion prevention system (IPS) can be configured to reset connections that match rules for traffic that are not allowed on the network. This halts the potential attack without blocking the source address.
True or false? When deploying a non-transparent proxy, clients must be configured with the proxy address and port.
[Network Security Appliances]
True.
The clients must either be manually configured or use a technology such as proxy auto-configuration (PAC) to detect the appropriate settings.
What is meant by scheduling in the context of load balancing?
[Network Security Appliances]
The algorithm and metrics that determine which node a load balancer picks to handle a request
True or false? A TLS VPN can only provide access to web-based network resources.
[Secure Communications]
False.
A Transport Layer Security (TLS) VPN uses TLS to encapsulate the private network data and tunnel it over the network. The private network data could be frames or IP-level packets and is not constrained by application-layer protocol type.
What IPsec mode would you use for data confidentiality on a private network?
[Secure Communications]
Transport mode with Encapsulating Security Payload (ESP). Tunnel mode encrypts the IP header information, but this is unnecessary on a private network. Authentication Header (AH) provides message authentication and integrity but not confidentiality.
What value confirms the identity of an SSH server to a client?
[Secure Communications]
The server’s public key. This is referred to as the host key. Note that this can only be trusted if the client trusts that the public key is valid. The client might confirm this manually or using a certificate authority.
What is the main advantage of IKEv2 over IKEv1?
[Secure Communications]
Rather than just providing mutual authentication of the host endpoints, IKEv2 supports a user account
authentication method, such as Extensible Authentication Protocol (EAP).
Server A is configured to forward commands over SSH to a pool of database servers. The database servers do not accept SSH connections from any other source.
What type of configuration does Server A implement?
[Secure Communications]
Server A is a jump server. A jump server is a specially hardened device designed as a single point of entry for management and administration traffic for a group of application or database servers in a secure zone.
This is designed to make monitoring and securing connections to the secure zone easier and more reliable.
What is a public cloud?
[Cloud Infrastructure]
A solution hosted by a third-party cloud service provider (CSP) and shared between subscribers (multi-tenant). This sort of cloud solution has the greatest security concerns.
What type of cloud solution could be used to implement a SAN?
[Cloud Infrastructure]
This would usually be described as infrastructure as a service (IaaS).
What is a Type II hypervisor?
[Cloud Infrastructure]
Software that manages virtual machines that has been installed to a guest OS. This is in contrast to a Type I (or “bare metal”) hypervisor, which interfaces directly with the host hardware.
What is IaC?
[Cloud Infrastructure]
IaC stands for Infrastructure as Code
This is a software engineering practice that manages computing infrastructure using machine-readable definition files.
This is closely related to the use of cloud computing infrastructures.
What is a purpose-specific operating system with designs heavily focused on high levels of stability and processing speed?
[Embedded System and Zero Trust Architecture]
Real-Time Operating System (RTOS). RTOS are designed for use in embedded systems and are designed to provide very specific types of functionality based on implementation.
What are the systems control machinery that is used in critical infrastructure, like power suppliers, water suppliers, health services, telecommunications, and national security services?
[Embedded System and Zero Trust Architecture]
Industrial Control Systems (ICS.) ICSs are specialized industrial computers designed to operate manufacturing and industrial sites. ICS systems are unique in that their failure can often result in significant physical damage and loss of life.
What are some factors contributing to the poor security characteristics of IoT devices?
[Embedded System and Zero Trust Architecture]
- IoT devices are designed to be low cost and focus on functionality rather than security.
- IoT devices have limited processing power and memory.
- IoT devices are rushed to market without proper security testing.
- There is low awareness among consumers and organizations about the security risks associated with IoT devices.
What is a network security approach that shifts the focus from defending a network’s boundaries to protecting individual resources and data within the network?
[Embedded System and Zero Trust Architecture]
Deperimeterization.
This security approach moves away from traditional “inside” and “outside” network security approaches and focuses on more granular methods of user and device analysis
How does configuration management support cybersecurity operations?
[Asset Management]
It ensures that each configurable element within an asset inventory has not diverged from its approved configuration.
What technology are snapshots most commonly associated with?
[Asset Management]
Virtual machines (virtualization). They provide quick, point-in-time copies of a virtual machine’s state.
True or false? Backup media can be on site, but offline.
[Asset Management]
True.
As a security precaution, backup media can be taken offline at the completion of a job to mitigate the risk of malware corrupting the backup.
You are advising a company about backup requirements for a few dozen application servers hosting tens of terabytes of data. The company requires online availability of short-term backups, plus off-site security media and long-term archive storage. The company cannot use a cloud solution.
What type of on-premises storage solution is best suited to the requirement?
[Asset Management]
The off-site and archive requirements are best met by a tape solution, but the online requirement may need a RAID array, depending on speed. The requirement is probably not large enough to demand a storage area network (SAN), but could be provisioned as part of one.
Define data sanitization.
[Asset Management]
The process of removing sensitive information from storage media to prevent unauthorized access or data breaches.
How does MTD relate to availability?
[Redundancy Strategies]
The maximum tolerable downtime (MTD) metric expresses the availability requirement for a particular business function
How does elasticity differ from scalability?
[Redundancy Strategies]
A scalable system is one that responds to increased workloads by adding resources without exponentially increasing costs. An elastic system is able to assign or unassign resources as needed to match either an increased workload or a decreased workload.
Which two components are required to ensure power redundancy for a power loss period extending over 24 hours?
[Redundancy Strategies]
An uninterruptible power supply (UPS) is required to provide failover for the initial power loss event, before switching over to a standby generator to supply power over a longer period.
How does RAID support fault tolerance?
[Redundancy Strategies]
RAID provides redundancy among a group of disks, so that if one disk were to fail, that data may be recoverable from the other disks in the array.
What physical site security controls act as deterrents?
[Physical Security]
Lighting is one of the most effective deterrents. Any highly visible security control (guards, fences, dogs, barricades, CCTV, signage, and so on) will act as a deterrent.
What type of sensor detects changes in heat patterns caused by moving objects?
[Physical Security]
Infrared
What use might a proximity reader be for site security?
[Physical Security]
What use might a proximity reader be for site security?
[Physical Security]
What is a bollard?
[Physical Security]
A short vertical post typically made of steel, concrete, or other similarly durable material and designed to restrict vehicular traffic into pedestrian areas.
You are recommending that a business owner invest in patch management controls for PCs and laptops.
What is the main risk from weak patch management procedures on such devices?
[Device and OS Vulnerabilities]
Vulnerabilities in the OS and applications software such as web browsers and document readers or in PC and adapter firmware can allow threat actors to run malware and gain a foothold on the network.
You are advising a business owner on security for a PC running Windows 7. The PC runs process management software that the owner cannot run on Windows 11. What are the risks arising from this, and how can they be mitigated?
[Device and OS Vulnerabilities]
Windows 7 is a legacy platform that is no longer receiving security updates. This means that patch management cannot be used to reduce risks from software vulnerabilities. The workstation should be isolated from other systems to reduce the risk of compromise.
As a security solution provider, you are compiling a checklist for your customers to assess potential vulnerabilities. What vulnerability do the following items relate to? Default settings, Unsecured root accounts, Open ports and services, Unsecure protocols, Weak encryption, Errors.
[Device and OS Vulnerabilities]
Misconfiguration refers to improper and default settings that introduce vulnerabilities.
Your log shows that the Notepad process on a workstation running as the local administrator account has started an unknown process on an application server running as the SYSTEM account. What type of attack(s) are represented in this intrusion event?
[Application and Cloud Vulnerabilities]
The Notepad process has been compromised, possibly using buffer overflow or a DLL/process injection attack. The threat actor has then performed lateral movement and privilege escalation, gaining higher privileges through remote code execution on the application server.
How do malicious updates introduce malware?
[Application and Cloud Vulnerabilities]
Malicious updates describe updates typically downloaded from the trusted hardware or software vendor that include malware. This is a result of the vendor’s environment being exploited.
What type of attack is focused on exploiting the database access provided to a web application?
[Application and Cloud Vulnerabilities]
SQL injection.
SQLi (SQL Injection) attacks manipulate the way web applications handle inputs to gain access to protected resources stored in a database or manipulate web application behavior.
You have received an urgent threat advisory and need to configure a network vulnerability scan to check for the presence of a related CVE on your network.
What configuration check should you make in the vulnerability scanning software before running the scan?
[Vulnerability Identification Methods]
Verify that the vulnerability feed/plug-in/test has been updated with the specific CVE that you need to test for.
Your CEO wants to know if the company’s threat intelligence platform makes effective use of OSINT.
What is OSINT?
[Vulnerability Identification Methods]
Open-source intelligence (OSINT) is cybersecurity-relevant information harvested from public websites and data records. In terms of threat intelligence specifically, it refers to research and data feeds that are made publicly available.
A small company that you provide security consulting support to has resisted investing in an event management and threat intelligence platform. The CEO has become concerned about an APT risk known to target supply chains within the company’s industry sector and wants you to scan their systems for any sign that they have been targeted already.
What are the additional challenges of meeting this request, given the lack of investment?
[Vulnerability Identification Methods]
Collecting network traffic and log data from multiple sources and then analyzing it manually will require many hours of analyst time. The use of threat feeds and intelligence fusion to automate parts of this analysis effort would enable a much swifter response.
This is a dictionary of vulnerabilities in published operating systems and applications software.
[Vulnerability Analysis and Remediation]
CVE, or Common Vulnerabilities and Exposures
A vulnerability scan reports that a CVE associated with CentOS Linux is present on a host, but you have established that the host is not running CentOS.
What type of scanning error event is this?
[Vulnerability Analysis and Remediation]
False positive
This type of protection can provide financial protection in case of a security breach resulting from a vulnerability.
[Vulnerability Analysis and Remediation]
Cybersecurity insurance. These policies are designed to cover a majority of the expenses related to remediating and recovering from a cyber incident.
What is a pre-shared key?
[Network Security Baselines]
This is a type of group authentication used when the infrastructure for authenticating securely (via RADIUS, for instance) is not available. The system depends on the strength of the passphrase used for the key.
Is WPS a suitable authentication method for enterprise networks?
[Network Security Baselines]
No, an enterprise network will use RADIUS authentication. WPS uses PSK, and there are weaknesses in the protocol.
You want to deploy a wireless network where only clients with domain-issued digital certificates can join the network. What type of authentication mechanism is suitable?
[Network Security Baselines]
EAP-TLS is the best choice because it requires that both server and client be installed with valid certificates.
What is a dissolvable agent?
[Network Security Baselines]
Some network access control (NAC) solutions perform host health checks via a local agent, running on the host. A dissolvable agent is one that is executed in the host’s memory and CPU but not installed to a local disk.
How can a screened subnet be implemented?
[Network Security Capability Enhancement]
By using two firewalls (external and internal) around a screened subnet, or by using a triple-homed firewall (one with three network interfaces
What is the common purpose of the default rule on a firewall?
[Network Security Capability Enhancement]
Block any traffic not specifically allowed (implicit deny)
What sort of maintenance must be performed on signature-based monitoring software?
[Network Security Capability Enhancement]
Installing definition/signature updates and removing definitions that are not relevant to the hosts or services running on your network.
What is the principal risk of deploying an intrusion prevention system with behavior-based detection?
[Network Security Capability Enhancement]
Behavior-based detection can exhibit high false positive rates, where legitimate activity is wrongly identified as malicious. With automatic prevention, this will block many legitimate users and hosts from the network, causing availability and support issues.
What is a hardened configuration?
[Endpoint Security]
A basic principle of security is to run only services that are needed. A hardened system is configured to perform a role as client or application server with the minimal possible attack surface in terms of interfaces, ports, services, storage, system/registry permissions, lack of security controls, and vulnerabilities.
True or false? Only Microsoft’s operating systems and applications require security patches.
[Endpoint Security]
False.
Any vendor’s or open source software or firmware can contain vulnerabilities that need patching.
Why are OS-enforced file access controls not sufficient in the event of the loss or theft of a computer or mobile device?
[Endpoint Security]
The disk (or other storage) could be attached to a foreign system, and the administrator could take ownership of the files. File-level, full disk encryption (FDE), or self-encrypting drives (SED) mitigate this by requiring the presence of the user’s decryption key to read the data.
What type of deployment model(s) allow users to select the mobile device make and model?
[Mobile Device Hardening]
Bring your own device (BYOD) and choose your own device (CYOD)
Company policy requires that you ensure your smartphone is secured from unauthorized access in case it is lost or stolen. To prevent someone from accessing data on the device immediately after it has been turned on, what security control should be used?
[Mobile Device Hardening]
Screen lock
True or false? A maliciously designed USB battery charger could be used to exploit a mobile device on connection.
[Mobile Device Hardening]
True.
Though the vector is known to the mobile OS and handset vendors, the exploit often requires user interaction.
Why might enforcement policies be used to prevent USB tethering when a smartphone is brought to the workplace?
[Mobile Device Hardening]
This would allow a PC or laptop to connect to the Internet via the smartphone’s cellular data connection. This could be used to evade network security mechanisms, such as data loss prevention or content filtering.
What type of attack against HTTPS aims to force the server to negotiate weak ciphers?
[Application Protocol Security Baselines]
A downgrade attack
When using S/MIME, which key is used to protect the confidentiality of a message?
[Application Protocol Security Baselines]
The recipient’s public key (principally). The public key is used to encrypt a symmetric session key, and (for performance reasons) the session key does the actual data encoding. The session key and, therefore, the message text can then only be recovered by the recipient, who uses the linked private key to decrypt it.
Which protocol should be used to replace TELNET?
[Application Protocol Security Baselines]
Secure Shell (SSH) provides the same functionality as TELNET and incorporates encryption protections by default.
True or false? DNSSEC depends on a chain of trust from the root servers down.
[Application Protocol Security Baselines]
True.
The authoritative server for the zone creates a “package” of resource records (called an RRset) signed with a private key (the Zone Signing Key). When another server requests a secure record exchange, the authoritative server returns the package along with its public key, which can be used to verify the signature.
What type of programming practice defends against injection-style attacks, such as inserting SQL commands into a database application from a site search form?
[Cloud and Web Application Security Concepts]
Input validation provides some mitigation against this type of input being passed to an application via a user form. Output encoding could provide another layer of protection by checking that the query that the script passes to the database is safe.
Which response header provides protection against SSL stripping attacks?
[Cloud and Web Application Security Concepts]
HTTP Strict Transport Security (HSTS)
What vulnerabilities might default error messages reveal?
[Cloud and Web Application Security Concepts]
A default error message might reveal platform information and the workings of the code to an attacker.
How does static code analysis support secure development?
[Cloud and Web Application Security Concepts]
Static code analysis is designed to inspect software at the source-code level to identify and report on insecure coding practices. Static code analysis tools are often incorporated into software development environments to automatically flag insecure code and encourage developers to focus on secure
development practices.
What are the seven processes in the CompTIA incident response lifecycle?
[Incident Response]
Preparation, detection, analysis, containment, eradication, recovery, and lessons learned
True or false? The “first responder” is whoever first reports an incident to the CIRT.
[Incident Response]
False.
The first responder would be the member of the computer incident response team (CIRT) to handle the report.
True or false? It is important to publish all security alerts to all members of staff.
[Incident Response]
False.
Security alerts should be sent to those able to deal with them at a given level of security awareness and on a need-to-know basis
You are providing security consultancy to assist a company with improving incident response procedures. The business manager wants to know why an out-of-band contact mechanism for responders is necessary. What do you say?
[Incident Response]
The response team needs a secure channel to communicate over without alerting the threat actor. There may also be availability issues with the main communication network if it has been affected by the incident.
Your consultancy includes a training segment. What type of incident response exercise will best represent a practical incident handling scenario?
[Incident Response]
A simulation exercise creates an actual intrusion scenario, with a red team performing the intrusion and a blue team attempting to identify, contain, and eradicate it.
What is the significance of the fact that digital evidence is latent?
[Digital Forensics]
The evidence cannot be seen directly but must be interpreted so the validity of the interpreting process must be unquestionable.
You’ve fulfilled your role in the forensic process, and now you plan on handing the evidence over to an analysis team. What important process should you observe during this transition, and why?
[Digital Forensics]
It’s important to uphold a record of how evidence is handled in a chain of custody. The chain of custody will help verify that everyone who handled the evidence is accounted for, including when the evidence was in each person’s custody. This is an important tool in validating the evidence’s integrity.
True or false? To ensure evidence integrity, you must make a hash of the media before making an image.
[Digital Forensics]
True
You must recover the contents of the ARP cache as vital evidence of an on-path attack. Should you shut down the PC and image the hard drive to preserve it?
[Digital Forensics]
No, the ARP cache is stored in memory and will be discarded when the computer is powered off. You can either dump the system memory or run the ARP utility and make a screenshot. In either case, make sure that you record the process and explain your actions.
Your manager has asked you to prepare a summary of the usefulness of different kinds of log data. You have sections for firewall, application, OS-specific security, IPS/IDS, and network logs plus metadata. Following the CompTIA Security+ exam objectives, which additional log data type should you cover?
[Data Sources]
Endpoint logs. These are typically security logs from detection suites that perform antivirus scanning and enforce policies.
You must assess a security monitoring suite for its dashboard functionality. What is the general use of dashboards?
[Data Sources]
A dashboard provides a console to work from for day-to-day incident response. It provides a summary of information drawn from the underlying data sources to support some work task. Most tools allow the configuration of different dashboards for different tasks. A dashboard can show uncategorized events and visualizations of key metrics and status indicators.
True or false? It is not possible to set custom file system audit settings when using security log data.
[Data Sources]
False.
File system audit settings are always configurable. This type of auditing can generate a large amount of data, so the appropriate settings are often different from one context to another.
What type of data source supports frame-by-frame analysis of an event that generated an IDS alert?
[Data Sources]
Packet capture means that the frames of network traffic that triggered an intrusion detection system (IDS) alert are recorded and stored in the monitoring system. The analyst can pivot from the alert to view the frames in a protocol analyzer.
What is the purpose of SIEM?
[Alerting and Monitoring Tools]
Security information and event management (SIEM) products aggregate IDS alerts and host logs from multiple sources, then perform correlation analysis on the observables collected to identify indicators of compromise and alert administrators to potential incidents.
What is the difference between a sensor and a collector, in the context of SIEM?
[Alerting and Monitoring Tools]
A SIEM collector receives log data from a remote host and parses it into a standard format that can be recorded within the SIEM and interpreted for event correlation. A sensor (or sniffer) copies data frames from the network, using either a mirror port on a switch or some type of media tap.
Your company has implemented a SIEM but found that there is no parser for logs generated by the network’s UTM gateway.
Why is a parser necessary?
[Alerting and Monitoring Tools]
Security information and event management (SIEM) aggregates data sources from multiple hosts and appliances, including unified threat management (UTM). A parser translates the event attributes and data used by the UTM to standard fields in the SIEM’s event database. This normalization process is necessary for the correlation of event data generated by different sources.
Your manager has asked you to prepare a summary of the activities that support alerting and monitoring. You have sections for log aggregation, alerting, scanning, reporting, and alert response and remediation/validation (including quarantine and alert tuning).
Following the CompTIA Security+ exam objectives, which additional activity should you cover?
[Alerting and Monitoring Tools]
Archiving means that there is a store of event data that can be called upon for retrospective investigations, such as threat hunting. Archiving also meets compliance requirements to preserve information. As the volume of live data can pose problems for SIEM performance, archived data is often moved to a separate long-term storage area.
You are supporting a SIEM deployment at a customer’s location. The customer wants to know whether flow records can be ingested. What type of monitoring tool generates flow records?
[Alerting and Monitoring Tools]
Flow records are generated by NetFlow or IP Flow Information Export (IPFIX) probes. A flow record is data that matches a flow label, which is a particular combination of keys (IP endpoints and protocol/port types).
You are troubleshooting a user’s workstation. At the computer, an app window displays on the screen claiming that all of your files are encrypted. The app window demands that you make an anonymous payment if you ever want to recover your data.
What type of malware has infected the computer?
[Malware Attack Indicators]
This is some type of ransomware, but you will have to investigate resource inaccessibility to determine whether it is actually crypto-ransomware, or a “scareware” variant that is easier to remediate.
You are recommending different antivirus products to the CEO of a small travel services firm. The CEO is confused because they had heard that Trojans represent the biggest threat to computer security these days.
What explanation can you give?
[Malware Attack Indicators]
While antivirus (A-V) scanner remains a popular marketing description, all current security products worthy of consideration will try to provide protection against a full range of malware and bloatware threats.
You are writing a security awareness blog for company CEOs subscribed to your threat platform.
Why are backdoors and Trojans different ways of classifying and identifying malware risks?
[Malware Attack Indicators]
A Trojan means a malicious program masquerading as something else; a backdoor is a covert means of
accessing a host or network. A Trojan need not necessarily operate a backdoor, and a backdoor can be established by exploits other than using Trojans. The term “remote access Trojan (RAT)” is used for the specific combination of Trojan and backdoor.
You are investigating a business email compromise (BEC) incident. The email account of a developer has been accessed remotely over webmail. Investigating the developer’s workstation finds no indication of a malicious process, but you do locate an unknown USB extension device attached to one of the rear ports. Is this the most likely attack vector, and what type of
malware would it implement?
[Malware Attack Indicators]
It is likely that the USB device implements a hardware-based keylogger. This would not necessarily require any malware to be installed or leave any trace in the file system.
A user’s computer is performing extremely slowly. Upon investigating, you find that a process named n0tepad.exe is utilizing the CPU at rates of 80%-90%. This is accompanied by continual small disk reads and writes to a temporary folder. Should you suspect malware infection, and is any particular class of malware indicated?
[Malware Attack Indicators]
Yes, this is malware as the process name is trying to masquerade as a legitimate process. It is not possible to conclusively determine the type without more investigation, but you might initially suspect a cryptominer/cryptojacker.
Which attack framework provides descriptions of specific TTPs?
[Malware Attack Indicators]
MITRE’s ATT&CK framework
What is an amplification attack?
[Network Attack Indicators]
Where the attacker spoofs the victim’s IP in requests to several reflecting servers (often DNS or NTP servers). The attacker crafts the request so that the reflecting servers respond to the victim’s IP with a large message, overwhelming the victim’s bandwidth.
Why are many network DoS attacks distributed?
[Network Attack Indicators]
Most attacks depend on overwhelming the victim. This typically requires a large number of hosts, or bots.
Users in a particular wireless network segment are complaining that websites are frequently slow to load or unavailable or filled with advertising. On investigation, each host in the segment is set to use an unauthorized DNS resolver. Which attack type is the likely cause for this?
[Network Attack Indicators]
The hosts are likely to be receiving their configuration from a malicious Dynamic Host Configuration Protocol (DHCP) server. This is likely to have been achieved via an on-path attack, such as a rogue access point or evil twin access point.
The security log on a domain controller has recorded numerous unsuccessful attempts to read the NTDS.DIT file by three different client workstation computer accounts. What specific type of attack is this a precursor for?
[Network Attack Indicators]
NTDS.DIT stores credentials for an Active Directory network. Obtaining a copy of it allows a threat actor to perpetrate offline password attacks. An offline password attack could use brute force, dictionary, or hybrid cracking techniques.
How does a replay attack work in the context of session hijacking?
[Application Attack Indicators]
The attacker captures some data, such as a cookie, used to log on or start a session legitimately. The attacker then resends the captured data to re-enable the connection.
You are reviewing access logs on a web server and notice repeated requests for URLs containing the strings %3C and %3E. Is this an event that should be investigated further, and why?
[Application Attack Indicators]
Those strings represent percent encoding (for HTML tag delimiters < and >). This could be an injection attack so should be investigated.
You are improving back-end database security to ensure that requests deriving from front-end web servers are authenticated. What general class of attack is this designed to mitigate?
[Application Attack Indicators]
Server-side request forgery (SSRF) causes a public server to make an arbitrary request to a back-end server. This is made much harder if the threat actor has to defeat an authentication or authorization mechanism between the web server and the database server.
A technician is seeing high volumes of 403 Forbidden errors in a log. What type of network appliance or server is producing these logs?
[Application Attack Indicators]
403 Forbidden is an HTTP status code, so most likely a web server. Another possibility is a web proxy or gateway.
This policy outlines the acceptable ways in which network and computer systems may be used.
[Policies, Standards, and Procedures]
An acceptable use policy defines what constitutes acceptable behavior by users.
Describe the difference between change management and configuration management.
[Policies, Standards, and Procedures]
Change management describes the policies and procedures dictating how changes can be made in the environment. Configuration management describes the technical tools used to manage, enforce, and deploy changes to software and endpoints.
What are a few examples of the types of capabilities that may be included in a password standard?
[Policies, Standards, and Procedures]
Approved hashing algorithms, password salting methods, secure password transmission methods, password reset methods, password manager requirements.
What is the purpose of a backout plan?
[Change Management]
A backout plan is a contingency plan for reversing changes and returning systems and software to their original state if the implementation plan fails.
How are standard operating procedures related to change management?
[Change Management]
SOPs ensure that changes are implemented consistently and effectively.
How do system dependencies impact change management?
[Change Management]
System dependencies describe the interconnection of systems and software. Dependencies may cause an otherwise simple change to have severe and widespread impacts attributed to the fact that a single changed component may break functionality in other systems.
How are APIs important to automation and orchestration?
[Automation and Orchestration]
APIs are the enabling feature allowing different platforms and tools to interact with each other. APIs allow security tools to work together and perform rule-based actions to perform tasks previously handled by security analysts.
What is operator fatigue?
[Automation and Orchestration]
Operator fatigue refers to the mental exhaustion experienced by cybersecurity professionals due to their work’s continuous, high-intensity nature.
Identify a few of the potential issues associated with automation and orchestration.
[Automation and Orchestration]
Complexity, cost, single point of failure, technical debt, and ongoing support burdens
What metric(s) could be used to make a quantitative calculation of risk due to a specific threat to a specific function or asset?
[Risk Management Processes and Concepts]
Single Loss Expectancy (SLE) or Annual Loss Expectancy (ALE). ALE is SLE multiplied by ARO (annual rate of occurrence).
What type of risk mitigation option is offered by purchasing insurance?
[Risk Management Processes and Concepts]
Risk transference
What is a risk register?
[Risk Management Processes and Concepts]
A document highlighting the results of risk assessments in an easily comprehensible format (such as a heat map or “traffic light” grid). Its purpose is for department managers and technicians to understand risks associated with the workflows that they manage.
This describes a contractual provision that grants an organization the authority to conduct audits or assessments of vendor operational practices, information systems, and security controls.
[Vendor Management Concepts]
A right-to-audit clause. The right-to-audit clause supports vendor assessment practices by allowing organizations to validate and verify the vendor’s compliance with contractual obligations, security standards, and regulatory requirements.
Describe the concept of conflict of interest in relationship with vendor management practices.
[Vendor Management Concepts]
A conflict of interest arises when an individual or organization has competing interests or obligations that could compromise their ability to act objectively, impartially, or in the best interest of another party.
This legal contract is a nonbinding agreement that outlines the intentions, shared goals, and general terms of cooperation between parties.
[Vendor Management Concepts]
Memorandum of understanding (MOU). MOUs serve as a preliminary step to establish a common understanding before proceeding with a more formal agreement.
This legal document establishes clear guidelines for the vendor’s behavior, activities, and access to sensitive information.
[Vendor Management Concepts]
Rules of engagement.
These rules define the parameters and expectations for vendor relationships.
These rules outline the responsibilities, communication methods, reporting mechanisms, security requirements,
and compliance obligations that vendors must adhere to.
A website owner wants to evaluate whether the site security mitigates risks from criminal syndicates, assuming no risk of insider threat. What type of penetration testing engagement will most closely simulate this adversary capability and resources?
[Penetration Testing Concepts]
A threat actor has no privileged information about the website configuration or security controls.
This is simulated in an unknown environment penetration test engagement.
Why should an Internet service provider (ISP) be informed before pen testing on a hosted website takes place?
[Penetration Testing Concepts]
ISPs monitor their networks for suspicious traffic and may block the test attempts. The pen test may also involve equipment owned and operated by the ISP and not authorized to be included as part of the assessment.
This type of assessment allows individuals or organizations to evaluate their performance, practices, and adherence to established criteria against predetermined metrics and measures.
[Penetration Testing Concepts]
Self-assessments. Self-assessments help identify strengths, weaknesses, and areas for improvement, enabling individuals or organizations to take proactive measures to enhance their effectiveness and outcomes.
Why are third-party assessments important?
[Penetration Testing Concepts]
The importance of independent third-party audits lies in their ability to offer an external perspective, free from any conflicts of interest or bias.
What range of information classifications could you implement in a data labeling project?
[Data Classification and Compliance]
One set of tags could indicate the degree of confidentiality (public, confidential/secret, or critical/top secret).
Another tagging schema could distinguish proprietary from private/sensitive personal data.
What is meant by privacy information?
[Data Classification and Compliance]
Privacy information is any data that could be used to identify, contact, or locate an individual.
You are reviewing security and privacy issues relating to a membership database for a hobbyist site with a global audience. The site currently collects account details with no further information.
What should be added to be in compliance with data protection regulations?
[Data Classification and Compliance]
The site should add a privacy notice explaining the purposes the personal information is collected and used for. The form should provide a means for the user to give explicit and informed consent to this privacy notice.
You are preparing a briefing paper for customers on the organizational consequences of data and privacy breaches. You have completed sections for reputation damage, identity theft, and IP theft. Following the CompTIA Security+ objectives, what other section should you add?
[Data Classification and Compliance]
Data and privacy breaches can lead legislators or regulators to impose fines. In some cases, these fines can be substantial (calculated as a percentage of turnover).
This state means that the data is in some sort of persistent storage media.
[Data Classification and Compliance]
Data at rest. In this state, it is usually possible to encrypt the data, using techniques such as whole disk encryption, database encryption, and file- or folder-level encryption.
This method of data protection is often associated with payment processing systems.
[Data Classification and Compliance]
Tokenization.
Tokenization replaces sensitive data (such as a credit card number) with a randomly generated token while securely storing the original data in a separate location.
You take an incident report from a user trying to access a REPORT.docx file on a SharePoint site. The file has been replaced by a REPORT.docx.QUARANTINE.txt file containing a policy violation notice.
What is the most likely cause?
[Data Classification and Compliance]
This is typical of a data loss prevention (DLP) policy replacing a file involved in a policy violation with a tombstone file.
Your company has been the victim of several successful phishing attempts over the past year. Attackers managed to steal credentials from these attacks and use them to compromise key systems.
What vulnerability contributed to the success of these social engineers, and why?
[Importance of Personnel Policies]
A lack of proper user training directly contributes to the success of social engineering attempts. Attackers can easily trick users when those users are unfamiliar with the characteristics and ramifications of such deception.
Why should an organization design role-based training programs?
[Importance of Personnel Policies]
Employees have different levels of technical knowledge and different work priorities. This means that a “one size fits all” approach to security training is impractical.
You are planning a security awareness program for a manufacturer. Is a pamphlet likely to be sufficient in terms of resources?
[Importance of Personnel Policies]
Using a diversity of training techniques will boost engagement and retention. Practical tasks, such as phishing simulations, will give attendees more direct experience. Workshops or computer-based training will make it easier to assess whether the training has been completed.
