Technologies and Tools (3) Flashcards

1
Q

You are responsible for security at Acme Company. Recently, 20 new employee network accounts were created, with the default privileges for the network. You have discovered that eight of these have privileges that are not needed for their job tasks. Which security principle best describes how to avoid this problem in the future?

Least privileges

Separation of duties

Implicit deny

A

Implicit deny

The security concept of implicit deny states that a newly created account is, by default, denied all access; the privileges the account actually needs are then explicitly granted when they are requested. Had the 20 accounts been created this way rather than with a default privilege set, the eight accounts with unneeded privileges would not exist. Least privilege (each account holds only the rights its job requires) is the goal; implicit deny is the default-deny starting point that makes that goal achievable. Separation of duties addresses a different problem, splitting a sensitive task among several people

2
Q

Mary is concerned that SIEM logs at her company are not being stored long enough, or securely enough. She is aware that it is possible a breach might not be discovered until long after it occurs. This would require the company to analyze older logs. It is important that Mary find a SIEM log backup solution that can a) handle all the aggregate logs of the SIEM, b) be maintained for a long period of time, and c) be secure. What solution would be best for her?

Back up to large-capacity external drives.

Back up to large-capacity backup tapes.

Back up to WORM storage.

A

Back up to WORM storage.

Write once, read many (WORM) storage is high-capacity storage on which data, once written, cannot be modified or deleted. That meets all three requirements: it can hold the SIEM's aggregate log volume, it is built for long-term retention, and the backups cannot be tampered with after the fact, which also preserves their value as evidence. Ordinary external drives and tapes are rewritable, so an attacker covering tracks, or anyone with a compromised administrator account, could alter or erase them

3
Q

Elizabeth is responsible for SIEM systems in her company. She monitors the company’s SIEM screens every day, checking every hour. What, if any, would be a better approach for her to keep up with issues that appear in the logs?

Automatic alerts

Having logs forwarded to her email

Nothing, this is fine.

A

Automatic alerts

A SIEM aggregates logs from many servers and devices. Reviewing that volume by hand is impractical, and issues will occur while Elizabeth is away from the management console. Automatic alerts on defined conditions (correlation rules, thresholds) are the best way to bring the events that need her attention to her promptly. Forwarding raw logs to email just moves the review problem into her mailbox

4
Q

You are responsible for network security at a university. Faculty members are issued laptops. However, many of the faculty members leave the laptops in their offices most of the time (sometimes even for weeks). You are concerned about theft of laptops. In this scenario, what would be the most cost-effective method of securing the laptops?

GPS tagging

Geofencing

Tethering

A

Tethering

Tethering (a cable lock anchoring the laptop to the desk) is inexpensive and makes an opportunistic theft from an office much harder. GPS tagging and geofencing help locate a device or raise an alert after it has left, but they cost more and do nothing to stop the theft itself. No anti-theft method is foolproof, but tethering is simple, cost effective, and reasonably effective for laptops that mostly stay in one place

5
Q

You work at a defense contracting company. You are responsible for mobile device security. Some researchers in your company use company-issued tablets for work. These tablets may contain sensitive, even classified data. What is the most important security measure for you to implement?

FDE

GPS tagging

Geofencing

A

FDE

Full-disk encryption (FDE) protects data at rest on any device: a lost or stolen tablet yields only ciphertext without the unlock credential or key. In this scenario the sensitive data on the tablets is the primary concern, so FDE is the most important measure. GPS tagging and geofencing help locate a device or alert when it leaves an area, but they do not protect the data on it

6
Q

When using any HIDS/HIPS or NIDS/NIPS, the output is specific to the vendor. However, what is the basic set of information that virtually all HIDSs/HIPSs or NIDSs/NIPSs provide?

IP addresses (sender and receiver), ports (sender and receiver), and protocol

IP addresses (sender and receiver), ports (sender and receiver), and attack type

IP addresses (sender and receiver), ports (sender and receiver), usernames, and machine names

A

IP addresses (sender and receiver), ports (sender and receiver), and protocol

Output from HIDS/HIPS and NIDS/NIPS products is vendor-specific, but all of them record the protocol, the source and destination IP addresses, and the source and destination ports for each event. More may be provided (signature name, severity), but this is the essential basic information every IDS/IPS displays. An attack type is only available when a signature or rule identified one, and usernames and machine names are visible only to host-based sensors

7
Q

You are responsible for firewalls in your company. You are reviewing the output of the gateway firewall. What basic information would any firewall have in its logs?

For all traffic: the source and destination IP and port, protocol, and whether it was allowed or denied

For only blocked traffic: the source and destination IP and port as well as the reason for the traffic being denied/blocked

For all traffic: the source and destination IP and port, whether it was allowed or denied, and the reason it was denied/blocked

A

For all traffic: the source and destination IP and port, protocol, and whether it was allowed or denied

The standard items in any firewall log are the source and destination IP address and port of all traffic, the protocol the traffic is using, and whether that traffic was allowed or denied. A reason for the decision is not universal, and logging only blocked traffic would leave no record of what an attacker was allowed to do

8
Q

Teresa is responsible for incident response at ACME Company. There was a recent breach of the network. The breach was widespread and affected many computers. As part of the incident response process, Teresa will collect the logs from the SIEM, which aggregates logs from 20 servers. Which of the following should she do first?

Event de-duplication

Log forwarding

Identify the nature of the attack

A

Event de-duplication

Because 20 servers feed the SIEM, the same event is frequently recorded more than once: an authentication failure logged by both the domain controller and the application server, or one log line delivered by two collectors. De-duplicating events first gives an accurate count of distinct events and a smaller, cleaner dataset before Teresa tries to identify the nature of the attack. Log forwarding is how the logs reached the SIEM in the first place, not a response step
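Added example (not part of the original flashcards) for cards 6 to 8: parsing the basic fields every firewall or IDS log carries (action, protocol, source and destination IP and port) from constructed iptables-style lines, then de-duplicating exact repeats before analysis. The log format, host names, addresses and function names are assumptions made for this example.

```python
import hashlib
import re
from collections import Counter

# Constructed sample: iptables-style lines as a SIEM might receive them from
# two firewalls.  The first fw1 line arrives twice (once via the syslog
# forwarder, once via the host agent).  The fw1/fw2 ACCEPT lines describe the
# same flow seen by two different devices, which are two distinct events.
SAMPLE_LOGS = """\
Mar  3 10:01:02 fw1 kernel: DENY IN=eth0 SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP SPT=51000 DPT=23
Mar  3 10:01:02 fw1 kernel: DENY IN=eth0 SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP SPT=51000 DPT=23
Mar  3 10:01:05 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.9 DST=10.0.0.7 PROTO=TCP SPT=40222 DPT=22
Mar  3 10:01:05 fw2 kernel: ACCEPT IN=eth1 SRC=198.51.100.9 DST=10.0.0.7 PROTO=TCP SPT=40222 DPT=22
Mar  3 10:01:09 fw1 kernel: DENY IN=eth0 SRC=203.0.113.5 DST=10.0.0.8 PROTO=ICMP TYPE=8
"""

# The fields every firewall/IDS log carries: action, protocol, src/dst IP and
# (for TCP/UDP) src/dst port.  Ports are optional so ICMP lines still parse.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<action>ACCEPT|DENY)\b.*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<sport>\d+) DPT=(?P<dport>\d+))?"
)


def parse_line(line):
    """Return the basic event fields as a dict, or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"]) if ev["sport"] else None
    ev["dport"] = int(ev["dport"]) if ev["dport"] else None
    return ev


def event_key(ev):
    """Stable fingerprint over the fields that define 'the same event'.

    The reporting host is part of the key: the same flow logged by fw1 and
    fw2 is two observations, not a duplicate.
    """
    fields = (ev["ts"], ev["host"], ev["action"], ev["src"], ev["dst"],
              ev["proto"], ev["sport"], ev["dport"])
    return hashlib.sha256("|".join(map(str, fields)).encode()).hexdigest()


def dedupe(lines):
    """Collapse exact repeats, keeping first-seen order and a repeat count."""
    seen, order = {}, []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # in production, count and retain unparsed lines as well
        key = event_key(ev)
        if key in seen:
            seen[key]["count"] += 1
        else:
            ev["count"] = 1
            seen[key] = ev
            order.append(key)
    return [seen[k] for k in order]


def by_source(events):
    """Distinct events per (source IP, action): a first triage view."""
    return Counter((e["src"], e["action"]) for e in events)


if __name__ == "__main__":
    for e in dedupe(SAMPLE_LOGS.splitlines()):
        print(e["count"], e["host"], e["action"], e["proto"],
              e["src"], e["sport"], "->", e["dst"], e["dport"])
```

The key deliberately includes the reporting host and timestamp; dropping the host would merge the two ACCEPT records and hide the fact that the same session crossed two firewalls.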

9
Q

Hector is responsible for NIDS/NIPS in his company. He is configuring a new NIPS solution. What part of the NIPS collects data?

Sensor

Data source

Manager

A

Sensor

In any IDS/IPS (HIDS/HIPS or NIDS/NIPS) the sensors collect the raw data, whether packets on the network segment they monitor or activity on the host they run on, and forward it to the analyzer. The manager is the component that configures sensors and receives alerts; it does not collect data itself

10
Q

Gerald is a network administrator for a small financial services company. He is responsible for controlling access to resources on his network. What mechanism is responsible for blocking access to a resource based on the requesting IP address?

ACL

NIPS

HIPS

A

ACL

An access control list (ACL) lists which requestors are allowed access to which resources. Entries are evaluated in order, the first match decides, and a request that matches no entry is denied (implicit deny). Allowing or blocking requests by source IP address is a common technique. A NIPS or HIPS blocks traffic because it detected an attack, not because of a static list of who may reach a resource

11
Q

Elizabeth is responsible for secure communications at her company. She wants to give administrators the option to log in remotely and to execute command-line functions, but she wants this to only be possible via a secure, encrypted connection. What action should she take on the firewall?

Block port 22 and allow ports 20 and 21.

Block port 22 and allow port 23.

Block port 23 and allow port 22.

A

Block port 23 and allow port 22.

Secure Shell (SSH) uses TCP port 22 and provides an encrypted command-line session. Telnet uses TCP port 23 and sends everything, including credentials, in clear text. Ports 20 and 21 are FTP, which is also unencrypted
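Added example (not part of the flashcard deck) covering cards 10 and 11: a small access control list evaluator with ordered rules, first-match semantics and implicit deny, applied to a rule set that permits SSH (22) only from the internal network and explicitly denies Telnet (23). The rule syntax, the addresses and the helper names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: object            # ipaddress network the requester must fall in
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port


def parse_rule(text):
    """Parse one line of the hypothetical 'action src proto port' syntax."""
    action, src, proto, dport = text.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action in rule: {text!r}")
    return Rule(action, ipaddress.ip_network(src, strict=False),
                proto.lower(), None if dport == "any" else int(dport))


class Acl:
    """Ordered list; first match wins; no match means deny (implicit deny)."""

    def __init__(self, rule_lines):
        self.rules = [parse_rule(l) for l in rule_lines
                      if l.strip() and not l.lstrip().startswith("#")]

    def evaluate(self, src_ip, proto, dport):
        """Return (action, index of the matching rule, or None for implicit deny)."""
        ip = ipaddress.ip_address(src_ip)
        for i, r in enumerate(self.rules):
            if (ip.version == r.src.version and ip in r.src
                    and r.proto in ("any", proto.lower())
                    and r.dport in (None, dport)):
                return r.action, i
        return "deny", None

    def shadowed(self):
        """Indexes of rules that can never match because an earlier rule covers them."""
        out = []
        for i, r in enumerate(self.rules):
            for e in self.rules[:i]:
                if (r.src.version == e.src.version and r.src.subnet_of(e.src)
                        and e.proto in ("any", r.proto) and e.dport in (None, r.dport)):
                    out.append(i)
                    break
        return out


# Constructed rule set for the two scenarios above.  Addresses are examples.
ADMIN_RULES = [
    "deny  203.0.113.0/24  any any",   # known-hostile range: before any broad allow
    "allow 10.0.0.0/8      tcp 22",    # SSH, but only from the internal network
    "deny  0.0.0.0/0       tcp 23",    # Telnet: explicit deny so it is logged distinctly
    "allow 0.0.0.0/0       tcp 443",   # public HTTPS
]
ACL = Acl(ADMIN_RULES)

if __name__ == "__main__":
    for req in (("10.1.2.3", "tcp", 22), ("198.51.100.9", "tcp", 22),
                ("10.1.2.3", "tcp", 23), ("203.0.113.5", "tcp", 443)):
        print(req, "->", ACL.evaluate(*req))
```

Note the order: had the hostile-range deny been placed after the HTTPS allow, `shadowed()` would not flag it (it still matches UDP), yet 203.0.113.5 would reach port 443. Broad allows belong after every specific deny.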

12
Q

Mark is looking for a proxy server for his network. The purpose of the proxy server is to ensure that the web servers are hidden from outside clients. All of the different web servers should appear to the outside world as if they were the proxy server. What type of proxy server would be best for Mark to consider?

Forward

Reverse

Transparent

A

Reverse

A reverse proxy sits in front of one or more web servers and retrieves resources from them on behalf of clients. To the outside world every response appears to come from the proxy itself, so the real web servers, their addresses and even how many there are stay hidden. A forward proxy does the opposite, acting on behalf of internal clients reaching outside servers, and a transparent proxy intercepts traffic without the client being configured for it

13
Q

Your company has hired an outside security firm to perform various tests of your network. During the vulnerability scan you will provide that company with logins for various systems (i.e., database server, application server, web server, etc.) to aid in their scan. What best describes this?

A white-box test

A credentialed scan

A logged-in scan

A

A credentialed scan

By giving the testers logins you enable a credentialed (authenticated) scan: the scanner logs in to each host and can check installed software, patch levels and configuration from the inside, which finds far more than an unauthenticated scan of exposed services. A white-box test means the tester has full knowledge of the environment (source code, architecture, documentation), not merely credentials, and "logged-in scan" is not the standard term

14
Q

Lars is responsible for incident response at ACME Company. He is particularly concerned about the network segment that hosts the corporate web servers. He wants a solution that will detect potential attacks and notify the administrator so the administrator can take whatever action he or she deems appropriate. Which of the following would be the best solution for Lars?

HIDS

HIPS

NIDS

A

NIDS

A network intrusion detection system (NIDS) detects suspected attacks on a given network segment and notifies the administrator, leaving the response to a human. For example, with anomaly-based detection the administrator is notified of any deviation from the expected traffic pattern or behavior. A HIDS sees only the host it is installed on, and a HIPS would block rather than just notify

15
Q

Mia is responsible for security devices at her company. She is concerned about detecting intrusions. She wants a solution that would work across entire network segments. However, she wants to ensure that false positives do not interrupt work flow. What would be the best solution for Mia to consider?

HIDS

HIPS

NIDS

A

NIDS

A network intrusion detection system (NIDS) detects intrusions across a network segment but does not block traffic, so a false positive produces an alert rather than an interrupted workflow. A HIDS covers only one host, and an IPS of either kind blocks what it flags, false positives included
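Added example, not from the original deck: the anomaly-based detection that cards 14 and 15 describe, as detect-only logic over constructed per-minute connection records. A baseline is learned from ordinary traffic, and any source whose connection count in a minute deviates from it by more than three standard deviations produces an alert; nothing is blocked, which is why the marginal second alert below costs nobody their session. Addresses, the threshold and the function names are assumptions for this example.

```python
import statistics
from collections import Counter

# Constructed flow records (minute, source IP, destination port) as a network
# sensor on the web segment might summarise them.  The baseline window is
# five minutes of ordinary browsing from two clients.
BASELINE_FLOWS = []
for _minute, _per_source in enumerate([(3, 4), (5, 3), (4, 6), (2, 5), (4, 3)]):
    for _src, _n in zip(("198.51.100.9", "192.0.2.10"), _per_source):
        BASELINE_FLOWS += [(_minute, _src, 443)] * _n

# The minute under observation: a new client suddenly opens 40 connections
# and a known client is a little busier than usual.
OBSERVED_FLOWS = ([(5, "198.51.100.9", 443)] * 5
                  + [(5, "203.0.113.5", 443)] * 40
                  + [(5, "192.0.2.10", 443)] * 8)


def connections_per_minute(flows):
    """Count connections per (source, minute)."""
    return Counter((src, minute) for minute, src, _port in flows)


def build_baseline(flows):
    """Mean and sample standard deviation of per-source-minute connection counts."""
    values = list(connections_per_minute(flows).values())
    return statistics.mean(values), statistics.stdev(values)


def detect(flows, mean, stdev, threshold=3.0):
    """Detect-only: return alerts for sources whose count deviates from baseline.

    Nothing is blocked; a NIDS hands this list to the administrator.
    """
    alerts = []
    for (src, minute), n in connections_per_minute(flows).items():
        z = (n - mean) / stdev
        if z > threshold:
            alerts.append({"minute": minute, "src": src,
                           "connections": n, "z": round(z, 1)})
    return sorted(alerts, key=lambda a: -a["z"])


if __name__ == "__main__":
    mean, stdev = build_baseline(BASELINE_FLOWS)
    for a in detect(OBSERVED_FLOWS, mean, stdev):
        print(f"ALERT minute {a['minute']}: {a['src']} opened "
              f"{a['connections']} connections (z={a['z']})")
```

With this baseline the 40-connection burst scores a z of about 30 and the 8-connection minute about 3.4: the first is clearly worth a look, the second is the kind of marginal hit an IPS would have blocked but a NIDS merely reports.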

16
Q

Abigail is a security manager for a small company. Many employees want to use handheld devices, such as smartphones and tablets. The employees want to use these devices both for work and outside of work. Abigail is concerned about security issues. Which of the following would be the most secure solution?

COPE

CYOD

Geotagging

A

COPE

Corporate-owned, personally enabled (COPE) devices provide the most security because the company owns and provisions the equipment. It can therefore control the device fully through mobile device management, for example preventing carrier unlocking, disabling the microphone and camera, and blocking Wi-Fi Direct and ad hoc Wi-Fi, while still permitting personal use. With choose your own device (CYOD) the employee selects from an approved list and control is less uniform, and geotagging is a feature (location data embedded in photos and posts) rather than a deployment model

17
Q

You are responsible for always-on VPN connectivity for your company. You have been told that you must use the most secure mode for IPSec that you can. Which of the following would be the best for you to select?

Tunneling

IKE

Transport

A

Tunneling

In tunnel mode IPSec encrypts the entire original packet, header and data, and wraps it in a new IP packet addressed between the two VPN gateways. Someone sniffing the traffic sees only the outer gateway addresses, not the real endpoints, ports or protocol, so far less metadata leaks than in transport mode, which encrypts only the payload and leaves the original IP header visible. IKE is not a mode at all; it is the key-exchange protocol used to negotiate the security associations for either mode

18
Q

Debra is the network administrator for her company. Her company’s web servers are all in a cluster. Her concern is this: if one of the servers in the cluster fails, will the backup server be capable of running for a significant amount of time? She wants to make sure that the backup won’t soon fail. What would be her best choice in clustering?

Active-active

Affinity

Active-passive

A

Active-passive

In an active-passive cluster the backup servers handle no workload; they are brought into service only if the primary fails. The backup has therefore not been subjected to production load or wear and is effectively a fresh machine when it takes over. In an active-active cluster every node is already carrying load, so a failover adds work to servers that may themselves be near capacity. Affinity is a load-balancing setting that keeps a client's session on the same server, not a cluster type

19
Q

Omar is responsible for wireless security in his company. He wants completely different WiFi access (i.e., a different SSID, different security levels, and different authentication methods) in different parts of the company. What would be the best choice for Omar to select in WAPs?

Fat

Thin

Repeater

A

Fat

A fat (autonomous) wireless access point contains all the functionality needed to run itself: its own configuration, forwarding between wired and wireless interfaces like a layer 2 or layer 3 switch, MAC filtering, and so on, with no controller or other device required. Since each of Omar's WAPs needs a different SSID, security level and authentication method, independently configured fat WAPs are the better fit. Thin WAPs depend on a central wireless controller, which is designed for centrally managed and typically uniform configuration, and a repeater only extends an existing signal

20
Q

Lilly is a network administrator for a medium-sized financial services company. She wants to implement company-wide encryption and digital signing of emails. But she is concerned about cost, since there is a very limited budget for this. What would be her best choice?

S/MIME

IMAPS

PGP

A

PGP

Pretty Good Privacy (PGP), and free implementations of the OpenPGP standard such as GnuPG, is well suited to email security. It signs and encrypts messages with key pairs the users generate themselves and trust through a web of trust, so there is no certificate authority to pay or operate, which makes it very low cost. S/MIME provides the same functions but relies on X.509 certificates issued by a CA, and IMAPS only encrypts the connection between the mail client and the server, not the messages themselves

21
Q

Edward is a security manager for a bank. He has recently been reading a great deal about malware that accesses system memory. He wants to find a solution that would stop programs from utilizing system memory. Which of the following would be the best solution?

DEP

FDE

UTM

A

DEP

Data Execution Prevention (DEP) marks memory pages that hold data (the stack, the heap) as non-executable, so code that a memory-based exploit injects into those regions cannot run; on modern CPUs this is enforced by the hardware NX/XD bit. Note that DEP does not stop programs from using memory in general, only from executing code out of data pages. On Windows it is enabled per process or system-wide (policies such as OptIn and AlwaysOn) and does not require the end user to approve program execution. FDE protects data at rest and a UTM is a network appliance; neither addresses attacks in memory

22
Q

Sarah is the CIO for a small company. She recently had the entire company’s voice calls moved to VoIP. Her new VoIP system is using SIP with RTP. What might be the concern with this?

SIP is not secure.

RTP is not secure.

RTP is too slow.

A

RTP is not secure.

Real-time Transport Protocol (RTP) carries the voice and video streams but provides no encryption, so anyone who can sniff the segment can reconstruct calls. Secure Real-time Transport Protocol (SRTP) should be used instead. SIP handles call setup rather than the media itself; it should also be carried over TLS, but in this scenario the unencrypted media stream is the concern. RTP is designed for real-time delivery and is not too slow

23
Q

Emiliano is a network administrator for a large web-hosting company. His company also issues digital certificates to web-hosting clients. He wants to ensure that a digital certificate will not be used once it has been revoked. He also wants to ensure that there will be no delay between when the certificate is revoked and when browsers are made aware that it is revoked. What solution would be best for this?

OCSP

X.509

CRL

A

OCSP

Online Certificate Status Protocol (OCSP) checks a certificate's status in near real time: when the browser receives a server certificate during the TLS handshake, it asks the issuing CA's OCSP responder about that certificate's serial number before trusting it. A certificate revocation list (CRL) is a published list that clients download periodically, so a revocation is only seen when the next list is fetched. X.509 is the certificate format, not a revocation mechanism. In practice OCSP responses carry a validity period and may be cached, and many servers use OCSP stapling to send a fresh response along with the certificate, but OCSP is still the option with the least delay

24
Q

Elizabeth is responsible for security at a defense contracting company. She is concerned about users within her network exfiltrating data by attaching sensitive documents to emails. What solution would best address this concern?

Email encryption

USB blocking

Content filtering

A

Content filtering

Content filtering is usually thought of as filtering the content users view, but the same inspection can be applied to content that is sent out. A content filter or data loss prevention (DLP) rule on the mail gateway inspects outgoing messages and their attachments for sensitive material (classification markings, document identifiers, restricted file types) and blocks or quarantines them, so it directly mitigates exfiltration by email attachment. Email encryption would protect the message in transit but not stop it leaving, and USB blocking addresses a different channel
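Added example, not from the flashcards: an outbound mail content filter of the kind card 24 describes, built with Python's standard email library. It inspects only mail with an external recipient, scanning the subject, body and every attachment for classification markings and a document-control identifier. The internal domain acme.example, the marking list, the DOC-ID pattern and the three messages are assumptions constructed for this example.

```python
import re
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# Hypothetical policy: mail to any other domain counts as outbound.
INTERNAL_DOMAINS = {"acme.example"}
# Classification markings and a hypothetical document-control identifier.
MARKING_RE = re.compile(r"\b(TOP SECRET|SECRET|CONFIDENTIAL|CUI)\b")
DOC_ID_RE = re.compile(r"\bDOC-ID:\s*ACME-\d{6}\b")


def build_message(sender, to, subject, body, attachment=None):
    """Construct a test message; attachment is (filename, bytes)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


def scan_text(text, where):
    """Return one finding string per marking or document ID in text."""
    findings = []
    for rx, label in ((MARKING_RE, "classification marking"),
                      (DOC_ID_RE, "document-control ID")):
        for m in rx.finditer(text):
            findings.append(f"{where}: {label} '{m.group(0)}'")
    return findings


def external_recipients(msg):
    pairs = getaddresses([str(msg.get("To", "")), str(msg.get("Cc", ""))])
    return [addr for _, addr in pairs
            if addr and addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def inspect(msg):
    """Return ('allow' | 'block', findings).  Only outbound mail is inspected."""
    if not external_recipients(msg):
        return "allow", []
    findings = scan_text(str(msg.get("Subject", "")), "subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        findings += scan_text(body.get_content(), "body")
    for part in msg.iter_attachments():
        raw = part.get_payload(decode=True) or b""
        # Real deployments would extract text from Office/PDF formats here.
        findings += scan_text(raw.decode("utf-8", errors="ignore"),
                              f"attachment {part.get_filename()}")
    return ("block" if findings else "allow"), findings


# Constructed messages: the same marked document sent internally and externally,
# plus harmless external mail.
DOC = b"CONFIDENTIAL\nDOC-ID: ACME-004512\nRadar module design notes\n"
INTERNAL = build_message("alice@acme.example", "bob@acme.example",
                         "Q3 status", "Attached.", ("design.txt", DOC))
LEAK = build_message("alice@acme.example", "friend@mail.example",
                     "for you", "Have a look.", ("design.txt", DOC))
BENIGN = build_message("alice@acme.example", "vendor@mail.example",
                       "lunch", "Thursday works.")

if __name__ == "__main__":
    for name, m in (("internal", INTERNAL), ("leak", LEAK), ("benign", BENIGN)):
        print(name, inspect(m))
```

The filter keys on markings and identifiers that the organisation itself puts on documents; that is what makes DLP workable, since the gateway cannot otherwise judge how sensitive an arbitrary attachment is.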

25
Q

Victor is concerned about data security on BYOD and COPE. He is concerned specifically about data exposure should the device become lost or stolen. Which of the following would be most effective in countering this concern?

Screen lock

GPS tagging

Device encryption

A

Device encryption

Encrypting a mobile device is the best way to keep the data on it confidential: if the device is stolen or simply misplaced, the data cannot be read without the unlock credential or key. A screen lock protects only the user interface, and an attacker with the hardware can attempt to read the storage directly, which encryption defeats. GPS tagging helps locate the device but does nothing for the data on it

26
Q

Mary is a network administrator for ACME Company. She sometimes needs to run a packet sniffer so that she can view the network traffic. She wants to find a well-known packet sniffer that works on Linux. Which of the following would be her best choice?

Ophcrack

Wireshark

Tcpdump

A

Tcpdump

Tcpdump is a widely used command-line packet sniffer for Unix-like systems, including Linux (it originated on BSD, and WinDump is the Windows port). It runs from the shell and dumps the current network traffic, optionally filtered with BPF expressions and written to a capture file for later analysis. Wireshark also runs on Linux but is primarily a graphical analyzer, and Ophcrack is a password cracker, not a sniffer

27
Q

Daryll has been using a packet sniffer to observe traffic on his company’s network. He has noticed that traffic between the web server and the database server is sent in clear text. He wants a solution that will not only encrypt that traffic, but also leverage the existing digital certificate infrastructure his company has. Which of the following would be the best solution for Daryll?

TLS

SSL

IPSec

A

TLS

Transport Layer Security (TLS) can secure almost any network communication (HTTP, LDAP, SMTP, database connections, etc.) and authenticates endpoints with X.509 digital certificates, so it fits the existing certificate infrastructure directly. SSL is the deprecated predecessor of TLS and should not be deployed. IPSec could encrypt the traffic at the network layer, but it is configured between hosts or gateways rather than in the applications, and it would not use the web and database servers' existing certificates as naturally

28
Q

Jarod is concerned about DLP in his organization. Employees all have cloud-based solutions for data storage. What DLP-related security hazard, if any, might this create?

No security hazard

Malware from the cloud

Data exfiltration through the cloud

A

Data exfiltration through the cloud

Cloud storage places data outside the network, where it can be reached from anywhere, including after an employee leaves or an account is compromised. For data loss prevention (DLP) that is a hazard: a sync client or a browser upload is a convenient channel for exfiltrating data, and the DLP controls on the corporate network never see the data again once it is in the cloud unless the upload itself is inspected

29
Q

Derrick is a network administrator for a large company. The company network is segmented into zones of high security, medium security, low security, and the DMZ. He is concerned about external intruders and wishes to install a honeypot. Which is the most important zone to put the honeypot in?

High security

Low security

DMZ

A

DMZ

The DMZ is the best location for a honeypot when the concern is outside intruders. An intruder is likely to breach the outer firewall into the DMZ first; a honeypot there can attract and record the attacker's activity, giving early warning and occupying him or her before any attempt to go further into the network. A honeypot in the high-security zone would only catch an attacker who had already penetrated deep