Topic 2 Flashcards
A portable data storage device has been determined to have malicious firmware.
Which of the following is the BEST course of action to ensure data confidentiality?
Format the device
Re-image the device
Perform virus scan in the device
Physically destroy the device
Perform virus scan in the device
Before an infection was detected, several of the infected devices attempted to access a URL that was similar to the company name but with two letters transposed. Which of the following BEST describes the attack vector used to infect the devices?
Cross-site scripting
DNS poisoning
Typo squatting
URL hijacking
Typo Squatting
An organization is comparing and contrasting migration from its standard desktop configuration to the newest version of the platform. Before this can happen, the Chief Information Security Officer (CISO) voices the need to evaluate the functionality of the newer desktop platform to ensure interoperability with existing software in use by the organization. In which of the following principles of architecture and design is the CISO engaging?
Dynamic analysis
Change management
Baselining
Waterfalling
Change Management
An information security analyst needs to work with an employee who can answer questions about how data for a specific system is used in the business. The analyst should seek out an employee who has the role of:
steward
owner
privacy officer
systems administrator
Owner
A new mobile application is being developed in-house. Security reviews did not pick up any major flaws; however, vulnerability scanning results show fundamental issues at the very end of the project cycle. Which of the following security activities should also have been performed to discover vulnerabilities earlier in the lifecycle?
Architecture review
Risk assessment
Protocol analysis
Code review
Code Review
A bank requires tellers to get manager approval when a customer wants to open a new account. A recent audit shows that there have been four cases in the previous year where tellers opened accounts without management approval. The bank president thought separation of duties would prevent this from happening.
In order to implement a true separation of duties approach the bank could:
Require the use of two different passwords held by two different individuals to open an account
Administer account creation on a role based access control approach
Require all new accounts to be handled by someone else other than a teller since they have different duties
Administer account creation on a rule based access control approach
Require all new accounts to be handled by someone else other than a teller since they have different duties.
Which of the following must be intact for evidence to be admissible in court?
Chain of custody
Order of volatility
Legal hold
Preservation
Chain of Custody
A systems administrator has finished configuring a firewall ACL to allow access to a new web server. The security administrator confirms from the following packet capture that there is network traffic from the internet to the web server:
The company’s internal auditor issues a security finding and requests that immediate action be taken. With which of the following is the auditor MOST concerned?
Misconfigured firewall
Clear text credentials
Implicit deny
Default configuration
Clear text credentials
An audit takes place after company-wide restructuring, in which several employees changed roles. The following deficiencies are found during the audit regarding access to confidential data:
Which of the following would be the BEST method to prevent similar audit findings in the future?
Implement separation of duties for the payroll department.
Implement a DLP solution on the payroll and human resources servers.
Implement rule-based access controls on the human resources server.
Implement regular permission auditing and reviews.
Implement separation of duties for the payroll department.
Which of the following cryptographic algorithms is irreversible?
RC4
SHA-256
DES
AES
SHA-256
A workstation puts out a network request to locate another system. Joe, a hacker on the network, responds before the real system does, and he tricks the workstation into communicating with him. Which of the following BEST describes what occurred?
The hacker used a race condition.
The hacker used a pass-the-hash attack.
The hacker exploited improper key management.
The hacker exploited weak switch configuration.
The hacker exploited weak switch configuration
A security administrator is trying to encrypt communication. For which of the following reasons should the administrator take advantage of the Subject Alternative Name (SAN) attribute of a certificate?
It can protect multiple domains
It provides extended site validation
It does not require a trusted certificate authority
It protects unlimited subdomains
It provides extended site validation
A company was recently audited by a third party. The audit revealed the company’s network devices were transferring files in the clear. Which of the following protocols should the company use to transfer files?
HTTPS
LDAPS
SCP
SNMPv3
SCP
An organization’s primary datacenter is experiencing a two-day outage due to an HVAC malfunction. The node located in the datacenter has lost power and is no longer operational, impacting the ability of all users to connect to the alternate datacenter. Which of the following BIA concepts BEST represents the risk described in this scenario?
SPoF
RTO
MTBF
MTTR
SPoF (Single Point of Failure)
A Chief Executive Officer (CEO) suspects someone in the lab testing environment is stealing confidential information after working hours when no one else is around. Which of the following actions can help to prevent this specific threat?
Implement time-of-day restrictions.
Audit file access times.
Secretly install a hidden surveillance camera.
Require swipe-card access to enter the lab.
Require swipe-card access to enter the lab
An attacker discovers a new vulnerability in an enterprise application. The attacker takes advantage of the vulnerability by developing new malware. After installing the malware, the attacker is provided with access to the infected machine.
Which of the following is being described?
Zero-day exploit
Remote code execution
Session hijacking
Command injection
Zero-day exploit
A technician is configuring a wireless guest network. After applying the most recent changes, the technician finds the new devices can no longer find the wireless network by name, but existing devices are still able to use the wireless network.
Which of the following security measures did the technician MOST likely implement to cause this scenario?
Deactivation of SSID broadcast
Reduction of WAP signal output power
Activation of 802.1X with RADIUS
Implementation of MAC filtering
Beacon interval was decreased
Deactivation of SSID broadcast
Technicians working with servers hosted at the company’s datacenter are increasingly complaining of electric shocks when touching metal items which have been linked to hard drive failures.
Which of the following should be implemented to correct this issue?
Decrease the room temperature
Increase humidity in the room
Utilize better hot/cold aisle configurations
Implement EMI shielding
Increase humidity in the room
A development team has adopted a new approach to projects in which feedback is iterative and multiple iterations of deployments are provided within an application’s full life cycle. Which of the following software development methodologies is the development team using?
Waterfall
Agile
Rapid
Extreme
Agile
Audit logs from a small company’s vulnerability scanning software show the following findings:
Destinations scanned:
- Server001 - Internal human resources payroll server
- Server101 - Internet-facing web server
- Server201 - SQL server for Server101
- Server301 - Jumpbox used by systems administrators, accessible from the internal network
Validated vulnerabilities found:
- Server001 - Vulnerable to buffer overflow exploit that may allow attackers to install software
- Server101 - Vulnerable to buffer overflow exploit that may allow attackers to install software
- Server201 - OS updates not fully current
- Server301 - Accessible from internal network without the use of jumpbox
- Server301 - Vulnerable to highly publicized exploit that can elevate user privileges
Assuming external attackers who are gaining unauthorized information are of the highest concern, which of the following servers should be addressed FIRST?
Server001
Server101
Server201
Server301
Server101
A systems administrator wants to protect data stored on mobile devices that are used to scan and record assets in a warehouse. The control must automatically destroy the secure container of mobile devices if they leave the warehouse. Which of the following should the administrator implement? (Select two.)
Geofencing
Remote wipe
Near-field communication
Push notification services
Containerization
Geofencing
Containerization
A security analyst notices anomalous activity coming from several workstations in the organization. Upon identifying and containing the issue, which of the following should the security analyst do NEXT?
Document and lock the workstations in a secure area to establish chain of custody
Notify the IT department that the workstations are to be reimaged and the data restored for reuse
Notify the IT department that the workstations may be reconnected to the network for the users to continue working
Document findings and processes in the after-action and lessons learned report
Document findings and processes in the after-action and lessons learned report
A security administrator is creating a subnet on one of the corporate firewall interfaces to use as a DMZ which is expected to accommodate at most 14 physical hosts.
Which of the following subnets would BEST meet the requirements?
- 192.168.0.16 255.255.255.248
- 192.168.0.16/28
- 192.168.1.50 255.255.255.240
- 192.168.2.32/27
192.168.0.16/28
A security administrator returning from a short vacation receives an account lock-out message when attempting to log into the computer. After getting the account unlocked, the security administrator immediately notices a large number of email alerts pertaining to several different user accounts being locked out during the past three days. The security administrator uses system logs to determine that the lock-outs were due to a brute force attack on all accounts that had previously logged into that machine.
Which of the following can be implemented to reduce the likelihood of this attack going undetected?
Password complexity rules
Continuous monitoring
User access reviews
Account lockout policies
Continuous monitoring
A group of non-profit agencies wants to implement a cloud service to share resources with each other and minimize costs. Which of the following cloud deployment models BEST describes this type of effort?
Public
Hybrid
Community
Private
Community
Joe, a security administrator, needs to extend the organization’s remote access functionality to be used by staff while travelling. Joe needs to maintain separate access control functionalities for internal, external, and VOIP services. Which of the following represents the BEST access technology for Joe to use?
RADIUS
TACACS+
Diameter
Kerberos
TACACS+
An administrator has concerns regarding the traveling sales team who works primarily from smart phones. Given the sensitive nature of their work, which of the following would BEST prevent access to the data in case of loss or theft?
Enable screensaver locks when the phones are not in use to prevent unauthorized access
Configure the smart phones so that the stored data can be destroyed from a centralized location
Configure the smart phones so that all data is saved to removable media and kept separate from the device
Enable GPS tracking on all smart phones so that they can be quickly located and recovered
Configure the smart phones so that the stored data can be destroyed from a centralized location.
A company is developing a new system that will unlock a computer automatically when an authorized user sits in front of it, and then lock the computer when the user leaves. The user does not have to perform any action for this process to occur. Which of the following technologies provides this capability?
Facial recognition
Fingerprint scanner
Motion detector
Smart cards
Facial recognition
After a merger between two companies, a security analyst has been asked to ensure that the organization’s systems are secured against infiltration by any former employees who were terminated during the transition.
Which of the following actions are MOST appropriate to harden applications against infiltration by former employees? (Select TWO)
Monitor VPN client access
Reduce failed login out settings
Develop and implement updated access control policies
Review and address invalid login attempts
Increase password complexity requirements
Assess and eliminate inactive accounts
Develop and implement updated access control policies
Assess and eliminate inactive accounts
A Chief Financial Officer (CFO) has asked the Chief Information Security Officer (CISO) to provide responses to a recent audit report detailing deficiencies in the organization’s security controls. The CFO would like to know ways in which the organization can improve its authorization controls. Given the request by the CFO, which of the following controls should the CISO focus on in the report? (Select Three)
Password complexity policies
Hardware tokens
Biometric systems
Role-based permissions
One time passwords
Separation of duties
Multifactor authentication
Single sign-on
Least privilege
Role-based permissions
Separation of duties
Least privilege
A copy of a highly confidential salary report was recently found on a printer in the IT department. The human resources department does not have this specific printer mapped to its devices, and it is suspected that an employee in the IT department browsed to the share where the report was located and printed it without authorization. Which of the following technical controls would be the BEST choice to immediately prevent this from happening again?
Implement a DLP solution and classify the report as confidential, restricting access only to human resources staff
Restrict access to the share where the report resides to only human resources employees and enable auditing
Have all members of the IT department review and sign the AUP and disciplinary policies
Place the human resources computers on a restricted VLAN and configure the ACL to prevent access from the IT department
Restrict access to the share where the report resides to only human resources employees and enable auditing.
Which of the following types of attacks precedes the installation of a rootkit on a server?
Pharming
DDoS
Privilege escalation
DoS
Privilege escalation
A dumpster diver recovers several hard drives from a company and is able to obtain confidential data from one of the hard drives. The company then discovers its information is posted online. Which of the following methods would have MOST likely prevented the data from being exposed?
Removing the hard drive from its enclosure
Using software to repeatedly rewrite over the disk space
Using Blowfish encryption on the hard drives
Using magnetic fields to erase the data
Using magnetic fields to erase the data
A financial analyst is expecting an email containing sensitive information from a client. When the email arrives, the analyst receives an error and is unable to open the encrypted message. Which of the following is the MOST likely cause of the issue?
The S/MIME plug-in is not enabled
The SSL certificate has expired
Secure IMAP was not implemented
POP3S is not supported
Secure IMAP was not implemented
An organization uses SSO authentication for employee access to network resources. When an employee resigns, as per the organization’s security policy, the employee’s access to all network resources is terminated immediately. Two weeks later, the former employee sends an email to the help desk for a password reset to access payroll information from the human resources server. Which of the following represents the BEST course of action?
Approve the former employee’s request, as a password reset would give the former employee access to only the human resources server.
Deny the former employee’s request, since the password reset request came from an external email address.
Deny the former employee’s request, as a password reset would give the employee access to all network resources.
Approve the former employee’s request, as there would not be a security issue with the former employee gaining access to network resources.
Deny the former employee’s request, as a password reset would give the employee access to all network resources.
A Chief Information Officer (CIO) drafts an agreement between the organization and its employees. The agreement outlines ramifications for releasing information without consent and/or approvals. Which of the following BEST describes this type of agreement?
ISA
NDA
MOU
SLA
NDA
During a routine audit, it is discovered that someone has been using a stale administrator account to log into a seldom-used server. The person has been using the server to view inappropriate websites that are prohibited to end users.
Which of the following could best prevent this from occurring again?
Credential management
Group policy management
Acceptable use policy
Account expiration policy
Group policy management
Which of the following should identify critical systems and components?
MOU
BPA
ITCP
BCP
BCP (business continuity plan)
A manager suspects that an IT employee with elevated database access may be knowingly modifying financial transactions for the benefit of a competitor. Which of the following practices should the manager implement to validate the concern?
Separation of duties
Mandatory vacations
Background checks
Security awareness training
Separation of duties
A user of the wireless network is unable to gain access to the network. The symptoms are:
1. Unable to connect to both internal and Internet resources
2. The wireless icon shows connectivity but has no network access
The wireless network is WPA2 Enterprise and users must be a member of the wireless security group to authenticate.
Which of the following is the MOST likely cause of the connectivity issues?
The wireless signal is not strong enough
A remote DDoS attack against the RADIUS server is taking place
The user’s laptop only supports WPA and WEP
The DHCP scope is full
The dynamic encryption key did not update while the user was offline
The wireless signal is not strong enough