Tricky Questions

Question 1

Users of a mobile app authenticate with username, password, and the app logs their location (from GPS). How many different authentication factors is this using?

Answer 1

ONE!
Username and password are both something you know. While the app logs the GPS location, it doesn’t say that the auth process even looks at it.

Question 2

A company has several contractors who work for about one week each quarter. What should be done with their accounts when they aren’t actively working for the company?

Answer 2

Disable the accounts. That leave the data there, and it’s easy to enable them again when the contractor is actively working again.

Question 3

A company needs a strong authentication and authorization system that protects privacy of data, and that allows employees to use SSO. What should they use? Choices are OpenID, SAML, Kerberos, RADIUS

Answer 3

Kerberos.

OpenID is for Internet, not internal networks. SAML is for web apps. RADIUS is for remote access clients.

Question 4

Which protocol is best for encrypting confidential data transferred over internal network? Choices are FTP, SSH, SNMPv3, SRTP

Answer 4

SSH

Question 5

Which protocol is best for collecting network device configuration and statistics while protecting the confidentiality of the credentials used to connect to the devices? Choices are SSH, FTPS, SNMPv3, TLS

Answer 5

SNMPv3
This is Simple Network Management Protocol version 3. It has strong authentication mechanisms. None of the other choices monitor network devices.

Question 6

Which type of device would be likely to use these as part of its configuration?
permit IP any any eq 80
permit IP any any eq 443
deny IP any any

Choices are firewall, proxy server, web server, jump server.

Answer 6

Firewall.

While this is a good configuration to protect a web server, it gets put on the firewall, not the web server itself.

Question 7

A firewall protects subnet 10.0.1.0/24. It needs to use only secure protocols for remote management. It needs to block cleartext web traffic.

Which of the following rules already on this firewall needs to be changed to do this?
HTTPS Outbound, Any, 10.0.1.0/24, HTTPS, allow
HTTP Outbound, Any, 10.0.1.0/24, HTTP, allow
DNS, Any, 10.0.1.0/24, DNS, allow
HTTPS Inbound, 10.0.1.0/24, HTTPS, allow
HTTP Inbound, 10.0.1.0/24, HTTP, block
Telnet, 10.0.3.0/24, Telnet, allow
SSH, 10.0.1.0/24, Any, SSH, allow

Answer 7

HTTP Outbound, because that is cleartext web traffic and it is set to allow. That should be blocked.

Yes, Telnet should not be allowed ANYWHERE, however since that rule is for 10.0.3.0/24 subnet, and this router is protecting 10.0.1.0/24, it won’t ever be handling that traffic. Tricky question indeed.

Question 8

A power plant has several standalone computers used to verify proper operation of various processes. Employees log into these computers using local accounts. We want to make sure these computers have no access to the internet, and cannot be connected to the organization’s network. What’s the best choice among:

• air gap the computers
• place the computers in a screened subnet
• create a separate isolated network for these computers
• place the computers in a VLAN

Answer 8

Air gap.
Both screened subnet and VLAN would add a risk of connections to the larger network and the internet. A separate isolated network would technically work however there is no stated need for the computers to communicate with each other, and that adds a risk of one getting infected somehow and then spreading it to the rest.

Question 9

A router on a corporate network provides a path to a limited access network that is not advertised. A net admin needs to access this limited access network regularly. How can he configure his computer to access it?

• Implement QoS technologies
• Add a VLAN
• Use the route command
• Open additional ports on the router

Answer 9

Use the route command.

None of the other choices can add a routing path.

Question 10

An admin places a file named passwords.txt with usernames of two accounts in it. This file was placed in the administrator account desktop on several servers. Why would this be done?

Answer 10

It’s a honeyfile. This distracts hackers from real documents. Since the file doesn’t contain passwords, just usernames, then it’s not a risk - and if the usernames are for accounts that don’t have access to anything important, even better.

Question 11

What wireless network protocol provides encrypted authentication of users over TLS? Choices are EAP, PEAP, WPA2, WPA3.

Answer 11

PEAP.

WPA2 and WPA3 don’t use TLS. EAP by itself doesn’t provide encryption at all.

Question 12

A wireless user had been accessing his network shares one morning, but later when trying to access the Internet got a popup marked as from the same wireless SSID that prompted him to login again. After logging in he couldn’t access his network shares but could access Internet. What happened here?

Answer 12

An Evil Twin access point tricked him. Odds are it stole his login credentials as well and is now using them to hack the network.

Question 13

Your organization wants to upgrade VPN so that after the VPN client connects to the VPN server, all traffic from the VPN client is encrypted. What kind of VPN should you use?

Answer 13

Full tunnel. This encrypts that client’s Internet traffic too, not just the traffic to the organization’s network.

Question 14

A supplier needs to connect several laptops to our organization’s network, but we are concerned about possible vulnerabilities from the laptops. How do we mitigate this risk?

Answer 14

Implement a jumpbox system. The supplier’s laptops will connect to the jumpbox and from there connect to our network.

Question 15

We want to allow visiting business partners to be able to use an available Ethernet port in a conference room to be able to use VPN to connect to their headquarters. The same port should allow our own employees to connect to our own secure internal network. How can we do this?

Answer 15

Implement NAC.

Question 16

One of your network services becomes disabled and this affects production. What can be used to determine which service was interrupted and why it happened. Choices are firewall logs, NIDS, syslog, network mapping.

Answer 16

Syslog

Question 17

In storing passwords, some organizations will add a salt and a hash to the password, then repeat this several times before storing the result. What is the term for this process?

Answer 17

Key stretching

Question 18

Which of these is not a shared authentication protocol?

OpenID Connect, Facebook Connect, LDAP, OAuth

Answer 18

LDAP

While this allows SSO for a given organization, it is not a shared protocol.

Question 19

Tool used to collect wireless packet data

Answer 19

Aircrack-ng

Notice it specifies wireless. Wireshark is for wired packets.

Question 20

Secure way to erase data from old hard drives before donating to charity

Answer 20

Cryptographic erase

Question 21

Which key is used when sending an encrypted email?

Answer 21

Recipient’s public key

Question 22

How does a secure web server decrypt a client’s session key?

Answer 22

Using the private key for the website. Session keys are encrypted using the site’s public key.

Question 23

In which order should these three items be done?
Risk analysis
Business impact analysis
ALE

Answer 23

ALE, risk analysis, business impact analysis

Question 24

Give an example of implicit deny

Answer 24

User A is added to group G. When this is done, user A no longer has read access to items in folder F.

Question 25

What log lists failed login attempts on Windows?

Answer 25

Security log

Question 26

What is Fail Secure?

Answer 26

A system that is Fail Secure remains secure even in the event of failure. It doesn’t necessarily remain up. If log files running out of space means the server refuses connections, that is fail secure.

Question 27

What technique can reveal internal business procedures and computing configurations?

Answer 27

Dumpster diving

Question 28

List two things to configure to prevent users from reusing old passwords within a short period of time

Answer 28

Minimum password age

Password history

Question 29

You estimate it would take four technicians two days to remove an infection, at a total cost of $3200. What type of analysis is this dollar amount?

Answer 29

Business impact analysis

Question 30

When researching new rack mount servers to determine the max BTU value of all servers in the server room, what related item should also be considered?

Answer 30

HVAC

BTU measures heat. HVAC will need to be able to handle the additional heat provided by the new servers.

Question 31

You need to determine which TCP port a certain custom app uses, so that you can configure a firewall rule allowing it. Users connect to an internal web site, that in turn connects to this custom app. How do you find which port the custom app uses?

Answer 31

Generate activity on the custom app while capturing traffic.

Question 32

Name a tool commonly used to automate incident response.

Answer 32

SOAR

Question 33

Name a type of server that provides centralized authentication services for devices such as switches and wireless routers.

Answer 33

RADIUS

Question 34

List two items that are found in an IP header

Answer 34

Source IP address
TTL value
(other things as well I’m sure, such as Destination IP address. the question offered 4 options and said to pick 2)

Question 35

If you find a way to gain remote administrative access to a host without knowing the administrative credentials, what is the term for this technique?

Answer 35

Exploit

Question 36

What’s the best way to safeguard cryptographic keys that are used to communicate with a cloud service provider?

Answer 36

HSM (hardware security module). Some cloud providers will offer cloud-based HSM services to their customers, as an alternative to having local physical HSM on the network.

Question 37

When two users have a shared secret key (unknown to anybody else) and use symmetric cryptography, what common goal of cryptography is impossible for them to achieve?

Answer 37

Nonrepudiation.
Since messages are encrypted and decrypted they have confidentiality and integrity (if the message was altered then it would decrypt to garbage). They have authentication because they are the only two who know that key. They can’t get nonrepudiation because there is no way to prove to a 3rd party that the message wasn’t just forged by one of them who claims the other sent it.

Question 38

A wildcard certificate for *.mydomain.com can not be used for which of these sites?

www. mydomain.com
mydomain. com
dev. www.mydomain.com
mail. mydomain.com

Answer 38

dev.www.mydomain.com

wildcard certs don’t cover more than a single level of subdomain.

Question 39

A web application is not setting the Secure attribute on its cookies. What type of attack is at risk due to this?

Answer 39

Session replay, assuming that the web app uses cookies for session authentication.

Question 40

Name the five elements of the NIST CSF

Answer 40

identify, protect, detect, respond, recover

Question 41

Which environment should be used for UAT testing?

Answer 41

Officially, it’s supposed to be the Test environment. We use Staging. If you see this on the exam, remember it’s supposed to be Test.

Question 42

What encryption key is included in a DNSKEY record?

Answer 42

the organization’s public key

Question 43

Number of passwords to keep in a password history to prevent password reuse, according to currently accepted best practice

Answer 43

ZERO.
NIST currently advises that users should no longer be forced to change passwords periodically. Another one that is against our own current practice, so becomes tricky.

Question 44

At what point should a forensic investigator start tracking the chain of custody for evidence?

Answer 44

As soon as it is collected.

Question 45

Name a certificate file type that contains ASCII text.

Answer 45

PEM or CER

there may be others, but these are all binary: PFX, DER, P12.

Question 46

Which of these is NOT a common means of securing ML algorithms?
A. Understand the quality of the source code.
B. Build a secure working environment for ML developers.
C. Require 3rd party review for bias in ML algorithms.
D. Ensure changes to ML algorithms are reviewed and tested.

Answer 46

C. Require 3rd party review for bias in ML algorithms.

Question 47

What step should be taken to ensure that baseline data is not tainted, before using a ML algorithm?
A. Scan network for vulnerabilities and remediate them.
B. Only run after you are confident that the network is secure.
C. Disable outbound and inbound network access so only normal internal traffic is validated.
D. Disable all firewall rules so all potential traffic can be validated.

Answer 47

B. Only run after you are confident that the network is secure.

Question 48

After uploading a malware sample to a 3rd party scanning site, the result gives several different answers for what the malware package is. Why?

Answer 48

Different vendors use different names for malware packages. Most malware scanning sites use multiple antimalware and antivirus engines for the scan.

Question 49

You notice traffic between your systems and a known malicious host on TCP port 6667.  What type of traffic is this most likely to be?
A. Command and control
B. Hijacked web browser
C. RAT
D. Worm

Answer 49

A. Command and control

Port 6667 is commonly used for IRC which is often used by C&C for botnets.

Question 50

Which of the following is the most serious vulnerability for a public facing server?
A. An HTTP response that reveals an internal IP address
B. Cryptographically weak encryption cipher
C. Website using a self-signed SSL certificate
D. Buffer overflow known to allow remote code execution

Answer 50

D. Buffer overflow known to allow remote code execution

Question 51

While doing a pentest of a web application, you entered this into a search box and it was actually executed. What kind of vulnerability is this?

IMG SRC=vbscript:msgbox(“Vulnerable to Attack”);> originalAttribute=”SRC” originalPath=”vbscript:msgbox(“Vulnerable to Attack “);>”

Answer 51

Cross-site scripting, aka XSS.

Question 52

Which of the following vulnerabilities is the greatest threat to data confidentiality?
A. HTTP TRACE/TRACK methods enabled
B. Web application SQL injection 
C. SSL Server with SSLv3 enabled
D. phpinfo information disclosure

Answer 52

B. Web application SQL injection

Question 53

What Linux command will display the network address and subnet mask for a wired network connection?

Answer 53

ip

The ip command will display IP address, subnet mask, and MAC address. Don’t confuse it with ipconfig which is Windows not Linux. Older versions of Linux used “ifconfig” for this.

Question 54

How can you identify a malware beacon is on your network?

Answer 54

Protocol used does NOT help. Persistence (remaining after rebooting the system) and Interval (time between beacon signals) are key indicators. It helps to remove known traffic on the network to reduce the amount of data that you have to analyze.

Question 55

The root cause of an incident was never determined. As part of your recovery and remediation, which of the following is LEAST likely to be helpful?
A. Disable unused user accounts
B. Sanitize and reimage all of your routers and switches
C. Review and enhance patch management policies
D. Restrict host access to peripheral protocols like USB or Bluetooth

Answer 55

B. Sanitize and reimage all of your routers and switches

This step is likely to have unwanted disruptive effects on the company, and waste a lot of time and money as well. Better to increase monitoring of the devices to ensure they were not compromised.

Question 56

During a pentest you use a vulnerability in an Apache webserver to gain access to it. What is the next step, that will help you pivot to a protected system outside the screened subnet?

Answer 56

Privilege escalation. Apache webservers are run as limited users, so your best chance of getting further into the system is to find a way to get admin rights.

Question 57

Name the four forms of regulated data

Answer 57

PII, PCI, GDPR, and PHI.
PII - personally identifiable
PCI - payment card industry
GDPR - EU's General Data Protection Regulation
PHI - protected health info

Question 58

What’s the best technology to implement when configuring better defenses for an ICS/SCADA system?

Answer 58

Intrusion Prevention System.
ICS/SCADA systems use a very specific set of commands to do their job, so configuring an IPS to only allow those specific commands will prevent a lot of problems.

Patching is likely to break ICS/SCADA systems because they don’t use standard operating systems. Antivirus/antimalware software is unlikely to run on the systems for the same reason. Logging is useful but won’t prevent anything.

Question 59

During a pentest you gain access to a hashed password file from the target site. This site does not have a strong password policy. What technique would work best to exploit this file?

Answer 59

Rainbow table attack.

Question 60

Diagram shows three guest operating systems on top of a hypervisor, on top of a host operating system, on top of hardware. What type of hypervisor is this?

Answer 60

Type 2 hypervisor, because it has a full host operating system. Type 1 runs on the bare metal hardware. There are no other types.

Question 61

You trying to diagnose a service that is not responding to user requests. The host firewall logs indicate that the traffic is allowed.  What is the likely cause?
A. Host firewall misconfiguration
B. Network firewall misconfiguration
C. Network IPS misconfiguration
D. Application failure

Answer 61

D. Application failure

Since the host firewall logs show the packets arriving and being acceptable, the two firewalls and IPS aren’t misconfigured. The application likely threw an exception or has stopped running for some reason.

Question 62

What type of account does a vulnerability scanner need in order to do a credentialed scan of the network?

Answer 62

Read-only

Question 63

What is the main difference between on-premises identity services and those used in a cloud-hosted environment?

Answer 63

The cloud service will provide account and identity management services.

Question 64

What should be done with the Administrator account on a Windows system, to reduce the chances of a brute force attack succeeding?

Answer 64

Rename the Administrator account, to something that doesn’t include “admin”. A nice touch is to create another account named Administrator with a super nasty password but don’t give it any permissions.

Question 65

What log should you examine to determine that a user has launched a privilege escalation attack on a database server?

Answer 65

Operating System log.

Question 66

You boot a laptop and get a plain blue dialog asking you to “Enter Current Password”, without any mention of a username. What is presenting this prompt?

Answer 66

BIOS, presented through the UEFI interface. This isn’t a particularly secure feature to enable, as there are many techniques to bypass BIOS passwords.

Question 67

While collecting evidence from a variety of sources, you notice from the logs that the clocks from the different systems don’t all agree. What should you do, so that you can create an accurate timeline of events?

Answer 67

Record the time offsets for each device. Since the evidence you are collecting is from events that already happened, that’s all you can do. To avoid future similar headaches, it is best to configure the systems to synch using an NTP server.

Question 68

Which of these authentication factors is the most difficult to implement?
A. something you have
B. something you know
C. something you do
D. something you are

Answer 68

C. something you do

Behavioral factors are difficult to measure and implement effectively.

Question 69

What’s the best way to detect missing operating system patches?

Answer 69

Configuration management tool.

Question 70

In a typical wireless authentication scenario using 802.1x, what device creates the RADIUS request?

Answer 70

Wireless access point

Question 71

Ten employees use symmetric encryption to communicate with each other, with complete confidentiality between any two. If we hire an eleventh employee, how many new keys must be added to the system?

Answer 71

10.
Each pair of users needs a unique shared secret key, so it’s one less than the total number of users. Clearly not a good option for a large company, as the number of keys will increase factorially with the number of users. Compare this to asymmetric encryption which would add just two keys (public and private for the new guy).

Question 72

Which employee would be most in need of awareness training about wire transfer fraud schemes?
A. system administrator
B. accounts payable clerk
C. sales director
D. executive user

Answer 72

B. accounts payable clerk

Since this is the person who would initiate any wire transfer, it is most crucial that this person get this training.

Question 73

What is the minimum fence height to slow down a determined intruder?

Answer 73

8 feet.

Question 74

What authentication protocol provides port based authentication for wired networks?

Answer 74

802.1x

Yes this is the same one we use for wireless networks.

Question 75

You are creating a digital certificate for a web server. The certificate will use an intermediate CA that is validated by a trusted root CA. Who creates the CSR?

Answer 75

You create the CSR on the web server, submitting it to the intermediate CA.

Question 76

What’s the best way to address issues on a WiFi network with interference between access points?

Answer 76

Use a WiFi controller. This allows automated modification of access point settings.

Question 77

Which CASB approach interacts with the cloud provider directly?

Answer 77

API-based CASB. Inline CASB intercepts requests between the user and provider.

Question 78

What technology is able to link networks in an on-prem datacenter with cloud VPCs securely?

Answer 78

Transit gateway

Question 79

SSH key security concerns

Answer 79

NOT: Weak encryption
YES: weak passwords, SSH key sprawl, inadvertant exposure of the private key

Question 80

What type of one time password does Google Authenticator use in its default mode?

Answer 80

Time-based one-time password

Question 81

Which of the following security controls is most effective against zero-day attacks?
A. Vulnerability scans
B. Application control
C. Intrusion Prevention Systems
D. Signature-based antivirus software

Answer 81

B. Application control

Use whitelisting of applications. That prevents unknown apps from being installed. Zero-day attacks don’t have signatures yet.

Question 82

A web server has the following characteristics.  Which poses the greatest security risk?
A. Server supports access on port 80
B. Server runs Apache and MySQL
C. Server uses TLS 1.2
D. Server supports access on port 443

Answer 82

B. Server runs Apache and MySQL

Each server should support a single primary function. Having both Apache and MySQL on the same server gives attackers two different apps to be attacked.

Question 83

What type of control will let you limit the ability of users in your org to provision cloud server instances without permission?

Answer 83

Resource policy

This is offered by cloud providers.

Question 84

Who should perform the exit interview for an employee who voluntarily resigns?

Answer 84

Second-level supervisor.
HR doesn’t know much about this person’s job, and if it’s the immediate supervisor then the employee can’t complain about him if that’s the issue.

Question 85

Which of these file types is normally shared publicly?
A. CRT
B. KEY
C. PEM
D. CSR

Answer 85

A. CRT

This contains the org’s public X.509 certificate.

Question 86

At a web hosting company, which of the following is the highest mission critical system?
A. Firewall
B. Web server for company’s own site
C. Billing system
D. Web server for one of the company’s clients

Answer 86

A. Firewall

None of this will work if the firewall is down. Of the rest, client web servers should come before the company’s own website, and the clients won’t mind if their bills are a few days late.

Question 87

Your SIEM has been sending you hundreds of alerts each night when scheduled jobs run. What should you do to reduce the false positive rate?

Answer 87

Change the sensitivity for the alerts. Adjust the alerts to ignore safe or expected events. Correlation rules may need to be adjusted if they are matching unrelated items, but the primary action is changing the sensitivity.

Question 88

You want to deploy an encrypted, WPA2 secured wireless for a small business. What’s the best option for wireless authentication?

Answer 88

PSK (pre-shared key).

Question 89

What’s the best tool for analyzing a VoIP conversation?

Answer 89

Wireshark.

tcpdump can capture the data but Wireshark has built-in VoIP analysis.

Question 90

What’s a good way to detect that an attacker has created a new service?

Answer 90

Vulnerability scans are the best way to detect new services, and often they will flag new services when they appear.

Question 91

Symptom: Systems are infected by malware exploiting an OS vulnerability and critical data is encrypted. What type of attack is this, and how can we control against it in the future?

Answer 91

Ransomware. Regular patch management.

Question 92

Symptom: Scripts included in message board posts are compromising systems belonging to site visitors. What type of attack is this, and how do we control it?

Answer 92

XSS attack. Proper input validation, or a WAF (Web Application Firewall) protects against this.

Question 93

Symptom: A former employee configures a system to delete all data when it notices that the person is no longer an employee. What type of attack is this, and what can protect against it?

Answer 93

Logic bomb. Code reviews should catch it.

Question 94

Symptom: An attacker posing as a help desk tech calls an employee and tricks them into revealing a password. What type of attack is this, and what can prevent it?

Answer 94

Social engineering. User education is the only way to defend against this.

Question 95

Symptom: A switch begins sending all network traffic to all devices connected to the switch. What type of attack is this, and how do we prevent it in the future?

Answer 95

MAC flooding. Port security should prevent this.

Question 96

On a Linux system, you use “chmod 740” on a file. What permissions does that file have now?

Answer 96

Owner has read, write, and execute. The group for the file has read only. Nobody else has any access (unless they have sudo privileges of course).

Read this as three octal digits. Owner is the first digit, group is the second, others is the third. For each octal digit, look at the binary equivalent, RWX. Or just sum the permissions, with Read being 4, Write being 2, and Execute being 1, so full rights = 7, read only = 4, etc.

Question 97

When a CA creates a digital certificate for a web server, what key is used to apply the digital signature to the certificate?

Answer 97

The CA’s private key. Everybody else can verify that the certificate is validly signed by the CA by using the CA’s public key.

Question 98

What is the maximum scope of a single ARP spoofing attack?

Answer 98

The attacker and the victim must be attached to the same switch, but do not need to be sharing the same switch port.

Question 99

Which RAID configuration provides redundancy while it maximizes read performance, for a server where data is read often but written rarely?

Answer 99

RAID 1, aka mirroring.

Question 100

Which of the following is not an appropriate use of MD5?
A. creating digital signatures
B. Verifying file checksums against corruption
C. Identifying duplicate records
D. Partitioning database keys

Answer 100

A. creating digital signatures

MD5 is cryptographically broken, so should never be used for secure purposes. It is perfectly fine to use it as a hash function for other purposes.

Question 101

You need a new security control for use in a multicloud environment, and want to minimize the admin work that will be required for this.  What type of control do you choose?
A. Third party
B. Internally developed
C. Cloud-native
D. Any of the above

Answer 101

A. Third party

Since it is multicloud, the best choice is third party, which are usually designed to work with multiple types of clouds. Cloud-native would only work with a single one of the clouds, and internally developed will require a lot of work to set up.

Question 102

You need to keep a system online but limit the impact of malware found on it while the investigation occurs.  Which method should you use?
A. Containment
B. Isolation
C. Segmentation
D. Black holing

Answer 102

A. Containment

Isolation walls off a system from the rest of the network. Segmentation walls off a portion of a network. Containment works to prevent further malicious actions or attacks. No clue what Black Holing is supposed to be - likely nonsense.

Question 103

In a Kerberos authentication scheme, who provides the client with the TGS session key?

Answer 103

Authentication server

Question 104

You need to choose a card-based control system for physical access to a facility, where the primary concern is the speed of the authentication. What’s the best type of card?

Answer 104

Proximity card has a very fast scanning time. Smart cards and magnetic stripe cards take a bit longer. Photo ID cards are longest of all of these.

Question 105

What method can be used to acquire the firmware from a running device for analysis?

Answer 105

Use forensic memory acquisition techniques, or in a few cases direct hardware interface access will work. Firmware is typically stored in BIOS or UEFI chip, which isn’t removable. Firmware is likely to allow updates but usually won’t allow downloads or copying.

Question 106

Does forensic information require a timestamp?

Answer 106

Timestamps are not required. They can help build a case that shows when events occurred, so it’s better if there are timestamps on the artifacts.

(this was reworded from a multiple choice question that asked for which item isn’t something to be concerned about)

Question 107

What is the best practice for handling repeated failed authentication attempts, for a password based authentication system?

Answer 107

Impose an exponentially increasing timeout period between login attempts. Doubling the timeout after each successive failure would fit this, with a very short timeout for the first one. This will get quite large rather quickly. Using a larger exponent (such as 10x for each failure) grows even faster.

Question 108

You are running two load balancers in active/active mode. What is the most significant risk to doing this?

Answer 108

The load balancers may not have capacity to survive the failure of one device.

Question 109

A vulnerability scan reports these issues with the certificate for an internal web application: it is self-signed, the common name doesn’t match the server name, and the signature failed. How should you fix this?

Answer 109

Replace the certificate with a certificate from the same source.
Since this is an internal web app, it’s fine to use a self signed cert. Using a cert with an incorrect domain name is not safe, so it should be replaced.

Question 110

What is the best defense against a rainbow table attack?

Answer 110

Salting prior to hashing.

Question 111

In a Kerberos system, the client sends an authenticator to the TGS when requesting a service ticket. How does the client encrypt this authenticator?

Answer 111

The client encrypts the authenticator with the TGS session key, which the client had received earlier from the authentication server. The authenticator itself consists of the client’s ID and a timestamp.

Question 112

Which of these protocols does not take advantage of TLS?

EAP-FAST, EAP-TTLS, EAP-IKEv2, EAP-TLS

Answer 112

EAP-IKEv2 uses Internet Key Exchange (IKE) instead of TLS.

Question 113

Which of these RADIUS messages is normally only found when the organization requires MFA?
Access-Request
Access-Accept
Access-Reject
Access-Challenge

Answer 113

Access-Challenge
The access-request is sent by the client. When not using MFA, the server responds by sending either access-accept or access-reject. With MFA, if the first request is accepted, the server responds with access-challenge which asks the client for the second authentication.

Question 114

You are configuring your network firewall for correct access to the email server. Internet users should be allowed to send email to this email server, but only internal users will be allowed to access email on the server. What protocol(s) should be allowed through the firewall?

Answer 114

SMTP only (of the various types of email protocols, likely both port 25 and the secure ports). SMTP is used to relay inbound email. IMAP and POP3 are used to retrieve messages from an email server, so they shouldn’t be allowed through the firewall.

Question 115

You identified a missing patch on a server that would allow an attacker to gain remote control, and patched it. In risk management terms, what did patching it do? (Remove/reduce; threat/vulnerability)

Answer 115

Removed the vulnerability.

Question 116

You need to know about the actions an individual performed on a PC. What’s the best starting point to identify those actions?

Answer 116

Ask the individual. AFTER that, check various logs for clues. None of those logs will mention everything that was done.

Question 117

Which of the following is the least volatile?

RAM, data on a hard drive, backups, remote logs

Answer 117

Backups

Question 118

What does this Linux command do?

grep -vi example /home/me/myfile.txt

Answer 118

Scans myfile.txt and finds each line that does NOT contain “example”, regardless of capitalization.

• v flag looks for lines without the search term
• i flag uses case insensitive matching

Question 119

Scenario: You are trying to determine the risk associated with a DoS attack. No permanent damage is expected from such an attack. Company would lose $75,000 in lost revenue in the event of a successful DoS attack. There is a 10% chance of such an attack succeeding in the next 12 months.

What is the SLE?

Answer 119

$75,000

SLE is single loss expectancy. The 10% is a distraction.

Question 120

What file would an attacker need in order to conduct an offline brute force attack against a Linux system?
A. John the Ripper
B. /etc/passwd
C. /etc/shadow
D. No file needed, just use SSH

Answer 120

/etc/shadow contains the password hashes in most types of Linux.

/etc/passwd is just a pointer to etc/shadow.

Question 121

Which of these does S/MIME not provide when it is used to protect attachments for email?
A. Authentication
B. Nonrepudiation of the sender
C. Message integrity
D. Data security for the email headers

Answer 121

D. Data security for the email headers

Question 122

You need a digital certificate for a new web server. If you have no prior relationship with a CA, what type of certificate can you obtain most quickly?

Answer 122

DV (Domain Validation). These only require verification of domain ownership, which can usually be done through an automated process. All other types (other than self-signed of course) require thorough and time-consuming verification steps.

Question 123

What’s the difference between SOC 1 and SOC 2 reports?

Answer 123

A SOC 1 report is designed to address internal controls over financial reporting while a SOC 2 report addresses a service organization’s controls that are relevant to their operations and compliance.

Often subcategorized as type 1 or type 2. Type 2 includes assessing the effectiveness of the controls. Type 1 does not do that.

Question 124

You want to secure the BGP traffic that your routers rely on for route info. What should you do?
A. Choose a TLS enabled version of BGP
B. Turn on BGP route protection
C. Use signed BGP by adopting certificates for each BGP peer
D. None of the above

Answer 124

D. None of the above

BGP doesn’t HAVE any native security methods. Two solutions that have not be broadly adopted are SIDR and RPLS.

Question 125

A device based on an Arduino will be deployed across your organization. What type of device is it, and what should be your focus on securing it?
A. FPGA, network security
B. Microcontroller, physical security
C. GPU, network security
D. ICS, physical security

Answer 125

B. Microcontroller, physical security

Arduinos are a form of microcontroller. They don’t have networking built in, so focus should be on the physical security of the device.

Question 126

Which of the following is NOT a common concern with IPv6 networks?
A. Scanning sequential IP addresses is no longer viable
B. Blocking ICMP can cause problems
C. Devices may have more than one IP stack and interface
D. Device identification via MAC address is difficult

Answer 126

D. Device identification via MAC address is difficult

IPv6 makes device identification via MAC address EASIER since the IP addresses are configured based on the MAC address.

Question 127

Which of these is most likely to provide up-to-date security vulnerabilities info?
A. Academic journal
B. Vendor website
C. Local industry group
D. RFC documents

Answer 127

B. Vendor website

Vendors are usually quick to create patches and warn of zero-day vulnerabilities too. RFC documents don’t list vulnerabilities at all, and the other two would be much slower.

Question 128

You want to deploy one-time passwords to your staff, and be able to support many different sites while also providing the ability to enroll users using MDM.  What tool is best?
A. hardware tokens
B. static codes
C. authentication application
D. phone-based push notifications

Answer 128

C. authentication application

Examples of such are Google Authenticator, Duo, Microsoft Authenticator. The others aren’t managed using MDM.

Question 129

Which of these is NOT true about zero day attacks?
A. They may be found in software or hardware
B. They have a limited window of use
C. They are generally unpatchable
D. They are often widely publicized

Answer 129

D. They are often widely publicized

Usually only known to a small group of researchers (or attackers). If they became widely known then the vendor would create a patch and they would no longer be termed zero-day.

Question 130

What is a fast way to check whether unneeded services have been disabled?

Answer 130

port scan

Vulnerability scan will do this too but port scan is faster.

Question 131

What’s a secure replacement for FTP that requires the least additional work through a firewall?
A. FTPS, because is uses stronger encryption
B. SFTP, because it uses the same port as SSH
C. FTPS, because it uses the same port as SSH
D. SFTP, because it uses stronger encryption

Answer 131

B. SFTP, because it uses the same port as SSH

Both FTPS and SFTP offer strong encryption, so A and D are out. SFTP uses the same port as SSH, but FTPS uses a different port.

Question 132

Which of these is responsible for providing secrecy in a cryptographic system?
A. message digest
B. key
C. algorithm design
D. algorithm choice

Answer 132

B. key

The other choices are often known publicly, including the code to implement the algorithm even. The key is always secret.

Question 133

Which of these is the best example of a fog computing environment?
A. A camera that performs motion detection on board and only sends motion footage to the cloud.
B. A network of oil field sensors that send data to a local IoT gateway for preprocessing.
C. A satellite that streams live weather data back to the cloud datacenter for processing.
D. A vehicle that contains onboard computers that interact with GPS for navigation.

Answer 133

B. A network of oil field sensors that send data to a local IoT gateway for preprocessing.

The camera is a good example of edge computing. Satellite is standard cloud client-server computing. Vehicle isn’t using the cloud at all.

Question 134

What cloud control can be used to limit remote access to a server instance in the cloud?
A. Resource group
B. CASB
C. HSM
D. Security group

Answer 134

D. Security group

This is the equivalent of network firewall rules in an on-prem environment.

Question 135

You need to configure a new IoT device.  It broadcasts a SSID to allow you to perform initial configuration.  After connecting to unsecure WiFi, you can manage the device with an application.  What connection model does this use?
A. Point to multipoint
B. WPA2 Enterprise
C. WPA3 Enterprise
D. Point to point

Answer 135

D. Point to point

It says unsecure, which rules out B and C. If it were an access point, then that would be point to multipoint. Since it’s device to device, it’s point to point.

Question 136

Which of these is not a common item to include in a contract for an organization that is migrating to a cloud service?
A. right-to-audit clauses
B. right to forensic examination
C. choice of jurisdiction
D. data breach notification timeframe

Answer 136

B. right to forensic examination

This is highly unusual. You can ask for details of their incident response process, previous breach notification, and incident documentation shared with customers instead.

Question 137

What mobile device deployment method provides employees with devices that they can use as if they were personally owned?

Answer 137

COPE (company owned, personally enabled)

Question 138

Which way of gaining physical access during daylight hours is least likely to arouse suspicion?

Answer 138

Tailgating

Question 139

From the statistics shown here for a biometric authentication system, what is the system's FAR?
Accept, Authorized: 98
Accept, Unauthorized: 16
Reject, Authorized: 2
Reject, Unauthorized: 84

Answer 139

8%

that’s a total of 200 in the statistics. False acceptance rate is “Accept, Unauthorized”, so 16/200 = 8/100 = 8%.

Question 140

What nslookup command should you type to request information only on name servers?

Answer 140

nslookup set type=ns

Question 141

You notice that the POS terminals that accept credit cards in your network have a recent Windows OS vulnerability. These are embedded systems so they can’t be patched, and the manufacturer has no update for them. What should you do to stay in compliance with PCI DSS?

Answer 141

Identify, implement, and document compensating controls

Question 142

What sanitization technique uses only logical techniques to remove data, such as overwriting a hard drive with random data?

Answer 142

Clear (usually overwriting 1-3 times) or Wiping (usually overwriting 1-35 times)

Question 143

What’s the best way to detect rogue devices attached to the network?

Answer 143

Router and switch-based MAC address reporting
Not only does it tell you that a rogue device is on the network, but it also gives you a starting point for finding where it is physically

Question 144

Which of these sets of security features would best protect your servers in the data center?
A. GPS tracking, Biometrics, Proximity badges, Remote wipe
B. FM-200, Biometric locks, Mantrap, Antivirus
C. Strong passwords, Biometrics, Mantrap, Cable lock
D. Antivirus, Mantrap, Cable lock, GPS tracking

Answer 144

B. FM-200, Biometric locks, Mantrap, Antivirus

FM-200 is a fire extinguishing system often used in server rooms.
Biometric locks are commonly used to lock the access door of a high security area.
Mantrap prevents tailgating into the server room.
Antivirus for defense against intrusions over the network.

Of the other choices, GPS tracking would not help at all most likely. Cable locks aren’t needed if the high security area has a single access preventing all but trusted people from entering.

Question 145

Which analysis framework provides a graphical depiction of the attacker’s approach relative to a kill chain?

Answer 145

Diamond Model of Intrusion Analysis

Question 146

What is the LEAST secure wireless security and encryption protocol?
A. WPA
B. WEP
C. WPA2
D. WPA3

Answer 146

B. WEP

Wired Equivalent Privacy.

WPA replaced WEP, then WPA2 replaced WPA, and now we are on the shiny new WPA3 for newest hardware.

Question 147

Which EAP protocol for wireless does not require clients to have a certificate or extra software, but does require mutual authentication?

Answer 147

PEAP

Wrong answers:
EAP-TLS requires certificates on the clients
EAP-TTLS requires additional software to be installed on the clients
EAP-FAST focuses on quick authentication

Question 148

Which of the following would be most likely involved with an on-path attack?
A. compromised router
B. browser plug-in
C. compromised server
D. modified hosts file

Answer 148

B. browser plug-in

This would be a man-in-the-browser attack

Question 149

What does SSL Stripping look for to perform an on-path attack?

Answer 149

an unencrypted HTTP connection

Question 150

Which two items listed will mask PII?
Fingerprint
Gloves
Anonymous proxy server
Tattoo

Answer 150

Gloves, anonymous proxy server.

Gloves mask your fingerprints. Anonymous proxy server masks your IP address and location.

Not fingerprint because that IS PII, so it can’t mask it. Ditto with tattoo.

Question 151

An attacker gains access to a corporate WiFi network where two employees are exchanging data. The attacker captures network traffic between the two, modifies it, and sends it back on the network. How could this be prevented?

Answer 151

Computer authentication using PKI

If computers on the corporate network have PKI certs from a trusted source configured, then network traffic from hosts not using a PKI cert can be blocked or ignored.

Question 152

Which type of attack exploits a web site's trust of a user session?
A. Directory traversal
B. Cross-site request forgery
C. DoS
D. Cross-site scripting

Answer 152

B. Cross-site request forgery

This is about exploiting a user session in a different browser tab.

Question 153

Which key does a secured web server use to decrypt a client session key?

Answer 153

Web server’s private key. The web server created the client session key in the first place, using the web server’s public key.

Question 154

Which of these is the best rule of thumb for deciding whether a risk is acceptable?
A. ARO is less than cost of mitigating the risk
B. ALE is more than cost of mitigating the risk
C. ALE is less than cost of mitigating the risk
D. SLE is less than cost of mitigating the risk

Answer 154

C. ALE is less than cost of mitigating the risk

Annual rather than Single loss expectancy because if a risk is extremely rare the ALE could be very low where the SLE is extremely high. Some risk that has a very low SLE but that is likely to happen thousands of times a year might actually be worth fixing.

Question 155

You have a RAID with six hard disks. Which RAID configuration can you use to protect from a single hard disk failure while maximizing disk space utilization efficiency?

Answer 155

RAID 5

If one disk fails, the parity bits stored on the other disks can be used to restore to a fresh disk. So basically you have 5 disks worth of data. With RAID 1 you would only have 3 disks worth of data. RAID 6 keeps enough parity to restore two failed disks, so there’s less room for total data.

Question 156

A user gains access to a secure Web application using a digitally signed security token in the form of a Web browser cookie.  Which security term best applies to this?
A. Accounting
B. Authorization
C. Availability
D. Authentication

Answer 156

B. Authorization

Authorization is what granted him access to the web app.

Question 157

Which OSI layer would be involved in a web browser connecting to a specific URL?

Answer 157

Layer 7 (application)

This is the key on a practice question about which firewall should be configured to block inappropriate web sites, where all the choices were “Layer X firewall”

Question 158

Which of the following is NOT useful in preventing broadcast storms?
A. Disable ARP on all accessible ports
B. Enable STP
C. Enable loop protect features on switches
D. Limit the size of VLANs

Answer 158

A. Disable ARP on all accessible ports

Question 159

Which of these is an AAA system?
A. RADIUS
B. SAML
C. OAuth
D. LDAP

Answer 159

A. RADIUS

Question 160

You created a Python script on a Linux server named “myScript.py”. If you try to run it from the command line it does not execute. What is the most likely reason?
A. You must be logged in as root
B. chgrp was not used to set the owning group
C. script does not include #!/usr/bin/bash python
D. script does not include #!/user/bin/env python

Answer 160

D. script does not include #!/user/bin/env python

To run a Python script you have to either specify the name of the script after the python command, or else the script has to specify the Python engine.

(it’s also possible that you didn’t make the script executable, but in that case Linux would have complained about not being able to find the file)

Question 161

Which of the following is NOT used to prevent or correct routing loops?
A. Split horizon
B. Loop prevention
C. Hold-down timers
D. Flood guard

Answer 161

D. Flood guard

Flood guard doesn’t do anything about routing loops, it’s for DoS attacks.

Question 162

Which of the following would be most difficult to answer based solely on a review of NetFlow records?
A. How much data was exchanged during the attack?
B. What information left the organization?
C. What was the source of the attack?
D. What systems were targeted in the attack?

Answer 162

B. What information left the organization?

NetFlow captures source and destination IP addresses and ports, timestamps, and amount of data transferred in either direction. It does not include payload so there’s no way to tell what the data was that was exfiltrated.

Question 163

You have a hardware multifactor authentication token that you push when you want a new authentication code. What algorithm does this token use?

Answer 163

HOTP

This type of token generates passcodes based on a counter that increments each time you press the button, using the HMAC-based one-time password algorithm. A TOTP token would update automatically based on the current time, with no need to press a button.

Question 164

Which of the following is an appropriate use case for an open wireless network?
A. Office network in a building in a remote location.
B. Private network in a home with limited physical access.
C. Guest network for a coffee shop with transient customers.
D. Open wireless networks are never appropriate

Answer 164

C. Guest network for a coffee shop with transient customers.

Even in cases where physical building access is limited, the wireless signal could leak out of the building and be accessible to attackers.

Question 165

You are hardening a database server. An external port scan shows ports 22 and 1433 are open. What is the best action to take to improve the security posture?
A. Close all open ports on the host firewall
B. Close port 22 on the host firewall
C. Close ports 22 and 1433 on the network firewall
D. No action is necessary

Answer 165

C. Close ports 22 and 1433 on the network firewall

We don’t want anybody from outside the organization’s network using SSH or MS-SQL ports, but we do need that for our internal network.

Question 166

What coding technique is MOST helpful in preventing vulnerabilities in your application during the development stage?
A. documentation
B. keeping attack surfaces to a minimum
C. code review
D. design review

Answer 166

B. keeping attack surfaces to a minimum

Question 167

For a high security facility, which authentication model provides the most security for PHYSICAL access?
A. MFA
B. SSO
C. Photo ID and a security guard check
D. PIN

Answer 167

A. MFA

Multifactor authentication

Question 168

Which of the following is the best choice for authenticating to a VPN for remote access?
A. LDAP server
B. Security token
C. Local username and password
D. Call-back security

Answer 168

A. LDAP server

Question 169

Which of the following allows you to run a public-facing web app but still maintain a private backend with servers that aren't publicly accessible?
A. Virtual private cloud
B. Private IP addressing
C. Proxy server
D. Network address translation

Answer 169

A. Virtual private cloud

Question 170

Which of the following is a good security control to be used on a smartphone for preventing bluesnarfing attacks?
A. Bluejacking
B. Smartphone lock password
C. Link-level security
D. Call-back security

Answer 170

C. Link-level security

Link-level security authenticates the actual communications link before data transmission begins.

Question 171

Which of the following is a good security control for remote computers used at home that connect to the corporate network via VPN, to protect the corporate network from threats originating from the home ISP connection?
A. Anti-spam software
B. Pop-up blocker
C. Host-based firewall
D. Anti-malware software

Answer 171

C. Host-based firewall

Question 172

Your web app authenticates users with a CAC and PIN. Which of the following can prevent session cookie hijacking?
A. Disable cross-site scripting
B. Refresh the web browser page after login
C. Disable cookies in the web browser
D. Regenerate session keys and IDs after a successful login

Answer 172

D. Regenerate session keys and IDs after a successful login
This means that a later attempt to use the same session key (either original one or the regenerated one) will fail. (I’m a bit confused on why it would fail, but take their word for it)

Question 173

Which of the following is the highest probability risk for a server room?
A. Low temperature
B. Fire
C. War driving
D. Unauthorized access

Answer 173

D. Unauthorized access

Fire is dire but unlikely.

Question 174

Which secure coding practice helps prevent cross-site request forgery attacks?
A. Session cookie authentication
B. Fuzzing
C. Input validation
D. Cookie privacy

Answer 174

A. Session cookie authentication

Question 175

The range of your wireless network is well beyond your facility. What’s the best way to prevent users outside of the facility from accessing it?

Answer 175

Lower the power of the wireless transmissions on your access points.

Question 176

Which of the following is best suited to prevent, detect, and mitigate physical theft?
A. Security guards
B. Video surveillance
C. Security lighting
D. Perimeter fencing

Answer 176

A. Security guards

Question 177

Which of these is most likely to help detect a zero-day attack?
A. Logging and auditing
B. Firewall
C. Antivirus software
D. Awareness training

Answer 177

D. Awareness training

Question 178

Which of the following will help you prevent unauthorized remote access to your access points?
A. Disable 802.11g/n mixed mode
B. Disable SSID broadcast
C. Restrict remote access to direct wired connections
D. Enable authentication with strong passwords

Answer 178

D. Enable authentication with strong passwords

Question 179

What is the next step after researching and documenting a DRP?
A. have the plan approved by the CEO
B. test the plan
C. store backup copies of the plan offsite
D. store the plan in a locked safe

Answer 179

B. test the plan

Question 180

Which of the following will increase security when using SNMP?
A. Change the “public” community name
B. Ensure the monitoring station is protected by a firewall
C. Disable ICMP
D. Close SNMP TCP and UDP port 161 on the client

Answer 180

A. Change the “public” community name

The community name acts as a password - it must be changed when SNMP is set up.

Question 181

Which of these can be used to make sure OS commands cannot be inserted into web forms and executed?
A. Fuzzing
B. Transitive access
C. Escaping
D. Cross-site scripting

Answer 181

C. Escaping

Question 182

An end user was on your web app when it crashed, allowing the user access to a command-line prompt with admin access to the system.  Which is the security issue the web app has?
A. Command injection
B. Transitive access
C. Fuzzing
D. Buffer overflow

Answer 182

B. Transitive access

Question 183

Your organization’s legal counsel has instructed you to begin collecting evidence for a pending investigation. What do you need to formally initiate?

Answer 183

Legal hold

Question 184

What can be done outside of the development cycle to improve the quality of the software code?

Answer 184

Known environment penetration testing

Question 185

What is the maximum speed of a 5G network?

Answer 185

10 Gbps

Question 186

What Docker command would you use to start a container named my-container. The container is configured to run on port 443 but you want it to connect using port 4443. Command starts with “sudo docker run -d -p”

Answer 186

sudo docker run -d -p 4443:443 my-container

Question 187

Which Wi-Fi EAP configuring uses both client and server PKI certificates?

Answer 187

EAP-TLS

Question 188

What is the approximate range of Bluetooth Class 2 devices?

Answer 188

30 feet

Question 189

Your small company has a secured WiFi network. What’s a convenient way you can provide for guests to immediately connect using their smartphones?

Answer 189

Use NFC tags that contain WiFi connection information.

Question 190

Which hashing algorithm results in a 128-bit fixed output?

Answer 190

MD-5

Question 191

One workstation at your organization has been sending out spam emails. It’s only from a single employee’s email account, and only from that workstation. It doesn’t appear to be spreading. What is the best containment strategy?

Answer 191

Disable the switch port and reset the employee’s username/password.
If you simply unplug the workstation from the network, the employee is likely to just plug it back in again. This does prevent the employee from doing his job until he gets a new workstation. Be sure to give the employee remedial cybersecurity awareness training first.

Question 192

What is the major concern with using SMS for MFA?

Answer 192

SMS messages may be accessible to attackers using VoIP or other systems. They can’t be encrypted.

Question 193

Which of these is best practice when scheduling vulnerability scans of your data center?
A. Evenly throughout the day
B. Begin at the same time every day
C. During periods of low activity
D. During periods of peak activity to simulate performance under load

Answer 193

C. During periods of low activity

The other options each carry a high risk of causing disruptions to the network of its business operations.

Question 194

Which of these key lengths is NOT supported by AES?
256
128
512
192

Answer 194

512 bits.

Question 195

What cryptographic technique does WPA use to overcome the weaknesses of WEP?

Answer 195

TKIP

Temporal Key Integrity Protocol

Question 196

What is a key stretching algorithm that is both memory-hardened and CPU-hardened?  Choices are:
PBKDF2
Bcrypt
RIPEMD
HMAC

Answer 196

Bcrypt.

PBKDF2 is CPU hardened but not memory hardened. the other two aren’t key stretching algorithms at all.

Question 197

Which algorithm did DSS approve for the creation of digital signatures?

Answer 197

DSA

Question 198

Which system would be most likely to detect a DDoS SYN flooding attack from across the Internet to a web server in your DMZ?
A. Signature NIDS
B. Heuristic HIDS
C. Behavioral NIDS
D. Heuristic NIDS

Answer 198

A. Signature NIDS

This type of attack is a well known signature. any signature based IDS will spot and report it.

Question 199

Which type of DLP would require the least amount of maintenance effort from your organization?
A. Host-based DLP
B. Signature-based DLP
C. Cloud-based DLP
D. Network-based DLP

Answer 199

C. Cloud-based DLP

A cloud based DLP would be maintained by the cloud vendor.

Question 200

Which of the following is a passive reconnaissance tool?
A. Nmap
B. Nessus
C. Aircrack-ng
D. Metasploit

Answer 200

C. Aircrack-ng

The other three actively interact with the target.

Question 201

Which cipher suite must you support to ensure compatibility with DNSSEC servers?
A. RSA/MD5
B. RSA/SHA-256
C. RSA/SHA-512
D. RSA/SHA-1

Answer 201

D. RSA/SHA-1

SHA-256 and 512 are recommended but not required. MD5 should never be used for cryptographic purposes.

Question 202

What’s the best way to sanitize hard drives before they leave your organization if you don’t want to destroy them? Possible answers vary, it always wants the best choice of what shows.

Answer 202

In order with most secure first:

• cryptographic erase
• purge, validate and document the sanitization
• wipe
• clear (not recommended, too easy to recover data)

Degaussing destroys the ability of the hard drive to function. Some people just take a hammer to the hard drive or run it through an industrial strength shredder that just chops it into bits.

Question 203

You notice a strange file. What’s the best way to check whether it contains malware?

Answer 203

Submit to an open-source intelligence provider like VirusTotal. This quickly analyzes suspicious files and if malware is detected it automatically notifies the security community too.

Question 204

What’s the fastest way to determine the current version of SSH running on a web server?

Answer 204

Banner grabbing. Connect to the server using netcat and collect the response, which will include the server’s OS and the version of SSH it is running.

Vulnerability scanners can do it too but aren’t as fast.

Question 205

When an APT attacks your network/system, what is the typical attack model they use?

Answer 205

Usually it just sits there quietly gathering information. APTs focus is espionage and strategic advantage.