Tricky Questions Flashcards
Users of a mobile app authenticate with a username and password, and the app logs their location (from GPS). How many different authentication factors is this using?
ONE!
Username and password are both something you know. While the app logs the GPS location, it doesn’t say that the auth process even looks at it.
A company has several contractors who work for about one week each quarter. What should be done with their accounts when they aren’t actively working for the company?
Disable the accounts. That leaves the data there, and it’s easy to enable them again when the contractor is actively working again.
A company needs a strong authentication and authorization system that protects the privacy of data, and that allows employees to use SSO. What should they use? Choices are OpenID, SAML, Kerberos, RADIUS
Kerberos.
OpenID is for Internet, not internal networks. SAML is for web apps. RADIUS is for remote access clients.
Which protocol is best for encrypting confidential data transferred over an internal network? Choices are FTP, SSH, SNMPv3, SRTP
SSH
Which protocol is best for collecting network device configuration and statistics while protecting the confidentiality of the credentials used to connect to the devices? Choices are SSH, FTPS, SNMPv3, TLS
SNMPv3
This is Simple Network Management Protocol version 3. It has strong authentication mechanisms. None of the other choices monitor network devices.
Which type of device would be likely to use these as part of its configuration?
permit IP any any eq 80
permit IP any any eq 443
deny IP any any
Choices are firewall, proxy server, web server, jump server.
Firewall.
While this is a good configuration to protect a web server, it gets put on the firewall, not the web server itself.
A firewall protects subnet 10.0.1.0/24. It needs to use only secure protocols for remote management. It needs to block cleartext web traffic.
Which of the following rules already on this firewall needs to be changed to do this?
HTTPS Outbound, Any, 10.0.1.0/24, HTTPS, allow
HTTP Outbound, Any, 10.0.1.0/24, HTTP, allow
DNS, Any, 10.0.1.0/24, DNS, allow
HTTPS Inbound, 10.0.1.0/24, HTTPS, allow
HTTP Inbound, 10.0.1.0/24, HTTP, block
Telnet, 10.0.3.0/24, Telnet, allow
SSH, 10.0.1.0/24, Any, SSH, allow
HTTP Outbound, because that is cleartext web traffic and it is set to allow. That should be blocked.
Yes, Telnet should not be allowed ANYWHERE, however since that rule is for the 10.0.3.0/24 subnet, and this firewall is protecting 10.0.1.0/24, it won’t ever be handling that traffic. Tricky question indeed.
A power plant has several standalone computers used to verify proper operation of various processes. Employees log into these computers using local accounts. We want to make sure these computers have no access to the internet, and cannot be connected to the organization’s network. What’s the best choice among:
- air gap the computers
- place the computers in a screened subnet
- create a separate isolated network for these computers
- place the computers in a VLAN
Air gap.
Both screened subnet and VLAN would add a risk of connections to the larger network and the internet. A separate isolated network would technically work however there is no stated need for the computers to communicate with each other, and that adds a risk of one getting infected somehow and then spreading it to the rest.
A router on a corporate network provides a path to a limited access network that is not advertised. A net admin needs to access this limited access network regularly. How can he configure his computer to access it?
- Implement QoS technologies
- Add a VLAN
- Use the route command
- Open additional ports on the router
Use the route command.
None of the other choices can add a routing path.
An admin places a file named passwords.txt, containing the usernames of two accounts, on the administrator account’s desktop on several servers. Why would this be done?
It’s a honeyfile. This distracts hackers from real documents. Since the file doesn’t contain passwords, just usernames, then it’s not a risk - and if the usernames are for accounts that don’t have access to anything important, even better.
What wireless network protocol provides encrypted authentication of users over TLS? Choices are EAP, PEAP, WPA2, WPA3.
PEAP.
WPA2 and WPA3 don’t use TLS. EAP by itself doesn’t provide encryption at all.
A wireless user had been accessing his network shares one morning, but later when trying to access the Internet got a popup marked as from the same wireless SSID that prompted him to login again. After logging in he couldn’t access his network shares but could access Internet. What happened here?
An Evil Twin access point tricked him. Odds are it stole his login credentials as well and is now using them to hack the network.
Your organization wants to upgrade VPN so that after the VPN client connects to the VPN server, all traffic from the VPN client is encrypted. What kind of VPN should you use?
Full tunnel. This encrypts that client’s Internet traffic too, not just the traffic to the organization’s network.
A supplier needs to connect several laptops to our organization’s network, but we are concerned about possible vulnerabilities from the laptops. How do we mitigate this risk?
Implement a jumpbox system. The supplier’s laptops will connect to the jumpbox and from there connect to our network.
We want to allow visiting business partners to use an available Ethernet port in a conference room to connect over VPN to their headquarters. The same port should allow our own employees to connect to our own secure internal network. How can we do this?
Implement NAC.
One of your network services becomes disabled and this affects production. What can be used to determine which service was interrupted and why it happened? Choices are firewall logs, NIDS, syslog, network mapping.
Syslog
In storing passwords, some organizations will add a salt to the password and hash it, then repeat this several times before storing the result. What is the term for this process?
Key stretching
Which of these is not a shared authentication protocol?
OpenID Connect, Facebook Connect, LDAP, OAuth
LDAP
While this allows SSO for a given organization, it is not a shared protocol.
Tool used to collect wireless packet data
Aircrack-ng
Notice it specifies wireless. Wireshark is for wired packets.
Secure way to erase data from old hard drives before donating to charity
Cryptographic erase
Which key is used when sending an encrypted email?
Recipient’s public key
How does a secure web server decrypt a client’s session key?
Using the private key for the website. Session keys are encrypted using the site’s public key.
In which order should these three items be done?
Risk analysis
Business impact analysis
ALE
ALE, risk analysis, business impact analysis
Give an example of implicit deny
User A is added to group G. When this is done, user A no longer has read access to items in folder F.
What log lists failed login attempts on Windows?
Security log
What is Fail Secure?
A system that is Fail Secure remains secure even in the event of failure. It doesn’t necessarily remain up. If log files running out of space means the server refuses connections, that is fail secure.
What technique can reveal internal business procedures and computing configurations?
Dumpster diving
List two things to configure to prevent users from reusing old passwords within a short period of time
Minimum password age
Password history
You estimate it would take four technicians two days to remove an infection, at a total cost of $3200. What type of analysis is this dollar amount?
Business impact analysis
When researching new rack mount servers to determine the max BTU value of all servers in the server room, what related item should also be considered?
HVAC
BTU measures heat. HVAC will need to be able to handle the additional heat provided by the new servers.
You need to determine which TCP port a certain custom app uses, so that you can configure a firewall rule allowing it. Users connect to an internal web site, which in turn connects to this custom app. How do you find which port the custom app uses?
Generate activity on the custom app while capturing traffic.
Name a tool commonly used to automate incident response.
SOAR
Name a type of server that provides centralized authentication services for devices such as switches and wireless routers.
RADIUS
List two items that are found in an IP header
Source IP address
TTL value
(Other things as well I’m sure, such as Destination IP address. The question offered 4 options and said to pick 2.)
If you find a way to gain remote administrative access to a host without knowing the administrative credentials, what is the term for this technique?
Exploit
What’s the best way to safeguard cryptographic keys that are used to communicate with a cloud service provider?
HSM (hardware security module). Some cloud providers will offer cloud-based HSM services to their customers, as an alternative to having local physical HSM on the network.
When two users have a shared secret key (unknown to anybody else) and use symmetric cryptography, what common goal of cryptography is impossible for them to achieve?
Nonrepudiation.
Since messages are encrypted and decrypted they have confidentiality and integrity (if the message was altered then it would decrypt to garbage). They have authentication because they are the only two who know that key. They can’t get nonrepudiation because there is no way to prove to a 3rd party that the message wasn’t just forged by one of them who claims the other sent it.
A wildcard certificate for *.mydomain.com cannot be used for which of these sites?
www.mydomain.com
mydomain.com
dev.www.mydomain.com
mail.mydomain.com
dev.www.mydomain.com
Wildcard certs don’t cover more than a single level of subdomain.
A web application is not setting the Secure attribute on its cookies. What type of attack is at risk due to this?
Session replay, assuming that the web app uses cookies for session authentication.
Name the five elements of the NIST CSF
identify, protect, detect, respond, recover
Which environment should be used for UAT testing?
Officially, it’s supposed to be the Test environment. We use Staging. If you see this on the exam, remember it’s supposed to be Test.
What encryption key is included in a DNSKEY record?
the organization’s public key
Number of passwords to keep in a password history to prevent password reuse, according to currently accepted best practice
ZERO.
NIST currently advises that users should no longer be forced to change passwords periodically. Another one that is against our own current practice, so becomes tricky.
At what point should a forensic investigator start tracking the chain of custody for evidence?
As soon as it is collected.
Name a certificate file type that contains ASCII text.
PEM or CER
There may be others, but these are all binary: PFX, DER, P12.
Which of these is NOT a common means of securing ML algorithms?
A. Understand the quality of the source code.
B. Build a secure working environment for ML developers.
C. Require 3rd party review for bias in ML algorithms.
D. Ensure changes to ML algorithms are reviewed and tested.
C. Require 3rd party review for bias in ML algorithms.
What step should be taken to ensure that baseline data is not tainted, before using an ML algorithm?
A. Scan network for vulnerabilities and remediate them.
B. Only run after you are confident that the network is secure.
C. Disable outbound and inbound network access so only normal internal traffic is validated.
D. Disable all firewall rules so all potential traffic can be validated.
B. Only run after you are confident that the network is secure.
After uploading a malware sample to a 3rd party scanning site, the result gives several different answers for what the malware package is. Why?
Different vendors use different names for malware packages. Most malware scanning sites use multiple antimalware and antivirus engines for the scan.
You notice traffic between your systems and a known malicious host on TCP port 6667. What type of traffic is this most likely to be? A. Command and control B. Hijacked web browser C. RAT D. Worm
A. Command and control
Port 6667 is commonly used for IRC which is often used by C&C for botnets.
Which of the following is the most serious vulnerability for a public facing server?
A. An HTTP response that reveals an internal IP address
B. Cryptographically weak encryption cipher
C. Website using a self-signed SSL certificate
D. Buffer overflow known to allow remote code execution
D. Buffer overflow known to allow remote code execution
While doing a pentest of a web application, you entered this into a search box and it was actually executed. What kind of vulnerability is this?
<IMG SRC=vbscript:msgbox("Vulnerable to Attack");>
Cross-site scripting, aka XSS.
Which of the following vulnerabilities is the greatest threat to data confidentiality? A. HTTP TRACE/TRACK methods enabled B. Web application SQL injection C. SSL Server with SSLv3 enabled D. phpinfo information disclosure
B. Web application SQL injection
What Linux command will display the network address and subnet mask for a wired network connection?
ip
The ip command will display IP address, subnet mask, and MAC address. Don’t confuse it with ipconfig which is Windows not Linux. Older versions of Linux used “ifconfig” for this.
How can you identify that a malware beacon is on your network?
Protocol used does NOT help. Persistence (remaining after rebooting the system) and Interval (time between beacon signals) are key indicators. It helps to remove known traffic on the network to reduce the amount of data that you have to analyze.
The root cause of an incident was never determined. As part of your recovery and remediation, which of the following is LEAST likely to be helpful?
A. Disable unused user accounts
B. Sanitize and reimage all of your routers and switches
C. Review and enhance patch management policies
D. Restrict host access to peripheral protocols like USB or Bluetooth
B. Sanitize and reimage all of your routers and switches
This step is likely to have unwanted disruptive effects on the company, and waste a lot of time and money as well. Better to increase monitoring of the devices to ensure they were not compromised.
During a pentest you use a vulnerability in an Apache webserver to gain access to it. What is the next step, that will help you pivot to a protected system outside the screened subnet?
Privilege escalation. Apache webservers are run as limited users, so your best chance of getting further into the system is to find a way to get admin rights.
Name the four forms of regulated data
PII, PCI, GDPR, and PHI. PII - personally identifiable information; PCI - payment card industry; GDPR - EU's General Data Protection Regulation; PHI - protected health info.
What’s the best technology to implement when configuring better defenses for an ICS/SCADA system?
Intrusion Prevention System.
ICS/SCADA systems use a very specific set of commands to do their job, so configuring an IPS to only allow those specific commands will prevent a lot of problems.
Patching is likely to break ICS/SCADA systems because they don’t use standard operating systems. Antivirus/antimalware software is unlikely to run on the systems for the same reason. Logging is useful but won’t prevent anything.
During a pentest you gain access to a hashed password file from the target site. This site does not have a strong password policy. What technique would work best to exploit this file?
Rainbow table attack.
Diagram shows three guest operating systems on top of a hypervisor, on top of a host operating system, on top of hardware. What type of hypervisor is this?
Type 2 hypervisor, because it has a full host operating system. Type 1 runs on the bare metal hardware. There are no other types.
You are trying to diagnose a service that is not responding to user requests. The host firewall logs indicate that the traffic is allowed. What is the likely cause? A. Host firewall misconfiguration B. Network firewall misconfiguration C. Network IPS misconfiguration D. Application failure
D. Application failure
Since the host firewall logs show the packets arriving and being acceptable, the two firewalls and IPS aren’t misconfigured. The application likely threw an exception or has stopped running for some reason.
What type of account does a vulnerability scanner need in order to do a credentialed scan of the network?
Read-only
What is the main difference between on-premises identity services and those used in a cloud-hosted environment?
The cloud service will provide account and identity management services.
What should be done with the Administrator account on a Windows system, to reduce the chances of a brute force attack succeeding?
Rename the Administrator account, to something that doesn’t include “admin”. A nice touch is to create another account named Administrator with a super nasty password but don’t give it any permissions.
What log should you examine to determine that a user has launched a privilege escalation attack on a database server?
Operating System log.
You boot a laptop and get a plain blue dialog asking you to “Enter Current Password”, without any mention of a username. What is presenting this prompt?
BIOS, presented through the UEFI interface. This isn’t a particularly secure feature to enable, as there are many techniques to bypass BIOS passwords.
While collecting evidence from a variety of sources, you notice from the logs that the clocks from the different systems don’t all agree. What should you do, so that you can create an accurate timeline of events?
Record the time offsets for each device. Since the evidence you are collecting is from events that already happened, that’s all you can do. To avoid similar headaches in the future, it is best to configure the systems to sync using an NTP server.
Which of these authentication factors is the most difficult to implement? A. something you have B. something you know C. something you do D. something you are
C. something you do
Behavioral factors are difficult to measure and implement effectively.
What’s the best way to detect missing operating system patches?
Configuration management tool.
In a typical wireless authentication scenario using 802.1x, what device creates the RADIUS request?
Wireless access point
Ten employees use symmetric encryption to communicate with each other, with complete confidentiality between any two. If we hire an eleventh employee, how many new keys must be added to the system?
10.
Each pair of users needs a unique shared secret key, so it’s one less than the total number of users. Clearly not a good option for a large company, as the number of keys will increase factorially with the number of users. Compare this to asymmetric encryption which would add just two keys (public and private for the new guy).
Which employee would be most in need of awareness training about wire transfer fraud schemes? A. system administrator B. accounts payable clerk C. sales director D. executive user
B. accounts payable clerk
Since this is the person who would initiate any wire transfer, it is most crucial that this person get this training.
What is the minimum fence height to slow down a determined intruder?
8 feet.
What authentication protocol provides port based authentication for wired networks?
802.1x
Yes, this is the same one we use for wireless networks.
You are creating a digital certificate for a web server. The certificate will use an intermediate CA that is validated by a trusted root CA. Who creates the CSR?
You create the CSR on the web server, submitting it to the intermediate CA.
What’s the best way to address issues on a WiFi network with interference between access points?
Use a WiFi controller. This allows automated modification of access point settings.
Which CASB approach interacts with the cloud provider directly?
API-based CASB. Inline CASB intercepts requests between the user and provider.
What technology is able to link networks in an on-prem datacenter with cloud VPCs securely?
Transit gateway
SSH key security concerns
NOT: Weak encryption
YES: weak passwords, SSH key sprawl, inadvertent exposure of the private key
What type of one time password does Google Authenticator use in its default mode?
Time-based one-time password
Which of the following security controls is most effective against zero-day attacks? A. Vulnerability scans B. Application control C. Intrusion Prevention Systems D. Signature-based antivirus software
B. Application control
Use whitelisting of applications. That prevents unknown apps from being installed. Zero-day attacks don’t have signatures yet.
A web server has the following characteristics. Which poses the greatest security risk? A. Server supports access on port 80 B. Server runs Apache and MySQL C. Server uses TLS 1.2 D. Server supports access on port 443
B. Server runs Apache and MySQL
Each server should support a single primary function. Having both Apache and MySQL on the same server gives attackers two different apps to be attacked.