2.2 Given a scenario, use appropriate software tools to assess the security posture of an org Flashcards
(36 cards)
A company is using Microsoft’s Security Compliance Toolkit (SCT) and Nessus to get a sense of the company’s security posture. Which of the following does NOT describe or apply to either of these applications? (Select two)
Nessus compares with a system configuration template
SCT patches non-compliant systems
Nessus is, by design, a vulnerability scanner. It does not have a database of system configuration templates, for example, specific to Windows, to compare hosts with.
SCT does not patch systems. Any findings of non-compliance can be used to determine actions for a WSUS (Windows Server Update Services) server to handle.
Microsoft’s Policy Analyzer is part of the Security Compliance Toolkit (SCT). It compares scanned hosts with a template of controls and configuration settings to determine system compliance.
CVEs (Common Vulnerabilities and Exposures) can be used by the Nessus scanner to compare and find vulnerabilities in commonly used systems. Vulnerability scans and security compliance audits can be gathered all at once with Nessus.
A company is going through excess equipment and recyclables. Management will repurpose all the computer workstations and discard archived printed documents. Which of the following can help achieve the company’s goals? (Select two)
Active KillDisk software
Paper shredder
Active KillDisk is a disk wiping sanitization software tool that can purge data on disk by overwriting data with 1s and 0s. Overwriting might also be performed in multiple passes. The disk can be recycled after using this software.
A paper shredder can make printed information harder to read or recover. This type of machinery cannot shred hard drives or other computer parts.
A powerful magnet can erase data on a hard drive, but it also renders the hard drive inoperable by eliminating the disk’s magnetic charge.
A hard drive shredder would break apart or pulverize a hard drive and make it unusable.
An admin wants to quickly assess the open ports of a Windows server. Which command will provide the admin with the right information?
netstat
The netstat command allows the admin to check the state of ports on the local machine (Windows or Linux). He or she may also be able to identify suspect remote connections to services on the local host or from the host to remote IP (Internet protocol) addresses.
Netcat (or nc for short) is remote access software that is available for both Windows and Linux. It can be used as a backdoor to other servers.
The ipconfig command only provides network adapter information such as the IP address of the server.
The ip command is a replacement for the ifconfig command used on Linux servers. It serves the same function as the ipconfig command used on the Windows operating system.
A security event popped up, alerting security of a suspicious user gaining access to and copying files from the %SystemRoot%\NTDS\ file path on a server. What is the user trying to do?
Gather employee login credentials.
The %SystemRoot%\NTDS\NTDS.DIT file stores domain user passwords and credentials. Employees commonly use their domain credentials to log in to do work and gain access to corporate information.
BitLocker keys are stored along with the associated computer account object in Active Directory. It is viewable in the object’s properties view. This is a different location than the NTDS.DIT file.
A brute force attack is the process of using precompiled dictionaries and rainbow tables to break naïvely chosen passwords. Only file copies are occurring at this point.
Proprietary company information is never stored in the same location as Windows operating system files and folders or the C: drive.
Which password cracking tool comes with a password sniffing tool and is compatible with Windows computers?
Cain and Abel
Cain and Abel is used to recover Windows passwords and includes a password sniffing utility.
John the Ripper is compatible with multiple platforms such as Windows, Mac OS X, Solaris, and Android, and is primarily used as a password hash cracker.
THC Hydra is often used against remote authentication using protocols such as Telnet, FTP (file transfer protocol), HTTPS (hypertext transfer protocol secure), SMB (server message protocol), etc.
Aircrack is used to sniff and decrypt WEP (wired equivalent privacy) and WPA (wireless protected access) wireless traffic.
A hacker obtained the 24-bit prefix of several network interface MAC (media access control) addresses. From this information, the hacker noted that the target company has Cisco and Dell devices. What type of attack technique did the hacker use?
OUI grabbing
OUI (Organizationally Unique Identifier) grabbing is like banner grabbing or OS fingerprinting. The OUI can identify the manufacturer of the network adapter and therefore support other assumptions related to system type and/or purpose.
OS (operating system) fingerprinting is a method used by Nmap to probe hosts for running OS type and version, and even application names and device type (e.g., laptop or virtual machine).
Packet injection refers to injecting forged or spoofed network traffic. Often, network sniffing software libraries allow frames to be inserted into the network stream in this manner.
Side-channel attacks are a technique used against cryptographic systems and are not applicable to this scenario.
Management wants to create a fake network with similar network security boundaries as the operational network. This fake network will host a few servers and will be near the DMZ (Demilitarized Zone). Which of the following solutions will allow an administrator to gather information about how an attacker penetrates a network of working servers and services, while the attack happens?
Honeynet
A honeynet is a whole network, which can be simulated, to attract attackers, with the intention of analyzing attack strategies and tools and to provide early warnings of attack attempts.
NIDS or network intrusion detection provides real-time analysis of either network traffic or system and application logs.
A honeypot is similar in purpose to a honeynet, but represents only a single computer system. This is best for analyzing penetration techniques on a Windows server, for example.
Firewalls are the devices principally used to implement security zones, such as intranet, DMZ, and the Internet. The basic function of a firewall is traffic filtering.
A network administrator’s computer desktop is full of network security tools that are useful for patching and hardening the network. However, after an audit, the admin recently discovered a Wireshark application, which alarmed management. What is it about Wireshark that makes management apprehensive about having it on company computers? (Select two)
Can eavesdrop on network communication
Can scan a network for open ports
A protocol analyzer tool like Wireshark facilitates eavesdropping, which is a valuable counterintelligence technique. It can decode a captured frame to reveal its contents in a readable format.
Packets that are analyzed or decoded will provide information, such as protocol used and at what port. If a port is open, it will be listed in the analyzed information.
A sniffer is a tool that captures frames moving over the network medium. This might be a cabled or wireless network. Once captured, the protocol analyzer can decode the data and make sense of the information. Wireshark sniffs and analyzes captured data packets.
A blocked connection is more of an action performed by a firewall or NIPS (network intrusion prevention system).
Which procedure would a government agency prefer to use to completely destroy top secret documentation removed from basement file cabinets?
Incinerate
Incineration is the process of destroying something by burning. Burning paper documents will leave no trace of top-secret information.
Degaussing is the process of exposing a computer disk to a powerful electromagnet that disrupts the magnetic pattern that stores the data. This option will destroy electronic documents stored on the disk.
Wiping is the process of writing zeroes and ones in a random pattern over existing data on the disk, to render the electronic information unrecoverable. This option is applicable to electronic documents.
Performing a low-level format resets a disk to factory condition. This option is applicable to electronic data on the disk.
Steganography is a technique for hiding data within other data. Typically, information embeds in the least expected places. Which of the following are examples of steganography? (Select three)
Embed a watermark on bank notes
Encode message within TCP packet data
Embedding a watermark using the design and color of bank notes is an example of steganography. This method is employed by the Counterfeit Deterrence System (CDS) and can be used for anti-counterfeiting efforts.
Encoding messages within TCP packet data fields to create a covert message channel is an example of steganography.
Changing the least significant bit of pixels in an image file (the cover file) is another example. This can code a useful amount of information, without distorting the original image noticeably.
IPSec or IP Security is used to secure data as it travels across the network or the Internet. Running in tunnel mode, IPSec encrypts the whole IP packet (header and payload) and a new IP header is added.
A local environment includes modern servers with Windows Server 2012 R2, along with some legacy systems using Windows Server 2003. A security administrator has concerns about legacy servers and their LAN (local area network) Manager service vulnerabilities with password hashes. What are the organization’s best options to improve authentication? (Select two)
Fresh install of Windows Server 2008 R2
Kerberos
Kerberos is the preferred method in a Windows domain, using a ticket-granting system to login and access resources on the network.
A fresh install will ensure core services and settings of a Windows Server 2008 R2 operating system are working and authentic. LM (LAN Manager) is disabled by default starting with Windows Server 2008.
Windows server upgrade paths are not always clean. A system upgraded from Windows Server 2003 to Windows Server 2008 R2 may still hold residual systems files from Windows Server 2003.
NTLM (New Technology LAN Manager) and NTLMv2 (version 2) provide stronger session key generation for digital signing and sealing applications than LM and LM version 2. However, they are still vulnerable to Man-in-the-Middle attacks and others.
Network administrators look for ways to map out their network to find rogue devices. The admins would prefer a solution with a UI or user interface to manage and view the map. Which of the following tools and features will provide a useful report of devices on the network? (Select more than one)
Zenmap
--traceroute
Zenmap is the GUI (Graphical User Interface) version for Nmap. Also known as Nmap Security Scanner, it uses diverse methods of host discovery.
Using the --traceroute switch with Zenmap, the GUI can record the path to an IP target address and present the route in a graphical view, like a map.
The basic syntax of an nmap command is to give the IP subnet (or IP address) to scan. When used without switches, it pings and sends a TCP ACK packet to ports 80 and 443 to determine whether a host is present. This is a command line view.
Nmap, by default, does a host discovery and port scan. Using a -sn switch suppresses the port scanning.
The security administrator at a brand-new company proposes the use of vulnerability scanners to find common targets. The admin suggests using a method that will not use up a lot of bandwidth on the network and does not need direct or privileged access. What type of scanning may this security administrator be proposing? (Select two)
Passive scanning
Non-credentialed scanning
A scanning technique to passively test security controls operates by sniffing network traffic to identify assets communicating on the network, service ports used, and potentially some types of vulnerabilities.
A non-credentialed scan is one that proceeds without being able to log on to a host. Consequently, the only view obtained is the one that the host exposes to the network.
Active scanning techniques involve making a connection to the target host. This might mean authenticating and establishing a session with the host or running an agent on a host.
A credentialed scan is given a user account with logon rights to various hosts. This method allows much more in-depth analysis, especially in detecting when applications or security settings may be misconfigured.
Which of the following will make data nearly impossible to recover on a hard disk drive (HDD) using basic recovery software?
Drilling holes
Drilling holes through a physical hard drive destroys the spinning platters and the mechanisms that make the disk work. Physical destruction like this renders the disk unusable and unrecoverable through common ways like using recovery software.
Encryption technologies, like Windows BitLocker, encrypt full hard drives. However, encryption technologies output a recovery key or password that can still be used to unlock an encrypted disk.
Disk formatting is the creation of a file system on disk. Formatting an already used hard drive does not wipe the data, but merely hides the data, allowing the operating system to write over blocks on a disk.
A CD shredder is useful to shred CDs, making them unusable and unrecoverable. There are hard drive shredders available for use.
After a recent hurricane, the company realizes that it is not ready to resume services of their online products immediately after the weather event. IT (Information Technology) management must develop an architectural solution to this dilemma. Which of the following will provide the best solution? (Select two)
Stand up a hot site
Create a failover process
The company, using Enterprise-level networking, can create a failover of the current site to an alternate processing site or recovery site, in the event the current site is no longer active.
A hot site can be described as an alternate processing site. Services at the main site can failover immediately to a hot site and will have duplicate services running.
A warm site can be described as a site with the necessary resources, but services will need to be loaded and/or manually activated. Typical recovery may take a few hours to a day.
Scheduled backups are a common configuration and should already be in place prior to planning a disaster recovery scenario. Backups can be restored at a recovery site.
A company finalizes the plans for their COOP (Continuity of Operation Planning) site. Security and compliance should be at the same level as the current site of operations. When looking at the order of restoring services at this warm site, which of the following is the most important to enable, test, and monitor?
Nessus checks against CVEs
Microsoft’s Policy Analyzer uses a configuration template
Microsoft’s Policy Analyzer is part of the Security Compliance Toolkit (SCT). It compares scanned hosts with a template of controls and configuration settings to determine system compliance.
CVEs (Common Vulnerabilities and Exposures) can be used by the Nessus scanner to compare and find vulnerabilities in commonly used systems. Vulnerability scans and security compliance audits can be gathered all at once with Nessus.
SCT does not patch systems. Any findings of non-compliance can be used to determine actions for a WSUS (Windows Server Update Services) server to handle.
Nessus is, by design, a vulnerability scanner. It is not a NIPS (Network Intrusion Prevention System).
System administrators at a government facility are replacing damaged hard drives from a storage unit. After receiving the new hard drives from the manufacturer, the administrators must properly dispose of the bad drives. What policy items are applicable in this case? (Select two)
Degauss media with a magnet
Use the DoD 5220.22-M method
The Department of Defense (DoD) 5220.22-M wipe method involves a three-phase pass of writing 1s, 0s, and random characters onto a hard drive. This method will prevent the use of many software-based file recovery methods.
Degaussing is a method of erasing data on a hard drive with a powerful magnet. This process also renders the drive unusable because of permanent damage to the device’s servo control data that is required to read and write.
A CD shredder will make the disk unreadable. This is effective for CDs with data, but not applicable to hard drives.
A paper shredder can make printed information harder to read or recover. The method does not apply to hard drives.
An administrator noticed a flood of network packets coming into a file server. After closing the open port experiencing the excess traffic, the admin rebooted the server. The admin checked the server and it no longer sent a flood of packets to the same port. Which of the following tools did the admin most likely use to troubleshoot the issue?
Wireshark
Wireshark is a protocol analyzer. It can parse the headers of network protocols, list their contents, and derive their purpose. This can help pinpoint the dropped packets and on what network adapter, so further troubleshooting can take place.
The internet protocol configuration (ipconfig) command is a tool used to query or reset network settings and information. It cannot examine network traffic like Wireshark.
Sysinternals is a suite of tools designed to assist with troubleshooting issues with Windows. Its Process Explorer can reveal all the processes on the system and their details. These tools are not useful for a networking issue.
The trace route (tracert) command can help discover where a network route ends when a ping fails. However, the server is responding to pings.
An independent security penetration tester tried to access the company’s wireless network. The first test is to determine if pre-shared keys are not dictionary words. Which of the following tools would help find weak passwords?
Aircrack-ng
Aircrack-ng is a suite of utilities designed for wireless network security testing. The specific tool, which is also called aircrack-ng, can decode the authentication pre-shared key or password for WEP, WPA, and WPA2 using a dictionary word or a relatively short key.
Sniffing non-unicast wireless traffic requires a wireless adapter driver that supports monitor mode. Windows would usually need a wireless adapter designed specifically for packet capture, such as AirPcap.
inSSIDer is a software that can survey Wi-Fi networks to determine SSID, BSSID (wireless access point MAC address), frequency band, and radio channel.
Netcat (nc) is a remote access trojan (RAT) that is available for both Windows and Linux. It can be configured as a backdoor.
Management wants to see a graphical view of the company’s network and endpoints. This information will help to determine any rogue devices on the network. Which of the following tools will be most effective in providing the right information?
Zenmap
A network admin troubleshoots a virtual host that has just restarted. The admin wants to know when the virtual host is reachable through the network. Which ping switch would provide the most useful information?
-t
The -t switch pings the specified server name or IP (Internet protocol) address until stopped. Typing Ctrl+C on the keyboard will stop the pings.
The -n switch sets the number of echo requests to send. The standard send count is four. The number can be specified after the -n switch.
The -S switch, which is a capital S, is used to specify a source address to use that is different from the server that the admin is initiating the ping command from.
The -r switch records the route for the specified count of hops. This is used for IPv4 addresses.
A company finalizes the plans for their COOP (Continuity of Operation Planning) site. Security and compliance should be at the same level as the current site of operations. When looking at the order of restoring services at this warm site, which of the following is the most important to enable, test, and monitor?
UPS
In general, the first step in restoring services involves enabling and testing power delivery systems, such as a power grid, generators, and even UPSs (uninterruptible power supplies). Without power, IT systems and network equipment cannot run.
In general, the second step in restoring services involves enabling and testing switch infrastructure, then routing appliances and systems.
In general, the fourth step in restoring services involves enabling and testing critical network servers, like DHCP, so that client computers can get an IP address. Other important network servers include domain controllers so that users may log in to their computers and reach Enterprise services.
In general, the sixth step in restoring services involves enabling and testing front-end applications like a web server.
It is time to audit the network’s security. Which of the following will help with the process of scanning for vulnerabilities? (Select two)
Perform passive reconnaissance activities.
Check all computers for installed anti-virus software.
Creating a report of computers with and without anti-virus software can help gauge the network’s security posture. Software like System Center Configuration Manager can provide active reporting of such instances.
Using brute force attacks is a type of penetration testing technique. Exploiting vulnerabilities is a separate action that can be performed afterward.
Passive reconnaissance includes actions such as finding unpatched software or finding weak password policies. These actions probe the network or application to discover issues, but do not exploit them.
Running malware from a USB is a penetration testing technique that is exploiting a vulnerability.
Your organization has some Windows computers that are not part of the domain and therefore, cannot receive computer security policy updates. Which of the following tools can assess the local computer and make updates when necessary?
Microsoft Security Compliance Toolkit
The Microsoft Security Compliance Toolkit includes the Policy Analyzer Tool and the Local Group Policy Object (LGPO) Tool. Both are necessary to assess the local policies from a baseline and automate changes where needed.
Nessus is a commonly deployed solution for application vulnerability assessments. It does not perform any changes to the application or computer operating system.
Metasploit is an exploitation framework with tools for exploiting vulnerabilities.
The Local Group Policy Object (LGPO) Tool, on its own, automates changes to local GPOs on a computer. This tool is helpful in managing systems that are not part of the domain. It is best used in conjunction with the Policy Analyzer tool.