Lets Pray Flashcards
A security administrator is segregating all web-facing server traffic from the internal network and restricting it to a single interface on a firewall. Which of the following BEST describes this new network?
DMZ
An organization does not want the wireless network name to be easily discovered. Which of the following software features should be configured on the access points?
SSID Broadcast
While reviewing your vulnerability-scan log files, you find a vulnerability on your network with an assigned identification number. You research that number on the vendor’s website, then apply their recommended fix for the vulnerability.
Which type of vulnerability scanner was used?
Signature based
Suspicious traffic without a specific signature was detected. Under further investigation, it was determined that these were false indicators. Which of the following security devices needs to be configured to disable future false alarms?
Anomaly based IDS
You want to monitor and limit users’ access to external websites.
Which of the following would BEST address this?
Install a proxy server
Your company allows business partners to connect to several of your application servers located at the main office. What can the main office implement to protect the rest of the company from those business partners?
DMZ
TWO ways to segment your network based on organizational groups:
VLAN & Subnetting
You scan your company routers and find they haven’t been changed from their default configuration. Which would address this?
Secure router configuration
You want to create a small wireless network for testing before you roll the network out company-wide. For now though, you don’t want to tell employees about it yet. Which of these would offer the greatest obscurity about the new wireless network?
Disabling SSID broadcasting
Which device allows you to inspect network traffic by redirecting packets before sending them on to their final destination?
Proxies
While scanning the network, you find an unauthorized smart-phone has been used to surf the internet. Which of these device attributes was used to figure out that the device was not authorized?
MAC Address
You have a VLAN that is dedicated to printers. This VLAN has more traffic than usual, which is causing congestion. You find out that someone has installed a bunch of new printers without your knowledge. Which of these could prevent this type of traffic congestion from happening again?
Access control lists
An attacker was able to connect to your router using a console cable. Which TWO should you have implemented to prevent this?
Console access to the router should have been disabled.
Physical access to the router should have been restricted.
Which is the best reason to include several different elements like firewalls, IDSs, DMZs, HIPS, and antivirus servers in your network?
Defense in depth
What’s it called when a load-balancer can remember a user, and always send that user to the same server?
Session affinity
Your admin thinks that wireless MAC filtering is all he needs to protect the WLAN. Which of these would prove to him that he should also turn on WPA or WPA2?
Sniff and clone a MAC address
You have a user who must have local admin access on her laptop. Which is the BEST way to reduce the risk of her machine becoming compromised in this scenario?
HIPS
Which of these can ensure that only authorized devices can connect to your switch, based on MAC address?
Switch port security
Which of these would you use to separate different types of traffic through a switch?
VLAN
You are looking at the log file of an attack against your webserver. Here’s a sample of what you find:
3: 15:45 IP 192.168.5.5.4000 > 10.0.1.8.20 Flags[S]
3: 15:45 IP 192.168.5.5.4001 > 10.0.1.8.21 Flags[S]
3: 15:45 IP 192.168.5.5.4002 > 10.0.1.8.25 Flags[S]
3: 15:45 IP 192.168.5.5.4003 > 10.0.1.8.53 Flags[S]
Which of these ACLs would you implement to protect against this attack and future attacks by the same IP, while minimizing any service interruptions?
DENY TCP FROM 192.168.5.5 TO 10.0.1.8
You are planning on adding a new VoIP phone system to your network, but you’re worried about performance problems. The core switches on your data network are almost maxed-out with traffic already, so which of these would provide the best performance and availability for both your VoIP traffic as well as your existing data traffic?
Physically separate the VoIP phones from the data network.
Your network has been very slow, so you look at your Spanning-Tree setup. You find that an old, inferior switch has been made the root-bridge. Why could this be?
The switch has the lowest MAC address.
Which would allow server access to external clients, while still allowing access from internal users?
DMZ
You just got a wireless music-streaming device for your birthday and while at home it works great. It connects to the internet and plays music through its speakers. At work though, it doesn’t connect to the internet. It is associated with the AP, and did receive the expected network parameters. Also, other wireless devices work fine. Which is the most likely reason your device doesn’t work while in the office?
The company implements a captive portal.
You want to protect a group of servers. Which would be BEST to implement to prevent connections from unauthorized networks?
Firewall
You’ve plugged a WAP into your switch and configured WPA2-TKIP for security. Hacker Joe is somehow able to intercept clear-text HTTP communication between the wireless users and the internet. Why is Hacker Joe able to intercept and see the clear-text communication?
Hacker Joe is able to capture the wired communication.
Which of these can scan computers to make sure they have antivirus software, before the computer is allowed to access the network?
NAC
A group of visitors connect their laptops to your wired network and start using up a large chunk of your bandwidth. How can you prevent this situation in the future?
Port security
Which type of IDS detects intrusions based on a vendor-provided list?
Signature based
You’re configuring your firewall to block traffic to-and-from a small list of specific IP addresses, while allowing all other traffic. Which of these firewall rules would then be necessary to implement in this scenario?
Implicit allow as the last rule
Each cubicle in your company needs to have a VoIP phone and a desktop computer. Which of these would be the best way to prevent users from connecting unauthorized devices to the network?
Enforce authentication for network devices.
You’re setting up a new 5GHz wireless network, but you find that some areas of the building don’t get very good coverage because you’re using vertical antennas on your WAPs. Without moving any WAPs, which of these would fix this problem?
Install unidirectional antennas to focus coverage where needed.
You’ve disabled the SSID broadcast on your WAP, but unauthorized users are still connecting to it. Which of these would further obscure the presence of your wireless network?
Disable responses to a broadcast probe request.
You have both a secured, password-protected wireless network for employees, and an open, un-secured visitor network for guests. Walking by a guest’s laptop, you notice this on her screen:
Reaver -I mon0 -b 10:4A:7D:0F:6B:EA
Starting…
[+] Trying pin 12345678
[+] Trying pin 12345688
[+] Trying pin 12345698
What should you implement?
Disable WPS because the visitor is trying to crack the employee network.
You asked your newb tech to connect two buildings’ networks via wireless. He installs two ground plane antennas on 802.11b bridges to transfer data between the buildings, which are 400 feet apart. It doesn’t work. Which of these should you do to allow connectivity between the two buildings?
Replace the current antennas with Yagi antennas.
You’re thinking about hosting data with a Cloud Service Provider (CSP) and you are evaluating a particular provider. Which of these would pose the biggest risk when choosing to go with that vendor?
The financial review indicates the company is a startup.
Your users are having trouble reaching your intranet site. You sniff the traffic going to the site and you see the following packets:
09: 15:25 192.168.3.12:52550 -> 172.16.10.10:80 SYN
09: 15:25 192.168.3.12:52550 -> 172.16.10.10:80 SYN
09: 15:25 192.168.3.12:52550 -> 172.16.10.10:80 SYN
09: 15:25 192.168.3.12:52550 -> 172.16.10.10:80 SYN
09: 15:25 192.168.3.12:52550 -> 172.16.10.10:80 SYN
09: 15:25 192.168.3.12:52550 -> 172.16.10.10:80 SYN
DoS attack
Which of these would prevent users from using ARP spoofing attacks against the computers located in your HR department?
Separate Layer 2 VLANs
You set up an ECS (Environmental Control System) to protect your data-center. You want to be able to manage and monitor this system from any part of the network. Which should you do to allow access, while also reducing the attack surface of the system?
Configure the ECS host-based firewall to block non-ECS application traffic.
Corporate policy says that in order for new computers to be added to your network, they must have the corporate antivirus software loaded on them first. Which of these would send an alert if a computer is added to the network without the antivirus software?
NAC
You have a server that is supposed to only be accessible from the inside of your network. Unfortunately, one of your admins made a configuration mistake, and now the server is accessible from the outside. Which one of these configurations was probably modified wrong?
NAT
Which TWO would prevent unauthorized devices from connecting to your wireless network?
MAC filtering
Enable WPA2
An inside attacker has sent thousands of MAC addresses through one switch port in order to fill up the switch’s CAM table (MAC address table). Which of these would prevent this type of attack in the future?
Port security
Which would you use to encrypt voice data?
SRTP
Your video application relies on IGMP to function. Which of these is your app most likely using?
Multicast
Which of these is the best way to prevent unauthorized devices from connecting to the corporate network?
Port security
Which network design component would separate network traffic based on the logical location of users?
VLAN
Which would be the best way to prevent attacks from new devices introduced to the corporate network?
802.1x
You have a connectivity issue and you think that the router may be blocking traffic to a remote network. Which of these would confirm your theory by providing helpful feedback?
ICMP
You need to ensure that only authorized devices can connect to the wired and wireless networks. Unauthorized devices should be automatically placed on a guest network. Which TWO of these should you implement to achieve these goals?
Port security
VLAN
You need to build several different environments for application development and testing. What should you implement to create these new environments?
Network segmentation
You need to find the source of a suspected attack that keeps disconnecting systems from the wireless network. You verify that there are no rogue wireless access points, unauthorized wireless clients, or de-authentication attacks occurring. Which would be BEST to identify the source of the outage?
Conduct a wireless site survey
What is it called when you use a cloud infrastructure as your company’s payment portal?
software as a service
You get an alert that an internal IP address is connecting to several unknown malicious domains. You connect to the switch and add a MAC filter to switch port 18 to block the system from the network.
A few minutes later, the same malicious traffic starts again from a different IP. Which of the following is the MOST likely reason that the system was able to bypass the administrator’s MAC filter?
The system is now spoofing a MAC address.
You discover that telnet was enabled on your Sales server and that someone outside the Sales subnet has been attempting to log in to the server. You’ve disabled telnet on the server, but which of these would let you track attempts to log on to telnet without exposing important company data?
Honeypot
Which of these configurations would give you the MOST information regarding threats while also minimizing the risk to the internal corporate network?
Placing a NIDS between the corporate firewall and ISP
You are investigating an incident involving an internal host that has been communicating with a C&C server. You are having trouble determining the identity of the host. You discover that the flow of traffic from the host to the C&C server takes the following path: Switch A, Proxy A, Switch B, and Router A. Multiple departments also follow the same flow of traffic. You see one RFC1918 (private) address arriving at Router A. Which of the following administrators should be contacted FIRST in order to help aid in determining the identification of the compromised host?
Router A network administrator
A security administrator has concerns about new types of media which allow for the mass distribution of personal comments to a select group of people. To mitigate the risks involved with this media, employees should receive training on which of the following?
Social networking
A security team has established a security awareness program. Which of the following would BEST prove the success of the program?
Metrics
In which of the following steps of incident response does a team analyze the incident and determine steps to prevent a future occurrence?
Lessons learned
Which of these risk mitigation techniques could help prevent collusion between users?
Job rotation
Separation of duties is often implemented between developers and administrators in order to separate which of the following?
Changes to program code and the ability to deploy to production
Sara, a security architect, has developed a framework in which several authentication servers work together to increase processing power for an application. Which of the following does this represent?
Clustering
Which of the following is the BEST approach to perform risk mitigation of user access control rights?
Perform routine user permission reviews.
One of your datacenters is handling some sensitive data, however, it is in an area with a volatile political situation. You decide to move that data to another datacenter in a more stable region. Which risk mitigation strategy did you adopt here?
Avoidance
You find that some of your users have permissions to shares they should no longer have, because of department changes and promotions. Which of the following would mitigate this issue in the future?
User account reviews
You find that long-time employees have more system rights than they need to do their jobs. Which two should you implement to make sure employees only have the access they need to do their jobs?
Implement access control lists
Conduct user access reviews
Which of these would be the BEST example of a deterrent security control?
Security cameras
Which control should you use to reduce the risk of losing USB drives that contain confidential data?
DLP
You installed a new patch to a server which caused it to crash. You couldn’t find system rollback procedures so you just restored the server from the last backup. What can you do to prevent future problems caused by the lack of rollback procedures?
Change management plan
What would be the reason for having two racks of servers, one behind the other, facing in opposite directions?
To create environmental hot and cold aisles
Which stage of the Incident Handling process involves developing procedures in order to respond to future incidents?
Preparation
Before updating some production networking devices, you have been asked to first submit an implementation plan and a roll-back plan. Which type of risk mitigation strategy is being used here?
Change management
Which is the best way to ensure that ad hoc changes aren’t making their way into your live applications?
Change management
You are concerned that your database admins are also responsible for auditing database changes and backup logs. Which access control method would BEST help with this situation?
Separation of duties
Which of these uses disk striping with parity?
RAID 5
When you audit your business partner and compare your findings to the SLA, you are trying to verify:
Performance and service delivery metrics
Which of these would BEST address physical safety concerns for your building?
Escape routes
Which of these documents contains information about how and when something will be done, as well as penalties for failure?
SLA
Sally finds a thumb-drive in the parking lot and plugs it into her computer. As soon as she does, a command prompt opens up and a script starts running. She reports it to you, and you figure out that data on a server has been compromised. What is this scenario an example of?
Incident identification
When gathering evidence of a cyber-crime, in which of these system components should you capture data FIRST?
RAM
You have a server that fails and needs to be replaced once every 4 years and costs $4,000. Which would be the valid factors in a risk calculation for this?
ARO = 0.25; SLE = $4,000; ALE = $1,000
Bob, a security officer, has been ordered to look into a possible vulnerability on a server. After investigating, he decides it was a false alarm. Which of these is the BEST action he should take here?
Document the results and report the findings according to the incident response plan.
Which document would you need if you were going to share data between two companies, and you wanted to outline the data sensitivity, as well as the type and flow of the data?
ISA
One of your forensic analysts was handed a hard-drive to investigate. He used a log to capture events, then sent the evidence to the lawyers to be used in a court case. Which of these is being demonstrated?
Data analysis
You need to be able to restore data with an RPO of 24 hours, but you also need your backups to happen within a restricted timeframe. You also want to be able to take backups offsite every week. Which of these should you do?
Daily incremental backup to tape
Which of these would be MOST relevant to logical security controls?
Biometric access system
When developing your incident response plan, who should be trained on Order Of Volatility, Chain of Custody, and forensics?
First responders
Which of these would prevent users from installing unauthorized applications?
Least privilege
Your company often has guests who visit the office. Which of these would be a low-cost way to prevent those guests from viewing sensitive information?
Clean-desk policy
How would you calculate the total monetary losses from a vulnerability that has been exploited?
Calculate the ALE
How would you reduce the chances of electric shocks when touching metal items in your server room?
Increase the humidity in the room.
Which is the BEST description/objective of the term “succession planning”?
To ensure that a personnel management plan is in place to ensure continued operation of critical processes during an incident
The same admin who approves patches also deploys them. Your company has no formal vetting process for installed patches, and there is no documented patch management process. Which TWO controls should you implement to reduce the risk involved with this situation?
Separation of duties
Change management policy
After a security breach, you learn that not all of your incident-response team has the tools they need to do their job. You distribute those tools to your team, but when should this problem BEST be revisited?
Preparation
On your company systems, your admin has installed anti-virus software and then configured whitelisting controls to prevent malware and unauthorized application installation. What has he achieved by combining these two technologies?
Defense in depth
You’ve created a Continuity Of Operations Plan and need to be sure that everyone knows what actions to perform in the event of a disaster. Which of the following can be performed instead of completing a full fail-over to validate this requirement?
Tabletop exercise
Which of these would be the BEST reason to forbid employees from using their personal devices on the corporate network?
Personally owned devices might not be subjected to the same security controls as corporate devices.
Which BCP aspect involves choosing new key personnel when there is a loss?
Succession planning
What’s the name of the policy that defines how long certain types of data should remain on company equipment?
Data retention policy
Your company webserver sometimes reboots in the middle of the day due to regular OS patches. This results in loss of sales while the system is rebooting. Which of these would reduce the chances of this happening in the future?
Change management controls
You are considering several options for internet service at your location. Which of these documents would be the most likely to contain information about latency levels and MTTR?
SLA
Which would be the best preventative control to stop the theft of equipment from a construction site?
Fencing
When a company computer gets a virus or malware, it is immediately removed from the corporate network. Which incident response step does this describe?
Isolation
One of your admins has gone rogue and maliciously deleted some important folders from one of your servers. He or she logged on to the machine locally to do this. Unfortunately, you don’t know exactly which admin did this, so which of these would be the best way to figure out who did it?
CCTV review
Which of these would you implement if you wanted peer review and committee approval on all application changes before those applications make their way into your production environment?
Change management
During your Business Continuity Planning process, you and your team analyze a potential disaster and want to elicit constructive discussion. Which of these is being described?
Tabletop exercise
Which term refers to how often a device experiences a breakdown?
MTBF
Which of these documents would best protect against sharing data with people who are unauthorized to view that data?
NDA
You need to decommission all virtual servers hosted on the cloud. When wiping the virtual hard drives, which of the following should be removed?
Data remnants
Your data-center has had repeated burglaries that led to equipment theft and arson. The thieves have shown they are determined to bypass any installed safeguards. After mantraps had been installed to prevent tailgating, the thieves crashed through the wall of the data-center with a Humvee late at night. Which TWO of these could further improve the physical safety and security of the data-center?
K-rated fencing
FM200 fire suppression
You allow employees to use personal cell phones, laptops, and tablets for business purposes. Recently, several files infected by viruses have been detected on one of your servers. You suspect the files came from an employee’s personal laptop. Which of these BEST describes the cause of this issue?
Insufficient on-boarding procedures
A finance manager is responsible for both approving wire transfers and also for processing those transfers. A number of discrepancies have been found related to the wires and they appear to be fraudulent. Which of these should you implement to reduce the likelihood of fraud related to wire transfers?
Separation of duties
Which would you use to prove that digital evidence hasn’t been tampered with after being taken into custody?
Hashing
You’ve created a new technology that has the potential to revolutionize your industry. If you wanted to know who might be interested in stealing your intellectual property, which of these should you commission?
a threat assessment
The first responder to an incident has been asked to provide an after-action report. This is an example of which of these incident response procedures?
Lessons learned
A security administrator wants to perform routine tests on the network during working hours when certain applications are being accessed by the most people. Which of the following would allow the security administrator to test the lack of security controls for those applications with the least impact to the system?
Vulnerability scan
A security analyst, Sally, is reviewing an IRC channel and notices that a malicious exploit has been created for a frequently used application. She notifies the software vendor and asks them for remediation steps, but is alarmed to find that no patches are available to mitigate this vulnerability. Which of the following BEST describes this exploit?
Zero-day
The Quality Assurance team is testing a new third-party developed application. The Quality team does not have any experience with the application. Which of the following is the team performing?
Black box testing
A vulnerability scan is reporting that patches are missing on a server. After a review, it is determined that the application requiring the patch does not exist on the operating system. Which of the following describes this cause?
False positive
Using a heuristic system to detect an anomaly in a computer’s baseline, a system administrator was able to detect an attack even though the company signature-based IDS and antivirus did not detect it. Further analysis revealed that the attacker had downloaded an executable file onto the company PC from the USB port, and executed it to trigger a privilege escalation flaw. Which of the following attacks has MOST likely occurred?
Zero-day
A malicious individual is attempting to write too much data to an application’s memory. Which of the following describes this type of attack?
Buffer overflow
You find a workstation that has data-leakage occurring. Files are being transmitted to an IP address in China. You check the workstation and the antivirus and anti-malware software both have the latest signature files. You also check and find that the firewall has not been tampered with. Which is the MOST likely reason for the data-leakage?
Zero-day
Your wireless network uses two WAPs with one SSID. You do a network scan and you find three BSSIDs but only the one SSID. Which of the following is the best explanation?
Evil Twin
What is it called when you verify the data being submitted to a program, with the intent of preventing malicious attacks against the program or its data?
Input validation
Your boss thanks you for the increase in wireless network speed. You don’t know what he’s talking about so, after investigating, you find a WAP hidden in a potted plant outside of his office. Which type of attack is MOST likely happening?
Evil twin
Which TWO terms describe malware that tracks your web surfing activities, then shows you advertisements on other web pages?
Spyware
Adware
After having some wireless problems, you notice a new WAP has been turned on. It has the same SSID name as the corporate network and is set to the same channel as a nearby WAP, however, it isn’t connected to the wired network. Which is the MOST likely scenario that’s causing your wireless problems?
An evil twin attack
You want to see if your new webserver complies with your company security requirements. What is it called when you try to identify a lack of security controls, as well as common misconfigurations on the server?
Vulnerability scanning
Your UNIX server was hacked, and you think the attacker altered the log files to cover his tracks. Which of these would help detect attempts to further alter the log files?
Implement remote syslog
What’s it called when someone intercepts communications between two parties and modifies the data without either party being aware?
Man-in-the-middle