Mitigating Security Threats Flashcards

1
Q

You have enabled encryption for cloud-based virtual machine hard disks. To which term does this configuration apply?

Availability

Integrity

Confidentiality

A

Confidentiality

Encryption of data at rest or network transmissions provides confidentiality in that only possessors of a decryption key can return the cipher text to its original plain text form

2
Q

Your manager suggests using laptop hardware to store cryptographic keys that are used to protect disks in a Windows 10 laptop. Which type of hardware is required to implement this plan?

HSM

Load balancer

TPM

A

TPM

Trusted platform module (TPM) security firmware is embedded in some computer systems and supports boot process integrity and the storage of cryptographic keys used by that machine

3
Q

You have decided to use a centralized hardware solution for storing cryptographic keys. The keys will be used to protect data at rest. Which type of hardware is required to implement this plan?

HSM

Load balancer

TPM

A

HSM

A hardware security module (HSM) is an appliance that is used to securely store cryptographic secrets that can be accessed by multiple hosts. In the cloud, managed HSM solutions are referred to as HSM as a service (HSMaaS)

4
Q

Your Windows laptop has a single disk containing operating system files and data. The machine does not support TPM, and a local cryptographic key must be used to encrypt and decrypt the drive. What should you configure?

HSM

Group policy

A removable USB drive containing the key

A

A removable USB drive containing the key

Many disk encryption solutions allow the decryption key to be provided through a removable USB drive, which is often used in place of trusted platform module (TPM) firmware key storage

5
Q

To which OSI model layer do port numbers apply?

Network

Session

Transport

A

Transport

Layer 4 of the Open Systems Interconnection (OSI) model is the transport layer, which can use User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) port numbers to identify a network service running on a host. Port numbers are layer 4 addresses

6
Q

You are attempting to use SSH to remotely manage a running Linux server hosted in the cloud, but the connection is never made. Standard TCP port numbers are being used. What is the most likely cause of the problem?

Port 23 traffic is blocked.

Port 389 traffic is blocked.

Port 22 traffic is blocked.

A

Port 22 traffic is blocked.

Secure Shell (SSH) is commonly used to remotely manage network equipment as well as Unix and Linux hosts. The standard SSH port number is TCP port 22

7
Q

You are part of a penetration testing team hired to test an organization’s network security. The first phase of the test involves reconnaissance to discover which network services might be exposed to the Internet. Which tool should be used to complete this phase as quickly as possible?

Vulnerability scanner

HSM

Port scanner

A

Port scanner

Port scanners can scan a single host or multiple hosts for open ports

8
Q

Your load balancer is configured with a TLS certificate and contacts backend web application servers listening on TCP port 8081. Users must be able to access the web application using standard TCP port numbers in their web browsers. Which listening port should you configure on the load balancer?

25

80

443

A

443

TCP port 443 is the standard HTTPS port. Users do not have to enter the port number in their web browser address bar when standard port numbers for HTTP and HTTPS are in use

9
Q

Your IoT video surveillance device allows remote management connections over HTTPS. To increase security, you want to use a nonstandard port number exposed to the Internet for managing the IoT device. What should you configure?

Port forwarding

TLS

Load balancer

A

Port forwarding

Port forwarding enables a device to listen on a configured port number on an external interface; traffic received on that port is then sent internally to devices using either the same or a different port number. In this case, a port number other than 443 (HTTPS) should be used to increase security. If you’re using a web browser to connect to IoT devices, the port number will have to follow the IP address or hostname after a colon (:), such as https://mydevice.local:2000

10
Q

What should you recommend to harden a Linux computer that is currently configured and being used in the following way?

• The computer administrator signs in using the default root account.

• Remote SSH management is done using the default port number.

• For confidentiality purposes, file hashes of customer financial transaction data have been generated on a local disk volume where the source data is also stored.

Use the sudo command, change port 22 to a nonstandard port, and encrypt customer data.

Change port 22 to a nonstandard port and regenerate updated customer data file hashes.

Change port 80 to a nonstandard port and regenerate updated customer data file hashes.

A

Use the sudo command, change port 22 to a nonstandard port, and encrypt customer data.

The sudo command is used to run other commands with escalated privileges when you’re not logged in using the root account (logging in as root is not recommended for security reasons). Changing default port numbers, such as TCP 22 for SSH, is one way to harden network services. Hashing customer data files can be used to determine whether the data has been tampered with, but encryption ensures that only authorized parties can even read customer data

11
Q

You need to apply security settings to the registry on a Windows server. Which command should you use?

cipher

certutil

regedit

A

regedit

The Windows regedit command enables Windows administrators to view and modify registry entries, import and export registry settings, and set permissions to different parts of the registry

12
Q

An application named APP1 runs on a domain-joined Windows server named SERVER1. When APP1 runs, it reads and writes to a specific registry key. You need to harden APP1’s access to the registry. What should you do?

Create a service account for APP1 and assign the service account the appropriate registry permissions using regedit.exe.

Create a service account for SERVER1 and assign the service account the appropriate registry permissions using regedit.exe.

Create a service account for APP1 and add it as a member to the Domain Admins group.

A

Create a service account for APP1 and assign the service account the appropriate registry permissions using regedit.exe.

Software requiring specific permissions can be configured to use a service account, which can then be granted specific permissions to parts of the Windows registry using the regedit.exe tool

13
Q

You need to use a command line tool to disable the Windows AutoRun feature in the Windows registry on Microsoft Windows Server Core computers. You have exported the appropriate registry settings to a file named DISABLEAUTORUN.REG. Which command should you issue on Server Core computers?

cipher disableautorun.reg

msconfig disableautorun.reg

regedit disableautorun.reg

A

regedit disableautorun.reg

The regedit command can be used to manipulate the Windows registry, including importing .reg files

14
Q

Which regedit.exe command line parameter is used to export a registry subkey?

regedit /S

regedit /Export

regedit /E

A

regedit /E

The /E switch for the regedit command means “export.” A filename must also be specified

15
Q

Your organization uses Windows desktop computers. You need to implement an efficient solution for deploying updates to the Windows computers. What should you deploy?

HSM

WSUS

TLS

A

WSUS

Windows Server Update Services (WSUS) is a Windows Server role designed to provide updates to internal Windows hosts instead of all internal Windows hosts pulling down updates

16
Q

Your organization uses Windows client machines connected to an on-premises Active Directory domain. You need to configure all client machines to point to the newly deployed WSUS update server. What should you do?

Create a Bash script.

Configure the registry on client machines.

Configure a group policy.

A

Configure a group policy.

In order for Windows clients to pull updates from a WSUS server, they must be configured to do so. This can be done centrally for Microsoft Active Directory domain-joined computers using group policy

17
Q

You have been tasked with configuring a WSUS update server, but when you sign in to the Windows server, WSUS is unavailable in the Start menu. Why is this happening?

Your user account lacks sufficient permissions.

WSUS must be managed from the command line.

The WSUS role has not been installed.

A

The WSUS role has not been installed.

The Windows Server Update Services (WSUS) role is not installed by default and can be installed using the Server Manager GUI or the Install-WindowsFeature PowerShell cmdlet

18
Q

You need to configure a network perimeter firewall to enable a newly deployed branch office WSUS server to synchronize updates over HTTP from an existing WSUS server located in the headquarters office. Standard port numbers are being used. Which TCP port number should be opened up in the firewall?

80

3389

8530

A

8530

Windows Server Update Services (WSUS) uses TCP port 8530 for HTTP transmissions and TCP port 8531 for HTTPS transmissions

19
Q

Which Red Hat Enterprise Linux command is used to apply server updates?

wsus update

wua update

yum update

A

yum update

Red Hat Enterprise Linux (RHEL) uses the yum command syntax to manage software, including updates

20
Q

Your Windows stations use non-Microsoft applications. You need to ensure that patches and updates for these applications are applied on a regular basis. What should you do?

Configure yum updates.

Configure apt-get updates.

Deploy a third-party update tool.

A

Deploy a third-party update tool.

WSUS is designed for Microsoft software updates, not third-party software updates, so a third-party update tool must be used in this case

21
Q

You are about to install a new line-of-business application on sales managers’ Windows computers. The new app requires a specific Windows security update to have been applied. The Windows computers download updates directly from Microsoft on the Internet. What should you do?

Review network-perimeter firewall logs.

View the Windows firewall log settings.

View the update history on sales managers’ computers.

A

View the update history on sales managers’ computers.

Windows computers retain Windows update details, including specific update names and versions. This information is accessible through the Windows update history

22
Q

Upon starting your Ubuntu Linux server, you are presented with a message asking for a disk unlock key. Nobody in the IT department has knowledge of a disk unlock key. What does this mean?

The Linux disk is hashed; the key must be retrieved from a recovery agent.

The Linux disk is hashed and is no longer accessible.

The Linux disk is encrypted and is no longer accessible.

A

The Linux disk is encrypted and is no longer accessible.

Disks that are encrypted with a passphrase or key are inaccessible if the passphrase or key cannot be provided. The disk could be repartitioned and formatted and used again, however

23
Q

You need to allow standard HTTP traffic into an Ubuntu Linux server running the Apache web server. You are logged into the host with your user account. Which Linux command should you use?

sudo ufw allow 80/tcp

ufw allow 80/tcp

sudo ufw allow 443/tcp

A

sudo ufw allow 80/tcp

Linux commands that make system changes require elevated privileges, which are obtained using the sudo command prefix. The Linux universal firewall (ufw) command can allow HTTP traffic over TCP port 80

24
Q

You need to scan hosts on a network to determine which ports are open. Which TCP/IP protocols use port numbers? (Choose two.)

IP

ICMP

TCP

UDP

A

TCP

UDP

The Transmission Control Protocol (TCP) establishes “sessions” between hosts before transmissions can occur. After session establishment, transmitted data receipt must be acknowledged by the recipient; otherwise, the data is re-sent by the sender. Many network services use TCP, and each network service on a host is uniquely identified by a port number. The User Datagram Protocol (UDP) does not use sessions; instead, it simply transmits data to a target with no receipt acknowledgments. Network services that use the UDP transport also use port numbers

25
Q

Why is UDP port scanning through firewalls considered unreliable?

Most firewalls block IP packets.

Most firewalls block ICMP packets.

Most firewalls block HTTP traffic.

A

Most firewalls block ICMP packets.

Common forms of UDP port scanning use ICMP, which reports if a network host is unreachable for some reason. This can indicate that the port is closed. Because most firewalls block ICMP, this type of scanning is not considered reliable

26
Q

You have placed IoT HVAC devices on an isolated subnet named SUBNET1. The IoT devices can be managed only through an HTTP connection using standard port numbers. When you’re configuring the network firewall for SUBNET1, which inbound traffic should be allowed?

None

All

TCP port 80

A

TCP port 80

HTTP connections use the standard TCP 80 port number. Internal segmentation firewalls (ISFWs) are used to allow or block network traffic between internal network segments