pp Flashcards

Question

A security specialist reviews an open data closet and discovers areas for improvement. Most notable is the exposed connectivity media. Which concerns does the specialist have regarding the need for better security? (Select all that apply.) Eavesdropping Speed Damage Length

Answer 1

AC A physically secure cabled network is referred to as a protected distribution system (PDS). This method of cable installation can deter eavesdropping. A hardened PDS is one where all cabling is routed through sealed metal conduit. This type of enclosure protects the cabling from accidental or intentional damage. The speed, or throughput, of a network cable is dependent on the type of cable such as Cat5 versus Cat6. The cable speed is typical based on the number of twists inside the cable and is not a security concern. The length of a network cable is dependent on the type of cable such as Cat5 versus Cat6. The cable length dictates how far signal can travel and is not a security concern. P560 Protected Distribution and Faraday Cages A physically secure cabled network is referred to as protected cable distribution or as a protected distribution system (PDS). There are two principal risks: • An intruder could attach eavesdropping equipment to the cable (a tap). • An intruder could cut the cable (Denial of Service). A hardened PDS is one where all cabling is routed through sealed metal conduit and subject to periodic visual inspection. Lower-grade options are to use different materials for the conduit (plastic, for instance). Another option is to install an alarm system within the cable conduit, so that intrusions can be detected automatically. It is possible to install communications equipment within a shielded enclosure, known as a Faraday Cage. The cage is a charged conductive mesh that blocks signals from entering or leaving the area. The risk of eavesdropping from leakage of electromagnetic signals was investigated by the US DoD who defined TEMPEST (Transient Electromagnetic Pulse Emanation Standard) as a means of shieldingthe signals.

Answer 2

C A single hash function, symmetric cipher, or asymmetric cipher is called a cryptographic primitive. The properties of different symmetric/asymmetric/hash types and of specific ciphers for each type impose limitations when used alone. Non-repudiation depends on a recipient not being able to encrypt the message, or the recipient would be able to impersonate the sender. A complete cryptographic system or product is likely to use multiple cryptographic primitives, such as within a cipher suite. To use a key pair, the user or server generates the linked keys. These keys are an example of a cryptographic primitive that uses a symmetric cipher. P121 A single hash function, symmetric cipher, or asymmetric cipher is called a cryptographic primitive. A complete cryptographic system or product is likely to use multiple cryptographic primitives, such as within a cipher suite. The properties of different symmetric/asymmetric/hash types and of specific ciphers for each type impose limitations on their use in different contexts and for different purposes. If you are able to encrypt a message in a particular way, it follows that the recipient of the message knows with whom he or she is communicating (that is, the sender is authenticated). This means that encryption can form the basis of identification, authentication, and access control systems.

Answer 3

AD Blockchain is recorded in a public ledger. This ledger does not exist as an individual file on a single computer; rather, it is distributed across a peer-to-peer (P2P) network. The hash value of a previous block in a chain is added to the hash calculation of the next block in the chain. This ensures that each successive block is cryptographically linked. Steganography is a technique for obscuring the presence of a message. Typically, information is embedded where it is not expected. Homomorphic encryption is a solution that allows an entity to use information in particular fields within the data while keeping the data set as a whole encrypted. P131 Blockchainis a concept in which an expanding list of transactional records is secured using cryptography. Each record is referred to as a blockand is run through a hash function. The hash value of the previous block in the chain is added to the hash calculation of the next block in the chain. This ensures that each successive block is cryptographically linked. Each block validates the hash of the previous block, all the way through to the beginning of the chain, ensuring that each historical transaction has not been tampered with. In addition, each block typically includes a timestamp of one or more transactions, as well as the data involved in the transactions themselves. The blockchain is recorded in a public ledger. This ledger does not exist as an individual file on a single computer; rather, one of the most important characteristics of a blockchain is that it is decentralized. The ledger is distributed across a peer-to-peer (P2P) network in order to mitigate the risks associated with having a single point of failure or compromise. Blockchain users can therefore trust each other equally. Likewise, another defining quality of a blockchain is its openness—everyone has the same ability to view every transaction on a blockchain. Blockchain technology has a variety of potential applications. It can ensure the integrity and transparency of financial transactions, online voting systems, identity management systems, notarization, data storage, and more. However, blockchain is still an emerging technology, and outside of cryptocurrencies, has not yet been adopted on a wideranging scale.

Answer 4

C Availability over confidentiality and integrity is often presented by taking "shortcuts" to get a service up and running. Compromising security might represent a quick fix but creates long term risks. Complex dependencies may include services that require many different systems to be available. Ideally, the failure of individual systems or services should not affect the overall performance of other network services. Overdependence on perimeter security can occur if the network architecture is "flat." Penetrating the network edge gives the attacker freedom of movement. A single point of failure is a "pinch point" in a network that may rely on a single hardware server or appliance. P236 Secure Network Designs A secure network design provisions the assets and services underpinning business workflows with the properties of confidentiality, integrity, and availability. Weaknesses in the network architecture make it more susceptible to undetected intrusions or to catastrophic service failures. Typical weaknesses include: • Single points of failure—a "pinch point" relying on a single hardware server or appliance or network channel. • Complex dependencies—services that require many different systems to be available. Ideally, the failure of individual systems or services should not affect the overall performance of other network services. • Availability over confidentiality and integrity—often it is tempting to take "shortcuts" to get a service up and running. Compromising security might represent a quick fix but creates long term risks. • Lack of documentation and change control—network segments, appliances, and services might be added without proper change control procedures, leading to a lack of visibility into how the network is constituted. It is vital that network managers understand business workflows and the network services that underpin them. • Overdependence on perimeter security—if the network architecture is "flat" (that is, if any host can contact any other host), penetrating the network edge gives the attacker freedom of movement.

Answer 5

BC A transparent proxy must be implemented on a switch, router, or other inline network appliance. An intercepting proxy (known as a transparent proxy) is configured to intercept client traffic without the client having to be reconfigured. A non-transparent proxy configuration means that the client must be configured with the proxy server address and port number to use it. Proxy servers can be application-specific; others are multipurpose. A multipurpose proxy is one configured with filters for multiple protocol types. In this case, the target is not a specific application. P271 A proxy server must understand the application it is servicing. For example, a web proxy must be able to parse and modify HTTP and HTTPS commands (and potentially HTML and scripts too). Some proxy servers are application-specific; others are multipurpose. A multipurpose proxy is one configured with filters for multiple protocol types, such as HTTP, FTP, and SMTP. Proxy servers can generally be classed as non-transparent or transparent. • A non-transparent proxymeans that the client must be configured with the proxy server address and port number to use it. The port on which the proxy server accepts client connections is often configured as port 8080.auto • A transparent (or forced or intercepting) proxyintercepts client traffic without the client having to be reconfigured. A transparent proxy must be implemented on a switch or router or other inline network appliance.

Answer 6

C Tunnel mode, also called router implementation, creates a virtual private network (VPN), allowing communications between VPN gateways across an unsecure network. Transport mode secures communications between hosts on a private network (an end-to-end implementation). The AH protocol authenticates the origin of transmitted data and provides integrity and protection against replay attacks. The payload is not encrypted, so this protocol does not provide confidentiality. ESP is an IPSec sub-protocol that enables encryption and authentication of a data packet’s header and payload. Encapsulation Security Payload (ESP) provides confidentiality and/or authentication and integrity, and can be used to encrypt the packet. P316 IPSec can be used in two modes: • Transport mode—this mode is used to secure communications between hosts on a private network (an end-to-end implementation). When ESP is applied in transport mode, the IP header for each packet is not encrypted, just the payload data. If AH is used in transport mode, it can provide integrity for the IP header. • Tunnel mode—this mode is used for communications between VPN gateways across an unsecure network (creating a VPN). This is also referred to as a router implementation. With ESP, the whole IP packet (header and payload) is encrypted and encapsulated as a datagram with a new IP header. AH has no real use case in tunnel mode, as confidentiality will usually be required.

Answer 7

CD(因為這個題目在問跟認證有關的選項) The lack of compute resources means that embedded systems are not well-matched to the cryptographic identification technologies that are widely used on computer networks. As embedded systems become more accessible, they will need to use authentication technologies to ensure consistent confidentiality, integrity, and availability. Due to their size, embedded systems are usually constrained in terms of processor capability (cores and speed), system memory, and persistent storage. Networks for embedded systems emphasize the power-efficient transfer of small amounts of data with a high degree of reliability and low latency. P341

Answer 8

BD SCADA typically runs as software on ordinary computers, gathering data from and managing plant devices and equipment, with embedded PLCs, referred to as field devices. Many sectors of industry, including utilities, industrial processing, fabrication and manufacturing, logistics, and facilities management use these types of systems. SCADA typically use WAN communications, such as cellular or satellite, to link the SCADA server to field devices. ICS/SCADA was historically built without regard to IT security, though there is now high awareness of the necessity of enforcing security controls to protect them, especially when they operate in a networked environment. P344

Answer 9

BC Point-to-multipoint (P2M) microwave links multiple sites and uses smaller sectoral antennas than P2P, each covering a separate quadrant. P2M links multiple sites or subscriber nodes to a single hub. This can be more cost-efficient in high density urban areas and requires less radio spectrum. A high gain connection means that the antennas used between sites are highly directional. Each antenna is pointed directly at the other. Point-to-point (P2P) microwave uses high gain antennas to link two sites. The satellite modems or routers are also normally paired to one another. P372 Point-to-multipoint (P2M)microwave uses smaller sectoral antennas, each covering a separate quadrant. Where P2P is between two sites, P2M links multiple sites or subscriber nodes to a single hub. This can be more cost-efficient in high density urban areas and requires less radio spectrum. Each subscriber node is distinguished by multiplexing. Because of the higher risk of signal interception compared to P2P, it is crucial that links be protected by over-the-air encryption.

Answer 10

A Virtual desktop infrastructure (VDI) means provisioning an OS desktop to interchangeable hardware. The hardware only has to be capable of running a VDI client viewer or have a browser support a clientless HTML5 solution. Each time a user accesses VDI, the session is “as new” and employees can remotely access it. Location services alone represent a security risk. Location services can use geo-fencing to enforce context-aware authentication based on the device’s location. If a malicious actor steals a user's device using a remote wipe (kill switch), it can reset the device to factory defaults or clear personal data (sanitization). Carrier unlocking involves the removal of restrictions that lock a device to a single carrier and uses it for privilege escalation. P423 Virtual desktop infrastructure (VDI)refers to using a VM as a means of provisioning corporate desktops. In a typical VDI, desktop computers are replaced by low-spec, low-power thin client computers. When the thin client starts, it boots a minimal OS, allowing the user to log on to a VM stored on the company server infrastructure. The user makes a connection to the VM using some sort of remote desktop protocol (Microsoft Remote Desktop or Citrix ICA, for instance). The thin client has to find the correct image and use an appropriate authentication mechanism. There may be a 1:1 mapping based on machine name or IP address or the process of finding an image may be handled by a connection broker. P623 Virtual Desktop Infrastructure (VDI) allows a client device to access a VM. In this scenario, the mobile device is the client device. Corporate data is stored and processed on the VM so there is less chance of it being compromised, even though the client device itself is not fully managed

Answer 11

B To configure a public subnet, first an Internet gateway (virtual router) must be attached to the VPC configuration. Secondly, the Internet gateway must be configured as the default route for each public subnet. After a VPC has a virtual router attached, a gateway is set as a default route. If an Internet gateway is not assigned as a default route, the subnet is private. Each instance in a public subnet is configured with a public IP in its cloud profile. The Internet gateway performs 1:1 network address translation (NAT) to route Internet communications to and from the instance. Typically, the virtual Internet gateway performs 1:1 network address translation (NAT) to route Internet communications to and from the instance. One-to-many is another NAT approach. P433 Virtual Private Clouds (VPCs) Each customer can create one or more virtual private clouds (VPCs)attached to their account. By default, a VPC is isolated from other CSP accounts and from other VPCs operating in the same account. This means that customer A cannot view traffic passing over customer B's VPC. The workload for each VPC is isolated from other VPCs. Within the VPC, the cloud consumer can assign an IPv4 CIDR block and configure one or more subnets within that block. Optionally, an IPv6 CIDR block can be assigned also. The following notes focus on features of networking in AWS. Other vendors support similar functionality, though sometimes with different terminology. For example, in Microsoft Azure, VPCs are referred to as virtual networks. Public and Private Subnets Each subnet within a VPC can either be private or public. To configure a public subnet, first an Internet gateway (virtual router) must be attached to the VPC configuration. Secondly, the Internet gateway must be configured as the default route for each public subnet. If a default route is not configured, the subnet remains private, even if an Internet gateway is attached to the VPC. Each instance in the subnet must also be configured with a public IP in its cloud profile. The Internet gateway performs 1:1 network address translation (NAT) to route Internet communications to and from the instance. The instance network adapter is not configured with this public IP address. The instance's NIC is configured with an IP address for the subnet. The public address is used by the virtualization management layer only. Public IP addresses can be assigned from your own pool or from a CSP-managed service, such as Amazon's Elastic IP

Answer 12

A The local system account creates the host processes that start Windows before the user logs on. Administrative or privileged accounts can install and remove apps and device drivers. Admin should prohibit superuser accounts from logging on in normal circumstances. Admin should replace the default superuser with named accounts that have sufficient elevated privileges for a given job role. This ensures that admin can audit administrative activity and the system conforms to non-repudiation. A network service account has the same privileges as the standard user account but can present the computer's account credentials when accessing network resources. A local service account has the same privileges as the standard user account. It can only access network resources as an anonymous user.

Answer 13

BC Smart-card authentication means programming cryptographic information onto a card equipped with a secure processing chip. The chip stores the user's digital certificate, the private key associated with the certificate, and a personal identification number (PIN) used to activate the card. Strong, multifactor authentication (MFA) technology combines the use of more than one type of knowledge, ownership, and biometric factor. A Trusted Platform Module (TPM) is a cryptoprocessor enclave implemented on a PC, laptop, smartphone, or network appliance. The TPM is usually a module within the CPU and can be used to present a virtual smart card. A one-time password (OTP) is generated automatically, rather than being chosen by a user, and used only once.

Answer 14

A One of the most important standard extensions is key usage. This extension defines the purpose for issuing a digital certificate, such as for signing documents or key exchange. The ability to create a secure key pair of the required strength using the chosen cipher is key generation, not key usage. Configuring the security log to record key indicators and then reviewing the logs for suspicious activity is usage auditing, not key usage. In terms of key management, escrow refers to archiving a key (or keys) with a third party. It is not key usage. P140

Answer 15

AD If the date and time settings on the system are not synchronized with the server’s setting, the server’s certificate will be rejected. An expired server certificate would cause the browser to return an error message. Certificate pinning ensures that when a client inspects the certificate presented by a server, it is inspecting the proper certificate. This is mostly done to prevent a Man-in-the-Middle attack and would not generate an error message. A mistyped web address would not return an error message about the server certificate. It would return a message that the website could not be found.

Answer 16

The traceroute command performs route discovery from a Linux host. This command uses UDP probes rather than ICMP, by default. The route command displays and modifies a system's local routing table. This command does not collect network data. The tracert command uses ICMP probes to report the round trip time (RTT) for hops between the local host and a host on a remote network. This command is a Windows based tool. The pathping command is a Windows tool that provides statistics for latency and packet loss along a route over a measuring period.

Answer 17

AB A media report of a newly discovered vulnerability in the version of software that’s currently running would be valuable information that should be addressed immediately. A whistleblower with information about a potential insider threat would be worthy of pursuit. “Out of band” is an authenticated communications channel separate from the company’s primary channel. If the marketing department is trying to post a document that has been identified as confidential data, the IT department would not be concerned since the company’s data loss prevention mechanisms are working. If an employee is trying to save a document that has been identified as confidential data to USB and it fails, the IT department would not be concerned since the company’s data loss prevention mechanisms are working.

Answer 18

BC Quarantining is the process of isolating a file, computer system, or computer network to prevent the spread of a virus or another cybersecurity incident. This allows for analysis of the attack and collection of evidence. A hot swap involves bringing a backup system into operation, and the live system is frozen to preserve evidence of the attack. Analysis is an early stage in the process and involves determining whether a genuine incident has been identified and what level of priority it should be assigned. Gathering and preserving evidence is not a consideration at this point. Prevention occurs when the response team takes countermeasures to end the incident on the live system, without regard to preserving evidence.

Answer 19

B In a walkthrough, a facilitator presents a scenario and the incident responders demonstrate what actions they would take. Responders may run scans and analyze sample files, typically on sandboxed versions of the company's actual response and recovery tools. The facilitator in a tabletop exercise presents a scenario and the responders explain what action they would take to manage the threat—without the use of computer systems. Simulations are team-based exercises, where the red team attempts an intrusion, the blue team operates response and recovery controls, and a white team moderates and evaluates the exercise. Digital forensics describes techniques to collect and preserve evidence. Forensics procedures are detailed and time-consuming, where the purpose of incident responses are usually urgent.

Answer 20

A The goal of the containment stage is to secure data while limiting the immediate impact on customers and business partners. Based on an alert or report, identification determines whether an incident has taken place, how severe it might be (triage), and notifies stakeholders. Once the security admin contains the incident, eradication removes the cause and restores the affected system to a secure state. When security admin eradicates the cause of the incident, they can reintegrate the system into the business process that it supports. This recovery phase may involve restoration of data from backup and security testing.

Answer 21

C Statistical deviation analysis can alert security admin to a suspicious data point. A cluster graph might show activity by standard users and privileged users, and data points outside these clusters may indicate suspicious account activity. Frequency-based trend analysis establishes a baseline for a metric, and if frequency exceeds the baseline threshold, then the system raises an alert. Volume-based trend analysis uses simpler indicators, such as log or network traffic volume, or endpoint disk usage. Unusual log growth needs investigating, and unexpected disk capacity may signify data exfiltration. Syslog provides an open format, protocol, and server software for logging event messages. A very wide range of host types use Syslog.

Answer 22

D Analysis methods should follow strong ethical principles and must be repeatable by third parties with access to the same evidence. This can indicate that any evidence has not been changed or manipulated. Searching information through e-discovery allows investigators to locate files of interest to the case. As well as keyword search, software might support semantic search. Applying standardized keywords or tags to files and metadata helps to organize evidence. Tags might be used to indicate relevancy to a case or part of a case. Disclosure is an important part of trial procedure. Disclosure states that the same evidence be made available to both plaintiff and defendant.

Answer 23

C CPU registers and cache memory are most highly volatile, although they may not be accessible as sources of forensics evidence. Non-persistent system memory (RAM) contents, including routing table, ARP cache, process table, kernel statistics occupy the second volatility priority. The third most volatile category includes data on persistent mass storage devices. This includes system memory caches, partition and file system blocks, slack space, free space, temporary file caches, and user, application, and OS files and directories. Remote logging and monitoring data comprise the fourth most volatile form of data, followed by physical configuration and network topology. Archival media and printed documents are considered least volatile. P500 Data acquisition usually proceeds by using a tool to make an image from the data held on the target device. An image can be acquired from either volatile or nonvolatile storage. The general principle is to capture evidence in the order of volatility, from more volatile to less volatile. The ISOC best practice guide to evidence collection and archiving, published as tools.ietf.org/html/rfc3227, sets out the general order as follows: 1. CPU registers and cache memory (including cache on disk controllers, GPUs, and so on). 2. Contents of nonpersistent system memory (RAM), including routing table, ARP cache, process table, kernel statistics. 3. Data on persistent mass storage devices (HDDs, SSDs, and flash memory devices): • Partition and file system blocks, slack space, and free space. • System memory caches, such as swap space/virtual memory and hibernation files. • Temporary file caches, such as the browser cache. • User, application, and OS files and directories. 4. Remote logging and monitoring data. 5. Physical configuration and network topology. 6. Archival media and printed documents.

Answer 24

D Following a break-in that included both physical intrusion and data compromise, the lab should take corrective action to reduce the impact of the intrusion event. Implementing preventative measures can help secure data from future attacks, and physical controls can mitigate the probability of future physical break-ins. Deterrent controls, such as warning signs, may not physically or logically prevent access, but psychologically discourage attackers from attempting an intrusion. Detective controls, such as logs, which operate during an attack, may not prevent or deter access, but they will identify and record any attempted or successful intrusion. Compensating controls serve as a substitute for a principal control, but corrective controls reduce the impact of an intrusion event.

Answer 25

ACD(?A??? Mandatory vacations force employees to take earned vacation time. During this time, someone else fulfills their duties while they are away so audits can occur and potential discrepancies can be identified. The principle of least privilege solely grants a user sufficient rights to perform a specific job. For critical tasks, duties should be divided between several people. Standard Operating Procedures (SOPs) result in the employee having no cause for lapses in following protocol in terms of performing these types of critical operations. It is advisable that employees do not stay in the same role for an extended period of time. For example, managers may be moved to different departments periodically. P192 Separation of Duties Separation of dutiesis a means of establishing checks and balances against the possibility that critical systems or procedures can be compromised by insider threats. Duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers. An employee is supposed to work for the interests of their organization exclusively. A situation where someone can act in his or her own interest, personally, or in the interests of a third party is said to be a conflict of interest. Separation of duties means that employees must be constrained by security policies: • Standard operating procedures (SOPs) mean that an employee has no excuse for not following protocol in terms of performing these types of critical operations. • Shared authority means that no one user is able to action or enable changes on his or her own authority. At least two people must authorize the change. One example is separating responsibility for purchasing (ordering) from that of authorizing payment. Another is that a request to create an account should be subject to approval and oversight. Separation of duties does not completely eliminate risk because there is still the chance of collusion between two or more people. This, however, is a much less likely occurrence than a single rogue employee.

Answer 26

C A baseline configuration is the template of settings that a device, VM instance, or other CI was configured to, and that a system should continue to match while in use. A template is a predefined set of settings that are used when deploying a system. With configuration management, a template helps to deploy a uniform environment. Diagrams are the best way to capture the complex relationships between network elements. Diagrams can be used to show how CIs are involved in business workflows. With serverless technologies, applications are developed as functions and microservices, each interacting with other functions to facilitate client requests. Microservices are not a management item.

Answer 27

B Effective risk management must focus on mission essential functions that could cause the whole business to fail if they are not performed. Identifying these systems and processes should be done first. Identifying vulnerabilities for each function or workflow (starting with the most critical) is done by analyzing systems and assets to discover and list any vulnerabilities or weaknesses. Analyzing business impacts identifies the likelihood of a vulnerability being activated as a security incident by a threat and the impact of that incident on critical systems. Identifying risk response for each risk requires identifying possible countermeasures and assesses the cost of deploying additional security controls to protect systems and processes. P510 Risk managementis a process for identifying, assessing, and mitigating vulnerabilities and threats to the essential functions that a business must perform to serve its customers. You can think of this process as being performed over five phases: 1. Identify mission essential functions—mitigating risk can involve a large amount of expenditure so it is important to focus efforts. Effective risk management must focus on mission essential functions that could cause the whole business to fail if they are not performed. Part of this process involves identifying critical systems and assets that support these functions. 2. Identify vulnerabilities—for each function or workflow (starting with the most critical), analyze systems and assets to discover and list any vulnerabilities or weaknesses to which they may be susceptible. 3. Identify threats—for each function or workflow, identify the threat sources and actors that may take advantage of or exploit or accidentally trigger vulnerabilities. 4. Analyze business impacts—the likelihood of a vulnerability being activated as a security incident by a threat and the impact of that incident on critical systems are the factors used to assess risk. There are quantitative and qualitative methods of analyzing impacts and likelihood. 5. Identify risk response—for each risk, identify possible countermeasures and assess the cost of deploying additional security controls. Most risks require some sort of mitigation, but other types of response might be more appropriate for certain types and level of risks.

Answer 28

A Control risk measures how much less effective a security control has become over time. Risk management is an ongoing process, requiring continual reassessment and re-prioritization. Transference (or sharing) means assigning risk to a third-party, such as an insurance company or a contract with a supplier that defines liabilities. A company’s IT department is not a third-party. A security categorization (SC) of low risk describes an impact as minor damage to an asset or loss of performance (though essential functions remain operational). Companies may accept some risks. Risk acceptance means that no countermeasures are emplaced either because the level of risk does not justify the cost or because there will be unavoidable delay before deploying the countermeasures.

Answer 29

A RPO is the amount of data loss a system can sustain, measured in time. That is, if a virus destroys a database, an RPO of 24 hours means the system can recover the data (from a backup copy) to a point not more than 24 hours before the infection. RTO is the post-disaster period an IT system may remain offline, including the amount of time it takes to identify a problem and perform recovery. MTD is the longest period of time that a business function outage may occur, without causing irrecoverable business failure. Following system recovery, WRT is the additional work necessary to reintegrate systems, test functionality, and brief users on changes and updates to fully support the business function.

Answer 30

C Critical or top secret information is too valuable to allow any risk of its capture. Viewing is severely restricted. Confidential or secret information is highly sensitive, for viewing only by approved persons within the owner organization, and possibly by trusted third parties under NDA. The terms confidential and secret are sometimes used interchangeably, but some agencies make a distinction between confidential and secret data. Another type of classification schema identifies the kind of information asset. Proprietary information or intellectual property (IP) is information a company creates and owns; typically about the products or services that they make or perform.

Answer 31

A Any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. An ISA sets out a security risk awareness process and commits the agency and supplier to implementing security controls. An NDA establishes a legal basis for protecting information assets. If a party breaks this agreement and shares prohibited information, they may face legal consequences. Data sharing and use agreements specify the purpose for which an entity can collect and analyze data, and proscribes the use of re-identification techniques. An SLA is a contractual agreement detailing the terms under which a contractor provides service. This includes terms for security access controls and risk assessments plus processing requirements for confidential and private data.

Answer 32

A External responsibility for security (due care or liability) lies mainly with directors or owners. It is important to note that all employees share some measure of responsibility. Technical and specialist staff have the direct responsibility for implementing, maintaining, and monitoring the policy. Security might be made a core competency of systems and network administrators, or there may be dedicated security administrators. Managers at an organization may have responsibility for a specific domain or unit, such as building control, ICT, or accounting. Non-technical staff have the responsibility of complying with policy and with any relevant legislation. Public relations is responsible for media communications.

Answer 33

D DevSecOps extends the boundary to security specialists and personnel, reflecting the principle that security is a primary consideration at every stage of software development and deployment. Traditionally, software code would be the responsibility of a programming or development team. Separate development and operations departments or teams can lead to silos. A dedicated cyber incident response team (CIRT)/computer security incident response team (CSIRT)/computer emergency response team (CERT) as a single point-of-contact for the notification of security incidents. Development and operations (DevOps) is a cultural shift within an organization to encourage much more collaboration between developers and system administrators.

Answer 34

B The Computer Security Act (1987) specifically requires federal agencies to develop security policies for computer systems that process confidential information. The Sarbanes-Oxley Act (2002) mandates the implementation of risk assessments, internal controls and audit procedures. This act is not for any specific entity. The Federal Information Security Management Act (2002) governs the security of data processed by federal government agencies. This act requires agencies to implement an information security program. The Gramm-Leach-Bliley Act (1999) is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information.

Answer 35

D NIST defines vulnerability as a weakness that could be triggered accidentally or exploited intentionally to cause a security breach. In addition to delays in applying patches, other examples of vulnerabilities include improperly installed hardware, untested software, and inadequate physical security. Control is a system or procedure put in place to mitigate a risk. An example of control is policies or network monitoring to identify unauthorized software. Risk is the likelihood and impact of a threat actor exercising a vulnerability. Threat is the potential for a threat agent to exercise a vulnerability.

Answer 36

C Deep web is any part of the World Wide Web that is not indexed by a search engine. Examples include pages that require registration, unlinked pages, and pages using nonstandard DNS. A dark net is deliberately concealed and is an overlay to internet infrastructure. A dark net is one type of deep web. Cyber threat actors use deep web pages to communicate and exchange information without detection. This is accomplished using deep web. Dark web are sites, content, and services that are accessible only over a dark net.

Answer 37

AB Anyone who has or had authorized access to an organization’s network, system, or data is considered an insider threat. In this example, a former employee and a contractor fit the criteria. Current employees, business partners, and contractors also qualify as insider threats. A customer does not have authorized access and is unlikely to be affiliated with an organization’s staff. A white box hacker is given complete access to information about the network, which is useful for simulating the behavior of a privileged insider threat, but they are not an insider threat.

Answer 38

C The TAXII protocol provides a means for transmitting CTI data between servers and clients. Subscribers to the CTI service obtain updates to the data to load into analysis tools over TAXII. While STIX provides the syntax for describing CTI, the TAXII protocol transmits CTI data between servers and clients. The Department of Homeland Security's (DHS) Automated Indicator Sharing (AIS) is especially aimed at Information Sharing and Analysis Centers (ISACs), but private companies can join too. AIS is based on the STIX and TAXII standards and protocols. A file/code repository holds signatures of known malware code. P39 Threat Data Feeds When you use a cyber threat intelligence (CTI) platform, you subscribe to a threat data feed. The information in the threat data can be combined with event data from your own network and system logs. An analysis platform performs correlation to detect whether any IoCs are present. There are various ways that a threat data feed can be implemented. Structured Threat Information eXpression (STIX) The OASIS CTI framework (oasis-open.github.io/cti-documentation) is designed to provide a format for this type of automated feed so that organizations can share CTI. The Structured Threat Information eXpression (STIX)part of the framework describes standard terminology for IoCs and ways of indicating relationships between them. Where STIX provides the syntax for describing CTI, the Trusted Automated eXchange of Indicator Information (TAXII)protocol provides a means for transmitting CTI data between servers and clients. For example, a CTI service provider would maintain a repository of CTI data. Subscribers to the service obtain updates to the data to load into analysis tools over TAXII. This data can be requested by the client (referred to as a collection), or the data can be pushed to subscribers (referred to as a channel). Automated Indicator Sharing (AIS) Automated Indicator Sharing (AIS)is a service offered by the Department of Homeland Security (DHS) for companies to participate in threat intelligence sharing (us-cert.gov/ais). It is especially aimed at ISACs, but private companies can join too. AIS is based on the STIX and TAXII standards and protocols.

Answer 39

ABD(?AD? Wireshark and tcdump are packet sniffers. A sniffer is a tool that captures packets, or frames, moving over a network. Wireshark is an open source graphical packet capture and analysis utility. Wireshark works with most operating systems, where tcpdump is a command line packet capture utility for Linux. A packet analyzer works in conjunction with a sniffer to perform traffic analysis. Protocol analyzers can decode a captured frame to reveal its contents in a readable format, but they do not capture packets. A packet injection involves sending forged or spoofed network traffic by inserting (or injecting) frames into the network stream. Packets are not captured with packet injection. P53 A protocol analyzer (or packet analyzer) works in conjunction with a sniffer to perform traffic analysis. You can either analyze a live capture or open a saved capture (.pcap) file. Protocol analyzers can decode a captured frame to reveal its contents in a readable format. You can choose to view a summary of the frame or choose a more detailed view that provides information on the OSI layer, protocol, function, and data. Wireshark(wireshark.org) is an open-source graphical packet capture and analysis utility, with installer packages for most operating systems. Having chosen the interface to listen on, the output is displayed in a three-pane view. The packet list pane shows a scrolling summary of frames. The packet details pane shows expandable fields in the frame currently selected from the packet list. The packet bytes pane shows the raw data from the frame in hex and ASCII. Wireshark is capable of parsing (interpreting) the headers and payloads of hundreds of network protocols.

Answer 40

A A zero-day vulnerability is exploited before the developer knows about it or can release a patch. These can be extremely destructive, as it can take the vendor some time to develop a patch, leaving systems vulnerable in the interim. A legacy platform is no longer supported with security patches by its developer or vendor. By definition, legacy platforms are not patchable. Legacy systems are highly likely to be vulnerable to exploits and must be protected by security controls other than patching, such as isolating them to networks that an attacker cannot physically connect to. Even if effective patch management procedures are in place, attackers may still be able to use zero-day software vulnerabilities, before a vendor develops a patch.

Answer 41

AB Weaknesses in products or services in a supply chain can impact service availability and performance, or lead to data breaches. Suppliers and vendors in the chain rely on each other to perform due diligence. Relying on the manufacturer default settings when deploying an appliance or software applications is a weak configuration. Although many vendors ship products in secure default configurations, it is insufficient to rely on default settings. Default settings may leave unsecure interfaces enabled that allow an attacker to compromise the device. Weak settings on network appliances can allow attackers to move through the network unhindered and snoop on traffic. An unsecure protocol transfers data as cleartext. It does not use encryption for data protection.

Answer 42

BD Non-credentialed scanning is often the most appropriate technique for external assessment of the network perimeter or when performing web application scanning. A non-credentialed scan proceeds by directing test packets at a host without being able to log on to the OS or application. A non-credentialed scan provides a view of what the host exposes to an unprivileged user on the network. A passive scan has the least impact on the network and on hosts but is less likely to identify vulnerabilities comprehensively. Configuration reviews investigate how system misconfigurations make controls less effective or ineffective, such as antivirus software not being updated, or management passwords left configured to the default. Configuration reviews generally require a credentialed scan. P71 Credentialed versus Non-Credentialed Scanning A non-credentialed scan is one that proceeds by directing test packets at a host without being able to log on to the OS or application. The view obtained is the one that the host exposes to an unprivileged user on the network. The test routines may be able to include things such as using default passwords for service accounts and device management interfaces, but they are not given privileged access. While you may discover more weaknesses with a credentialed scan, you sometimes will want to narrow your focus to think like an attacker who doesn't have specific high-level permissions or total administrative access. Non-credentialed scanning is often the most appropriate technique for external assessment of the network perimeter or when performing web application scanning. A credentialed scan is given a user account with log-on rights to various hosts, plus whatever other permissions are appropriate for the testing routines. This sort of test allows much more in-depth analysis, especially in detecting when applications or security settings may be misconfigured. It also shows what an insider attack, or one where the attacker has compromised a user account, may be able to achieve. A credentialed scan is a more intrusive type of scan than non-credentialed scanning.

Answer 43

AD Two penetration test steps are being utilized by actively testing security controls and exploiting the vulnerabilities. Identifying weak passwords is actively testing security controls. In addition, exploiting vulnerabilities is being used by proving that a vulnerability is high risk. The list of critical data obtained will prove that the weak passwords can allow access to critical information. Bypassing security controls can be accomplished by going around controls that are already in place to gain access. Verifying that a threat exists would have consisted of using surveillance, social engineering, network scanners, and/or vulnerability assessment tools to identify vulnerabilities.

Answer 44

B(這題很爛，他在講PT，但混入cyber kill chain) Persistence refers to the hacker’s ability to reconnect to the compromised host and use it as a Remote Access Tool (RAT) or backdoor. To do this, the hacker must establish a Command and Control (C2 or C&C) network. Weaponization is an exploit used to gain some sort of access to a target's network, but it doesn't involve being able to reconnect. Reconnaissance is the process of gathering information, it is not related to Command and Control networks. Pivoting follows persistence. It involves a system and/or set of privileges that allow the hacker to compromise other network systems (lateral spread). The hacker likely has to find some way of escalating the privileges available to him/her. P80 Pen Test Attack Life Cycle In the kill chain attack life cycle, reconnaissance is followed by an initial exploitation phase where a software tool is used to gain some sort of access to the target's network. This foothold might be accomplished using a phishing email and payload or by obtaining credentials via social engineering. Having gained the foothold, the pen tester can then set about securing and widening access. A number of techniques are required: • Persistence—the tester's ability to reconnect to the compromised host and use it as a remote access tool (RAT) or backdoor. To do this, the tester must establish a command and control (C2 or C&C) network to use to control the compromised host, upload additional attack tools, and download exfiltrated data. The connection to the compromised host will typically require a malware executable to run after shut down/log off events and a connection to a network port and the attacker's IP address to be available. • Privilege escalation—persistence is followed by further reconnaissance, where the pen tester attempts to map out the internal network and discover the services running on it and accounts configured to access it. Moving within the network or accessing data assets are likely to require higher privilege levels. For example, the original malware may have run with local administrator privileges on a client workstation or as the Apache user on a web server. Another exploit might allow malware to execute with system/root privileges, or to use network administrator privileges on other hosts, such as application servers. • Lateral movement—gaining control over other hosts. This is done partly to discover more opportunities to widen access (harvesting credentials, detecting software vulnerabilities, and gathering other such "loot"), partly to identify where valuable data assets might be located, and partly to evade detection. Lateral movement usually involves executing the attack tools over remote process shares or using scripting tools, such as PowerShell. • Pivoting—hosts that hold the most valuable data are not normally able to access external networks directly. If the pen tester achieves a foothold on a perimeter server, a pivot allows them to bypass a network boundary and compromise servers on an inside network. A pivot is normally accomplished using remote access and tunneling protocols, such as Secure Shell (SSH), virtual private networking (VPN), or remote desktop. • Actions on Objectives—for a threat actor, this means stealing data from one or more systems (data exfiltration). From the perspective of a pen tester, it would be a matter of the scope definition whether this would be attempted. In most cases, it is usually sufficient to show that actions on objectives could be achieved. • Cleanup—for a threat actor, this means removing evidence of the attack, or at least evidence that could implicate the threat actor. For a pen tester, this phase means removing any backdoors or tools and ensuring that the system is not less secure than the pre-engagement state. P470 The Lockheed Martin kill chain identifies the following phases: 1. Reconnaissance—in this stage the attacker determines what methods to use to complete the phases of the attack and gathers information about the target's personnel, computer systems, and supply chain. 2. Weaponization—the attacker couples payload code that will enable access with exploit code that will use a vulnerability to execute on the target system. 3. Delivery—the attacker identifies a vector by which to transmit the weaponized code to the target environment, such as via an email attachment or on a USB drive. 4. Exploitation—the weaponized code is executed on the target system by this mechanism. For example, a phishing email may trick the user into running the code, while a drive-by-download would execute on a vulnerable system without user intervention. 5. Installation—this mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system. 6. Command and control (C2 or C&C)—the weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack. 7. Actions on objectives—in this phase, the attacker typically uses the access he has achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration). An attacker may have other goals or motives, however.

Answer 45

B Consensus/social proof revolves around the belief that without an explicit instruction to behave in a certain way, people will follow social norms. It is typically polite to assist someone with their hands full. Familiarity/Liking is when an attacker uses charisma to persuade others to do as requested. They downplay their requests to make it seem like their request is not out of the ordinary. Authority and Intimidation can be used by an attacker by pretending to be someone senior. The person receiving the request would feel the need to take action quickly and without questioning the attacker. Identity fraud is a specific type of impersonation where the attacker uses specific details (such as personal information) of someone's identity. P85 Consensus/Social Proof The principle of consensusor social proofrefers to the fact that without an explicit instruction to behave in a certain way, many people will act just as they think others would act. A social engineering attack can use this instinct either to persuade the target that to refuse a request would be odd ("That's not something anyone else has ever said no to") or to exploit polite behavior to slip into a building while someone holds the door for them. As another example, an attacker may be able to fool a user into believing that a malicious website is actually legitimate by posting numerous fake reviews and testimonials praising the site. The victim, believing many different people have judged the site acceptable, takes this as evidence of the site's legitimacy and places their trust in it.

Answer 46

C A rootkit is characterized by its ability to hide itself by changing core system files and programming interfaces and to escalate privileges. The gaming company accomplished this. Spyware monitors user activity and may be installed with or without the user's knowledge, but it cannot gain administrative privileges or hide itself. A keylogger is also a type of spyware that records a user’s keystrokes. It occurs without a user’s knowledge, but it cannot hide itself or gain privileges. Trojans cannot conceal their presence entirely and will surface as a running process or service. While a rootkit is a type of Trojan or spyware, it differs in its ability to hide itself.

Answer 47

BC Both a program and script virus can use a PDF as a vector. The user stated that a PDF file was recently opened. A program virus is executed when an application is executed. Executable objects can also be embedded or attached within other file types such as Microsoft Word and Rich Text Format. A script virus typically targets vulnerabilities in an interpreter. Scripts are powerful languages used to automate operating system functions and add interactivity to web pages and are executed by an interpreter rather than self-executing. PDF documents have become a popular vector for script viruses. A boot sector virus is one that attacks the disk boot sector information, the partition table, and sometimes the file system. A macro virus uses the programming features available in Microsoft Office documents. P93 A computer virusis a type of malware designed to replicate and spread from computer to computer, usually by "infecting" executable applications or program code. There are several different types of viruses and they are generally classified by the different types of file or media that they infect: • Non-resident/file infector—the virus is contained within a host executable file and runs with the host process. The virus will try to infect other process images on persistent storage and perform other payload actions. It then passes control back to the host program. • Memory resident—when the host file is executed, the virus creates a new process for itself in memory. The malicious processremains in memory, even if the host process is terminated. • Boot—the virus code is written to the disk boot sector or the partition table of a fixed disk or USB media, and executes as a memory resident process when the OS starts or the media is attached to the computer. • Script and macro viruses—the malware uses the programming features available in local scripting engines for the OS and/or browser, such as PowerShell, Windows Management Instrumentation (WMI), JavaScript, Microsoft Office documents with Visual Basic for Applications (VBA) code enabled, or PDF documents with JavaScript enabled.

Answer 48

C這是課本定義 Security through obscurity involves keeping something a secret by hiding it. With cryptography, messages do not need to be hidden since they are not understandable unless decrypted. Non-repudiation is when the sender cannot deny sending the message. If the message has been encrypted in a way known only to the sender, logic follows the sender must have composed it. Obfuscation is the art of making a message difficult to understand. Cryptography is a very effective way of obfuscating a message by encrypting it. Resiliency occurs when the compromise of a small part of the system is prevented from allowing compromise of the whole system. Cryptography ensures the authentication and integrity of messages delivered over the control system. P106 Security through obscurity involves keeping something a secret by hiding it. With cryptography, messages do not need to be hidden since they are not understandable unless decrypted. Non-repudiation is when the sender cannot deny sending the message. If the message has been encrypted in a way known only to the sender, logic follows the sender must have composed it. Obfuscation is the art of making a message difficult to understand. Cryptography is a very effective way of obfuscating a message by encrypting it. Resiliency occurs when the compromise of a small part of the system is prevented from allowing compromise of the whole system. Cryptography ensures the authentication and integrity of messages delivered over the control system. P609 2. How can cryptography support high resiliency? A complex system might have to support many inputs from devices installed to potentially unsecure locations. Such a system is resilient if compromise of a small part of the system is prevented from allowing compromise of the whole system. Cryptography assists this goal by ensuring the authentication and integrity of messages delivered over the control system.

Answer 49

``` B Counter Mode (CTR) and Galois/Counter Mode (GCM) combine each block with a counter value. This allows each block to be processed individually and in parallel, improving performance. ``` Electronic Code Book (ECB) mode applies the same key to each plaintext block, which means identical plaintext blocks can output identical ciphertexts. This is not how a stream cipher behaves. Counter Mode (CTR) and Galois/Counter Mode (GCM) allow block ciphers to behave like stream ciphers, which are faster than block ciphers. Cipher Block Chaining (CBC) mode applies an Initialization Vector (IV) to the first plaintext block to ensure that the key produces a unique ciphertext from any given plaintext and repeating as a “chain.” This is not how a stream cipher behaves. P648 GCM (Galois/Counter Mode)A mode of block chained encryption that provides message authenticity for each block. P110 Stream Ciphers In a stream cipher, each byte or bit of data in the plaintext is encrypted one at a time. This is suitable for encrypting communications where the total length of the message is not known. The plaintext is combined with a separate randomly generated message, calculated from the key and an initialization vector (IV). The IV ensures the key produces a unique ciphertext from the same plaintext. The keystream must be unique, so an IV must not be reused with the same key. The recipient must be able to generate the same keystream as the sender and the streams must be synchronized. Stream ciphers might use markers to allow for synchronization and retransmission. Some types of stream ciphers are made self-synchronizing. Block Ciphers In a block cipher, the plaintext is divided into equal-size blocks (usually 128-bit). If there is not enough data in the plaintext, it is padded to the correct size using some string defined in the algorithm. For example, a 1200-bit plaintext would be padded with an extra 80 bits to fit into 10 x 128-bit blocks. Each block is then subjected to complex transposition and substitution operations, based on the value of the key used. The Advanced Encryption Standard (AES)is the default symmetric encryption cipher for most products. Basic AES has a key size of 128 bits, but the most widely used variant is AES256, with a 256-bit key.

Answer 50

C Some technologies or ciphers configured with longer keys require more processing cycles and memory space, which makes them slower and consume more power. This makes them unsuitable for handheld devices and embedded systems that work on battery power. Speed is most impactful when processing large amounts of data. For some use cases, the time required to obtain a result is more important than a data rate. Latency issues may negatively affect performance when an operation or application times out before the authentication handshake. Cost issues may arise in any decision-making process, but for mobile device cryptography, computing overhead is a primary limiting factor. P123 Differences between ciphers make them more or less useful for resource-constrained environments. The main performance factors are as follows: • Speed—for symmetric ciphers and hash functions, speedis the amount of data per second that can be processed. Asymmetric ciphers are measured by operations per second. Speed has the most impact when large amounts of data are processed. • Time/latency—for some use cases, the time required to obtain a result is more important than a data rate. For example, when a secure protocol depends on ciphers in the handshake phase, no data transport can take place until the handshake is complete. This latency, measured in milliseconds, can be critical to performance. • Size—the security of a cipher is strongly related to the size of the key, with longer keys providing better security. Note that the key size cannot be used to make comparisons between algorithms. For example, a 256-bit ECC key is stronger than a 2048-bit RSA key. Larger keys will increase the computational overhead for each operation, reducing speed and increasing latency. • Computational overheads—in addition to key size selection, different ciphers have unique performance characteristics. Some ciphers require more CPU and memory resources than others, and are less suited to use in a resource-constrained environment.

Answer 51

``` A A cryptanalyst can test for the presence of common factors and derive the whole key much more easily. The TRNG or PRNG module in the cryptographic implementation is critical to its strength. ``` Predictability is a weakness in either the cipher operation or within particular key values that make a ciphertext more vulnerable to cryptanalysis. Reuse of the same key within the same session can cause this weakness. The principal characteristic of a nonce is that it is never reused ("number used once") within the same key value. A nonce can be a random, pseudo-random, or counter value. Salt is a random or pseudo-random number or string. The term salt is used specifically in conjunction with hashing password values.

Answer 52

C To protect against the birthday attack, encryption algorithms must demonstrate collision avoidance (that is, to reduce the chance that different inputs will produce the same output). Key stretching takes a key that is generated from a user password and repeatedly converts it to a longer and more random key. The initial key may be put through thousands of rounds of hashing to slow down potential attackers. Securely authenticating public keys, such as associating the keys with certificates, helps protect against man-in-the-middle attacks. Passwords stored as hashes are vulnerable to brute force and dictionary attacks. Adding salt values when creating hashes can slow down both of these attacks. P127 A birthday attackis a type of brute force attack aimed at exploiting collisions in hash functions. A collisionis where a function produces the same hash value for two different plaintexts. This type of attack can be used for the purpose of forging a digital signature.

Answer 53

A Presently, the most powerful quantum computers have about 50 qubits. A quantum computer will need about a million qubits to run useful applications. Quantum computing could put the strength of current cryptographic ciphers at risk, but it also has the promise of underpinning more secure cryptosystems in the future. Cryptographic agility refers to an organization's ability to update the specific algorithms used in security products without affecting the business workflows that those products support. Quantum computing could pose a threat to cryptographic agility. Steganography obscures the presence of a message and can be used for data exfiltration. The quantum computing properties of entanglement, superposition, and collapse suit the design of a tamper-evident communication system that would allow secure key agreement. P130 Quantum and Post-Quantum Quantumrefers to computers that use properties of quantum mechanics to significantly out-perform classical computers at certain tasks. Computing A quantum computer performs processing on units called qubits(quantum bits). A qubit can be set to 0 or 1 or an indeterminate state called a superposition,where there is a probability of it being either 1 or 0. The likelihood can be balanced 50/50 or can be weighted either way. The power of quantum computing comes from the fact that qubits can be entangled. When the value of a qubit is read, it collapses to either 1 or 0, and all other entangled qubits collapse at the same time. The strength of this architecture is that a single operation can utilize huge numbers of state variables represented as qubits, while a classical computer's CPU must go through a read, execute, write cycle for each bit of memory. This makes quantum very well-suited to solving certain tasks, two of which are the factoring problem that underpins RSA encryption and the discrete algorithm problem that underpins ECC. Communications While quantum computing could put the strength of current cryptographic ciphers at risk, it also has the promise of underpinning more secure cryptosystems. The properties of entanglement, superposition, and collapse suit the design of a tamperevident communication system that would allow secure key agreement. Post-Quantum Post-quantumrefers to the expected state of computing when quantum computers that can perform useful tasks are a reality. Currently, the physical properties of qubits and entanglement make quantum computers very hard to scale up. At the time of writing, the most powerful quantum computers have about 50 qubits. A quantum computer will need about a million qubits to run useful applications. No one can predict with certainty if or when such a computer will be implemented. In the meantime, NIST is running a project to develop cryptographic ciphers that are resistant to cracking even by quantum computers.

Answer 54

D Homomorphic encryption is used to share privacy-sensitive data sets. It allows a recipient to perform statistical calculations on data fields, while keeping the data set as a whole encrypted, thus preserving patient privacy. Blockchain uses cryptography to secure an expanding list of transactional records. Each record, or block, goes through a hash function. Each block’s hash value links to the hash value of the previous block. Quantum computing could serve as a secure foundation for secure cryptosystems and tamper-evident communication systems that would allow secure key agreement. Perfect forward security (PFS) mitigates the risks from RSA key exchanges through the use of ephemeral session keys to maintain confidentiality. P131

Answer 55

AD When used to conceal information, steganography amounts to "security by obscurity," which is usually deprecated. A message can be encrypted by some mechanism before embedding it in a covertext, providing confidentiality. Steganography technology can also provide integrity or non-repudiation; for example, it can show that something was printed on a particular device at a particular time, which could demonstrate that it was genuine or a fake. A phishing or hoax email can be made more convincing by using prepending. In an offensive sense, prepending means adding text that appears legitimate and to have been generated by the mail system such as "MAILSAFE:PASSED."

Answer 56

B Verification is not a stage in a key’s life cycle. It is part of the software development life cycle. The stages are: key generation, certificate generation, storage, revocation, and expiration and renewal. Storage is the stage where a user must take steps to store the private key securely. It is also important to ensure that the private key is not lost or damaged. The expiration and renewal stage addresses that a key pair expires after a certain period. Giving the key a "shelf-life" increases security. Certificates can be renewed with new key material. Revocation is the stage that concerns itself with the event of a private key being compromised; it can be revoked before it expires. P147 Key managementrefers to operational considerations for the various stages in a key's life cycle. A key's life cycle may involve the following stages: • Key generation—creating a secure key pair of the required strength, using the chosen cipher. • Certificate generation—to identify the public part of a key pair as belonging to a subject (user or computer), the subject submits it for signing by the CA as a digital certificate with the appropriate key usage. At this point, it is critical to verify the identity of the subject requesting the certificate and only issue it if the subject passes identity checks. • Storage—the user must take steps to store the private key securely, ensuring that unauthorized access and use is prevented. It is also important to ensure that the private key is not lost or damaged. • Revocation—if a private key is compromised, the key pair can be revoked to prevent users from trusting the public key. • Expiration and renewal—a key pair that has not been revoked expires after a certain period. Giving the key or certificate a "shelf-life" increases security. Certificates can be renewed with new key material.

Answer 57

C The Signature Algorithm field provides the algorithm used by the CA to sign the certificate. The signature algorithm is used to assert the identity of the server's public key and facilitate authentication. The Version field provides which X.509 version is supported (V1, V2, or V3). The Issuer field provides the name of the CA, expressed as a Distinguished Name (DN). The Subject field gives the name of the certificate holder, expressed as a distinguished name (DN). Within this, the common name (CN) part should usually match either the fully qualified domain name (FQDN) of the server or a user email address.

Answer 58

B Extensions allow for extra information to be included about the certificate. A Critical section is available and is a Boolean value that indicates if the section is critical. By making the Extended Key Usage (EKU) field critical the certificate will only work for VPN. The "true" option will only allow VPN while "false" will not block the certificate for other uses. The Extension ID (extnID) is expressed as an OID. The Value (extnValue) is a string value of the extension. Distinguished Encoding Rules (DER) are what certificates use to encode a certificate as a digital file for exchange between different systems.

Answer 59

B The first step is to recover any data encrypted with the key so the data can be decrypted. Once the data is recovered, the key can be revoked and an administrator can issue a new key pair. After the data has been recovered, the keys should be revoked. They are compromised and should not be used for any future tasks. After the compromised keys are revoked, the user can be issued new keys. The user requires two sets of keys, one for encrypting messages and the other for digitally signing documents. Certificate generation is used to identify the public part of a key pair as belonging to a subject and will occur after the user’s new keys have been generated.

Answer 60

B A correct configuration for an M-of-N control is M=3 and N=5. M stands for the number of authorized administrators that must be present to access the critical encryption keys and N is the total number of authorized administrators. In this scenario, 3 of the 5 administrators must be present for access. M is always greater than 1 for this type of configuration making M=1 and N=5 not a valid choice. If only 1 administrator must be present, this configuration would be unnecessary. M=6 and N=5 is not possible as this configuration is asking for more administrators to be present than is authorized. The final option of M=0 is not viable because M must always equal more than 1.

Answer 61

A One or two hours over the publish period is considered normal thus making 26 hours within the window. The validity period is the period during which the CRL is considered authoritative. This is usually a bit longer than the publish period, giving a short window to update and keep the CRL authoritative. The validity period would not be less than the publish period as it would make the CRL nonauthoritative prior to the next publishing. If the validity period was set to 72 hours this would be much too long after the publish period. The CRL would be published two additional times prior to the validity period ending.

Answer 62

C Identification controls are set to ensure that customers are legitimate. An example is to ensure that billing and primary delivery addresses match. Authentication controls are to ensure that customers have unique accounts, and that only they can manage their orders and billing information. An example is to require each customer create an account prior to allowing them to store billing or shipping information. Authorization controls are to ensure customers can only place orders when they have valid payment information in place prior to completing an order. Accounting controls include maintaining a record of each action taken by a customer to ensure that they cannot deny placing an order. Records may include order details, date, time, and IP address information.

Answer 63

C Restricting logons can become a vulnerability by exposing a user to Denial of Service (DoS) attacks. The attacker keeps trying to authenticate, locking out valid users. In a replay attack, an intercepted key or password hash is reused to gain access to a resource. This is prevented with once-only tokens or timestamping, not restricting logon attempts. A brute force attack is where an attacker uses an application to exhaustively try every possible alphanumeric combination to crack encrypted passwords. Restricting logon attempts is a way to mitigate this threat, not be vulnerable to it. In an offline attack, a password cracker works on a downloaded password database without having to interact with the authentication system. It is unrelated to logon attempts.

Answer 64

AB The Authentication Service (AS) is responsible for authenticating user logon requests. The first step within AS is when the client sends the AS a request for a Ticket Granting Ticket (TGT). This is composed by encrypting the date and time on the local computer with the user's password hash as a key. The Ticket Granting Ticket (TGT) contains information about the client and includes a timestamp and validity period. The information is encrypted using the KDC's secret key. This occurs after the user is found in the database and the request is valid. The AS does not respond back with a TGT key but with a Ticket Granting Service (TGS) key that is used in communications between the client and the TGS. The TGS is the service that responds with a service session key for use between the client and the application server. P165

Answer 65

AC Inputting a correct PIN authorizes the smart card's cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request to an Authentication Server (AS). The AS can place trust when the user's certificate is issued by a local or third-party root certification authority. An AS responds with a TGT and Ticket Granting Service (TGS) session key, not the smart card. An AS would be able to decrypt the request because it has a matching public key and trusts the user's smart-card certificate.

Answer 66

BCD RADIUS uses UDP over ports 1812 and 1813 and TACACS+ uses TCP on port 49. TACACS+ encrypts the whole packet (except the header, which identifies the packet as TACACS+ data) and RADIUS only encrypts the password portion of the packet using MD5. RADIUS is primarily used for network access for a remote user and TACACS+ is primarily used for device administration. TACACS+ provides centralized control for administrators to manage routers, switches, and firewall appliances, as well as user privileges. RADIUS is an open-source protocol, not TACACS+. TACACS+ is a Cisco proprietary protocol.

Answer 67

A Where EAP provides the authentication mechanisms, the IEEE 802.1X Port-based Network Access Control (NAC) protocol provides the means of using an EAP method when a device connects to a VPN gateway. Kerberos is designed to work over a trusted local network. Several authentication protocols have been developed to work with remote access protocols, where the connection is made over a serial link or virtual private network (VPN). TACACS+ uses TCP communications. Authentication, authorization, and accounting (AAA) functions within TACACS+ are discrete. With authentication, authorization, and accounting (AAA), the network access server (NAS) devices (RADIUS or TACACS+) do not have to store any authentication credentials. They forward this data between the AAA server and the supplicant. P175 Extensible Authentication Protocol/IEEE 802.1X The smart-card authentication process described earlier is used for Kerberos authentication where the computer is attached to the local network and the user is logging on to Windows. Authentication may also be required in other contexts: • When the user is accessing a wireless network and needs to authenticate with the network database. • When a device is connecting to a network via a switch and network policies require the user to be authenticated before the device is allowed to communicate. • When the user is connecting to the network over a public network via a virtual private network (VPN). In these scenarios, the Extensible Authentication Protocol (EAP)provides a framework for deploying multiple types of authentication protocols and technologies. EAP allows lots of different authentication methods, but many of them use a digital certificate on the server and/or client machines. This allows the machines to establish a trust relationship and create a secure tunnel to transmit the user credential or to perform smart-card authentication without a user password. Where EAP provides the authentication mechanisms, the IEEE 802.1XPort-based Network Access Control (NAC) protocol provides the means of using an EAP method when a device connects to an Ethernet switch port, wireless access point (with enterprise authentication configured), or VPN gateway. 802.1X uses authentication, authorization, and accounting (AAA) architecture: • Supplicant—the device requesting access, such as a user's PC or laptop. • Network access server (NAS)—edge network appliances, such as switches, access points, and VPN gateways. These are also referred to as RADIUS clientsor authenticators. • AAA server—the authentication server, positioned within the local network. With AAA, the NAS devices do not have to store any authentication credentials. They forward this data between the AAA server and the supplicant. There are two main types of AAA server: RADIUS and TACACS+.

Answer 68

``` B A sensor module acquires the biometric sample from the target. Examples of a sensor module can be a fingerprint scanner or retina scanner. ``` One problem that biometric cryptosystems is the lack of revocability. A legitimate person will almost always have the same template (fingerprint, retina, etc). If a company is using a smart card and it is compromised, the card is revoked and reissued. The same cannot be done for biometric cryptosystems. A feature extraction module records the significant information from the sample. This record would include the fingerprint that was scanned when authentication was requested. A sensor module acquires the biometric sample from the target.

Answer 69

AD Behavioral technologies are sometimes classified as "something you do." These technologies often have a lower cost to implement than other types of biometric cryptosystems, but they have a higher error rate. Typing is used as a behavioral technology, and the template is based on the speed and pattern of a user's input of a passphrase. Signature recognition is not based on the actual signature due to it being easy to replicate. Instead, it is based on the process of applying a signature such as stroke, speed, and pressure of the stylus. Obtaining a voice recognition template is not a fast process, and can be difficult. Background noise and other environmental factors can also interfere with authentication.

Answer 70

C The integrity of the information on the network (write access) is also a concern. Only users who have write access are able to modify a file. Non-repudiation means a subject cannot deny doing something, such as creating, modifying, or sending a resource. It is not a consideration for managing privileges and authorization. Confidentiality of the information on the network (read access) is a concern. A user may be able to view a file, but not read it. Another concern is Denial of Service (DoS), a network-based attack that consumes the network's bandwidth to disable the directory server.

Answer 71

A Group memberships of an authenticated user are on the access key and also contains the user's username. The system provides the access key upon authentication, and the user has access to all of the allowed resources. A security database holds authentication data for users and compares this information with the supplied authentication data from the user. If the supplied data and the data within the security database match, then the system has authenticated the user, and the security database generates an access key. An Access Control List (ACL) controls access to resources. The ACL contains entries for all usernames and groups that have permission to use the resource. A directory is like a database, such as an object is like a record, and the attributes known about the object are like fields.

Answer 72

AB One recommended guideline is implementing the principle of least privilege when assigning user and group account access. This involves assigning no more than the minimum sufficient permissions to perform the relevant job function. Another recommended guideline is drafting a password policy and including requirements to ensure strong passwords, such as minimum password length, requiring complex passwords, requiring periodic password changes, and placing limits on password reuse. Identifying group or role account types, and how admin or systems will allocate them to users, is a recommended guideline for Access Management Control, not Account Management. Identifying user account types to implement within the model, such as standard users and types of privileged users, is a recommended guideline for Access Management Control.

Answer 73

C The System account, not the Local Service account, creates the host processes that start Windows before the user logs on. The Network Service account and the Local Service account have the same privileges as the standard user account. Standard users have limited privileges, typically with access to run programs, create, and modify files only belonging to their profile. Any process created using the System account will have full privileges over the local computer. The System account has the most privileges of any Windows account. The Local Service account can only access network resources as an anonymous user, unlike a Network Service account. Network Service accounts can present the computer's account credentials when accessing network resources.

Answer 74

B Usage auditing refers to configuring the security log to record key indicators and then reviewing the logs for suspicious activity. Behavior recorded by event logs that differs from expected behavior may indicate everything from a minor security infraction to a major incident. The systems administrator puts in place permission auditing to review privileges regularly. This includes monitoring group membership and access control lists for each resource plus identifying and disabling unnecessary accounts. An information security audit measures how the organization's security policy is employed and determines how secure the network or site is that is being audited. A compliance audit reviews a company's policies and procedures and determines if it is in compliance with regulatory guidelines.

Answer 75

ABC Security Assertion Markup Language (SAML) is an identity federation format used to exchange authentication information between the principle, the service provider, and the identity provider. Authentication and authorization for a RESTful API is often implemented using the Open Authorization (OAuth) protocol. OpenID is an identity federation method enabling users authentication on cooperating websites by a third-party authentication service. Lightweight Directory Access Protocol (LDAP) is not an identity federation. It is a network protocol used to access network directory databases storing information about authorized users and their privileges, as well as other organizational information.

Answer 76

B A distinguished name is a unique identifier for any given resource within an X.500-like directory and made up of attribute=value pairs, separated by commas. The most specific attribute lists first, and then successive attributes become progressively broader. Also referred to as the relative distinguished name, the most specific attribute (in this case, system1) uniquely identifies the object within the context of successive attribute values. The directory schema describes the types of attributes, what information they contain, and the way attributes define object types. Some of the attributes commonly used include Common Name (CN), Organizational Unit (OU), Organization (O), Country (C), and Domain Component (DC). In this scenario, CN=system1 is the Common Name, CN=User is the broader common name, OU=Univ is the Organizational Unit, and DC=local is the Domain Component. This goes in order of a specific system to the broadest Domain Component. P213 Directory servicesare the principal means of providing privilege management and authorization on an enterprise network, storing information about users, computers, security groups/roles, and services. A directory is like a database, where an object is like a record, and things that you know about the object (attributes) are like fields. In order for products from different vendors to be interoperable, most directories are based on the same standard. The Lightweight Directory Access Protocol (LDAP) is a protocol widely used to query and update X.500 format directories. A distinguished name (DN) is a unique identifier for any given resource within an X.500-like directory. A distinguished name is made up of attribute=value pairs, separated by commas. The most specific attribute is listed first, and successive attributes become progressively broader. This most specific attribute is also referred to as the relative distinguished name, as it uniquely identifies the object within the context of successive (parent) attribute values. The types of attributes, what information they contain, and the way object types are defined through attributes (some of which may be required, and some optional) is described by the directory schema. Some of the attributes commonly used include common name (CN), organizational unit (OU), organization (O), country (C), and domain component (DC). For example, the distinguished name of a web server operated by Widget in the UK might be: CN=WIDGETWEB, OU=Marketing, O=Widget, C=UK, DC=widget, DC=foo

Answer 77

``` BD Organizational Units (OUs) represent administrative boundaries. They allow the enterprise administrator to delegate administrative responsibility for users and resources in different locations or departments. An OU grouped by location will be sufficient if different IT departments are responsible for services in different geographic locations. An OU grouped by department is more applicable if different IT departments are responsible for supporting different business functions. ``` Within each root-level parent OU, use separate child OUs for different types of objects such as servers, client systems, users and groups. Be consistent. Do not create too many root-level containers or nest containers too deeply. They should not be more than five levels. Separate administrative user and group accounts from standard ones.

Answer 78

AB Capture the Flag (CTF) is usually used in ethical hacker training programs and gamified competitions. Participants complete a series of challenges within a virtualized computing environment to discover a flag that represents a vulnerability or attack to overcome. Computer-based training (CBT) allows a student to acquire skills and experience by completing practical simulations or branching choice scenarios. CBT might use video game elements to improve engagement. A phishing campaign training event means sending simulated phishing messages to users. Users that respond to the messages can be targeted for follow-up training. Staff training should focus on user roles, which require different levels of security training, education, or awareness. P211 Phishing Campaigns A phishing campaign training event means sending simulated phishing messages to users. Users that respond to the messages can be targeted for follow-up training. Capture the Flag Capture the Flag (CTF)is usually used in ethical hacker training programs and gamified competitions. Participants must complete a series of challenges within a virtualized computing environment to discover a flag. The flag will represent either threat actor activity (for blue team exercises) or a vulnerability (for red team exercises) and the participant must use analysis and appropriate tools to discover it. Capturing the flag allows the user to progress to the next level and start a new challenge. Once the participant has passed the introductory levels, they will join a team and participate in a competitive event, where there are multiple flags embedded in the environment and capturing them wins points for the participant and for their team. Computer-Based Training and Gamification Participants respond well to the competitive challenge of CTF events. This type of gamification can be used to boost security awareness for other roles too. Computerbased training (CBT)allows a student to acquire skills and experience by completing various types of practical activities: • Simulations—recreating system interfaces or using emulators so students can practice configuration tasks. • Branching scenarios—students choose between options to find the best choices to solve a cybersecurity incident or configuration problem. CBT might use video game elements to improve engagement. For example, students might win badges and level-up bonuses such as skills or digitized loot to improve their in-game avatar. Simulations might be presented so that the student chooses encounters from a map and engages with a simulation environment in a first person shooter type of 3D world.

Answer 79

B A screened host is when a smaller network accesses the Internet using a dual-homed proxy/gateway servers. A Demilitarized Zone (DMZ) is a protected but untrusted area (zone) between the Internet and the private network. Traffic from wireless networks might be less trusted than from a cabled network. If unauthenticated open access points or authenticated guest Wi-Fi networks exist on the network, admin should keep them isolated. A guest network is a zone that allows untrusted or semi-trusted hosts on the local network. Examples include publicly accessible computers or visitors bringing their own portable computing devices to the premises.

Answer 80

D Overdependence on perimeter security occurs when the network architecture is flat. If an attacker can penetrate the network edge, the attacker will then have freedom of movement throughout the entire network. A single point of failure occurs with a "pinch point" by relying on a single hardware server or appliance or network channel. Complex dependencies are services that require many different systems to be available. Ideally, the failure of individual systems or services should not affect the overall performance of other network services. Availability over confidentiality and integrity occurs when a company takes shortcuts to get a service up and running. Compromising security might represent a quick fix but creates long term risks.

Answer 81

D It is good that not all the hosts can talk to each other. If any host can contact another host, an attacker can penetrate the network edge and gain freedom of movement. A flat architecture is where all hosts can contact each other, exposing an overdependence on perimeter security. When services rely on several different systems, the failure of one will affect the overall performance of other network services. Relying on a single hardware server represents a single point of failure, meaning the whole network crashes if the server goes down.

Answer 82

CD Intrusion detection and NAC are security suites and appliances that can combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network. Wireless monitoring can reveal the presence of unauthorized or malicious access points and stations. Visual inspection of ports/switches will reveal any obvious unauthorized devices or appliances; however, a sophisticated attack can prevent observation, such as creating fake asset tags. Network mapping can identify hosts unless an OS is actively trying to remain unobserved by not operating when scans are running. Identifying a rogue host on a large network from a scan may still be difficult.

Answer 83

BD In MAC filtering, a switch will record the specified number of MACs allowed to connect to a port, but then drop any traffic from other MAC addresses. DHCP snooping inspects traffic arriving on access ports to ensure that a host is not trying to spoof its MAC address. MAC filtering on a switch defines which MAC addresses are allowed to connect to a particular port, dropping other traffic to protect against MAC flooding attacks. Dynamic ARP inspection (DAI), which can be configured alongside DHCP snooping, prevents a host attached to an untrusted port from flooding the segment with gratuitous ARP replies. P240 MAC Filtering and MAC Limiting Configuring MAC filteringon a switch means defining which MAC addresses are allowed to connect to a particular port. This can be done by creating a list of valid MAC addresses or by specifying a limit to the number of permitted addresses. For example, if port security is enabled with a maximum of two MAC addresses, the switch will record the first two MACs to connect to that port, but then drop any traffic from machines with different MAC addresses that try to connect. This provides a guard against MAC flooding attacks. DHCP Snooping Another option is to configure Dynamic Host Configuration Protocol (DHCP) snooping. DHCP is the protocol that allows a server to assign IP address information to a client when it connects to the network. DHCP snooping inspects this traffic arriving on access ports to ensure that a host is not trying to spoof its MAC address. It can also be used to prevent rogue (or spurious) DHCP servers from operating on the network. With DHCP snooping, only DHCP messages from ports configured as trusted are allowed. Additionally dynamic ARP inspection (DAI), which can be configured alongside DHCP snooping, prevents a host attached to an untrusted port from flooding the segment with gratuitous ARP replies. DAI maintains a trusted database of IP:ARP mappings and ensures that ARP packets are validly constructed and use valid IP addresses.

Answer 84

ABC A rogue AP masquerading as a legitimate one is an evil twin, or sometimes known as WiPhishing. A DoS attack can form the evil twin to overcome the legitimate AP. An attacker can also form evil twins, giving the AP a similar name (SSID) to that of the legitimate AP. Users may select this AP by mistake, and enter their credentials, which the attacker will capture. Rogue APs can be setup with something as basic as a smartphone with tethering capabilities. It is vital to periodically survey the site to detect rogue APs. When enabling authentication security on the AP (without the attacker knowing the details of the authentication method), a DoS will not succeed. It is important to scan for rogue APs, but the ease of a DoS is not the reasoning behind the need for regular scans.

Answer 85

B WEP version 1 has both 64-bit and 128-bit keys, while WEP version 2 has 128-bit and 256-bit keys but is still not secure. The main problem with WEP is the 24-bit Initialization Vector (IV). The IV changes the keystream each time, but this does not always occur due to problems. One of the problems is that the IV is not sufficiently large, meaning the system will reuse the IV within the same keystream under load. WEP, depending on the version, allows for the use of 64-, 128-, and 256-bit keys, but none of these options are secure. The IV is not large enough, meaning that the system will reuse it, within the same keystream under load. WEP does have the option to use 64- and 128-bit keys but also allows for 256-bit keys. Packs use a checksum to verify integrity, but that is easy to compute. WEP allows for 64-, 128-, and 256-bit keys. The IV is often not generated using a sufficiently random algorithm.

Answer 86

A A blackhole drops packets for the affected IP addresses(es). A blackhole is an area of the network that cannot reach any other part of the network which protects the unaffected portion. A blackhole does make the attack less damaging to the other ISP customers but does not send legitimate traffic to the correct destination. The blackhole does not look at packets and simply drops all packets into the black hole. A sinkhole routing routes traffic to a particular IP address, to a different network, so the ISP can analyze and identify the source of the attack. A blackhole is preferred, but it does not evaluate each packet. An ACL option will evaluate each packet but can overwhelm the processing resources, which makes using a blackhole preferred.

Answer 87

A In active/passive clustering, if the active node suffers a fault, the connection can failover to the passive node, without performance degradation. In an active/active cluster, both nodes process connections concurrently, using the maximum hardware capacity. During failover, the failed node’s workload shifts to the remaining node, the workload on the remaining nodes increases, and performance degrades. Most network appliances process packets on a best effort and first in, first out (FIFO) basis, while the Quality of Service (QoS) framework prioritizes traffic based on its characteristics to better support voice and video applications susceptible to latency and jitter. Failover ensures that a redundant component, device, or application can quickly and efficiently take over the functionality of an asset that has failed.

Answer 88

C Session affinity is a layer 4 approach to handling user sessions. When a client establishes a session, it stays with the node that first accepted the request. Most network appliances process packets on a best effort and FIFO basis. Layer 4 load balancers only make basic connectivity tests, while layer 7 appliances can test the application's state. An application-layer load balancer uses persistence to keep a client connected to a session. Persistence typically works by setting a cookie, which can be more reliable than session affinity. Quality of Service (QoS) prioritizes traffic based on its characteristics, like bandwidth requirements for video and voice applications. A round robin is a simple form of scheduling that picks the next node. P260 Source IP Affinity and Session Persistence When a client device has established a session with a particular node in the server farm, it may be necessary to continue to use that connection for the duration of the session. Source IP or session affinityis a layer 4 approach to handling user sessions. It means that when a client establishes a session, it becomes stuck to the node that first accepted the request. An application-layer load balancer can use persistenceto keep a client connected to a session. Persistence typically works by setting a cookie, either on the node or injected by the load balancer. This can be more reliable than source IP affinity, but requires the browser to accept the cookie.

Answer 89

BD A content filter restricts web use to only authorized sites. Examples of content filter uses can be schools restricting access to only sites that are .edu or to not allow sites that have adult-level content. Another example of a content filter can be the workplace, only allowing sites that are for work purposes. A proxy server works on a store-and-forward model and deconstructs each packet, performs analysis, then rebuilds the packet and forwards it on. A part of this process is removing suspicious content in the process of rebuilding the packet. A system admin configures packet filtering firewalls by specifying a group of rules that define the type of data packet, and the appropriate action to take when the packet matches the rule.

Answer 90

BC A NIDS can identify and log hosts and applications and detect attack signatures and other indicators of attack. An administrator can analyze logs to tune firewall rulesets, remove or block suspect hosts and processes, or deploy additional security controls to mitigate threats identified. One of the main disadvantages of NIDS is that training and tuning are complex, which results in high false positive and false negative rates, especially during initial deployment. NIDS training and tuning are complex, with high initial false positive and false negative rates. A NIDS will not block the traffic during an attack, which is a disadvantage. If an administrator does not immediately review logs during an attack, a delay will occur and the attack will continue.

Answer 91

B A signature-based detection (or pattern-matching) engine is loaded with a database of attack patterns or signatures. If traffic matches a pattern, then the engine generates an incident. While complex NGFW and UTM solutions provide high confidentiality and integrity, lower throughput reduces availability. One solution to this is to treat security solutions for server traffic differently from that for user traffic. An SWG acts as a content filter, which applies user-focused filtering rules and also conducts threat analysis. Intrusion prevention systems (IPS), positioned like firewalls at borders between network zones, provide an active response to network threats. A TAP is a hardware device inserted into a cable to copy frames for analysis. P661 SWG (secure web gateway)An appliance or proxy server that mediates client connections with the Internet by filtering spam and malware and enforcing access restrictions on types of sites visited, time spent, and bandwidth consumed. P437 Enterprise networks often make use of secure web gateways (SWG). An on-premises SWG is a proxy-based firewall, content filter, and intrusion detection/prevention system that mediates user access to Internet sites and services. A next-generation SWG, as marketed by Netskope , combines the functionality of an SWG with that of data loss prevention (DLP) and a CASB to provide a wholly cloud-hosted platform for client access to websites and cloud apps. This supports an architecture defined by Gartner as secure access service edge (SASE).

Answer 92

D A memory leak is a process that takes up memory without subsequently freeing it up, which a worm or other type of malware can cause. Looking for decreasing available bytes and increasing committed bytes can detect this type of memory leak. The free disk space performance threshold counter will create an alert when there is a rapid decrease in available disk space, which malware or the illegitimate use of a server could cause. Insufficient physical memory could cause high page file utilization but otherwise could indicate malware. High utilization out-of-hours can be suspicious if no scheduled activities are occurring, such as backup or virus scanning.

Answer 93

ACD The system administrator should use scanning and intrusion detection to pick up suspicious activity. The system administrator should set logging to be enabled and then review the logs regularly for suspicious events. The system administrator should disable unused ports and perform regular physical inspections to ensure that unauthorized devices are not connected via unused jacks. The system administrator should enable DHCP snooping on switch access ports to prevent the use of unauthorized DHCP servers. DHCP snooping acts as a firewall between the server and untrusted hosts and should be enabled versus disabled.

Answer 94

C DNS server cache poisoning aims to corrupt the records held by the DNS server itself. A DNS server queries an authoritative server for domain information. An attacker can masquerade as an authoritative name server and respond with fraudulent information. An ARP cache contains entries that map IP addresses to MAC addresses. An ARP cache is not related to name resolution. Before developers created DNS, early name resolution took place using a text file named HOSTS. In this case, all users are experiencing an issue, not just some. Domain Reputation can be impacted if an attacker hijacks public servers. In this case, systems admin found invalid host records, which ruled out hijacking. P297 DNS Server Cache Poisoning DNS server cache poisoning aims to corrupt the records held by the DNS server itself. This can be accomplished by performing DoS against the server that holds the authorized records for the domain, and then spoofing replies to requests from other name servers. Another attack involves getting the victim name server to respond to a recursive query from the attacking host. A recursive query compels the DNS server to query the authoritative server for the answer on behalf of the client. The attacker's DNS, masquerading as the authoritative name server, responds with the answer to the query, but also includes a lot of false domain:IP mappings for other domains that the victim DNS accepts as genuine. The nslookupor digtool can be used to query the name records and cached records held by a server to discover whether any false records have been inserted.

Answer 95

AC Secure file transfer protocol (SFTP) safely transfers files remotely via SSH. System administrators typically install web servers with sample pages and scripts, along with supporting documentation. These samples sometimes contain vulnerabilities, and administrators should remove them from the production server. Most web servers must allow for secure access to guests. The guest accounts should have no permissions outside of the directory set up for browsing. Web servers should deploy using configuration templates where possible.

Answer 96

CD FDE means that the entire contents of the drive, including system files and folders, are encrypted. The cryptographic operations performed by the OS reduces performance. FDE normally utilizes a Trusted Platform Module (TPM) to secure the storage of the key used to encrypt the drive contents. FDE means that the entire content of the drive (or volume), including system files and folders, are encrypted. This is not limited to only critical files. FDE requires secure storage of the key used to encrypt the drive contents. Normally, this is in a TPM. It is also possible to use a removable USB drive if USB is a boot device option.

Answer 97

B A hardware RoT, or trust anchor, is a secure subsystem that can provide attestation. When a computer joins a network, it may submit a report to the NAC declaring valid OS files. The RoT scans the boot metrics and OS files to verify their signatures. A secure boot is a security system designed to prevent a computer from being hijacked by a malicious OS. A Trusted Platform Module (TPM) is a specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information. The Basic Input/Output System (BIOS) provides an industry standard program code that operates the essential components of the PC and ensures that the design of each manufacturer's motherboard is PC compatible.

Answer 98

B Secure boot is about provisioning certificates for trusted operating systems and blocking unauthorized OSes. Measured boot stores and compares hashes of critical boot files to detect unauthorized processes. Secure boot requires UEFI but does not require a TPM. A trusted or measured boot process uses platform configuration registers (PCRs) in the TPM at each stage in the boot process to check whether hashes of key system state data have changed. Attestation is the process of sending a signed boot log or report to a remote server. Secure boot prevents the use of a boot loader or kernel that has been changed by malware (or an OS installed without authorization). P329 Secure Boot Secure bootis designed to prevent a computer from being hijacked by a malicious OS. UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the operating system boot loader and kernel using the stored certificate to ensure that it has been digitally signed by the OS vendor. This prevents a boot loader or kernel that has been changed by malware (or an OS installed without authorization) from being used. Secure boot is supported on Windows and many Linux platforms. Secure boot requires UEFI, but does not require a TPM.

Answer 99

A When a manufacturer discontinues a product’s sales, it enters an end of life (EOL) phase in which support and availability of spares and updates grow limited. An end of service life (EOSL) system is one whose developer or vendor no longer supports. EOSL products no longer receive security updates and represent a critical vulnerability if companies actively use them. Microsoft provides Windows versions five years of mainstream support and five years of extended support (during which Microsoft only ships security updates). Most OS and application vendors have similar policies. Well-maintained open-source software may have long term support (LTS) versions. Developers may also abandon software, and companies who rely on such abandonware must assume any maintenance responsibility.

Answer 100

A It is well recognized that updates, particularly service releases, can cause problems with software application compatibility. The least time-consuming approach is to apply all of the latest patches. A system administrator who applies patches on a case-by-case basis must stay up to date with security bulletins to see if a patch is necessary. Patches are usually provided at no cost. The cost associated with patches is the time it takes to test, review, and apply them. It is best practice to trial and update on a test system to try to discover whether it will cause any problems. Applying a patch immediately could do more harm than good to the workstations.

Answer 101

AC Group Policy Objects (GPOs) are a means of applying security settings across a range of computers. They can be used to configure software deployment among several other tasks. GPOs can configure registry settings across a range of computers. Execution control is the process of determining which additional software may be installed on a client or server beyond its baseline. It prevents the use of unauthorized software. Baseline deviation reporting tests the configuration of clients and servers to ensure they are patched, and their configuration settings match the baseline template.

Answer 102

BD Attackers may have a goal of injuring or killing patients by tampering with dosage levels or device settings. Many of the control systems for medical devices run on unsupported versions of operating systems, such as Windows XP, because the costs of updating the software to work with newer OS versions is high and disruptive to patient services. Medical devices can be found in the hospital, clinic, and as portal devices such as cardiac monitors, defibrillators, and insulin pumps. Medical devices may have unsecure communications protocols. Many devices run on unsupported systems due to the cost and potential disruptions the update would cause.

Answer 103

AB An embedded system is a complete computer system designed to perform a specific dedicated function, typically in a dynamic environment. A PC is a dynamic environment where the user can add or remove programs and data files. A dynamic environment provides users more control, including updating. A static environment update will usually only be available through specific management interfaces. A static environment gives less control than a dynamic environment. A dynamic environment gives the user access to add and remove programs, update the system, and install new hardware components. In terms of security, static environments are easier to protect. This is due to the unchanging environment without adding new hardware or software. With fewer changes and additions, the systems are not introduced to as many threats.

Answer 104

AC Many embedded devices are battery-powered and may need to run for years without having to replace the cells. Processing must be kept to the minimum possible level. Embedded systems often use system on chip (SoC), a design where processors, controllers, and devices reside on a single processor die (or chip). This packaging saves space and is usually power efficient. TPM establishes a root of trust at the hardware level on PC, but most embedded systems do not have embedded TPMs, so they must rely on implicit trust and network perimeter security. Customers can program a field programmable gate array (FPGA) to run a specific application an embedded system requires, which is more efficient than running a pre-programmed device.

Answer 105

AB Some embedded systems use legacy OSes, making them difficult to secure. Isolating these hosts from others through network segmentation and using endpoint security can help secure them against exploitation. One way of increasing the security of data in transit for embedded systems is through the use of wrappers, such as IPSec, which secures data through authentication and encryption. Only specific security control functions require network access for static environments, which the security manager should keep separate from the corporate network with perimeter security. When designed for residential use, IoT devices can suffer from weak defaults that customers do not take steps to secure. The security manager can configure them to "work" with a minimum of configuration effort.

Answer 106

D Corporate Owned, Business Only (COBO) devices provide the greatest security of the four mobile device deployment models. The device is the property of the company and may only be used for company business. The Bring Your Own Device (BYOD) model is the least secure of the four models. The device is owned by the employee, and the employee agrees to use it for company use. Deploying a Choose Your Own Device (CYOD) model means the device is chosen by the employee and owned by the company. The employee is able to use the device for personal business. A Corporate Owned, Personally-Enabled (COPE) device is supplied and chosen by the company and personal use is allowed.

Answer 107

B Rooting is a term associated with Android devices. Some vendors provide authorized mechanisms for users to access the root account on their device. For some devices, it is necessary to exploit a vulnerability or use custom firmware. A user who has an iOS device and wants access to the administrator account will perform an action called jailbreaking versus rooting. If the user had an iOS device, and has booted the device with a patched kernel, the term would have been jailbreaking. An Android device is not able to be booted with a patched kernel. Custom firmware or access from the vendor is required to obtain administrator access.

Answer 108

B The company owns the device and dictates the device’s purpose in the corporate owned, business only (COBO) model. Employees own their own devices that meet business configuration standards and run corporate applications in the bring your own device (BYOD) model. Businesses may oversee and audit user-owned devices to some extent, but this model poses significant security challenges. In the corporate owned, personally-enabled (COPE) model, the company chooses, supplies, and owns the device, but authorizes personal use, (subject to acceptable use policies). With choose your own device (CYOD), the company owns and supplies the device, but the employee chooses it.

Answer 109

A A stack is an area of memory used by a program subroutine. It includes a return address, which is the location of the program that is called the subroutine. An attacker could use a buffer overflow to change the return address, which is called a stack overflow. A heap is an area of memory allocated by an application during execution to store a variable. A heap overflow can overwrite the variables with unexpected effects. An array is a type of variable designed to store multiple values. It is possible to create an array index overflow by exploiting unsecure code to load the array with more values than it expects. An integer overflow attack causes the target software to calculate a value that exceeds bounds that are set by the software.

Answer 110

C Dereferencing occurs when a pointer variable stores a memory location, which is attempting to read or write that memory address via the pointer. If the memory location is invalid or null, this creates a null pointer dereference type of exception and the process may crash. Dereferencing does not mean deleting or removing; it means read or resolve. A null pointer might allow a threat actor to run arbitrary code. Programmers can use logic statements to test that a pointer is not null before trying to use it. A race condition is one means of engineering a null pointer dereference exception. Race conditions occur when processes depend on timing and order, and those events fail to execute in the order and timing intended.

Answer 111

B Both reflected and stored Cross-Site Scripting (XSS) attacks exploit server-side scripts. The third type of XSS attack exploits vulnerabilities in client-side scripts, and these scripts often use the Document Object Model (DOM) to modify the content and layout of a web page. Both reflected and stored Cross-Site Scripting (XSS) attacks exploit server-side scripts, not client-side. Document Object Model (DOM) modifies the content and layout utilizing client-side scripts. While reflected Cross-Site Scripting (XSS) attacks exploit server-side scripts, Document Object Model (DOM) exploits client-side scripts. A stored attack exploits server-side scripts. A nonpersistent attack is another name for reflected, and a persistent attack is another name for a stored attack. Both of these attacks exploit server-side scripts. DOM exploits client-side scripts.

Answer 112

A A client-side or cross-site request forgery (CSRF or XSRF) can exploit applications that use cookies to authenticate users and track sessions. XSS exploits a browser’s trust and can perform an XSRF attack. XSS inserts a malicious script that appears to be part of a trusted site. XSS can conduct an XSRF attack. XSRF passes an HTTP request to the victim’s browser that spoofs a target site action, such as changing a password. The attacker can disguise and accomplish this request without the victim necessarily having to click a link. XSRF is a client-side exploit. An XSS attack may be reflected (nonpersistent) or stored (persistent) and may target back-end systems (server-side) or client-side scripts.

Answer 113

B Normalization means that a string is stripped of illegal characters or substrings, and converted to the accepted character set. This ensures that the string is in a format that can process correctly by the input validation routines. An attacker may use a canonicalization attack to disguise the nature of malicious input. Fuzzing is a means of testing that an application's input validation routines work well. The test, or vulnerability scanner, generates large amounts of deliberately invalid and random input and records the application's responses. Code reuse occurs through the use of a block of code from elsewhere in the same application, or from another application, to perform a different function. Code signing is the principal means of proving the authenticity and integrity of code.

Answer 114

B In the integration environment, (test) code from multiple developers is merged to a single master copy and subjected to several basic unit and functional tests. These tests aim to ensure the code builds correctly and fulfills the functions according to design requirements. In the development environment, the code is hosted on a secure server. Each developer checks out a portion of code for editing on a local machine. The local machine will normally be configured with a sandbox for local testing. In the staging environment, a mirror of the production environment is used, but may only use test or sample data with additional access controls, so it is only accessible to test users. In the production environment, the application is released to end users. P410 To meet the demands of the life cycle model and quality assurance, code is normally passed through several different environments: • Development—the code will be hosted on a secure server. Each developer will check out a portion of code for editing on his or her local machine. The local machine will normally be configured with a sandbox for local testing. This ensures that whatever other processes are being run locally do not interfere with or compromise the application being developed. • Test/integration—in this environment, code from multiple developers is merged to a single master copy and subjected to basic unit and functional tests (either automated or by human testers). These tests aim to ensure that the code builds correctly and fulfills the functions required by the design. • Staging—this is a mirror of the production environment but may use test or sample data and will have additional access controls so that it is only accessible to test users. Testing at this stage will focus more on usability and performance. • Production—the application is released to end users.

Answer 115

C Cookies can be a vector for session hijacking and data exposure if not configured correctly. Use the SameSite attribute to control where a cookie may be sent, mitigating request forgery attacks. Set the Secure attribute to prevent a cookie from being sent over unencrypted HTTP. Set the HttpOnly attribute to make the cookie inaccessible to document object model/client-side scripting. A number of security options can be set in the response header returned by the server to the client, including Cache-Control, which sets whether the browser can cache responses. Preventing caching of data protects confidential and personal information where multiple users might share the client device.

Answer 116

B A man-in-the-browser (MitB) attack compromises the web browser. An attacker may be able to inspect session cookies, certificates, and data, change browser settings, perform redirection, and inject code. An evil twin is a rogue WAP masquerading as a legitimate one. It can capture user logon attempts, allow man-in-the-middle attacks, and allow access to private information. Session hijacking involves replaying a web application cookie in some way. Attackers can sniff network traffic to obtain session cookies sent over an unsecured network. In a clickjacking attack, the user sees and trusts as a web application with a login page or form that contains a malicious layer or invisible iFrame that allows an attacker to intercept or redirect user input.

Answer 117

A The production phase occurs immediately after the transition phase in the Agile model. The transition phase consists of perming final integration and testing of the solution and preparing for deployment in the user environment. The production phase is ensuring that the solution operates effectively. The inception phase occurs following the concept phase. The inception phase includes identifying stakeholders and support for the project and starting to provision resources. The iteration phase follows inception and the requirements are prioritized and the cycles of designing, developing, testing, and test deploying solutions to the project goals occur. The retirement phase follows production and consists of deprovisioning the solution and any environmental dependencies.

Answer 118

C Agile development flips the waterfall model by iterating through phases concurrently on smaller modules of code. Both models are principals of a Software Development Lifecycle (SDLC). The production phase includes ensuring the solution operates effectively. The concept phase includes devising the initial scope and vision for the project and to determine its feasibility. The iteration phase consists of prioritizing requirements and working through cycles of designing, developing, testing, and test deploying solutions to the project goals. The transition phase includes performing final integration and testing of the solution and preparing for deployment in the user environment.

Answer 119

D In the testing phase, a security expert performs black box (blind) or gray box (partial disclosure) analysis to test for vulnerabilities in the published application and its publication environment. In the requirements phase, a security analyst determines security needs and privacy in terms of data processing and access controls. In the design phase, a systems engineer identifies threats and controls or secure coding practices to meet the requirements. In the implementation phase, a software developer performs a white box (full disclosure) source code analysis and code review to identify and resolve vulnerabilities.

Answer 120

``` A Continuous integration (CI) is the principle that developers should commit and test updates often. CI aims to detect and resolve coding conflicts early. ``` Continuous delivery is about testing all of the infrastructures that support an app, including networking, database functionality, client software, and so on. Verification is a compliance testing process to ensure that the product or system meets its design goals. Validation is the process of determining whether the application is fit-for-purpose. These processes ensure the application conforms to the secure configuration baseline. An automation solution will have a system of continuous monitoring to detect service failures, security incidents, and failover mechanisms.

Answer 121

``` BC Virtual Machine (VM) escaping refers to malware running on a guest Operating System (OS) jumping to another guest or to the host. ``` A timing attack occurs by sending multiple usernames to an authentication server and measuring the server's response times. Hypervisors are a common target of attacks and become more complex when the network infrastructure, such as switches and routers, is also virtualized. When the network infrastructure is implemented in software, it may not be subject to inspection and troubleshooting by system administrators. VMs providing front-end, middleware, and back-end services should be separated to different physical hosts. This reduces the security implications of a VM escaping attack on a host in the Demilitarized Zone (DMZ).

Answer 122

A It is imperative to identify precisely which risks are transferring to the cloud, which risks the service provider is undertaking, and which risks remain with the organization. A service level agreement (SLA) outlines those risks and responsibilities. A trust relationship simply defines the relationship with a cloud service provider. The more important the service is to a business, the more risk the business invests in that trust relationship. A responsibility matrix is a good way to identify what risks exist, and who is responsible for them. The matrix can be part of an SLA. High availability is an approach to keeping systems functionality at a constant.

Answer 123

D A reverse proxy (positioned at the cloud network edge) directs traffic to cloud services if the contents of that traffic comply with policy. This does not require configuration of users' devices. Single sign-on authentication and enforcing access controls and authorizations from the enterprise network to the cloud provider is a feature of a CASB. Rather than placing a CASB appliance or host inline with cloud consumers and the cloud services, an API-based CASB brokers connections between the cloud service and the cloud consumer. A forward proxy is a security appliance or host, positioned at the client network edge, that forwards user traffic to the cloud network if the contents of that traffic comply with policy. This requires configuration of users' devices. P437 In general, CASBs are implemented in one of three ways: • Forward proxy—this is a security appliance or host positioned at the client network edge that forwards user traffic to the cloud network if the contents of that traffic comply with policy. This requires configuration of users' devices or installation of an agent. In this mode, the proxy can inspect all traffic in real time, even if that traffic is not bound for sanctioned cloud applications. The problem with this mode is that users may be able to evade the proxy and connect directly. Proxies are also associated with poor performance as without a load balancing solution, they become a bottleneck and potentially a single point of failure. • Reverse proxy—this is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with policy. This does not require configuration of the users' devices. This approach is only possible if the cloud application has proxy support. • Application programming interface (API)—rather than placing a CASB appliance or host inline with cloud consumers and the cloud services, an API-based CASB uses brokers connections between the cloud service and the cloud consumer. For example, if a user account has been disabled or an authorization has been revoked on the local network, the CASB would communicate this to the cloud service and use its API to disable access there too. This depends on the API supporting the range of functions that the CASB and access and authorization policies demand. CASB solutions are quite likely to use both proxy and API modes for different security management purposes.

Answer 124

AC The number of requests is a basic load metric that counts the number of requests per second or requests per minute. Depending on the service type, admin can set a baseline for typical usage. Latency is the time in milliseconds (ms) taken for the service to respond to an API call. This can be measured for specific services or as an aggregate value across all services. Error rates measure the number of errors as a percentage of total calls, usually classifying error types under category headings. Admin can manage unauthorized and suspicious endpoint connections to the API in the same sort of way as remote access.

Answer 125

B When using an abstract model, the engineer can divide the network functions into three "planes." The control plane makes decisions about how to prioritize and secure traffic, as well as where to switch it. A software-defined networking (SDN) application can manage the aspects of all "planes" in the abstract model. SDN can manage compatible physical appliances, but also virtual switches, routers, and firewalls. The management plane monitors traffic conditions and the overall network status. The data plane handles the actual switching and routing of traffic and the imposition of security access controls.

Answer 126

CD A security specialist can incorporate fog nodes as a data processing layer positioned close to edge gateways, assisting the prioritization of critical data transmission. Fog nodes are high-value targets for both denial of service and data exfiltration attacks. Edge gateways perform some pre-processing of data to and from edge devices to enable prioritization. They also perform the wired or wireless connectivity to transfer data to and from the storage and processing networks. Edge gateways are high-value targets to exploit. Edge devices collect and depend upon data for their operation. For example, a thermometer in an HVAC system collects temperature data. The cloud or data center provides the main storage and processing resources, plus distribution and aggregation of data.

Answer 127

BD When an operation needs processing, by using a container, the cloud spins up the container to run the code, performs the processing, and then destroys the container. A virtual machine is a full-fledged operating system that runs in a virtual environment and considered a server, not serverless. Serverless refers to creating and using containers when needed. A single service would provide a specific output. Many services require working together in a serverless environment. Serverless architecture depends heavily on the concept of event-driven orchestration with many services involved to facilitate operations.

Answer 128

C A data custodian is responsible for managing the system where data assets are stored, including responsibility for enforcing access control, encryption, and backup or recovery measures. A data owner has the ultimate responsibility for maintaining the confidentiality, integrity, and availability of the information asset. The data steward is primarily responsible for data quality, such as ensuring data is labeled and identified with appropriate metadata. The privacy officer is responsible for oversight of any Personally Identifiable Information (PII) assets managed by the company and ensures that the processing and disclosure of PII comply with the legal and regulatory frameworks.

Answer 129

A Documents labeled as critical contain information that is too valuable to permit any risk of its capture, and viewing is severely restricted. Documents labeled as confidential contain information that is highly sensitive and is for viewing only by approved persons within the organization or possibly by third parties under a Nondisclosure Agreement (NDA). This classification may also be called low. Documents labeled as classified contains information that limits viewing by only persons within an organization or by third parties that are under an NDA. This classification may also be called private, restricted, internal use only, or official use only. Unclassified documents are unrestricted and anyone can view the document. This document does not contain information that will harm the company if released. This classification is also known as public.

Answer 130

CD A full name can be used to identify, contact, or locate an individual. A full name is an identifier and can be used to search for a person to locate more PII that can be used to contact or locate a person. A date of birth can be used to identify, contact, or locate an individual. This information is often used when verifying identity and may be used by an attacker to obtain unauthorized access into accounts and obtain other PII. A job position is not considered PII. The position is not considered a person and is typically categorized as public information. Having the sole information of the name of a job position does not arm an attacker with the ability to identify, contact, or locate an individual. Gender is not considered PII and is not unique to an individual. This information will not assist an attacker with contacting, identifying, or locating an individual.

Answer 131

BC Data sovereignty refers to a jurisdiction preventing or restricting processing and storage from taking place on systems that do not physically reside within that jurisdiction. Storage locations might have to be carefully selected to mitigate data sovereignty issues. Most cloud providers allow a choice of data centers for processing and storage. GDPR protections extend to any EU citizen while they are within EU or EEA (European Economic Area) borders. There are important institutional governance roles for oversight and management of information assets within a data life cycle. These roles help to manage and maintain data.

Answer 132

ABD A benefit of IRM is that file permissions can be assigned for different document roles, such as author, editor, or reviewer. Each role can have specific access such as sending, printing, and editing. Printing and forwarding of documents can be restricted even when the document is sent as a file attachment. This means that just because a document is forwarded it may not have printing capabilities. Printing and forwarding of email messages can be restricted. One disadvantage is that a document protected with IRM is not immune to screen captures. These captures can be done with a camera phone, third party software, or a workaround using an Apple system. P460 Rights Management Services As another example of data protection and information management solutions, Microsoft provides an Information Rights Management (IRM) feature in their Office productivity suite, SharePoint document collaboration services, and Exchange messaging server. IRM works with the Active Directory Rights Management Services (RMS) or the cloud-based Azure Information Protection. These technologies provide administrators with the following functionality: • Assign file permissions for different document roles, such as author, editor, or reviewer. • Restrict printing and forwarding of documents, even when sent as file attachments. • Restrict printing and forwarding of email messages.

Answer 133

B In the identification phase, it is important to determine whether an incident has taken place, assess how severe it might be (triage), and notify stakeholders. The recovery phase reintegrates the system into the environment and may involve the restoration of data from backup and security testing. The systems administrator must monitor the systems more closely for a period to detect and prevent any reoccurrence of the attack. The containment phase aims to limit the scope and magnitude of the incident. The goal is to secure data while limiting the immediate impact on customers and business partners. In the eradication phase, the admin removes the cause and restores the system to a secure state by applying secure configuration settings and installing patches.

Answer 134

BCD Downtime is a critical factor to consider to the degree to which an incident disrupts business processes. An incident can either degrade (reduce performance) or interrupt (completely stop) the availability of an asset, system, or business process. Detection time is an important consideration requiring that the systems used to search for intrusions are thorough, and the response to detections must be fast. Recovery time must be considered, as some incidents that need to have complex system changes require lengthy remediation. This extended recovery period should trigger heightened alertness for continued or new attacks. Planning time can refer to the expected time for completing a project plan, or a period of time scheduled for an IT team to work together to plan out projects. It is not a consideration for incident remediation efforts.

Answer 135

C The system administrator has entered the containment, eradication, and recovery stage by removing the system from the network. This action contains the incident and protects the other network resources. This is also the stage where the administrator will repair the system and bring it back online or replace it. Preparation is the stage where the admin puts controls in place to prevent the software from being installed. The identification stage was completed when the scan was conducted and the unauthorized software identified. The lessons learned stage will occur after the containment, eradication, and recovery stage is completed and lessons learned will be utilized to improve the security of the network.

Answer 136

B Rsyslog can work over TCP and use a secure connection. It uses the same configuration file syntax as Syslog. Rsyslog can use more types of filter expressions in its configuration file to customize message handling. Syslog-ng is an update to Syslog that can use TCP secure communications, but it uses a different configuration file syntax than Syslog. Syslog provides an open format, protocol, and server software for logging event messages. A very wide range of host types use Syslog, as well as UDP for communications. NXlog is an open-source log normalization tool. One common use for it is to collect Windows logs, which use an XML-based format and then normalize them to a standard syslog format.

Answer 137

C A flow collector is a means of recording metadata and statistics about network traffic rather than recording each frame. Network traffic and flow data may come from a wide variety of sources. A SIEM collects data from sensors. The information captured from network packets can be aggregated and summarized to show overall protocol usage and endpoint activity. sFlow, developed by HP and subsequently adopted as a web standard, uses sampling to measure traffic statistics at any layer of the OSI model for a wide range of protocol types. If one has reliable baselines for comparison, bandwidth usage can be a key indicator of suspicious behavior. Unexpected bandwidth consumption could be evidence of a data exfiltration attack.

Answer 138

A Configuration drift applies when malware exploits an undocumented configuration change (shadow IT software or an unauthorized service/port, for instance). A weak configuration is correctly applied, but exploited anyway. Review of the settings is recommended to ensure the highest level of security. If endpoint protection/A-V, host firewall, content filtering, DLP, or MDM could have prevented an attack, then investigate the possibility of the lack of security controls. Social engineering means that a user executed an exploit. Use security education and awareness to reduce the risk of future attacks succeeding.

Answer 139

D A simple option is to disconnect the host from the network completely (creating an air gap) or disabling its switch port. This is the least stealthy option and will reduce opportunities to analyze the attack or malware due to the isolation. The analyst can implement a routing infrastructure to isolate one or more infected virtual LANs (VLANs) in a black hole that is not reachable from the rest of the network. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture such as VLANs. ACLs can prevent a host or group of hosts from communicating outside of a protected segment.

Answer 140

A Computer forensics is the practice of collecting evidence from computer systems to an accepted standard in a court of law. Due Process is a common law term used in the US and the UK which requires that people only be convicted of crimes following the fair application of the laws of the land. eDiscovery is a means of filtering the relevant evidence produced from all the data gathered by a forensic examination and storing it in a database in a format to use as evidence in a trial. Legal hold refers to the fact that information that may be relevant to a court case must be preserved

Answer 141

C eDiscovery is a means of filtering the relevant evidence produced from all the data gathered by a forensic examination and storing it in a database in a format to use as evidence in a trial. Legal hold refers to the fact that information that may be relevant to a court case must be preserved. Forensics is the practice of collecting evidence from computer systems to an accepted standard in a court of law. Due process is a term used in common law to require that people only be convicted of crimes following the fair application of the laws of the land. P495 A forensic examination of a device such as a fixed drive that contains Electronically Stored Information (ESI) entails a search of the whole drive (including both allocated and unallocated sectors, for instance). E-discoveryis a means of filtering the relevant evidence produced from all the data gathered by a forensic examination and storing it in a database in a format such that it can be used as evidence in a trial. E-discovery software tools have been produced to assist this process. Some of the functions of e-discovery suites are: • Identify and de-duplicate files and metadata—many files on a computer system are "standard" installed files or copies of the same file. E-discovery filters these types of files, reducing the volume of data that must be analyzed. • Search—allow investigators to locate files of interest to the case. As well as keyword search, software might support semantic search. Semantic search matches keywords if they correspond to a particular context. • Tags—apply standardized keywords or labels to files and metadata to help organize the evidence. Tags might be used to indicate relevancy to the case or part of the case or to show confidentiality, for instance. • Security—at all points evidence must be shown to have been stored, transmitted, and analyzed without tampering. • Disclosure—an important part of trial procedure is that the same evidence be made available to both plaintiff and defendant. E-discovery can fulfill this requirement. Recent court cases have required parties to a court case to provide searchable ESI rather than paper records.

Answer 142

D Legal hold refers to information that the security expert must preserve, which may be relevant to a court case. Regulators or the industry's best practice may define the information that is subject to legal hold. Chain of custody reinforces the integrity and proper handling of evidence from collection, to analysis, to storage, and finally to presentation. When security breaches go to trial, the chain of custody protects an organization against accusations of tampering with the evidence. Due process is a common law term used in the US and UK to require that people only be convicted of crimes following the fair application of the laws of the land. Forensics is the practice of collecting evidence from computer systems to a standard that a court of law will accept.

Answer 143

A NTFS uses UTC "internally." When collecting evidence, it is vital to establish the procedure to calculate a timestamp and note the difference between the local system time and UTC. Many operating systems and file systems record timestamps as the local system time, making it easy to document a data timeline. Most computers have the clock configured to synchronize to a Network Time Protocol (NTP) server. Closely synchronized time is important for authentication and audit systems to work properly. Local time is the time within a particular time zone, which will be offset from UTC by several hours (or in some cases, half-hours). The local time offset may also vary if a seasonal daylight savings time is in place.

Answer 144

AC Counterintelligence includes the identification and analysis of specific adversary tactics, techniques, and procedures (TTP). This information furthers the betterment of understanding adversary approaches that counterintelligence can note for monitoring. Counterintelligence provides information about how to configure and audit active logging systems so that they are most likely to capture evidence of attempted and successful intrusions. Strategic intelligence is data and research that security specialists have analyzed to produce actionable insights that help to build mature cybersecurity capabilities. Strategic intelligence is information that security specialists have gathered through research and provides insights used to inform risk management and security control provisioning.

Answer 145

B A specialist hardware or software tool can capture the contents of memory while the host is running (live acquisition). This type of tool needs to be pre-installed, as it requires a kernel mode driver to dump any data of interest. When a Windows host is in a sleep state, the system creates a hibernation file on disk in the root folder of the boot volume. This file is not a prerequisite for a live acquisition. When Windows encounters an unrecoverable kernel error, it can write contents of memory to a dump file. This file is not a prerequisite for a live acquisition. The pagefile/swap file/swap partition stores pages of memory in use that exceed the capacity of the host's RAM modules. This file is not a prerequisite for a live acquisition.

Answer 146

ABC The on-demand nature of cloud services means that instances are often created and destroyed again, with no real opportunity for forensic recovery of any data. Jurisdiction and data sovereignty may restrict what evidence the CSP is willing to release to the organization. Chain of custody issues are complex as it may have to rely on the CSP to select and package data for the organization. If the CSP is a data processor, it will be bound by data breach notification laws and regulations. This issue does not relate to the acquisition of data.

Answer 147

D The order of volatility outlines a general list of which components the engineer should examine for data. The engineer should first examine CPU registers and cache memory (including the cache on disk controllers and GPUs). The engineer should acquire contents of nonpersistent system memory (RAM), including routing tables, ARP caches, process tables, and kernel statistics after any cache memory. The engineer performs data acquisition on persistent mass storage devices after any available system caches or memory. This includes temporary files, such as those found in a browser cache. The engineer performs data acquisition on persistent mass storage devices (such as HDDs or SSDs) after any available system caches or memory. P501 1. CPU registers and cache memory (including cache on disk controllers, GPUs, and so on). 2. Contents of nonpersistent system memory (RAM), including routing table, ARP cache, process table, kernel statistics. 3. Data on persistent mass storage devices (HDDs, SSDs, and flash memory devices): • Partition and file system blocks, slack space, and free space. • System memory caches, such as swap space/virtual memory and hibernation files. • Temporary file caches, such as the browser cache. • User, application, and OS files and directories. 4. Remote logging and monitoring data. 5. Physical configuration and network topology. 6. Archival media and printed documents.

Answer 148

B The fifth phase of risk management is identifying risk response. A countermeasure should be identified for each risk and the cost of deploying additional security controls should be assessed. The first phase of risk management is to identify mission essential functions. Mitigating risk can involve a large amount of expenditure, so it is important to focus efforts. Part of risk management is to analyze workflows and identify the mission essential functions that could cause the whole business to fail if they are not performed. The second phase of risk management is to identify vulnerabilities for each function or workflow. This includes analyzing systems and assets to discover, and list any vulnerabilities or weaknesses they may be susceptible to. The fourth phase of risk management is to analyze business impacts, the likelihood of a vulnerability being activated as a security incident by a threat, and the impact that incident may have on critical systems. P510 Risk managementis a process for identifying, assessing, and mitigating vulnerabilities and threats to the essential functions that a business must perform to serve its customers. You can think of this process as being performed over five phases: 1. Identify mission essential functions—mitigating risk can involve a large amount of expenditure so it is important to focus efforts. Effective risk management must focus on mission essential functions that could cause the whole business to fail if they are not performed. Part of this process involves identifying critical systems and assets that support these functions. 2. Identify vulnerabilities—for each function or workflow (starting with the most critical), analyze systems and assets to discover and list any vulnerabilities or weaknesses to which they may be susceptible. 3. Identify threats—for each function or workflow, identify the threat sources and actors that may take advantage of or exploit or accidentally trigger vulnerabilities. 4. Analyze business impacts—the likelihood of a vulnerability being activated as a security incident by a threat and the impact of that incident on critical systems are the factors used to assess risk. There are quantitative and qualitative methods of analyzing impacts and likelihood. 5. Identify risk response—for each risk, identify possible countermeasures and assess the cost of deploying additional security controls. Most risks require some sort of mitigation, but other types of response might be more appropriate for certain types and level of risks.

Answer 149

A The first phase of risk management is to identify mission essential functions. Mitigating risk can involve a large amount of expenditure so it is important to focus efforts. Part of risk management is to analyze workflows and identify the mission essential functions that could cause the whole business to fail if they are not performed. The second phase of risk management is to identify vulnerabilities for each function or workflow. This includes analyzing systems and assets to discover and list any vulnerabilities or weaknesses to which they may be susceptible. The third phase of risk management is to identify threats. Threats that may take advantage of, exploit, or accidentally trigger vulnerabilities. Threat refers to the sources or motivations of people and things that could cause loss or damage. The fourth phase of risk management is to analyze business impacts and the likelihood of a vulnerability being activated as a security incident by a threat and the impact of that incident on critical systems. P510 Risk managementis a process for identifying, assessing, and mitigating vulnerabilities and threats to the essential functions that a business must perform to serve its customers. You can think of this process as being performed over five phases: 1. Identify mission essential functions—mitigating risk can involve a large amount of expenditure so it is important to focus efforts. Effective risk management must focus on mission essential functions that could cause the whole business to fail if they are not performed. Part of this process involves identifying critical systems and assets that support these functions. 2. Identify vulnerabilities—for each function or workflow (starting with the most critical), analyze systems and assets to discover and list any vulnerabilities or weaknesses to which they may be susceptible. 3. Identify threats—for each function or workflow, identify the threat sources and actors that may take advantage of or exploit or accidentally trigger vulnerabilities. 4. Analyze business impacts—the likelihood of a vulnerability being activated as a security incident by a threat and the impact of that incident on critical systems are the factors used to assess risk. There are quantitative and qualitative methods of analyzing impacts and likelihood. 5. Identify risk response—for each risk, identify possible countermeasures and assess the cost of deploying additional security controls. Most risks require some sort of mitigation, but other types of response might be more appropriate for certain types and level of risks.

Answer 150

B The third phase of risk management is identify threats. Threats that may take advantage of, exploit, or accidentally trigger vulnerabilities. Threat refers to the sources or motivations of people and things that could cause loss or damage. The first phase of risk management is to identify mission essential functions. Mitigating risk can involve a large amount of expenditure, so it is important to focus efforts. Part of risk management is to analyze workflows and identify the mission essential functions that could cause the whole business to fail if they are not performed. The second phase of risk management is to identify vulnerabilities for each function or workflow. This includes analyzing systems and assets to discover and list any vulnerabilities or weaknesses to which they may be susceptible. The fourth phase of risk management is to analyze business impacts and the likelihood of a vulnerability being activated as a security incident by a threat and the impact of that incident on critical systems. P510 Risk managementis a process for identifying, assessing, and mitigating vulnerabilities and threats to the essential functions that a business must perform to serve its customers. You can think of this process as being performed over five phases: 1. Identify mission essential functions—mitigating risk can involve a large amount of expenditure so it is important to focus efforts. Effective risk management must focus on mission essential functions that could cause the whole business to fail if they are not performed. Part of this process involves identifying critical systems and assets that support these functions. 2. Identify vulnerabilities—for each function or workflow (starting with the most critical), analyze systems and assets to discover and list any vulnerabilities or weaknesses to which they may be susceptible. 3. Identify threats—for each function or workflow, identify the threat sources and actors that may take advantage of or exploit or accidentally trigger vulnerabilities. 4. Analyze business impacts—the likelihood of a vulnerability being activated as a security incident by a threat and the impact of that incident on critical systems are the factors used to assess risk. There are quantitative and qualitative methods of analyzing impacts and likelihood. 5. Identify risk response—for each risk, identify possible countermeasures and assess the cost of deploying additional security controls. Most risks require some sort of mitigation, but other types of response might be more appropriate for certain types and level of risks.

Answer 151

B Risk posture is the overall status of risk management. Risk posture shows which risk response options management can identify and prioritize. The result of a quantitative or qualitative analysis is a measure of inherent risk. Inherent risk is the level of risk before attempting any type of mitigation. Transference means assigning risk to a third party, such as an insurance company or a contract with a supplier that defines liabilities. Risk avoidance means that management halts the activity that is risk-bearing. For example, management may discontinue a flawed product to avoid risk. P514

Answer 152

D Work Recovery Time (WRT) is the additional time that it takes to restore data from backup, reintegrate different systems, and test overall functionality. This can also include briefing system users on any changes or different working practices so that the business function is again fully supported. The Maximum Tolerable Downtime (MTD) is the longest period of time that a business function outage may occur without causing irrecoverable business failure. Recovery Time Objective (RTO) is the period following a disaster that an individual IT system may remain offline. This represents the amount of time it takes to identify a problem that exists and perform recovery steps. Recovery Point Objective (RPO) is the amount of data loss that a system can sustain, measured in time. If a database is destroyed and has an RPO of 24 hours, the data can be recovered to a point not more than 24 hours before the database was infected.

Answer 153

B The Maximum Tolerable Downtown (MTD) metric states the requirement for a particular business function. High availability is usually described as 24x7. For a critical system, availability will be described from 99% to 99.9999%. In this scenario, the requirement is 99.99%, resulting in the maximum downtime of 00:52:34. Since 00:49:23 is less downtime than the maximum requirement, this results in the system meeting the requirement. A downtime of 00:53:56 is more than the maximum annual downtime of 00:52:34. As a result, it is outside of the MTD. A downtime of 01:24:19 is more than the maximum annual downtime of 00:52:34. As a result, it is outside of the MTD. A downtime of 02:48:42 is more than the maximum annual downtime of 00:52:34. As a result, it is outside of the MTD.

Answer 154

AC Scalability is defined as the costs involved in supplying the service to more users is linear. For example, if the number of users doubles in a scalable system, the costs to maintain the same level of service would also double (or less than double). If costs more than double, the system is less scalable. A company that is hired to provide data processing for ten additional clients and has a linear increase in costs for the support is a scalable system. A company that has a 10% increase in clients and a 5% increase in costs is highly scalable due to the cost increase being less than the client increase. Elasticity refers to a system's ability to handle changes in demand in real time. A company that is hired to provide data processing for 10 additional clients and can utilize the same servers to complete the task is displaying elasticity. A company that has a 10% increase in clients and a 10% decrease in server performance is demonstrating linear elasticity.

Answer 155

C A system often achieves fault tolerance by provisioning redundancy for critical components and single points of failure. Although not required, a redundant component is available for system recovery. Elasticity refers to the system's ability to handle any changes in resource demand in real-time. Elasticity often applies to processing power and storage. A system achieves scalability by adding resources. To scale out is to add more resources in parallel with existing resources. A system achieves scalability is by adding resources. To scale up is to increase the power of existing resources.

Answer 156

A A popular disruption strategy is to configure a DNS sinkhole to route suspect traffic to a different network, such as a honeynet, where it can be analyzed. Port triggering or spoofing can disrupt adversarial attacks by returning fake telemetry data when a host detects port scanning activity. To create disruption for an adversary, a security specialist can configure a web server with multiple decoy directories or dynamically generated pages to slow down scanning. Fake telemetry can disrupt an adversary by reporting IP addresses as up and available when they actually are not. P545 Another type of active defense uses disruption strategies. These adopt some of the obfuscation strategies used by malicious actors. The aim is to raise the attack cost and tie up the adversary's resources. Some examples of disruption strategies include: • Using bogus DNS entries to list multiple hosts that do not exist. • Configuring a web server with multiple decoy directories or dynamically generated pages to slow down scanning. • Using port triggering or spoofing to return fake telemetrydata when a host detects port scanning activity. This will result in multiple ports being falsely reported as open and will slow down the scan. Telemetry can refer to any type of measurement or data returned by remote scanning. Similar fake telemetry could be used to report IP addresses as up when they are not, for instance. • Using a DNS sinkhole to route suspect traffic to a different network, such as a honeynet, where it can be analyzed.

Answer 157

A The order of restoration states that switch infrastructure, then routing appliances, followed by firewalls, and then Domain Name System (DNS) should be enabled in that order. The final step is to enable client workstations and devices. The DNS should not be enabled prior to routers and firewalls. Both routers and firewalls are needed prior to DNS being operable. Routers should be restored prior to firewalls. Routers should be restored immediately following switch infrastructure as firewalls are not needed until routers are online. Client workstations should be restored last as firewalls and DNS must be restored prior to bringing the client workstations back online.

Answer 158

D Snapshot/revert to known state is a saved system state that the administrator can reapply to the instance on a system. This is a mechanism that achieves nonpersistence. Configuration validation is a process that ensures that a recovery solution is working at each layer (hardware, network connectivity, data replication, and application). Data replication is a process of reinstating data on a system. Nonpersistence would occur by separating any system restore from data replication. Automation may restore a system as software may build and provision an instance according to any template instructions. This is a mastering instruction. P538 Nonpersistence When recovering systems, it may be necessary to ensure that any artifacts from the disaster, such as malware or backdoors, are removed when reconstituting the production environment. This can be facilitated in an environment designed for nonpersistence. Nonpersistencemeans that any given instance is completely static in terms of processing function. Data is separated from the instance so that it can be swapped out for an "as new" copy without suffering any configuration problems. There are various mechanisms for ensuring nonpersistence: • Snapshot/revert to known state—this is a saved system state that can be reapplied to the instance. • Rollback to known configuration—a physical instance might not support snapshots but has an "internal" mechanism for restoring the baseline system configuration, such as Windows System Restore. • Live boot media—another option is to use an instance that boots from read-only storage to memory rather than being installed on a local read/write hard disk. When provisioning a new or replacement instance automatically, the automation system may use one of two types of mastering instructions: • Master image—this is the "gold" copy of a server instance, with the OS, applications, and patches all installed and configured. This is faster than using a template, but keeping the image up to date can involve more work than updating a template. • Automated build from a template—similar to a master image, this is the build instructions for an instance. Rather than storing a master image, the software may build and provision an instance according to the template instructions. Another important process in automating resiliency strategies is to provide configuration validation. This process ensures that a recovery solution is working at each layer (hardware, network connectivity, data replication, and application). An automation solution for incident and disaster recovery will have a dashboard of key indicators and may be able to evaluate metrics such as compliance with RPO and RTO from observed data.

Answer 159

D The company is utilizing a hot site for recovery. A hot site can failover almost immediately. The site is already within the organization's ownership and is ready to deploy. A cold site takes longer to set up (up to a week) and does not have the equipment or data needed to set up immediately. A warm site contains features of both hot and cold sites. An example of a warm site is a building with the computer equipment available, but the company must supply the latest data set to be operational. Replication is the process of duplicating data between different servers or sites.

Answer 160

A Change management involves careful planning, with consideration for how the change will affect dependent components. For most significant or major changes, organizations should attempt to trial the change first. The admin performs a change control process prior to the actual change. This process requests and approves changes in a planned and controlled way. An asset management process tracks all the organization's critical systems, components, devices, and other objects of value in an inventory. Configuration management ensures that each component of ICT infrastructure is in a trusted state that has not diverged from its documented properties.

Answer 161

AB Control diversity means that the layers of controls should combine different classes of technical and administrative controls with the range of control functions. Vendor diversity means that security controls are sourced from multiple sources. A vulnerability in solutions from a single vendor approach is a security weakness. Change refers to control processes or management. Control involves careful planning, with consideration for how the change will affect dependent components. Enterprise-level networks often provision resiliency at the site level. An alternate processing or recovery site is a location that can provide the same (or similar) level of service. Resiliency itself does not provide diversity.

Answer 162

AB Authentication creates access lists and identification mechanisms to allow approved persons through the barriers. Authorization determines the barriers around a resource so that access can be controlled through defined entry and exit points. An example of authentication is a user who logs into a network with a smart card. In terms of physical security, authentication is represented by an employee using a badge to enter a building. An example of authorization is used to determine which files a user has on the network after authenticating. In physical security, the same can be said of the barriers in place to determine which employees can access a controlled room. P550 Physical access controlsare security measures that restrict and monitor access to specific physical areas or assets. They can control access to a building, to equipment, or to specific areas, such as server rooms, finance or legal areas, data centers, network cable runs, or any other area that has hardware or information that is considered to have important value and sensitivity. Determining where to use physical access controls requires a cost–benefit analysis and must consider any regulations or other compliance requirements for the specific types of data that are being safeguarded. Physical access controls depend on the same access control fundamentals as network or operating system security: • Authentication—create access lists and identification mechanisms to allow approved persons through the barriers. • Authorization—create barriers around a resource so that access can be controlled through defined entry and exit points. • Accounting—keep a record of when entry/exit points are used and detect security breaches. Physical security can be thought of in terms of zones. Each zone should be separated by its own barrier(s). Entry and exit points through the barriers need to be controlled by one or more security mechanisms. Progression through each zone should be progressively more restricted.

Answer 163

D Pulverizing involves destroying media by impact. It is important to note that hitting a hard drive with a hammer can actually leave a surprising amount of recoverable data. Industrial machinery should perform this type of destruction. Degaussing involves exposing a magnetic hard disk to a powerful electromagnet. This disrupts the magnetic pattern that stores the data on the disk surface. Pulping involves mixing any shredded remains of destroyed documents with water to provide an extra measure of protection. Shredders destroy documents. Some shredders are powerful enough to destroy optical media too. Industrial shredders can destroy hard drives and flash drives.