Practice study 2 Flashcards

Question

``` Which of these threat actors would be the MOST likely to deface a website to promote a political agenda? ❍ A. Organized crime ❍ B. Nation state ❍ C. Hacktivist ❍ D. Competitor ```

Answer 1

C. Hacktivist A hacktivist often has a political statement to make, and their hacking efforts would commonly result in a public display of that information. The incorrect answers: A. Organized crime Organized crime is usually motivated by money. An organized crime group is more interested in stealing information than defacing sites. B. Nation state Nation states are highly sophisticated hackers, and their efforts are usually focused on obtaining confidential government information or disrupting governmental operations. D. Competitor A competitor may be interested in making another company look bad, but the reason for the denial of services is not commonly based on a political agenda. SY0-501, Objective 1.3 - Threat Actors

Answer 2

D. Disconnect the web servers from the network The unusual log entries on the web server indicate that the system may have been exploited. In that situation, the servers should be isolated to prevent access to or from those systems. The incorrect answers: A. Check the IPS logs for any other potential attacks Before looking for additional exploits, the devices showing a potential exploit should be isolated and contained. B. Create a plan for removing malware from the web servers The recovery process should occur after the systems have been isolated and contained. C. Disable any breached user accounts This is part of the recovery process, and it should occur after isolation and containment of the exploited servers. SY0-501, Objective 5.4 - Incident Response Process

Answer 3

A. The antivirus application identified three viruses and quarantined two viruses The logs are showing the name of files on the local device and a quarantine disposition, which indicates that two of the files were moved (quarantined) to a designated area of the drive. This will prevent the malicious files from executing and will safely store the files for any future investigation. The second file in the list failed the quarantine process, and was most likely because the library was as already in use by the operating system and could not be moved. The incorrect answers: B. The host-based firewall blocked two traffic flows A host-based firewall will allow or deny traffic flows based on IP address, port number, application, or other criteria. A host-based firewall does not block traffic flows based on the name of an existing file, and the firewall process would not quarantine or move files to other folders. C. A host-based whitelist has blocked two applications from executing The “quarantine” disposition refers to a file that has been moved from one location to another. A whitelist function would simply stop the application from executing without changing the location of an application file. 8:55:30 AM | D:\Downloads\ChangeLog-5.0.4.scr | Quarantine Success 9:22:54 AM | C:\Program Files\Photo Viewer\ViewerBase.dll | Quarantine Failure 9:44:05 AM | C:\Sales\Sample32.dat | Quarantine Success Practice Exam B - Answers 205 D. A network-based IPS has identified two known vulnerabilities The logs from a network-based IPS (Intrusion Prevention System) would not commonly be located on a user’s laptop, and those logs would display allow or deny dispositions based on the name of a known vulnerability. A network-based IPS would also not commonly move (quarantine) files on an end-user’s computer. SY0-501, Objective 2.4 - Analyzing Security Output

Answer 4

A. Sideloading If Apple’s iOS has been circumvented using jailbreaking, then apps can be installed without using the Apple App Store. This installation process that circumvents the App Store is called sideloading. The incorrect answers: B. MMS install Text messages that prompt to install an application will link to the App Store version of the application. C. OTA updates OTA (Over the Air) updates are commonly provided from the carrier and are not part of mobile app installations. D. Tethering Tethering uses a mobile phone as a communications medium to the Internet, and it does not have any relationship to the apps that are installed on the mobile device. SY0-501, Objective 2.5 - Mobile Device Enforcement

Answer 5

A. Organized crime The primary goal of organized crime is to make money, and accessing and selling credit card data is a common method of revenue generation. Organized crime also has the capital to fund their hacking efforts, and the use of zero-day or unknown vulnerabilities is not uncommon. The incorrect answers: B. Nation state A nation state is generally less concerned with revenue generation and more interested in gaining access to confidential data or disrupting the operations of another government. C. Script kiddie A script kiddie does not often use sophisticated methods to gain access to a system. Using an unknown vulnerability would be well outside the scope of knowledge for most script kiddies. D. Insiders An insider wouldn’t need to use an unknown vulnerability to gain access to data. Their existing rights SY0-501, Objective 1.3 - Threat Actors

Answer 6

B. Defense-in-depth The process of layering physical, technical, and administrative security controls is called defense-in-depth. No single process or technology will secure the entire network, so you have to layer multiple security controls to provide the best possible security posture. SY0-501, Objective 3.1 - Defense-in-Depth

Answer 7

A. Enable password expirations for all accounts A standard password expiration timeout of 30 days would be a good way to ensure that accounts were constantly updated. Abandoned accounts would be automatically disabled within 30 days, regardless of their rights and permissions. This is a good best practice for all accounts and not just service or administrator accounts. The incorrect answers: A. OSI Layering The OSI model is a concept related to the transfer of data across the network. The layers of the OSI model are not related to a layered security approach. C. Multi-factor authentication Multi-factor authentication uses different techniques to help confirm the identity of a user. The security mechanisms listed above do not describe multi-factor authentication. D. Role-based access control Role-based access control is a method of assigning rights and permissions based on job responsibilities. The security SY0-501, Objective 4.4 - Account Policy Enforcement

Answer 8

B. Default configuration When a device is first installed, it will often have a default set of credentials, such as admin/password or admin/admin. Many times, these default credentials are never changed and can allow access by anyone who knows the default configuration. The incorrect answers: B. Disable all service accounts with Administrator permissions Some services may require administrator permissions, so disabling all of them would not be the best option in this case. C. Increase the password complexity policy A complex password can still be attacked. Disabling an abandoned account would ensure that forgotten accounts would not be a significant security risk. D. Require passwords of eight characters or more Abandoned accounts that have Administrator rights would hopefully use a secure password, but the more pressing issue is that these powerful accounts are still accessible yet not in production use. SY0-501, Objective 1.6 - Vulnerability Types

Answer 9

D. Protect against data exfiltration A common way to remove data from a facility is to copy the data to a portable storage device such as a USB flash drive. Once the data is on the USB drive, it can be easily taken outside of the facility. The incorrect answers: A. Prevent operating system file corruption There are many ways to corrupt operating system files, but blocking removable USB drives doesn’t make the system files any less susceptible to corruption. B. Avoid license compliance violations USB interfaces are sometimes used for application licensing through the use of a USB dongle. Restricting the use of the USB interface could prevent the application from starting and may prevent the proper use of licensing tools. If the applications don’t require a USB dongle, then USB interface policies will have no effect on license compliance. C. Prevent the use of a non-standard mouse or keyboard The USB policies allow USB devices that do not register as a storage device, so mouse and keyboard connections will still work normally. SY0-501, Objective 2.3 - Common Security Issues

Answer 10

A. ICS An ICS (Industrial Control System) is often a dedicated network used to manage and control manufacturing equipment, power generation equipment, water management systems, and other industrial machines. The incorrect answers: B. SoC An SoC (System on a Chip) consists of multiple components running on a single chip. These are usually small form-factor devices that work best as embedded systems. SoC systems would not commonly be associated with the control and management of industrial equipment. C. MFD An MFD (Multifunction Device) is commonly associated with a device that can print, scan, and fax. D. IoT IoT (Internet of Things) devices are generally associated with home automation and not with the management and control of industrial equipment. SY0-501, Objective 3.5 - Embedded Systems

Answer 11

B. OCSP stapling The use of OCSP (Online Certificate Status Protocol) requires communication between the client and the CA that issued a certificate. If the CA is an external organization, then validation checks will communicate across the Internet. The certificate holder can verify their own status and avoid client Internet traffic by storing the status information on an internal server and “stapling” the OCSP status into the SSL/TLS handshake. The incorrect answers: A. CSR A CSR (Certificate Signing Request) is used during the key creation process. The public key is sent to the CA to be signed as part of the CSR. C. Key escrow Key escrow will provide a third-party with access to decryption keys. The escrow process is not involved in real-time server revocation updates. D. Hierarchical CA A hierarchical CA design will create intermediate CAs to distributed the certificate management load and minimize the impact if a CA certificate needs to be revoked. The hierarchical design is not involved in the certification revocation check process. SY0-501, Objective 6.4 - PKI Concepts

Answer 12

C. ESP The ESP (Encapsulation Security Payload) protocol encrypts the data that traverses the VPN. The incorrect answers: A. AH The AH (Authentication Header) is used to hash the packet data for additional data integrity. B. Diffie-Hellman Diffie-Hellman is an algorithm used for two devices to create identical shared keys without transferring those keys across the network. D. SHA-2 SHA-2 (Secure Hash Algorithm) is a hashing algorithm, and does not provide any data encryption. SY0-501, Objective 2.1 - VPN Concentrators

Answer 13

B. The card reader is infected with malware Of the available options, a malware infection is the only answer that would best describe the messages displayed on the card reader. A segmentation fault is commonly caused by a program attempting to write or read information from an illegal memory location. The incorrect answers: A. The card reader has identified a network issue A network issue would cause the reader to display an error message relating to network communication, or transactions would not complete and show a communications error. A segmentation fault would not commonly be caused by a network issue. C. The card reader requires a firmware upgrade Although it’s always a good idea to keep devices updated with the latest firmware, an older version of firmware would not be a common reason for a segmentation fault. D. The card reader has declined a transaction A declined transaction would show information regarding the transaction failure. Segmentation faults are memory conflicts and would not be expected during normal operation. SY0-501, Objective 2.3 - Common Security Issues

Answer 14

A. PTA A PIA (Privacy Impact Assessment) is a process that ensures that all systems are compliant with privacy laws and regulations. To determine if a system should be part of the PIA, a PTA (Privacy Threshold Analysis) is performed. If the PTA determines that a privacy impact assessment is required, the system will be subject to a PIA. The incorrect answers: B. RTO RTO (Recovery Time Objectives) defines the minimum service level acceptable when recovering from an outage. C. BIA A BIA (Business Impact Analysis) documents the potential effects that the organization would suffer if normal operations are interrupted. D. RPO RPO (Recovery Point Objectives) define the objectives that are required when recovering a system. SY0-501, Objective 5.2 - Business Impact Analysis

Answer 15

A. tracert and E. dig Tracert (traceroute) provides a summary of hops between two devices. In this example, tracert can be used to determine the local ISP’s IP addresses and more information about the physical location of the attacker. The dig (Domain Information Groper) command can be used to perform a reverselookup of the IPv4 address and determine the IP address block owner that may be responsible for this traffic. The incorrect answers: B. arp The arp (Address Resolution Protocol) command shows a mapping of IP addresses to local MAC addresses. This information doesn’t provide any detailed location information outside of the local IP subnet. C. ping The ping command can be used to determine if a device may be connected to the network, but it doesn’t help identify any geographical details. D. ipconfig The ipconfig command shows the IP address configuration of a local device, but it doesn’t provide any information about a remote computer. F. netcat Netcat allows the reading or writing of information to the network. Netcat is often used as a reconnaissance tool, but it has limited abilities to provide any location information of a device. SY0-501, Objective 2.2 - Command Line Security Tools

Answer 16

D. ECB ECB (Electronic Code Book) is a simple block cipher that encrypts each block with the same encryption key. When using ECB, identical plaintext blocks will create identical ciphertext blocks. The incorrect answers: A. RIPEMD RIPEMD (RACE Integrity Primitives Evaluation Message Digest) is a hashing algorithm. B. 3DES 3DES (Triple Data Encryption Standard) commonly uses three keys to provide encryption and decryption. C. SHA SHA (Secure Hash Algorithm) is a hashing algorithm. SY0-501, Objective 6.2 - Block Cipher Modes

Answer 17

D. Use rule-based access controls Rule-based access control evaluates a series of rules to determine if access should be granted. For example, the rule may check the time of day before determining if access should be granted. The incorrect answers: A. Assign firewall access to the developer group Role-based access grants permission based on the role of the user. A common example of role-based access control is based on groups within an operating system. For example, a user added to the “developer” group would have the rights and permissions associated with that group. Rolebased access control does not usually include rules, such as access based on the time of day. B. Block all network traffic during non-working hours Blocking network traffic has a much larger impact than restricting access to the firewall logs, and blocking traffic on the test network could potentially impact other development efforts. C. Add TACACS+ integration to the firewall A centralized login for firewall users would make it easier to manage user accounts, but it does not inherently provide any time-based login restrictions. SY0-501, Objective 4.3 - Access Control Models

Answer 18

C. Banner grabbing Netcat or Telnet can be commonly used to view the initial application connection text, or the banner. This banner is from a reverse-proxy that is the connection point for a web server farm. The incorrect answers: A. Password cracking The output from password cracking usually displays the password hash and the tested or identified matches for those hashes. B. Results of the nbtstat command The nbtstat command is used by Windows system to perform queries across the network. A typical nbtstat output would display Windows device names, IP addresses, and other Windows-specific information. D. Exploit log An exploit log will display the results of a penetration test or exploitation framework. The output in this question does not display any exploit information. SY0-501, Objective 2.2 - Software Security Tools

Answer 19

D. Something you have The use of the hardware token generator requires that the user be in possession of the device during the login process. The incorrect answers: A. Something you know The number, or token, created by the token generator isn’t previously known by the user, and there’s no requirement to remember the tokens once the authentication process is complete. B. Something you do The process of pressing the button on the token generator isn’t something that would be unique to an individual user. C. Something you are The token generator works without any type of biometric scan or voiceprint. SY0-501, Objective 4.1 - AAA and Authentication

Answer 20

B. The service provider will provide 99.999% uptime An SLA (Service Level Agreement) is a contract that specifies the minimum terms for provided services. It’s common to include uptime, response times, and other service metrics in an SLA. The incorrect answers: A. The customer will connect to partner locations over an IPsec tunnel A service level agreement describes the minimum service levels provided to the customer. You would not commonly see descriptions of how the service will be used in the SLA contract. C. The customer applications use HTTPS over tcp/443 The protocols used by the customer’s applications aren’t part of the service requirements from the ISP. D. Customer application use will be busiest on the 15th of each month The customer’s application usage isn’t part of the service requirements from the ISP. SY0-501, Objective 5.1 - Agreement Types

Answer 21

C. Worm One of the fundamental characteristics of a worm is the ability to replicate between systems without any human interaction. The incorrect answers: A. Virus A virus traditionally requires a user to perform a function for the virus to replicate. When you click a link or run an application, the virus can execute code to potentially duplicate itself. B. Bot A bot is often the result of a worm or virus infection, but bots cannot inherently copy themselves from system to system. D. Trojan A Trojan horse is specifically designed to fool the user and encourage them to run the malware software. Trojan horse software relies on the user to duplicate itself between systems. SY0-501, Objective 1.1 - Viruses and Worms

Answer 22

C. Between staging and production The staging process is the step just prior to moving into production, so the application code would not be expected to change. This would allow the security team to update or verify the security baseline prior to going live. The incorrect answers: A. During the QA process The QA (Quality Assurance) process is for internal testing, and it’s possible that the application code may continue to change during this process. B. After the move to production Once the application has been moved into production, it’s too late to provide any protection of the data or users. D. In the development sandbox The developers perform constant changes to the application during the development process. A secure baseline would only be useful once no further changes will occur. SY0-501, Objective 3.4 - Secure Deployments

Answer 23

C. Customer information is transferred between countries Data sovereignty laws can mandate how data is handled. Data that resides in a country is usually subject to the laws of that country, and compliance regulations may not allow the data to be moved outside of the country. The incorrect answers: A. IPsec connects data centers over public Internet links Connecting remote locations using IPsec tunnels over public Internet connections is a common method of securely linking sites together. If someone was to capture the data traversing these links, they would find that all of the data was encrypted. B. Fulfillment requests are shipped within the customer’s country There are no significant security issues associated with shipments within the same country. D. The data centers are located geographically distant from each other A best practice for many international organizations is to have data centers in geographically diverse locations to minimize the impact of any single data center outage. SY0-501, Objective 5.6 - Geographic Considerations

Answer 24

B. Role-based access control Role-based access control uses groups to assign permissions. Any users placed into the group will be assigned the same rights and permissions as the group. The incorrect answers: A. Rule-based access control Rule-based access control determines access based on a series of systemenforced rules. An access rule might require that a particular browser type be used to complete a web page form, or that access to a file or system is only allowed during certain times of the day. C. Discretionary access control Discretionary access control allows the owner of an object to assign access. If a user creates a spreadsheet, then the user can then assign other users and groups to have a particular level of access to that spreadsheet. D. Mandatory access control Mandatory access control uses a series of security levels (i.e., public, private, secret) and assigns those levels to each object in the operating system. Users are assigned a security level, and they would only have access to objects that meet or are below that assigned security level. SY0-501, Objective 4.3 - Access Control Models

Answer 25

B. Block all unknown outbound network traffic at the Internet firewall Keylogging software has two major functions; record keystrokes, and transmit those keystrokes to a remote location. Local file scanning and software best-practices can help prevent the initial installation, and controlling outbound network traffic can block unauthorized file transfers. The incorrect answers: A. Prevent the installation of all software Blocking software installations may prevent the initial malware infection, but it won’t provide any control of outbound keylogged data. C. Install host-based anti-virus software A good anti-virus application can identify malware before the installation occurs, but anti-virus does not commonly provide any control of network communication. D. Scan all incoming email attachments at the email gateway Malware can be installed from many sources, and sometimes the source is unexpected. Scanning or blocking executables at the email gateway can help prevent infection but it won’t provide any control of outbound file transfers. SY0-501, Objective 1.1 - Keyloggers

Answer 26

E. The client computer does not have the proper certificate installed The error message states that the server credentials could not be validated. This indicates that the certificate authority that signed the server’s certificate is either different than the CA certificate installed on the client’s workstation, or the client workstation does not have an installed copy of the CA’s certificate. This validation process ensures that the client is communicating to a trusted server and there are no man-in-the-middle attacks occurring. The incorrect answers: A. The user’s computer is in the incorrect VLAN The RADIUS server certificate validation process should work properly from all VLANs. The error indicates that the communication process is working properly, so an incorrect VLAN would not be the cause of this issue. B. The RADIUS server is not responding If the RADIUS server had no response to the user, then the process would simply timeout. In this example, the error message indicates that the communication process is working between the RADIUS server and the client’s computer. Practice Exam B - Answers 229 C. The user’s computer does not support WPA2 encryption The first step when connecting to a wireless network is to associate with the 802.11 access point. If WPA2 encryption was not supported, the authentication process would not have occurred and the user’s workstation would not have seen the server credentials. D. The user is in a location with an insufficient wireless signal The error message regarding server validation indicates that the wireless signal is strong enough to send and receive data on the wireless network. SY0-501, Objective 6.3 - Wireless Authentication Protocols

Answer 27

D. Two different messages share the same hash A well-designed hashing algorithm will create a unique hash value for every possible input. If two different inputs create the same hash, the hash algorithm has created a collision. SY0-501, Objective 6.1 - Hashing and Digital Signatures

Answer 28

B. Use HTTPS over port 443 for all server communication and D. Create a web server certificate and sign it with the internal CA Using the secure HTTPS (Hypertext Transfer Protocol Secure) protocol will ensure that all network communication is protected between the web server and the client devices. If someone manages to capture the network traffic, they would be viewing encrypted data. A signed certificate from a trusted internal CA (Certificate Authority) allows web browsers to trust that the web server is the legitimate server endpoint. If someone attempts a man-in-the-middle attack, the certificate presented by the MitM will not validate and a warning message will appear in the browser. The incorrect answers: A. Two different messages have different hashes In normal operation, two different inputs will create two different hash outputs. B. The original message can be derived from the hash Hashing is a one-way cipher, and you cannot derive the original message from a hash value. C. Two identical messages have the same hash Two identical messages should always create exactly the same hash output. SY0-501, Objective 2.6 - Secure Protocols

Answer 29

C. S/MIME S/MIME (Secure/Multipurpose Internet Mail Extensions) are used to encrypt and digitally sign email messages using public key encryption in an email client. The incorrect answers: A. POP3S The secure version of POP3 (Post Office Protocol version 3) can be used to encrypt email communication across the network, but it doesn’t provide any public key encryption or digital signature functionality in an email client. B. IPsec IPsec (IP Security) tunnels are useful when encrypting the communication between sites or from end user devices. However, IPsec does not provide any functionality for encrypting or digitally signing individual messages in an email client. D. IMAPS IMAPS (Internet Message Access Protocol Secure) can be used to encrypt email communication over the network, but it does not provide any permessage encryption or digital signature features. SY0-501, Objective 2.6 - Secure Protocols

Answer 30

D. Air gap An air gapped network removes all connectivity between components and ensures that there would be no possible communication path between the test network and the production network. The incorrect answers: A. Virtualization Although virtualization provides the option to connect devices in a private network, there’s still the potential for a misconfigured network configuration or an application to communicate externally. B. VLANs VLANs (Virtual Local Area Networks) are a common segmentation technology, but a router could easily connect the VLANs to the production network. C. Cloud computing Cloud-based technologies provide for many network options, and it’s common to maintain a connection between the cloud and the rest of the network. SY0-501, Objective 3.2 - Network Segmentation

Answer 31

C. SaaS ``` The SaaS (Software as a Service) model generally has no local application installation, no ongoing maintenance tasks, and no local infrastructure requirements. A third-party provides the application and the support, and the user simply logs in, uses the service, and logs out. ``` The incorrect answers: A. PaaS PaaS (Platform as a Service) is a model that provides a building block of features, and requires the end user to customize their own application from the available modules. There can be a significant development effort to build an application with a PaaS model. B. Private A private model requires that the end user purchase, install, and maintain their own application hardware and software. The SaaS model doesn’t require any initial hardware or software capital purchase. D. IaaS IaaS (Infrastructure as a Service) is a model that provides the user with the hardware needed to get up and running, and the end user is responsible for the operating system, the application, and any ongoing maintenance tasks. SY0-501, Objective 3.7 - Cloud Deployment Models

Answer 32

B. Obfuscation Obfuscation is the process of taking something that is normally understandable and making it very difficult to understand. Many developers will obfuscate their source code to prevent others from following the logic used in the application. The incorrect answers: A. Confusion Confusion is a concept associated with data encryption where the encrypted data is drastically different than the plaintext. C. Encryption Encrypting source code will effectively make it impossible to use unless you have the decryption key. In this example, the source code remained usable, but the readability of the source code was dramatically affected by the changes. D. Diffusion Diffusion is an encryption concept where changing one character of the input will cause many characters to change in the output. SY0-501, Objective 3.6 - Secure Coding Techniques

Answer 33

D. Lack of patch updates on an Internet-facing database server One of the easiest ways for a competitor to obtain information is through an existing Internet connection. An unpatched server could be exploited to obtain customer data that would not normally be available otherwise. The incorrect answers: A. Data center access with only one authentication method Most competitors don’t have access to walk around inside of your building, and they certainly wouldn’t have access to secure areas. A single authentication method would commonly prevent unauthorized access to a data center for both employees and non-employees, although more authentication factors would provide some additional security. B. Spoofing of internal IP addresses when accessing an intranet server Intranet servers are not accessible from the outside. This makes them an unlikely target for competitors and other non-employees. C. Employee VPN access uses a weak encryption cipher A weak encryption cipher can be a security issue, but a potential exploitation would need the raw network traffic to begin any decryption attempts. Although this scenario would technically be possible if someone was to catch an employee on a public wireless network, it’s not the most significant security issue in the available list. SY0-501, Objective 1.3 - Threat Actors

Answer 34

A. DoS A denial of service (DoS) is a common result of a memory leak. Unused memory is not properly released, and eventually the leak uses all available memory. The system eventually crashes due to lack of resources. The incorrect answers: B. Data theft A memory leak doesn’t provide any additional access to data, so the theft of private information would not be an expected result. C. Unauthorized system access A memory leak can prevent all access to the system, but it doesn’t allow any unauthorized access to the system. D. Rootkit installation A rootkit installation would need to be executed on the operating system, and a memory leak doesn’t provide any opportunity for this installation to run. SY0-501, Objective 1.6 - Vulnerability Types

Answer 35

B. Create a hash of the data A hash will create a unique value that can be quickly validated at any time in the future. If the hash value changes, then the data must have also changed. The incorrect answers: A. Use a tamper seal on all storage devices A physical tamper seal will identify if a device has been opened, but it cannot identify any changes to the data on the storage device. C. Create an image of each storage device for future comparison A copy of the data would allow for comparisons later, but the process of doing the comparison would take much more time than validating a hash value. It’s also possible that someone could tamper with both the original data and the copy of the data. D. Take screenshots of file directories with file sizes It’s very easy to change the contents of a file without changing the size of the file. SY0-501, Objective 5.5 - Gathering Forensics Data

Answer 36

D. Complexity Adding different types of characters to a password requires technical controls that increase password complexity. The incorrect answers: A. Length Adding all of these character types to a password do not necessarily change the length of the password. B. Expiration All passwords should expire, but the expiration date should not affect the characters used in the password. C. Reuse The controls that prohibit the reuse of passwords do not control the characters used in the password. SY0-501, Objective 4.4 - Account Policy Enforcement

Answer 37

C. RSA RSA (Rivest, Shamir, and Adelman) is a public domain asymmetric algorithm. The incorrect answers: A. Blowfish Blowfish is a symmetric algorithm, and was one of the first ciphers not limited by patents. B. AES AES (Advanced Encryption Standard) is a symmetric algorithm that is used in many applications, including WPA2 wireless encryption. D. RC4 RC4 (Rivest Cipher 4) is a symmetric algorithm that was used in 802.11 WEP encryption. E. 3DES 3DES (Triple DES) is a symmetric encryption method that extends the use of the DES cipher by commonly using three keys during the encryption and decryption process. SY0-501, Objective 6.2 - Asymmetric Algorithms

Answer 38

B. A spoofing attack would provide an attacker with unauthorized access to the application Once this application authenticates a user, it maintains the session information based on the IP address of the authenticated user. Anyone who spoofs this IP address would gain access to the application with the same rights as the authenticated user. The incorrect answers: A. An attacker could use a replay attack to gain access to the application Since the web-based application is on an HTTPS (HTTP Secure) connection, a replay attack would not be available to an attacker. C. A watering hole attack would provide access to the application by outside users An application on an intranet would not be accessible to anyone outside of the organization. D. An MitM attack would allow an attacker to inject malicious code A man-in-the-middle attack would not be useful over a secure connection. E. A manipulated network driver would allow an attacker to access the application data Although modified drivers are certainly a security issue, there’s no mention of any server modifications in this question. SY0-501, Objective 1.2 - Spoofing

Answer 39

B. File integrity check A file integrity checker (i.e., Tripwire, System File Checker, etc.) can be used to monitor and alert if there are any changes to a file. The incorrect answers: A. HIPS HIPS (Host-based Intrusion Prevention System) would help identify any security vulnerabilities, but there’s nothing relating to this issue that would indicate that this issue was caused by an operating system or application vulnerability. A HIPS would not commonly alert on the modification of a specific file. C. Application whitelist In this example, we’re not sure how the file was changed or if a separate application or editor was even used. If the change was made with a valid application, a whitelist would not provide any feedback or alerts. D. Patch management Patch management would handle the updates for the operating system and applications, but it would not provide any monitoring or alerting if a specific file is changed. E. WAF A WAF (Web Application Firewall) is used to protect web-based applications from malicious attack. The example in this question was not related to a web-based application. SY0-501, Objective 2.4 - Analyzing Security Output

Answer 40

A. RADIUS RADIUS (Remote Authentication Dial-In User Service) is a common protocol to use for centralized uthentication. Other protocols such as LDAP, TACACS+, or Kerberos would also be valid options for 802.1X authentication. The incorrect answers: B. HTTPS HTTPS (Hypertext Transfer Protocol Secure) is commonly used to encrypt web server communication. HTTPS is not an authentication protocol. C. SNMPv3 SNMPv3 (Simple Network Management Protocol version 3) is used to manage servers and infrastructure devices. SNMP is not an authentication protocol. D. MS-CHAP MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) was commonly used to authenticate devices using Microsoft’s Point-to- Point Tunneling Protocol (PPTP). Security issues related to the use of DES (Data Encryption Standard) encryption in MS-CHAP eliminate it from consideration for modern authentication. SY0-501, Objective 6.3 - Wireless Authentication Protocols

Answer 41

D. Embedded system An embedded system usually does not provide access to the OS and may not even provide a method of upgrading the system firmware. The incorrect answers: A. End-of-life A device at its end-of-life is no longer supported by the vendor. In this example, the vendor support status isn’t mentioned. B. Weak configuration A weak configuration would leave the system easily accessible by an attacker. In this example, the described scenario doesn’t describe any weak configurations. C. Improper input handling Improper handling of user input can sometimes result in an exploit. In this example, no specific user input issues were described. SY0-501, Objective 1.6 - Vulnerability Types

Answer 42

A. Pulping Pulping places the papers into a large washing tank to remove the ink, and the paper is broken down into pulp and recycled. The information on the paper is not recoverable after pulping. The incorrect answers: B. Degaussing Degaussing removes the electromagnetic field of storage media and electronics. Degaussing will not have any effect on paper items. C. NDA A non-disclosure agreement is only valid to the people who have signed the agreement. In this case, it can be assumed that the papers were obtained by a third-party after being placed in the trash. D. Fenced garbage disposal areas Although a fenced disposal area would have protected this information while it was on-site, the papers could have been obtained once they left the facility. The best choice for this question would be the option that would render the information on the pages unreadable. SY0-501, Objective 5.8 - Data Destruction

Answer 43

A. HIPS and D. Host-based firewall logs If the laptop is not communicating across the corporate network, then the only evidence of the traffic would be contained on the laptop itself. A HIPS (Host-based Intrusion Prevention System) and host-based firewall logs may contain information about recent traffic flows to systems outside of the corporate network. The incorrect answers: B. UTM appliance logs A unified threat management appliance is commonly located in the core of the network. The use of a cellular hotspot would circumvent the UTM and would not be logged. C. Web application firewall events Web application firewalls are commonly used to protect internal web servers. Outbound Internet communication would not be logged, and anyone circumventing the existing security controls would also not be logged. E. Next-generation firewall logs Although a next-generation firewall keeps detailed logs, any systems communicating outside of the normal corporate Internet connection would not appear in those logs. SY0-501, Objective 2.4 - Analyzing Security Output

Answer 44

B. Elliptic curve ECC (Elliptic Curve Cryptography) uses smaller keys than non-ECC encryption and has smaller storage and transmission requirements. These characteristics make it an efficient option for mobile devices. The incorrect answers: A. AES AES (Advanced Encryption Standard) is a useful encryption cipher, but the reduced overhead of elliptic curve cryptography is a better option for this scenario. C. Diffie-Hellman Diffie-Hellman is a key-agreement protocol, and Diffie-Hellman does not provide for any encryption or authentication. D. PGP PGP’s public-key cryptography requires much more overhead than the elliptic curve cryptography option. SY0-501, Objective 6.2 - Asymmetric Algorithms

Answer 45

B. A list of Microsoft patches that have not been applied to a server A vulnerability scan will identify known vulnerabilities, but it will stop short of exploiting these vulnerabilities. The incorrect answers: A. A list of usernames and password hashes from a server This type of secure information cannot be obtained through a vulnerability scan. C. A copy of image files from a private file share A private file share would prevent any access by unauthorized users, including vulnerability scans. D. The BIOS configuration of a server Private information, such as a device’s BIOS configuration, is not available from a vulnerability scan. SY0-501, Objective 1.5 - Vulnerability Scanning

Answer 46

A. Vulnerability scan A vulnerability scan can be used to identify any known security vulnerabilities, but it will not attempt to exploit those vulnerabilities. The incorrect answers: B. Zero-day attack A zero-day attack is an attempt to exploit a vulnerability that is not publicly known. A zero-day attack would operate against unknown vulnerabilities. C. Passive reconnaissance Passive reconnaissance is used to gather information about a target without performing any direct scans or network traffic. An example of passive reconnaissance is gathering information from social media or a company website. D. Penetration test A penetration test will attempt to exploit a vulnerability to gain access to data or a system. SY0-501, Objective 1.5 - Vulnerability Scanning

Answer 47

C. CA name The name of the issuing CA (certificate authority) is listed in a server certificate. The incorrect answers: A. CRL A CRL (Certificate Revocation List) is maintained on the certificate authority (CA) server or a different local server. The list itself is not part of the certificate. B. CSR The CSR (Certificate Signing Request) is sent to the certification authority with the public key to be signed. D. The server’s private key Private keys are not included inside of a public server certificate. SY0-501, Objective 6.4 - PKI Components

Answer 48

C. Symmetric Symmetric encryption uses the same key for both encryption and decryption. The incorrect answers: A. Asymmetric Asymmetric encryption uses different keys for encryption and decryption. B. Key escrow Key escrow is when a third-party holds the decryption keys for your data. D. Out-of-band key exchange Keys can be transferred between people or systems over the network (inband) or outside the normal network communication (out-of-band). In this example, the key wasn’t exchanged between people or systems, since the system administrator is the same person who encrypted and decrypted. SY0-501, Objective 6.1 - Symmetric and Asymmetric Encryption

Answer 49

B. SSO SSO (Single Sign-On) would require the user to memorize one single set of authentication credentials, and those single credentials would provide access to all of the necessary resources. The incorrect answers: A. Multi-factor authentication Although additional authentication factors may be less intensive than remembering a passphrase, the users will still be in the position of maintaining seven separate login names and passwords to gain access to the company applications. C. Server certificates A server certificate is useful to show that the server is trusted by the end user, but it doesn’t help the users manage their large list of usernames and passwords. D. AAA framework Using a AAA framework would be a good way to centralize the management of the login credentials, but it would not by itself decrease the number of login credentials that each user would have to maintain. SY0-501, Objective 4.1 - AAA and Authentication

Answer 50

A. Eradication The IR (Incident Response) process is preparation, identification, containment, eradication, recovery, and lessons learned. Once a system has been contained, any malware or breached user accounts should be removed from the system. The incorrect answers: B. Preparation Before an incident occurs, you should compile contact information, incident handling hardware and software, analysis resources, and other important tools and policies. C. Recovery The focus of the recovery process is to get all of the systems back to normal. This phase removes malware, deletes breached user accounts, and fixes any vulnerabilities. D. Identification Identification of an event can be challenging, but it usually consists of IPS reports, anti-virus alerts, configuration change notifications, and other indicators. E. Containment In this example, the containment and isolation occurred when the affected servers were removed from the network. SY0-501, Objective 5.4 - Incident Response Process

Answer 51

C. Mandatory vacations It’s difficult to maintain fraudulent activities if the person executing the fraud is out of the office. In financial environments, it’s not uncommon to require at least a week of consecutive vacation time at some point during the year. The incorrect answers: A. Background checks Background checks are useful to discover information prior to hiring someone, but these checks are not commonly performed after someone is an employee. B. Clean desk policy If confidential information was left available on someone’s desk, then it would be appropriate to institute a clean desk policy. In this example, the fraudulent activity did not include any mention of confidential information on a desk. D. Acceptable use policy The acceptable use policy (AUP) of an organization describes how company assets are to be used, especially computers, Internet connections, and mobile devices. SY0-501, Objective 5.1 - Personnel Management

Answer 52

B. Uses burned-in cryptographic keys and E. Includes built-in protections against brute-force attacks A TPM (Trusted Platform Module) is hardware that is part of a computer’s motherboard, and it’s specifically designed to assist and protect with cryptographic functions. Full disk encryption (FDE) can use the burnedin TPM keys to verify that the local device hasn’t changed, and there are security features in the TPM that will prevent brute-force or dictionary attacks against the full disk encryption login credentials. The incorrect answers: A. Allows the encryption of multiple volumes The use of a TPM is not associated with the number of volumes that may be encrypted with FDE. C. Stores certificates in a hardware security module A hardware security module (HSM) is high-end cryptographic hardware specifically designed for large-scale secured storage on the network. An HSM server is a separate device that is not associated with an individual device’s TPM. D. Protects against EMI leakage The leakage of EMI (Electromagnetic Interference) from keyboards, storage drives, or network connections can be a security concern, but it is not related to the use of a trusted platform module. More information: SY0-501, Objective 3.3 - Hardware Security

Answer 53

A. Mandatory Mandatory access control uses a series of security levels (i.e., public, private, secret) and assigns those levels to each object in the operating system. Users are assigned a security level, and they would only have access to objects that meet or are below that assigned security level. The incorrect answers: B. Rule-based Rule-based access control determines access based on a series of systemenforced rules. An access rule might require that a particular browser be used to complete a web page form, or that access to a file or system is only allowed during certain times of the day. C. Discretionary Discretionary access control allows the owner of an object to assign access. If a user creates a spreadsheet, the user can then assign users and groups to have a particular level of access to that spreadsheet. D. Role-based Role-based access control assigns a user’s permissions based on their role in the organization. For example, a manager would have a different set of rights and permissions than a team lead. SY0-501, Objective 4.3 - Access Control Models

Answer 54

D. ACL An ACL (Access Control List) is a security control commonly implemented on routers to allow or restrict traffic flows through the network. The incorrect answers: A. VPN A VPN (Virtual Private Network) can be used to secure data traversing the network, but it’s not commonly used to control traffic flows on an internal network. B. IPS An IPS (Intrusion Prevention System) is designed to identify and block known vulnerabilities traversing the network. An IPS is not used to control other traffic flows. C. NAT NAT (Network Address Translation) is a method of modifying the source and/or destination IP addresses of network traffic. NAT is not a security control. SY0-501, Objective 2.1 - Router and Switch Security

Answer 55

A. Host-based firewall A host-based firewall is designed to protect an operating system from unwanted network communication. Since the firewall is software that runs in the laptop’s OS, it can provide protection from any external network connection. The incorrect answers: B. VPN software VPN (Virtual Private Network) software would encrypt communication from the laptop, but it wouldn’t prevent someone else from directly connecting to other services running on the laptop. C. Proxy A proxy can be used to protect inbound traffic to servers, but it’s not practical to have a proxy server provide inbound protection to a laptop. D. Anti-virus and anti-malware software Anti-virus and anti-malware software can identify and block known malware, but it’s not designed to block interactive network communication from other devices. SY0-501, Objective 2.1 - Firewalls

Answer 56

A. Rootkit A rootkit traditionally modifies core system files and becomes effectively invisible to the rest of the operating system. The modification of system files and specialized kernel-level drivers are common rootkit techniques. The incorrect answers: B. RAT A RAT (Remote Administration Tool) is often installed as a Trojan horse and used for malicious purposes. Although these utilities are sometimes installed subversively, they can still be identified through normal malware scans and host-based firewall software. C. Bot A bot is relatively active malware that can usually be seen in a process list and by examining network communication. Botnet participants can often be identified using traditional anti-malware software. D. Ransomware Ransomware makes itself quite visible on your system, and it usually presents warning messages and information on how to remove the ransomware from the system. E. Keylogger A keylogger is a utility that captures keyboard and mouse input and sends that information to another device. This usually means that the keylogger has a visible component in the list of processes and traffic that can be seen on the network. SY0-501, Objective 1.1 - Rootkits

Answer 57

C. No session information is stored on the server and D. The token is provided with each request to the server A significant benefit of token-based authentication is that no session information is stored on the server, so the process of maintaining a login session is completely stateless. The client is provided a token during the login process, and that token is sent with each server request to validate the user’s session. The incorrect answers: A. The server maintains the state of each authenticated user A server providing token-based authentication does not keep a list of authenticated users. The token provided to the user verifies the successful authentication, so the server doesn’t have to keep a long list of valid sessions. B. Token information can be sent in the clear The token is an important security access mechanism, so it’s a best practice to encrypt the token when it’s sent across the network. E. The token for each user is stored in a centralized database Each token is stored on the user device. None of the tokens are maintained or stored on the server or in a centralized database. SY0-501, Objective 4.2 - Federated Identities

Answer 58

A. Mantrap A mantrap is commonly used to control the flow of people through a particular area. Unlocking the one door of a mantrap commonly restricts the other door from opening, thereby preventing someone from walking through the mantrap without stopping. It’s common in large data centers to have a single room as the mantrap where users are checked in and out of the facility. The incorrect answers: B. Air gap An air gap is a technical control that creates a physical separation between devices or networks. An air gap is not used to manage the flow of people. C. Faraday cage A Faraday cage is used to block electromagnetic fields, and it is useful in environments where electromagnetic and radio signals can be an issue. D. Protected distribution A protected distribution system (PDS) is a physically secure cabled network. Cable and fiber in a protected distribution are protected from taps, cuts, or similar security breaches. SY0-501, Objective 3.9 - Physical Security Controls

Answer 59

B. Steganography Steganography is the process of hiding information within another document. For example, one common method of steganography will embed data or documents within image files. The incorrect answers: A. Digital signatures A digital signature is a cryptographic method to check the integrity, authentication, and non-repudiation of a message. Digital signatures are not used to hide information within image files. C. Block cipher A block cipher is used to encrypt fixed-length groups of data. Block ciphers do not hide data within another object. D. Perfect forward secrecy Perfect forward secrecy is a key exchange method that creates a new and unique set of session keys for each session. SY0-501, Objective 6.1 - Steganography

Answer 60

C. Credentialed A credentialed scan uses valid access rights to perform the scanning functions. This type of scan is designed to show what someone on the inside with these rights would be able to exploit. The incorrect answers: A. Black box Black box information is generally associated with penetration testing. Someone performing a black box penetration test will not have any prior knowledge of the systems under attack. B. Passive Passive information gathering is usually associated with penetration testing. Passive reconnaissance is the process of gathering information from outside sources, such as social media sites and online forums. D. Agile An agile environment is often associated with a development life-cycle model that focuses on rapid development and constant collaboration. SY0-501, Objective 1.5 - Vulnerability Scanning

Answer 61

C. ARO The ARO (Annualized Rate of Occurrence) describes the number of instances that an event would occur in a year. For example, if the organization expect to lose seven laptops to theft in a year, the ARO for laptop theft is seven. The incorrect answers: A. ALE The ALE (Annual Loss Expectancy) is the expected cost for all events in a single year. If it costs $1,000 to replace a single laptop (the SLE) and you expect to lose seven laptops in a year (the ARO), the ALE for laptop theft is $7,000. B. SLE SLE (Single Loss Expectancy) is the monetary loss if a single event occurs. If one laptop is stolen, the cost to replace that single laptop is the SLE, or $1,000. D. MTTR MTTR (Mean Time to Repair) is the time required to repair a product or system after a failure. SY0-501, Objective 5.3 - Risk Assessment