Security+ ITProTV Practice Exam I Flashcards

Question

** Which two suppression methods are recommended when paper, laminates, and wooden furniture are the elements of a fire in the facility? (Choose TWO) Water Soda Acid Dry Powder Halon

Answer 1

Water Soda Acid Explanation: Water or soda acid should be used to suppress a fire that has wood products, laminates, and paper as its elements. The suppression method should be based on the type of fire in the facility. The suppression substance should interfere with the elements of the fire. For example, soda acid removes the fuel while water reduces the temperature. Water or soda acid are used to extinguish class A fires. Electrical wiring and distribution boxes are the most probable cause of fires in data centers. Class C fire suppression agents, such as halon or carbon dioxide, are used when the fire involves electrical equipment and wires. They can also be used to suppress Class B fires that include liquids, such as petroleum products and coolants. The production of halon gas was banned by the Montreal Protocol in 1987. Halon causes damage to the ozone layer and is harmful to humans. The treaty requires vendors who already have halon extinguishers to get the extinguishers refilled with replacements, such as FM-200, approved by the Environmental Protection Agency (EPA). Carbon dioxide, also used to extinguish class B and C fires, eliminates oxygen. Carbon dioxide is harmful to humans and should be used only in unattended facilities. Dry powder is a suppression method for a fire that has magnesium, sodium, and potassium as its elements. Dry powder extinguishes class D fires. Although dry powder can also suppress Class B and C fires, companies commonly use other forms of suppression for Class B and C fires. The only suppression method for combustible metals is dry powder.

Answer 2

Acquire/Collect Use Delete/Dispose Explanation: Legal Hold refers to an exceptional step that is taken after evidence is collected for a criminal investigation. It is NOT a standard component of the Data Life Cycle. Data Life Cycle Steps: - Acquire - Obtaining or Creating Data - Store - Storing the Data in a Secure Location. - Use - Reading/Editing the Data - Share - Transmitting Data - Archive - Backing Up the Data in a Secure manner. - Dispose - Erasing, Deleting, Destroying the Data.

Answer 3

SKIP is a key distribution protocol (Simple Key Internet Protocol) Explanation: Simple Key management protocol for Internet Protocols (SKIP) is a key management and distribution protocol used for secure IP communication, such as Internet Protocol Security (IPSec). SKIP uses hybrid encryption to convey session keys. These session keys are used to encrypt data in IP packets. SKIP uses a key exchange algorithm, such as the Diffie-Hellman algorithm, to generate a key-encrypting key that will be used between two parties. A session key is used with a symmetric algorithm to encrypt data. SKIP is not a key storage protocol. It is a key distribution and management protocol similar to Internet Key Exchange (IKE).SKIP works on a session-by-session basis, although it does not require prior communication for the establishment of sessions. SKIP employs encryption standards, such as Data Encryption Standard (DES) and Triple DES (3DES), to provide secure communication. SKIP does not deploy IKE for key distribution and management. IKE is a separate framework used to securely exchange keys to establish an IPSec session. Key exchange can occur either in band or out of band. In-band key exchange occurs over the same transmission media that is used by data and voice transmissions. Out-of-band exchange occurs outside the data and voice transmission media. In-band key exchange is less secure than out-of-band key exchange.

Answer 4

Respond to tactics and techniques found in real-world attacks. Explanation: The purpose of the MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework is to learn how to respond to tactics and techniques found in real-world attacks. The Open Web Application Security Project (OWASP) Top 10 is meant for patching the most critical software vulnerabilities found by experts, some of which have yet to be exploited in the wild. The purpose of the Cyber Kill Chain is to identify and stop advanced persistent threats (APTs) before data is exfiltrated. In penetration testing, the goal is to identify and exploit system vulnerabilities using an attacker mindset.

Answer 5

RFCs (Request for Comments) Explanation: A Request for Comments (RFC) is a numbered document, which includes appraisals, descriptions, and definitions of online protocols, concepts, methods, and programs. RFCs are administered by the IETF (Internet Engineering Task Force). RFCs occur when a new technology is accepted as a web standard, which become useful when discovering new vulnerabilities and potential threats in existing internet standards. TTP stands for tactics, techniques, and procedures, and is a concept that is used to identify patterns of behavior which can be employed to defend against certain strategies and threat vectors utilized by malicious actors. TTP is not solely concerned with existing Internet standards. Structured Threat Information Expression (STIX) defines a common language for discussion threat intelligence and serializes it into a coherent format. TAXII stands for Trusted automated exchange of indicator information and was designed to specifically support STIX information by defining how cyber threat information can be shared via services and message exchanges. STIX and TAXII are not solely concerned with existing Internet standards.

Answer 6

DNS Logs (Domain Name System) Explanation: There is a ton of security knowledge that can be discovered from within the logs of your organization’s internal DNS servers. It also helps to monitor the outbound DNS queries on your network. This potential wealth of information can help you find potentially compromised hosts on the network by searching for queries that are abnormal or known to be malicious. An adversary may find that an internal DNS is an attractive method for performing malicious activities like network reconnaissance, communication with the command and control servers, data transfers out of the network, or malware downloads that are capable of all of these. Subsequently, it is critical that DNS traffic be monitored for proper threat protection.

Answer 7

to search for malicious code or behavior. Explanation: The purpose of content inspection is to search for malicious code or suspicious behavior. The purpose of load balancing is to distribute the workload across multiple devices. Often DNS servers are load balanced to ensure that DNS clients can obtain DNS information as needed. Other services are load balanced as well. Load balancers optimize and distribute data workloads across multiple computers or networks. The purpose of an Internet or Web proxy is to filter and forward Web content anonymously. The purpose of a spam filter is to identify and block unwanted messages. Spam filters should be configured to prevent employees from receiving unsolicited e-mail messages. Another type of hardware that is similar to a spam filter is an all-in-one security appliance. This device filters all types of malicious, wasteful, or otherwise unwanted traffic. Many all-in-one security appliances include a component that performs content inspection and malware inspection. These appliances usually also include a URL filter feature that allows administrators to block and allow certain Websites. For example, the URL filter in an all-in-one security appliance could be configured to restrict access to peer-to-peer file sharing Websites.

Answer 8

SAN (Subject Alternate Name) Explanation: A Subject Alternative Name (SAN) is a field in the certificate definition that allows you to stipulate additional information, such as an IP address or host name, associated with the certificate. Machine/computer certificates are assigned to a designated machine. During authentication, the computer (or machine) requesting access must supply the certificate assigned to it. These certificates do not always include host name information. Domain validation certificates are very common. They are low-cost and are often used by web admins to offer TLS to a domain. They are validated using only the domain name. However, they do not allow you to configure alternate information in the certificate. These certificates do not always include host name information. Extended validation certificates, as the name suggests, provide additional validation for HTTPS web sites. The certificate provides the name of the legal entity responsible for the web site. These certificates require the most effort by the CA to validate and provide a higher level of trust than domain validation because they are validated using more than the domain information, including the host name. You should also be familiar with email certificates, code signing certificates, user certificates, and root certificates. User certificates are assigned to individual users, much like machine/computer certificates are assigned to individual machines. Users must provide their assigned certificate for authentication prior to accessing certain resources. Email certificates are used to secure email. One such example is Secure Multipurpose Internet Mail Extensions (S/MIME), which provides a digital "signature" for that email. Code signing certificates are used for code that is distributed over the Internet, including programs or applications. Code signing certificates verify the code's origin and help the user trust that the claimed sender is indeed the originator. Root certificates define the root CA and validate all other certificates issued by that CA. They are at the top of the CA hierarchy. They are self-signed and are closely guarded.

Answer 9

Collect Analyze Store Present Return

Answer 10

Diffusion Explanation: Diffusion is the cryptographic technique whereby a change of a single input bit results in a change of multiple output bits. Confusion is the technique where the relationship between the components of the message – the plain text, the key used, and the cipher text – is difficult to see. As a contrast, with ROT13, it is very easy to see the relationship between the components. Salting is a countermeasure to protect against rainbow table attacks. With salting, additional bits are added before the text is hashed. For example, if the password is "OpenSesame," salting will add additional characters prior to the hash, such as "Open00Salt99," which changes the hash value of the password. When the rainbow table searches for a password that matches "OpenSesame," the hash value will not match. An initialization vector (IV) is a number that is used once (nonce). As an example of this technique, assume that one portion of a cryptographic key was encrypted with RC4, and another portion included the IV. In the event the RC4 portion of the key was cracked, the IV that is used only once would protect the message from unauthorized decryption. Weak or deprecated algorithms are to be avoided. Wired Equivalent Privacy (WEP), for example, is now considered a weak encryption algorithm, as well as Data Encryption Standard (DES).

Answer 11

Shibboleth Explanation: Shibboleth uses Security Assertion Markup Language (SAML), which defines security authorizations on web pages as opposed to web page elements in HTML. Shibboleth is a single sign-on (SSO) system that uses an identity provider and a service provider. OAuth is Open Authorization. The current standard, OAuth 2.0, grants an application limited access to a user's account on a third-party site, such as Facebook or Twitter. OAuth could grant the application access to a friend's list or give the application the ability to post on the user's behalf. OpenID Connect provides the authentication necessary in OAuth. It authenticates the user and stores the user information in a token. OAuth does not work with SAML. A secure token contains the user information and authentication information used by OpenID.

Answer 12

Supply Chain Assessment Explanation: Supply chain assessment might have stopped the store's data breach. The breach was initiated with the failure of a contractor to have adequate anti-malware protection. Supply chain assessment would include verifying that vendors and contractors have adequate safeguards in place before they can access your network. A risk register is a scatter graph of problem areas identified in a business impact analysis. Risk response techniques include avoidance, transference, mitigation, and acceptance. Analyzing the likelihood of occurrence compares the potential threat with the probability that the threat will occur.

Answer 13

Legal Hold Explanation: Legal hold is the term for the preservation of information relevant to an impending lawsuit. Personnel will be instructed not to destroy or alter information relating to the topic of the lawsuit. Chain of custody deals with how the evidence is handled once it has been collected and guarantees the identity and integrity of the evidence from the collection stage to its presentation in the court of law. There should be a log of who has had custody of the evidence, where it has been, and who has seen it. Active logging should also be used to document access to the evidence, including photographic or video records, showing the manner in which the evidence is secured. Preserving data for a legal hold just ensures that data is retained for the appropriate period and has nothing to do with chain of custody, although chain of custody is vital to preserving evidence. An incident response plan describes how to respond to various types of security incidents. Incident response plans provides details on how to preserve data and logs related to an incident. Data sovereignty means that the data is subject to the laws of the location where it is stored. Different countries may differ in their laws for preserving the existence and integrity of records prior to litigation.

Answer 14

CAC (Common Access Card) Explanation: A Common Access Card (CAC) is a certificate-based smart card issued by the Department of Defense (DoD) to military personnel and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login. None of the other options are implemented by the U.S. military. Proximity cards are a type of smartcard that incorporate Radio Frequency Identification (RFID) chips. These chips contain authentication information and transmit over a very short range. When the authentication device is within range of the proximity card, and the information transmitted is correct, authentication is granted. A Personal Identity Verification (PIV) card is a certificate-based smart card issued to non-military federal employees and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login. Hardware tokens (or physical tokens) include such physical devices as wireless key cards, key fobs, and smart cards. Smartcards have permissions and access information stored on the card. The greatest concern with smart cards is theft. Once stolen, the thief can use the card in the same manner as the rightful owner. As an example, if the user has access to a highly secure area by using the smartcard, a thief will have the same access when using the stolen card. Software tokens are a component of two-factor authentication systems. They are usually embedded on a device and used to authenticate the user.

Answer 15

Federation Explanation: Federation and federated identity is the ability of a user to use a single identity across multiple businesses or networks. Federation differs from single sign-on, where a user has one password that grants access to all the permitted network resources. Federation relies on trust relationships that are established between the different businesses or networks. Another example of federated identity is allowing Microsoft users to sign into cloud services using their on-premises Active Directory domain credentials. A transitive trust involves creating relationships between domains to grant authenticated users access to other domains. In Active Directory, for example, if the Sales domain trusts the Marketing domain, and the Marketing domain trusts the HR domain, then Sales trusts the HR domain through a transitive relationship. Transitive trusts are established within a single organization or between private organizations. PayPal and Google Checkout do not use transitive trusts. Biometrics and keyboard cadence are both factors used in multi-factor authentication. Biometrics is something you are. Fingerprints, voiceprints, retina scans, and iris scans are all examples of biometrics. Keyboard cadence is an example of something you do. When the user enters a new password, the keystroke timing (cadence) is recorded as a signature pattern. Authentication factors may be part of the process of authenticating to your identity, but it has nothing to do with authorizing the identity to access multiple businesses or networks. For the Security+ exam, you must understand the following authentication factors: something you are, something you have, and something you know. You also need to understand the following attributes: somewhere you are, something you exhibit, someone you know, and something you do. Something you have is based on the user possessing some type of security device. These can include things such as smart cards, tokens, and key fobs. Something you know would be a password, a PIN, the name of a childhood sweetheart, the color of your first car, or the answer to a similar question.

Answer 16

Execute a Well-Written Program Explanation: A well-written program is the best method to prevent buffer overflow errors. Buffer overflow occurs when the length of the input data is longer than the length processor buffers can handle. Buffer overflow is caused when input data is not verified for appropriate length at the time of input. Buffer overflow and boundary condition errors are examples of input validation errors. Audit trails and file integrity checks are examples of security controls in a trusted application system. Security controls cannot control buffer overflow, but can assist in monitoring unauthorized activity on either an application or a system. A check digit, also referred to as a checksum, provides data integrity by computing hash values. A checksum occurs when either a source application or a system uses a mathematical formula to compute a hash value against a standard input and sends the value to the destination. After receiving the data, the receiving application performs the same mathematical operation. If the hash values match, the data is considered acceptable. If the hash values do not match, the data is discarded. Check digits do not either prevent or detect buffer overflows. A reasonableness check verifies whether the data within an application program lies within the predefined limits and format. For example, an application meant for processing numbers should not accept alphabetical characters as a valid input. Reasonableness checks monitor the data input format and not the buffer overflows.

Answer 17

FRR (False Rejection Rate) Explanation: You should investigate the device's FRR to determine its accuracy. False rejection rate (FRR) measures how likely it would be that an authorized user is denied access to the system. Expressed as a ratio, it is the number of authorized users who were denied access to the protected system divided by the number of authentication attempts. False rejections can occur if the system settings are too precise, or if users are not trained properly on biometric login procedures. By contrast, false acceptance rate (FAR) measures how likely it would be that an unauthorized user is granted access to the system. Its ratio is the number of unauthorized users who were incorrectly allowed access to the protected system divided by the number of authentication attempts. FAR could happen because the system was not precise enough when matching the authorized user. Crossover error rate (CER) is the point where FAR and FRR are equal. Generally, a lower CER value would indicate a more accurate system. CER is primarily used to compare biometric authentication systems. HOTP/TOTP are two types of one-time passwords, (i.e., they can only be used once). Hashed One Time Passwords (HOTP) are secure passwords used with hardware tokens. Time-based One Time Passwords (TOTP) are issued for a specific period of time. Once used, or once the time expires, the TOTP is no longer valid. Other considerations include ABAC, proximity cards, smartcards, tokens, CAC, PIV, and file security. Attribute-based access control (ABAC) goes beyond authentication based on username and password. It evaluates other factors, such as time of day and location of logons. Another aspect would be if a user has read access to files but is attempting to edit or delete files remotely. Smartcards have permissions and access information stored on the card. The greatest concern with smart cards is theft. Once stolen, the thief can use the card in the same manner as the rightful owner. As an example, if the user has access to a highly secure area by using the smartcard, a thief will have the same access when using the stolen card. Proximity cards are a type of smartcard that incorporate Radio Frequency Identification (RFID) chips. These chips contain authentication information and transmit over a very short range. When the authentication device is within range of the proximity card, and the information transmitted is correct, authentication is granted. Hardware tokens (or physical tokens) include such physical devices as wireless key cards, key fobs, and smart cards. Software tokens are a component of two-factor authentication systems. They are usually embedded on a device and used to authenticate the user. A Common Access Card (CAC) is a smart card issued by the Department of Defense (DoD) to military personnel and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login. A Personal Identity Verification (PIV) smart card is issued to non-military federal employees and contractors. They incorporate a picture, integrated chip, two barcodes and a magnetic strip. They can be used for visual identification and for login. File system security should always be set to only allow what is absolutely essential for the user to do their job. This is also known as the principle of least privilege.

Answer 18

RTOs (Real Time Operating Systems) Explanation: Real Time Operating Systems (RTOs) are particularly dangerous because they process data with little or no latency. They are susceptible to code injection, exploiting shared memory, priority inversion, DoS attacks, and attacks on inter-process communication. While the other options are security risks, none processes data with little or no latency. Home automation devices, such as smart thermostats, lighting systems, and refrigerators, are susceptible to security issues. The security concerns are the same as for industrial controls, just at the home level. Wearable technology devices are at risk. Most transmit via Wi-Fi or Bluetooth to a host device, and as such are subject to attack. In addition to being subject to attack, wearable devices such as voice recorders, video recorders, and hidden cameras can also be used for an attacker to gain information. System on a chip (SOC) is often found in smart phones. Checks should be incorporated that ensure the system only boots with trusted code and builds a root of trust (RoT).

Answer 19

Politically Motivated Threat Explanation: A terrorist attack is most likely a politically motivated threat. A terrorist attack is usually an attack against a particular country view from a group that opposes that the political views of that country. Often, a particular group takes credit for a terrorist attack. Politically motivated threats include strikes, riots, civil disobedience, and terrorist attacks. Natural environmental threats include floods, earthquakes, tornadoes, hurricanes, and extreme temperatures. Supply system threats include power outages, communications interruptions, and water and gas interruption. An internal threat is one that originates from within an organization. A terrorist attack is not most likely an internal threat. A threat assessment is performed to determine the threats that threaten an organization and its assets. Internal threats are those that originate from within the organization, and external threats are those that originate from outside the organization.

Answer 20

Reconnaissance Explanation: Reconnaissance does not require prior knowledge of the target. It helps the attacker gather information for a later attack. Remember that reconnaissance can mean visiting a target to observe security controls in person, but it also can refer to digital and remote intelligence gathering techniques. Spear phishing is a type of phishing aimed at a specific user or group, and appears to come from a trusted source. Spear phishing requires some inside knowledge of the target, which the attacker can gather from reconnaissance, open-source intelligence (OSINT), or other social engineering attacks. Whaling is a type of spear phishing aimed at high-profile targets, such as board members and CEOs. An invoice scam involves sending a fake invoice (by mail or electronically) to an accounts payable department in the hopes that it will be paid without being verified. It requires knowledge of the target’s email address or physical address.

Answer 21

Resource Policies Explanation: Cloud service providers can provide users with access to resources via policies. There are two ways to do this, role-based policies or resource based polices. You can use resource-based policies to provide access control where the user in a different cloud can be granted access to a resource in your account. You can also use role-based policies in which you assign a user to a role that has permission to use a resource. Container security refers to the controls that apply to applications deployed to lightweight OS containers, while secrets management refers to the system used to control access to sensitive application data like keys and configuration settings. Resource clustering describes how resources can be collected together to perform the same role in load balancing scenarios.

Answer 22

low Security cost easier to implement Explanation: Role-based access control (RBAC) has a low security cost because security is configured based on roles. For this reason, it is also easier to implement than the other access control models. During the information gathering stage of a deploying RBAC model, you will most likely need a matrix of job titles with their required access privileges. RBAC is NOT the most user friendly option. Discretionary access control (DAC) is more user friendly than RBAC because it allows the data owner to determine user access rights. If a user needs access to a file, he only needs to contact the file owner. RBAC is NOT discretionary in nature. DAC is discretionary, meaning access to objects is determined at the discretion of the owner. RBAC is NOT a highly secure environment. Mandatory access control (MAC) is considered a highly secure environment because every subject and object is assigned a security label. With RBAC, it is easy to enforce minimum privilege for general users. You would create the appropriate role, configure its permissions, and then add the users to the role. A role is defined based on the operations and tasks that the role should be granted. Roles are based on the structure of the organization and are usually hierarchical. RBAC is a popular access control model used in commercial applications, especially large networked applications. Rule-based access control is often confused with RBAC because their names are similar. With rule-based access control, access to resources is based on a set of rules. The user is given the permissions of the first rule that he matches.

Answer 23

Full Device Encryption (FDE) Explanation: Utilizing full device encryption on mobile devices through Mobile Device Management (MDM) will best provide confidentiality if the device were to be stolen. Full device encryption ensures that the contents of the mobile device are encrypted. With more organizations moving to a mobile-first workforce, each and every mobile device contains a lot of confidential corporate data which needs to be secured from unauthorized access. Encryption is the most common way to secure the data present on the devices, whereby unauthorized usage of corporate data is restricted. Another option to ensure that any corporate data is not able to be accessed by an unauthorized source is to adopt a remote wipe policy for mobile devices. A remote wipe or sanitation process would erase all of the data on the mobile device in the event that the mobile device is lost or stolen. However, it would not provide the BEST confidentiality because the data is only erased once the device manager is notified that the device is lost or stolen. The device also would need to be online as well. Other security mechanisms used for mobile devices include screen locks, strong passwords, voice encryption, and GPS tracking. Screen locks prevent users from accessing the mobile device until a password or other factor is entered. Strong passwords ensure that mobile devices cannot be accessed unless the password is entered. They also ensure that the password is hard to discover using a password attack. Voice encryption ensures that conversations cannot be eavesdropped. GPS tracking allows a mobile device to be located. However, GPS tracking can also be considered a security threat and is often disabled. Geofencing can limit the effectiveness of devices within a confined geographic area, but if the device is stolen and moved outside of that area, its data would still be available to an attacker.

Answer 24

Secure IMAP -- Secure Email (Internet Mail Access Protocol) Port 993 SRTP -- Secure Voice and Video (Secure Real Time Protocol) - LDAPS -- Secure Directory Services (Lightweight Directory Access Protocol Secure) Port 636 FTPS -- File transfer over SSL (File Transfer Protocol Secure) Port 989/990 SFTP -- File transfer over SSH (Secure File Transfer Protocol) Port 22 - SecureShell (SSH), SecureCopy (SCP)

Answer 25

A Triple DES (3DES) algorithm uses 48 rounds of computation. Explanation: A Triple DES (3DES) algorithm uses 48 rounds of computation. It offers high resistance to differential cryptanalysis because it uses so many rounds. The encryption and decryption process performed by 3DES takes longer due to the higher processing power required. The actual key size of the Data Encryption Standard (DES) is 64 bits. A key size of 8 bits is used for a parity check. Therefore, the effective key size of DES is 56 bits. The DES algorithm uses 16 rounds of computation. The order and the type of computations performed depend upon the value supplied to the algorithm through the cipher blocks. According to the following calculation, a 56-bit DES encryption is 65,536 times more secure than a 40-bit DES encryption: 240 = 1099511627776 and 256 = 72057594037927936 Therefore, 72057594037927936 divided by 1099511627776 = 65,536. DES has many security issues. If a bank has a fleet of aging payment terminals used by merchants for transactional processing, and the terminals currently support single DES but require an upgrade to be compliant with security standards, the simplest solution to improve the in-transit protection of transactional data is to upgrade to 3DES.

Answer 26

Configuration Validation Explanation: Configuration validation through automation and scripting can ensure that new equipment has all the proper settings, applications, and drivers as existing equipment. Continuous monitoring can be employed to ensure that any device on the network cannot have their configuration settings changed, but it will not ensure the configurations match. Automated courses of action can be accomplished through scripting, so that certain events trigger a series of responses or actions. Automated courses of action can also be used to obtain updates and patches by scheduling the software to check for them at certain times. Automated courses of action usually cannot verify that equipment has the same settings, applications, and drivers as existing equipment. Templates provide standardized documentation for several issues. Such issues can include security analysis reporting, threat and vulnerability identification, and impact assessment, among others. Templates can also be used to configure operating systems (OSs) to ensure that certain settings are automatically configured. Templates are usually used as a first time configuration measure, but often cannot be reapplied because doing so would result in loss of any user changes that have been made.

Answer 27

Nessus Explanation: Nessus is NOT a backdoor application. It is a network vulnerability scanner. Back Orifice, NetBus, and Masters Paradise are all backdoor applications. These applications work by installing a client application on the attacked computer and then using a remote application to gain access to the attacked computer. Back Orifice is a famous rootkit that targets Windows systems and is sometimes used as a remote administration tool.

Answer 28

SSL/TLS -- Cryptographic Communication Protocol S/MIME -- Secure Encryption and Digital Signatures for Email SNMPv3 -- Routing and Switching Management SSH -- Secure Remote Access

Answer 29

Reputation Loss Explanation: Reputation loss is intangible damage to the organization that occurs due to a company suffering a data breach. Security awareness is a term used to describe the security sophistication of a user group or company. Identity theft is the theft of certain personal information that allows for making financial transactions in the name of the targeted person. Availability disruption is not a term used when discussing security or breaches.

Answer 30

Internet Connection Explanation: Alarm systems with a connection to the internet are a two-way street for connectivity. Not only does it make it more convenient when you are away from home, but it also can be a means for attackers to connect via a remote connection to your alarm system making them vulnerable to attack. The best way to prevent these remote alarm system attacks is to use extremely strong passwords for both your home WiFi network, and your account you use to access the alarm system via the internet. Having a convenient power plug or WPS button could only impact the local attack surface. Although the cloud storage could be attacked to gain image files, the device itself is not open to attack through that vector.

Answer 31

Confidentiality Explanation: Encryption provides confidentiality security services. An encrypted file is protected from being read by users who cannot decrypt the file. Users require digital keys to decrypt and read encrypted files. Confidentiality deals with ensuring that information is not intentionally or unintentionally disclosed. Accountability is a security service that is used to determine the identity of users. Authentication is an example of an accountability security service. Availability is a security service that protects hardware and data from loss by ensuring that any needed data is available when necessary. Backups are an example of availability. Integrity is a security service that ensures that digital files have not been changed. Digital signatures are an example of an integrity security method. A digital signature provides integrity and non-repudiation. Non-repudiation ensures that the data's origin is known.

Answer 32

Trust Explanation: This was an example of trust. Even though the menus in the café had clearly been altered, they appeared to come from a trustworthy source and were part of an established pattern of use. QR codes can embed malicious links or direct users to compromised sessions. For these reasons, users should be taught never to scan QR codes placed in random public areas, or QR codes printed on stickers or other temporary media. CompTIA lists seven principles that can make social engineering attacks effective: Authority – The attacker impersonates someone with the power to request access to sensitive information, such as an IT support desk member or law enforcement. Intimidation –The attacker bullies or belittles the victim to get access or sensitive information, such as an attacker who says he will have a security guard fired if the guard does not unlock a secured door for the attacker. Consensus – The attacker convinces the victim that it is fine to reveal confidential information or perform a risky action because the victim’s peers or coworkers are doing it too. Scarcity – The attacker wraps the attack in an offer that is limited, restricted, or expiring soon, such as an invitation to an exclusive LinkedIn group that the attacker will use to harvest confidential company information. Familiarity – The attacker pretends to be someone who belongs in the victim’s environment, such as an employee in a neighboring office or a remote coworker. Trust – The attacker gains the victim’s trust by pretending to be a sympathetic person who will help the victim, or who deserves to be helped by the victim. Urgency – The attacker pretends there is an emergency that requires the victim to immediately release confidential information or grant access. Urgency is often combined with authority attacks that impersonate law enforcement.

Answer 33

It monitors data on computers to ensure the data is not deleted or removed. Explanation: Data Loss Prevention (DLP) is a network system that monitors data on computers to ensure the data is not deleted or removed. If your organization implements a DLP system, you can prevent users from transmitting confidential data to individuals outside the company. Cloud computing is a technology that allows organizations to use the Internet to host services and data remotely instead of locally. Microsoft Security Essentials is an application that protects against malware. It is included in Windows 7. Windows 8 and above use Windows Defender. Other applications are available that protect against malware. Trusted Platform Module (TPM) and Hardware Security Module (HSM) are both chips that implement hardware-based encryption. The main difference between the two is that a TPM chip is usually mounted on the motherboard and HSM chips are PCI adapter cards. DLP provides different solutions based on data location: Network based – deals with data in motion and is usually located on the network perimeter. Storage based – operates on long-term storage (archive) Endpoint based – operates on a local device and focuses on data-in-use. Cloud based – operates in "the cloud" data in use, motion, and at rest DLP identifies and controls end-point ports as well as block access to removable media by providing the following services: Identify removable connected to your network by type (USB thumb drive, DVD burner, mobile device), manufacturer, model number, and MAC address. Control and manage removable devices through endpoint ports, including USB, Wi-Fi, and Bluetooth. Require encryption, limit file types, and limit file size. Provide detailed forensics on device usage and data transfer by person, time, file type, and amount. DLP includes USB blocking, cloud-based, and email services.

Answer 34

80 Explanation: Only port 80 should be opened on the Internet side of the demilitarized zone (DMZ) firewall. The firewall will allow only HTTP traffic to enter the DMZ; all other port traffic will be prevented from entering the DMZ. Port 20 is used by File Transfer Protocol (FTP) to send data. Port 110 is used by Post Office Protocol (POP), and port 443 is used by Secure Sockets Layer (SSL). The Web server on the DMZ only serves Web pages, so only HTTP services should be activated on the Web server. All other services on the Web server should be deactivated, which will strengthen security on the Web server. Access control lists (ACLs) are used to configure rules on network devices. These ACLs determine which communication is allowed or denied. ACLs can be based on port numbers, IP addresses, MAC addresses, and other criteria.

Answer 35

tail -- Display the last 10 lines of a file. top -- Display running processes. grep -- Search a file for a text string or pattern. dd -- Create an image of a disk.

Answer 36

Geotagging Explanation: Geotagging is the process of attaching location information in the form of geographical metadata to digital media like web sites, videos, and photographs. Geotagging is a security concern because it can reveal location information. This feature embeds unseen code into a picture that records the longitude/latitude information of where the picture was taken. Geotags may also be applied to digital output and communications such as tweets or status updates on social media. The information included in a geotag may include place co-ordinates (latitude and longitude), bearings, altitude, distances, or even place names. This feature becomes a serious concern when it comes to protecting your privacy and data. Geotagging can give enough information about your current whereabouts (and where you’re not) which can allow thieves to target your home or workplace in your absence. None of the other features is a security concern. They are all security solutions for mobile devices. Remote wiping allows you to remotely wipe the contents of a mobile device. White-listing permits certain applications to be installed and run on mobile devices. Black-listing is the opposite of white-listing, and prevents the installation of certain applications. A screen lock prevents users from accessing the mobile device unless they know the code. When considering applications that can be installed on mobile devices, you need to understand the following concepts for the Security+ exam: Key management – You should take measures to ensure that all keys are protected. Measures that you can use include implementing device encryption to protect the keys while stored and using IPSec to protect the keys during transmission. Credential management – You should implement solutions that allow you to manage credentials for users to ensure that mobile devices are only accessed by valid users. In addition, you should ensure that the protocols that you use do not transmit credential information in plaintext. Authentication – If possible, you should require your mobile applications to authenticate users before allowing access. This ensures that applications are only accessed by valid users. Geotagging – Geotagging attaches certain location information to pictures and videos. In most mobile devices, this feature can be disabled. Encryption – Applications often request personally identifiable information (PII) that should be protected. In addition, they often transmit PII and other confidential information. Therefore, you should employ encryption to protect the data in storage and in transmission. Application white-listing – Application white-listing allows administrators to configure a list of applications that are allowed to run on a mobile device. In some cases, it also includes a way of checking the hash value of the application to ensure data integrity. Transitive trust/authentication – Transitive trust occurs when federated user identities allow users to access multiple applications, devices, and resources using a single authentication. A trusted computing base is established as the basis of federated user identity. Enterprises should ensure that any entities allowed into the trusted computing base are fully protected. When deploying mobile devices securely, security professionals need to set policies and enforce them through monitoring all of the following features or practices: third-party app stores, rooting/jailbreaking, sideloading, custom firmware, carrier unlocking, firmware over-the-air (OTA) updates, camera use, SMS/MMS, external media, USB on-the-go (OTG), recording microphone, GPS tagging, Wi-Fi direct/ad hoc, tethering, and payment methods. Management should set the policy for each of these mobile device components. Policies are only effective if a plan for enforcement and monitoring is also established.

Answer 37

Issuing the Run As command to execute administrative tasks during a regular user session. Explanation: The best implementation of the principle of least privilege is to issue the Run as command to execute administrative tasks during a regular user session. You should never use an administrative account to perform routine operations such as creating a document or checking your e-mail. Administrative accounts should only be used to perform an administrative task, such as configuring services or backing up the computer. By issuing the Run as command to execute administrative tasks during a regular user session, you execute the task as needed, but limit the administrative account to only running the particular task. If you logged off and back on using the administrative account, there is a possibility that you would forget to return to using your regular user account when performing routine tasks. Completing administrative tasks at a computer that functions only as a server is not an implementation of the principle of least privilege. Users should be able to perform administrative tasks at servers and workstations. Ensuring that all services use the main administrative account to execute their processes is an example of NOT ensuring the principle of least privilege. Services should use a service account specifically created for the service that is only configured with those rights, permissions, and privileges for the service to carry out its functions. Issuing a single account to each user, regardless of his job functions, is an example of NOT ensuring the principle of least privilege. Those users charged with administrative duties should be issued a minimum of two accounts: one regular user account for performing normal user tasks and one administrative user account configured with those rights, permissions, and privileges for the user to carry out the administrative duties. A proper implementation of the principle of least privilege ensures users are given only the user rights they need to execute their authorized tasks. The concept of least privilege exists within the Trusted Computer System Evaluation Criteria (TCSEC), which is used to categorize and evaluate security in all computer software. The principle of least privilege is usually implemented by limiting the number of administrative accounts. Tools that are likely to be used by hackers should have permissions that are as restrictive as possible.

Answer 38

Man-Hours Explanation: To justify the expenses of the forensic investigation, you should track man-hours. From security guards to overtime used by staff, to the hours spent by experts in evidence examination, man-hours should be tracked. Careful documentation may be required by accounting, human resource, the courts, or insurance companies. Capturing screenshots is an important part of forensic investigation. Screenshots allow you to record what is displayed on a computer screen or a smartphone. If the computer is powered down, whatever is on the screen would be lost without a screenshot. Network traffic and logs analysis should be performed during forensic investigation and during incident response. Variations in baselines can indicate repeated attacks, and password hack attempts would show up in the logs. Chain of custody deals with how the evidence is handled once it has been collected. There should be a log of who has had custody of the evidence, where it has been, and who has seen it.

Answer 39

redundant site hot site Explanation: The hot site and the redundant site are the easiest to test because they both contain all of the alternate computer and telecommunication equipment needed in a disaster. Usually, testing either of these environments is as simple as switching over to them after ensuring they contain the latest versions of your data. A warm site is harder to test than a hot site or a redundant site, but easier to test than a cold site. It only contains telecommunications equipment. Therefore, to properly test disaster recovery procedures at the warm site, alternate computer equipment such as servers would need to be set up and configured. A cold site is the hardest to test. It only includes a basic room with raised flooring, electrical wiring, air conditioning, and telecommunications lines. To properly test disaster recovery procedures at the cold site, alternate telecommunications and computer equipment would need to be set up and configured. Hot sites and redundant sites are usually the most expensive to implement. Warm sites are less expensive than hot sites but more expensive than cold sites. Cold sites are the least expensive to implement.

Answer 40

Kerberos Explanation: Kerberos is a protocol that issues ticket-granting tickets (TGTs), which clients can then use to request session keys. A Kerberos client can use a session key to gain access to resources. Address Resolution Protocol (ARP) is used on TCP/IP networks to resolve Internet Protocol (IP) addresses to Media Access Control (MAC) addresses. MAC addresses are assigned to network interface cards (NICs) and are used to identify physical resources on a network. IP is used on TCP/IP networks to locate hosts. ARP enables Ethernet and TCP/IP to interoperate. Layer 2 Tunneling Protocol (L2TP) can be used to create secure virtual private network (VPN) connections. Telnet is a TCP/IP protocol that enables a user to remotely connect to a server through a text-based interface. The user can then use Telnet to remotely issue commands on the server as if it were the local computer.

Answer 41

STP (Spanning Tree Protocol) Explanation: You should deploy spanning tree protocol (STP). The primary loop protection on an Ethernet network is STP. The problem with looping is the waste of network throughput capacity. STP can help mitigate the risk of Layer 2 switches in the network suffering from a DoS style attack caused by staff incorrectly cabling network connections between switches. Loop protection is also referred to as loop prevention. Time To Live (TTL) is the primary loop protection on an IP network. Flood guards are devices that protect against denial-of-service (DoS) attacks. Network separation is a technique that is used to prevent network bridging. Network bridging can cause performance issues in the network. You can employ network separation by using routers or firewalls to implement IP subnets. Often routers or switches are the main network devices on an Ethernet network. Switches are considered more secure than routers. Secure router configuration is a must when routers are deployed. A secure router configuration is one where malicious or unauthorized route changes are prevented. To do this, complete the following steps: Configure the router's administrator password to something unique and secret. Configure the router to ignore all Internet Control Message Protocol (ICMP) type 5 redirect messages. Implement a secure routing protocol that requires authentication and data encryption to exchange route data. Configure the router with the IP addresses of other trusted routers with which routing data can be exchanged.

Answer 42

chmod u=rwx,g=rx,o=r Tablemaker Explanation: chmod is the command and system call which is used to change the access permissions of file system objects (files and directories). The name of the command is an abbreviation of change mode. The characters r, w, and x stand for read, write, and execute. The categories can have all three privileges, just specific ones, or none at all (represented by –, for denied). Users that have reading permission can see the content of a file (or files in a directory). However, they cannot modify it (nor add/remove files in a directory). On the other hand, those who have writing privileges can edit (add and remove) files. Finally, being able to execute means the user can run the file. This option is mainly used for running scripts. The file owner’s permissions are indicated by everything after the u in the command. Then there are the permissions for members of the group indicated by g, and all others are indicated by an o. The permissions after each = dictate which privileges each type of user has access to.

Answer 43

syslog Explanation: Syslog is a protocol that is used to consolidate event information from multiple devices on a network into a single storage location. Syslog works on an extremely wide variety of different types of devices and applications, allowing them to send text-formatted log messages to a central server known as a syslog server. The syslog service itself relies greatly upon having a syslog server of some kind to receive, store, and interpret syslog messages. This is a necessity because a device or application being able to send log event messages is of little use if there's nothing in place to receive and view them.

Answer 44

PCI-DSS (Payment Card Industry - Data Security Standard) Explanation: PCI-DSS stands for the Payment Card Industry Data Security Standard, which applies to merchants, cardholder organizations, or any entity that stores, processes, or transmits cardholder data. The PCI-DSS aims to protect organizations and their customers from credit card fraud. Organizations should recognize that PCI-DSS requires that organizations that process cardholder information maintain confidentiality through data encryption, integrity through hashing, availability through fault tolerance and appropriate permissions to data, which makes up the CIA triad. The Health Insurance Portability and Accountability Act (HIPAA) is a federal US act put in place in 1996. This law required the establishment of national standards to safeguard sensitive patient health information (PHI) from being disclosed without the patient’s consent or knowledge. GLBA is the Gramm-Leach-Bliley Act, also known as the Financial Modernization Act of 1999. It is a federal act that applies to any financial organizations such as banks, investment companies, credit card companies, etc., along with insurance companies in the United States. This act makes it so these financial or insurance organizations have to explain their information sharing practices to their customers and maintain a safeguard of customer’s sensitive data. GDPR is a European act that applies to any company that collects or processes personally identifiable information (PII) of the citizens of the EU. GDPR stands for the General Data Protection Regulation. The law also addresses the transfer of personal data outside of the EU and EEA areas.

Answer 45

Misconfiguration/Weak Configuration Explanation: If a user modifies a browser's security settings to make it more convenient to visit web sites, such as turning off pop-up blockers and anti-phishing controls, this is an example of weak configuration. Misconfiguration and weak configuration can have a severe impact on the entire organization. Misconfiguration, such as not changing the default administrative user name or password, can also have a significant impact. A SQL injection is an example of improper input handling, and the impact can include data destruction or unfettered access to the database. Inputs should be checked for common SQL injection symbols. Other examples of improper input handling include failure to validate the type of data in an input field, the length of the data, and proper date ranges. Improper error handling could allow an attacker to crash a program. Error checking should be built into every module or code function. An error should not result in a crashed application, but rather generate an error message. Systems and components, such as routers, should never be deployed with the default configuration enabled. As an example, many SOHO users are thrilled that they got their new wireless network to finally communicate "out of the box." As a result, they do not change the default administrator information, leaving their network wide open for attack.

Answer 46

A user accesses a financial organization's site using his/her login credentials. Explanation: Cross-site scripting (XSS) poses the most danger when a user accesses a financial organization's site using his or her login credentials. The problem is not that the hacker will take over the server. It is more likely that the hacker will take over the client's session. This will allow the hacker to gain information about the legitimate user that is not publicly available. To prevent XSS, a programmer should validate input to remove hypertext. You can mitigate XSS by preventing the use of HTML tags or JavaScript image tags. While the other situations can result in an XSS attack, these situations do not pose as much danger because it is unlikely that any real-world information will be obtained. There are different steps organizations and security professionals can take to protect against XSS attacks. For regular users, you should restrict untrusted JavaScript, use built-in browser protections, restrict external Web sites from requesting internal resources, and maintain system updates and patches. Developers should use whitelisting/blacklisting, OWASP Enterprise Security API (ESAPI), Microsoft AntiXSS Library, and Web vulnerability scanners. Network administrators should White Trash Squid Web Proxy plug-ins and Web Application Firewalls (WAFs). Finally, another technique is to coordinate between the Web application and the client browser to separate user-supplied data from web application HTML using a content security policy (CSP).

Answer 47

Untrained Users Explanation: Untrained users are often the most vulnerable point in an organization’s security chain and represent the biggest vulnerability. It is impossible for users to adhere to an organization's information security polices if they are not aware of them. It is also impossible for the user to implement a security procedure without being trained on how to do so. Without the proper user training, even the most sophisticated defense an organization can purchase may be rendered useless. Keeping end-of-life systems active in the network, such as running an outdated operating system, can create system-wide vulnerabilities. As an example, new malware attacks would be particularly effective on systems that are running Windows 7 after Microsoft discontinued security updates for it. Embedded systems are smaller computer systems, perhaps even a chip, that are used as component of a larger system. They may be used in industrial controls, smart homes, manufacturing, and even printers. Consider the impact of a networked printer that does not have the appropriate security controls updated on the firmware. Lack of vendor support can be particularly harmful. A vendor should be responsible for providing security updates for issues that are discovered. Failure of the vendor to do so provides an attacker with the opportunity to exploit a system vulnerability.

Answer 48

Clickjacking Explanation: Clickjacking involves putting a transparent button over an existing button (or image) on a web page. When the victim clicks the button, instead of going to the website they intended, they are routed to a different site where the attacker captures personal information. Amplification attacks are often part of a DDoS attack, usually associated with UDP protocols. The goal of this attack is to turn a simple query, such as DNS or NTP, into a flood of responses that overwhelms the victim's network resources. Pass the hash attacks exploit authentication protocol weaknesses, where the password hash remains the same between sessions until the password value changes. Driver manipulation attacks change the information provided to a device driver. This results in the driver not being used at all or performing with unexpected results. Other types of application/service attacks include shimming, refactoring, and MAC spoofing. Shimming is a form of driver manipulation. An API library is created that changes the arguments (parameters) passed to the driver, bypasses the driver, or has the API deal with the driver operation. Refactoring identifies the flow within an application's code and changes the code without changing how the code appears to function. This is often used to identify exploitation opportunities in a weak area of an application's code. MAC spoofing involves manipulating the MAC address, or unique identifier, of the network interface card on a device. The attacker substitutes a MAC address of his choosing instead of using the hard-coded MAC address. This can often be done through NIC adapter settings, or through a registry entry.

Answer 49

Production Honeypots mitigate Risks to production systems by aiding in attack prevention, detection, and response. Research Honeypots are information-gathering resources. Explanation: Production honeypots are the most common type of honeypot, especially among businesses and organizations. They mitigate risks to production systems by aiding in attack prevention, detection, and response within the organization’s production network. Research honeypots are information-gathering resources that are used to gather information about the specific methods and tactics hackers use. Research honeypots collect information about attacks and vulnerabilities as well.

Answer 50

Telnet -- Port 23 FTP -- Port 20 (File Transfer Protocol) DNS -- Port 53 (Domain Name System) HTTP -- Port 80 (Hyper Text Transfer Protocol) SMTP -- Port 25 (Simple Mail Transfer Protocol) FTP also uses Port 21.

Answer 51

ipconfig command Explanation: ipconfig /release - to release your computer's DHCP lease ipconfig /renew - to renew your computer's DHCP lease. Other commands that you need to be familiar with include: Netstat – displays network connections, routing tables, and protocol statistics Nslookup – queries DNS servers on Windows computers. Dig – queries DNS servers on Linux/Unix computers Tcpdump – allows the user to display packets being transmitted or received over a network Nmap – discovers hosts and services on a computer network and builds a map of the network Netcat – reads and writes from TCP and UDP sockets

Answer 52

VPN (Virtual Private Network) Explanation: A virtual private network (VPN) is not a physical network. In a VPN, a public network, such as the Internet, is used to allow secure communication between companies that are not located together or between private networks. A VPN transports encrypted data. A Virtual LAN (VLAN) allows networks to be segmented logically without physically rewiring the network. A VLAN is an excellent way to provide an added layer of security by isolating resources into separate subnets. If a small company purchases an all-in-one wireless router/switch and has two Web servers, and it needs to protect from access by BYOD, you could create a server VLAN and place an ACL on the Web servers. An extranet enables two or more companies to share information and resources. While an extranet should be configured to provide the shared data, an extranet is only a Web page. It is not actually responsible for data transmission. An extranet has a wider boundary than an intranet. A certificate server provides certificate services to users. Certificates are used to verify user identity and protect data communication. VPNs use what is known as a tunneling protocol for the secure transfer of data using the Internet. A common tunneling protocol for this purpose is Point-to-Point Tunneling Protocol (PPTP). The term "tunnel" refers to how the information is privately sent. Data being sent is encapsulated into what are called network packets. Packets are encrypted from where they originate before they are sent via the Internet. The information travels in an encrypted, or non-readable, form. Once the information arrives at its destination, it is then decrypted. By using a VPN, a company avoids the expense of leased lines for secure communication, but instead can use public networks to transfer data in a secure way. Client computers can connect to the VPN by dial-up, DSL, ISDN, or cable modems. An intranet is a local area network (LAN) add-on that is restricted to certain users, usually a company's employees. The data contained on it is usually private in nature.

Answer 53

Dynamic KBA (Knowledge-based Authentication) Explanation: Dynamic KBA (Knowledge-based authentication) comes in two forms. The most basic is static KBA, also called shared secrets. This is what you commonly deal with when you forget your email password. The user verifies their identity through the use of a security question with a static answer that the user supplied when they made their account. Dynamic KBA is a bit more invasive. Just like with static KBA, the user's identity is verified with questions, but rather than those questions being pre supplied, these questions are generated based on the user's public and private data such as credit reports or transaction history. Therefore, the answers to these dynamic questions could not be found in a stolen wallet or purse, making it difficult for anyone other than the actual person to know the correct answer.

Answer 54

NAC -- (Network Access Control) A Network Server that ensures that all Network devices comply with an organization's Security policy. DMZ -- (Demilitarized Zone) A Network that is isolated from other Networks using a Firewall. VLAN -- (Virtual Local Area Network) A Network that is isolated from other Networks using a Switch. NAT -- (Network Address Translation) A transparent Firewall solution between Networks that allows multiple internal computers to share a single internet interface and IP address.

Answer 55

Zero-Day Vulnerability Explanation: Zero-day vulnerabilities are often unknown or known only to an attacker who is able to exploit that vulnerability. Patches are not readily available until the manufacturer can develop a solution. A SQL injection describes an input validation issue in the front-end of an application that allows attackers to directly manipulate the underlying data source using structured query language (SQL). A distributed denial-of-service (DDoS) attack uses multiple sending devices to take a single host or group of hosts offline. The sending devices are typically a group of compromised devices, known as a botnet, that are controlled by central Command and Control (C&C) server.

Answer 56

A Replay Attack Explanation: Digital timestamps prove helpful in preventing replay attacks. In a replay attack, the attacker monitors the traffic stream in a network. The attacker maliciously repeats or delays the transmission of valid data over the network. Setting a threshold time value on each system ensures that the computer only accepts packets within a specified time frame. A packet received after the specified time will indicate the chances of a replay attack. Digital timestamps are attached to a document at document creation. In a side channel attack, the attacker gains information about the encryption algorithms from the cryptosystem that is implemented in the network. The attacker can use information, such as power consumption, electromagnetic radiations, and sound to break into a system. The side channel attack can also be based on the measurement of time taken to perform a computation. A ciphertext-only attack is primarily focused on discovering the encryption key by gathering multiple encrypted messages and then trying to deduce a pattern from the encrypted messages. A known-plaintext attack primarily focuses on the discovery of the key used to encrypt the messages. The key can be used to decrypt and read messages. The attacker has access to multiple instances of plaintext and ciphertext for several messages.

Answer 57

OCSP (Online Certificate Status Protocol) Explanation: Online Certificate Status Protocol (OCSP) is a real-time protocol for validating keys. OCSP is replacing CRL, which takes 24-48 hours to broadcast. Object identifiers (OID) are optional extensions for X.509 certificates. They are dotted decimal numbers that would assist with identifying objects. A certificate signing request (CSR) is typically one of the first steps in getting a certificate for authentication from a certificate authority (CA). A certificate revocation list (CRL) is a method for listing certificates that have expired, been replaced, or were revoked. A web browser, for example, would check a CRL to verify whether or not the responding server is authentic. A CRL takes 24-48 hours to broadcast, which could cause an invalid key to be accepted.

Answer 58

Holds event messages that are valuable for troubleshooting both Security and performance issues. Explanation: Syslog stands for System Logging Protocol and is a standard computing protocol used to send system log or event messages to a specific server, which is referred a syslog server. It is primarily used to collect and store a variety of device logs, such as security and performance events from several different machines, in a central location for monitoring and review purposes. Microsoft scheduler and cron on Unix-like systems can be used to schedule maintenance tasks, while their logs can be used to verify when those tasks were performed. The Internet time service (ITS) and network time protocol (NTP) are used to synchronize world clocks.

Answer 59

Change Management Explanation: Change management stipulates that multiple modifications to a computer system should NOT be made at the same time. This makes tracking any problems that can occur much simpler. Change management includes the following rules: Distinguish between your system types. Document your change process. Develop your changes based on the current configuration. Always test your changes. Do NOT make more than one change at a time. Document your fallback plan. Assign a person who is responsible for change management. Regularly report on the status of change management. All changes made to your network and computers should be documented in the change management system. An appropriate change management system can help to prevent against ad-hoc configuration mistakes. Due diligence is the investigation of a business, person, or act prior to signing a contract or committing the act. Due care is the normal care that a reasonable entity would exercise over that entity's property. As part of due care, an organization is responsible for implementing policies and procedures to prevent data loss or theft. Acceptable use is employee or customer usage of company resources that is allowed and defined in a contractually binding document, referred to as an acceptable use policy. Incident management is a facet of risk management that is similar to change management. Incident management refers to the activities of an organization to identify, analyze, and correct risks as they are identified.

Answer 60

Quantum computers can perform complex mathematical operations faster than classical computers with comparable resources. Explanation: Quantum computers are able to perform complex mathematical operations much faster than classical computers can, even with comparable resources. Security experts believe that all public-key encryption schemes can be defeated by a quantum computer with reasonable computational resources. It is important to note that quantum computing does not impact the strength of hashing or symmetric encryption algorithms, because those algorithms do not rely on complexity the way that asymmetric encryption does.

Answer 61

Audit Logs Explanation: You should implement audit logs to document actions taken on a computer network, along with the parties responsible for those actions. In order to ensure the integrity of audit logs, proper identification and authentication should be required on a network. If an audit log is lost or compromised, then a company might not be able to prosecute hackers who attack or attempt to attack a network. Regular backups on backup tapes can help protect a company against data loss. Encryption algorithms can be used to encrypt files to protect the confidentiality of the information contained in encrypted files. Smart cards are physical cards that contain digital authentication information and encryption keys that can be used to gain entry to restricted areas and computer systems. For the Security+ exam, you need to understand permission auditing and review and usage auditing and review. Permission auditing and review ensures that users have the appropriate permissions to complete the tasks that are part of their job. By implementing permission auditing and review, you ensure that privilege creep does not occur. Usage auditing and review ensures that accounts are still being used. By implementing usage auditing and review, you ensure that accounts that are no longer in use are disabled.

Answer 62

Deception Explanation: A honeypot is a deception method of active response to a hacker attack. In a deception response, a hacker is led to believe that he or she has infiltrated a network while information is being gathered about the attack. A honeypot is a computer on a network that is configured to lure hacker attacks so that the attacks can be studied, and the intruder can be caught. Another term that you need to understand is a honeynet. A honeynet is a network that is configured to lure hackers so that attacks can be studied. Honeynets usually contain honeypots. An administrator should implement honeypots and honeynets to research current attack methodologies. A honeynet is more efficient than penetration tests, firewall logs, and IDSs when gathering intelligence about the types of attacks being launched against an organization. Reconfiguration of a network can be used to close potential avenues of attack. Termination of a process or connection that a hacker is currently using might also counteract a hacker attack. An active response to an attack prevents or contains the attack. A passive response to an attack just collects data about the attack for later review. Active tools are better for handling the attacks but are often more expensive than passive tools.

Answer 63

Versioning Control Explanation: In all stages of application development, version control is essential. Version control allows you to manage changes to files over time and store these revisions in a database. Changes one developer made should not necessarily be wiped out by the changes another developer presents, especially if it was meant to be only a temporary modification for testing purposes. Any integration errors should be rolled back, so that they do not cause the entire application to fail. The resolution is to have a version control system that manages those changes across the development team and process stages. Unit testing occurs on each component of an application to ensure that the expected outputs occur based on given inputs. Integration testing verifies that each component works together in the overall application. After deployment to a staging or production environment, monitoring will assist in tracking performance requirements and runtime issues.

Answer 64

Database View Explanation: The database security feature that provides this granular access control are database views. Database views are used to limit user and group access to certain information based on the user privileges and the need to know. Views can be used to restrict information based on group membership, user rights, and security labels. Views implement least privilege and need-to-know and provide content-dependent access restrictions. Views do not provide referential integrity, which is provided by constraints or rules. A save point does not provide granular access control. Save points ensure data integrity and availability but are not a database security feature. Save points are used to ensure that a database can return to a point when the system crashes. This further ensures the availability of the data prior to the database failure. Save points can be initiated either at a scheduled time or by a user action during data processing. Database integrity can also be provided through the implementation of referential integrity, where all the foreign keys reference the existing primary keys to identify the resource records in a table. Referential integrity requires that for any foreign key attribute, the referenced relation must have a tuple with the same value for its primary key. Partitioning does not provide granular access control. Partitioning is another protection technique of ensuring database security. Partitioning involves splitting the database into many parts. Partitioning makes it difficult for an intruder to collect and combine confidential information and deduce relevant facts. Noise and perturbation do not provide granular access control. The noise and perturbation technique deploys the insertion of bogus data to mislead attackers and protect database confidentiality and integrity. The noise and perturbation technique involves inserting randomized bogus information along with valid records of the database. This technique alters the data but allows the users to access relevant information from the database. This technique creates enough confusion for the attacker to extract confidential information. Database views are an example of content-dependent access control in which the access control is based on the sensitivity of information and the user privileges granted. This leads to a higher overhead in terms of processing because the data is granularly controlled by the content and the privileges of users. Database views can limit user access to portions of data instead of to the entire database. For example, during database processing in an organization, a department manager might have access only to the data of employees belonging to that department.

Answer 65

when the result of running the ipconfig /all command indicates a 169.254.163.6 address when recent scope changes have been made on the DHCP server Explanation: It would it be appropriate to issue the ipconfig command with the /release and /renew options in the following situations: When the result of running the ipconfig /all command indicates a 169.254.163.6 address When recent scope changes have been made on the DHCP server When a computer has an address in the 169.254.0.0 network, it indicates that the computer has not been issued an address from the DHCP server. Instead, the computer has utilized Automatic Private IP Addressing (APIPA) to issue itself an address. If the reason for this assignment is a temporary problem with the DHCP server or some other transitory network problem, issuing the ipconfig /release command followed by the ipconfig /renew command could allow the computer to receive the address from the DHCP sever. Similarly, if changes have been made to the settings on the DHCP server, such as a change in the scope options (such as gateway or DNS server), issuing this pair of commands would update the DHCP client with the new settings when this address is renewed. These commands will have no effect if no IP helper address has been configured on the router between the client and the DHCP server. An IP helper address can be configured on the local interface of a router when no DHCP server exists on that subnet and you would like to allow the router to forward DHCP DISCOVER packets to the DHCP server on a remote subnet. DHCP DISCOVER packets are broadcast, and routers do not pass on broadcast traffic by default. These commands will have no effect if the no ip directed-broadcast command has been issued in the router interface that is local to the client, and an IP helper address has not been configured on the router between the client and the DHCP server. The no ip directed-broadcast command instructs the router to deny broadcast traffic, which is the default behavior. Under those conditions, the command will not result in finding the DHCP server or receiving an address.

Answer 66

OTP (One-Time Pad) Explanation: A one-time pad (OTP) is an encryption method designed to be used only once. An OTP is a random number that is used to encrypt only one document. The OTP must be used to decrypt a file that was encrypted with the OTP. Data Encryption Standard (DES) is a private key encryption algorithm. A substitution cipher is an encryption method that substitutes one character with another character in a particular pattern. For example, the Caesar cipher is a substitution cipher that replaces a letter with a letter that appears three letters later in the alphabet. For example, in the Caesar cipher, the letter J is replaced with the letter M.

Answer 67

Wearable Technology Explanation: Wearable technology transmits data via Wi-Fi or Bluetooth to a host device, and as such is subject to data interception and attack. In addition to being subject to attack, wearable devices such as voice recorders, video recorders, and hidden cameras can also be used by an attacker to gain information. Unmanned Aerial Vehicles (UAVs) or drones are often controlled remotely, which is an inherent security risk. Aircraft/UAVs have multiple embedded systems, ranging from navigation to fuel control and ordnance delivery. Significant security systems must be incorporated to prevent these airborne vehicles from being compromised. UAVs only use Wi-Fi to communicate. Medical devices are a risk. They can be manipulated to report false data, resulting in harm to the patient. They can also be manipulated to provide the wrong level of service to a patient, such as the flaw that was announced by the FDA with pacemakers whereby unauthorized users could manipulate the heartbeat rate or cause the battery to drain at a faster rate. Medical devices usually only use Wi-Fi. Bluetooth, or a wired connection to communicate. Personal vehicles with embedded technology are susceptible to hackers. As an example, an air pressure sensor on a tire can be manipulated to show a low-pressure alert. When the consumer fills the tire sufficiently so that the alert stops, the tire is now overinflated. This can cause the tire to explode at highway speeds. Recently, security professionals have even demonstrated hacking into an automobile and driving it. Personal vehicles usually use satellite or cellular communication.

Answer 68

Proprietary Explanation: Proprietary data is data that an organization owns that gives the organization a competitive advantage. This classification is used most in the private sector. Proprietary information are things like company secrets, like a famous recipe or a process that a company has developed and maintains on its own. It is information developed, created, conveyed to, or discovered by the organization, that has commercial value in the organization’s business.

Answer 69

HSM (Hardware Security Module) Explanation: An HSM, or a hardware security module, is a specialized, highly trusted physical device which performs all major cryptographic operations, including encryption, decryption, authentication, key management, key exchange, and more. HSMs are dedicated security devices, with the sole objective of hiding and protecting cryptographic objects. If the existing client machines do not currently have any cryptoprocessors, they need to have an HSM installed to be able to implement the key-based authentication method for the SFTP server.

Answer 70

Secure Code Review Explanation: Secure code review examines all written code for any security holes that may exist. Secure code review should occur initially in software development. Secure coding concepts include exception handling, error handling, and input validation. During the system development life cycle (SDLC), secure coding concepts are included as part of application hardening. Baseline reporting ensures that security policies are being implemented properly. By providing baselines, gap analysis can determine if the current configuration has been changed in any way. Review design includes any steps you take to review the design of your network, devices, and applications. It often involves examining the ports and protocols used and the access control practices implemented. Vulnerability scanning looks for weaknesses in applications, devices, and networks. You can also determine the attack surface and review architecture to help with the assessment. While both of these will allow you to identify areas where attacks may occur, they each assess different aspects. Determining the attack surface will help you identify the different components that can be attacked and reviewing the architecture will help you identify network architecture security issues. For the Security+ exam, you must understand that all environments that you work in must be secured. All security patches and controls should be deployed in all physical and virtual environments, including the development, test, staging, and production environments. If you use smart card authentication in your production environment, you should also deploy it in the development, test, and staging environment so that all development, testing, and staging occurs in an environment that is identical to the production environment.

Answer 71

SHA-1 (Secure Hash Algorithm-1) Explanation: Secure hash algorithm (SHA)-1 is a hashing algorithm that creates a message digest, which can be used to determine whether a file has been changed since the message digest was created. An unchanged message should create the same message digest on multiple passes through a hashing algorithm. Advanced Encryption Standard (AES), Data Encryption Standard (DES), and International Data Encryption Algorithm (IDEA) are secret key encryption standards that are used to encrypt files.

Answer 72

Snapshots Explanation: A snapshot is an image of the system at a given point in time. If a system crashed, restoring the snapshot would be the fastest way to restore the system. Differential backups begin with a full backup. On each day thereafter, you would back up all of the changes that had occurred since the last full backup. The order of restoration would be to restore the last full backup first, and then to restore the most recent differential backup. Incremental backups begin with a full backup. On each day thereafter, you would back up that day's changes. The order of restoration would be to restore the last full backup first, and then to restore each day's incremental backup in order from oldest to newest. Performing a full restoration using a full backup takes longer than restoring from a snapshot. The order of restoration if you did not have the appropriate backups would be to reinstall the OS, reinstall the applications, and then reinstall the user data.

Answer 73

All of these options. Explanation: You should consider all of these requirements when choosing a mail gateway: spam filters, data loss prevention (DLP), and encryption. Spam filters trap undesirable email before it reaches the user's inbox. Such filters could include country of origin, key words in the subject line, specific IP addresses, or blacklisted mail domains. If your organization implements a DLP system, you can prevent users from transmitting confidential data to individuals outside the company. DLP systems incorporate a number of data protection processes. These processes can include prevention from unauthorized access, protecting data from modification or destruction, or keeping data from leaving the network. Encryption can be a critical component and feature of a mail gateway. Encryption on a mail gateway would scramble the outgoing message, making it unreadable to someone who intercepts the message. For the Security+ exam, you should also understand the installation and configuration of media gateways, SSL/TLS accelerators, and SSL decryptors. Media gateways perform the same function as mail gateways but work with multimedia communication. SSL/TLS accelerators alleviate the load on the processor during encryption. They transfer the encryption process to a separate device, typically a PCI card, for encryption. SSL decryptors decrypt incoming traffic, examine that traffic, and re-encrypt it before it goes back out on the network. While this does put extra load on the processor, it prevents the instance where a problem was not intercepted due to an encrypted packet.

Answer 74

the average amount of time from one failure to the next. Explanation: The mean time between failures (MTBF) is the average amount of time from one failure to the next. The MTBF is usually supplied by the hardware vendor or a third party. The mean time to repair (MTTR) is the estimated amount of time that it will take to repair a piece of equipment when failure occurs. None of the other options is correct.

Answer 75

Passive Reconnaissance Explanation: Passive reconnaissance detects vulnerabilities through techniques such as social engineering, accessing supposedly confidential information on publicly available databases, dumpster diving, and shoulder surfing. Active reconnaissance accesses the system directly to detect vulnerabilities. Tools and techniques such as network mapping, port scans, and network sniffing are used to test the system and identify potential sources of attack. Pivots use a compromised system to attack another system. Initial exploitation compromises one system so that it can be used in a pivot test against another system. Persistence is when the compromised system is used in an attack at some point after the initial exploitation occurred. An example of persistence would be when a student's notebook computer contracts malware at a coffee shop, but the school network is not affected until the student logs in to the school network.

Answer 76

Impact Explanation: Impact is a description of the cost to an organization due to an adverse event, such as the harm caused from an exploited vulnerability. Risk is the probability of an adverse incident occurring and its impact. A threat is an adverse action made possible by the presence of a vulnerability. Likelihood is a description of the probability of an adverse event.

Answer 77

Input Validation Explanation: Input handling means that every input is validated against a range of acceptable values. If the input does not match that range of values, the input is rejected, and an error message is generated. Program crashes occur when an invalid input produces unexpected results. Proper input validation is essential in any application development project. Stored procedures are a series of SQL statements that are executed as a group and are similar to scripts. Using properly written stored procedures protects the database from damage caused by poorly written SQL statements and SQL injection attacks, not invalid input. Encryption should be used in software development, as well as network traffic, to protect data being stored or transmitted. Encryption protects existing data, but does not guard against improper input. Provisioning and deprovisioning allocate resources based on demand for those resources. Neither concept is related to input validation. Other secure coding techniques and issues include code signing, obfuscation, camouflage, code reuse, dead code, server-side versus client-side execution and validation, memory management, third-party SDKs, and data exposure. Code signing embeds a digital signature into a piece of software, and is often used with device drivers. Validating the signature would verify that you are installing software that is from the vendor and not lookalike malware. Obfuscation and camouflage are closely related. Obfuscation means to make something difficult to understand, and camouflage means to hide something among its surroundings and make it more difficult to detect. The purpose of both is to make it more difficult for someone to tamper with code or reverse engineer the code. Code reuse and dead code are closely related. Attackers can reuse code that was developed for another purpose. In some cases, the code being reused is no longer valid or outdated. If the code is outdated, it is called dead code. When comparing server-side versus client-side execution and validation, server-side execution and validation happen on the server when the data returns to the server. Client-side validation occurs on the browser on the client machine. Client-side validation provides a quicker response than server-side validation and does not generate a lot of overhead on the server. With that said, however, the browser needs to monitor for malicious code. Memory management watches for things like memory leaks. Memory leaks can be caused by a programmer failing to free up memory once the process using that memory has been completed. C and C++ are particularly prone to memory leaks. Use of third-party libraries and software development kits (SDKs), while common, present security vulnerabilities. A flaw in an SDK can result in issues in every application that SDK was used to develop. Data exposure occurs when there are not sufficient safeguards on a database. Failure to protect your database can result in data hijacking and injection attacks.

Answer 78

SIEM (Security Information and Event Management) Explanation: A Security Information and Event Management (SIEM) system collects data from the different security devices in the system, such as firewalls and IPSs, and then aggregates the log files for analysis. It provides predictive trend analysis, behavior analytics, alerts, and even helps you comply with regulations like SOX and HIPAA. Automated alerting and triggers are a SIEM feature that allow the system to react based on predetermined criteria. A network intrusion detection system (NIDS) is a system that operates on the network and detects attacks on that network. A network intrusion prevention system (NIPS) is a system that also operates on the network and detects attacks but can also prevent them before an attack can be executed on the network.

Answer 79

MAC Filtering Explanation: To increase the security of this wireless network, you should configure Media Access Control (MAC) filtering. With this filtering, the MAC address of each network interface card (NIC) that attempts to connect to the network is checked. Only MAC addresses that are specifically allowed connection are granted connection. When configuring MAC filtering, you should set up an access control list (ACL). Some access points also allow you to configure MAC filtering for those addresses that should be denied access. But always keep in mind that the MAC addresses will need to be entered manually. MAC filtering is easily vulnerable to spoofing because MAC address information is sent unencrypted. An attacker then discovers the address and impersonates an approved device. If a user is able to connect to a wireless network using one mobile device but not another, the most likely cause is that MAC filtering is enabled. MAC filtering can be used to both allow access and deny access. The following examples are both types of entries on a router: PERMIT 0A:1:FA:B1:03:37 and DENY 01:33:7F:AB:10:AB. A service-set identifier (SSID) broadcast actually decreases security in a wireless network. If the SSID is broadcast, any wireless NICs in the proximity can locate the network. If you disable SSID broadcast, you increase the security of your network, and users will have to type the SSID to connect. However, it does not prevent invalid devices from connecting to the network. War driving is a technique used to discover wireless networks. Once intruders locate your wireless network, they attempt to hack into your system. Rogue access points are wireless access points that have been connected to your network without authorization. This decreases the security of your network. A site scan can be used to determine if you have rogue access points. For example, if your company is located in a building with three wireless networks, you have a rogue access point if a quarterly scan showed the following results: CorpPrivate – Connected Channel 1 - 70dbm CorpPublic – Connected Channel 5 - 80dbm CorpResearch – Connected Channel 3 - 75dbm CorpDev – Connected Channel 6 - 95dbm Radio frequency interference (RFI) can cause wireless network problems. It can come from cordless phones, microwaves, and other equipment. For example, if your wireless network is frequently dropping connections, you could have a cordless phone interfering with the wireless access point.

Answer 80

BitLocker Explanation: BitLocker drive encryption works with TPM hardware. TPM is a hardware chip that stores encryption keys. The BitLocker technology encrypts drive contents so that data cannot be stolen. BitLocker can encrypt both user and system files. BitLocker is enabled or disabled by an administrator for all computer users and provides full disk encryption. TPM and hardware security module (HSM) both provide storage for the Rivest, Shamir, and Adleman (RSA) algorithm and may assist in user authentication. TPM is usually included with computers and can be deployed easier than HSM. None of the other options works with TPM hardware. Encrypting File System (EFS) encrypts the contents of a disk. However, EFS is enabled on a per-user basis and can only encrypt files belonging to the user that enabled EFS. EFS does not require any special hardware or administrative configuration. New Technology File System (NTFS) is the 32-bit file system used by Windows operating systems. Internet Protocol Security (IPSec) is a protocol that protects communication over a network.

Answer 81

Asymmetric with Authentication Explanation: RSA is an example of asymmetric cryptography with authentication. RSA is used as the worldwide de facto standard for digital signatures. RSA is a public key algorithm that provides both encryption and authentication. It relies on the hacker's inability to factor large prime numbers. Asymmetric algorithms include Diffie-Hellman, RSA, ElGamal, Elliptic Curve Cryptosystem (ECC), CAST, and Knapsack. Symmetric algorithms include Data Encryption Standard (DES), Triple DES (3DES), Advanced Encryption Standard (AES), International Data Encryption Algorithm (IDEA), Blowfish, RC4, RC5, and RC6. Symmetric algorithms are sometimes called block ciphers. RSA does not deal with discrete logarithms. The security that RSA provides is based on the use of large prime numbers for encryption and decryption. It is difficult to factor large prime numbers. Therefore, it is difficult to break the encryption. RSA can prevent man-in-the-middle attacks by providing authentication before the exchange of public and private keys. The key is securely passed to the receiving machine. Therefore, public key cryptography is preferably used to secure fax messages. RSA requires higher processing power due to the factorability of its numbers but provides efficient key management.

Answer 82

HSM (Hardware Security Module) Explanation: An HSM, or a hardware security module, is a specialized, highly trusted physical device which performs all major cryptographic operations, including encryption, decryption, authentication, key management, key exchange, and more. HSMs are dedicated security devices, with the sole objective of hiding and protecting cryptographic objects. If the existing client machines do not currently have any cryptoprocessors, they need to have an HSM installed to be able to implement the key-based authentication method for the SFTP server.

Answer 83

Controller-based Explanation: A controller-based WAP allows you to manage all the WAPs in the network from a centralized location. This would allow you to configure consistent settings for updates and policies. When comparing fat vs. thin access points, thin access points allow for configuration from a switch or router, and fat access points are typically stand alone and require manual configuration. While a standalone WAP might allow you to manage it remotely, it does not allow management of several WAPs from a single location. Each standalone WAP has its own management interface. When comparing controller-based vs. stand-alone WAPs, controller-based WAPs are easier to configure remotely and do not require manual configuration.

Answer 84

DNSSEC -- Secure Domain Name Resolution DHCP -- Network Address Allocation HTTPS -- Secure Web Access Secure NTP -- Secure Time Synchronization Secure POP3 -- Secure Email Download

Answer 85

Virtual Machines Explanation: RedPill and Scooby Doo attacks target virtual machines. These attacks attempt to detect virtual servers and machines on a network. Once the virtual machines are identified, various techniques are used to attack the virtual machines to breach the host and eventually the network. RedPill and Scooby Doo attacks do not target Windows Server 2016 computers, Windows 10 clients, or terminal servers, unless these computers are virtualized. Virtual machines are usually implemented within an organization so that the organization can internally manage them. Cloud computing differs from virtual computing in that cloud computing is usually physically managed by an outside entity. An organization pays the cloud computing organization for rights to use portions of the organization's cloud. However, the organization that is leasing the cloud is never really in physical control of the data.

Answer 86

HIPS (Host Intrusion Prevention System) Explanation: You should implement a Host Intrusion Prevention System (HIPS) to prevent intrusions on a single server or computer. A Host Intrusion Detection System (HIDS) detects intrusions on a single server or computer. A Network-based Intrusion Detection System (NIDS) detects intrusions on a network. A Network-based Intrusion Prevention System (NIPS) prevents intrusions on a network. Intrusion prevention systems (IPS) and intrusion detection systems (IDS) work together to complement each other. IPS systems can block activities on certain Web sites. Users may be allowed to access the sites but may be prevented from accessing certain features within the site. In other cases, the entire site may be blocked, depending on the security requirements for the organization. IDS systems detect security breaches and alert administrators of the breaches. They cannot block access to any specific site or entity.

Answer 87

Code Signing Explanation: You should use a code signing certificate. Code signing certificates are used for code that is distributed over the Internet, including programs or applications. Code signing certificates verify the code's origin and help the user trust that the claimed sender is indeed the originator. Email certificates are used to secure email. One such example is Secure Multipurpose Internet Mail Extensions (S/MIME), which provides a digital "signature" for that email. User certificates are assigned to individual users, much like machine/computer certificates are assigned to individual machines. Users must provide their assigned certificate for authentication prior to accessing certain resources. Root certificates define the root CA and validate all other certificates issued by that CA. They are at the top of the CA hierarchy. They are self-signed and are closely guarded. You should also be familiar with SAN fields, machine/computer certificates, domain validation certificates, and extended validation certificates. Subject Alternative Name (SAN) is a field in the certificate definition that allows you to stipulate additional information, such as an IP address or host name, associated with the certificate. Machine/computer certificates are assigned to a designated machine. During authentication, the computer (or machine) requesting access must supply the certificate assigned to it. Domain validation certificates are very common. They are low-cost and are often used by web admins to offer TLS to a domain. They are validated using only the domain name. Extended validation certificates, as the name suggests, provide additional validation for HTTPS web sites. The certificate provides the name of the legal entity responsible for the web site. These certificates provide a higher level of trust than domain validation and require the most effort by the CA to validate. They are validated using more information than just the domain.

Answer 88

Memory Leak Integer Overflow Pointer Dereference Buffer Overflow Explanation: All of the listed options may result from poor programming processes. Memory leaks can be caused by a programmer failing to free up memory once the process using that memory has been completed. C and C++ are particularly prone to memory leaks. Integer overflows happen when a number too large to fit into the data type "integer" is not rejected and is allowed to corrupt the program. Dangling pointer dereferences occur when a pointer (which points to the proper memory location) has the reference changed. This results in the pointer pointing to an inaccurate value. A buffer overflow is an example of improper input handling being allowed by the application code, and the impact can include crashing the application. Other examples of improper input handling include failure to validate the type of data in an input field, the length of the data, proper date ranges.

Answer 89

A syslog Server makes it easier to coordinate events and combine information into a single log. Explanation: Syslog stands for System Logging Protocol and is a standard computing protocol used to send system log or event messages to a specific server which is referred a syslog server. It is primarily used to collect and store a variety of device logs such as security and performance events from several different machines in a central location for monitoring and review purposes. Using a syslog server makes it much easier to coordinate events and combine information into a single comprehensive log. A syslog does provide the other features, but only because it coordinates events across multiple systems into a central log.

Answer 90

It is low maintenance. Explanation: The primary advantage of an NIDS is the low maintenance involved in analyzing traffic in the network. An NIDS is easy and economical to manage because the signatures are not configured on all the hosts in a network segment. Configuration usually occurs at a single system, rather than on multiple systems. By contrast, host-based intrusion detection systems (HIDSs) are difficult to configure and monitor because the intrusion detection agent should be installed on each individual workstation of a given network segment. HIDSs are configured to use the operating system audit logs and system logs, while NIDSs actually examine the network packets. Individual hosts do not need real-time monitoring because intrusion is monitored on the network segment on which the NIDS is placed, and not on individual workstations. An NIDS is not capable of analyzing encrypted information. For example, the packets that travel through a Virtual Private Network tunnel (VPN) cannot be analyzed by the NIDS. The lack of this capability is a primary disadvantage of an NIDS. The high throughput of the workstations in a network does not depend on the NIDS installed in the network. Factors such as the processor speed, memory, and bandwidth allocated affect the throughput of workstations. The performance of an NIDS can be affected in a switched network environment because the NIDS will not be able to properly analyze all the traffic that occurs on the network on which it does not reside. An HIDS is not adversely affected by a switched network because it is primarily concerned with monitoring traffic on individual computers.

Answer 91

Platform as a Service (PaaS) -- Allows orgs to deploy Web Servers, Databases, and Development Tools in a Cloud. Software as a Service (PaaS) -- Allows orgs to run applications in a Cloud. Infrastructure as a Service (IaaS) -- Allows orgs to deploy Virtual Machines, Servers, and Storage in a Cloud.

Answer 92

Standard Naming Conventions Explanation: Creating a standard naming convention would resolve the issue of obvious account names. Account names should not identify job roles. Recertification is the process of examining a user's permissions and determining if they still need access to what was previously granted. For example, if an employee were transferred from the Chicago, IL office to the Charlotte, NC, it would be reasonable to revoke the user's Chicago permissions. Account maintenance is maintaining user accounts with the appropriate permissions. This includes onboarding and offboarding, adding and removing permissions, and auditing user accounts. File system security should always be set to only allow what is absolutely essential for the user to do their job. This is also known as the principle of least privilege.

Answer 93

Static Code Analyzers Explanation: Static code analyzers look for memory allocation commands have corresponding deallocation commands. Stress testing puts a load on the system much higher than what is normally expected. For example, testing a website with 100x the normal amount of traffic will identify how the system will respond to the stress. They will not check for memory deallocations, although stress test results may indicate that memory is not being released. Sandboxing is developing an application outside of the production environment. Sandboxing can also be useful to test a legacy operating system that may not have security patches. Virtual machines are often used to create the sandbox. Memory allocation issues may be discovered during sandbox testing but are not directly a part of the sandbox functionality. Model verification is important. There are many types of simulation model, and it is critical that you examine whatever model you use for accuracy. Any incorrect data or configuration settings in the model will yield inaccurate results. This will not check for memory deallocation. You should also keep in mind that when comparing compiled versus runtime code, compiled code is more secure. In runtime applications (Java and .NET, for example), the runtime execution environment may have vulnerabilities, so checking for the most current version is a concern.

Answer 94

Integrity Non-Repudiation Authentication Explanation: My Take -- Digital Signatures don't Encrypt, they provide Integrity, Non-Repudiation, and Authentication to prove who someone is, that the a transaction being sent from 1 user to another are the users involved that were intended to be involved and that the transaction was not modified from the original as it goes to the destination. A digital signature provides integrity, authentication, and non-repudiation in electronic mail. The public key of the signer is used to verify a digital signature. Non-repudiation ensures that the sender cannot deny the previous actions or message. Integrity involves providing assurance that a message was not modified during transmission. Authentication is the process of verifying that the sender is who he says he is. Digital signatures do not provide encryption and cannot ensure availability. A digital signature is a hash value that is encrypted with the sender's private key. For example, a file on Windows 98 that has been digitally signed indicates that the file has passed quality testing by Microsoft. The message is digitally signed. Therefore, it provides authentication, non-repudiation, and integrity. If a recipient wants to verify a digital signature, the public key of the signer must be used in conjunction with the hash value. Digital Signature Standard (DSS) defines digital signatures. It provides integrity and authentication. It is not a symmetric key algorithm. A digital signature cannot be spoofed. Therefore, attacks, such as man-in-the-middle attacks, cannot harm the integrity of the message. Microsoft uses digital signing to ensure the integrity of driver files.

Answer 95

Authentication of the user's Google Account Explanation: OpenID Connect provides the authentication necessary in OAuth 2.0. It authenticates the user and stores the user information in a secure token. A secure token contains the user information and authentication information used by OpenID. OAuth is Open Authorization. The current standard, OAuth 2.0, grants an application limited access to a user's account on a third-party site, such as Facebook or Twitter. OAuth could grant the application access to a friend's list or give the application the ability to post on the user's behalf. Shibboleth uses Security Assertion Markup Language (SAML), which defines security authorizations on web pages, as opposed to web page elements in HTML. Shibboleth is a single sign-on (SSO) system but does allow the usage of Facebook, Google, or Twitter credentials

Answer 96

L2TP over IPsec (Layer Two Tunneling Protocol over Internet Protocol Security) Explanation: You should use Layer 2 Tunneling Protocol (L2TP) over Internet Protocol Security (IPsec). When you implement L2TP over IPsec, it encrypts transmitted traffic on virtual private network (VPN) connections. L2TP supports multiple protocols, such as Transmission Control Protocol (TCP), Internet Protocol (IP), Internetwork Packet Exchange (IPX), and Systems Network Architecture (SNA). L2TP is based on two older tunneling protocols: Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F).Hypertext Transfer Protocol (HTTP) transmits information in clear text. Hypertext Transfer Protocol Secure (HTTPS) uses Secure Sockets Layer (SSL) to encrypt HTTP traffic. HTTPS only supports the encryption of HTTP traffic. File Transfer Protocol (FTP) transmits data in clear text. HTTP uses port 80, and HTTPS uses port 443.

Answer 97

Data Exfiltration Explanation: You should voice your concern over data exfiltration. It would be very easy for a picture of something confidential to be posted to a social media site or for someone to discuss a new intellectual property project in a public forum. None of the other concerns would be affected by employee use of social media. Content filters on firewalls and routers must be configured properly. Proper configuration is often an iterative process, blocking undesirable traffic while allowing appropriate traffic. Access points must also be configured properly. Wireless networks have their own security issues, but none that are affected by social media. Weak security configurations can arise from neglecting to implement a specific security device, or not configuring security settings properly.

Answer 98

Asymmetric Encryption Explanation: My Take -- Confidentiality is Encryption, making sure Data is Confidential, protecting Data via Encryption. Asymmetric encryption provides confidentiality because encryption protects the contents of a file from being viewed by unauthorized users. Authentication provides accountability by establishing an individual's identity and defining that individual's access to resources. Some disk arrays, such as Redundant Array of Independent Disks (RAID)-1 and RAID-5 arrays, are implemented to provide fault tolerance for the data stored on those disks. If a user signs a file with a digital signature before sending the file to another user, the recipient can then use the digital signature to ensure that the file was not changed during transmission.

Answer 99

an Information Policy Explanation: An information policy defines the sensitivity of a company's data and the proper procedures for storage, transmission, disposal, and marking of a company's data. The cornerstone practice of a company's information policy, as with all security-related policies, is to grant only the level of access that is required to allow particular individuals to fulfill their responsibilities. Accordingly, a well-developed information policy will rely on information about separation of duties to establish different levels of access by group role or individual responsibility. Individuals will be granted access only to that information for which they have a 'need to know' to accomplish the goals of their position. A backup policy defines the procedures that should be used to back up information stored on a company's network. A security policy defines the technical means that are used to protect data on a network. A use policy, sometimes referred to as an acceptable use policy, defines the manner in which employees are allowed to use a company's network equipment and resources, such as bandwidth, Internet access, and e-mail services. Policies contain conditions of expected performance and the consequences of non-compliance. An access control policy details guidelines on the rights, privileges, and restrictions for using company equipment and assets.

Answer 100

Implicit Deny Explanation: The default permission position in a secure network should be implicit deny. This will ensure that if a user or group does not have an explicit allow permission configured, the access will default to an implicit deny. An implicit deny should be the last rule contained on any firewall because most firewalls do not default to this setting. This firewall rule is often defined with a Drop All statement. On Windows servers, the access control list (ACL) defaults to an implicit deny. None of the other permissions should be the default position in a secure network. An explicit allow is an allowed permission that is configured explicitly for that resource. An implicit allow is an allowed permission that is implied for that resource based on another explicit or implicit permission. An explicit deny is a denied permission that is configured explicitly for that resource.

Answer 101

Industrial Camouflage Explanation: Industrial camouflage or Crime Prevention Through Environmental Design (CPTED) are principles used to design facilities in a way that enhances rather than complicates physical security. Unmanned aerial vehicle technology (UAV) covers everything from the aerodynamics of the drone, materials in the manufacture of the physical UAV, to the circuit boards, chipset, and software, which are the brains of the drone. Two-person integrity control prescribes that multiple persons should do a job so they can monitor one another. Job rotation and separation of duties are both examples of two-person integrity controls. Object detection is the capability of some cameras to scan a scene for items or persons and report on it.

Answer 102

a Firewall Explanation: An administrator can install a firewall on a network to create a demilitarized zone (DMZ). A DMZ separates a public network from a private network. A DMZ can be implemented with one firewall that is connected to the DMZ segment, the private network, and the Internet. A DMZ can also be implemented with two firewalls. In this configuration, one firewall is connected to a private network and a DMZ segment, and the other firewall is connected to the Internet and the DMZ segment. To implement a firewall, you should first develop and implement a firewall policy. When configuring a firewall policy, the default setting should deny all traffic not explicitly allowed. Firewalls implement stateful inspection by inspecting every packet and allowing or denying the packet based on the firewall policy. A bridge is a device that separates a network into distinct collision domains to control network traffic. A network divided by a bridge is considered to be a single network. A hub is a central connection device used on Ethernet networks. A router is a device that is designed to transmit data between networks on a TCP/IP internetwork. Bridges, hubs, and routers are not used to create DMZs.

Answer 103

CASB (Cloud Access Security Broker) Explanation: A cloud access security broker (CASB) enforces proper security measures between a cloud solution and a customer organization. A CASB monitors user activities, notifies administrators about significant events, performs malware prevention and detection, and enforces compliance with security policies. Besides ensuring compliance with your security policy and reporting compliance issues in real-time, a CASB should report risks, see any shadow IT, and do it all from one platform. A CASB uses an array of strategies to protect an organization from cyberattacks. A CASB uses data loss prevention to protect against critical data leaks by labeling, tracking, and restricting access to files and specific information as it travels from a device to the cloud and beyond.

Answer 104

Domain Validation Explanation: Domain validation certificates are very common. They are low-cost and are often used by web admins to offer TLS to a domain. They are validated using only the domain name. Extended validation certificates, as the name suggests, provide additional validation for HTTPS web sites. The certificate provides the name of the legal entity responsible for the web site. These certificates provide a higher level of trust than domain validation and require the most effort by the CA to validate. They are validated using more information than just the domain. Extended validation certificates require much more effort to deploy than domain validation certificates. Email certificates are used to secure email. One such example is Secure Multipurpose Internet Mail Extensions (S/MIME), which provides a digital "signature" for that email. Wildcard certificates allow you to create a certificate in a domain and use that same certificate for multiple subdomains. For example, if you had mail.mysite.com, ftp.mysite.com, and www.mysite.com, you could issue a wildcard certificate for mysite.com, and have it cover all the subdomains. Without the wildcard certificate, you would have to issue a certificate for each subdomain.

Answer 105

AS (Authentication Service) Explanation: TGT = Ticket Granting Ticket TGS = Ticket Granting Service AS = Authentication Service CS = Client-Server In Kerberos 5, Authentication Service (AS) Exchange authenticates users and provides users with a ticket-granting ticket (TGT). When a user wants to gain access to a network resource, that user's TGT is sent to a computer that provides Kerberos Ticket Granting Service (TGS) Exchange. A TGS server uses a TGT to create a session key for the client requesting service and the server providing service. A client requesting service sends a session key to a server, and Client-Server (CS) exchange is used to enable a client and a server to authenticate one another. After these processes are completed, a client can gain access to services on a server. AS, CS, and TGS are the three main protocols used on a Kerberos network to provide authentication and authorization for use of resources.

Answer 106

SSH -- Protocol that uses a secure channel to connect a server and a client. (SecureShell - Port 22) SSL -- Protocol that secures messages between the Application and Transport Layers. (Secure Socket Layer) SCP -- Protocol that allows files to be copied over a secure connection. (SecureCopy - uses SSH Port 22 to accomplish this.) ICMP -- Protocol used to test and report on path information between Network devices. (Internet Control Message Protocol)

Answer 107

Captive Portal Explanation: Captive portals are associated with public-access Wi-Fi networks. Once you select the network, you are directed to a web page. There, you typically have to sign on and agree to a policy such as an acceptable use or fair use policy. Once your agreement is accepted, you can use the network. These portals are typically found in a public place, such as a hotel, coffee shop, or airport. None of the other options would force users to accept a fair use policy before connecting to the Internet. Wi-Fi Protected Setup (WPS) allows a wireless access point to broadcast a PIN, which connecting devices use for authentication. It is not a difficult task to break the PIN using a packet sniffer. IEEE 802.1x is standard for network access control. It allows you to apply security to an individual port on a switch with the result of only allowing authenticated users access to that port. RADIUS Federation is a group of RADIUS servers that assist with network roaming and will validate the login credentials of a user belonging to another RADIUS server's network. For the Security+ exam, you also need to understand EAP-FAST, EAP-TLS, and EAP-TTLS. Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) is used in wireless and point-to-point networks. EAP manages key transmissions, and FAST creates a TLS tunnel to be used in authentication through a protected access credential. In Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), EAP manages key transmissions, and TLS uses X.509 digital certificates for authentication. In Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS), EAP manages key transmissions, and TTLS is an extension of TLS (which authenticates the server). TTLS encapsulates the TLS session, allowing for authentication of the client.

Answer 108

Permit ALL inbound TCP connections. Explanation: The Permit all inbound TCP connections filter will most likely result in a security breach. This rule is one you will not see in most firewall configurations. By simply allowing all inbound TCP connections, you are not limiting remote hosts to certain protocols. Security breaches will occur because of this misconfiguration. You should only allow those protocols that are needed by remote hosts and drop all others. In most cases, permitting all traffic to and from local hosts is a common firewall rule. If you configure firewall rules regarding local host traffic, you should use extreme caution. It is hard to predict the type of traffic originating with your local hosts. If you decide to drop certain types of traffic, users may complain about being unable to reach remote hosts. Limiting certain types of traffic, such as SSH and SMTP traffic, to certain computers is a common firewall configuration. By using this type of rule, you can protect the other computers on your network from security breaches using those protocols or ports. Other common firewall packet filters include dropping inbound packets with the Source Routing option set, dropping router information exchange protocols, and dropping inbound packets with an internal source IP address. For the most part, filters blocking outbound packets with a specific external destination IP address are not used. Any time rules are implemented on a network, you are using rules-based management. With these rules, you specifically allow or deny traffic based on IP address, MAC address, protocol used, or some other factor. Keep in mind that misconfiguration of devices is one of the most common reasons that security issues occur. Make sure to consult vendor documentation to discover all best practices and recommended procedures. In addition, security professionals should ensure that all devices are patched in a timely manner.

Answer 109

Captive Portal Explanation: A captive portal is used to display a webpage to the user upon connection. It may or may not require authentication and may also post permissible activities. WPS is a method for sending credentials from an AP to a system rather than manually configuring the system. WPA2 Enterprise is a version of EAP that uses AES encryption and requires the use of a RADIUS server. WPA2 Personal is a version of EAP that uses either TKIP or AES encryption and can use passwords.

Answer 110

It backs up ALL new files and any files that have changed since the last full or Incremental Backup and resets the Archive Bit. Explanation: An incremental backup backs up all new files and files that have changed since the last full or incremental backup, and also resets the archive bit. When restoring the data, the full backup must be restored first, followed by each incremental backup in order. Incremental backups build on each other; for example, the second incremental backup contains all of the changes made since the first incremental backup. A full backup backs up all files every time it runs. Because of the amount of data that is backed up, full backups can take a long time to complete. A full backup is used as the baseline for any backup strategy and most appropriate when using offsite archiving. A compressed full backup backs up all files in compressed format. A differential backup backs up all new files and files that have changed since the last full backup without resetting the archive bit. When restoring the data, the full backup must be restored first, followed by the most recent differential backup. Differential backups are not dependent on each other. For example, each differential backup contains the changes made since the last full backup. Therefore, differential backups can take a significantly longer time than incremental backups. A continuous backup system is one that performs backups on a regular basis to ensure that data can be restored to a particular point-in-time. SQL Server is an application that provides this feature. If a continuous backup plan is not used, any data changes that occurred since the last backup must be recreated after the restore is completed. Working copies are used to store data that consists of partial or full backups that are stored at the computer center for immediate recovery purposes, if necessary.

Answer 111

Passive Reconnaissance Explanation: Passive reconnaissance detects vulnerabilities through techniques such as social engineering, accessing supposedly confidential information on publicly available databases, dumpster diving, and shoulder surfing. Active reconnaissance accesses the system directly to detect vulnerabilities. Tools and techniques such as network mapping, port scans, and network sniffing are used to test the system and identify potential sources of attack. Pivots use a compromised system to attack another system. Initial exploitation compromises one system so that it can be used in a pivot test against another system. Persistence is when the compromised system is used in an attack at some point after the initial exploitation occurred. An example of persistence would be when a student's notebook computer contracts malware at a coffee shop, but the school network is not affected until the student logs in to the school network.

Answer 112

IPv4 Explanation: The version of addressing used by the packet is IPv4. The version is specified explicitly in the header as the first four bits. The first four bits of an IP header identifies its version. Version 6 is represented in binary as 0110 while version 4 is 0100. The source and destination addresses are also in the dotted quad format associated with IPv4.

Answer 113

TOTP (Timed One-Time Password or Time-based One Time Password) Explanation: Time-based One Time Passwords (TOTP) are issued for a specific period of time. Once it is used or its time expires, the TOTP is no longer valid. HOTP and TOTP are both types of one-time passwords, (i.e., they can only be used once). Hashed One Time Passwords (HOTP) are secure passwords used with hardware tokens. They do not include a time limit for usage. Attribute-based access control (ABAC) goes beyond authentication based on username and password. It evaluates other factors, such as time of day and location of logons. Another aspect would be if a user has read access to files but is attempting to edit or delete files remotely. False rejection rate (FRR) is one way to measure the accuracy of a biometric authentication system. It measures how likely it would be that an authorized user is denied access to the system. Expressed as a ratio, it is the number of authorized users who were denied access to the protected system divided by the number of authentication attempts. False rejections can occur if the system settings are too precise, or if users are not trained properly on biometric login procedures. By contrast, false acceptance rate (FAR) measures how likely it would be that an unauthorized user is granted access to the system. Its ratio is the number of unauthorized users who were incorrectly allowed access to the protected system divided by the number of authentication attempts. FAR could happen because the system was not precise enough when matching the authorized user. Crossover error rate (CER) is the point where FAR and FRR are equal. Generally, a lower CER value would indicate a more accurate system. CER is primarily used to compare biometric authentication systems. Other considerations include proximity cards, smartcards, tokens, CAC, PIV, and file security. Smartcards have permissions and access information stored on the card. The greatest concern with smart cards is theft. Once stolen, the thief can use the card in the same manner as the rightful owner. As an example, if the user has access to a highly secure area by using the smartcard, a thief will have the same access when using the stolen card. Proximity cards are a type of smartcard that incorporate Radio Frequency Identification (RFID) chips. These chips contain authentication information and transmit over a very short range. When the authentication device is within range of the proximity card, and the information transmitted is correct, authentication is granted. Hardware tokens (or physical tokens) include such physical devices as wireless key cards, key fobs, and smart cards. Software tokens are a component of two-factor authentication systems. They are usually embedded on a device and used to authenticate the user. A common access card (CAC) is a smart card issued by the Department of Defense (DoD) to military personnel and contractors. They incorporate a picture, integrated chip, two barcodes and a magnetic strip. They can be used for visual identification and for login. A Personal Identity Verification (PIV) smart card is issued to non-military federal employees and contractors. They incorporate a picture, integrated chip, two barcodes and a magnetic strip. They can be used for visual identification and for login. File system security should always be set to only allow what is absolutely essential for the user to do their job. This is also known as the principle of least privilege.

Answer 114

Hashing Explanation: Hashing is a cryptographic process that maintains the integrity of data. Hashes are created using hashing algorithms, which is a one-way process that converts the data of any size into a fixed length unique output. Once you create a hash, the only way to reproduce the same exact hash is to input the exact same text. If you change even just one character in the data, the hash value will completely change as well. This is how investigators can determine if a file has been altered. If the hash is different from the one created by the original version, the investigator knows that the data has been tampered with. If the hash is the same, that indicates that the integrity of the data was maintained and is safe to investigate.

Answer 115

Tabletop Exercises Explanation: A tabletop exercise simulates a disaster and allows you to check the thoroughness of your disaster recovery plan. You should perform a document review during all exercises. Apart from a tabletop exercise, you can also perform a walkthrough, simulation, parallel testing, and cutover testing to test your disaster recovery plans. If your plan has a weakness, it is better to discover it during an exercise as opposed to discovering it during a live event. After-action reports documents how well or how poorly the exercise went. It will also indicate action items for follow-up, as well as any necessary modifications that should be made to improve the disaster recovery response. A business continuity plan ensures that the business stays running in the event that interferes with normal business functions. It is a separate plan from the disaster recovery plan and only needs review and revision. It does not usually require any testing. Critical business functions are those items that are identified as the most crucial. They are the first to be restored after a disaster. A continuity of operations plan (COOP) is a document that explains how critical operations will be maintained in the event a disaster occurs.

Answer 116

Recertification Explanation: Recertification is the process of examining a user's permissions and determining if they still need access to what was previously granted. For example, if someone were transferred from the Chicago, IL office to the Charlotte, NC office, it would be reasonable to revoke the user's Chicago permissions. Likewise, a promotion would most likely require new privileges, and it is important to examine whether the privileges from the old position are still necessary. Federation and federated identity is the ability of a user to use a single identity across multiple businesses or networks. It differs from single sign-on, where a user has one password that grants access to all the permitted network resources. Federation would address enabling user's logon from office to office but would not address the issue of current and relevant permissions related to users' job roles. Creating a standard naming convention would resolve an issue relating to account names that identify job roles or locations. However, it would not address the issue of current and relevant permissions. Transitive trust involves creating relationships between domains to grant authenticated users access to other domains. In Active Directory, for example, if the Sales domain trusts the Marketing domain, and the Marketing domain trusts the HR domain, then Sales trusts the HR domain, through a transitive relationship.

Answer 117

a collection of programs that grants a hacker administrative access to a computer or Network. Explanation: A rootkit is a collection of programs that grants a hacker administrative access to a computer or network. The hacker first gains access to a single system, and then uploads the rootkit to the hacked system. An example of a rootkit is a system-level kernel module that modifies file system operations. If a server dedicated to the storage and processing of sensitive information is compromised with a rootkit and sensitive data was exfiltrated, you should wipe the storage, reinstall the OS from original media, and restore the data from the last known good backup. Adware is a software application that displays advertisements while the application is executing. Some adware is also spyware if it monitors your Internet usage and personal information. Some adware will even allow credit card information theft. It is possible for spyware to inject malicious code into otherwise benign adware, especially pop-up ads. Adware displays unwanted browser ads, leaves persistent tracking cookies, and gathers information on user’s browser activities for the adware owner’s use. Adware is not itself malware, but the ads it displays can contain injected third-party malware. Spyware often uses tracking cookies to collect and report a user's activities. Not all spyware is adware, and not all adware is spyware. To define a program as spyware requires that your activities are monitored and tracked; to define a program as adware requires that advertisements are displayed. A worm is a program that spreads itself through network connections. Another malware that you need to be familiar with is ransomware, which restricts access to a computer that it infects. The ransomware then demands a ransom paid to the creator of the malware for the restriction to be removed.

Answer 118

ABAC (Attribute-based Access Control) Explanation: Attribute-based access control (ABAC) goes beyond authentication based on username and password. It evaluates other factors, such as time of day and location of logons. It would also control behavior based on location, such as if a user has read access to files but is attempting to edit or delete files remotely. Proximity cards are a type of smartcard that incorporate Radio Frequency Identification (RFID) chips. These chips contain authentication information and transmit over a very short range. When the authentication device is within range of the proximity card, and the information transmitted is correct, authentication is granted. Smartcards have permissions and access information stored on the card. The greatest concern with smart cards is theft. Once the card is stolen, the thief can use it in the same manner as the rightful owner. For example, if the user has access to a highly secure area by using the smartcard, a thief will have the same access when using the stolen card. False acceptance rate (FAR) is one way to measure the accuracy of a biometric authentication system. It measures how likely it would be that an unauthorized user is granted access to the system. Expressed as a ratio, it is the number of unauthorized users who were incorrectly allowed access to the protected system divided by the number of authentication attempts. A false acceptance can occur, for example, when an unauthorized individual with a dirty finger uses a fingerprint reader and is allowed access to the system. This could happen because the system was not precise enough when matching the authorized user. By contrast, false rejection rate (FRR) measures how likely it would be that an authorized user is denied access to the system. It is also expressed as a ratio, calculated as the number of authorized users who were denied access to the protected system divided by the number of authentication attempts. False rejections can occur if the system settings are too precise, or if users are not trained properly on biometric login procedures. Other considerations include CER, tokens, HOTP, TOTP, CAC, PIV, and file system security. Crossover error rate (CER) is the point where FAR and FRR are equal. Generally, a lower CER value would indicate a more accurate system. CER is primarily used to compare biometric authentication systems. Hardware tokens (or physical tokens) include such physical devices as wireless key cards, key fobs, and smart cards. Software tokens are a component of two-factor authentication systems. They are usually embedded on a device and used to authenticate the user. HOTP and TOTP are two types of one-time passwords, i.e., they can only be used once. Hashed One Time Passwords (HOTP) are secure passwords used with hardware tokens. Time-based One Time Passwords (TOTP) are issued for a specific period of time. Once it is used or its time expires, the TOTP is no longer valid. As an example of a TOTP, a user forgets a password to a website. When the user clicks the "Forgot Password" link, the website would send a new temporary password to the user but would limit how long the temporary password would be valid. A Common Access Card (CAC) is a smart card issued by the Department of Defense (DoD) to military personnel and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login. A Personal Identity Verification (PIV) smart card is issued to non-military federal employees and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login. File system security should always be set to only allow what is absolutely essential for the user to do their job. This is also known as the principle of least privilege.

Answer 119

Analyze the change request. Explanation: You should analyze the change request. The change control procedures ensure that all modifications are authorized, tested, and recorded. Therefore, these procedures serve the primary aim of auditing and review by the management. The necessary steps in a change control process are as follows: - Make a formal request. - Analyze the request. This step includes developing the implementation strategy, calculating the costs of the implementation, and reviewing the security implication of implementing the change. - Record the change request. - Submit the change request for approval. This step involves getting approval of the actual change once all the work necessary to complete the change has been analyzed. - Make changes. The changes are implemented, and the version is updated in this step. - Submit results to management: In this step, the change results are reported to management for review.

Answer 120

Salting -- adds text to each password before the password is hashed to prevent stored passwords from being decrypted Lockout -- allows you to configure the number of invalid logon attempts that can occur before an account is inaccessible for a pre-determined amount of time History -- allows you to configure how many new passwords must be created before an old one can be reused Age -- allows you to configure the minimum or maximum number of days that must pass before a user is required to change the password

Answer 121

retina scan Explanation: A retina scan is a biometric system that examines the unique pattern of the blood vessels at the back of an individual's eye. In a retina scan, a beam is projected inside the eye to capture the pattern and compare it with the reference records of the individual. The employee is authenticated only if a match is found. Retina scans provide better accuracy than iris scans. There are some disadvantages of using a retina scan. Employees are sometimes reluctant to pass through a retina scan because the test is considered too intrusive. Also, retina scan results can alter over time. Other disadvantages are the expense, the enrollment time, and the complexity involved in its implementation. An iris scan is based on the examination of unique patterns, colors, rings, and coronas of an individual's eye. Each characteristic is captured by a camera and compared with the reference records of an employee gathered during the enrollment process. Iris scanning provides better accuracy than fingerprinting, voice recognition, or facial recognition. A facial scan is based on an individual's bone structure, nose ridge, eye width, forehead structure, and chin shape. Such characteristics are captured by a camera and compared with the reference records of an employee gathered during the enrollment process. Eye recognition is not a biometric scan technology used for the authentication of an individual.