Tricky Questions Flashcards
1
Q
Users of a mobile app authenticate with username, password, and the app logs their location (from GPS). How many different authentication factors is this using?
A
ONE!
Username and password are both something you know. While the app logs the GPS location, it doesn’t say that the auth process even looks at it.
2
Q
A company has several contractors who work for about one week each quarter. What should be done with their accounts when they aren’t actively working for the company?
A
Disable the accounts. That leave the data there, and it’s easy to enable them again when the contractor is actively working again.
3
Q
A company needs a strong authentication and authorization system that protects privacy of data, and that allows employees to use SSO. What should they use? Choices are OpenID, SAML, Kerberos, RADIUS
A
Kerberos.
OpenID is for Internet, not internal networks. SAML is for web apps. RADIUS is for remote access clients.
4
Q
Which protocol is best for encrypting confidential data transferred over internal network? Choices are FTP, SSH, SNMPv3, SRTP
A
SSH
5
Q
Which protocol is best for collecting network device configuration and statistics while protecting the confidentiality of the credentials used to connect to the devices? Choices are SSH, FTPS, SNMPv3, TLS
A
SNMPv3
This is Simple Network Management Protocol version 3. It has strong authentication mechanisms. None of the other choices monitor network devices.
6
Q
Which type of device would be likely to use these as part of its configuration?
permit IP any any eq 80
permit IP any any eq 443
deny IP any any
Choices are firewall, proxy server, web server, jump server.
A
Firewall.
While this is a good configuration to protect a web server, it gets put on the firewall, not the web server itself.
7
Q
A firewall protects subnet 10.0.1.0/24. It needs to use only secure protocols for remote management. It needs to block cleartext web traffic.
Which of the following rules already on this firewall needs to be changed to do this?
HTTPS Outbound, Any, 10.0.1.0/24, HTTPS, allow
HTTP Outbound, Any, 10.0.1.0/24, HTTP, allow
DNS, Any, 10.0.1.0/24, DNS, allow
HTTPS Inbound, 10.0.1.0/24, HTTPS, allow
HTTP Inbound, 10.0.1.0/24, HTTP, block
Telnet, 10.0.3.0/24, Telnet, allow
SSH, 10.0.1.0/24, Any, SSH, allow
A
HTTP Outbound, because that is cleartext web traffic and it is set to allow. That should be blocked.
Yes, Telnet should not be allowed ANYWHERE, however since that rule is for 10.0.3.0/24 subnet, and this router is protecting 10.0.1.0/24, it won’t ever be handling that traffic. Tricky question indeed.
8
Q
A power plant has several standalone computers used to verify proper operation of various processes. Employees log into these computers using local accounts. We want to make sure these computers have no access to the internet, and cannot be connected to the organization’s network. What’s the best choice among:
- air gap the computers
- place the computers in a screened subnet
- create a separate isolated network for these computers
- place the computers in a VLAN
A
Air gap.
Both screened subnet and VLAN would add a risk of connections to the larger network and the internet. A separate isolated network would technically work however there is no stated need for the computers to communicate with each other, and that adds a risk of one getting infected somehow and then spreading it to the rest.
9
Q
A router on a corporate network provides a path to a limited access network that is not advertised. A net admin needs to access this limited access network regularly. How can he configure his computer to access it?
- Implement QoS technologies
- Add a VLAN
- Use the route command
- Open additional ports on the router
A
Use the route command.
None of the other choices can add a routing path.
10
Q
An admin places a file named passwords.txt with usernames of two accounts in it. This file was placed in the administrator account desktop on several servers. Why would this be done?
A
It’s a honeyfile. This distracts hackers from real documents. Since the file doesn’t contain passwords, just usernames, then it’s not a risk - and if the usernames are for accounts that don’t have access to anything important, even better.
11
Q
What wireless network protocol provides encrypted authentication of users over TLS? Choices are EAP, PEAP, WPA2, WPA3.
A
PEAP.
WPA2 and WPA3 don’t use TLS. EAP by itself doesn’t provide encryption at all.
12
Q
A wireless user had been accessing his network shares one morning, but later when trying to access the Internet got a popup marked as from the same wireless SSID that prompted him to login again. After logging in he couldn’t access his network shares but could access Internet. What happened here?
A
An Evil Twin access point tricked him. Odds are it stole his login credentials as well and is now using them to hack the network.
13
Q
Your organization wants to upgrade VPN so that after the VPN client connects to the VPN server, all traffic from the VPN client is encrypted. What kind of VPN should you use?
A
Full tunnel. This encrypts that client’s Internet traffic too, not just the traffic to the organization’s network.
14
Q
A supplier needs to connect several laptops to our organization’s network, but we are concerned about possible vulnerabilities from the laptops. How do we mitigate this risk?
A
Implement a jumpbox system. The supplier’s laptops will connect to the jumpbox and from there connect to our network.
15
Q
We want to allow visiting business partners to be able to use an available Ethernet port in a conference room to be able to use VPN to connect to their headquarters. The same port should allow our own employees to connect to our own secure internal network. How can we do this?
A
Implement NAC.
16
Q
One of your network services becomes disabled and this affects production. What can be used to determine which service was interrupted and why it happened. Choices are firewall logs, NIDS, syslog, network mapping.
A
Syslog
17
Q
In storing passwords, some organizations will add a salt and a hash to the password, then repeat this several times before storing the result. What is the term for this process?
A
Key stretching
18
Q
Which of these is not a shared authentication protocol?
OpenID Connect, Facebook Connect, LDAP, OAuth
A
LDAP
While this allows SSO for a given organization, it is not a shared protocol.
19
Q
Tool used to collect wireless packet data
A
Aircrack-ng
Notice it specifies wireless. Wireshark is for wired packets.
20
Q
Secure way to erase data from old hard drives before donating to charity
A
Cryptographic erase
21
Q
Which key is used when sending an encrypted email?
A
Recipient’s public key
22
Q
How does a secure web server decrypt a client’s session key?
A
Using the private key for the website. Session keys are encrypted using the site’s public key.
23
Q
In which order should these three items be done?
Risk analysis
Business impact analysis
ALE
A
ALE, risk analysis, business impact analysis
24
Q
Give an example of implicit deny
A
User A is added to group G. When this is done, user A no longer has read access to items in folder F.
25
What log lists failed login attempts on Windows?
Security log
26
What is Fail Secure?
A system that is Fail Secure remains secure even in the event of failure. It doesn’t necessarily remain up. If log files running out of space means the server refuses connections, that is fail secure.
27
What technique can reveal internal business procedures and computing configurations?
Dumpster diving
28
List two things to configure to prevent users from reusing old passwords within a short period of time
Minimum password age
| Password history
29
You estimate it would take four technicians two days to remove an infection, at a total cost of $3200. What type of analysis is this dollar amount?
Business impact analysis
30
When researching new rack mount servers to determine the max BTU value of all servers in the server room, what related item should also be considered?
HVAC
| BTU measures heat. HVAC will need to be able to handle the additional heat provided by the new servers.
31
You need to determine which TCP port a certain custom app uses, so that you can configure a firewall rule allowing it. Users connect to an internal web site, that in turn connects to this custom app. How do you find which port the custom app uses?
Generate activity on the custom app while capturing traffic.
32
Name a tool commonly used to automate incident response.
SOAR
33
Name a type of server that provides centralized authentication services for devices such as switches and wireless routers.
RADIUS
34
List two items that are found in an IP header
Source IP address
TTL value
(other things as well I'm sure, such as Destination IP address. the question offered 4 options and said to pick 2)
35
If you find a way to gain remote administrative access to a host without knowing the administrative credentials, what is the term for this technique?
Exploit
36
What's the best way to safeguard cryptographic keys that are used to communicate with a cloud service provider?
HSM (hardware security module). Some cloud providers will offer cloud-based HSM services to their customers, as an alternative to having local physical HSM on the network.
37
When two users have a shared secret key (unknown to anybody else) and use symmetric cryptography, what common goal of cryptography is impossible for them to achieve?
Nonrepudiation.
Since messages are encrypted and decrypted they have confidentiality and integrity (if the message was altered then it would decrypt to garbage). They have authentication because they are the only two who know that key. They can't get nonrepudiation because there is no way to prove to a 3rd party that the message wasn't just forged by one of them who claims the other sent it.
38
A wildcard certificate for *.mydomain.com can not be used for which of these sites?
www. mydomain.com
mydomain. com
dev. www.mydomain.com
mail. mydomain.com
dev.www.mydomain.com
| wildcard certs don't cover more than a single level of subdomain.
39
A web application is not setting the Secure attribute on its cookies. What type of attack is at risk due to this?
Session replay, assuming that the web app uses cookies for session authentication.
40
Name the five elements of the NIST CSF
identify, protect, detect, respond, recover
41
Which environment should be used for UAT testing?
Officially, it's supposed to be the Test environment. We use Staging. If you see this on the exam, remember it's supposed to be Test.
42
What encryption key is included in a DNSKEY record?
the organization's public key
43
Number of passwords to keep in a password history to prevent password reuse, according to currently accepted best practice
ZERO.
NIST currently advises that users should no longer be forced to change passwords periodically. Another one that is against our own current practice, so becomes tricky.
44
At what point should a forensic investigator start tracking the chain of custody for evidence?
As soon as it is collected.
45
Name a certificate file type that contains ASCII text.
PEM or CER
| there may be others, but these are all binary: PFX, DER, P12.
46
Which of these is NOT a common means of securing ML algorithms?
A. Understand the quality of the source code.
B. Build a secure working environment for ML developers.
C. Require 3rd party review for bias in ML algorithms.
D. Ensure changes to ML algorithms are reviewed and tested.
C. Require 3rd party review for bias in ML algorithms.
47
What step should be taken to ensure that baseline data is not tainted, before using a ML algorithm?
A. Scan network for vulnerabilities and remediate them.
B. Only run after you are confident that the network is secure.
C. Disable outbound and inbound network access so only normal internal traffic is validated.
D. Disable all firewall rules so all potential traffic can be validated.
B. Only run after you are confident that the network is secure.
48
After uploading a malware sample to a 3rd party scanning site, the result gives several different answers for what the malware package is. Why?
Different vendors use different names for malware packages. Most malware scanning sites use multiple antimalware and antivirus engines for the scan.
49
```
You notice traffic between your systems and a known malicious host on TCP port 6667. What type of traffic is this most likely to be?
A. Command and control
B. Hijacked web browser
C. RAT
D. Worm
```
A. Command and control
| Port 6667 is commonly used for IRC which is often used by C&C for botnets.
50
Which of the following is the most serious vulnerability for a public facing server?
A. An HTTP response that reveals an internal IP address
B. Cryptographically weak encryption cipher
C. Website using a self-signed SSL certificate
D. Buffer overflow known to allow remote code execution
D. Buffer overflow known to allow remote code execution
51
While doing a pentest of a web application, you entered this into a search box and it was actually executed. What kind of vulnerability is this?
IMG SRC=vbscript:msgbox("Vulnerable to Attack");> originalAttribute="SRC" originalPath="vbscript:msgbox("Vulnerable to Attack ");>"
Cross-site scripting, aka XSS.
52
```
Which of the following vulnerabilities is the greatest threat to data confidentiality?
A. HTTP TRACE/TRACK methods enabled
B. Web application SQL injection
C. SSL Server with SSLv3 enabled
D. phpinfo information disclosure
```
B. Web application SQL injection
53
What Linux command will display the network address and subnet mask for a wired network connection?
ip
The ip command will display IP address, subnet mask, and MAC address. Don't confuse it with ipconfig which is Windows not Linux. Older versions of Linux used "ifconfig" for this.
54
How can you identify a malware beacon is on your network?
Protocol used does NOT help. Persistence (remaining after rebooting the system) and Interval (time between beacon signals) are key indicators. It helps to remove known traffic on the network to reduce the amount of data that you have to analyze.
55
The root cause of an incident was never determined. As part of your recovery and remediation, which of the following is LEAST likely to be helpful?
A. Disable unused user accounts
B. Sanitize and reimage all of your routers and switches
C. Review and enhance patch management policies
D. Restrict host access to peripheral protocols like USB or Bluetooth
B. Sanitize and reimage all of your routers and switches
This step is likely to have unwanted disruptive effects on the company, and waste a lot of time and money as well. Better to increase monitoring of the devices to ensure they were not compromised.
56
During a pentest you use a vulnerability in an Apache webserver to gain access to it. What is the next step, that will help you pivot to a protected system outside the screened subnet?
Privilege escalation. Apache webservers are run as limited users, so your best chance of getting further into the system is to find a way to get admin rights.
57
Name the four forms of regulated data
```
PII, PCI, GDPR, and PHI.
PII - personally identifiable
PCI - payment card industry
GDPR - EU's General Data Protection Regulation
PHI - protected health info
```
58
What's the best technology to implement when configuring better defenses for an ICS/SCADA system?
Intrusion Prevention System.
ICS/SCADA systems use a very specific set of commands to do their job, so configuring an IPS to only allow those specific commands will prevent a lot of problems.
Patching is likely to break ICS/SCADA systems because they don't use standard operating systems. Antivirus/antimalware software is unlikely to run on the systems for the same reason. Logging is useful but won't prevent anything.
59
During a pentest you gain access to a hashed password file from the target site. This site does not have a strong password policy. What technique would work best to exploit this file?
Rainbow table attack.
60
Diagram shows three guest operating systems on top of a hypervisor, on top of a host operating system, on top of hardware. What type of hypervisor is this?
Type 2 hypervisor, because it has a full host operating system. Type 1 runs on the bare metal hardware. There are no other types.
61
```
You trying to diagnose a service that is not responding to user requests. The host firewall logs indicate that the traffic is allowed. What is the likely cause?
A. Host firewall misconfiguration
B. Network firewall misconfiguration
C. Network IPS misconfiguration
D. Application failure
```
D. Application failure
Since the host firewall logs show the packets arriving and being acceptable, the two firewalls and IPS aren't misconfigured. The application likely threw an exception or has stopped running for some reason.
62
What type of account does a vulnerability scanner need in order to do a credentialed scan of the network?
Read-only
63
What is the main difference between on-premises identity services and those used in a cloud-hosted environment?
The cloud service will provide account and identity management services.
64
What should be done with the Administrator account on a Windows system, to reduce the chances of a brute force attack succeeding?
Rename the Administrator account, to something that doesn’t include “admin”. A nice touch is to create another account named Administrator with a super nasty password but don’t give it any permissions.
65
What log should you examine to determine that a user has launched a privilege escalation attack on a database server?
Operating System log.
66
You boot a laptop and get a plain blue dialog asking you to "Enter Current Password", without any mention of a username. What is presenting this prompt?
BIOS, presented through the UEFI interface. This isn't a particularly secure feature to enable, as there are many techniques to bypass BIOS passwords.
67
While collecting evidence from a variety of sources, you notice from the logs that the clocks from the different systems don't all agree. What should you do, so that you can create an accurate timeline of events?
Record the time offsets for each device. Since the evidence you are collecting is from events that already happened, that's all you can do. To avoid future similar headaches, it is best to configure the systems to synch using an NTP server.
68
```
Which of these authentication factors is the most difficult to implement?
A. something you have
B. something you know
C. something you do
D. something you are
```
C. something you do
| Behavioral factors are difficult to measure and implement effectively.
69
What's the best way to detect missing operating system patches?
Configuration management tool.
70
In a typical wireless authentication scenario using 802.1x, what device creates the RADIUS request?
Wireless access point
71
Ten employees use symmetric encryption to communicate with each other, with complete confidentiality between any two. If we hire an eleventh employee, how many new keys must be added to the system?
10.
Each pair of users needs a unique shared secret key, so it's one less than the total number of users. Clearly not a good option for a large company, as the number of keys will increase factorially with the number of users. Compare this to asymmetric encryption which would add just two keys (public and private for the new guy).
72
```
Which employee would be most in need of awareness training about wire transfer fraud schemes?
A. system administrator
B. accounts payable clerk
C. sales director
D. executive user
```
B. accounts payable clerk
| Since this is the person who would initiate any wire transfer, it is most crucial that this person get this training.
73
What is the minimum fence height to slow down a determined intruder?
8 feet.
74
What authentication protocol provides port based authentication for wired networks?
802.1x
| Yes this is the same one we use for wireless networks.
75
You are creating a digital certificate for a web server. The certificate will use an intermediate CA that is validated by a trusted root CA. Who creates the CSR?
You create the CSR on the web server, submitting it to the intermediate CA.
76
What's the best way to address issues on a WiFi network with interference between access points?
Use a WiFi controller. This allows automated modification of access point settings.
77
Which CASB approach interacts with the cloud provider directly?
API-based CASB. Inline CASB intercepts requests between the user and provider.
78
What technology is able to link networks in an on-prem datacenter with cloud VPCs securely?
Transit gateway
79
SSH key security concerns
NOT: Weak encryption
YES: weak passwords, SSH key sprawl, inadvertant exposure of the private key
80
What type of one time password does Google Authenticator use in its default mode?
Time-based one-time password
81
```
Which of the following security controls is most effective against zero-day attacks?
A. Vulnerability scans
B. Application control
C. Intrusion Prevention Systems
D. Signature-based antivirus software
```
B. Application control
Use whitelisting of applications. That prevents unknown apps from being installed. Zero-day attacks don't have signatures yet.
82
```
A web server has the following characteristics. Which poses the greatest security risk?
A. Server supports access on port 80
B. Server runs Apache and MySQL
C. Server uses TLS 1.2
D. Server supports access on port 443
```
B. Server runs Apache and MySQL
Each server should support a single primary function. Having both Apache and MySQL on the same server gives attackers two different apps to be attacked.
83
What type of control will let you limit the ability of users in your org to provision cloud server instances without permission?
Resource policy
| This is offered by cloud providers.
84
Who should perform the exit interview for an employee who voluntarily resigns?
Second-level supervisor.
HR doesn't know much about this person's job, and if it's the immediate supervisor then the employee can't complain about him if that's the issue.
85
```
Which of these file types is normally shared publicly?
A. CRT
B. KEY
C. PEM
D. CSR
```
A. CRT
This contains the org's public X.509 certificate.
86
At a web hosting company, which of the following is the highest mission critical system?
A. Firewall
B. Web server for company's own site
C. Billing system
D. Web server for one of the company's clients
A. Firewall
None of this will work if the firewall is down. Of the rest, client web servers should come before the company's own website, and the clients won't mind if their bills are a few days late.
87
Your SIEM has been sending you hundreds of alerts each night when scheduled jobs run. What should you do to reduce the false positive rate?
Change the sensitivity for the alerts. Adjust the alerts to ignore safe or expected events. Correlation rules may need to be adjusted if they are matching unrelated items, but the primary action is changing the sensitivity.
88
You want to deploy an encrypted, WPA2 secured wireless for a small business. What's the best option for wireless authentication?
PSK (pre-shared key).
89
What's the best tool for analyzing a VoIP conversation?
Wireshark.
| tcpdump can capture the data but Wireshark has built-in VoIP analysis.
90
What's a good way to detect that an attacker has created a new service?
Vulnerability scans are the best way to detect new services, and often they will flag new services when they appear.
91
Symptom: Systems are infected by malware exploiting an OS vulnerability and critical data is encrypted. What type of attack is this, and how can we control against it in the future?
Ransomware. Regular patch management.
92
Symptom: Scripts included in message board posts are compromising systems belonging to site visitors. What type of attack is this, and how do we control it?
XSS attack. Proper input validation, or a WAF (Web Application Firewall) protects against this.
93
Symptom: A former employee configures a system to delete all data when it notices that the person is no longer an employee. What type of attack is this, and what can protect against it?
Logic bomb. Code reviews should catch it.
94
Symptom: An attacker posing as a help desk tech calls an employee and tricks them into revealing a password. What type of attack is this, and what can prevent it?
Social engineering. User education is the only way to defend against this.
95
Symptom: A switch begins sending all network traffic to all devices connected to the switch. What type of attack is this, and how do we prevent it in the future?
MAC flooding. Port security should prevent this.
96
On a Linux system, you use "chmod 740" on a file. What permissions does that file have now?
Owner has read, write, and execute. The group for the file has read only. Nobody else has any access (unless they have sudo privileges of course).
Read this as three octal digits. Owner is the first digit, group is the second, others is the third. For each octal digit, look at the binary equivalent, RWX. Or just sum the permissions, with Read being 4, Write being 2, and Execute being 1, so full rights = 7, read only = 4, etc.
97
When a CA creates a digital certificate for a web server, what key is used to apply the digital signature to the certificate?
The CA's private key. Everybody else can verify that the certificate is validly signed by the CA by using the CA's public key.
98
What is the maximum scope of a single ARP spoofing attack?
The attacker and the victim must be attached to the same switch, but do not need to be sharing the same switch port.
99
Which RAID configuration provides redundancy while it maximizes read performance, for a server where data is read often but written rarely?
RAID 1, aka mirroring.
100
Which of the following is not an appropriate use of MD5?
A. creating digital signatures
B. Verifying file checksums against corruption
C. Identifying duplicate records
D. Partitioning database keys
A. creating digital signatures
MD5 is cryptographically broken, so should never be used for secure purposes. It is perfectly fine to use it as a hash function for other purposes.
101
```
You need a new security control for use in a multicloud environment, and want to minimize the admin work that will be required for this. What type of control do you choose?
A. Third party
B. Internally developed
C. Cloud-native
D. Any of the above
```
A. Third party
Since it is multicloud, the best choice is third party, which are usually designed to work with multiple types of clouds. Cloud-native would only work with a single one of the clouds, and internally developed will require a lot of work to set up.
102
```
You need to keep a system online but limit the impact of malware found on it while the investigation occurs. Which method should you use?
A. Containment
B. Isolation
C. Segmentation
D. Black holing
```
A. Containment
Isolation walls off a system from the rest of the network. Segmentation walls off a portion of a network. Containment works to prevent further malicious actions or attacks. No clue what Black Holing is supposed to be - likely nonsense.
103
In a Kerberos authentication scheme, who provides the client with the TGS session key?
Authentication server
104
You need to choose a card-based control system for physical access to a facility, where the primary concern is the speed of the authentication. What's the best type of card?
Proximity card has a very fast scanning time. Smart cards and magnetic stripe cards take a bit longer. Photo ID cards are longest of all of these.
105
What method can be used to acquire the firmware from a running device for analysis?
Use forensic memory acquisition techniques, or in a few cases direct hardware interface access will work. Firmware is typically stored in BIOS or UEFI chip, which isn't removable. Firmware is likely to allow updates but usually won't allow downloads or copying.
106
Does forensic information require a timestamp?
Timestamps are not required. They can help build a case that shows when events occurred, so it's better if there are timestamps on the artifacts.
(this was reworded from a multiple choice question that asked for which item isn't something to be concerned about)
107
What is the best practice for handling repeated failed authentication attempts, for a password based authentication system?
Impose an exponentially increasing timeout period between login attempts. Doubling the timeout after each successive failure would fit this, with a very short timeout for the first one. This will get quite large rather quickly. Using a larger exponent (such as 10x for each failure) grows even faster.
108
You are running two load balancers in active/active mode. What is the most significant risk to doing this?
The load balancers may not have capacity to survive the failure of one device.
109
A vulnerability scan reports these issues with the certificate for an internal web application: it is self-signed, the common name doesn't match the server name, and the signature failed. How should you fix this?
Replace the certificate with a certificate from the same source.
Since this is an internal web app, it's fine to use a self signed cert. Using a cert with an incorrect domain name is not safe, so it should be replaced.
110
What is the best defense against a rainbow table attack?
Salting prior to hashing.
111
In a Kerberos system, the client sends an authenticator to the TGS when requesting a service ticket. How does the client encrypt this authenticator?
The client encrypts the authenticator with the TGS session key, which the client had received earlier from the authentication server. The authenticator itself consists of the client's ID and a timestamp.
112
Which of these protocols does not take advantage of TLS?
| EAP-FAST, EAP-TTLS, EAP-IKEv2, EAP-TLS
EAP-IKEv2 uses Internet Key Exchange (IKE) instead of TLS.
113
```
Which of these RADIUS messages is normally only found when the organization requires MFA?
Access-Request
Access-Accept
Access-Reject
Access-Challenge
```
Access-Challenge
The access-request is sent by the client. When not using MFA, the server responds by sending either access-accept or access-reject. With MFA, if the first request is accepted, the server responds with access-challenge which asks the client for the second authentication.
114
You are configuring your network firewall for correct access to the email server. Internet users should be allowed to send email to this email server, but only internal users will be allowed to access email on the server. What protocol(s) should be allowed through the firewall?
SMTP only (of the various types of email protocols, likely both port 25 and the secure ports). SMTP is used to relay inbound email. IMAP and POP3 are used to retrieve messages from an email server, so they shouldn't be allowed through the firewall.
115
You identified a missing patch on a server that would allow an attacker to gain remote control, and patched it. In risk management terms, what did patching it do? (Remove/reduce; threat/vulnerability)
Removed the vulnerability.
116
You need to know about the actions an individual performed on a PC. What's the best starting point to identify those actions?
Ask the individual. AFTER that, check various logs for clues. None of those logs will mention everything that was done.
117
Which of the following is the least volatile?
| RAM, data on a hard drive, backups, remote logs
Backups
118
What does this Linux command do?
| grep -vi example /home/me/myfile.txt
Scans myfile.txt and finds each line that does NOT contain "example", regardless of capitalization.
- v flag looks for lines without the search term
- i flag uses case insensitive matching
119
Scenario: You are trying to determine the risk associated with a DoS attack. No permanent damage is expected from such an attack. Company would lose $75,000 in lost revenue in the event of a successful DoS attack. There is a 10% chance of such an attack succeeding in the next 12 months.
What is the SLE?
$75,000
| SLE is single loss expectancy. The 10% is a distraction.
120
```
What file would an attacker need in order to conduct an offline brute force attack against a Linux system?
A. John the Ripper
B. /etc/passwd
C. /etc/shadow
D. No file needed, just use SSH
```
/etc/shadow contains the password hashes in most types of Linux.
/etc/passwd is just a pointer to etc/shadow.
121
```
Which of these does S/MIME not provide when it is used to protect attachments for email?
A. Authentication
B. Nonrepudiation of the sender
C. Message integrity
D. Data security for the email headers
```
D. Data security for the email headers
122
You need a digital certificate for a new web server. If you have no prior relationship with a CA, what type of certificate can you obtain most quickly?
DV (Domain Validation). These only require verification of domain ownership, which can usually be done through an automated process. All other types (other than self-signed of course) require thorough and time-consuming verification steps.
123
What's the difference between SOC 1 and SOC 2 reports?
A SOC 1 report is designed to address internal controls over financial reporting while a SOC 2 report addresses a service organization's controls that are relevant to their operations and compliance.
Often subcategorized as type 1 or type 2. Type 2 includes assessing the effectiveness of the controls. Type 1 does not do that.
124
You want to secure the BGP traffic that your routers rely on for route info. What should you do?
A. Choose a TLS enabled version of BGP
B. Turn on BGP route protection
C. Use signed BGP by adopting certificates for each BGP peer
D. None of the above
D. None of the above
BGP doesn't HAVE any native security methods. Two solutions that have not be broadly adopted are SIDR and RPLS.
125
```
A device based on an Arduino will be deployed across your organization. What type of device is it, and what should be your focus on securing it?
A. FPGA, network security
B. Microcontroller, physical security
C. GPU, network security
D. ICS, physical security
```
B. Microcontroller, physical security
Arduinos are a form of microcontroller. They don't have networking built in, so focus should be on the physical security of the device.
126
Which of the following is NOT a common concern with IPv6 networks?
A. Scanning sequential IP addresses is no longer viable
B. Blocking ICMP can cause problems
C. Devices may have more than one IP stack and interface
D. Device identification via MAC address is difficult
D. Device identification via MAC address is difficult
IPv6 makes device identification via MAC address EASIER since the IP addresses are configured based on the MAC address.
127
```
Which of these is most likely to provide up-to-date security vulnerabilities info?
A. Academic journal
B. Vendor website
C. Local industry group
D. RFC documents
```
B. Vendor website
Vendors are usually quick to create patches and warn of zero-day vulnerabilities too. RFC documents don't list vulnerabilities at all, and the other two would be much slower.
128
```
You want to deploy one-time passwords to your staff, and be able to support many different sites while also providing the ability to enroll users using MDM. What tool is best?
A. hardware tokens
B. static codes
C. authentication application
D. phone-based push notifications
```
C. authentication application
Examples of such are Google Authenticator, Duo, Microsoft Authenticator. The others aren't managed using MDM.
129
Which of these is NOT true about zero day attacks?
A. They may be found in software or hardware
B. They have a limited window of use
C. They are generally unpatchable
D. They are often widely publicized
D. They are often widely publicized
Usually only known to a small group of researchers (or attackers). If they became widely known then the vendor would create a patch and they would no longer be termed zero-day.
130
What is a fast way to check whether unneeded services have been disabled?
port scan
Vulnerability scan will do this too but port scan is faster.
131
What's a secure replacement for FTP that requires the least additional work through a firewall?
A. FTPS, because is uses stronger encryption
B. SFTP, because it uses the same port as SSH
C. FTPS, because it uses the same port as SSH
D. SFTP, because it uses stronger encryption
B. SFTP, because it uses the same port as SSH
Both FTPS and SFTP offer strong encryption, so A and D are out. SFTP uses the same port as SSH, but FTPS uses a different port.
132
```
Which of these is responsible for providing secrecy in a cryptographic system?
A. message digest
B. key
C. algorithm design
D. algorithm choice
```
B. key
The other choices are often known publicly, including the code to implement the algorithm even. The key is always secret.
133
Which of these is the best example of a fog computing environment?
A. A camera that performs motion detection on board and only sends motion footage to the cloud.
B. A network of oil field sensors that send data to a local IoT gateway for preprocessing.
C. A satellite that streams live weather data back to the cloud datacenter for processing.
D. A vehicle that contains onboard computers that interact with GPS for navigation.
B. A network of oil field sensors that send data to a local IoT gateway for preprocessing.
The camera is a good example of edge computing. Satellite is standard cloud client-server computing. Vehicle isn't using the cloud at all.
134
```
What cloud control can be used to limit remote access to a server instance in the cloud?
A. Resource group
B. CASB
C. HSM
D. Security group
```
D. Security group
This is the equivalent of network firewall rules in an on-prem environment.
135
```
You need to configure a new IoT device. It broadcasts a SSID to allow you to perform initial configuration. After connecting to unsecure WiFi, you can manage the device with an application. What connection model does this use?
A. Point to multipoint
B. WPA2 Enterprise
C. WPA3 Enterprise
D. Point to point
```
D. Point to point
It says unsecure, which rules out B and C. If it were an access point, then that would be point to multipoint. Since it's device to device, it's point to point.
136
```
Which of these is not a common item to include in a contract for an organization that is migrating to a cloud service?
A. right-to-audit clauses
B. right to forensic examination
C. choice of jurisdiction
D. data breach notification timeframe
```
B. right to forensic examination
This is highly unusual. You can ask for details of their incident response process, previous breach notification, and incident documentation shared with customers instead.
137
What mobile device deployment method provides employees with devices that they can use as if they were personally owned?
COPE (company owned, personally enabled)
138
Which way of gaining physical access during daylight hours is least likely to arouse suspicion?
Tailgating
139
```
From the statistics shown here for a biometric authentication system, what is the system's FAR?
Accept, Authorized: 98
Accept, Unauthorized: 16
Reject, Authorized: 2
Reject, Unauthorized: 84
```
8%
that's a total of 200 in the statistics. False acceptance rate is "Accept, Unauthorized", so 16/200 = 8/100 = 8%.
140
What nslookup command should you type to request information only on name servers?
nslookup set type=ns
141
You notice that the POS terminals that accept credit cards in your network have a recent Windows OS vulnerability. These are embedded systems so they can't be patched, and the manufacturer has no update for them. What should you do to stay in compliance with PCI DSS?
Identify, implement, and document compensating controls
142
What sanitization technique uses only logical techniques to remove data, such as overwriting a hard drive with random data?
Clear (usually overwriting 1-3 times) or Wiping (usually overwriting 1-35 times)
143
What's the best way to detect rogue devices attached to the network?
Router and switch-based MAC address reporting
Not only does it tell you that a rogue device is on the network, but it also gives you a starting point for finding where it is physically
144
Which of these sets of security features would best protect your servers in the data center?
A. GPS tracking, Biometrics, Proximity badges, Remote wipe
B. FM-200, Biometric locks, Mantrap, Antivirus
C. Strong passwords, Biometrics, Mantrap, Cable lock
D. Antivirus, Mantrap, Cable lock, GPS tracking
B. FM-200, Biometric locks, Mantrap, Antivirus
FM-200 is a fire extinguishing system often used in server rooms.
Biometric locks are commonly used to lock the access door of a high security area.
Mantrap prevents tailgating into the server room.
Antivirus for defense against intrusions over the network.
Of the other choices, GPS tracking would not help at all most likely. Cable locks aren't needed if the high security area has a single access preventing all but trusted people from entering.
145
Which analysis framework provides a graphical depiction of the attacker's approach relative to a kill chain?
Diamond Model of Intrusion Analysis
146
```
What is the LEAST secure wireless security and encryption protocol?
A. WPA
B. WEP
C. WPA2
D. WPA3
```
B. WEP
Wired Equivalent Privacy.
WPA replaced WEP, then WPA2 replaced WPA, and now we are on the shiny new WPA3 for newest hardware.
147
Which EAP protocol for wireless does not require clients to have a certificate or extra software, but does require mutual authentication?
PEAP
Wrong answers:
EAP-TLS requires certificates on the clients
EAP-TTLS requires additional software to be installed on the clients
EAP-FAST focuses on quick authentication
148
```
Which of the following would be most likely involved with an on-path attack?
A. compromised router
B. browser plug-in
C. compromised server
D. modified hosts file
```
B. browser plug-in
This would be a man-in-the-browser attack
149
What does SSL Stripping look for to perform an on-path attack?
an unencrypted HTTP connection
150
```
Which two items listed will mask PII?
Fingerprint
Gloves
Anonymous proxy server
Tattoo
```
Gloves, anonymous proxy server.
Gloves mask your fingerprints. Anonymous proxy server masks your IP address and location.
Not fingerprint because that IS PII, so it can't mask it. Ditto with tattoo.
151
An attacker gains access to a corporate WiFi network where two employees are exchanging data. The attacker captures network traffic between the two, modifies it, and sends it back on the network. How could this be prevented?
Computer authentication using PKI
If computers on the corporate network have PKI certs from a trusted source configured, then network traffic from hosts not using a PKI cert can be blocked or ignored.
152
```
Which type of attack exploits a web site's trust of a user session?
A. Directory traversal
B. Cross-site request forgery
C. DoS
D. Cross-site scripting
```
B. Cross-site request forgery
This is about exploiting a user session in a different browser tab.
153
Which key does a secured web server use to decrypt a client session key?
Web server's private key. The web server created the client session key in the first place, using the web server's public key.
154
Which of these is the best rule of thumb for deciding whether a risk is acceptable?
A. ARO is less than cost of mitigating the risk
B. ALE is more than cost of mitigating the risk
C. ALE is less than cost of mitigating the risk
D. SLE is less than cost of mitigating the risk
C. ALE is less than cost of mitigating the risk
Annual rather than Single loss expectancy because if a risk is extremely rare the ALE could be very low where the SLE is extremely high. Some risk that has a very low SLE but that is likely to happen thousands of times a year might actually be worth fixing.
155
You have a RAID with six hard disks. Which RAID configuration can you use to protect from a single hard disk failure while maximizing disk space utilization efficiency?
RAID 5
If one disk fails, the parity bits stored on the other disks can be used to restore to a fresh disk. So basically you have 5 disks worth of data. With RAID 1 you would only have 3 disks worth of data. RAID 6 keeps enough parity to restore two failed disks, so there's less room for total data.
156
```
A user gains access to a secure Web application using a digitally signed security token in the form of a Web browser cookie. Which security term best applies to this?
A. Accounting
B. Authorization
C. Availability
D. Authentication
```
B. Authorization
Authorization is what granted him access to the web app.
157
Which OSI layer would be involved in a web browser connecting to a specific URL?
Layer 7 (application)
This is the key on a practice question about which firewall should be configured to block inappropriate web sites, where all the choices were "Layer X firewall"
158
Which of the following is NOT useful in preventing broadcast storms?
A. Disable ARP on all accessible ports
B. Enable STP
C. Enable loop protect features on switches
D. Limit the size of VLANs
A. Disable ARP on all accessible ports
159
```
Which of these is an AAA system?
A. RADIUS
B. SAML
C. OAuth
D. LDAP
```
A. RADIUS
160
You created a Python script on a Linux server named "myScript.py". If you try to run it from the command line it does not execute. What is the most likely reason?
A. You must be logged in as root
B. chgrp was not used to set the owning group
C. script does not include #!/usr/bin/bash python
D. script does not include #!/user/bin/env python
D. script does not include #!/user/bin/env python
To run a Python script you have to either specify the name of the script after the python command, or else the script has to specify the Python engine.
(it's also possible that you didn't make the script executable, but in that case Linux would have complained about not being able to find the file)
161
```
Which of the following is NOT used to prevent or correct routing loops?
A. Split horizon
B. Loop prevention
C. Hold-down timers
D. Flood guard
```
D. Flood guard
Flood guard doesn't do anything about routing loops, it's for DoS attacks.
162
Which of the following would be most difficult to answer based solely on a review of NetFlow records?
A. How much data was exchanged during the attack?
B. What information left the organization?
C. What was the source of the attack?
D. What systems were targeted in the attack?
B. What information left the organization?
NetFlow captures source and destination IP addresses and ports, timestamps, and amount of data transferred in either direction. It does not include payload so there's no way to tell what the data was that was exfiltrated.
163
You have a hardware multifactor authentication token that you push when you want a new authentication code. What algorithm does this token use?
HOTP
This type of token generates passcodes based on a counter that increments each time you press the button, using the HMAC-based one-time password algorithm. A TOTP token would update automatically based on the current time, with no need to press a button.
164
Which of the following is an appropriate use case for an open wireless network?
A. Office network in a building in a remote location.
B. Private network in a home with limited physical access.
C. Guest network for a coffee shop with transient customers.
D. Open wireless networks are never appropriate
C. Guest network for a coffee shop with transient customers.
Even in cases where physical building access is limited, the wireless signal could leak out of the building and be accessible to attackers.
165
You are hardening a database server. An external port scan shows ports 22 and 1433 are open. What is the best action to take to improve the security posture?
A. Close all open ports on the host firewall
B. Close port 22 on the host firewall
C. Close ports 22 and 1433 on the network firewall
D. No action is necessary
C. Close ports 22 and 1433 on the network firewall
We don't want anybody from outside the organization's network using SSH or MS-SQL ports, but we do need that for our internal network.
166
```
What coding technique is MOST helpful in preventing vulnerabilities in your application during the development stage?
A. documentation
B. keeping attack surfaces to a minimum
C. code review
D. design review
```
B. keeping attack surfaces to a minimum
167
```
For a high security facility, which authentication model provides the most security for PHYSICAL access?
A. MFA
B. SSO
C. Photo ID and a security guard check
D. PIN
```
A. MFA
| Multifactor authentication
168
```
Which of the following is the best choice for authenticating to a VPN for remote access?
A. LDAP server
B. Security token
C. Local username and password
D. Call-back security
```
A. LDAP server
169
```
Which of the following allows you to run a public-facing web app but still maintain a private backend with servers that aren't publicly accessible?
A. Virtual private cloud
B. Private IP addressing
C. Proxy server
D. Network address translation
```
A. Virtual private cloud
170
```
Which of the following is a good security control to be used on a smartphone for preventing bluesnarfing attacks?
A. Bluejacking
B. Smartphone lock password
C. Link-level security
D. Call-back security
```
C. Link-level security
| Link-level security authenticates the actual communications link before data transmission begins.
171
```
Which of the following is a good security control for remote computers used at home that connect to the corporate network via VPN, to protect the corporate network from threats originating from the home ISP connection?
A. Anti-spam software
B. Pop-up blocker
C. Host-based firewall
D. Anti-malware software
```
C. Host-based firewall
172
Your web app authenticates users with a CAC and PIN. Which of the following can prevent session cookie hijacking?
A. Disable cross-site scripting
B. Refresh the web browser page after login
C. Disable cookies in the web browser
D. Regenerate session keys and IDs after a successful login
D. Regenerate session keys and IDs after a successful login
This means that a later attempt to use the same session key (either original one or the regenerated one) will fail. (I'm a bit confused on why it would fail, but take their word for it)
173
```
Which of the following is the highest probability risk for a server room?
A. Low temperature
B. Fire
C. War driving
D. Unauthorized access
```
D. Unauthorized access
Fire is dire but unlikely.
174
```
Which secure coding practice helps prevent cross-site request forgery attacks?
A. Session cookie authentication
B. Fuzzing
C. Input validation
D. Cookie privacy
```
A. Session cookie authentication
175
The range of your wireless network is well beyond your facility. What's the best way to prevent users outside of the facility from accessing it?
Lower the power of the wireless transmissions on your access points.
176
```
Which of the following is best suited to prevent, detect, and mitigate physical theft?
A. Security guards
B. Video surveillance
C. Security lighting
D. Perimeter fencing
```
A. Security guards
177
```
Which of these is most likely to help detect a zero-day attack?
A. Logging and auditing
B. Firewall
C. Antivirus software
D. Awareness training
```
D. Awareness training
178
Which of the following will help you prevent unauthorized remote access to your access points?
A. Disable 802.11g/n mixed mode
B. Disable SSID broadcast
C. Restrict remote access to direct wired connections
D. Enable authentication with strong passwords
D. Enable authentication with strong passwords
179
What is the next step after researching and documenting a DRP?
A. have the plan approved by the CEO
B. test the plan
C. store backup copies of the plan offsite
D. store the plan in a locked safe
B. test the plan
180
Which of the following will increase security when using SNMP?
A. Change the "public" community name
B. Ensure the monitoring station is protected by a firewall
C. Disable ICMP
D. Close SNMP TCP and UDP port 161 on the client
A. Change the "public" community name
| The community name acts as a password - it must be changed when SNMP is set up.
181
```
Which of these can be used to make sure OS commands cannot be inserted into web forms and executed?
A. Fuzzing
B. Transitive access
C. Escaping
D. Cross-site scripting
```
C. Escaping
182
```
An end user was on your web app when it crashed, allowing the user access to a command-line prompt with admin access to the system. Which is the security issue the web app has?
A. Command injection
B. Transitive access
C. Fuzzing
D. Buffer overflow
```
B. Transitive access
183
Your organization's legal counsel has instructed you to begin collecting evidence for a pending investigation. What do you need to formally initiate?
Legal hold
184
What can be done outside of the development cycle to improve the quality of the software code?
Known environment penetration testing
185
What is the maximum speed of a 5G network?
10 Gbps
186
What Docker command would you use to start a container named my-container. The container is configured to run on port 443 but you want it to connect using port 4443. Command starts with "sudo docker run -d -p"
sudo docker run -d -p 4443:443 my-container
187
Which Wi-Fi EAP configuring uses both client and server PKI certificates?
EAP-TLS
188
What is the approximate range of Bluetooth Class 2 devices?
30 feet
189
Your small company has a secured WiFi network. What's a convenient way you can provide for guests to immediately connect using their smartphones?
Use NFC tags that contain WiFi connection information.
190
Which hashing algorithm results in a 128-bit fixed output?
MD-5
191
One workstation at your organization has been sending out spam emails. It's only from a single employee's email account, and only from that workstation. It doesn't appear to be spreading. What is the best containment strategy?
Disable the switch port and reset the employee's username/password.
If you simply unplug the workstation from the network, the employee is likely to just plug it back in again. This does prevent the employee from doing his job until he gets a new workstation. Be sure to give the employee remedial cybersecurity awareness training first.
192
What is the major concern with using SMS for MFA?
SMS messages may be accessible to attackers using VoIP or other systems. They can't be encrypted.
193
Which of these is best practice when scheduling vulnerability scans of your data center?
A. Evenly throughout the day
B. Begin at the same time every day
C. During periods of low activity
D. During periods of peak activity to simulate performance under load
C. During periods of low activity
The other options each carry a high risk of causing disruptions to the network of its business operations.
194
```
Which of these key lengths is NOT supported by AES?
256
128
512
192
```
512 bits.
195
What cryptographic technique does WPA use to overcome the weaknesses of WEP?
TKIP
| Temporal Key Integrity Protocol
196
```
What is a key stretching algorithm that is both memory-hardened and CPU-hardened? Choices are:
PBKDF2
Bcrypt
RIPEMD
HMAC
```
Bcrypt.
| PBKDF2 is CPU hardened but not memory hardened. the other two aren't key stretching algorithms at all.
197
Which algorithm did DSS approve for the creation of digital signatures?
DSA
198
```
Which system would be most likely to detect a DDoS SYN flooding attack from across the Internet to a web server in your DMZ?
A. Signature NIDS
B. Heuristic HIDS
C. Behavioral NIDS
D. Heuristic NIDS
```
A. Signature NIDS
| This type of attack is a well known signature. any signature based IDS will spot and report it.
199
```
Which type of DLP would require the least amount of maintenance effort from your organization?
A. Host-based DLP
B. Signature-based DLP
C. Cloud-based DLP
D. Network-based DLP
```
C. Cloud-based DLP
A cloud based DLP would be maintained by the cloud vendor.
200
```
Which of the following is a passive reconnaissance tool?
A. Nmap
B. Nessus
C. Aircrack-ng
D. Metasploit
```
C. Aircrack-ng
The other three actively interact with the target.
201
```
Which cipher suite must you support to ensure compatibility with DNSSEC servers?
A. RSA/MD5
B. RSA/SHA-256
C. RSA/SHA-512
D. RSA/SHA-1
```
D. RSA/SHA-1
SHA-256 and 512 are recommended but not required. MD5 should never be used for cryptographic purposes.
202
What's the best way to sanitize hard drives before they leave your organization if you don't want to destroy them? Possible answers vary, it always wants the best choice of what shows.
In order with most secure first:
* cryptographic erase
* purge, validate and document the sanitization
* wipe
* clear (not recommended, too easy to recover data)
Degaussing destroys the ability of the hard drive to function. Some people just take a hammer to the hard drive or run it through an industrial strength shredder that just chops it into bits.
203
You notice a strange file. What's the best way to check whether it contains malware?
Submit to an open-source intelligence provider like VirusTotal. This quickly analyzes suspicious files and if malware is detected it automatically notifies the security community too.
204
What's the fastest way to determine the current version of SSH running on a web server?
Banner grabbing. Connect to the server using netcat and collect the response, which will include the server's OS and the version of SSH it is running.
Vulnerability scanners can do it too but aren't as fast.
205
When an APT attacks your network/system, what is the typical attack model they use?
Usually it just sits there quietly gathering information. APTs focus is espionage and strategic advantage.
