Attacks, Threats, and Vulnerabilities
Architecture and Design
Implementation
Operations and Incident Response
Governance, Risk, and Compliance
100

An engineer receives an alert from a mobile system equipped with an RFID tag. Upon investigating, the mobile system is missing from its assigned station. Which alarm type prompted the engineer to investigate?

  1. Duress
  2. Proximity
  3. Motion
  4. Circuit

CORRECT ANSWER

2. Proximity


A proximity alarm may use radio frequency ID (RFID) tags and readers that can track the movement of tagged objects within an area. This can form the basis of an alarm system to detect whether someone is trying to remove equipment.

Employees manually trigger a duress alarm if they come under threat. There are many ways of implementing this type of alarm. An automobile key fob with a panic button is an example of a duress alarm.

Linked to a detector, a motion-based alarm is triggered by any movement within an area (defined by the sensitivity and range of the detector).

A circuit-based alarm sounds when the circuit is opened or closed, depending on the type of alarm. A door or window opening or a fence being cut can trigger the alarm.

100

An Identity and Access Management (IAM) system has four main processes. Which of the following is NOT one of the main processes?

  1. Accounting
  2. Identification
  3. Integrity
  4. Authentication

CORRECT ANSWER

3. Integrity


Integrity is the fundamental security goal of keeping organizational information accurate, free of errors, and without unauthorized modifications. However, it is not part of the IAM system. IAM defines the attributes that comprise an entity's identity. The four processes include Authorization, Accounting, Identification, and Authentication.

Accounting is tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted.

Identification is creating an account or ID identifying the user, device, or process on the network.

Authentication is proving that a subject is who or what it claims to be when attempting to access the resource.

100

There are several types of security zones on a network. Analyze network activities to determine which of the following does NOT represent a security zone.

  1. DMZ
  2. Screened host
  3. Wireless
  4. Guest network

CORRECT ANSWER

2. Screened host


A screened host is when a smaller network accesses the Internet using a dual-homed proxy/gateway server.

A Demilitarized Zone (DMZ) is a protected but untrusted area (zone) between the Internet and the private network.

Traffic from wireless networks might be less trusted than traffic from a cabled network. If unauthenticated open access points or authenticated guest Wi-Fi networks exist on the network, admins should keep them isolated.

A guest network is a zone that allows untrusted or semi-trusted hosts on the local network. Examples include publicly accessible computers or visitors bringing their own portable computing devices to the premises.

100

Which term defines the practice of collecting evidence from computer systems to an accepted standard in a court of law?

  1. Forensics
  2. Due process
  3. eDiscovery
  4. Legal hold

CORRECT ANSWER

1. Forensics


Computer forensics is the practice of collecting evidence from computer systems to an accepted standard in a court of law.

Due process is a common law term used in the US and the UK that requires that people be convicted of crimes only following the fair application of the laws of the land.

eDiscovery is a means of filtering the relevant evidence produced from all the data gathered by a forensic examination and storing it in a database in a format to use as evidence in a trial.

Legal hold refers to the fact that information that may be relevant to a court case must be preserved.

100

A company has an annual contract with an outside firm to perform a security audit on their network. The purpose of the annual audit is to determine if the company is in compliance with their internal directives and policies for security control. Select the broad class of security control that accurately demonstrates the purpose of the audit.

  1. Managerial
  2. Technical
  3. Physical
  4. Compensating

CORRECT ANSWER

1. Managerial


A managerial control gives oversight of the information system, including the selection of other security controls. Regular scans and audits are examples of this type of control.

Technical control is implemented as a system (hardware, software, or firmware). For example, firewalls, antivirus software, and OS access control models are technical controls. Technical controls may also be described as logical controls.

Physical controls deter access to premises and hardware. Examples include alarms, gateways, and locks.

A compensating control serves as a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.

200

An IT manager in the aviation sector checks the industry's threat intelligence feed to keep up on the latest threats and ensure the work center implements the best practices in the field. What type of threat intelligence source is the IT manager most likely accessing?

  1. Open Source Intelligence (OSINT)
  2. An Information Sharing and Analysis Center (ISAC)
  3. A vendor website, such as Microsoft's Security Intelligence blog
  4. A closed or proprietary threat intelligence platform

CORRECT ANSWER

2. An Information Sharing and Analysis Center (ISAC)


ISACs are set up to share industry-specific threat intelligence and best practices in critical sectors, such as the aviation industry.

OSINT includes any publicly available intelligence, in addition to threat intelligence services companies operate on an open source basis.

Vendors often post proprietary intelligence on their websites and blogs, free of cost, as a general benefit to their consumers.

Proprietary or closed threat intelligence platforms operate on a paid subscription basis. The security solution provider will also make the most valuable research available early to platform subscribers in the form of blogs, white papers, and webinars.

200

Which of the following is NOT a use of cryptography?

  1. Non-repudiation
  2. Obfuscation
  3. Security through obscurity
  4. Resiliency

CORRECT ANSWER

3. Security through obscurity


Security through obscurity involves keeping something a secret by hiding it, but not necessarily encrypting it. While this can fool the unwitting observer, it is easily detectable by those involved in cybersecurity and their tools.

Non-repudiation means the sender cannot deny sending the message. If the message has been encrypted in a way known only to the sender, it follows that the sender must have composed it.

Obfuscation is the art of making a message difficult to understand. Cryptography is a very effective way of obfuscating a message by encrypting it.

Resiliency occurs when the compromise of a small part of the system is prevented from allowing compromise of the whole system. Cryptography ensures the authentication and integrity of messages delivered over the control system.

200

Consider the types of zones within a network's topology and identify the zone that is considered semi-trusted and requires hosts to authenticate to join.

  1. Private network
  2. Extranet
  3. Internet
  4. Anonymous

CORRECT ANSWER

2. Extranet


An extranet zone is a network of semi-trusted hosts, typically representing business partners, suppliers, or customers. Hosts must authenticate to join the extranet.

A private network (intranet) is a network of trusted hosts owned and controlled by the organization. This type of trusted host network is under administrative control and subject to the security mechanisms set up to defend the network.

Internet, or guest, zones permit anonymous access by untrusted hosts over the Internet. This can also be a mix of anonymous and authenticated access.

Anonymous is not a zone but is a part of the Internet or guest zones.

200

During weekly scans, a system administrator identifies a system that has software installed that goes against security policy. The system administrator removes the system from the network in an attempt to limit the effect of the incident on the remainder of the network. Apply the Computer Security Incident Handling Guide principles to determine which stage of the incident response life cycle the administrator has entered.

  1. Preparation
  2. Identification
  3. Containment, eradication and recovery
  4. Lessons learned

CORRECT ANSWER

3. Containment, eradication and recovery


The system administrator has entered the containment, eradication, and recovery stage by removing the system from the network. This action contains the incident and protects the other network resources. This is also the stage where the administrator will repair the system and bring it back online or replace it.

Preparation is the stage where the admin puts controls in place to prevent the software from being installed.

The identification stage was completed when the scan was conducted and the unauthorized software identified.

The lessons learned stage will occur after the containment, eradication, and recovery stage is completed and lessons learned will be utilized to improve the security of the network.

200

A document contains information about a company that is too valuable to permit any risks, and viewing is severely restricted. Analyze levels of classification and determine the appropriate classification for the document.

  1. Critical
  2. Confidential
  3. Classified
  4. Unclassified

CORRECT ANSWER

1. Critical


Documents labeled as critical contain information that is too valuable to permit any risk of its capture, and viewing is severely restricted.

Documents labeled as confidential contain information that is highly sensitive and is for viewing only by approved persons within the organization or possibly by third parties under a Nondisclosure Agreement (NDA). This classification may also be called low.

Documents labeled as classified contain information whose viewing is limited to persons within an organization or to third parties that are under an NDA. This classification may also be called private, restricted, internal use only, or official use only.

Unclassified documents are unrestricted and anyone can view the document. This document does not contain information that will harm the company if released. This classification is also known as public.

300

A manufacturing company hires a pentesting firm to uncover any vulnerabilities in their network with the understanding that the pen tester receives no information about the company’s system. Which of the following penetration testing strategies is the manufacturing company requesting?

  1. Black box
  2. Sandbox
  3. Gray box
  4. White box

CORRECT ANSWER

1. Black box


Black box (or blind) is when the pen tester receives no privileged information about the network and its security systems. Black box tests are useful for simulating the behavior of an external threat.

A sandbox is a test environment that accurately simulates a production environment. It is not a penetration testing strategy.

Gray box describes the penetration strategy where the pen tester receives some information. Typically, this would resemble the knowledge of junior or non-IT staff to model particular types of insider threats.

White box (or full disclosure) is when the pen tester receives complete access to information about the network. White box tests are useful for simulating the behavior of a privileged insider threat.

300

Biometric authentication methods have different error rates, with some methods being easier to fool than others. An unauthorized user is unlikely to fool which of the following methods?

  1. Fingerprint scan
  2. Retinal scan
  3. Facial recognition
  4. Voice recognition

CORRECT ANSWER

2. Retinal scan


Biometric authentication based on a retinal scan is the hardest method to fool. Retinal scanning is used to identify the patterns of blood vessels within the eye, whereas an iris scan only uses the surface of the eye.

It is possible to obtain a copy of a user's fingerprint and create a mold of it that will fool a fingerprint scanner.

Facial recognition suffers from relatively high false acceptance and rejection rates, and as a result is vulnerable to spoofing.

Voice recognition is subject to impersonation. It is also sensitive to background noise and other environmental factors which can interfere with authentication.

300

Evaluate the following choices based on their potential to lead to a network breach. Select the choice that is NOT a network architecture weakness.

  1. The network architecture is flat.
  2. Services rely on the availability of several different systems.
  3. The network relies on a single hardware server.
  4. Not all hosts on the network can talk to one another.

CORRECT ANSWER

4. Not all hosts on the network can talk to one another.


It is good that not all the hosts can talk to each other. If any host can contact any other host, an attacker who penetrates the network edge gains freedom of movement.

A flat architecture is where all hosts can contact each other, exposing an overdependence on perimeter security.

When services rely on several different systems, the failure of one will affect the overall performance of other network services.

Relying on a single hardware server represents a single point of failure, meaning the whole network crashes if the server goes down.

300

An engineer retrieves data for a legal investigation related to an internal fraud case. The data in question is from an NTFS volume. What will the engineer have to consider with NTFS when documenting a data timeline?

  1. UTC time
  2. NTP Server
  3. Time server
  4. DHCP server

CORRECT ANSWER

1. UTC time


NTFS uses UTC "internally." When collecting evidence, it is vital to establish the procedure to calculate a timestamp and note the difference between the local system time and UTC.

Devices might be pointed towards an NTP server to synchronize time, but the engineer will need to record the times that the actual device itself is registering. 

Most computers have the clock configured to synchronize to a Network Time Protocol (NTP) server. Closely synchronized time is important for authentication and audit systems to work properly.

A Dynamic Host Configuration Protocol (DHCP) server is not associated with time. A DHCP server distributes IP addresses to clients on the network. These logs could be helpful though during the investigation. 

300

A cyber team is tasked with reviewing the organization’s end-user policies for employees after critical information was found on a public GitHub repository. What conduct policy protects the organization from the security and legal implications of employees misusing company assets?

  1. Code of Conduct
  2. Clean Desk
  3. Capture the Flag
  4. Acceptable Use Policy 

CORRECT ANSWER

4. Acceptable Use Policy



Enforcing an acceptable use policy (AUP) is important to protect the organization from the security and legal implications of employees misusing its equipment.

A code of conduct, or rules of behavior, sets out expected professional standards, such as for employees' use of social media and file sharing, which can pose substantial risks to the organization, including the threat of virus infection or systems intrusion.

A clean desk policy means that each employee's work area should be free from any documents left there.

Capture the Flag (CTF) is a training technique, typically used in ethical hacker training programs and gamified competitions, and not a personnel policy.

400

Compare the types of Distributed Denial of Service (DDoS) attacks and select the best example of a synchronize (SYN) flood attack.

  1. A group of attackers work together to form an attack on a network.
  2. An attack consumes all of the network bandwidth resulting in denial to legitimate hosts.
  3. Client IP addresses are spoofed to misdirect the server's SYN/ACK packet increasing session queues.
  4. A client's IP address is spoofed and pings the broadcast address of a third-party network with many hosts.

CORRECT ANSWER

3. Client IP addresses are spoofed to misdirect the server's SYN/ACK packet increasing session queues.


A SYN flood attack works by withholding clients' ACK packets during TCP's three-way handshakes, which fills the server's session queue and prevents other legitimate clients from connecting. The server continues to send SYN/ACK packets because it receives no acknowledgment, and the half-open sessions do not time out until some time later.

A coordinated attack occurs when a group of attackers engage together against a well-known company or government institution.

DDoS attacks can be simple and just focus on consuming network bandwidth resulting in the denial of legitimate hosts.

A smurf attack occurs when the adversary spoofs the client's IP address and pings the broadcast address of a third-party network with many hosts. This is known as amplification.

400

When using a digital envelope to exchange key information, the use of what key agreement mitigates the risk inherent in the Rivest–Shamir–Adleman (RSA) algorithm, and by what means?

  1. Perfect forward secrecy (PFS) uses Diffie-Hellman (DH) key agreement to create ephemeral session keys without using the server's private key.
  2. The Cipher Block Chaining (CBC) key agreement mode uses an initialization vector (IV) to create ephemeral session keys without using the server’s private key.
  3. Counter mode in key agreement makes the advanced encryption standard (AES) algorithm work as a stream cipher, by applying an initialization vector to issue a security certificate.
  4. A certificate authority (CA) validates the public key’s owner and creates an initialization vector to protect the exchange from snooping.

CORRECT ANSWER

1. Perfect forward secrecy (PFS) uses Diffie-Hellman (DH) key agreement to create ephemeral session keys without using the server's private key.


Perfect forward secrecy (PFS) mitigates the risk from RSA key exchange, using Diffie-Hellman (DH) key agreement to create ephemeral session keys without using the server's private key.

Modes of operation refer to AES use in a cipher suite. Cipher Block Chaining (CBC) mode applies an initialization vector (IV) to a chain of plaintext data and uses padding to fill out blocks of data.

Counter mode makes the AES algorithm work as a stream cipher. Each block of data can be processed individually and in parallel, improving performance.

A certificate authority (CA) validates the owner of a public key, issuing a signed certificate. The process of issuing and verifying certificates is called public key infrastructure (PKI).

400

Based on knowledge of the fundamentals of One-time Passwords (OTP), which of the following choices represents the problem that exists with HMAC-based One-time Password Algorithm (HOTP) and is addressed by Time-based One-time Password Algorithm (TOTP)?

  1. HOTP is not configured with a shared secret.
  2. The server is not configured with a counter in HOTP.
  3. Only the HOTP server computes the hash.
  4. Tokens can be allowed to continue without expiring in HOTP.

CORRECT ANSWER

4. Tokens can be allowed to continue without expiring in HOTP.


Tokens can persist unexpired in HOTP, increasing the risk of an attacker obtaining one and decrypting data in the future. TOTP addresses this by adding a value to the shared secret derived from the device’s and server’s local timestamp. TOTP automatically expires each token after a short window of time.

The authentication server and client token are configured with the same shared secret in HOTP.

The HOTP server is configured with a counter, which is combined with the shared secret to create a one-time password. When the HOTP value is authenticated, the counter increments by one.

The server and the device both compute the hash and derive a 6-8 digit HOTP value.

400

A systems breach occurs at a financial organization. The system in question contains highly valuable data. When performing data acquisition for an investigation, which component does an engineer acquire first?

  1. RAM
  2. Browser cache
  3. SSD data
  4. Disk controller cache

CORRECT ANSWER

4. Disk controller cache


The order of volatility outlines a general list of which components the engineer should examine for data. The engineer should first examine CPU registers and cache memory (including the cache on disk controllers and GPUs).

The engineer should acquire contents of nonpersistent system memory (RAM), including routing tables, ARP caches, process tables, and kernel statistics after any cache memory.

The engineer performs data acquisition on persistent mass storage devices after any available system caches or memory. This includes temporary files, such as those found in a browser cache.

The engineer performs data acquisition on persistent mass storage devices (such as HDDs or SSDs) after any available system caches or memory.

400

An employee is working on a project that contains critical data for the company. In order to meet deadlines, the employee decides to email the document containing the data to their personal email to work on at home. Consider the traits of Data Loss Prevention (DLP) and evaluate the scenario to select the DLP remediation the company should utilize.

  1. The company should allow the employee to email the document to their personal email and trust that the employee will take proper security precautions.
  2. Employee should be notified of the AUP violation, and the incident should be recorded for future reference.
  3. The company should utilize network DLP remediation to block all email traffic containing sensitive data.
  4. The company should not take any remediation actions as the employee is just working from home and there is no risk of data loss.

CORRECT ANSWER

2. Employee should be notified of the AUP violation, and the incident should be recorded for future reference. 


Enforcing an acceptable use policy (AUP) is important to protect the organization from the security and legal implications of employees misusing its equipment and/or risking its data. 

Allowing sensitive data to be sent to a personal email account can increase the risk of data loss or theft, as personal email accounts are often less secure than corporate email accounts and may not have the same level of data protection measures in place.

While network DLP remediation can be effective in preventing the accidental or intentional transmission of sensitive data, it can also be inflexible, as it may block all email traffic, including legitimate email communications, if it contains sensitive data.

There is always a risk of data loss or theft, regardless of whether the employee is working from home or in the office, and it is important to take appropriate security measures to protect sensitive data.

500

Given that layer 2 does not recognize Time to Live, evaluate the potential problems to determine which of the following options prevents this issue.

  1. ICMP
  2. L2TP
  3. NTP
  4. STP

CORRECT ANSWER

4. STP


STP (Spanning Tree Protocol) is a switching protocol that prevents network loops by dynamically disabling links as needed. Since layer 2 protocols have no concept of Time To Live, layer 2 broadcast traffic could continue to loop indefinitely through a network with multiple paths.

ICMP (Internet Control Message Protocol) is an IP-level protocol for reporting errors and status information that supports the function of troubleshooting utilities such as ping.

L2TP (Layer 2 Tunneling Protocol) is the standard VPN (Virtual Private Network) protocol for tunneling point-to-point sessions across a variety of network protocols.

NTP (Network Time Protocol) is a Transmission Control Protocol/Internet Protocol (TCP/IP) application protocol that allows machines to synchronize to the same time clock; it runs over UDP port 123.

500

A systems engineer configures a disk volume with a Redundant Array of Independent Disks (RAID) solution. Which solution does the engineer utilize when allowing for the failure of two disks?

  1. Level 1
  2. Level 0
  3. Level 5
  4. Level 6

CORRECT ANSWER

4. Level 6


Redundant Array of Independent Disks (RAID) Level 6 has double parity, that is, Level 5 with an additional parity stripe. This allows the volume to continue operating when two disks have been lost.

Level 1 uses mirroring where data is written to two disks simultaneously, which provides redundancy. The main drawback is its storage efficiency is only 50%.

RAID Level 0 is striping without parity resulting in no fault tolerance. Data is written in blocks across several disks.

RAID Level 5 has striping with parity. Data is written across three or more disks, with additional parity information calculated and stored. This allows the volume to continue if one disk is lost. This solution has better storage efficiency than RAID 1.

500

Compare and evaluate the various levels and types of security found within a Trusted OS (TOS) to deduce which scenario is an example of a hardware Root of Trust (RoT).

  1. A security system is designed to prevent a computer from being hijacked by a malicious operating system.
  2. The boot metrics and operating system files are checked, and signatures verified at logon.
  3. Digital certificates, keys, and hashed passwords are maintained in hardware-based storage.
  4. The industry standard program code that is designed to operate the essential components of a system.

CORRECT ANSWER

2. The boot metrics and operating system files are checked, and signatures verified at logon.


A hardware RoT, or trust anchor, is a secure subsystem that can provide attestation. When a computer joins a network, it may submit a report to the NAC declaring valid OS files. The RoT scans the boot metrics and OS files to verify their signatures.

A secure boot is a security system designed to prevent a computer from being hijacked by a malicious OS.

A Trusted Platform Module (TPM) is a specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information.

The Basic Input/Output System (BIOS) provides an industry standard program code that operates the essential components of the PC and ensures that the design of each manufacturer's motherboard is PC compatible.

500

An engineer creates a set of tasks that queries information and runs some PowerShell commands to automate several stages of the process, including the identification of threats and other malicious activity on multiple servers. The engineer defines these tasks using which of the following?

  1. Runbook
  2. Playbook
  3. Orchestration
  4. Automation

CORRECT ANSWER

1. Runbook


A runbook aims to automate as many stages of the playbook as possible, while leaving clearly defined interaction points for human analysis.

A playbook is a type of list usually referred to as an incident response workflow. A playbook is a checklist of actions to perform, to detect and respond to a specific type of incident.

Orchestration is the action of coordinating multiple automations (and possibly manual activity) to perform a complex, multistep task.

Automation, unlike orchestration, is the action of scripting a single activity.

500

A new cloud-based application will replicate its data on a global scale, but will exclude residents of the European Union. Which concerns should the organization that provides the data to consumers take into consideration? (Answer all that apply.)

  1. General Data Protection Regulations (GDPR)
  2. Sovereignty
  3. Data Location
  4. Roles

CORRECT ANSWERS

2. Sovereignty

3. Data Location


Data sovereignty refers to a jurisdiction preventing or restricting processing and storage from taking place on systems that do not physically reside within that jurisdiction.

Storage locations might have to be carefully selected to mitigate data sovereignty issues. Most cloud providers allow a choice of data centers for processing and storage.

GDPR protections extend to any EU citizen while they are within EU or EEA (European Economic Area) borders.

There are important institutional governance roles for oversight and management of information assets within a data life cycle. These roles help to manage and maintain data.
