Attacks, Threats, and Vulnerabilities
Architecture and Design
Implementation
Operations and Incident Response
Governance, Risk, and Compliance
100

What is Open Source Intelligence (OSINT)?

  1. Obtaining information, physical access to premises, or even access to a user account through the art of persuasion
  2. The means the organization will take to protect the confidentiality, availability, and integrity of sensitive data and resources
  3. Using web search tools and social media to obtain information about the target
  4. Using software tools to obtain information about a host or network topology

CORRECT ANSWER

3. Using web search tools and social media to obtain information about the target


OSINT is using web search tools and social media to obtain information about the target. It requires almost no privileged access as it relies on finding information that the company makes publicly available, whether intentionally or not.

Obtaining information, physical access to premises, or access to a user account through the art of persuasion is social engineering.

The means the organization will take to protect the confidentiality, availability, and integrity of sensitive data and resources is considered a security policy.

Using software tools to obtain information about a host or network topology is considered scanning.

100

A system administrator downloads and installs software from a vendor website. Soon after installing the software, the administrator’s computer is taken over remotely. After closer investigation, the software package was modified, probably while it was downloading. What action could have prevented this incident from occurring?

  1. Validate the software using a checksum
  2. Validate the software using a private certificate
  3. Validate the software using a key signing key
  4. Validate the software using Kerberos

CORRECT ANSWER

1. Validate the software using a checksum


The administrator should have validated the software with a checksum: a cryptographic hash algorithm (such as SHA-256) generates a fixed-length digest from the file contents, and any change to the file, however small, produces a different digest. Comparing the digest of the downloaded file with the one the vendor publishes detects the modification. The published digest must be obtained over a channel that an attacker on the download path cannot alter (for example a separately served HTTPS page or a signed release manifest); a digest fetched from the same compromised mirror proves nothing.

A private certificate does not validate software.

A key signing key is associated with Domain Name System Security Extensions (DNSSEC), which validates DNS responses to help mitigate spoofing and poisoning attacks. It does not apply to software.

Kerberos is an authentication service based on a time-sensitive ticket-granting system. It is used to validate users, not software.
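As an added example, not part of the original page or any vendor's tooling, the following Python shows the check the administrator skipped: hashing the downloaded artifact and comparing it against a digest published out of band. The package bytes, the "published" digest and the trojan stub are all constructed here so the example runs offline.

```python
import hashlib
import hmac

# Constructed sample standing in for the installer downloaded from the vendor site.
ORIGINAL_PACKAGE = b"vendor-tool-1.2 installer payload"

# Digest the vendor publishes over a separate, trusted channel (for example a signed
# release page). Computed from ORIGINAL_PACKAGE here only so the example is self-contained.
PUBLISHED_SHA256 = hashlib.sha256(ORIGINAL_PACKAGE).hexdigest()


def sha256_of(data: bytes, chunk_size: int = 65536) -> str:
    """Hash an artifact in chunks, the same pattern used when reading a large file from disk."""
    h = hashlib.sha256()
    for start in range(0, len(data), chunk_size):
        h.update(data[start:start + chunk_size])
    return h.hexdigest()


def verify_download(data: bytes, expected_hex: str) -> bool:
    """True only if the artifact's SHA-256 equals the published digest.

    compare_digest is not strictly needed for a public hash, but it is the comparison
    habit to keep for anything secret (MACs, tokens), so it is used here too.
    """
    return hmac.compare_digest(sha256_of(data).lower(), expected_hex.strip().lower())


def check_install(data: bytes, expected_hex: str) -> str:
    """Gate the install step on the digest check instead of running whatever was downloaded."""
    if not verify_download(data, expected_hex):
        return "REJECT: digest mismatch, do not install"
    return "OK: digest matches published value"


if __name__ == "__main__":
    tampered = ORIGINAL_PACKAGE + b"\x90\x90 trojan stub"  # constructed in-transit modification
    print(check_install(ORIGINAL_PACKAGE, PUBLISHED_SHA256))
    print(check_install(tampered, PUBLISHED_SHA256))
```

A bare checksum protects against a modified download only if the attacker cannot also replace the published digest; when both come from the same mirror, a man-in-the-middle can swap both. Code signing, or a detached PGP signature over the release, ties the digest to the vendor's key and closes that gap.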

100

An employee handling key management discovers that a private key has been compromised. Evaluate the stages of a key's life cycle and determine which stage the employee initiates upon learning of the compromise.

  1. Certificate generation
  2. Key generation
  3. Expiration and renewal
  4. Revocation

CORRECT ANSWER

4. Revocation


Upon learning of a compromise, the current key should be revoked, and a new key can then be generated.

Certificate generation identifies the public part of a key pair as belonging to a subject, and the subject submits it for signing by the CA as a digital certificate with the appropriate key usage.

Key generation occurs when a key pair is first created, before its initial distribution, or when a replacement is needed after a key has been revoked.

Expiration and renewal apply to a key pair that has not been revoked: each key is issued with a limited lifetime, after which it expires and must be renewed or replaced. Giving keys a finite shelf-life limits how long an undetected compromise can be exploited.

100

An organization plans the destruction of old flash drives. In an attempt to erase the media, an employee uses an electromagnet, only to discover that it did not destroy the data. Which method has the employee tried?

  1. Pulping
  2. Degaussing
  3. Pulverizing
  4. Burning

CORRECT ANSWER

2. Degaussing


Degaussing involves exposing a magnetic hard disk to a powerful electromagnet. This disrupts the magnetic pattern that stores the data on the disk surface. Degaussing cannot erase non-magnetic disks, such as flash drives.

Pulping involves mixing any shredded remains of destroyed documents with water to provide an extra measure of protection.

Pulverizing involves destroying media by impact. It is important to note that hitting a hard drive with a hammer can actually leave a surprising amount of recoverable data. Industrial machinery should perform this type of destruction.

Burning or incineration is an effective method for all media types, as long as a furnace designed for media sanitization performs the task.

100

The _____ requires federal agencies to develop security policies for computer systems that process confidential information.

  1. Sarbanes-Oxley Act (SOX)
  2. Computer Security Act
  3. Federal Information Security Management Act (FISMA)
  4. Gramm-Leach-Bliley Act (GLBA)

CORRECT ANSWER

2. Computer Security Act


The Computer Security Act (1987) specifically requires federal agencies to develop security policies for computer systems that process confidential information.

The Sarbanes-Oxley Act (2002) mandates the implementation of risk assessments, internal controls and audit procedures. It applies to publicly traded companies rather than to federal agencies.

The Federal Information Security Management Act (2002) governs the security of data processed by federal government agencies. This act requires agencies to implement an information security program.

The Gramm-Leach-Bliley Act (1999) is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information.

200

Analyze the types of password cracker attacks to determine which scenario best describes a brute force attack.

  1. An attacker guesses the password using software that enumerates values in the dictionary
  2. An attacker uses a precomputed lookup table of all possible passwords and their matching hashes
  3. An attacker attempts every possible combination in the key space in order to derive a plaintext password from a hash
  4. An attacker tests dictionary words and names in combination with several numeric prefixes

CORRECT ANSWER

3. An attacker attempts every possible combination in the key space in order to derive a plaintext password from a hash


A brute force attack attempts every possible combination in the key space in order to derive a plaintext password from a hash. For a cryptographic key, the key space is determined by the number of bits; for a password, it is determined by the character set and the maximum length being tried, so both complexity and length enlarge it.

A hybrid password attack uses a combination of dictionary and brute force attacks. It is principally targeted against naively strong passwords, such as a dictionary word with a number added. The password cracking algorithm tests dictionary words and names in combination with several numeric prefixes or suffixes.

A rainbow table attack refines the dictionary approach. The attacker uses a precomputed lookup table of all possible passwords and their matching hashes, trading storage for cracking time. Salting each stored hash defeats precomputed tables, because the table would have to be rebuilt for every salt.

A dictionary attack can be used where there is a good chance of guessing the likely value of the plaintext, such as a non-complex password.
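The four attack types above, carried out against SHA-256 hashes in Python as an added example (not code from the original page). The wordlist, target passwords and salt are constructed; real attacks use large wordlists and GPU crackers, but the enumeration logic is the same.

```python
import hashlib
import itertools
import string

# Constructed wordlist standing in for a real dictionary file such as rockyou.txt.
WORDLIST = ["password", "letmein", "dragon", "summer", "welcome"]


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def dictionary_attack(target_hash, words=WORDLIST):
    """Hash each likely value and compare; cheap, but only finds passwords in the list."""
    for word in words:
        if sha256_hex(word) == target_hash:
            return word
    return None


def hybrid_attack(target_hash, words=WORDLIST, numbers=range(100)):
    """Dictionary words combined with numeric prefixes/suffixes, e.g. 'summer21' or '7dragon'."""
    for word in words:
        for n in numbers:
            for candidate in (f"{word}{n}", f"{n}{word}", f"{word}{n:02d}"):
                if sha256_hex(candidate) == target_hash:
                    return candidate
    return None


def key_space(alphabet_size, max_len):
    """Number of candidates a brute force must cover for lengths 1..max_len."""
    return sum(alphabet_size ** length for length in range(1, max_len + 1))


def brute_force(target_hash, alphabet=string.ascii_lowercase + string.digits, max_len=4):
    """Enumerate the whole key space, shortest candidates first; cost grows as alphabet**length."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


def build_rainbow_table(words=WORDLIST):
    """Simplified rainbow table: a precomputed hash -> password map. Real tables compress
    this with hash chains and reduction functions, but the lookup idea is the same."""
    return {sha256_hex(word): word for word in words}


def rainbow_lookup(target_hash, table):
    return table.get(target_hash)


def salted_hash(password: str, salt: bytes) -> str:
    """A per-user salt changes every stored hash, so a table precomputed without it misses."""
    return hashlib.sha256(salt + password.encode()).hexdigest()
```

Password stores should therefore use a slow, salted hash (bcrypt, scrypt or Argon2) so that each guess in any of these attacks costs the attacker far more than one SHA-256.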

200

Evaluate how identification and authentication are distinct in their functions. Which of the following scenarios best illustrates a user being authenticated?

  1. A user accesses a system by having their face scanned.
  2. A system administrator sets up a user account for a new employee after HR sends employment verification.
  3. An administrator sends an initial password to a new telecommuting employee through a VPN.
  4. A user is assigned an SID.

CORRECT ANSWER

1. A user accesses a system by having their face scanned.


A face scan is a biometric, a "something you are" authentication factor. Facial recognition is a physiological biometric, based on a physical characteristic, as distinct from behavioral biometrics such as typing rhythm or gait.

Creating a user account based on an official company document is an identification process called identity proofing, or verifying subjects are who they say they are.

By creating and sending the initial password over a Virtual Private Network (VPN), the administrator is implementing secure transmission of credentials, which is part of the identification (enrollment) process rather than authentication.

Identification of a subject on a computer system is done through an account. An account consists of an identifier, credentials, and a profile. Each identifier must be unique, which is accomplished with a Security Identifier (SID) string.

200

Where should an administrator place an internet-facing host on the network?

  1. DMZ
  2. Bastion host
  3. Extranet
  4. Private network

CORRECT ANSWER

1. DMZ


Internet-facing hosts reside in one or more Demilitarized Zones (DMZs), or perimeter networks. Traffic from the Internet cannot pass through the DMZ directly into the internal network; instead the DMZ lets external clients reach public-facing services, such as web servers, without exposing the internal network if a DMZ host is compromised.

Bastion hosts reside in a DMZ and are not fully trusted by the internal network due to the possibility of Internet compromise.

An extranet is a network of semi-trusted hosts, typically representing business partners, suppliers, or customers. Hosts must authenticate to join the extranet.

A private network or intranet is a network of trusted hosts owned and controlled by the organization. It should never be Internet-facing.

200

Which of the following is an example of the process of identifying and de-duplicating files and metadata to be stored for evidence in a trial?

  1. Legal hold
  2. Forensics
  3. eDiscovery
  4. Due process

CORRECT ANSWER

3. eDiscovery


eDiscovery is a means of filtering the relevant evidence produced from all the data gathered by a forensic examination and storing it in a database in a format to use as evidence in a trial.

Legal hold refers to the fact that information that may be relevant to a court case must be preserved.

Forensics is the practice of collecting evidence from computer systems to an accepted standard in a court of law.

Due process is a term used in common law to require that people only be convicted of crimes following the fair application of the laws of the land.

200

Management of a company identifies priorities during a risk management exercise. By doing so, which risk management approach does management use?

  1. Inherent risk
  2. Risk posture
  3. Risk transference
  4. Risk avoidance

CORRECT ANSWER

2. Risk posture


Risk posture is the overall status of risk management. Identifying and prioritizing risks establishes the organization's risk posture, which in turn shows management which risk response options to pursue and in what order.

The result of a quantitative or qualitative analysis is a measure of inherent risk. Inherent risk is the level of risk before attempting any type of mitigation.

Transference means assigning risk to a third party, such as an insurance company or a contract with a supplier that defines liabilities.

Risk avoidance means that management halts the activity that is risk-bearing. For example, management may discontinue a flawed product to avoid risk.

300

During the planning/scoping phase of the kill chain, an attacker decides that a Distributed Denial of Service (DDoS) attack would be the best way to disrupt the target website and remain anonymous. Evaluate the following explanations to determine the reason the attacker chose a DDoS attack.

  1. A DDoS attack can launch via covert channels
  2. DDoS attacks utilize botnets
  3. A DDoS attack creates a backdoor to a website
  4. DDoS attacks use impersonation

CORRECT ANSWER

2. DDoS attacks utilize botnets


DDoS uses a botnet to launch the attack. Distributed means the attack launches from multiple, compromised computers and devices, which is a botnet. Since the attack will come from multiple IP addresses, it will mask the identity of the attacker.

A covert channel is a means of secretly communicating with a compromised machine. The purpose of a DDoS is to overload the target so it’s unavailable to legitimate users, not to communicate with it.

A backdoor is a mechanism for gaining access to a computer that bypasses the normal method of authentication. DDoS aims to deny service, not gain access.

DDoS attacks do not use impersonation, which is a social engineering technique where one pretends to be someone else.

300

An organization plans a move of systems to the cloud. In order to identify and assign areas of risk, which solution does the organization establish to contractually specify cloud service provider responsibilities?

  1. Service level agreement
  2. Trust relationship
  3. Responsibilities matrix
  4. High availability

CORRECT ANSWER

1. Service level agreement


It is imperative to identify precisely which risks are transferring to the cloud, which risks the service provider is undertaking, and which risks remain with the organization. A service level agreement (SLA) outlines those risks and responsibilities.

A trust relationship simply defines the relationship with a cloud service provider. The more important the service is to a business, the more risk the business invests in that trust relationship.

A responsibility matrix is a good way to identify what risks exist, and who is responsible for them. The matrix can be part of an SLA.

High availability is an approach to keeping a system operational with minimal downtime; it describes a service goal, not a contractual assignment of responsibilities.

300

A systems administrator configures several subnets within a virtual private cloud (VPC). The VPC has an Internet gateway attached to it, however, the subnets remain private. What does the administrator do to make the subnets accessible by the public?

  1. Configure any VPC endpoints.
  2. Create a VPN between VPCs.
  3. Configure a default route for each subnet.
  4. Create a VPC for each subnet.

CORRECT ANSWER

3. Configure a default route for each subnet.


The administrator must configure the Internet gateway as the default route for each public subnet. If the admin does not configure a default route, the subnet remains private, even if the VPC has an Internet gateway attached to it.

Connections to other services such as storage or services running in other VPCs are possible with VPC endpoint configurations.

While VPCs remain private from each other, the administrator can use a CSP-managed peering feature or a VPN to connect VPCs; this links networks but does not expose subnets to the public.

Multiple VPCs are not required. A VPC is an isolated virtual cloud that can contain many subnets.
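An added example, not from the original page or any cloud provider's SDK, that audits the situation described: given route tables in the shape the AWS API returns (the igw-, nat- and rtb- identifiers are assumed AWS-style placeholders), it classifies each subnet and applies the administrator's fix by adding the default route.

```python
import copy
from ipaddress import ip_network

# Constructed route tables and subnet associations (a subset of the fields the cloud API
# returns). Not taken from a real account.
ROUTE_TABLES = {
    "rtb-public": {"routes": [
        {"destination": "10.0.0.0/16", "target": "local"},
        {"destination": "0.0.0.0/0", "target": "igw-0abc"},   # default route to the Internet gateway
    ]},
    "rtb-private": {"routes": [
        {"destination": "10.0.0.0/16", "target": "local"},    # no default route: unreachable from outside
    ]},
    "rtb-nat": {"routes": [
        {"destination": "10.0.0.0/16", "target": "local"},
        {"destination": "0.0.0.0/0", "target": "nat-0def"},   # outbound only, via a NAT gateway
    ]},
}
SUBNET_TO_TABLE = {"subnet-web": "rtb-public", "subnet-db": "rtb-private", "subnet-app": "rtb-nat"}


def is_default_route(route):
    """A default route is the all-zero prefix in either address family (0.0.0.0/0 or ::/0)."""
    return ip_network(route["destination"]).prefixlen == 0


def classify_subnet(subnet_id, subnets=SUBNET_TO_TABLE, tables=ROUTE_TABLES):
    """'public' only when the default route points at an Internet gateway. A NAT gateway gives
    egress without inbound reachability, and no default route at all keeps the subnet private."""
    for route in tables[subnets[subnet_id]]["routes"]:
        if is_default_route(route):
            if route["target"].startswith("igw-"):
                return "public"
            if route["target"].startswith("nat-"):
                return "private (egress via NAT)"
    return "private"


def make_public(tables, table_id, igw_id):
    """The administrator's fix: add 0.0.0.0/0 -> IGW to the subnet's route table.
    Returns a modified copy so the original audit data is untouched."""
    updated = copy.deepcopy(tables)
    routes = updated[table_id]["routes"]
    routes[:] = [r for r in routes if not is_default_route(r)]  # replace any existing default
    routes.append({"destination": "0.0.0.0/0", "target": igw_id})
    return updated


def audit(subnets=SUBNET_TO_TABLE, tables=ROUTE_TABLES):
    """Inventory which subnets are actually exposed; an IGW attached to the VPC is not enough."""
    return {sid: classify_subnet(sid, subnets, tables) for sid in subnets}
```

A route to the IGW is necessary but not sufficient: instances also need a public or Elastic IP address, and security groups and network ACLs must permit the traffic. Check all three before calling a subnet reachable.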

300

Arrange the following stages of the incident response life cycle in the correct order.

  1. Preparation; Identification; Containment, Eradication, and Recovery; Lessons Learned
  2. Identification; Preparation; Containment, Eradication, and Recovery; Lessons Learned
  3. Containment, Eradication, and Recovery; Identification; Preparation; Lessons Learned
  4. Identification; Containment, Eradication, and Recovery; Preparation; Lessons Learned

CORRECT ANSWER

1. Preparation; Identification; Containment, Eradication, and Recovery; Lessons Learned


Stage 1. Preparation requires making the system resilient to attack in the first place (hardening systems, writing policies and procedures, and establishing confidential lines of communication).

Stage 2. Identification involves determining whether an incident has taken place and assessing how severe it might be, followed by notification of the incident to stakeholders.

Stage 3. Containment, Eradication, and Recovery are limiting the scope and impact of the incident. Once the incident is contained, the cause can then be removed and the system brought back to a secure state.

Stage 4. Lessons learned consists of analyzing the incident and responses to identify whether procedures or systems could be improved. It is imperative to document the incident.

300

A company performs risk management. Which action identifies a risk response approach?

  1. A company develops a list of processes necessary for the company to operate.
  2. A company develops a countermeasure for an identified risk.
  3. A company conducts penetration testing to search for vulnerabilities.
  4. A company determines how the company will be affected in the event a vulnerability is exploited.

CORRECT ANSWER

2. A company develops a countermeasure for an identified risk.


The fifth phase of risk management is identifying risk response. A countermeasure should be identified for each risk and the cost of deploying additional security controls should be assessed.

The first phase of risk management is to identify mission essential functions. Mitigating risk can involve a large amount of expenditure, so it is important to focus efforts. Part of risk management is to analyze workflows and identify the mission essential functions that could cause the whole business to fail if they are not performed.

The second phase of risk management is to identify vulnerabilities for each function or workflow. This includes analyzing systems and assets to discover, and list any vulnerabilities or weaknesses they may be susceptible to.

The fourth phase of risk management is to analyze business impacts, the likelihood of a vulnerability being activated as a security incident by a threat, and the impact that incident may have on critical systems.

400

When a company attempts to re-register their domain name, they find that an attacker has supplied false credentials to the domain registrar and redirected their host records to a different IP address. What type of attack has occurred?

  1. Domain hijacking
  2. Domain Name System (DNS) client cache poisoning
  3. Rogue Dynamic Host Configuration Protocol (DHCP) server
  4. Domain Name System (DNS) server cache poisoning

CORRECT ANSWER

1. Domain hijacking


In domain hijacking (or brandjacking), the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity.

Before DNS is contacted, the client checks a local text file named HOSTS, which may contain name-to-IP address mappings. If an attacker can place a false mapping in the HOSTS file, poisoning the client's name resolution, the attacker can redirect traffic without touching any DNS server.

The Dynamic Host Configuration Protocol (DHCP) facilitates automatic network address allocation. If an attacker establishes a rogue DHCP, it can perform DoS or snoop on network information.

DNS server cache poisoning corrupts records within the DNS server itself.

400

A company has recently started using a Platform as a Service (PaaS). Compare cloud service types to determine what is being deployed.

  1. The company has leased storage on an as-needed basis.
  2. The company has leased a suite of applications that were outside of the budget to purchase outright.
  3. The company has outsourced the responsibility for information assurance.
  4. The company has leased both software and infrastructure resources.

CORRECT ANSWER

4. The company has leased both software and infrastructure resources. 


IaaS is a means of provisioning resources such as servers, load balancers, and Storage Area Network (SAN) components quickly.

SaaS is a different model of provisioning software applications. Rather than purchasing software licenses for a given number of seats, a business can access software hosted on a supplier's servers on a pay-as-you-go or lease arrangement.

Managed Security Services Provider (MSSP) is a means of fully outsourcing responsibility for information assurance to a third party.

Platform as a service (PaaS) provides resources somewhere between SaaS and IaaS. A typical PaaS solution would provide servers and storage network infrastructure (as per IaaS) but also provide a multi-tier web application/database platform on top.

400

An Internet Service Provider's (ISP) customer network is under a Distributed Denial of Service (DDoS) attack. The ISP decides to use a blackhole as a remedy. How does the ISP justify their decision?

  1. A blackhole drops packets for the affected IP address(es) and is in a separate area of the network that does not reach any other part of the network.
  2. A blackhole makes the attack less damaging to the ISP's other customers and continues to send legitimate traffic to the correct destination.
  3. A blackhole routes traffic destined to the affected IP address to a different network. Here, the ISP can analyze and identify the source of the attack, to devise rules to filter it.
  4. A blackhole is preferred, as it evaluates each packet in a multi-gigabit stream against an Access Control List (ACL) without overwhelming the processing resources.

CORRECT ANSWER

1. A blackhole drops packets for the affected IP address(es) and is in a separate area of the network that does not reach any other part of the network.


A blackhole drops packets for the affected IP address(es). A blackhole is an area of the network that cannot reach any other part of the network, which protects the unaffected portion.

A blackhole does make the attack less damaging to the ISP's other customers, but it does not deliver legitimate traffic to the correct destination: it does not inspect packets and simply discards everything destined for the affected address.

Sinkhole routing diverts traffic destined for the affected IP address to a different network, where the ISP can analyze it and identify the source of the attack in order to devise filtering rules.

A blackhole is preferred precisely because it does not evaluate each packet. An ACL does evaluate every packet, which can overwhelm the processing resources of the router during a multi-gigabit flood.

400

A security expert needs to review systems information to conclude what may have occurred during a breach. By using NetFlow data, what data does the expert review?

  1. Protocol usage and endpoint activity
  2. Traffic statistics at any layer of the OSI model
  3. Statistics about network traffic
  4. Bandwidth usage and comparative baselines.

CORRECT ANSWER

3. Statistics about network traffic


A flow collector is a means of recording metadata and statistics about network traffic rather than recording each frame. Network traffic and flow data may come from a wide variety of sources.

A SIEM collects data from sensors. The information captured from network packets can be aggregated and summarized to show overall protocol usage and endpoint activity.

sFlow, originally developed by InMon and published as an informational standard (RFC 3176), uses packet sampling to measure traffic statistics at any layer of the OSI model for a wide range of protocol types.

If one has reliable baselines for comparison, bandwidth usage can be a key indicator of suspicious behavior. Unexpected bandwidth consumption could be evidence of a data exfiltration attack.
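An added Python example (not from the original page) that runs the three views described above over constructed NetFlow-style records: protocol usage, per-endpoint activity, and bandwidth compared with a baseline to surface a possible exfiltration. The flow records and baseline figures are made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """The NetFlow v5 record fields that matter here (metadata only, no payload)."""
    src: str
    dst: str
    proto: str
    dport: int
    bytes: int
    packets: int


# Constructed flow records for the example; not a real capture.
FLOWS = [
    Flow("10.0.1.15", "93.184.216.34", "tcp", 443, 12_000, 30),
    Flow("10.0.1.15", "93.184.216.34", "tcp", 443, 9_500, 25),
    Flow("10.0.1.22", "10.0.0.5", "udp", 53, 600, 4),
    Flow("10.0.1.22", "203.0.113.9", "tcp", 22, 850_000_000, 600_000),  # 850 MB out over SSH
    Flow("10.0.1.40", "10.0.0.5", "udp", 53, 450, 3),
]

# Constructed per-host daily egress baseline (bytes) taken from earlier, known-good days.
BASELINE_BYTES = {"10.0.1.15": 40_000, "10.0.1.22": 50_000, "10.0.1.40": 20_000}


def protocol_usage(flows):
    """Bytes per transport protocol: the 'overall protocol usage' view a SIEM summarises."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.proto] += f.bytes
    return dict(totals)


def endpoint_activity(flows):
    """Bytes sent per source host, plus the (destination, port) pairs it talked to."""
    sent = defaultdict(int)
    peers = defaultdict(set)
    for f in flows:
        sent[f.src] += f.bytes
        peers[f.src].add((f.dst, f.dport))
    return {src: {"bytes": sent[src], "peers": sorted(peers[src])} for src in sent}


def exfiltration_suspects(flows, baseline=BASELINE_BYTES, factor=10):
    """Hosts whose egress exceeds their baseline by the given factor. Hosts with no baseline
    are reported too, since a new talker with no history is itself worth a look."""
    activity = endpoint_activity(flows)
    suspects = []
    for src, info in activity.items():
        expected = baseline.get(src)
        if expected is None or info["bytes"] > factor * expected:
            suspects.append((src, info["bytes"], expected))
    return sorted(suspects)
```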

400

Evaluate the role of a data steward within data governance and conclude which tasks the employee in this role performs.

  1. The employee ensures the processing and disclosure of Personally Identifiable Information (PII) complies within legal frameworks.
  2. The employee ensures data is labeled and identified with appropriate metadata.
  3. The employee enforces access control, encryption, and recovery measures.
  4. The employee ensures the data is protected with appropriate controls and determines who should have access.

CORRECT ANSWER

2. The employee ensures data is labeled and identified with appropriate metadata.


The data steward is primarily responsible for data quality. This involves tasks such as ensuring data is labeled and identified with appropriate metadata, and data is collected and stored in a format with values that comply with applicable laws and regulations.

A privacy officer is responsible for oversight of any Personally Identifiable Information (PII) assets managed by the company. This includes ensuring that the processing and disclosure of PII comply with legal and regulatory frameworks.

The data custodian is responsible for managing the system where data assets are stored. This includes responsibility for enforcing access control, encryption, and recovery measures.

The data owner is a senior role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of the information asset. The owner is responsible for labeling the asset and ensuring it is protected with appropriate controls.

500

Analyze the following statements and select the statement which correctly explains the difference between cross-site scripting (XSS) and cross-site request forgery (XSRF).

  1. XSRF spoofs a specific request against the web application, while XSS is a means of running any arbitrary code.
  2. XSS is not an attack vector, but the means by which an attacker can perform XSRF, the attack vector.
  3. XSRF requires a user to click an embedded malicious link, whereas the attacker embeds an XSS attack in the document object module (DOM) script.
  4. XSRF is a server-side exploit, while XSS is a client-side exploit.

CORRECT ANSWER

1. XSRF spoofs a specific request against the web application, while XSS is a means of running any arbitrary code.


A client-side or cross-site request forgery (CSRF or XSRF) exploits applications that rely on a session cookie alone to authenticate requests: the browser attaches that cookie to any request sent to the target site, regardless of which page originated it. XSS exploits the browser's trust in a site by inserting a malicious script that appears to be part of the trusted site; because the script runs within that site's origin, it can also be used to mount an XSRF attack.

XSRF passes an HTTP request to the victim’s browser that spoofs a target site action, such as changing a password. The attacker can disguise and accomplish this request without the victim necessarily having to click a link.

XSRF is a client-side exploit. An XSS attack may be reflected (nonpersistent) or stored (persistent) and may target back-end systems (server-side) or client-side scripts.
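An added example, not from the original page, that models the difference in Python: a cookie-only password-change handler that a forged cross-site POST succeeds against, the same handler hardened with a synchronizer token that the forged request fails, and an XSS-driven request that defeats the token because it runs inside the trusted origin. Requests are plain dictionaries and the session store is in memory; both are stand-ins for a real web framework.

```python
import hmac
import secrets

# In-memory session store standing in for the application's session backend.
SESSIONS = {}


def login(username):
    """Create a session and a per-session CSRF token; only the session id goes in the cookie."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32), "password": "old"}
    return sid


def render_change_password_form(sid):
    """The trusted origin embeds the token in its page; an attacker's site cannot read it."""
    return {"hidden_csrf": SESSIONS[sid]["csrf"]}


def change_password_vulnerable(request):
    """Authenticates on the cookie alone, so any POST carrying the cookie is accepted."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return 401
    sess["password"] = request["form"]["new_password"]
    return 200


def change_password_hardened(request):
    """Synchronizer token: the request must also carry the token only the real page knows."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return 401
    token = request["form"].get("csrf", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403
    sess["password"] = request["form"]["new_password"]
    return 200


def forged_request(victim_sid):
    """What an auto-submitting form on attacker.example produces: the browser attaches the
    victim's cookie, but the attacker never sees the token (same-origin policy)."""
    return {"cookies": {"sid": victim_sid}, "form": {"new_password": "pwned"}}


def legitimate_request(sid, new_password):
    form = render_change_password_form(sid)
    return {"cookies": {"sid": sid},
            "form": {"new_password": new_password, "csrf": form["hidden_csrf"]}}


def xss_driven_request(victim_sid):
    """A script injected via XSS runs inside the trusted origin, so it can fetch the form,
    read the token and submit a valid request: XSS defeats the token and performs XSRF."""
    return legitimate_request(victim_sid, "pwned-via-xss")
```

Production defences layer the token with SameSite cookie attributes and Origin/Referer checks; and since XSS bypasses all of them, the XSS itself must be fixed with output encoding and a Content Security Policy.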

500

A company is working to restore operations after a blizzard stopped all operations. Evaluate the order of restoration and determine the correct order of restoring devices from first to last.

  1. Routers, firewalls, Domain Name System (DNS), client workstations
  2. Domain Name System (DNS), routers, firewalls, client workstations
  3. Firewalls, routers, Domain Name System (DNS), client workstations
  4. Routers, client workstations, firewalls, Domain Name System (DNS)

CORRECT ANSWER

1. Routers, firewalls, Domain Name System (DNS), client workstations


The order of restoration states that switch infrastructure, then routing appliances, followed by firewalls, and then Domain Name System (DNS) should be enabled in that order. The final step is to enable client workstations and devices.

The DNS should not be enabled prior to routers and firewalls. Both routers and firewalls are needed prior to DNS being operable.

Routers should be restored prior to firewalls. Routers should be restored immediately following switch infrastructure as firewalls are not needed until routers are online.

Client workstations should be restored last as firewalls and DNS must be restored prior to bringing the client workstations back online.

500

Given knowledge of secure firmware implementation, select the statement that describes the difference between secure boot and measured boot.

  1. Secure boot requires a unified extensible firmware interface (UEFI) and trusted platform module (TPM), but measured boot requires only a unified extensible firmware interface (UEFI).
  2. Secure boot provisions certificates for trusted operating systems (OSes) and blocks unauthorized OSes. Measured boot stores and compares hashes of critical boot files to detect the presence of unauthorized processes.
  3. Secure boot is the process of sending a signed boot log or report to a remote server, while measured boot provisions certificates for trusted operating systems (OSes) and blocks unauthorized OSes.
  4. Secure boot requires a unified extensible firmware interface (UEFI) but does not require a trusted platform module (TPM). Measured boot is the mechanism by which a system sends signed boot log or report to a remote server.

CORRECT ANSWER

2. Secure boot provisions certificates for trusted operating systems (OSes) and blocks unauthorized OSes. Measured boot stores and compares hashes of critical boot files to detect the presence of unauthorized processes.


Secure boot is about provisioning certificates for trusted operating systems and blocking unauthorized OSes. Measured boot stores and compares hashes of critical boot files to detect unauthorized processes.

Secure boot requires UEFI but does not require a TPM. A trusted or measured boot process uses platform configuration registers (PCRs) in the TPM at each stage in the boot process to check whether hashes of key system state data have changed.

Attestation is the process of sending a signed boot log or report to a remote server.

Secure boot prevents the use of a boot loader or kernel that has been changed by malware (or an OS installed without authorization).
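An added Python simulation, not code from the original page or from any TPM stack, of the measured boot side of the distinction: each boot stage's hash is folded into a PCR with the TPM extend operation, the event log is replayed by a verifier, and a modified or reordered component is detected. The boot components are constructed byte strings; a real TPM would also sign the PCR values for attestation, which is not modelled here.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 bank


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || digest). One-way and order-dependent, so a value
    can only be reached by presenting the same measurements in the same sequence."""
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(components):
    """Each boot stage hashes the next component, extends the PCR and appends to the event log."""
    pcr = bytes(PCR_SIZE)  # PCRs reset to zero at power-on
    log = []
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log


def replay_log(log):
    """A verifier recomputes the PCR from the event log; an edited log no longer reproduces
    the PCR value the TPM reports."""
    pcr = bytes(PCR_SIZE)
    for _, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


# Constructed boot chain; real measurements cover firmware, bootloader, kernel and config images.
GOLDEN_CHAIN = [
    ("firmware", b"uefi-fw-1.0"),
    ("bootloader", b"shim+grub-2.06"),
    ("kernel", b"vmlinuz-6.1"),
]
GOLDEN_PCR, GOLDEN_LOG = measure_boot(GOLDEN_CHAIN)


def attest(components, golden=GOLDEN_PCR):
    """Compare the measured PCR to the known-good value and report which stage first diverged."""
    pcr, log = measure_boot(components)
    if pcr == golden:
        return True, None
    for (name, digest_hex), (_, golden_hex) in zip(log, GOLDEN_LOG):
        if digest_hex != golden_hex:
            return False, name
    return False, "chain length"
```

The measured values mean nothing on their own; what makes them evidence is the TPM quote, a signature over the selected PCRs by a key that never leaves the TPM, together with the verifier's replay of the log against it.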

500

An engineer needs to review systems metadata to conclude what may have occurred during a breach. The first step the engineer takes in the investigation is to review MTA information in an Internet header. Which data type does the engineer review?

  1. Web
  2. Email
  3. File
  4. Cell

CORRECT ANSWER

2. Email


An email's Internet header contains address information for the recipient and sender, plus a Received line added by each of the servers, or Message Transfer Agents (MTAs), that handled the message between them. Read from the bottom up, these lines reconstruct the path the message took.

When a client requests a resource from a web server, the server returns the resource plus HTTP headers that set or describe its properties, such as content type, caching directives, and server software.

File metadata is stored as attributes. The file system tracks when a user creates, accesses, and modifies a file. The user might assign a file with a security attribute, such as marking it as read-only or as a hidden or system file.

Mobile phone metadata comprises call detail records (CDRs) of incoming, outgoing, and attempted calls, along with other data such as the timestamps of SMS text messages.
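An added example, not from the original page, that parses the MTA Received lines of a constructed phishing email (documentation addresses only) into the path the message took, in chronological order, and flags a From: address claiming the organization's domain that did not originate at its own MX.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed message for the example (RFC 5737 addresses, .example domains); not a real capture.
RAW_MESSAGE = """\
Received: from mx-in.example.org (mx-in.example.org [198.51.100.7])
    by mail.corp.example (Postfix) with ESMTPS id 4F2A1 for <victim@corp.example>;
    Mon, 3 Apr 2023 09:14:52 +0000
Received: from relay.hosting.example (relay.hosting.example [203.0.113.44])
    by mx-in.example.org with ESMTP; Mon, 3 Apr 2023 09:14:50 +0000
Received: from [192.0.2.66] (unknown [192.0.2.66])
    by relay.hosting.example with ESMTPA; Mon, 3 Apr 2023 09:14:41 +0000
From: "IT Helpdesk" <helpdesk@corp.example>
To: victim@corp.example
Subject: Password reset required
Message-ID: <abc123@relay.hosting.example>

Click the link to reset your password.
"""

HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw):
    """Each MTA prepends its own Received line, so reading them bottom-up gives the path
    in chronological order: origin first, our own MX last."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # undo header folding
        m = HOP_RE.search(flat)
        if not m:
            continue
        ip = IP_RE.search(m.group(2)) or IP_RE.search(m.group(1))
        hops.append({
            "from": m.group(1),
            "from_ip": ip.group(1) if ip else None,
            "by": m.group(3),
            "time": parsedate_to_datetime(flat.rsplit(";", 1)[-1].strip()),
        })
    return list(reversed(hops))


def transit_seconds(hops):
    """Origin timestamp to final delivery; large gaps or negative values point at forged lines."""
    return int((hops[-1]["time"] - hops[0]["time"]).total_seconds())


def anomalies(raw, trusted_mx="mail.corp.example"):
    """Only the Received line written by our own MX is trustworthy; earlier lines were written
    by systems we do not control. Flag a From: claiming our domain that did not start here."""
    msg = message_from_string(raw)
    hops = parse_received(raw)
    findings = []
    sender_domain = parseaddr(msg["From"])[1].split("@")[-1].lower()
    claims_our_domain = trusted_mx == sender_domain or trusted_mx.endswith("." + sender_domain)
    if claims_our_domain and hops[0]["by"] != trusted_mx:
        findings.append(f"From claims {sender_domain} but first hop was via {hops[0]['by']}")
    for earlier, later in zip(hops, hops[1:]):
        if later["time"] < earlier["time"]:
            findings.append(f"clock went backwards between {earlier['by']} and {later['by']}")
    return findings
```

Only the topmost Received line, the one your own MX wrote, can be trusted; every earlier line was produced by systems you do not control and can be forged outright, so the origin IP is a lead to corroborate against the relay's own logs, not proof.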

500

A company performing a risk assessment calculates how much return the company has saved by implementing a security measure. Which formula will they use to calculate this metric?

  1. Asset value x EF
  2. [(ALE-ALEm)-Cost of Solution]/Cost of Solution
  3. SLE x ARO
  4. (ALE-SLE)/Cost of Solution

CORRECT ANSWER

2. [(ALE-ALEm)-Cost of Solution]/Cost of Solution 


Return on Security Investment (ROSI) calculates a new ALE, based on reduction in loss by new security controls. ROSI is: [(ALE – ALEm) – Cost of Solution] / Cost of Solution, where ALE is before controls and ALEm is after controls.

Single Loss Expectancy (SLE) is the potential loss from a single event. Multiplying the value of the asset by an Exposure Factor (EF), where EF is the percentage of an asset lost, gives the SLE.

Annualized Loss Expectancy (ALE) is the potential for loss over the course of a year. Multiplying the SLE by the Annualized Rate of Occurrence (ARO) gives the ALE.

Annualized Loss Expectancy (ALE) is a yearly figure, while Single Loss Expectancy (SLE) measures a single event.
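The formulas above carried through in Python as an added example (not from the original page) for one hypothetical control; the asset value, exposure factor, occurrence rates and cost are assumed figures chosen for illustration.

```python
def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x EF, where EF is the fraction of the asset lost in one event."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO, with ARO the expected number of occurrences per year."""
    return sle * aro


def rosi(ale_before, ale_after, cost_of_solution):
    """ROSI = [(ALE - ALEm) - cost] / cost; positive means the control saves more than it costs."""
    return ((ale_before - ale_after) - cost_of_solution) / cost_of_solution


def evaluate_control(asset_value, exposure_factor, aro_before, aro_after, cost_of_solution):
    """Carry the whole chain through for one candidate control and return each intermediate value."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale = annualized_loss_expectancy(sle, aro_before)
    ale_m = annualized_loss_expectancy(sle, aro_after)  # ALE after the control is in place
    result = rosi(ale, ale_m, cost_of_solution)
    return {"SLE": sle, "ALE": ale, "ALEm": ale_m, "ROSI": result, "worthwhile": result > 0}


if __name__ == "__main__":
    # Assumed figures: a 200,000 asset, 25% lost per incident, one incident every two years,
    # and a control costing 8,000 that cuts the rate to one incident in ten years.
    print(evaluate_control(200_000, 0.25, 0.5, 0.1, 8_000))
```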
