Chapter 1. Domain 1.0: Systems Security

Securing your resources is a challenge in any working environment. After all, resources are now commonly attacked through software, hardware, and peripherals. Domain 1 of the Security+ exam requires that you understand how to minimize system threats and thus thwart would-be attackers and that you understand the different types of potential attacks. Be sure to give yourself plenty of time to review all of these concepts. The following list identifies the key areas from Domain 1.0 (which counts as 21% of the exam) that you need to master:

Differentiate among various systems security threats.

Explain the security risks pertaining to system hardware and peripherals.

Implement OS hardening practices and procedures to achieve workstation and server security.

Carry out the appropriate procedures to establish application security.

Implement security applications.

Explain the purpose and application of virtualization technology.

Practice Questions

Objective 1.1: Differentiate among various systems security threats.

1. Which of the following is the most common result of a buffer overflow?

A. Privilege escalation

B. Disguised malicious programs

C. Code replication

D. Collection of personal data

Quick Answer: 41

Detailed Answer: 44

2. Which of the following best describes a virus?

A. An action that exceeds the storage-space allocation of an application

B. A program disguised as a useful application

C. A program designed to attach itself to other code and replicate

D. Software that communicates information from a user’s system without notifying the user

Quick Answer: 41

Detailed Answer: 44

3. Which of the following best describes a Trojan?

A. It infects other systems only after a user executes the application that it is buried in.

B. It sends messages to a computer with an IP address indicating that the message is coming from a trusted host.

C. It collects personal information, or changes your computer configuration without appropriately obtaining prior consent.

D. It is self-replicating and therefore needs no user intervention.

Quick Answer: 41

Detailed Answer: 44

4. Which of the following best describes a rootkit?

A. Software used for the collection of personal data

B. Software hidden on a computer for the purpose of compromising the system

C. Software that provides the originator with the venue to propagate

D. Software that reports data such as surfing habits and sites visited

Quick Answer: 41

Detailed Answer: 44

5. Which of the following is considered a worm?

A. Melissa

B. Acid Rain

C. Code Red

D. Mocmex

Quick Answer: 41

Detailed Answer: 45

6. A disgruntled employee creates a utility for purging old emails from the server. Inside the utility is code that will erase the server’s hard drive contents on January 1, 2010. This is an example of which of the following attacks?

A. Virus

B. Logic bomb

C. Spoofing

D. Trojan horse

Quick Answer: 41

Detailed Answer: 45

7. Which of the following best describes spyware?

A. Software used for the collection of personal data

B. Software hidden on a computer for the purpose of compromising the system

C. Software that provides the originator with the venue to propagate

D. Software that reports data such as surfing habits and sites visited

Quick Answer: 41

Detailed Answer: 45

8. Which of the following is the best reason not to request to be removed from a mailing list in a reply to an unsolicited email?

A. It allows the sender to spoof your email address.

B. It is a waste of time because the sender very seldom removes you from the list.

C. It verifies that you have a legitimate, working email address.

D. It allows the sender to collect personal data.

Quick Answer: 41

Detailed Answer: 45

9. Which of the following are methods by which email spam lists are created? (Select all correct answers.)

A. Searching the Web for addresses

B. Scanning newsgroup postings

C. Stealing Internet mailing lists

D. Stealing user email address books

Quick Answer: 41

Detailed Answer: 45

10. Which of the following best describes programming errors that result in allowing someone to gain unauthorized administrative access?

A. Buffer overflow

B. Virus

C. Trojan

D. Logic bomb

Quick Answer: 41

Detailed Answer: 46

11. Which of the following best describes malware that takes advantage of a security hole, and then automatically replicates to other systems running the same software?

A. Spyware

B. Virus

C. Trojan

D. Worm

Quick Answer: 41

Detailed Answer: 46

12. Which of the following is a type of malware that is disguised as a useful application?

A. Spyware

B. Virus

C. Trojan

D. Worm

Quick Answer: 41

Detailed Answer: 46

13. Which of the following is a type of malware associated with collecting personal information without appropriately obtaining prior consent?

A. Spyware

B. Virus

C. Trojan

D. Worm

Quick Answer: 41

Detailed Answer: 46

14. Which of the following is a type of malware hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges?

A. Spyware

B. Spam

C. Adware

D. Rootkit

Quick Answer: 41

Detailed Answer: 47

15. Which of the following is a type of malware that provides the spam or virus originator with a venue to propagate?

A. Logic bomb

B. Botnet

C. Adware

D. Rootkit

Quick Answer: 41

Detailed Answer: 47

16. Which of the following is true with regard to antispyware programs?

A. They must be updated regularly.

B. They can detect rootkits.

C. They can detect botnets.

D. They do not have to be updated.

Quick Answer: 41

Detailed Answer: 47

17. Which of the following best describes the primary security issue with botnets?

A. They are malicious.

B. They can remain undetected.

C. They can execute code.

D. They are remotely controlled.

Quick Answer: 41

Detailed Answer: 47

18. Which of the following is also referred to as slag code?

A. Logic bomb

B. Botnet

C. Adware

D. Rootkit

Quick Answer: 41

Detailed Answer: 47

19. A buffer overflow can result in which of the following? (Select all correct answers.)

A. Overwriting of data or memory storage

B. A denial of service

C. Automatic code replication to other hosts

D. Execution of arbitrary code at a privileged level

Quick Answer: 41

Detailed Answer: 48

20. Which of the following are virus types? (Select all correct answers.)

A. Polymorphic

B. Polynomial

C. Stealth

D. Covert

Quick Answer: 41

Detailed Answer: 48

21. Which of the following best describes a boot sector virus?

A. Can change each time it is executed to avoid detection

B. Uses techniques to avoid detection

C. Is placed into the first sector of the hard drive

D. Infects executable program files and becomes active in memory

Quick Answer: 41

Detailed Answer: 48

22. Which of the following is another name for a botnet?

A. Privilege escalation

B. Global hook

C. Honeynet

D. Zombie army

Quick Answer: 41

Detailed Answer: 48

23. Which of the following is most like spyware?

A. Virus

B. Trojan

C. Spam

D. Worm

Quick Answer: 41

Detailed Answer: 48

24. Which of the following best describes what rootkits use for stealth activity?

A. Global hooks

B. Tracking software/adware

C. Privilege escalation

D. Social engineering

Quick Answer: 41

Detailed Answer: 48

25. Which of the following is the most effective method to avoid rootkit infection?

A. Never responding to the sender of an unsolicited email message

B. Running operating systems from an account with lesser privileges

C. Properly disabling the accounts of all terminated employees

D. Only downloading trusted applications

Quick Answer: 41

Detailed Answer: 48

26. Which of the following best describes a botnet?

A. A program designed to execute malicious actions when a certain event occurs or a period of time goes by

B. A large number of programs disguised as useful applications

C. A large number of computers that forward transmissions to other computers on the Internet

D. Exploitation in software code that takes advantage of a programming flaw

Quick Answer: 41

Detailed Answer: 48

27. Which of the following terms is most closely related to software exploitation that crashes the system and leaves it in a state where arbitrary code can be executed?

A. Logic bomb

B. Privilege escalation

C. Spam

D. Trojan

Quick Answer: 41

Detailed Answer: 49

28. Which of the following are the most effective ways to prevent an attacker from exploiting software? (Select all correct answers.)

A. Apply current patches

B. Do not allow Internet access

C. Apply current service packs

D. Monitor the Web for newly discovered vulnerabilities

Quick Answer: 41

Detailed Answer: 49

29. Which of the following viruses is a hybrid of boot and program viruses?

A. Polymorphic

B. Macro

C. Stealth

D. Multipartite

Quick Answer: 41

Detailed Answer: 49

30. Which of the following malware finds other systems running the same vulnerable software and then replicates itself without any user interaction?

A. Virus

B. Trojan

C. Worm

D. Logic bomb

Quick Answer: 41

Detailed Answer: 49

31. Which of the following is the main difference between a Trojan and a virus?

A. A Trojan requires user interaction and a virus does not.

B. A Trojan does not replicate itself and a virus does.

C. A virus does not require user interaction and a Trojan does.

D. A virus does not replicate itself and a Trojan does.

Quick Answer: 41

Detailed Answer: 49

32. Which of the following are indications that a computer may contain spyware? (Select all correct answers.)

A. The browser home page changes.

B. It takes a long time for the Windows desktop to come up.

C. Clicking a link does nothing or goes to an unexpected website.

D. The email inbox contains an unsolicited email message.

Quick Answer: 41

Detailed Answer: 49

33. Which of the following are acceptable ways of dealing with spam? (Select all correct answers.)

A. Delete the email without opening it.

B. Reply back and try to identify the spammer.

C. Turn off the preview function of your email software.

D. Immediately call the local law enforcement office.

Quick Answer: 41

Detailed Answer: 50

34. Which of the following are ways a rootkit can be installed? (Select all correct answers.)

A. By accessing documents on the local intranet.

B. Included as part of a software package.

C. Through an unpatched vulnerability.

D. The user downloads it.

Quick Answer: 41

Detailed Answer: 50

35. Which of the following is a type of malware that can use encryption to protect outbound communications and piggyback on commonly used ports to communicate without interrupting other applications that use that port?

A. Logic bomb

B. Botnet

C. Adware

D. Rootkit

Quick Answer: 41

Detailed Answer: 50

36. The system administrator abruptly leaves the organization after being passed over for a promotion. Two weeks later, employees report they cannot access files. It has been determined that at midnight the system suddenly began deleting files. Which of the following is the most likely type of malicious code that caused this event?

A. Logic bomb

B. Botnet

C. Adware

D. Rootkit

Quick Answer: 41

Detailed Answer: 50

37. Which of the following would best describe the type of malicious code that enters a system through a freeware program that the user installed?

A. Virus

B. Trojan

C. Worm

D. Logic bomb

Quick Answer: 41

Detailed Answer: 50

38. Which of the following types of virus avoids antivirus software detection by changing form each time it is executed?

A. Polymorphic

B. Macro

C. Stealth

D. Multipartite

Quick Answer: 41

Detailed Answer: 50

39. Which of the following is an automated computer program controlled by outside sources with the intention of forwarding transmissions to other computers on the Internet?

A. Logic bomb

B. Adware

C. Bot

D. Virus

Quick Answer: 41

Detailed Answer: 51

40. Which of the following are steps taken to protect a network from malicious code? (Select all correct answers.)

A. Do not use any type of removable media from another user without first scanning the disk.

B. Open all attachments sent to you by people you might know.

C. Install firewalls or intrusion-prevention systems on client machines.

D. Subscribe to security newsgroups.

Quick Answer: 41

Detailed Answer: 51

Objective 1.2: Explain the security risks pertaining to system hardware and peripherals.

1. Which of the following types of hardware vulnerability can allow local users to cause a denial of service or prevent the system from booting?

A. USB

B. BIOS

C. NAS

D. PDA

Quick Answer: 41

Detailed Answer: 51

2. Which of the following is an inherent security risk when using network attached storage?

A. It is easy to lose this type of storage device.

B. Running applications this way leaves little trace on the host system.

C. Organizations often fail to protect data on storage subsystems.

D. Antivirus software cannot be installed on large storage systems.

Quick Answer: 41

Detailed Answer: 51

3. Which of the following is the primary security concern associated with cell phones and other mobile devices?

A. This type of storage device can easily be lost or stolen.

B. Antivirus software cannot be installed on this type of storage device.

C. The data cannot be encrypted on this type of storage device.

D. It is easy to crack the password on this type of storage device.

Quick Answer: 41

Detailed Answer: 51

4. Which of the following can result in the exploitation of a BIOS vulnerability? (Select all correct answers.)

A. Hard drive failure

B. System not to boot

C. System to lock up

D. Denial of service

Quick Answer: 41

Detailed Answer: 51

5. Which of the following is the greatest security risk when allowing personal small, high-capacity, removable storage devices on the network?

A. A disgruntled employee can easily misuse data.

B. There is no way to scan the device for malware.

C. The data transferred cannot be encrypted.

D. The device can easily break off in the attached computer.

Quick Answer: 41

Detailed Answer: 52

6. Which of the following is the most appropriate method to disable unauthorized users from accessing USB storage devices?

A. Edit the Registry.

B. Fill the USB slots with glue.

C. Edit Security Accounts Manager.

D. Use Group Policy.

Quick Answer: 41

Detailed Answer: 52

7. Which of the following are ways the BIOS can be compromised? (Select all correct answers.)

A. Modifying Registry keys

B. Known vulnerabilities

C. Bypassing access control

D. The BIOS password

Quick Answer: 41

Detailed Answer: 52

8. Which of the following is an inherent security risk associated with allowing cell phones and other mobile devices on the network?

A. The data transferred cannot be encrypted.

B. The device can be synched to the user desktop.

C. The device can easily be compromised.

D. Employee productivity is greatly reduced.

Quick Answer: 41

Detailed Answer: 52

9. Which of the following is the primary method used to reduce the risks associated with allowing email access from cell phones?

A. Limiting email address access

B. Encrypting the communication

C. Not allowing attachments

D. Requiring both to be password protected

Quick Answer: 41

Detailed Answer: 52

10. Which of the following methods can be used to bypass BIOS access control? (Select all correct answers.)

A. Cracking the BIOS password

B. Deleting the contents of the MBR

C. Deleting the contents of the CMOS RAM

D. Overloading the keyboard buffer

Quick Answer: 41

Detailed Answer: 52

11. System access to the BIOS configuration utility is controlled by which of the following?

A. Hardware token

B. Lock

C. Password

D. ACL

Quick Answer: 41

Detailed Answer: 52

12. Which of the following is a correct statement regarding the BIOS passwords on a desktop and on a laptop?

A. Desktop passwords are automatically encrypted.

B. Laptop passwords are automatically encrypted.

C. Desktop passwords are usually flashed into firmware.

D. Laptop passwords are usually flashed into firmware.

Quick Answer: 41

Detailed Answer: 52

13. Which of the following may be used to bypass the password on a laptop? (Select all correct answers.)

A. Special loopback device

B. Lock pick

C. Hardware dongle

D. Removing the CMOS battery

Quick Answer: 41

Detailed Answer: 52

14. Which of the following can minimize the risks associated with BIOS vulnerabilities? (Select all correct answers.)

A. Using the same BIOS password for all machines

B. Creating a BIOS password policy

C. Changing the BIOS password frequently

D. Using an HDD password

Quick Answer: 41

Detailed Answer: 53

15. Which of the following is the main underlying concern when allowing small, high-capacity, removable storage devices on the corporate network?

A. Data encryption

B. Accessibility of multiple computers

C. Malware infection

D. Accessibility of information

Quick Answer: 41

Detailed Answer: 53

16. Which of the following best describes the probable cause when employee handheld devices send large quantities of text messages to random numbers?

A. Virus

B. Rootkit

C. Too low of a workload

D. Theft of proprietary information

Quick Answer: 41

Detailed Answer: 53

17. Which of the following should be implemented when employee handheld devices send large quantities of text messages to random numbers?

A. Increased work loads

B. Intrusion detection

C. Antivirus software

D. Data encryption

Quick Answer: 41

Detailed Answer: 53

18. Which of the following are security concerns when allowing removable hard drives such as small passport types on the network? (Select all correct answers.)

A. Malware infection

B. Data theft

C. Reduced productivity

D. Information leakage

Quick Answer: 41

Detailed Answer: 53

19. Which of the following is the best approach to prevent unauthorized use of removable storage and portable devices?

A. Placing a USB lock on ports

B. Issuing authorized devices and access

C. Prohibiting the use of media including CDs

D. Requiring device registration with the IT department

Quick Answer: 41

Detailed Answer: 53

20. Which of the following is currently the most effective method to minimize data theft if a storage device is lost?

A. Encryption

B. Password protection

C. Immediate dismissal of the employee

D. Policies dictating proper employee remediation

Quick Answer: 41

Detailed Answer: 53

21. Which of the following are essential parts of SAN or NAS security? (Select all correct answers.)

A. USB locks on ports

B. Secure passwords

C. Antivirus software

D. Data encryption

Quick Answer: 41

Detailed Answer: 54

22. Which of the following security mechanisms should be considered when dealing with large data repositories? (Select all correct answers.)

A. Key management

B. Secure logging

C. Authentication devices

D. Encryption

Quick Answer: 41

Detailed Answer: 54

23. Which of the following storage devices would require protection for data considered “at rest?”

A. USB

B. PDA

C. NAS

D. BIOS

Quick Answer: 41

Detailed Answer: 54

24. Which of the following is an inherent risk associated with BIOS passwords?

A. They can easily be guessed.

B. Manufacturer-created backdoors.

C. Too many incorrect guesses can lock it out forever.

D. Too many incorrect guesses can destroy the BIOS.

Quick Answer: 41

Detailed Answer: 54

25. Which of the following is the most likely result of the physical compromise of the BIOS?

A. A DoS attack.

B. A virus infection.

C. The MBR has been changed.

D. The system boot order has been changed.

Quick Answer: 41

Detailed Answer: 54

Objective 1.3: Implement OS hardening practices and procedures to achieve workstation and server security.

1. Which of the following are basic areas of hardening? (Select all correct answers.)

A. Operating system

B. Application

C. Internet

D. Network

Quick Answer: 42

Detailed Answer: 54

2. In which of the following hardening areas would file-level security solutions occur? (Select all correct answers.)

A. Operating system

B. Application

C. Internet

D. Network

Quick Answer: 42

Detailed Answer: 54

3. In which of the following hardening areas would disabling unnecessary protocols and services occur?

A. Operating system

B. Application

C. Internet

D. Network

Quick Answer: 42

Detailed Answer: 55

4. In which of the following hardening areas would hotfixes, patches, and service packs occur? (Select all correct answers.)

A. Operating system

B. Application

C. Internet

D. Network

Quick Answer: 42

Detailed Answer: 55

5. Which of the following is critical in hardening a network?

A. File-level security

B. Configuring log files

C. Configuring auditing

D. Mapping avenues of access

Quick Answer: 42

Detailed Answer: 55

6. Which of the following updates are very specific and targeted toward an exact problem?

A. Service pack

B. Hotfix

C. Patch

D. Maintenance release

Quick Answer: 42

Detailed Answer: 55

7. Which of the following updates is a major revision of functionality and operation?

A. Service pack

B. Hotfix

C. Patch

D. Maintenance release

Quick Answer: 42

Detailed Answer: 56

8. Which of the following updates is generally used to eliminate security vulnerabilities?

A. Service pack

B. Hotfix

C. Patch

D. Maintenance release

Quick Answer: 42

Detailed Answer: 56

9. Application hardening practices should include reviewing which of the following? (Select all correct answers.)

A. Key management

B. Default administration accounts

C. Standard passwords

D. Behavior-based profiles

Quick Answer: 42

Detailed Answer: 56

10. Which of the following best describes why regular update reviews for all deployed operating systems are imperative?

A. Default administration accounts may have been compromised.

B. Behavior-based profiles may have changed.

C. Automated attacks make use of common vulnerabilities.

D. Firmware updates may have been accidentally missed.

Quick Answer: 42

Detailed Answer: 56

11. Which of the following best describes why public key infrastructure (PKI) implementations must be properly configured and updated?

A. Behavior-based profiles may have changed.

B. To maintain key and ticket stores.

C. Automated attacks make use of common vulnerabilities.

D. To isolate access attempts.

Quick Answer: 42

Detailed Answer: 56

12. Hardening of the operating system includes which of the following? (Select all correct answers.)

A. Updating the system firmware

B. Configuring log files and auditing

C. Implementation of account lockout policies

D. Changing default account names and passwords

Quick Answer: 42

Detailed Answer: 57

13. Hardening of the network includes which of the following? (Select all correct answers.)

A. Configuring devices and firewalls

B. Configuring log files and auditing

C. Securing the file system selection

D. Updating the hardware firmware

Quick Answer: 42

Detailed Answer: 57

14. Which of the following is the primary reason public areas of the network should be included in a site survey?

A. It mitigates unsecure access to a secured network.

B. It addresses emergent hardware-related vulnerabilities.

C. It isolates access attempts within the operating system environment.

D. It allows the proper level of access control.

Quick Answer: 42

Detailed Answer: 57

15. Which of the following is the primary reason regular log review is critical for web servers?

A. To prevent SMTP relay from being used by spammers

B. To verify URL values are not exploiting unpatched buffer overruns

C. To confirm that password details are not being intercepted

D. To prevent poisoning by unauthorized zone transfers

Quick Answer: 42

Detailed Answer: 57

16. Which of the following is the primary reason hardening is necessary for email servers?

A. To prevent SMTP relay from being used by spammers

B. To verify URL values are not exploiting unpatched buffer overruns

C. To confirm that password details are not being intercepted

D. To prevent poisoning by unauthorized zone transfers

Quick Answer: 42

Detailed Answer: 57

17. NNTP servers raise many of the same security considerations and risks as which of the following server types?

A. Database

B. DNS

C. Email

D. DHCP

Quick Answer: 42

Detailed Answer: 58

18. Which of the following is the primary reason hardening is necessary for DNS servers?

A. To prevent SMTP relay from being used by spammers

B. To verify URL values are not exploiting unpatched buffer overruns

C. To confirm that password details are not being intercepted

D. To prevent poisoning from forged query results

Quick Answer: 42

Detailed Answer: 58

19. Which of the following is the primary reason regular log review is critical for FTP servers?

A. To prevent SMTP relay from being used by spammers

B. To verify URL values are not exploiting unpatched buffer overruns

C. To confirm that password details are not being intercepted

D. To prevent poisoning by unauthorized zone transfers

Quick Answer: 42

Detailed Answer: 58

20. Which of the following is the primary reason hardening is necessary for print servers?

A. To prevent SMTP relay from being used by spammers

B. To prevent exposure of access credentials to packet sniffing

C. To prevent client leases from rogue servers

D. To prevent DoS attacks by unauthorized parties

Quick Answer: 42

Detailed Answer: 58

21. DHCP servers raise many of the same security considerations and risks as which of the following server types?

A. Database

B. DNS

C. Email

D. NNTP

Quick Answer: 42

Detailed Answer: 58

22. Data repositories of any type might require specialized security considerations due to which of the following? (Select all correct answers.)

A. Access requirements

B. Bandwidth requirements

C. Processing resources requirements

D. Lease requirements

Quick Answer: 42

Detailed Answer: 59

23. Which of the following is true of network file shares?

A. Scope address pools will flood with insufficient lease duration.

B. They are not secure until default access permissions are removed.

C. If not secured, DoS attacks can prevent proper name resolution.

D. The password is always encrypted in all network file-sharing systems.

Quick Answer: 42

Detailed Answer: 59

24. Which of the following best describes why operating systems that support DHCP server authentication should be used?

A. To prevent SMTP relay from being used by spammers

B. To prevent exposure of access credentials to packet sniffing

C. To prevent client leases from rogue servers

D. To prevent DoS attacks by unauthorized parties

Quick Answer: 42

Detailed Answer: 59

25. Which of the following are appropriate methods to improve the security of data repositories? (Select all correct answers.)

A. Use of role-based access control

B. Elimination of unneeded connection libraries

C. Use of discretionary-based access control

D. Elimination of bandwidth restrictions

Quick Answer: 42

Detailed Answer: 59

26. Which of the following enables an administrator to set consistent common security standards for a certain group of computers and enforce common computer and user configurations?

A. Group Policy

B. User Manager

C. Task Manager

D. Network Monitor

Quick Answer: 42

Detailed Answer: 59

27. Which of the following best describes the default behavior of a group policy?

A. Hierarchical and proportionate

B. Hierarchical and singular

C. Inherited and singular

D. Inherited and cumulative

Quick Answer: 42

Detailed Answer: 59

28. Which of the following is the most appropriate method to apply a security update to 1000 client machines?

A. Use role-based access control

B. Use a Group Policy object

C. Use a distribution server

D. Use Resultant Set of Policy

Quick Answer: 42

Detailed Answer: 60

29. Which of the following are the most compelling reasons that configuration baselines have been established? (Select all correct answers.)

A. Industry standards

B. Organizational requests

C. Governmental mandates

D. Regulatory bodies

Quick Answer: 42

Detailed Answer: 60

30. Which of the following would an administrator apply to reflect an appropriate level of baseline security based on server role?

A. Group Policy

B. Configuration baseline

C. Security template

D. Active Directory

Quick Answer: 42

Detailed Answer: 60

Objective 1.4: Carry out the appropriate procedures to establish application security.

1. Which of the following are identified vulnerabilities of the Java language? (Select all correct answers.)

A. Buffer overflows

B. Unauthorized file upload

C. Email exposure

D. Unexpected redirection

Quick Answer: 42

Detailed Answer: 60

2. Which of the following most accurately describes how Java applets execute?

A. When the web server retrieves the directory web page

B. When the web server’s browser loads the hosting web page

C. When the client machine’s browser loads the hosting web page

D. When the operating system loads the hosting web page

Quick Answer: 42

Detailed Answer: 60

3. Which of the following best describes the reason Java applets are a security risk?

A. Java is compiled on the client browser.

B. Java is a precompiled language.

C. Java is compiled by the client operating system.

D. Java applets execute on the hosting web server.

Quick Answer: 42

Detailed Answer: 60

4. Which of the following are identified vulnerabilities of JavaScript? (Select all correct answers.)

A. Buffer overflows

B. Unauthorized file upload

C. Email exposure

D. Unexpected redirection

Quick Answer: 42

Detailed Answer: 61

5. Which of the following is the most effective method to mitigate vulnerabilities exposed by earlier forms of Java?

image A. Keeping machines up-to-date with new version releases

image B. Disabling third-party browser extensions

image C. Setting the pop-up blocker setting to high

image D. Enabling Integrated Windows Authentication

Quick Answer: 42

Detailed Answer: 61

6. ActiveX and its controls share many of the same vulnerabilities present in which of the following?

image A. Cookies

image B. JavaScript

image C. Embedded Java applets

image D. Common Gateway Interface script

Quick Answer: 42

Detailed Answer: 61

7. Which of the following is the most realistic method to mitigate having cookies expose long-term browsing habits?

image A. Disabling third-party browser extensions

image B. Regularly clearing the browser cookie cache

image C. Configuring client browsers to block all cookies

image D. Disabling automatic code execution on client browsers

Quick Answer: 42

Detailed Answer: 61

8. Which of the following is the most effective method to mitigate buffer overflows or cross-site scripting attacks?

image A. Blocking third-party cookies

image B. Accepting only numeric data input

image C. Disabling third-party browser extensions

image D. Validating data input

Quick Answer: 42

Detailed Answer: 61

9. Which of the following is most likely to use a tracking cookie?

image A. Spyware

image B. Credit Union

image C. Trojan

image D. Shopping cart

Quick Answer: 42

Detailed Answer: 61

10. Which of the following best describes what the exploitation of Simple Mail Transport Protocol (SMTP) relay agents is used for?

image A. Buffer overflow

image B. Logic bomb

image C. Spyware

image D. Spam

Quick Answer: 42

Detailed Answer: 62

11. Which of the following best describes a tracking cookie?

image A. Beneficial

image B. Permanent

image C. Temporary

image D. Valuable

Quick Answer: 42

Detailed Answer: 62

12. S-HTTP communicates over which of the following ports?

image A. 80

image B. 443

image C. 110

image D. 4445

Quick Answer: 42

Detailed Answer: 62

13. HTTPS communicates over which of the following ports?

image A. 80

image B. 443

image C. 110

image D. 4445

Quick Answer: 42

Detailed Answer: 62

14. Which of the following exploits are associated with SSL certificates? (Select all correct answers.)

image A. Ill-formatted requests

image B. Small key sizes

image C. Outdated CRLs

image D. Buffer overflows

Quick Answer: 42

Detailed Answer: 62

15. Which of the following vulnerabilities are associated with LDAP? (Select all correct answers.)

image A. Ill-formatted requests

image B. Small key sizes

image C. Outdated CRLs

image D. Buffer overflows

Quick Answer: 42

Detailed Answer: 62

16. Which of the following vulnerabilities are associated with FTP? (Select all correct answers.)

image A. Buffer overflows

image B. Anonymous file access

image C. Unencrypted authentication

image D. Improper formatted requests

Quick Answer: 42

Detailed Answer: 63

17. FTP over SSL communicates over which of the following ports?

image A. 21

image B. 80

image C. 22

image D. 81

Quick Answer: 42

Detailed Answer: 63

18. Which of the following are security concerns when allowing IM applications on the network? (Select all correct answers.)

image A. The capture of cached logs containing conversations

image B. Malware spreading through IM contacts

image C. Unauthorized data and video sharing

image D. Improper formatted requests

Quick Answer: 42

Detailed Answer: 63

19. Which of the following are exploits for CGI scripts? (Select all correct answers.)

image A. Buffer overflows.

image B. Anonymous file access.

image C. Arbitrary commands may be executed on the server.

image D. Arbitrary commands may be executed on the client.

Quick Answer: 42

Detailed Answer: 63

20. An attacker places code within a web page that redirects the client’s browser to attack yet another site when a client’s browser opens the web page. This is an example of what type of attack?

image A. Unencrypted authentication

image B. Session hijacking

image C. Buffer overflow

image D. Cross-site scripting

Quick Answer: 42

Detailed Answer: 63

21. Which of the following best describes Java or JavaScript?

image A. Java applets allow access to cache information.

image B. JavaScript can provide access to files of known name.

image C. JavaScript runs even after the applet is closed.

image D. Java applets can execute arbitrary instructions on the server.

Quick Answer: 42

Detailed Answer: 63

22. Which of the following is another name for identification of configuration details of the server that may be helpful to later identify unauthorized access attempts?

image A. Profiling

image B. Reporting

image C. Abstracting

image D. Hyperlinking

Quick Answer: 42

Detailed Answer: 64

23. Which of the following is the most likely reason it is dangerous to maintain cookie session information?

image A. It provides custom user configuration settings.

image B. It may expose sensitive information about secured sites.

image C. It allows multiple actual connections to a web server.

image D. It may allow automatic code execution on client browsers.

Quick Answer: 42

Detailed Answer: 64

24. Which of the following are browser-based vulnerabilities? (Select all correct answers.)

image A. Session hijacking

image B. SQL injection

image C. Buffer overflows

image D. Social engineering

Quick Answer: 42

Detailed Answer: 64

25. Which of the following is of most concern for a security administrator when allowing peer-to-peer networking?

image A. Buffer-overflow attacks can go unnoticed.

image B. Unauthorized file upload to network servers.

image C. Connections are negotiated directly between clients.

image D. Arbitrary commands may be executed on the server.

Quick Answer: 42

Detailed Answer: 64

Objective 1.5: Implement security applications.

1. Which of the following most accurately describes personal firewall design?

A. Closes off systems by integrity checking

B. Closes off systems by blocking port access

C. Closes off systems by blacklisting applications

D. Closes off systems by blocking BIOS access

Quick Answer: 43

Detailed Answer: 64

2. Which of the following best describes where host intrusion prevention system software resides?

A. Between the system’s Registry and OS kernel

B. At the application level

C. Between the system’s applications and OS kernel

D. At the network layer

Quick Answer: 43

Detailed Answer: 64

3. Which of the following types of detection does a host intrusion detection system use? (Select all correct answers.)

A. Anomaly detection

B. Misuse detection

C. Blacklist detection

D. Outbound detection

Quick Answer: 43

Detailed Answer: 64

4. Which of the following is the most appropriate reason for firewalls to monitor outbound connections?

A. To track the collection of personal data

B. To track users going to inappropriate sites

C. To monitor excessive user bandwidth usage

D. To catch malware that transmits information

Quick Answer: 43

Detailed Answer: 65

5. Which of the following is the most common detection method used in antivirus programs?

A. Anomaly detection

B. Misuse detection

C. Scanning

D. Filtering

Quick Answer: 43

Detailed Answer: 65

6. Which of the following is the most common main component of antispam software?

A. Anomaly detection

B. Misuse detection

C. Scanning

D. Filtering

Quick Answer: 43

Detailed Answer: 65

7. Which of the following best describes antivirus scanning technology?

A. Identifies virus code based on a unique behavior pattern

B. Identifies virus code based on a unique set of Registry keys

C. Identifies virus code based on a unique string of characters

D. Identifies virus code based on a unique set of commands

Quick Answer: 43

Detailed Answer: 65

8. Which of the following are unintended consequences of using pop-up blockers with high settings? (Select all correct answers.)

A. Applications or programs might not install.

B. Firewall applications might not work properly.

C. It verifies a legitimate working user account.

D. Information entered is deleted by reloading the page.

Quick Answer: 43

Detailed Answer: 65

9. Which of the following best describes heuristic scanning behavior?

A. Searches for operating system kernel-level changes

B. Looks for instructions not typically found in the application

C. Identifies virus code based on a unique string of characters

D. Monitors both incoming and outgoing connections

Quick Answer: 43

Detailed Answer: 65

10. Which of the following are known issues with using heuristic scanning methods? (Select all correct answers.)

A. Buffer overflow

B. Susceptible to false positives

C. Cannot identify new viruses without database update

D. Logic bomb

Quick Answer: 43

Detailed Answer: 65

11. Which of the following best describes a false positive?

A. The software classifies a nonintrusive action as a possible intrusion.

B. The software detects virus-like behavior and pops up a warning.

C. The software classifies an intrusive action as nonintrusive.

D. The software fails to detect virus-like behavior.

Quick Answer: 43

Detailed Answer: 66

12. When an organization implements a decentralized antispam software solution, which of the following will happen?

A. A central server pushes updates to the client machines.

B. The antispam vendor is responsible for the updates.

C. The department manager is responsible for updates.

D. The individual users are responsible for updates.

Quick Answer: 43

Detailed Answer: 66

13. Which of the following will result when the antispam software filter level is set to high? (Select all correct answers.)

A. Fewer false positives

B. More false positives

C. Less spam will be filtered

D. More spam will be filtered

Quick Answer: 43

Detailed Answer: 66

14. Which of the following best describes the result of adding an email address to the approved list?

A. It is considered part of the white list.

B. It is considered part of the black list.

C. It is considered part of the gray list.

D. It is considered part of the brown list.

Quick Answer: 43

Detailed Answer: 66

15. Which of the following best describes the result of adding an email address to the blocked list?

A. It is considered part of the white list.

B. It is considered part of the black list.

C. It is considered part of the gray list.

D. It is considered part of the brown list.

Quick Answer: 43

Detailed Answer: 66

16. Which of the following are characteristics of pop-ups? (Select all correct answers.)

A. Some are helpful.

B. Most are integrated in toolbars.

C. Many are an annoyance.

D. Some are malicious.

Quick Answer: 43

Detailed Answer: 66

17. Which of the following is true about pop-up blockers? (Select all correct answers.)

A. Most block only JavaScript.

B. Many are integrated into toolbars.

C. Flash can bypass a pop-up blocker.

D. The user cannot adjust the settings.

Quick Answer: 43

Detailed Answer: 66

18. Which of the following pop-up blocker settings will block most automatic pop-ups but still allow functionality?

A. Low

B. Medium

C. High

D. Custom

Quick Answer: 43

Detailed Answer: 67

19. Which of the following best describes a pop-under ad?

A. Pop-up used to install software

B. Pop-up used to fill in forms

C. Unseen until the current window is closed

D. Floating pop-up in a web page

Quick Answer: 43

Detailed Answer: 67

20. Which of the following best describes a hover ad?

A. Pop-up used to install software

B. Pop-up used to fill in forms

C. Unseen until the current window is closed

D. Floating pop-up in a web page

Quick Answer: 43

Detailed Answer: 67

21. Which of the following is the most likely reason that certain messages continue to pass through the spam filter even though the filter settings match the organizational specifications?

A. The software is inferior and should be returned.

B. The software settings need to be adjusted.

C. The software can’t assign meaning to words.

D. The software needs to be retrained.

Quick Answer: 43

Detailed Answer: 67

22. Which of the following is a part of heuristic antispam filtering?

A. A predefined rule set

B. A predefined character set

C. A predefined set of commands

D. A predefined set of Registry keys

Quick Answer: 43

Detailed Answer: 67

23. Which of the following best describes the term for a unique string of characters used in antivirus software?

A. Heuristic

B. Signature

C. Misnomer

D. Anomaly

Quick Answer: 43

Detailed Answer: 67

24. Which of the following best describes the characteristics of host-based IDSs? (Select all correct answers.)

A. Good at detecting unauthorized user activity

B. Good at detecting unauthorized file modifications

C. Good at detecting denial of service attacks

D. Good at detecting unauthorized user access

Quick Answer: 43

Detailed Answer: 67

25. Which of the following is the main purpose of a host-based IDS?

A. Prevent attacks in real time

B. Locate packets not allowed on the network

C. Proactively protect machines against attacks

D. Analyze data that originates on the local machine

Quick Answer: 43

Detailed Answer: 68

Objective 1.6: Explain the purpose and application of virtualization technology.

1. Which of the following is an inherent security risk in using virtual machines?

A. The BIOS can easily be compromised.

B. The boot order can be easily changed.

C. Security measures are nonexistent.

D. The entire machine can be compromised.

Quick Answer: 43

Detailed Answer: 68

2. Which of the following would be the most effective method to protect a virtual environment hosting medical data?

A. Using segmented physical hardware for the virtual servers

B. Using shared physical hardware with virtual machines for testing

C. Using segmented physical hardware for each virtual server

D. Using shared physical hardware with virtual machines for web applications

Quick Answer: 43

Detailed Answer: 68

3. Which of the following are appropriate reasons to use virtualized environments? (Select all correct answers.)

A. Reduces threat risk

B. Allows isolation of applications

C. Reduces equipment costs

D. Allows environments on USB devices

Quick Answer: 43

Detailed Answer: 68

4. Which of the following controls how access to a computer’s processors and memory is shared in a virtual environment?

A. BIOS

B. Hypervisor

C. Operating system

D. Virtual machine applications

Quick Answer: 43

Detailed Answer: 68

5. In which of the following ways would a forensic analyst most likely use a virtual environment? (Select all correct answers.)

A. To view the environment the same way the criminal did

B. To load multiple cases at once

C. To image hard drives and removable media

D. To examine environments that may contain malware

Quick Answer: 43

Detailed Answer: 68

6. Which of the following is true in regard to a compromised virtual machine environment?

A. It is contained in its own environment.

B. It can provide access to the network.

C. Any threat can easily be addressed by deletion.

D. It can be replaced by a backup copy immediately.

Quick Answer: 43

Detailed Answer: 68

7. Which of the following is true about virtual machine environments? (Select all correct answers.)

A. They are susceptible to the same issues as a host operating system.

B. They do not need antivirus or malware protection.

C. They need to be patched just like host environments.

D. They are contained environments that do not need patching.

Quick Answer: 43

Detailed Answer: 69

8. In which of the following areas should the vulnerabilities of existing virtual environments be addressed?

A. Change management policy

B. Business continuity plan

C. Organizational security policy

D. Disaster recovery plan

Quick Answer: 43

Detailed Answer: 69

9. Which of the following are areas where virtual environments can be used to improve security? (Select all correct answers.)

A. Scanning for malicious software

B. Reducing internal data aggregation

C. Allowing unstable applications to be isolated

D. Providing better disaster recovery solutions

Quick Answer: 43

Detailed Answer: 69

10. Which of the following is the most effective method to reduce server power consumption?

A. Replacing older servers with newer low wattage servers

B. Combining all physical hardware into one virtualized server

C. Using segmented physical hardware for like-kind servers

D. Using shared physical hardware for all virtual servers

Quick Answer: 43

Detailed Answer: 69

11. On which of the following types of technology can virtual environments be run? (Select all correct answers.)

A. Servers

B. Desktops

C. USB drives

D. Routers

Quick Answer: 43

Detailed Answer: 69

12. Which of the following best describes a hypervisor?

A. Acts as an intermediary between the kernel and the OS

B. Provides multiple hardware systems to run one OS

C. Acts as an intermediary between the kernel and the hardware

D. Provides more than one operating system to run on a computer

Quick Answer: 43

Detailed Answer: 69

13. Which of the following best describes a Type 1 hypervisor?

A. Runs directly on the hardware platform

B. Runs at the second level above the hardware

C. Runs within an operating system environment

D. Runs at the third level above the hardware

Quick Answer: 43

Detailed Answer: 70

14. Which of the following best describes a Type 2 hypervisor?

A. Runs directly on the hardware platform

B. Runs at the second level above the hardware

C. Runs within an operating system environment

D. Runs at the third level above the hardware

Quick Answer: 43

Detailed Answer: 70

15. Security concerns of virtual environments begin with which of the following?

A. The underlying hardware

B. The guest operating system

C. The host operating system

D. The virtual machine files

Quick Answer: 43

Detailed Answer: 70

16. Which of the following is an unintended security risk in using virtual machines?

A. The BIOS can easily be compromised.

B. Disaster recovery becomes more complex.

C. Most virtual machines run with high privileges.

D. Technology is advancing faster than security.

Quick Answer: 43

Detailed Answer: 70

17. Which of the following is the most effective method to secure a virtualized environment?

A. Using encryption for all communication

B. Locking down the host machine as tightly as possible

C. Hosting as many virtual machines per server as possible

D. Segmenting by the sensitivity of the contained information

Quick Answer: 43

Detailed Answer: 70

18. Which of the following are areas that need special consideration when used in a virtualized environment? (Select all correct answers.)

A. Web servers in a virtualized demilitarized zone

B. Secure storage on virtualized SAN technologies

C. Financial applications on virtualized shared hosting

D. Multiple virtualized email applications on the same server

Quick Answer: 43

Detailed Answer: 71

19. Preconfigured virtual appliances are available for which of the following? (Select all correct answers.)

A. Output devices

B. Operating systems

C. Networking components

D. Applications

Quick Answer: 43

Detailed Answer: 71

20. When using a Type 2 hypervisor, the guest operating system runs where?

A. Directly on the hardware platform

B. At the second level above the hardware

C. Within an operating system environment

D. At the third level above the hardware

Quick Answer: 43

Detailed Answer: 71

Quick-Check Answer Key

Objective 1.1: Differentiate among various systems security threats.

1. A

2. C

3. A

4. B

5. C

6. B

7. A

8. C

9. A, B, C

10. A

11. D

12. C

13. A

14. D

15. B

16. A

17. B

18. A

19. A, B, D

20. A, C

21. C

22. D

23. B

24. A

25. B

26. C

27. B

28. A, C, D

29. D

30. C

31. B

32. A, B, C

33. A, C

34. B, C, D

35. D

36. A

37. B

38. A

39. C

40. A, C, D

Objective 1.2: Explain the security risks pertaining to system hardware and peripherals.

1. B

2. C

3. A

4. B, D

5. A

6. D

7. B, C, D

8. B

9. B

10. A, C, D

11. C

12. D

13. A, C

14. B, C

15. D

16. A

17. C

18. A, B, D

19. B

20. A

21. C, D

22. A, B, C, D

23. C

24. B

25. D

Objective 1.3: Implement OS hardening practices and procedures to achieve workstation and server security.

1. A, B, C

2. A, B

3. D

4. A, B

5. D

6. B

7. A

8. C

9. B, C

10. C

11. B

12. B, C, D

13. A, B, D

14. A

15. B

16. A

17. C

18. D

19. C

20. D

21. B

22. A, B, C

23. B

24. C

25. A, B

26. A

27. D

28. B

29. A, C, D

30. C

Objective 1.4: Carry out the appropriate procedures to establish application security.

1. A, D

2. C

3. B

4. B, C

5. A

6. C

7. B

8. D

9. A

10. D

11. B

12. A

13. B

14. B, C

15. A, D

16. B, C

17. A

18. A, B, C

19. A, C

20. D

21. B

22. A

23. B

24. A, C

25. C

Objective 1.5: Implement security applications.

1. B

2. C

3. A,

4. D

5. C

6. D

7. C

8. A, D

9. B

10. B, C

11. A

12. D

13. B, D

14. A

15. B

16. A, C, D

17. A, B, C

18. B

19. C

20. D

21. C

22. A

23. B

24. A, B

25. D

Objective 1.6: Explain the purpose and application of virtualization technology.

1. D

2. A

3. B, C

4. B

5. B, D

6. B

7. A, C

8. C

9. C, D

10. C

11. A, B, C, D

12. D

13. A

14. C

15. B

16. C

17. D

18. B, C

19. B, C, D

20. D

Answers and Explanations

Objective 1.1: Differentiate among various systems security threats.

1. Answer: A. Perhaps the most popular method of privilege escalation is a buffer overflow attack. Buffer overflows cause disruption of service and lost data. This condition occurs when the data presented to an application or service exceeds the storage-space allocation that has been reserved in memory for that application or service. Answer B is incorrect because programs disguised as useful applications are Trojans. Trojans do not replicate themselves like viruses, but they can be just as destructive. Code is hidden inside the application that can attack your system directly or allow the system to be compromised by the code’s originator. The Trojan is typically hidden, so its ability to spread depends on the popularity of the software (such as a game) and a user’s willingness to download and install the software. Answer C is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer D is incorrect because spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user.

2. Answer: C. A program or piece of code that runs on your computer without your knowledge is a virus. It is designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer A is incorrect. Buffer overflows cause disruption of service and lost data. This condition occurs when the data presented to an application or service exceeds the storage-space allocation that has been reserved in memory for that application or service. Answer B is incorrect because programs disguised as useful applications are Trojans. Trojans do not replicate themselves like viruses, but they can be just as destructive. Code is hidden inside the application that can attack your system directly or allow the system to be compromised by the code’s originator. The Trojan is typically hidden, so its ability to spread depends on the popularity of the software and a user’s willingness to download and install the software. Answer D is incorrect because spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user.

3. Answer: D. A Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed. Answer A is incorrect because it describes a worm. Worms are similar in function and behavior to a virus with the exception that worms are self-replicating. Answer B is incorrect because it describes IP spoofing. Answer C is incorrect because it describes spyware.

4. Answer: B. A rootkit is a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges such as administrative rights. Answer A is incorrect because spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user. Answer C is incorrect. A bot provides a spam or virus originator with the venue to propagate. Many computers compromised in this way are unprotected home computers (although recently it has become known that many computers in the corporate world are bots, too). A botnet is a large number of computers that forward transmissions to other computers on the Internet. You may also hear a botnet referred to as a zombie army. Answer D is incorrect. Adware is a form of advertising that installs additional tracking software on your system that keeps in contact with the company through your Internet connection. It reports data to the company, such as your surfing habits and which sites you have visited.

5. Answer: C. Code Red is an exploit used to spread a worm. This threat affects only web servers running Microsoft Windows 2000. Answers A, B, and D are incorrect; Melissa, Acid Rain, and Mocmex are not worms. Melissa is a virus. Acid Rain and Mocmex are Trojans.

6. Answer: B. A logic bomb is a virus or Trojan horse that is built to go off when a certain event occurs or a period of time goes by. Answers A and D are incorrect because a specified time element is involved. Answer C is incorrect because spoofing involves modifying the source address of traffic or the source of information.

7. Answer: A. Spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user. Answer B is incorrect because a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges such as administrative rights is a rootkit. Answer C is incorrect because a large number of computers that forward transmissions to other computers on the Internet, allowing the originator a venue to propagate, is a botnet. Answer D is incorrect because a form of advertising that installs additional tracking software on your system that keeps in contact with the company through your Internet connection is adware. It reports data to the company, such as your surfing habits and which sites you have visited.

8. Answer: C. Requesting to be removed from junk email lists often results in more spam because it verifies that you have a legitimate, working email address. Therefore answers A, B, and D are incorrect.

9. Answer: A, B, C. Email spam lists are often created by scanning newsgroup postings, stealing Internet mailing lists, or searching the Web for addresses. Spammers use automated tools to subscribe to as many mailing lists as possible. From those lists, they capture addresses or use the mailing list as a direct target for their attacks. Answer D is incorrect because email spam lists are not created in this manner.

10. Answer: A. Perhaps the most popular method of privilege escalation is a buffer overflow attack. Buffer overflows cause disruption of service and lost data. This condition occurs when the data presented to an application or service exceeds the storage-space allocation that has been reserved in memory for that application or service. Answer B is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer C is incorrect. A Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed. Answer D is incorrect. A logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by.

11. Answer: D. Worms are similar in function and behavior to a virus with the exception that worms are self-replicating. A worm is built to take advantage of a security hole in an existing application or operating system and then find other systems running the same software and automatically replicate itself to the new host. Answer A is incorrect. Spyware is associated with behaviors such as collecting personal information or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user. Answer B is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer C is incorrect. A Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed.

12. Answer: C. A Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed. Answer A is incorrect. Spyware is associated with behaviors such as collecting personal information or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user. Answer B is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer D is incorrect. Worms are similar in function and behavior to a virus with the exception that worms are self-replicating. A worm is built to take advantage of a security hole in an existing application or operating system and then find other systems running the same software and automatically replicate itself to the new host.

13. Answer: A. Spyware is associated with behaviors such as collecting personal information or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user. Answer B is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer C is incorrect. A Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed. Answer D is incorrect. Worms are similar in function and behavior to a virus with the exception that worms are self-replicating. A worm is built to take advantage of a security hole in an existing application or operating system and then find other systems running the same software and automatically replicate itself to the new host.

14. Answer: D. A rootkit is a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges such as administrative rights. Answer A is incorrect. Spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user. Answer B is incorrect. Spam is a term that refers to the sending of unsolicited commercial email. Email spam targets individual users with direct mail messages. Answer C is incorrect because adware is a form of advertising that installs additional tracking software on your system that keeps in contact with the company through your Internet connection.

15. Answer: B. A botnet is a large number of computers that forward transmissions to other computers on the Internet. You may also hear a botnet referred to as a zombie army. Answer A is incorrect. A logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by. Answer C is incorrect. Adware is a form of advertising that installs additional tracking software on your system that keeps in contact with the company through your Internet connection. It reports data to the company, such as your surfing habits and which sites you have visited. Answer D is incorrect. A rootkit is a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges such as administrative rights.

16. Answer: A. Many spyware-eliminator programs are available. These programs scan your machine, similarly to how antivirus software scans for viruses; and just as with antivirus software, you should keep spyware-eliminator programs updated and regularly run scans. Therefore, answer D is incorrect. Answers B and C are incorrect because antispyware programs cannot detect rootkits or botnets.

17. Answer: B. The main issue with botnets is that they are securely hidden. This allows the botnet masters to perform tasks, gather information, and commit crimes while remaining undetected. Answers A, C, and D are concerns, but the main security concern is that botnets can remain undetected.

18. Answer: A. A logic bomb is also referred to as slag code. It is malicious in intent and usually planted by a disgruntled employee. Answer B is incorrect. A botnet is a large number of computers that forward transmissions to other computers on the Internet. You may also hear a botnet referred to as a zombie army. Answer C is incorrect. Adware is a form of advertising that installs additional tracking software on your system that keeps in contact with the company through your Internet connection. It reports data to the company, such as your surfing habits and which sites you have visited. Answer D is incorrect. A rootkit is a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges such as administrative rights.

19. Answer: A, B, D. A buffer overflow can result in the overwriting of data or memory storage, a denial of service due to overloading the input buffer’s ability to cope with the additional data, or the originator can execute arbitrary code, often at a privileged level. Answer C is incorrect because a buffer overflow is targeted toward an individual machine.

20. Answer: A, C. There are several types of viruses, including boot sector, polymorphic, macro, program, stealth, and multipartite. Answers B and D are incorrect because they do not describe types of viruses.

21. Answer: C. A boot sector virus is placed into the first sector of the hard drive so that when the computer boots, the virus loads into memory. Answer A is incorrect because it describes a polymorphic virus. Answer B is incorrect because it describes a stealth virus. Answer D is incorrect because it describes a program virus.

22. Answer: D. A botnet is a large number of computers that forward transmissions to other computers on the Internet. You may also hear a botnet referred to as a zombie army. Answer A is incorrect because a popular method of privilege escalation is a buffer-overflow attack. Answer B is incorrect because most rootkits use global hooks for stealth activity. Answer C is incorrect because a honeynet is used for monitoring large networks.

23. Answer: B. A Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed. Answer A is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer C is incorrect because spam is a term that refers to the sending of unsolicited commercial email. Email spam targets individual users with direct mail messages. Answer D is incorrect. Worms are similar in function and behavior to a virus with the exception that worms are self-replicating. A worm is built to take advantage of a security hole in an existing application or operating system and then find other systems running the same software and automatically replicate itself to the new host.

24. Answer: A. Most rootkits use global hooks for stealth activity. So, if you use security tools that can prevent programs from installing global hooks and stop process injection, you can prevent rootkit functioning. Answer B is incorrect because adware uses tracking software. Answer C is incorrect because privilege escalation is associated with buffer overflows. Answer D is incorrect because social engineering is taking advantage of human nature.

25. Answer: B. Rootkit functionality requires full administrator rights. Therefore, you can avoid rootkit infection by running Windows from an account with lesser privileges. Answer A is incorrect; it describes an effective way to deal with spam. Answer C is incorrect; it describes an effective way to deal with user account exploitation. Answer D is incorrect because it describes an effective way to deal with spyware.

26. Answer: C. A botnet is a large number of computers that forward transmissions to other computers on the Internet. You may also hear a botnet referred to as a zombie army. Answer A is incorrect because it describes a logic bomb. Answer B is incorrect because it describes Trojans. Answer D is incorrect because it describes a buffer overflow.

27. Answer: B. Privilege escalation takes advantage of a program’s flawed code, which then crashes the system and leaves it in a state where arbitrary code can be executed or an intruder can function as an administrator. Answer A is incorrect because a logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by. Answer C is incorrect; spam is a term that refers to the sending of unsolicited commercial email. Email spam targets individual users with direct mail messages. Answer D is incorrect because Trojans are programs disguised as useful applications.

28. Answer: A, C, D. Currently, the most effective way to prevent an attacker from exploiting software is to keep the manufacturer’s latest patches and service packs applied and to monitor the Web for newly discovered vulnerabilities. Answer B is incorrect because it is not feasible to disconnect the network from the Internet.

29. Answer: D. A multipartite virus is a hybrid of boot and program viruses. It first attacks a boot sector and then attacks system files or vice versa. Answer A is incorrect because a polymorphic virus can change each time it is executed. It was developed to avoid detection by antivirus software. Answer B is incorrect because a macro virus is inserted into a Microsoft Office document and emailed to unsuspecting users. Answer C is incorrect because a stealth virus uses techniques to avoid detection, such as temporarily removing itself from an infected file or masking a file’s size.

30. Answer: C. Worms are similar in function and behavior to a virus with the exception that worms are self-replicating. A worm is built to take advantage of a security hole in an existing application or operating system and then find other systems running the same software and automatically replicate itself to the new host. Answer A is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer B is incorrect because a Trojan appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed. Answer D is incorrect because a logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by.

31. Answer: B. Trojans are programs disguised as useful applications. Trojans do not replicate themselves like viruses, but they can be just as destructive. Code hidden inside the application can attack your system directly or allow the system to be compromised by the code’s originator. The Trojan is typically hidden, so its ability to spread depends on the popularity of the software and a user’s willingness to download and install the software. Answer A is incorrect because Trojans can perform actions without the user’s knowledge or consent, such as collecting and sending data or causing the computer to malfunction. Answers C and D are incorrect; a virus is a program or piece of code that runs on your computer without your knowledge. It is designed to attach itself to other code and replicate.

32. Answer: A, B, C. Indications that a computer may contain spyware include: the system is slow (especially when browsing the Internet), it takes a long time for the Windows desktop to come up, clicking a link does nothing or goes to an unexpected website, the browser home page changes (and you might not be able to reset it), and web pages are automatically added to your favorites list. Answer D is incorrect because it describes spam.

33. Answer: A, C. When dealing with spam, the user should delete the email without opening it and turn off the preview function of the mail software. Answer B is incorrect because this is an inappropriate action. There are specific laws that deal with spamming, and trying to conduct your own investigation can be dangerous. Answer D is incorrect because local law enforcement does not investigate a single spam incident.

34. Answer: B, C, D. Rootkits can be included as part of a software package, and can be installed by way of an unpatched vulnerability or by the user downloading and installing them. Answer A is incorrect because accessing documents on the local intranet should not result in a rootkit installation.

35. Answer: D. Rootkits have also been known to use encryption to protect outbound communications and piggyback on commonly used ports to communicate without interrupting other applications that use that port. Answer A is incorrect. A logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by. Answer B is incorrect. A botnet is a large number of computers that forward transmissions to other computers on the Internet. You may also hear a botnet referred to as a zombie army. Answer C is incorrect. Adware is a form of advertising that installs additional tracking software on your system that keeps in contact with the company through your Internet connection. It reports data to the company, such as your surfing habits and which sites you have visited.

36. Answer: A. A logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by. Answer B is incorrect. A botnet is a large number of computers that forward transmissions to other computers. Answer C is incorrect. Adware is a form of advertising that installs additional tracking software on your system that keeps in contact with the company through your Internet connection. It reports data to the company, such as your surfing habits and which sites you have visited. Answer D is incorrect. A rootkit is a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges such as administrative rights.

37. Answer: B. A Trojan appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed. Answer A is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer C is incorrect because a worm is built to take advantage of a security hole in an existing application or operating system and then find other systems running the same software and automatically replicate itself to the new host. Answer D is incorrect because a logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by.

38. Answer: A. A polymorphic virus can change each time it is executed. It was developed to avoid detection by antivirus software. Answer B is incorrect because a macro virus is inserted into a Microsoft Office document and emailed to unsuspecting users. Answer C is incorrect because a stealth virus uses techniques to avoid detection, such as temporarily removing itself from an infected file or masking a file’s size. Answer D is incorrect because a multipartite virus is a hybrid of boot and program viruses. It first attacks a boot sector and then attacks system files, or vice versa.

39. Answer: C. A bot, short for robot, is an automated computer program that needs no user interaction. Bots are systems that outside sources can control. A bot provides a spam or virus originator with the venue to propagate. Answer A is incorrect because a logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by. Answer B is incorrect. Adware is a form of advertising that installs additional tracking software on your system that keeps in contact with the company through your Internet connection. It reports data to the company, such as your surfing habits and which sites you have visited. Answer D is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate.

40. Answer: A, C, D. You can take steps to protect your network from malicious code, such as not using any type of removable media from another user without first scanning it for malware, performing backups on a daily basis, installing firewalls or intrusion-prevention systems on client machines, and subscribing to newsgroups and checking antivirus websites on a regular basis. Answer B is incorrect. Opening all attachments will most likely infect a machine.

Objective 1.2: Explain the security risks pertaining to system hardware and peripherals.

1. Answer: B. A vulnerability in the BIOS can allow local users to cause a denial of service and the system not to boot. Answers A, C, and D are incorrect because they are all types of storage devices.

2. Answer: C. Although many organizations protect data in motion using encryption, they fail to protect that same data when it reaches its final resting place on storage subsystems. Answer A is incorrect. Network attached storage is a large-capacity device, and it is not easy to lose. Answer B is incorrect because it describes virtualization. Answer D is incorrect because antivirus software can be installed on large storage systems.

3. Answer: A. Just about everyone carries a cell phone, and most corporate workers have PDAs. These devices have associated risks. The first is theft or loss. It is estimated that eight million cell phones are lost or stolen every year. For many organizations, losing a cell phone or a PDA loaded with contacts, emails, and client data can be a severe detriment to business. Handheld devices are rarely password protected, even though they contain a remarkable amount of data. Answer B is incorrect because antivirus software can be installed on mobile systems. Answer C is incorrect because encryption can be used with handheld devices. Answer D is incorrect because cracking the password on handheld devices is no easier than regular password cracking.

4. Answer: B, D. A vulnerability in the BIOS can allow local users to cause a denial of service and the system not to boot. Answer A is incorrect because a hard drive failure has to do with the hard disk itself and nothing to do with the BIOS. Answer C is incorrect because system lockup implies that the machine was already booted and is associated more with attacks that happen after the machine is up and running.

5. Answer: A. Small, high-capacity, removable storage devices present a concern when it comes to corporate security and protecting proprietary information. It is quite simple for a disgruntled employee to take data and sell it. Answers B and C are incorrect because the devices can be scanned for malware and can also be encrypted. Answer D is incorrect because having the device break off in the computer is not a security risk.

6. Answer: D. Group Policy can be used to disable the capacity for unauthorized users to use any USB storage devices. Another layer of protection can be applied by encrypting and properly securing sensitive corporate information. Answer A is incorrect because editing the Registry can cause harm. Answer B is incorrect because filling the USB slots with glue can cause harm to the computer. Answer C is incorrect because the Security Accounts Manager (SAM) stores password information.

7. Answer: B, C, D. The BIOS can be compromised in several ways: through the BIOS password, through known vulnerabilities, and by bypassing access control. Answer A is incorrect because editing the Registry is done after the system has already booted.

8. Answer: B. To provide convenience and redundancy, technologies such as WLAN, USB, and Bluetooth connections are used with client software to sync PDAs and cell phones to a user’s desktop computer. There are also enterprise-level product suites. Although this might prevent lost data, it also presents other risks. New security threats targeting cell phones and other mobile devices could quickly become bigger than anything the industry has seen so far. Therefore, answers A, C, and D are incorrect.

9. Answer: B. Security policy should dictate that sensitive data be encrypted. Answer A is incorrect because limiting email address access would cause excessive overhead. Answer C is incorrect because eliminating attachments would not secure the communication. Answer D is incorrect because the use of passwords would not secure the communication.

10. Answer: A, C, D. BIOS access control can be bypassed by cracking the BIOS password, overloading the keyboard buffer, and deleting the contents of the CMOS RAM. Answer B is incorrect because the MBR is part of the hard disk configuration and has nothing to do with the BIOS.

11. Answer: C. System access to the BIOS configuration utility is controlled by a password. After the password is set, the configuration of the computer cannot be changed without inputting the password. Answers A and B are incorrect because they are hardware devices. Answer D is incorrect because access control lists are used on routers and operating systems but not on the BIOS.

12. Answer: D. The BIOS passwords of laptops are a bit different in that the passwords are usually flashed into firmware. Answers A and B are incorrect because encryption is not automatic for all BIOS versions. Answer C is incorrect because desktop BIOS passwords are stored in the CMOS and are not flashed into the firmware.

13. Answer: A, C. Depending on the manufacturer, the laptop may have a hardware dongle or special loopback device to bypass the password. Answer B is incorrect because a lock pick is used for breaking standard locking mechanisms such as a door lock. Answer D is incorrect because removing the CMOS battery will not reset a password that is flashed into the firmware.

14. Answer: B, C. Many organizations do not have a policy for BIOS passwords. In many organizations, most computers share the same BIOS password, and that password is seldom changed. If an attacker manages to gain physical access, a large portion of the network could be compromised. Answer A is incorrect because sharing the same BIOS password is not good practice and leaves the machine vulnerable. Answer D is incorrect because a hard disk drive password is used after the system boots.

15. Answer: D. It is quite simple for a disgruntled employee to misuse data (take the data and sell it, for instance). Of course, the real issue is access to the information. However, if the information is readily available, even employees with good intentions might misplace or have a removable storage device stolen. Answers A, B, and C are incorrect; the main underlying concern is the amount of data that is available to employees, not unencrypted data, the ability to access multiple machines, or malware infection.

16. Answer: A. The more capabilities a device has, the more vulnerable the device. The Cabir virus has been found in about 15 different variations. According to a report from an Ireland-based cell phone security company, in mid-2008 the security company tracked 100,000 virus incidents per day. Answer B is incorrect because rootkits are normally not found on handheld devices. Answers C and D are incorrect because they both imply that the users are the ones sending the text messages.

17. Answer: C. The more capabilities a device has, the more vulnerable the device. The Cabir virus has been found in about 15 different variations. According to a report from an Ireland-based cell phone security company, in mid-2008 the security company tracked 100,000 virus incidents per day. Answer A is incorrect because it implies that the users are the ones sending the text messages. Answer B is incorrect because not all devices currently have intrusion detection software available. Answer D is incorrect because encryption will not eliminate virus threats.

18. Answer: A, B, D. Removable hard drives, especially the small passport types, afford users the convenience to carry files for both their work environment and their home environment in one device. This convenience provides an opportunity for viruses and other malware to spread between networks and physical locations as they share files in both environments and with other users. In addition to malware infections, these devices have a large amount of storage space, so they lend themselves to data theft and information leakage. Answer C is incorrect. Reduced productivity should not be a byproduct of allowing removable hard drives.

19. Answer: B. A better approach is to combine security policies with purchasing and issuing removable storage devices and encrypting them as necessary, then allowing only the approved devices and blocking all unauthorized devices. Although answers A and C are viable solutions, they are not the best approach. Answer D is incorrect because it causes undue administrative overhead.

20. Answer: A. An organization should consider implementing controls that ensure all portable devices and removable media are encrypted and accounted for. The security policy should require encryption of all data on portable computers and removable storage. Answer B is incorrect because as of this writing, the device is still undergoing internal testing, and consideration for the device becoming an actual product will come later. Answers C and D are incorrect because they are not types of viruses.

21. Answer: C, D. A good antivirus solution is essential to protect the integrity of stored data and to prevent malware from spreading to other parts of the network through the storage system. Additional considerations when dealing with large data repositories should include encryption, authentication devices, secure logging, and key management. Answer A is incorrect because it describes a solution for small storage devices. Answer B is incorrect because it does not address data at rest.

22. Answer: A, B, C, D. A good antivirus solution is essential to protect the integrity of stored data and to prevent malware from spreading to other parts of the network through the storage system. Additional considerations when dealing with large data repositories should include encryption, authentication devices, secure logging, and key management.

23. Answer: C. Some security appliances sit on a SAN or are connected to NAS to protect data considered “at rest.” Answers A and B are incorrect because they are handheld devices and the data changes. Answer D is incorrect. The BIOS is not considered data at rest.

24. Answer: B. Many BIOS manufacturers build in backdoor passwords. Often, they are simple, such as the name of the BIOS manufacturer. In addition, lists of known backdoor passwords are available on the Internet. Because this method of access has become so public, BIOS manufacturers have become more secretive about any backdoors they may now use. Answer A is incorrect because secure BIOS passwords can be made. Answer C is incorrect because the BIOS does not lock the user out after too many bad passwords. This is a condition set with Group Policy. Answer D is incorrect because too many incorrect BIOS password guesses will not destroy it, but improperly flashing it will.

25. Answer: D. If an attacker gains physical access to the machine and changes the boot order, there is no way to protect the system from compromise. An attacker could boot the system from a device that contains software to change the administrative password, extract password information for a later attack, directly access data on the hard disk, or install a backdoor or Trojan. Answers A and B are incorrect; a DoS attack and virus do not require physical access to the machine. Answer C is incorrect because the MBR is concerned with operating system boot order, not BIOS boot order.

Objective 1.3: Implement OS hardening practices and procedures to achieve workstation and server security.

1. Answer: A, B, D. The three basic areas of hardening are operating system, application, and network. Answer C is incorrect because the Internet is a shared public network and is not hardened.

2. Answer: A, B. Operating system hardening includes encrypted file support and secured file system selection that allows the proper level of access control. In application hardening, default application administration accounts, standard passwords, and common services installed by default should be reviewed and changed or disabled as required. Answer C is incorrect because the Internet is a shared public network and is not hardened. Answer D is incorrect because network hardening involves access restrictions to network services, updates to security hardware and software, and disabling unnecessary protocol support and services.

3. Answer: D. Network hardening involves access restrictions to network services, updates to security hardware and software, and disabling unnecessary protocol support and services. Answer A is incorrect; operating system hardening includes encrypted file support and secured file system selection that allows the proper level of access control. Answer B is incorrect; in application hardening, default application administration accounts, standard passwords, and common services installed by default should be reviewed and changed or disabled as required. Answer C is incorrect because the Internet is a shared public network and is not hardened.

4. Answer: A, B. Operating system hardening includes encrypted file support and secured file system selection. This allows the proper level of access control and allows you to address newly identified exploits and apply security patches, hotfixes, and service packs. In application hardening, default application administration accounts, standard passwords, and common services installed by default should be reviewed and changed or disabled as required. Applications must be maintained in an updated state through the regular review of hotfixes, patches, and service packs. Answer C is incorrect because the Internet is a shared public network and is not hardened. Answer D is incorrect because network hardening involves access restrictions to network shares and services, updates to security hardware and software, and disabling unnecessary protocol support and services.

5. Answer: D. Mapping avenues of access is critical in hardening a network. This process is a part of the site survey that should be performed for any network, especially those that involve public areas where a simple connection through a workstation might link the protected internal network directly to a public broadband connection. Answers A, B, and C are incorrect because they are part of operating system hardening.

6. Answer: B. Hotfixes are typically small, specific-purpose updates that alter the behavior of installed applications in a limited manner. These are the most common type of update. A hotfix is related to a service pack and should be deployed with this in mind. Answer A is incorrect because service packs are major revisions of functionality or service operation in an installed application. Service packs are the least common type of update, often requiring extensive testing to ensure against service failure in integrated network environments before application. Answer C is incorrect because patches are similar to hotfixes; security patches eliminate security vulnerabilities. They may be mandatory if the circumstances match and need to be deployed quickly. Answer D is incorrect because maintenance releases are incremental updates between service packs or software versions to fix multiple outstanding issues.

7. Answer: A. Service packs are major revisions of functionality or service operation in an installed application or operating system. Service packs are the least common type of update, often requiring extensive testing to ensure against service failure in integrated network environments before application. Answer B is incorrect because hotfixes are typically small, specific-purpose updates that alter the behavior of installed applications in a limited manner. These are the most common type of update. Answer C is incorrect because patches are similar to hotfixes; patches are typically focused updates that affect installed applications. Security patches eliminate security vulnerabilities. They may be mandatory if the circumstances match and need to be deployed quickly. Answer D is incorrect because maintenance releases are incremental updates between service packs or software versions to fix multiple outstanding issues.

8. Answer: C. Patches are similar to hotfixes; patches are typically focused updates that affect installed applications. Security patches eliminate security vulnerabilities. They may be mandatory if the circumstances match and need to be deployed quickly. Answer A is incorrect because service packs are major revisions of functionality or service operation in an installed application. Service packs are the least common type of update, often requiring extensive testing to ensure against service failure in integrated network environments before application. Answer B is incorrect; hotfixes are typically small, specific-purpose updates that alter the behavior of installed applications in a limited manner. These are the most common type of update. Answer D is incorrect because maintenance releases are incremental updates between service packs or software versions to fix multiple outstanding issues.

9. Answer: B, C. In application hardening, default application administration accounts, standard passwords, and common services installed by default should also be reviewed and changed or disabled as required. Answer A is incorrect because key management has to do with certificates. Answer D is incorrect because behavior-based profiles are associated with intrusion detection.

10. Answer: C. It is also imperative to include regular update reviews for all deployed operating systems, to address newly identified exploits and apply security patches, hotfixes, and service packs. Answer A is incorrect; update reviews will not reveal compromised administrative accounts. Answer B is incorrect because behavior-based profiles are associated with intrusion detection. Answer D is incorrect. Firmware updates have to do with hardware, not operating systems.

11. Answer: B. IP Security (IPsec) and public key infrastructure (PKI) implementations must be properly configured and updated to maintain key and ticket stores. Some systems may be hardened to include specific levels of access, gaining the C2 security rating required by many government deployment scenarios. Answer A is incorrect because behavior-based profiles are associated with intrusion detection. Answer C is incorrect; regular update reviews for all deployed operating systems address newly identified exploits and cover the application of security patches, hotfixes, and service packs. Answer D is incorrect; IPsec and PKI have nothing to do with isolating access attempts.

12. Answer: B, C, D. Operating system hardening includes configuring log files and auditing, changing default administrator account names and default passwords, and the institution of account lockout and password policies to guarantee strong passwords that can resist brute-force attacks. File-level security and access control mechanisms serve to isolate access attempts within the operating system environment. Answer A is incorrect because regularly reviewing applied firmware updates and applying those that are required for the network configuration and hardware solutions in use are associated with network hardening practices.

13. Answer: A, B, D. Network hardening practices include configuring log files, auditing, and configuring network devices and firewalls to exclude unsecure protocols, such as raw Telnet sessions that transfer logon and session details in plain-text format. Routing hardware must also be maintained in a current state by regularly reviewing applied firmware updates and applying those that are required for the network configuration and hardware solutions in use. Answer C is incorrect because securing the file system is an operating system hardening activity.

14. Answer: A. Mapping avenues of access is critical in hardening a network. This process is a part of the site survey that should be performed for any network, especially those that involve public areas where a simple connection through a workstation might link the protected internal network directly to a public broadband connection. Wireless networks also create significant avenues for unsecure access to a secured network. A user who configures a PC card on his workstation to allow synchronization of his 802.11-compliant wireless PDA may have inadvertently bypassed all security surrounding an organization’s network. Answer B is incorrect; hardware-related vulnerabilities are associated with network hardening practices. Answer C is incorrect; hardware-related vulnerabilities are associated with operating system hardening practices. Answer D is incorrect; access control is associated with operating system hardening practices.

15. Answer: B. Regular log review is critical for web servers, to ensure that submitted URL values are not used to exploit unpatched buffer overruns or to initiate other forms of common exploits. Answer A is incorrect. Email service hardening includes preventing SMTP relay from being used by spammers, and limiting attachment and total storage per user to prevent denial-of-service attacks using large file attachments. Answer C is incorrect. Because of limitations in FTP, unless an encapsulation scheme is used between the client and host systems the logon and password details are passed in clear text and may be subject to interception by packet sniffing. Answer D is incorrect. Unauthorized DNS zone transfers should also be restricted to prevent DNS poisoning attacks.

16. Answer: A. Email service hardening includes preventing SMTP relay from being used by spammers, and limiting attachment and total storage per user to prevent denial-of-service attacks using large file attachments. Answer B is incorrect. Regular log review is critical for web servers, to ensure that submitted URL values are not used to exploit unpatched buffer overruns or to initiate other forms of common exploits. Answer C is incorrect. Because of limitations in FTP, unless an encapsulation scheme is used between the client and host systems the logon and password details are passed in clear text and may be subject to interception by packet sniffing. Answer D is incorrect. Unauthorized DNS zone transfers should also be restricted to prevent DNS poisoning attacks.

17. Answer: C. Network News Transfer Protocol (NNTP) servers providing user access to newsgroup posts raise many of the same security considerations and risks as email servers. Answers A, B, and D are incorrect. Access control for newsgroups may be somewhat more complex, with moderated groups allowing public anonymous submission (and authenticated access required for post approval). This type of control is not addressed with database, DNS, or DHCP servers.

18. Answer: D. Query results that are forged and returned to the requesting client or recursive DNS query can poison the DNS records. Answer A is incorrect. Email service hardening includes preventing SMTP relay from being used by spammers, and limiting attachment and total storage per user to prevent denial-of-service attacks using large file attachments. Answer B is incorrect. Regular log review is critical for web servers, to ensure that submitted URL values are not used to exploit unpatched buffer overruns or to initiate other forms of common exploits. Answer C is incorrect. Because of limitations in the FTP protocol, unless an encapsulation scheme is used between the client and host systems the logon and password details are passed in clear text and may be subject to interception by packet sniffing.

19. Answer: C. FTP logs should be spot-checked for password-guessing and brute-force attacks. Because of limitations in FTP, unless an encapsulation scheme is used between the client and host systems the logon and password details are passed in clear text and may be subject to interception by packet sniffing. Answer A is incorrect. Email service hardening includes preventing SMTP relay from being used by spammers, and limiting attachment and total storage per user to prevent denial-of-service attacks using large file attachments. Answer B is incorrect. Regular log review is critical for web servers, to ensure that submitted URL values are not used to exploit unpatched buffer overruns or to initiate other forms of common exploits. Answer D is incorrect. Unauthorized DNS zone transfers should also be restricted to prevent DNS poisoning attacks.

20. Answer: D. Print servers pose several risks, including possible security breaches in the event that unauthorized parties access cached print jobs or sensitive printed material. DoS attacks may be used to disrupt normal methods of business, and network-connected printers require authentication of access to prevent attackers from generating printed memos, invoices, or any other manner of printed materials. Answer A is incorrect. Email service hardening includes preventing SMTP relay from being used by spammers, and limiting attachment and total storage per user to prevent denial-of-service attacks using large file attachments. Answer B is incorrect. Because of limitations in FTP, unless an encapsulation scheme is used between the client and host systems the logon and password details are passed in clear text and may be subject to interception by packet sniffing. Answer C is incorrect. If the operating system in use does not support DHCP server authentication, attackers may also configure their own DHCP servers within a subnet, taking control of the network settings of clients and obtaining leases from these rogue servers.

21. Answer: B. Dynamic Host Configuration Protocol (DHCP) servers share many of the same security problems associated with other network services, such as DNS servers. DHCP servers may be overwhelmed by lease requests if bandwidth and processing resources are insufficient. Answer A is incorrect because data repositories of any type might require specialized security considerations. Answers C and D are incorrect. Network News Transfer Protocol (NNTP) servers providing user access to newsgroup posts raise many of the same security considerations and risks as email servers.

22. Answer: A, B, C. Data repositories of any type might require specialized security considerations, based on the bandwidth and processing resources required to prevent DoS attacks, removal of default password and administration accounts such as the SQL default sa account, and security of replication traffic to prevent exposure of access credentials to packet sniffing. Answer D is incorrect because lease requirements are associated with DHCP servers.

23. Answer: B. Network file shares are not secure until you remove default access permissions. Answer A is incorrect because scope address pools have to do with DHCP servers. Answer C is incorrect because proper name resolution is associated with DNS servers. Answer D is incorrect. The password is not encrypted in many network file-sharing systems.

24. Answer: C. If the operating system in use does not support DHCP server authentication, attackers may also configure their own DHCP servers within a subnet, taking control of the network settings of clients and obtaining leases from these rogue servers. Answer A is incorrect. Email service hardening includes preventing SMTP relay from being used by spammers, and limiting attachment and total storage per user to prevent denial-of-service attacks using large file attachments. Answer B is incorrect. Because of limitations in FTP, unless an encapsulation scheme is used between the client and host systems the logon and password details are passed in clear text and may be subject to interception by packet sniffing. Answer D is incorrect. Unauthorized DNS zone transfers should also be restricted to prevent DNS poisoning attacks.

25. Answer: A, B. Data repositories of any type might require specialized security considerations, based on the bandwidth and processing resources required. Role-based access control may be used to improve security, and the elimination of unneeded connection libraries and character sets may help to alleviate common exploits. Answers C and D are incorrect; using discretionary-based access control and eliminating bandwidth restrictions would relax security, not improve it.

26. Answer: A. Group Policy can be used for ease of administration in managing the environment of users. This can include installing software and updates or controlling what appears on the desktop based on the user’s job function and level of experience. The Group Policy object (GPO) is used to apply Group Policy to users and computers. Answer B is incorrect because User Manager is used to create and manage user accounts. Answers C and D are incorrect because Active Directory and Directory services store information and settings in a central database.

27. Answer: D. Group policies are applied in a specific order or hierarchy. By default, a group policy is inherited and cumulative. Answer A is incorrect because group policies are cumulative, not proportionate. Answer B is incorrect; group policies are inherited, not singular. Answer C is incorrect because group policies are cumulative, not singular.

28. Answer: B. Group Policy enables you to set consistent common security standards for a certain group of computers and enforce common computer and user configurations. It also simplifies computer configuration by distributing applications and restricting the distribution of applications that may have limited licenses. To allow this wide range of administration, GPOs can be associated with or linked to sites, domains, or organizational units. Answer A is incorrect because role-based access control allows access to resources based on the user's role. Answer C is incorrect. Using a distribution server may be helpful, but the update is mandatory, and therefore it needs to be pushed out. Answer D is incorrect. RSoP is used for predicting the effect of a policy.

29. Answer: A, C, D. Security baselines are often established by governmental mandate, regulatory bodies, or industry representatives, such as the PCI requirements established by the credit card industry for businesses collecting and transacting credit information. Answer B is incorrect because organizational requests are merely requests, and security baselines are often established due to some type of regulation or standard.

30. Answer: C. Security templates are sets of configurations that reflect a particular role or standard established through industry standards or within an organization, assigned to fulfill a particular purpose. Examples include a “minimum access” configuration template assigned to limited access kiosk systems, whereas a “high-security” template could be assigned to systems requiring more stringent logon and access control mechanisms. Answer A is incorrect because Group Policy enables you to set consistent common security standards for a certain group of computers and enforce common computer and user configurations. Answer B is incorrect because security baselines are often established by governmental mandate, regulatory bodies, or industry representatives, such as the PCI requirements established by the credit card industry for businesses collecting and transacting credit information. Answer D is incorrect because Active Directory stores information and settings in a central database.

Objective 1.4: Carry out the appropriate procedures to establish application security.

1. Answer: A, D. Some identified vulnerabilities of the Java language include buffer overflows, ability to execute instructions, resource monopolization, and unexpected redirection. Answers B and C are incorrect because unauthorized file upload and email exposure are associated with JavaScript, not the Java language.

2. Answer: C. Java applets execute when the client machine’s browser loads the hosting web page. Vulnerabilities are based on the Java language. JavaScript vulnerabilities must be addressed based on the operating system and browser version in use on each client. Answers A and B are incorrect because JavaScript vulnerabilities must be addressed based on the operating system and browser version in use on each client, not the server. Answer D is incorrect because the operating system does not load the hosting web page; an application (the browser) does.

3. Answer: B. Java is a precompiled language. Before it can be executed, it undergoes a Just In Time (JIT) compilation into the necessary binary bytes. A Java-based mini-program, called an applet, may present many security risks to the client. Applets execute when the client machine’s browser loads the hosting web page. Answers A and C are incorrect because Java is a precompiled language. Answer D is incorrect because applets execute when the client machine’s browser loads the hosting web page.

4. Answer: B, C. JavaScript is a client-side interpreted language that mainly poses privacy-related vulnerability issues such as unauthorized file upload and email exposure. Answers A and D are incorrect because they are associated with the Java language. Some identified vulnerabilities of the Java language include buffer overflows, ability to execute instructions, resource monopolization, and unexpected redirection.

5. Answer: A. To avoid vulnerabilities exposed by earlier forms of Java and ActiveX development, all machines should be kept up-to-date with new version releases. Scripting language vulnerabilities may be addressed in this manner, as well as by turning off or increasing the client’s browser security settings to prevent automatic code execution. Answer B is incorrect because this setting controls third-party tool bands and browser helper objects. Answer C is incorrect because increasing the pop-up setting will not mitigate Java vulnerabilities. Answer D is incorrect because Integrated Windows Authentication has to do with logon information, not Java vulnerabilities.

6. Answer: C. Microsoft developed a precompiled application technology that can be embedded in a web page in the same way as Java applets. This technology is referred to as ActiveX, and its controls share many of the same vulnerabilities present in embedded Java applets. Answer A is incorrect because cookies are temporary files stored in the client’s browser cache to maintain settings across multiple pages, servers, or sites. Answer B is incorrect because JavaScript is a smaller language that does not create applets or standalone applications. Answer D is incorrect because CGI (Common Gateway Interface) scripts are programs that run on the server to service client requests.

7. Answer: B. Clients should regularly clear their browser cookie cache to avoid exposing long-term browsing habits in this way. Where possible, client browsers may also be configured to block third-party cookies, although many online commerce sites require this functionality for their operation. Answer A is incorrect because this setting controls third-party tool bands and browser helper objects. Answer C is incorrect because blocking all cookies would hamper the functionality for many online commerce sites. Answer D is incorrect because disabling automatic code execution on client browsers has more to do with Java applets and ActiveX controls.

8. Answer: D. By restricting the data that can be input and using proper input validation, application designers can reduce the threat posed by maliciously crafted URL references and redirected web content. Answer A is incorrect because blocking third-party cookies limits the exposure of long-term browsing habits, not crafted URLs. Answer B is incorrect because accepting only numeric data input is not feasible, and if the input is not validated, it will not mitigate attacks. Answer C is incorrect because this setting controls third-party tool bands and browser helper objects.
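The input-validation principle behind this answer, as an added example that is not from the book: a redirect parameter is checked against an allowlist of hosts and an expected shape before it is handed to the browser, and a form field is accepted only if it matches a strict pattern. The names `ALLOWED_REDIRECT_HOSTS`, `safe_redirect_target`, `validate_order_id` and the sample inputs are assumptions made for this illustration.

```python
"""Input validation for URL-style parameters (added example, not from the book).

ALLOWED_REDIRECT_HOSTS, safe_redirect_target and validate_order_id are
assumed names chosen for this illustration, not a real application's API.
"""
import re
from urllib.parse import urlparse, urlunparse

# Constructed allowlist: the only hosts this application may redirect to.
ALLOWED_REDIRECT_HOSTS = {"shop.example.com", "help.example.com"}

# Positive pattern for a form field: constrain character set and length
# instead of trying to enumerate every bad input.
ORDER_ID_RE = re.compile(r"^[A-Z]{2}-[0-9]{6}$")


def safe_redirect_target(raw, default="/"):
    """Return a redirect target that stays within the allowed hosts.

    Anything that does not fit the expected shape is replaced with
    `default` rather than passed through to the client.
    """
    if not isinstance(raw, str) or not raw or len(raw) > 2048:
        return default
    # Control characters (including CR/LF, which could split a response
    # header) are rejected before any parsing happens.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        return default
    # Protocol-relative URLs and backslashes are normalised differently by
    # browsers and URL parsers, so refuse them outright.
    if raw.startswith("//") or "\\" in raw:
        return default
    parts = urlparse(raw)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path: must begin with a single slash.
        return raw if raw.startswith("/") else default
    if parts.scheme not in ("http", "https"):
        return default
    # Embedded credentials ("user@host") make the apparent host misleading.
    if parts.username is not None or parts.password is not None:
        return default
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_REDIRECT_HOSTS:
        return default
    # Rebuild from the parsed components (port and fragment dropped) so the
    # value emitted is exactly the one that was validated.
    return urlunparse((parts.scheme, host, parts.path or "/", "", parts.query, ""))


def validate_order_id(value):
    """Accept only the exact shape an order id may take."""
    return isinstance(value, str) and ORDER_ID_RE.fullmatch(value) is not None
```

The allowlist check is deliberately applied to the parsed host rather than to a substring of the raw string, because a crafted URL can place an allowed host name in the userinfo or path portion while the real destination is elsewhere.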

9. Answer: A. Whereas cookies generally provide benefits to the end users, spyware would be most likely to use a tracking cookie. A tracking cookie is a particular type of permanent cookie that stays around, whereas a session cookie stays around only for the particular visit to a website. Answers B and D are incorrect because these sites would use session cookies, not tracking cookies. Answer C is incorrect because a Trojan appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed.

10. Answer: D. Spammers search for unprotected SMTP relay services running on public servers, which may then be used to resend SMTP messages to obscure their true source. Answer A is incorrect because buffer overflows are associated with not using proper input validation. Answer B is incorrect. A logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by. Answer C is incorrect. Spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent.

11. Answer: B. A tracking cookie is a particular type of permanent cookie that stays around, whereas a session cookie stays around only for the particular visit to a website. Therefore, answer C is incorrect. Answers A and D are incorrect because tracking cookies are beneficial or valuable only to the tracking party, not the user.

12. Answer: A. Secure Hypertext Transport Protocol (S-HTTP) operates over port 80 along with regular HTTP traffic. Answer B is incorrect because HTTPS (HTTP over SSL) and SSL employ X.509 digital certificates and operate over port 443. Answer C is incorrect. Email clients connect to port 110 of a remote email server, and then use the POP3 protocol to retrieve email. Answer D is incorrect. Port 4445 uses TCP/UDP for service type upnotifyp.

13. Answer: B. HTTPS (HTTP over SSL) and SSL employ X.509 digital certificates and operate over port 443. Answer A is incorrect because Secure Hypertext Transport Protocol (S-HTTP) operates over port 80 along with regular HTTP traffic. Answer C is incorrect. Email clients connect to port 110 of a remote email server, and then use the POP3 protocol to retrieve email. Port 4445 uses TCP/UDP for service type upnotifyp; therefore, answer D is incorrect.

14. Answer: B, C. Malformed certificates may be used to exploit the parsing libraries used by SSL agents. SSL certificates may also be used to establish links vulnerable to packet sniffing by using compromised self-signed or expired certificates. Other exploits include the use of small key sizes, outdated certificate revocation lists, and other mechanisms intended to provide weak or compromised SSL certificates. Answers A and D are incorrect because they are associated with programming errors. Buffer-overflow vulnerabilities may be used to enact arbitrary commands on a server. Format string vulnerabilities may result in unauthorized access to enact commands on a server or impair its normal operation. Improperly formatted requests may be used to create an effective denial-of-service (DoS) attack against the server, preventing it from responding to normal requests.

15. Answer: A, D. Buffer-overflow vulnerabilities may be used to enact arbitrary commands on the LDAP server. Format string vulnerabilities may result in unauthorized access to enact commands on the LDAP server or impair its normal operation. Improperly formatted requests may be used to create an effective denial-of-service (DoS) attack against the LDAP server, preventing it from responding to normal requests. Answers B and C are incorrect because they are associated with SSL certificate vulnerabilities. Malformed certificates may be used to exploit the parsing libraries used by SSL agents. SSL certificates may also be used to establish links vulnerable to packet sniffing by using compromised self-signed or expired certificates. Other exploits include the use of small key sizes, outdated certificate revocation lists, and other mechanisms intended to provide weak or compromised SSL certificates.

16. Answer: B, C. FTP servers provide user access to upload or download files between client systems and a networked FTP server. FTP servers include many potential security issues, including anonymous file access and unencrypted authentication. Answers A and D are incorrect because they are associated with programming errors. Buffer-overflow vulnerabilities may be used to enact arbitrary commands on a server. Format string vulnerabilities may result in unauthorized access to enact commands on a server or impair its normal operation. Improperly formatted requests may be used to create an effective denial-of-service (DoS) attack against the server, preventing it from responding to normal requests.

17. Answer: A. FTPS (FTP over SSL) uses TCP port 21. Answer B is incorrect because HTTP operates over port 80. Answer C is incorrect. A more secure version of FTP (S/FTP) has been developed, including SSL encapsulation. This is referred to as FTP over SSH using the Secure Shell (SSH) TCP port 22. Answer D is incorrect because port 81 is used as an alternate port for hosting a website.

18. Answer: A, B, C. Attackers develop viral malware capable of spreading through contact lists within IM clients. Others focus on capturing IM traffic and cached logs of past conversations, in an attempt to obtain useful or harmful information. The file-transfer and desktop-sharing capabilities of many clients present challenges against unauthorized data sharing, while creative attackers make use of the audio and video capabilities to directly “tap” unwary IM users. Answer D is incorrect. Improperly formatted requests may be used to create an effective denial-of-service (DoS) attack against servers, preventing them from responding to normal requests.

19. Answer: A, C. CGI scripts may be exploited to leak information, including details about running server processes and daemons; samples included in some default installations are not intended for security and include well-known exploits; and buffer overflows may allow arbitrary commands to be executed on the server. Answer B is incorrect because anonymous file access is associated with FTP servers. Answer D is incorrect because CGI scripts do not run on the client system.

20. Answer: D. When a website redirects the client’s browser to attack yet another site, this is referred to as cross-site scripting. Answer A is incorrect because unencrypted authentication is associated with FTP servers. Answer B is incorrect because a session hijack occurs when an attacker causes the client’s browser to establish a secure connection to a compromised web server acting as a proxy or redirecting traffic to a secure target site, exposing traffic as it passes through the compromised system. Answer C is incorrect because a buffer overflow occurs when data input exceeds the memory space allocated and injects unanticipated data or programmatic code into executable memory.

21. Answer: B. An early exploit of JavaScript allowed access to files located on the client’s system if the name and path were known. Answers A and D are incorrect because JavaScript, not Java, can be used to execute arbitrary instructions on the server, send email as the user, and allow access to cache information. Answer C is incorrect because Java, not JavaScript, can continue running even after the applet has been closed.

22. Answer: A. Exploits may allow the identification of configuration details of the server that may be helpful to later unauthorized access attempts, a process often referred to as profiling. Answer B is incorrect because reporting portrays information collected in a particular area. Answer C is incorrect because abstracting is used to understand and solve problems. Answer D is incorrect because hyperlinking is associated with web pages.

23. Answer: B. The danger to maintaining session information is that sites may access cookies stored in the browser’s cache that may contain details on the user’s e-commerce shopping habits, along with many user details that could possibly include sensitive information identifying the user or allowing access to secured sites. Answers A and C are incorrect because these actions prove helpful for the client. Answer D is incorrect because this action is associated with Java.

24. Answer: A, C. Browser-based vulnerabilities include session hijacking, buffer overflows, cross-site scripting, and add-in vulnerabilities. Answer B is incorrect because SQL injection is associated with SQL database servers. Answer D is incorrect because social engineering is taking advantage of human nature.

25. Answer: C. The common BitTorrent file-sharing application is an example of a resource-sharing peer-to-peer (P2P) solution, allowing users to transport files between remote clients without passing through a central server for access. This presents difficulties for access restriction, because any two clients may negotiate connections using random ports and protocols, bypassing traffic analysis and access control restrictions. Answer A is incorrect; it describes a vulnerability exploitation of Java, CGI scripts, and LDAP. Answer B is incorrect; anonymous file upload is associated with FTP servers. Answer D is incorrect because it describes a CGI script exploit.

Objective 1.5: Implement security applications.

1. Answer: B. Like most other solutions, firewalls have strengths and weaknesses. By design, firewalls close off systems to scanning and entry by blocking ports or nontrusted services and applications. However, they require proper configuration. Answers A and C are incorrect because they describe behaviors associated with antivirus software. Answer D is incorrect because blocking off the system through BIOS access would cause it not to boot.

2. Answer: C. A host intrusion prevention system (HIPS) consists of software that sits between your system’s applications and the OS kernel. The HIPS monitors suspicious activity and then either blocks or allows the activity based on the predefined rule set. Therefore, answers A, B, and D are incorrect.

3. Answer: A, B. A host intrusion detection system (HIDS) monitors events for suspicious activity, using either misuse detection or anomaly detection. In misuse detection, a database of signatures is used, and the information monitored is compared to the database. This is similar to the way antivirus software works. Answer C is incorrect because black lists are associated with email. Answer D is incorrect because outbound monitoring is usually done by a firewall.

4. Answer: D. Monitoring outbound connections is important in the case of malware that “phones home.” Without this type of protection, the environment is not properly protected. Answer A is incorrect because behaviors such as collecting personal information or changing your computer configuration without appropriately obtaining prior consent are associated with spyware. Answer B is incorrect because tracking users’ inappropriate site visits is associated with content filtering. Answer C is incorrect. Monitoring bandwidth usage is a function of a network tool.

5. Answer: C. The most common method used in an antivirus program is scanning. Scanning searches files in memory, the boot sector, and on the hard disk for identifiable virus code. Scanning identifies virus code based on a unique string of characters known as a signature. Answers A and B are incorrect. A host intrusion detection system uses either misuse detection or anomaly detection. Answer D is incorrect because filtering is associated with antispam programs.

6. Answer: D. The main component of antispam software is heuristic filtering. Heuristic filtering has a predefined rule set that compares incoming email information against the rule set. Answers A and B are incorrect. A host intrusion detection system uses either misuse detection or anomaly detection. Answer C is incorrect because scanning is associated with antivirus programs.

7. Answer: C. The most common method used in an antivirus program is scanning. Scanning searches files in memory, the boot sector, and on the hard disk for identifiable virus code. Scanning identifies virus code based on a unique string of characters known as a signature. Answer A is incorrect because behavior patterns are associated with intrusion detection systems. Answers B and D are incorrect because antivirus software does not base its technologies on Registry keys or commands. It will scan Registry keys, but the technology is based on a unique set of characters to identify malware.

8. Answer: A, D. If all pop-ups are blocked, the user might not be able to install applications or programs. Field help for fill-in forms is often in the form of a pop-up. Some pop-up blockers may delete the information already entered by reloading the page, causing users unnecessary grief. Answer B is incorrect because firewalls are not affected by pop-up blocker settings. Answer C is incorrect because the answer is associated with email lists.

9. Answer: B. Heuristic scanning looks for instructions or commands that are not typically found in application programs. Answer A is incorrect because it describes rootkit software. Answer C is incorrect because it describes antivirus scanning software. Answer D is incorrect because it describes firewall software.

10. Answer: B, C. Heuristic scanning looks for instructions or commands that are not typically found in application programs. The issue with these methods is that they are susceptible to false positives and cannot identify new viruses until the database is updated. Answers A and D are incorrect. Buffer overflows and logic bombs are malware that have nothing to do with heuristic scanning methods.
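Answers 5, 7, and 10 describe signature scanning: the scanner searches memory, the boot sector, and files for a unique string of bytes, and a new variant goes undetected until the signature database is updated. The following is an added example (not from the book) that shows both points in code. The only real signature it uses is the EICAR test string, a harmless sample that antivirus products detect on purpose; the file names, the signature database, and the boot-sector bytes are constructed for illustration.

```python
"""Toy signature scanner: matches known byte strings (signatures) against
in-memory stand-ins for files, memory and the boot sector, and shows why a
modified variant is missed until the signature database is updated.
Constructed example, not code from the book."""

# The EICAR test string is a harmless, industry-standard antivirus test
# sample. A raw bytes literal keeps the backslash in "4\P" intact.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature database: detection name -> unique byte sequence.
SIGNATURE_DB = {
    "EICAR-Test-File": EICAR,
}


def scan_bytes(data: bytes, db=SIGNATURE_DB):
    """Return the sorted names of every signature found in data (may be empty)."""
    return sorted(name for name, sig in db.items() if sig in data)


def scan_files(files: dict, db=SIGNATURE_DB):
    """files maps a label (path, "MBR", ...) to its raw contents; all constructed.
    Returns {label: [matches]} for labels with at least one match."""
    report = {}
    for label, data in files.items():
        hits = scan_bytes(data, db)
        if hits:
            report[label] = hits
    return report


# Constructed sample "files". The variant changes one byte of the test
# string, which is enough to defeat exact-string matching.
SAMPLE_FILES = {
    "C:/temp/eicar.com": EICAR,
    "C:/temp/notes.txt": b"Quarterly report draft. Nothing to see here.",
    "C:/temp/eicar-variant.com": EICAR.replace(b"STANDARD", b"STANDARX"),
    # Constructed boot-sector bytes (not a real MBR), scanned like any region.
    "MBR": b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * 20,
}


def detection_before_and_after_update():
    """Show the gap between a variant appearing and its signature shipping."""
    before = scan_files(SAMPLE_FILES)
    # The vendor pushes an updated database that now contains the variant.
    updated = dict(SIGNATURE_DB)
    updated["EICAR-Test-File.Variant"] = SAMPLE_FILES["C:/temp/eicar-variant.com"]
    after = scan_files(SAMPLE_FILES, updated)
    return before, after


if __name__ == "__main__":
    before, after = detection_before_and_after_update()
    print("before update:", before)
    print("after update: ", after)
```

Real scanners use many thousands of signatures and faster multi-pattern matching, but the failure mode is the same: the variant file is invisible to the scanner until the database is updated, which is why answer 10 pairs signature and heuristic methods with the need for timely updates.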

11. Answer: A. A false positive occurs when the software classifies an action as a possible intrusion when it is actually a nonthreatening action. Answer B is incorrect because it describes antivirus scanning software. Answer C is incorrect because it describes a false negative. Answer D is incorrect because the end result is a false negative.

12. Answer: D. When antispam software and updates are installed on a central server and pushed out to the client machines, this is called a centralized solution. When the updates are left up to the individual users, you have a decentralized environment. Answer A is incorrect because it describes a centralized solution. Answer B is incorrect. Vendors are never responsible for updating applications on client machines. Answer C is incorrect because making the manager responsible for the updates is not necessarily a decentralized solution.

13. Answer: B, D. Specific spam filtering levels can be set on the user’s email account. If the setting is high, more spam will be filtered, but it may also filter legitimate email as spam, thus causing false positives. Therefore, answers A and C are incorrect because they depict just the opposite.

14. Answer: A. In general, an email address added to the approved list is never considered spam. This is also known as a white list. Using white lists allows more flexibility in the type of email you receive. Putting the addresses of your relatives or friends in your white list allows you to receive any type of content from them. An email address added to the blocked list is always considered spam. This is also known as a black list. Answer B is incorrect. Blacklisting is blocking an email address. Answer C is incorrect. Graylisting is related to whitelisting and blacklisting. What happens is that each time a given mailbox receives an email from an unknown contact (IP), that mail is rejected with a “try again later.” Answer D is incorrect because brownlisting is a concept based on a CBL type system driven by tokens from blocked sites.

15. Answer: B. In general, an email address added to the approved list is never considered spam. This is also known as a white list. Using white lists allows more flexibility in the type of email you receive. Putting the addresses of your relatives or friends in your white list allows you to receive any type of content from them. An email address added to the blocked list is always considered spam. This is also known as a black list. Answer A is incorrect. Whitelisting is allowing an email address. Answer C is incorrect. Graylisting is related to whitelisting and blacklisting. What happens is that each time a given mailbox receives an email from an unknown contact (IP), that mail is rejected with a “try again later.” Answer D is incorrect because brownlisting is a concept based on a CBL type system driven by tokens from blocked sites.
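Answers 14 and 15 describe three admission lists: a white list that always accepts, a black list that always rejects, and graylisting, which answers an unknown sender with “try again later” and accepts only once the sender retries. The following added example (not code from the book) puts the three decisions into one mail-admission check. The addresses, IP, and retry interval are constructed; the clock is injectable so the retry behaviour can be exercised without waiting.

```python
"""Mail admission check combining white list, black list and graylisting.
Constructed example; SMTP reply codes follow the usual convention that
2xx accepts, 451 asks the sending server to retry, and 550 rejects."""
import time


class MailAdmission:
    def __init__(self, whitelist, blacklist, retry_after=300, now=time.time):
        self.whitelist = {a.lower() for a in whitelist}   # always accepted
        self.blacklist = {a.lower() for a in blacklist}   # always rejected
        self.retry_after = retry_after   # seconds an unknown sender must wait
        self.now = now                   # clock function, replaceable in tests
        self.seen = {}                   # (ip, sender, recipient) -> first-seen time

    def decide(self, client_ip, sender, recipient):
        sender = sender.lower()
        if sender in self.blacklist:
            return "550 Rejected"            # black list: permanent reject
        if sender in self.whitelist:
            return "250 OK"                  # white list: deliver regardless of content
        key = (client_ip, sender, recipient)
        first = self.seen.get(key)
        if first is None:
            self.seen[key] = self.now()
            return "451 Try again later"     # graylist: unknown triplet, temporary reject
        if self.now() - first < self.retry_after:
            return "451 Try again later"     # retried too soon, still gray
        return "250 OK"                      # proper retry: now a known sender


def demo():
    """Drive the check with a fake clock; returns the sequence of replies."""
    clock = [0.0]                      # constructed clock, seconds
    admit = MailAdmission(whitelist=["mom@example.org"],
                          blacklist=["offers@spam.invalid"],
                          retry_after=300, now=lambda: clock[0])
    replies = []
    replies.append(admit.decide("198.51.100.7", "Mom@example.org", "me@example.net"))
    replies.append(admit.decide("198.51.100.7", "offers@spam.invalid", "me@example.net"))
    replies.append(admit.decide("198.51.100.7", "new@partner.example", "me@example.net"))
    clock[0] = 10.0                     # retried after 10 s: too early
    replies.append(admit.decide("198.51.100.7", "new@partner.example", "me@example.net"))
    clock[0] = 400.0                    # retried after the minimum delay
    replies.append(admit.decide("198.51.100.7", "new@partner.example", "me@example.net"))
    return replies


if __name__ == "__main__":
    for reply in demo():
        print(reply)
```

Graylisting works because a conforming mail server queues the message and retries, while most bulk-mailing software sends once and moves on; the cost is a delivery delay for first-time correspondents, which is why white lists for known contacts sit in front of it.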

16. Answer: A, C, D. Although some pop-ups are helpful, many are an annoyance, and others can contain inappropriate content or entice the user to download malware. Answer B is incorrect because it describes pop-up blockers, not pop-ups.

17. Answer: A, B, C. Many pop-up blockers are integrated into vendor toolbars. You can circumvent pop-up blockers in various ways. Most pop-up blockers block only the JavaScript; therefore, technologies such as Flash bypass the pop-up blocker. On many Internet browsers, holding down the Ctrl key while clicking a link will allow it to bypass the pop-up filter. Answer D is incorrect because users can adjust the settings on pop-up blockers.

18. Answer: B. Set the software to medium so that it will block most automatic pop-ups but still allow functionality. Keep in mind that you can adjust the settings on pop-up blockers to meet the organizational policy or to best protect the user environment. Answer A is incorrect because it will allow most pop-ups. Answer C is incorrect because it will affect functionality. Answer D is incorrect because the custom setting is not needed.

19. Answer: C. There are several variations of pop-up windows. A pop-under ad opens a new browser window under the active window. These types of ads often are not seen until the current window is closed. Answers A and B are incorrect because they describe useful pop-ups and are not ads. Answer D is incorrect because it describes a hover ad. Hover ads are Dynamic Hypertext Markup Language (DHTML) pop-ups; they are essentially “floating pop-ups” in a web page.

20. Answer: D. There are several variations of pop-up windows. A pop-under ad opens a new browser window under the active window. These types of ads often are not seen until the current window is closed. Hover ads are Dynamic Hypertext Markup Language (DHTML) pop-ups. They are essentially “floating pop-ups” in a web page. Answers A and B are incorrect because they describe useful pop-ups and are not ads. Answer C is incorrect because it describes a pop-under ad.

21. Answer: C. It is important to understand that the spam filter software cannot assign meaning to the words examined. It just tracks and compares the words used. Answer A is incorrect because chances are there is nothing wrong with the software. Answer B is incorrect because adjusting the settings may cause legitimate email to be filtered. Answer D is incorrect because chances are there is nothing wrong with the software. Training the software to recognize spam takes time and often the process must be repeated.

22. Answer: A. Heuristic filtering has a predefined rule set that compares incoming email information against the rule set. The software reads the contents of each message and compares the words in that message against the words in typical spam messages. Each rule assigns a numeric score to the probability of the message being spam. This score is then used to determine whether the message meets the acceptable level set. Answers B, C, and D are incorrect because heuristic filtering is not based on character sets, commands, or Registry keys.
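Answer 22 describes heuristic spam filtering as a rule set where each matching rule adds a numeric score that is compared against an acceptable level, and answers 13 and 21 add that a higher filtering level catches more spam but also misclassifies legitimate mail because the filter compares words without assigning them meaning. The following added example (not code from the book) implements that scoring loop. The rules, their point values, the level thresholds, and the two sample messages are all constructed for illustration.

```python
"""Rule-based heuristic spam scoring with adjustable filtering levels.
Constructed example: rules, scores and thresholds are illustrative only."""
import re

# Constructed rule set: (name, pattern, points). Real filters have hundreds.
RULES = [
    ("money_words",  re.compile(r"\b(free|prize|winner|lottery)\b", re.I), 2.0),
    ("urgency",      re.compile(r"\b(act now|urgent|limited time)\b", re.I), 1.5),
    ("many_excl",    re.compile(r"!{2,}"), 1.0),
    ("pharma",       re.compile(r"\b(viagra|pills)\b", re.I), 3.0),
    ("money_amount", re.compile(r"\$\s?\d[\d,]*"), 1.0),
]

# Filtering level -> score threshold. A higher level means a lower threshold:
# more spam caught, more legitimate mail flagged (false positives).
LEVELS = {"low": 6.0, "medium": 4.0, "high": 2.0}


def score_message(subject, body, rules=RULES):
    """Apply every rule to subject + body; return (total score, matched rules)."""
    text = subject + "\n" + body
    total, hits = 0.0, []
    for name, pattern, points in rules:
        if pattern.search(text):          # the filter only sees words, not meaning
            hits.append(name)
            total += points
    return total, hits


def classify(subject, body, level="medium"):
    """Return ("spam"|"ham", score, hits) for the given filtering level."""
    total, hits = score_message(subject, body)
    verdict = "spam" if total >= LEVELS[level] else "ham"
    return verdict, total, hits


def verdicts_at_all_levels(subject, body):
    """Show how the same message is classified at each level."""
    return {level: classify(subject, body, level)[0] for level in LEVELS}


# Constructed sample messages.
SPAM_SUBJECT, SPAM_BODY = "YOU ARE A WINNER!!!", \
    "Claim your FREE prize now. Limited time offer, act now!"
HAM_SUBJECT, HAM_BODY = "Lunch Friday?", \
    "Can you bring the $20 you owe me? There is a free table at noon."

if __name__ == "__main__":
    for label, subj, body in (("spam", SPAM_SUBJECT, SPAM_BODY),
                              ("ham", HAM_SUBJECT, HAM_BODY)):
        total, hits = score_message(subj, body)
        print(f"{label}: score={total} hits={hits} "
              f"verdicts={verdicts_at_all_levels(subj, body)}")
```

The legitimate lunch invitation trips the same "free" and dollar-amount rules as junk mail; at the medium level it passes, at the high level it is filtered as spam. That is the trade-off answer 13 describes, and it is why tuning is done by adjusting the level and training rather than by assuming the software is broken.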

23. Answer: B. Scanning identifies virus code based on a unique string of characters known as a signature. Answer A is incorrect because heuristic filtering has a predefined rule set that compares incoming email information against the rule set. Answer C is incorrect because a misnomer has nothing to do with security. Answer D is incorrect. Anomaly detection is associated with a HIDS.

24. Answer: A, B. HIDSs monitor communications on a host-by-host basis and try to filter malicious data. These types of IDSs are good at detecting unauthorized file modifications and user activity. NIDSs monitor the packet flow and try to locate packets that may have gotten through misconfigured firewalls and are not allowed for one reason or another. They are best at detecting DoS attacks and unauthorized user access. Answers C and D are incorrect because they are associated with a NIDS.

25. Answer: D. NIDSs try to locate packets not allowed on the network. HIDSs collect and analyze data that originates on the local machine or a computer hosting a service. NIDSs tend to be more distributed. Answers A, B, and C are incorrect because they describe features of a NIDS.

Objective 1.6: Explain the purpose and application of virtualization technology.

1. Answer: D. If attackers can compromise the virtual machines, they will likely have control of the entire machine. Most virtual machines run with very high privileges on the host because a virtual machine needs access to the host’s hardware so that it can map the physical hardware into virtualized hardware. Answer A is incorrect because although compromising the BIOS is possible, the inherent risk is to the other environments. Answer B is incorrect because physical access is usually required to change the boot order. Answer C is incorrect because virtual environments can be secured.

2. Answer: A. Segmenting virtual machines by the information they handle will keep highly sensitive data from being on the same physical hardware as virtual machines used for testing or lower security applications. The organization should have a policy in place that states that high-security virtual machines containing vital information never share the same hardware as virtual machines for testing. Answers B and D are incorrect because the environments the virtual machines would be shared with are less secure. Answer C is incorrect because it defeats the purpose of using virtual environments.

3. Answer: B, C. Virtual environments can be used to improve security by allowing unstable applications to be used in an isolated environment and providing better disaster recovery solutions. Virtual environments are used for cost-cutting measures, too. One well-equipped server can host several virtual servers. This reduces the need for power and equipment. Forensic analysts often use virtual environments to examine environments that may contain malware or as a method of viewing the environment the same way the criminal did. Answer A is incorrect because virtualized environments, if compromised, can provide access to not only the network, but also any virtualization infrastructure. This puts a lot of data at risk. Answer D is incorrect because the ability to store environments on USB devices puts data at risk.

4. Answer: B. The hypervisor controls how access to a computer’s processors and memory is shared. A hypervisor or virtual machine monitor (VMM) is a virtualization platform that allows more than one operating system to run on a host computer at the same time. Answer A is incorrect. The BIOS holds information necessary to boot the computer. Answer C is incorrect. The operating system interfaces between the hardware and the user and provides an environment for programs and applications to run. Answer D is incorrect because it is the hypervisor, not the virtual machine applications, that controls how the virtual environment uses the host resources.

5. Answer: A, D. Forensic analysts often use virtual environments to examine environments that may contain malware or as a method of viewing the environment the same way the criminal did. Answer B is incorrect. It is not good forensic practice to load multiple cases on one machine, virtual or real. Answer C is incorrect because imaging hard drive and removable media should be done using a write-blocker to avoid data alteration.

6. Answer: B. Virtualized environments, if compromised, can provide access to not only the network, but also any virtualization infrastructure. This puts a lot of data at risk. Security policy should address virtual environments. Answer A is incorrect. It is possible that other virtual machines have been compromised, too. Answers C and D are incorrect because deleting the virtual machine or replacing it by a backup copy will not guarantee that the rest of the machine or network has not been compromised.

7. Answer: A, C. Vulnerabilities also come into play in virtual environments. For example, a few years ago, VMware’s NAT service had a buffer-overflow vulnerability that allowed remote attackers to execute malicious code by exploiting the virtual machine itself. Virtual machine environments need to be patched just like host environments and are susceptible to the same issues as a host operating system. You should also be cognizant of files shared among guest and host operating systems. Answers B and D are incorrect because virtual machines need to be patched just like host environments and are susceptible to the same issues as a host operating system, including malware infection.

8. Answer: C. Security policy should address virtual environment vulnerabilities. Any technology software without a defined business need should not be allowed on systems. This applies to all systems, including virtual environments. Answer A is incorrect because change management policy deals with how environmental changes are addressed. Answer B is incorrect because business continuity planning addresses how a business will survive in the long term after a mishap. Answer D is incorrect because disaster recovery planning deals with how the organization will react to a disaster.

9. Answer: C, D. Hardware vendors are rapidly embracing virtualization and developing new features to simplify virtualization techniques. Virtual environments can be used to improve security by allowing unstable applications to be used in an isolated environment and providing better disaster recovery solutions. Answer A is incorrect because virtual environments do not scan for viruses. Answer B is incorrect because virtual environments have nothing to do with reducing data aggregation. Data aggregation is used to gather statistics about user habits, mostly for online advertising purposes.

10. Answer: C. Segmenting virtual machines by the information they handle will keep highly sensitive data from being on the same physical hardware as virtual machines used for testing or lower security applications. The organization should have a policy in place that states that high-security virtual machines containing vital information never share the same hardware as virtual machines for testing. Answer A is incorrect because although replacing the servers may reduce the power consumption, it will be costly. Answer B is incorrect. Combining all physical hardware into one virtual server might not even be possible, and there is no guarantee this will not create additional issues. Answer D is incorrect because it does not take the security of the data into consideration.

11. Answer: A, B, C, D. Virtual environments are available to run on just about everything from servers and routers to USB thumb drives.

12. Answer: D. A hypervisor or virtual machine monitor (VMM) is a virtualization platform that allows more than one operating system to run on a host computer at the same time. Answers A and C are incorrect because hypervisors do not interact with the OS kernel. Answer B is incorrect. This describes a mainframe environment.

13. Answer: A. A Type 1 native or bare-metal hypervisor is software that runs directly on a hardware platform. The guest operating system runs at the second level above the hardware. This technique allows full guest systems to be run in a relatively efficient manner. The guest OS is not aware it is being virtualized and requires no modification. Answer B is incorrect because it describes where a Type 1 guest operating system runs. Answer C is incorrect because it describes where a Type 2 or hosted hypervisor runs. Answer D is incorrect because it describes where a Type 2 guest operating system runs.

14. Answer: C. A Type 2 or hosted hypervisor is software that runs within an operating system environment, and the guest operating system runs at the third level above the hardware. The hypervisor runs as an application or shell on another already running operating system. Answer A is incorrect because it describes where a Type 1 native or bare-metal hypervisor runs. Answer B is incorrect because it describes where a Type 1 guest operating system runs. Answer D is incorrect because it describes where a Type 2 guest operating system runs.

15. Answer: B. The security concerns of virtual environments begin with the guest operating system. If a virtual machine is compromised, an intruder can gain control of all the guest operating systems. In addition, because hardware is shared, most virtual machines run with very high privileges. This can allow an intruder who compromises a virtual machine to compromise the host machine, too. Answer A is incorrect because the underlying hardware security will only be affected if the guest operating system is compromised. Answer C is incorrect. Although the host operating system needs to be secure, the immediate concerns are with the guest operating system. Answer D is incorrect. The virtual machine files are what make up the virtual machine and are part of the way the environment loads.

16. Answer: C. The security concerns of virtual environments begin with the guest operating system. If a virtual machine is compromised, an intruder can gain control of all the guest operating systems. In addition, because hardware is shared, most virtual machines run with very high privileges. This can allow an intruder who compromises a virtual machine to compromise the host machine, too. Answer A is incorrect because although compromising the BIOS is possible, the unintended risk is high privileges need to run the virtual environment. Answer B is incorrect because disaster recovery is easier using virtual machines. Answer D is incorrect because although technology advances quite rapidly, virtual environments can be secured.

17. Answer: D. To secure a virtualized environment, machines should be segmented by the sensitivity of the information they contain. A policy should be in place that specifies that hardware is not shared for test environments and sensitive data. Answer A is incorrect because although encryption is a viable solution, it might not be possible and is not always the correct solution for an organization. Answer B is incorrect. Although the host operating system needs to be secure, the immediate concerns are with the guest operating systems. Answer C is incorrect because high-security virtual machines containing vital information should never share the same hardware as virtual machines for testing.
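Answers 2, 10, and 17 all state the same placement rule: segment virtual machines by the sensitivity of the information they handle, and never let high-security virtual machines share physical hardware with test or lower-security virtual machines. The following added example (not code from the book) expresses that policy as a check that can be run over a host inventory, plus a grouping function that proposes a segmented layout. The classification labels, host names, and VM inventory are constructed; the policy is this example's reading of the answers, not a standard.

```python
"""Placement policy check for virtual machines: flags hosts that mix
high-sensitivity production VMs with test or low-sensitivity VMs, and
groups VMs into separate hardware pools. Constructed example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    sensitivity: str   # constructed labels: "high", "medium", "low"
    purpose: str       # constructed labels: "production", "test"


def host_violations(host, vms):
    """Return (host, high_vm, offending_vm) triples for one host.
    A violation exists when a high-sensitivity VM shares the host with a
    test VM or a low-sensitivity VM (the rule from answers 2, 10 and 17)."""
    high = [v for v in vms if v.sensitivity == "high"]
    if not high:
        return []
    offenders = [v for v in vms if v.purpose == "test" or v.sensitivity == "low"]
    return [(host, h.name, o.name) for h in high for o in offenders]


def check_placement(inventory):
    """inventory maps host name -> list of VMs. Returns all violations."""
    violations = []
    for host, vms in inventory.items():
        violations.extend(host_violations(host, vms))
    return violations


def segment(vms):
    """Propose hardware pools: test VMs, restricted (high) VMs, everything else.
    Returns {pool: sorted VM names}; each pool should map to dedicated hosts."""
    pools = {"test": [], "restricted": [], "general": []}
    for v in vms:
        if v.purpose == "test":
            pools["test"].append(v.name)
        elif v.sensitivity == "high":
            pools["restricted"].append(v.name)
        else:
            pools["general"].append(v.name)
    return {pool: sorted(names) for pool, names in pools.items()}


# Constructed inventory: hostA mixes a payroll database with a QA web server.
INVENTORY = {
    "hostA": [VM("payroll-db", "high", "production"),
              VM("qa-web", "low", "test")],
    "hostB": [VM("intranet", "medium", "production"),
              VM("crm", "high", "production")],
}

if __name__ == "__main__":
    for host, high_vm, bad_vm in check_placement(INVENTORY):
        print(f"{host}: {high_vm} shares hardware with {bad_vm}")
    all_vms = [v for vms in INVENTORY.values() for v in vms]
    print(segment(all_vms))
```

Run against the constructed inventory, the check reports that the payroll database on hostA shares hardware with a test VM, and the proposed segmentation moves it into a restricted pool alongside the CRM system. In practice the same check belongs in the change-management step that approves new VM deployments, so that a violation is caught before the VM is powered on rather than found later by audit.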

18. Answer: B, C. A policy should be in place that specifies that hardware is not shared for test environments and sensitive data. Another way to secure a virtualized environment is to use standard locked-down images. Other areas that present issues for a virtualized environment and need special consideration are deploying financial applications on virtualized shared hosting and secure storage on storage-area network (SAN) technologies. Answer A is incorrect. Web servers in a DMZ are generally less secure because of the nature of the environment. Answer D is incorrect. Multiple email applications on the same server are similar to web servers in that they would generally be in the DMZ and a bit less secure.

19. Answer: B, C, D. Preconfigured virtual appliances are available for operating systems, networking components, and applications. Answer A is incorrect because output devices such as monitors and printers are not currently virtualized.

20. Answer: D. A Type 2 or hosted hypervisor is software that runs within an operating system environment, and the guest operating system runs at the third level above the hardware. The hypervisor runs as an application or shell on another already running operating system. Answer A is incorrect because it describes where a Type 1 native or bare-metal hypervisor runs. Answer B is incorrect because it describes where a Type 1 guest operating system runs. Answer C is incorrect because it describes where a Type 2 or hosted hypervisor runs.
