Answer: A
Rule set based access controls (RSBAC) are discretionary controls giving data owners the discretion to determine the rules necessary to facilitate access.
Answer: D
The RSBAC framework logic is based on the work done for the generalized framework for access control (GFAC) by Abrams and LaPadula.
Answer: B
View based access control (VBAC) are most commonly found in database applications to control access to specific parts of a database. The constrained user interface in VBAC restricts or limits an access control subject’s ability to view or perhaps act on “components” of an access control object based on the access control subject’s assigned level of authority. Views are dynamically created by the system for each user-authorized access.
Simply put, VBAC separates a given access control object into subcomponents and then permits or denies access for the access control subject to view or interact with specific subcomponents of the underlying access control object.
Answer: A and C
There are a number of authentication methods supported with iSCSI:
Answer: C
Content dependent access control is used to protect databases containing sensitive information. Content dependent access control works by permitting or denying the access control subjects access to access control objects based on the explicit content within the access control object.
Context based access control is often confused with content dependent access control but they are two completely different methodologies. While content dependent access control makes decisions based on the content within an access control object, context based access control is not concerned with the content; it is only concerned with the context or the sequence of events leading to the access control object being allowed through the firewall.
In the example of blood test records for content dependent access control above, the access control subject would be denied access to the access control object because it contained information about an HIV test. Context based access control could instead be used to limit the total number of requests for access to any blood test records over a given period of time. Hence, a health-care worker may be limited to accessing the blood test database no more than 100 times in a 24-hour period.
While context based access control does not require that permissions be configured for individual access control objects, it requires that rules be created in relation to the sequence of events that precede an access attempt.
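The two checks side by side, as an added example that is not from the book: a content-dependent rule that looks inside each record, and a context-based rule that ignores content and only counts the sequence of requests in a sliding 24-hour window. The records, subject attributes and the `hiv_clearance` attribute name are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: blood test results keyed by record id.
RECORDS = {
    "r1": {"patient": "p100", "test": "CBC", "result": "normal"},
    "r2": {"patient": "p101", "test": "HIV", "result": "negative"},
    "r3": {"patient": "p102", "test": "Lipid panel", "result": "elevated"},
}


def content_dependent_allowed(subject: dict, record: dict) -> bool:
    """Content-dependent rule: the decision depends on what is *inside* the object.

    Hypothetical policy: only subjects holding the 'hiv_clearance' attribute may
    view a record whose content concerns an HIV test; other records are open."""
    if record["test"].upper() == "HIV":
        return "hiv_clearance" in subject.get("attributes", set())
    return True


class ContextBasedMonitor:
    """Context-based rule: the decision ignores content and looks only at the
    sequence of events. Here: at most `limit` blood-test requests per subject in
    any sliding `window` (the text's example: 100 requests in 24 hours)."""

    def __init__(self, limit: int = 100, window: timedelta = timedelta(hours=24)):
        self.limit = limit
        self.window = window
        self._history = defaultdict(deque)   # subject id -> timestamps of allowed requests

    def allowed(self, subject_id: str, now: datetime) -> bool:
        q = self._history[subject_id]
        # Forget requests that have fallen outside the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def access(subject: dict, record_id: str, monitor: ContextBasedMonitor, now: datetime) -> str:
    """Apply the content rule first, then the context rule; returns an audit reason."""
    record = RECORDS[record_id]
    if not content_dependent_allowed(subject, record):
        return "deny:content"
    if not monitor.allowed(subject["id"], now):
        return "deny:context-rate"
    return "allow"
```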
Answer: D
“An access control subject cannot access an access control object that has a higher integrity level” is not one of the three primary rules in the Biba formal model.
Answer: A
Context based access control also considers the “state” of the connection, and in a static packet filter no consideration is given to the connection state. Each and every packet is compared to the rule base regardless of whether it had previously been allowed or denied.
Answer: C
Some common problems with RFID are reader collision and tag collision. Reader collision occurs when the signals from two or more readers overlap. The tag is unable to respond to simultaneous queries. Systems must be carefully set up to avoid this problem; many systems use an anti-collision protocol (also called a singulation protocol). Anti-collision protocols enable the tags to take turns in transmitting to a reader.
Answer: A and C
While biometrics devices are used in some access control systems to confirm an individual’s identity, they are not considered to be one of the principal components of an access control system.
While auditing is used in many access control systems, it is not a mandatory feature or function of all systems, and is not always enabled.
Both objects and subjects are the building blocks of all access control systems.
Answer: A
Voice pattern, signature dynamics, and keystroke dynamics all are behavioral traits in biometric devices.
Answer: D
A false reject rate (FRR) is a type 1 error, a false acceptance rate (FAR) is a type 2 error, and the cross-over error rate is the point at which FRR equals FAR.
Answer: B
Security tokens are used to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to or in place of a password to prove that the customer is who they claim to be. The token acts like an electronic key to access something. All tokens contain some secret information that are used to prove identity. There are four different ways in which this information can be used:
Answer: A
An authorization table is a matrix of access control objects, access control subjects, and their respective rights. The authorization table is used in some DAC systems to provide for a simple and intuitive user interface for the definition of access control rules.
Answer: C
Table A-1: Network Ports Used During Kerberos Authentication

| Service Name | UDP | TCP |
|---|---|---|
| DNS | 53 | 53 |
| Kerberos | 88 | 88 |
Answer: D
In essence, identity management is the process for managing the entire life cycle of digital identities, including the profiles of people, systems, and services, as well as the use of emerging technologies to control access to company resources. A digital identity is the representation of a set of claims made by a digital subject including, but not limited to, computers, resources, or persons about itself or another digital subject. The goal of identity management, therefore, is to improve companywide productivity and security, while lowering the costs associated with managing users and their identities, attributes, and credentials.
There are 5 areas that make up the identity management lifecycle:
Answer: A
The aim of security awareness is to make the organization more resistant to security vulnerabilities and therefore maintain the organization’s security posture.
Answer: D
Configuration management begins with identification of the baseline configuration as one or more configuration items within the configuration management database (CMDB). Once the baseline is established, all changes are controlled throughout the lifecycle of the component. Each change is accounted for by capturing, tracking, and reporting on change requests, configurations, and change history. Finally, auditing ensures integrity by verifying that the actual configuration matches the information captured and tracked in the CMDB and that all changes have been appropriately recorded and tracked.
Answer: B
Certification reviews the system against the requirements specified in the system security plan to ensure that all required control specifications are met. Answer D is incorrect because while the process may include vulnerability testing, this is only one component of the process and residual risks do not preclude certification against requirements. Answer C is incorrect because the controls specified in the security plan are requirements, not standards. The answer is not A, because the certification process results in a recommendation only; accreditation is the process of obtaining signoff to operate the system.
Answer: C
Degaussing eliminates remanence by applying and then removing a strong magnetic field, removing magnetic signals from media. Reformatting does not actually erase data, so D is incorrect. While degaussing may render some media unusable, this is not the aim, so A is also incorrect. Answer B is incorrect because data are not overwritten by degaussing; it is removed.
Answer: C
An injection flaw occurs when user-supplied data can be sent directly to a command processor or query interpreter; attackers can exploit this flaw by supplying a query string as input to a web application to extract data from a database. Answer A is incorrect; cross-site scripting vulnerabilities allow an attacker to execute scripts, typically in a user’s browser. Malicious file execution (B) is a vulnerability in applications that accept file names or object references as input and then execute the files or objects. Answer D is also incorrect, as failures in input validation can have many adverse consequences (not necessarily disclosure of database content).
Answer: D
Least privilege grants users and processes only those privileges they require to perform authorized functions, that is, “need to know.” Mandatory access control (A) limits access based on the clearance of the subject and the sensitivity of the object, and may provide access to objects of lower sensitivity where there is no business purpose for access; therefore, A is incorrect. Answer B is also incorrect; a “default deny” configuration refers to rule-based access control in which only that which is explicitly authorized is allowed; this is implemented in most firewall rule sets and is the premise behind whitelisting. Role-based access control (C) is not correct because while it provides access based on a role a user is associated with, it does not allow for granting individuals access to specific objects based on a need to know and may provide more access than is required to perform a certain function.
Answer: D
A guideline is a recommended security practice, but is not required (as in A or C) or enforced. As a recommended practice, there is no standard of measurement, so B is also incorrect.
Answer: C
A baseline is a special type of security standard that specifies the minimum security controls or requirements for a system. Answer A is incorrect because this more accurately describes a configuration baseline established in a CMDB, but does not indicate whether requirements have been met. Answer B refers to a guideline and is incorrect. Answer D is incorrect; a benchmark, not a baseline, is a value used in metrics against which to measure variations in performance.
Answer: B
Dual control requires two people to physically or logically complete a process, such that one initiates and the other approves, or completes, the process. Dual control operates under the theory that controls that require more than one person operating together to circumvent are more secure than those under the control of a single individual. Answer A is incorrect; under separation of duties, two individuals may perform two separate, although perhaps similar, processes; that is, they perform separate functions. Answer C is incorrect; this refers to an access control model. Answer D is incorrect because dual control is actually a single control mechanism, not a series of layered controls.
Answer: A
The waterfall method is a linear sequence of seven steps used in application development. It is not iterative, does not make use of prototypes, and does not use rapid application development (RAD) or extreme programming techniques; thus B, C, and D are incorrect.
Answer: D
Code signing using hash functions and a digital signature is used in the release process to ensure that the code that is moved to production is the same as that which was approved for production release. Answer A is not correct because the signature is not the same as a license key. Answer B is not correct because signing itself does not prevent tampering, although it can be used to detect tampering. Answer C is not correct; code signing verifies authenticity of the signed code, but does not identify discrete components or packages.
Answer: B
The information owner determines who can access the system and the privileges that will be granted to users. The system owner is responsible for A, maintaining the system security plan. The approver or authorizing official is responsible for D, authorizing the system for operation, at the end of the certification and accreditation process. Assessing the effectiveness of security controls (C) is the responsibility of the system security officer.
Answer: A, B and D
There are four mandatory tenets of the Code of Ethics:
“Promote and preserve public trust and confidence in information and systems” is part of the Code of Ethics canons, but it is not one of the four mandatory tenets.
Answer: C
Confidentiality supports the principle of least privilege by providing that only authorized individuals, processes, or systems should have access to information on a need-to-know basis. The level of access that an authorized individual should have is at the level necessary for them to do their job. In recent years, much press has been dedicated to the privacy of information and the need to protect it from individuals, who may be able to commit crimes by viewing the information. Identity theft is the act of assuming one’s identity through knowledge of confidential information obtained from various sources.
Answer: D
Non-repudiation can be accomplished with digital signatures and PKI. The message is signed using the sender’s private key. When the recipient receives the message, they may use the sender's public key to validate the signature. While this proves the integrity of the message, it does not explicitly define the ownership of the private key. A certificate authority must have an association between the private key and the sender (meaning only the sender has the private key) for the non-repudiation to be valid.
Answer: B
Information security risk can be thought of as the likelihood of loss due to threats exploiting vulnerabilities, that is:
Answer: C
Compensating controls are introduced when the existing capabilities of a system do not support the requirements of a policy. Compensating controls can be technical, procedural, or managerial. Although an existing system may not support the required controls, there may exist other technology or processes that can supplement the existing environment, closing the gap in controls, meeting policy requirements, and reducing overall risk.
| Control type | Administrative | Technical | Physical |
|---|---|---|---|
| Directive | Policy | Configuration Standards | Authorized Personnel Only Signs; Traffic Lights |
| Deterrent | Policy | Warning Banner | Beware of Dog Sign |
| Preventative | User Registration Procedure | Password-Based Login | Fence |
| Detective | Review Violation Reports | Logs | Sentry; CCTV |
| Corrective | Termination | Unplug, isolate, and terminate connection | Fire Extinguisher |
| Recovery | DR Plan | Backups | Rebuild |
| Compensating | Supervision; Job Rotation; Logging | CCTV; Keystroke Logging | Layered Defense |
Answer: A
Trusted Platform Module (TPM) chips provide additional security features such as platform authentication and remote attestation, a form of integrity protection that makes use of a hashed copy of hardware and software configuration to verify that configurations have not been altered.
Answer: B
The change control policy document covers the following aspects of the change process under management control:
Answer: B
A threat (A) is the potential for a threat source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability. A vulnerability (C) is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy. An asset (D) is anything of value that is owned by an organization.
Answer: D
Vulnerability assessments (A) only attempt to determine if vulnerabilities exist but do not attempt to actively exploit identified vulnerabilities. Intrusion detection (B) is an automated technique for identifying active intrusion attempts. Risk management (C) is the process of assessing and mitigating risk.
Answer: C
A qualitative risk analysis (A) assesses impact in relative terms such as high, medium, and low impact without assigning a dollar value. Risk mitigation (B) describes a process of applying risk mitigation strategies to reduce risk exposure to levels that are acceptable to the organization. A business impact analysis (D) assesses financial and nonfinancial impacts to an organization that would result from a business disruption.
Answer: C
You should always follow the organization’s incident response policy when responding to an incident. Information related to the incident should only be shared on a need-to-know basis. Many types of incidents will not require notification to executive management. The incident response policy and procedure should define when notification to executive management is required. Data restoration should not be performed until forensic analyses and evidence gathering is complete.
Answer: A, B, C, and D
Natural threats, human threats, environmental threats and software bugs are all potential threat sources to information technology systems.
Answer: A
Asset value (B) is the value of a specific asset to the organization. Annualized rate of occurrence (C) represents the expected number of occurrences of a specific threat to an asset in a given year. Exposure factor (D) represents the portion of an asset that would be lost if a risk to the asset was realized.
Answer: B
Risk avoidance (A) is a strategy that is used to reduce risk by avoiding risky behaviors. Risk transference (C) is a strategy to transfer risk from the organization to a third party by methods such as insurance or outsourcing. Risk acceptance (D) is a strategy in which the organization decides to accept the risk associated with the potential occurrence of a specific event.
Answer: C
In the risk determination phase (A), overall risk to an IT system is assessed. During the results documentation phase (B), results of the risk assessment are documented. In the control analysis phase (D), controls are assessed to evaluate their effectiveness.
Answer: B
NIST Special Publication 800-30 R1, “Risk Management Guide for Information Technology Systems” details a four-step risk assessment process. The risk assessment process described by NIST is composed of the following steps (as shown in Figure A-1):
Answer: A
Vulnerability testing usually employs software specific to the activity and tends to have the following qualities:
Answer: D
Penetration testing consists of five different phases:
Answer: B
A security baseline defines a set of basic security objectives which must be met by any given service or system. The objectives are chosen to be pragmatic and complete, and do not impose technical means. Therefore, details on how these security objectives are fulfilled by a particular service/system must be documented in a separate security implementation document. These details depend on the operational environment a service/system is deployed into, and might, thus, creatively use and apply any relevant security measure. Derogations from the baseline are possible and expected, and must be explicitly marked.
Answer: B
Social engineering is an activity that involves the manipulation of persons or physical reconnaissance to get information for use in exploitation or testing activities.
Answer: A
By analyzing various logs sources, it is possible to piece together a timeline of events and user activity. Answer (B) is partially correct, but not the most fitting answer. This is only a small picture of what the attacker could have done. Answer (C) may be true, but again is not the most important reason. This answer is meant to distract. Answer (D) may apply in some cases, but this is not the primary goal of correlating event logs.
Answer: A, B, and D
Counterattacking systems determined to be hostile is never something an organization wants to do, and does not constitute security testing. Answer (A) is part of security testing. Using a network mapping technique such as nmap can reveal security holes. Answer (B) can involve googling an organization to determine information for future attacks. Answer (D) is an example of social engineering and should be a part of an organization's security testing process.
Answer: B
Some versions of an OS or software may be vulnerable, and this information is useful to an attacker. Answer (A) may or may not be true depending on the system, and is not a reason to determine the OS or other system details. Answer (C) is true, but it does not answer why system fingerprinting is part of the security testing process. Answer (D) is not true. Just because a machine is running a particular OS, for example, does not mean it has not been updated and patched to prevent certain vulnerabilities.
Answer: B
Administrative controls are “managerial” and are a part of corporate security policy. Technical controls (A) implement specific technologies. A policy would not constitute a specific technological process. Physical controls (D) constitute elements such as closed-circuit television (CCTV), padlocks, or any other physical barrier or device to bar access. Logical control is a fictitious term.
Answer: B
Answers (A and C) are good examples of a type of security audit, but do not answer the question of what a security audit is. Answer (D) is a security control check used to harden a host against vulnerabilities.
Answer: A
The primary purpose of an IDS is to detect known attacks or anomalous activity. Answer (B) would fall more along the line of an intrusion prevention system or a firewall. Answer (C) is not correct because CPU utilization is not the primary concern of an IDS, but rather load balancing or bandwidth limiting. Answer (D) is an unrealistic and storage-consuming goal unrelated to the primary purpose of an IDS.
Answer: C
NIDS can monitor data in real-time and notify appropriate personnel. Answer (A), a DDOS attack, is an example of an overt attack. Answer (B) is not true, as overt attacks can be just as complex and hard to defend against as covert attacks. Answer (D) is certainly not true. A waiter can steal a credit card number just as fast as any overt method.
Answer: C
Critical business functions (A) are functions that are integral to the success of an organization, without which the organization is incapable of operating. Business continuity plans (B) focus on the continuity and recovery of critical business functions during and after disaster. A crisis communications plan (D) details how organizations will communicate internally and externally during a disaster situation.
Answer: A
During the detection and analysis phase (B), security incidents are initially identified and analyzed to determine if an actual incident has occurred. During the containment, eradication, and recovery phase (C), security incidents are contained, corrected, and systems are restored to normal operations. During the preparation phase (D), incident response policies and procedures are documented and training is provided to enable the incident response team to be prepared to respond to an incident.
Answer: B
Simulation testing (A) simulates an actual disaster and is a more in-depth testing approach than structured walkthrough testing. Parallel testing (C) uses testing performed at alternate data processing sites. This test involves significant cost to the organization and should not be performed before structured walkthrough testing. Full interruption testing (D) requires that business operations are actually interrupted at the primary processing facility.
Answer: C
The recovery time objective (A) indicates the period of time within which a business function or information technology system must be restored after a business disruption. A business impact analysis (B) assesses financial and nonfinancial impacts to an organization that would result from a business disruption. Maximum tolerable downtime (D) is the maximum amount of time that a business function can be unavailable before an organization is harmed to the degree that puts the survivability of the organization at risk.
Answer: D
RAID 0 stripes data across multiple disks but no parity information is included. RAID 1 uses mirroring to store identical copies of data on multiple disks. RAID 4 implements striping at the block level and uses a dedicated parity disk. RAID 4 is not used in practice.
Answer: D
In a full backup (A), the entire system is copied to backup media. Incremental backups (B) record changes from the previous day or previous incremental backup. A partial backup (C) is not a widely accepted backup type.
Answer: A
A cold site is the lowest cost type of alternative processing site. The warm site, hot site, and mobile site are all higher-cost solutions that support quicker recovery requirements.
Answer: A and B
Phases of the incident response process include:
Answer: B
RAID (C) refers to a method for writing data across multiple disks to provide redundancy or improve performance. Remote journaling (A) transfers journals and database transaction logs electronically to an offsite location. Clustering (D) uses multiple systems to reduce the risk associated with a single point of failure.
Answer: D
Applied against a block of data, hash functions generate a hash of the original data that verifies the data has not been modified from its original form.
Answer: B
In symmetric key cryptography, each party must exchange a private key in advance of establishing encrypted communications.
Answer: A
The idea of nonrepudiation is to link the actions of an individual to those actions with a great deal of certainty.
Answer: D
ECB uses the same cipher for each block resulting in identical ciphertext blocks when encrypting identical plaintext blocks.
Answer: C
CBC XOR's the previous block of ciphertext with the current block of plaintext to produce the key used to encrypt the block.
Answer: B
Stream ciphers tend to be faster than block ciphers while generally being less robust and operating on single bits of information.
Answer: A
Key escrow services are third-party organizations that can provide a customer organization with archived keys should the recovery of the customer organization’s encrypted data be required.
Answer: C
An IPSec solution that uses ESP will encapsulate the entire original data packet when implemented in a tunnel mode.
Answer: D
A cryptographic salt is a series of random bits added to a password or passphrase to help avoid a possible hash collision.
Answer: B
In key clustering, two different keys end up generating the same ciphertext from the same plaintext while using the same cipher algorithm.
Answer: B
Steganography is the hiding of a message inside of another medium, and does not rely on the use of asymmetric key cryptography.
Answer: A
Diffie-Hellman is an asymmetric algorithm.
Answer: D
A certificate authority “signs” an entity's digital certificate to certify that the certificate content accurately represents the certificate owner. Answer (A) is not a certificate authority function, because public keys are not meant to be kept secret. Answer (B) is a function of key management. Answer (C) is a function of a digital certificate.
Answer: C
Research and Development in Advanced Communications Technologies in Europe (RACE) Integrity Primitives Evaluation Message Digest (RIPEMD) is a hash function that produces 160-bit message digests using a 512-bit block size.
Answer: D
ANSI X9.17 was developed to address the need of financial institutions to transmit securities and funds securely using an electronic medium. Specifically, it describes the means to ensure the secrecy of keys. The ANSI X9.17 approach is based on a hierarchy of keys. At the bottom of the hierarchy are data keys (DKs). Data keys are used to encrypt and decrypt messages. They are given short lifespans, such as one message or one connection. At the top of the hierarchy are master key-encrypting keys (KKMs).
KKMs, which must be distributed manually, are afforded longer lifespans than data keys. Using the two-tier model, the KKMs are used to encrypt the data keys. The data keys are then distributed electronically to encrypt and decrypt messages. The two-tier model may be enhanced by adding another layer to the hierarchy. In the three-tier model, the KKMs are not used to encrypt data keys directly, but to encrypt other key-encrypting keys (KKs). The KKs, which are exchanged electronically, are used to encrypt the data keys.
Answer: C
The key or cryptovariable is the input that controls the operation of the cryptographic algorithm. It determines the behavior of the algorithm and permits the reliable encryption and decryption of the message.
Answer: A
AES is a block cipher. It has a variable key length of 128, 192, or 256 bits; the default is 256 bits. It encrypts data blocks of 128 bits in 10, 12, or 14 rounds depending on the key size.
Answer: C
A MAC based on DES is one of the most common methods of creating a MAC; however, it is slow in operation compared to a hash function. A hash function such as MD5 does not have a secret key, so it cannot be used for a MAC. Therefore, RFC 2104 was issued to provide a hashed MACing system that has become the process used now in IPSec and many other secure Internet protocols, such as SSL/TLS. Hashed MACing implements a freely available hash algorithm as a component (black box) within the HMAC implementation. This allows ease of the replacement of the hashing module if a new hash function becomes necessary. The use of proven cryptographic hash algorithms also provides assurance of the security of HMAC implementations. HMACs work by adding a secret key value to the hash input function along with the source message. The HMAC operation provides cryptographic strength similar to a hashing algorithm, except that it now has the additional protection of a secret key, and still operates nearly as rapidly as a standard hash operation.
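The RFC 2104 construction written out, as an added example that is not from the book: the hash is used as a black box selected by name, so swapping the hash function is a one-argument change, and the result is cross-checked against the standard library. The hash names and sample keys are constructed for the example.

```python
import hashlib
import hmac


def hmac_rfc2104(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC exactly as RFC 2104 describes it, with the hash as a pluggable black box."""
    h = hashlib.new(hash_name)
    B = h.block_size                        # 64 bytes for MD5/SHA-1/SHA-256, 128 for SHA-512
    if len(key) > B:                        # keys longer than B are hashed down first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(B, b"\x00")             # then zero-padded out to B bytes
    k_ipad = bytes(b ^ 0x36 for b in key)   # inner pad
    k_opad = bytes(b ^ 0x5C for b in key)   # outer pad
    inner = hashlib.new(hash_name, k_ipad + message).digest()
    return hashlib.new(hash_name, k_opad + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    # Constant-time comparison so a forger cannot time how many bytes matched.
    return hmac.compare_digest(hmac_rfc2104(key, message, hash_name), tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    # Cross-check the hand-written construction against Python's hmac module.
    return hmac_rfc2104(key, message, hash_name) == hmac.new(key, message, hash_name).digest()
```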
Answer: B, C, and D
Implementation attacks are some of the most common and popular attacks against cryptographic systems due to their ease and reliance on system elements outside of the algorithm. The main types of implementation attacks include:
Side-channel attacks are passive attacks that rely on a physical attribute of the implementation such as power consumption/emanation. These attributes are studied to determine the secret key and the algorithm function. Some examples of popular side-channels include timing analysis and electromagnetic differential analysis.
Fault analysis attempts to force the system into an error state to gain erroneous results. By forcing an error, gaining the results and comparing it with known good results, an attacker may learn about the secret key and the algorithm.
Probing attacks attempt to watch the circuitry surrounding the cryptographic module in hopes that the complementary components will disclose information about the key or the algorithm. Additionally, new hardware may be added to the cryptographic module to observe and inject information.
Answer: D
The process of using a KEK to protect session keys is called key wrapping. Key wrapping uses symmetric ciphers to securely encrypt (thus encapsulating) a plaintext key along with any associated integrity information and data. One application for key wrapping is protecting session keys in untrusted storage or when sending over an untrusted transport. Key wrapping or encapsulation using a KEK can be accomplished using either symmetric or asymmetric ciphers. If the cipher is a symmetric KEK, both the sender and the receiver will need a copy of the same key. If using an asymmetric cipher, with public/private key properties, to encapsulate a session key both the sender and the receiver will need the other’s public key.
Protocols such as SSL, PGP, and S/MIME use the services of KEKs to provide session key confidentiality, integrity, and sometimes to authenticate the binding of the session key originator and the session key itself to make sure the session key came from the real sender and not an attacker.
Answer: D
A reverse proxy is a device or service placed between a client and a server in a network infrastructure. Incoming requests are handled by the proxy, which interacts on behalf of the client with the desired server or service residing on the server. The most common use of a reverse proxy is to provide load balancing for web applications and APIs. Reverse proxies can also be deployed to offload services from applications as a way to improve performance through SSL acceleration, intelligent compression, and caching. They can also enable federated security services for multiple applications.
A reverse proxy may act either as a simple forwarding service or actively participate in the exchange between client and server. When the proxy treats the client and server as separate entities by implementing dual network stacks, it is called a full proxy. A full reverse proxy is capable of intercepting, inspecting, and interacting with requests and responses. Interacting with requests and responses enables more advanced traffic management services such as application layer security, web acceleration, page routing, and secure remote access.
Answer: B
Port address translation (PAT) extends network address translation (NAT): all internal addresses are translated to one routable IP address and the source port number in each packet is rewritten to a unique value. The port translation is what allows the firewall to keep track of the multiple sessions that share that one address.
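The session tracking that makes PAT work is a small table keyed by the rewritten port. The following is an added example, not code from the page, of that table: two private hosts using the same source port get distinct public ports, replies are mapped back by port, and unsolicited inbound packets (no matching session, or a different remote endpoint) are dropped. All addresses are constructed documentation ranges.

```python
from typing import NamedTuple


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortAddressTranslator:
    """Minimal PAT table. Every outbound session from the private side is rewritten to the
    one public address with a unique public source port; that port maps replies back."""

    def __init__(self, public_ip, ports=range(1024, 65536)):
        self.public_ip = public_ip
        self._free = iter(ports)
        self.sessions = {}   # private Flow -> public port
        self.by_port = {}    # public port -> private Flow

    def outbound(self, flow):
        """Translate a packet leaving the private network; allocate a port on first sight."""
        if flow not in self.sessions:
            try:
                port = next(self._free)
            except StopIteration:
                raise RuntimeError("PAT port pool exhausted") from None
            self.sessions[flow] = port
            self.by_port[port] = flow
        return Flow(self.public_ip, self.sessions[flow], flow.dst_ip, flow.dst_port)

    def inbound(self, flow):
        """Reply packet arriving at the public address. Only packets matching an existing
        session (right public port AND right remote endpoint) are translated; anything
        else is dropped, which is why PAT alone blocks unsolicited inbound connections."""
        orig = self.by_port.get(flow.dst_port)
        if orig is None or (flow.src_ip, flow.src_port) != (orig.dst_ip, orig.dst_port):
            return None
        return Flow(flow.src_ip, flow.src_port, orig.src_ip, orig.src_port)
```

A production implementation also ages out idle sessions so the port pool is reclaimed; here the pool is simply exhausted when it runs out, which the test below triggers deliberately.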
Answer: A
The subnet mask splits an IP address into two parts, the network ID and the host ID. The network ID represents the network that the device is connected to. If, for example, the subnet mask was supposed to be 255.224.0.0 (/11) but was entered as 255.240.0.0 (/12), the device would consider only the addresses inside the smaller /12 block to be local; any host, and possibly the default gateway itself, that lies inside the intended /11 but outside that /12 would be treated as remote and become unreachable. When the wrong subnet mask is entered, the device cannot communicate correctly with devices outside what it believes its subnet to be until the right mask is entered, at which point it can interact with all the devices on the network the mask actually represents.
Answer: D
The security perimeter is the first line of defense between trusted and untrusted networks. In general it will include a firewall and a router to help filter traffic. Security perimeters may also include proxies and devices such as intrusion detection systems to warn of suspicious traffic flows.
Answer: B, C, and D
SIEM is a solution that involves harvesting logs and event information from a variety of different sources on individual servers or assets, and analyzing it as a consolidated view with sophisticated reporting. Similarly, entire IT infrastructures can have their logs and event information centralized and managed by large-scale SIEM deployments. SIEM will not only aggregate logs but will perform analysis and issue alerts (e-mail, pager, audible, etc.) according to suspicious patterns.
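The value of the consolidated view is that a rule can count events across hosts that individually look harmless. The following is an added example, not the page's or any vendor's code: constructed sshd lines from two hosts are normalized into one schema, and a correlation rule alerts when a single source address fails repeatedly across those hosts and then logs in.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines from two hosts; timestamps and addresses are made up.
SAMPLE_LOGS = [
    "2024-03-01T09:00:01 web01 sshd[811]: Failed password for root from 203.0.113.9 port 51122 ssh2",
    "2024-03-01T09:00:04 web01 sshd[812]: Failed password for root from 203.0.113.9 port 51130 ssh2",
    "2024-03-01T09:00:09 db01 sshd[402]: Failed password for admin from 203.0.113.9 port 51140 ssh2",
    "2024-03-01T09:00:15 db01 sshd[403]: Accepted password for admin from 203.0.113.9 port 51151 ssh2",
    "2024-03-01T09:05:00 web01 sshd[820]: Failed password for bob from 198.51.100.7 port 40001 ssh2",
    "2024-03-01T09:30:00 web01 sshd[833]: Accepted publickey for bob from 198.51.100.7 port 40002 ssh2",
    "2024-03-01T09:31:00 web01 kernel: eth0: link up",   # unrelated line, ignored by the parser
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def normalize(line):
    """Turn one raw line into a common event schema; None for lines the rule does not need."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "user": m["user"],
            "ip": m["ip"], "success": m["outcome"] == "Accepted"}


def correlate_bruteforce_success(lines, threshold=3, window=timedelta(minutes=10)):
    """Alert when one source IP fails at least `threshold` times within `window` and then
    succeeds, counting failures across every host that ships logs (the cross-source view a
    single host's log cannot give). Input is assumed ordered by time."""
    recent = defaultdict(list)  # ip -> [(ts, host), ...] failures still inside the window
    alerts = []
    for ev in filter(None, map(normalize, lines)):
        bucket = recent[ev["ip"]]
        bucket[:] = [(t, h) for t, h in bucket if ev["ts"] - t <= window]
        if not ev["success"]:
            bucket.append((ev["ts"], ev["host"]))
            continue
        if len(bucket) >= threshold:
            alerts.append({"ip": ev["ip"], "user": ev["user"], "host": ev["host"],
                           "failures": len(bucket),
                           "hosts_targeted": sorted({h for _, h in bucket}),
                           "ts": ev["ts"].isoformat()})
        bucket.clear()
    return alerts
```

Note that neither web01 (two failures) nor db01 (one failure) would have crossed the threshold on its own; the rule fires only because the failures are aggregated by source address across both hosts.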
Answer: B
A bot is a type of malware that an attacker can use to control an infected computer or mobile device. A group or network of machines that have been co-opted this way and are under the control of the same attacker is known as a botnet.
Answer: A
WPA2 is a security technology commonly used on Wi-Fi wireless networks. WPA2 (Wi-Fi Protected Access 2) replaced the original WPA technology on all certified Wi-Fi hardware since 2006 and is based on the IEEE 802.11i standard for data encryption. WPA itself replaced WEP, which is not considered secure for wireless systems due to numerous flaws in its design and implementation. Disabling SSID broadcast adds a small further hurdle, as it requires a user who wants to connect to the WAP to know the exact SSID rather than selecting it from a list; it is not a cryptographic control, since the SSID is still sent in the clear in probe and association frames and can be recovered with a wireless sniffer.
Answer: C
Since fiber optic cabling relies on light as the transmission mechanism, electromagnetic interference will not affect it.
Answer: C
If the default subnet mask is used, then the network ID portion of the IP address 191.154.25.66 is 191.154. The first octet, 191, indicates that this is a class B address. In a class B address, the first two octets of the address represent the network portion. The default subnet mask for a Class B network address is 255.255.0.0.
Answer: B and D
192.168.10.19/28 belongs to the 192.168.10.16 network with a mask of 255.255.255.240. This offers 14 usable addresses, 192.168.10.17 through 192.168.10.30; 192.168.10.16 is the network address and 192.168.10.31 the broadcast address.
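The three subnetting answers above (the mismatched mask, the class B default, and 192.168.10.19/28) can be checked with Python's standard ipaddress module. This is an added example, not from the page; the 10.x addresses used to illustrate the wrong-mask case are constructed.

```python
import ipaddress


def subnet_info(cidr):
    """Network, mask, broadcast and usable host range for an address in CIDR form.
    strict=False accepts a host address such as 192.168.10.19/28 and derives its network."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "usable": len(hosts),
        "first": str(hosts[0]) if hosts else None,
        "last": str(hosts[-1]) if hosts else None,
    }


def classful_default_mask(ip):
    """Default mask implied by the first octet under classful addressing."""
    first = int(ipaddress.ip_address(ip)) >> 24
    if first < 128:
        return "255.0.0.0"        # class A
    if first < 192:
        return "255.255.0.0"      # class B
    if first < 224:
        return "255.255.255.0"    # class C
    return None                   # class D/E: no host mask


def on_link(host_ip, host_mask, peer_ip):
    """Does a host configured with this mask treat peer_ip as directly reachable?
    A host only ARPs for peers it believes are on-link; everything else is sent to
    the default gateway, so a gateway that looks off-link is unreachable."""
    local = ipaddress.ip_network(f"{host_ip}/{host_mask}", strict=False)
    return ipaddress.ip_address(peer_ip) in local


if __name__ == "__main__":
    print(subnet_info("192.168.10.19/28"))
    print(classful_default_mask("191.154.25.66"))
    # Constructed wrong-mask case: host 10.40.0.5 and gateway 10.50.0.1 share the
    # intended 10.32.0.0/11, but with a /12 mask the host sees the gateway as remote.
    print(on_link("10.40.0.5", "255.224.0.0", "10.50.0.1"),
          on_link("10.40.0.5", "255.240.0.0", "10.50.0.1"))
```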
Answer: B
Circuit-switched networks establish a dedicated circuit between endpoints. These circuits consist of dedicated switch connections. Neither endpoint starts communicating until the circuit is completely established. The endpoints have exclusive use of the circuit and its bandwidth. Carriers base the cost of using a circuit-switched network on the duration of the connection, which makes this type of network cost-effective only for a steady communication stream between the endpoints. Examples of circuit-switched networks are the plain old telephone service (POTS) and the Integrated Services Digital Network (ISDN); the Point-to-Point Protocol (PPP) is the link-layer protocol most commonly run across such dial-up circuits rather than a circuit-switched network in itself.
Answer: A
MPLS is often referred to as “IP VPN” because of the ability to couple highly deterministic routing with IP services. In effect, this creates a VPN-type service that makes it logically impossible for data from one network to be mixed or routed over to another network without compromising the MPLS routing device itself. MPLS does not include encryption services; therefore, any MPLS service called “IP VPN” does not in fact contain any cryptographic services. The traffic on these links would be visible to the service providers.
Answer: C and D
Most of the attention paid to DNS security focuses on the DNS query and response transaction. This transaction is normally carried over UDP; however, DNS uses both UDP and TCP transport. DNS TCP transactions are used for zone transfers to secondary servers and for responses, DNSSEC responses in particular, that exceed what fits in a single UDP packet: the server sets the truncated (TC) flag in its reply and the client repeats the query over TCP. The original UDP limit was 512 bytes, but the EDNS0 extension lets a client advertise a larger buffer, commonly 4096 bytes.
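The UDP/TCP split and the EDNS0 buffer size are easiest to see on the wire. The following is an added example, not from the page: it builds a query with and without an OPT record, recognizes a truncated reply by its TC bit, and frames a message for the TCP retry. The server-side reply is constructed for the example rather than captured.

```python
import struct

QTYPE_A, QTYPE_OPT = 1, 41
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qid=0x1234, qtype=QTYPE_A, edns_bufsize=None):
    """Recursive query for name/qtype. With edns_bufsize set, an OPT pseudo-RR is added to
    the additional section; its CLASS field carries the UDP payload size the client accepts."""
    arcount = 1 if edns_bufsize else 0
    msg = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)          # QCLASS IN
    if edns_bufsize:
        # root name, TYPE 41, CLASS = buffer size, TTL = extended RCODE/version/flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_bufsize, 0, 0)
    return msg


def parse_header(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "arcount": ar}


def needs_tcp_retry(response):
    """A set TC bit means the UDP reply was cut short; the client must repeat it over TCP."""
    return parse_header(response)["tc"]


def tcp_frame(msg):
    """DNS over TCP prefixes each message with its two-byte length (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def truncated_reply_for(query):
    """Constructed server behaviour when the answer will not fit the client's UDP limit:
    echo the ID and question, set QR+TC (and RA), send no answer records."""
    hdr = parse_header(query)
    return struct.pack("!HHHHHH", hdr["id"], FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA,
                       1, 0, 0, hdr["arcount"]) + query[12:]
```

A firewall rule that permits only UDP/53 therefore silently breaks large DNSSEC answers and zone transfers; both UDP and TCP 53 must be allowed toward resolvers and authoritative servers.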
Answer: C
Secure FTP with TLS is an extension to the FTP standard that allows clients to request that the FTP session be encrypted. This is done by sending the AUTH TLS command. The server has the option of allowing or denying connections that do not request TLS. This protocol extension is defined in the proposed standard RFC 4217.
Answer: D
The DCB standards define four new technologies:
Answer: C
SIP uses MD5 hash functions in its digest authentication, inherited from HTTP digest authentication, to authenticate requests and provide a measure of integrity protection. Because MD5 is no longer considered collision resistant and the digest does not cover the whole message, transport-level protection such as TLS (SIPS) is the preferred way to protect signaling integrity today.
Answer: A
Layer 2 Tunneling Protocol (L2TP) is a hybrid of Cisco’s Layer 2 Forwarding (L2F) and Microsoft’s Point to Point Tunneling Protocol (PPTP).
Answer: C
The control plane is where forwarding and routing decisions are made. Switches and routers have to figure out where to send frames (Layer 2) and packets (Layer 3). They run as discrete devices, but because they share a network they must exchange information such as host reachability and link status with their neighbors. This is done in the control plane using protocols such as Spanning Tree, OSPF, and BGP, and it is also where QoS policy is configured.
The data plane is where the action takes place. It includes the forwarding tables, routing tables, ARP tables, queues, tagging and re-tagging, and so on. The data plane carries out the decisions of the control plane.
For example, in the control plane, you set up IP networking and routing (routing protocols, route preferences, static routes, and so on) and connect hosts and switches/routers together. Each switch/router figures out what is directly connected to it, then tells its neighbors what it can reach and how. The switches/routers also learn how to reach hosts and networks not attached to them. Once all of the routers/switches have a coherent picture, shared via the control plane, the network is converged.
In the data plane, the routers/switches use what the control plane built to forward incoming and outgoing frames and packets. Some get sent on to another router; some may be queued when a link is congested; some may be dropped if congestion gets bad enough.
Answer: C
The DNSSEC trust chain is a sequence of records that identify either a public key or a signature of a set of resource records. The root of this chain of trust is the root key which is maintained and managed by the operators of the DNS root. DNSSEC is defined by the IETF in RFCs 4033, 4034, and 4035.
There are several important new record types:
Answer: D
MACsec is configured in connectivity associations. MACsec is enabled when a connectivity association is assigned to an interface.
MACsec provides security through the use of secured point-to-point Ethernet links. The point-to-point links are secured after matching security keys—a user-configured pre-shared key when you enable MACsec using static connectivity association key (CAK) security mode or a user-configured static secure association key when you enable MACsec using static secure association key (SAK) security mode—are exchanged and verified between the interfaces at each end of the point-to-point Ethernet link. Other user-configurable parameters, such as MAC address or port, must also match on the interfaces on each side of the link to enable MACsec.
Answer: B
VBS is short for Visual Basic Script and is a prefix commonly associated with VBS threats. The general structure of a CARO name as presented in this chapter is Platform.Type.Family_Name.Variant[:Modifier]@Suffix.
W64.Root.AC is what variant of this malcode?
Answer: B
The variant is commonly the last element added to a malcode name, AC in this example.
W64.Slober.Z@mm spreads through what primary vector, according to Symantec naming conventions?
Answer: A
Symantec uses the @SUFFIX mailing convention to identify how malcode spreads. In this case the suffix is @mm, which stands for mass mailer. Answers (B and C) are specific to the platform, not to how the malcode spreads. Answer (D) is also used by Symantec, but would be specified as @m.
Backdoor.win64.Agent.igh. What should the SSCP do to monitor the threat?
Answer: D
The CARO name indicates that this is a backdoor Trojan. Backdoor Trojans provide attackers with remote access to the computer. Monitoring of network communications is critical in identifying egress communications related to the Trojan. Installation or use of various rootkit or antivirus solutions is not helpful in monitoring the threat. Additionally, antivirus has already detected the threat on the system.
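The three names above (W64.Root.AC, W64.Slober.Z@mm, Backdoor.win64.Agent.igh) can be pulled apart mechanically, which is useful when triaging a batch of antivirus alerts. The following parser is an added example, not the page's or any vendor's code; the platform and type vocabularies it uses are small illustrative sets, and only the two @-suffixes named in the answer text are decoded.

```python
import re

# Components of the structure given in the chapter:
#   Platform.Type.Family_Name.Variant[:Modifier]@Suffix
# Vendors do not all order the dotted components the same way (Backdoor.win64.Agent.igh
# leads with the type), so platform and type are recognised by vocabulary, not position.
PLATFORMS = {"w32", "w64", "win32", "win64", "vbs", "js", "linux", "osx", "android"}
TYPES = {"backdoor", "trojan", "worm", "virus", "rootkit", "downloader", "spyware"}
# Symantec @-suffixes named in the answer text: @mm mass mailer, @m mailer.
SUFFIXES = {"mm": "mass mailer", "m": "mailer"}

NAME_RE = re.compile(
    r"^(?P<dotted>[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)+)"   # at least Family.Variant
    r"(?::(?P<modifier>[A-Za-z0-9_-]+))?"                 # optional :Modifier
    r"(?:@(?P<suffix>[A-Za-z]+))?$"                       # optional @Suffix
)


def parse_malcode_name(name):
    """Split a CARO-style name into its fields; the variant is always the last dotted element."""
    m = NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a CARO-style name: {name!r}")
    parts = m["dotted"].split(".")
    platform = next((p for p in parts if p.lower() in PLATFORMS), None)
    mtype = next((p for p in parts if p.lower() in TYPES), None)
    variant = parts[-1]
    family = [p for p in parts[:-1] if p not in (platform, mtype)]
    suffix = m["suffix"]
    return {
        "platform": platform,
        "type": mtype,
        "family": family[-1] if family else None,
        "variant": variant,
        "modifier": m["modifier"],
        "suffix": suffix,
        "spreads_by": SUFFIXES.get(suffix.lower()) if suffix else None,
    }


def monitoring_focus(parsed):
    """Where to look first, following the answer text: a backdoor means watch egress traffic."""
    if (parsed["type"] or "").lower() == "backdoor":
        return "network egress"
    return "host"
```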
Answer: C
Viruses require a host file to infect. Trojans do not replicate but masquerade as something legitimate. Worms create copies of themselves as they spread. Rootkits are used for stealth to increase survivability in the wild.
Answer: C
Keyloggers are not destructive but merely steal keystrokes on a system. Data diddler is defined online by Virus Bulletin as a destructive overwriting Trojan, but it does not have a “time” or conditional component to when the payload is executed like that of a logic bomb. A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.
Answer: B
Cavity viruses inject their code into unused space inside a file (for example, padding between sections), so the file size does not change. Prepending is to put code before the body of a file. Appending is to put code following the body of a file.
Answer: C
Mebroot is a kernel-level rootkit that modifies the master boot record to load before the operating system even runs in memory. Modifications made to the Windows registry keys and startup folder are not unique, as they are used by many programs to load specified settings with the operating system.
Answer: D
Kernel-level rootkits on Windows normally ship as .sys (kernel driver) files or, on older systems, .vxd files. Userland rootkits are typically DLLs. Trojans and worms are general classifications of malcode and are less specific than the answer kernel rootkits.
Answer: A, B and D
This is technically legal software that includes an End User License Agreement (EULA) but may monitor or capture sensitive data.
0.0.0.0 avp.ch is a string found within a Trojan binary, indicating that it likely performs this type of change to a system upon infection:
Answer: B
The structure of the string is that of a HOSTS file, indicating that it likely modifies the HOSTS file on the computer.
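Spotting that pattern can be automated when triaging samples. The following is an added example, not from the page: it scans a binary for embedded HOSTS-style entries in both plain ASCII and the UTF-16LE wide strings common in Windows executables, ignores entries that belong in a normal HOSTS file, and flags ones that sinkhole security-vendor domains. The sample binary and the vendor watchlist are constructed for the example (avp.ch is a Kaspersky domain; the rest of the list is illustrative).

```python
import re

# A HOSTS-file entry that sinkholes a name to 0.0.0.0 or loopback. Boundaries are
# start-of-data, NUL, CR or LF because strings inside a binary are usually NUL-terminated.
HOSTS_ENTRY = re.compile(
    rb"(?:^|[\x00\r\n])[ \t]*"
    rb"(0\.0\.0\.0|127\.0\.0\.1)[ \t]+"
    rb"([A-Za-z0-9][A-Za-z0-9.-]*)"
    rb"(?=[ \t\x00\r\n#]|$)"
)
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e\r\n\t]\x00){8,}")  # UTF-16LE printable runs
# Entries that belong in a normal HOSTS file and are not evidence of tampering.
BENIGN = {b"localhost", b"localhost.localdomain", b"broadcasthost"}
# Illustrative watchlist of security-vendor domains; extend for your environment.
VENDOR_WATCHLIST = ("avp.ch", "kaspersky.com", "symantec.com", "mcafee.com")


def _views(blob):
    """Yield the raw bytes plus every embedded UTF-16LE string re-encoded as ASCII."""
    yield blob
    for run in WIDE_RUN.finditer(blob):
        yield run.group(0).decode("utf-16-le").encode("ascii")


def find_hosts_hijacks(blob):
    """Return sorted (ip, hostname) pairs that look like HOSTS entries embedded in a binary."""
    found = set()
    for view in _views(blob):
        for ip, host in HOSTS_ENTRY.findall(view):
            if host.lower() not in BENIGN:
                found.add((ip.decode(), host.decode()))
    return sorted(found, key=lambda e: e[1])


def targets_security_vendor(entries):
    """Subset of entries whose hostname is on, or under, a watchlisted vendor domain."""
    return [e for e in entries
            if any(e[1] == d or e[1].endswith("." + d) for d in VENDOR_WATCHLIST)]


# Constructed stand-in for a Trojan binary: header junk, a NUL-terminated ASCII entry,
# a benign entry, and one entry stored as a wide (UTF-16LE) string.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" + b"0.0.0.0 avp.ch" + b"\x00"
    + b"127.0.0.1 localhost\r\n"
    + "0.0.0.0 www.avp.ch".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    hits = find_hosts_hijacks(SAMPLE_BLOB)
    print(hits, "vendor sinkholes:", targets_security_vendor(hits))
```

On a live host the same regex applied to the real HOSTS file (on Windows, %SystemRoot%\System32\drivers\etc\hosts) confirms whether the change was actually made.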
explorer.exe in the Windows Task Manager on a host machine?
explorer.exe to not appear in Windows Task Manager.
explorer.exe is likely injected and hidden by a Windows rootkit.
explorer.exe does not need to be visible if svchost.exe is visible.
Answer: B
explorer.exe provides the Windows desktop graphical user interface (GUI) and should always be visible within the Windows Task Manager. If it is not visible, a Windows rootkit is likely concealing the process after having injected into it.
Answer: A, B and D
Answer (C) will not help to identify what the suspicious code may be, to analyze it further, or to learn anything of value about the code, as VMware technical support will not be able to answer any questions regarding the suspicious code itself.
Answer: C
The vector of attack is how the transmission of malcode takes place, such as e-mail, a link sent to an instant messenger user, or a hostile website attempting to exploit vulnerable software on a remote host. This is one of the most important components of a malcode incident for a security practitioner to understand to properly protect against reinfection or additional attacks on the infrastructure of a corporate network.
Answer: D
Kernel-mode rootkits are considered more powerful than other kinds of rootkits because they can not only intercept the native API in kernel mode but also directly manipulate kernel-mode data structures. A common technique for hiding a malware process is to unlink it from the kernel’s list of active processes: because the process-enumeration APIs read that list, the process no longer appears in tools such as Task Manager or Process Explorer, even though the scheduler still runs it through its own references. Editing kernel memory directly in this way, rather than hooking code, is known as direct kernel object manipulation (DKOM).
../../../
Answer: C
A directory traversal exploits missing path validation in a web application and lets an attacker read files outside the directory the application intended to serve. The traversal sequence takes the form ../../../../<filename>, each ../ stepping one directory closer to the filesystem root until the target file can be named.
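The vulnerable pattern and its fix, as an added example that is not part of the page: the unsafe version joins the request path onto the web root and opens it; the safe version canonicalizes the result and refuses anything that does not stay under the web root. The file layout is constructed in a temporary directory so the example runs anywhere.

```python
import os
import tempfile
from urllib.parse import unquote


def vulnerable_read(web_root, requested):
    """Trusts the request path: '..' segments (or an absolute path) escape web_root."""
    path = os.path.join(web_root, unquote(requested))
    with open(path, "rb") as f:
        return f.read()


def safe_resolve(web_root, requested):
    """Canonicalise first, then check containment. realpath collapses '..' and follows
    symlinks, so the comparison is made on the path that will actually be opened."""
    root = os.path.realpath(web_root)
    relative = unquote(requested).lstrip("/\\")          # never let join() discard root
    candidate = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:    # raises on mixed drives on Windows
        raise PermissionError(f"traversal blocked: {requested!r}")
    return candidate


def safe_read(web_root, requested):
    with open(safe_resolve(web_root, requested), "rb") as f:
        return f.read()


def make_fixture():
    """Constructed layout: <tmp>/www/index.html is the only file meant to be served;
    <tmp>/secret.txt sits one level above the web root. Returns the web root."""
    top = tempfile.mkdtemp()
    web_root = os.path.join(top, "www")
    os.makedirs(web_root)
    with open(os.path.join(web_root, "index.html"), "wb") as f:
        f.write(b"<h1>hello</h1>")
    with open(os.path.join(top, "secret.txt"), "wb") as f:
        f.write(b"db_password=constructed")
    return web_root


if __name__ == "__main__":
    root = make_fixture()
    print(vulnerable_read(root, "..%2Fsecret.txt"))      # leaks the secret
    try:
        safe_read(root, "..%2Fsecret.txt")
    except PermissionError as e:
        print(e)
```

Note that the check happens after URL-decoding and after realpath, so encoded forms such as `..%2F` and symlink tricks are handled the same way as a literal `../`; rejecting the literal string `..` alone would miss both.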
Answer: A
A second-generation scanner does not rely on a specific signature. Rather, the scanner uses heuristic rules to search for probable malware instances. One class of such scanners looks for fragments of code that are often associated with malware; for example, a scanner may look for the beginning of the decryption loop used by a polymorphic virus and recover the encryption key from it. Once the key is known, the scanner can decrypt the malware body to identify it, remove the infection, and return the program to service. Another second-generation approach is integrity checking. A checksum can be appended to each program; if malware alters or replaces the program without updating the checksum, an integrity check catches the change. To counter malware sophisticated enough to recompute the checksum when it alters a program, a keyed (encrypted) hash can be used instead, with the key stored separately from the program so that the malware cannot generate a matching value for its modified version. Using a cryptographic hash rather than a simple checksum also prevents the malware from padding the altered program so that it yields the same value as before.
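The two integrity-checking designs above behave very differently under attack, which the following added example (not from the page) makes concrete: an additive checksum appended to the program can be kept valid by an infector that pads its payload, while an HMAC whose key lives outside the program cannot be forged. The program image, payload and key are constructed stand-ins.

```python
import hashlib
import hmac

# Constructed stand-ins: a "program" image, the attacker's payload, and the integrity
# checker's secret key (held outside the program, e.g. in the scanner's protected config).
PROGRAM = b"\x7fELF" + bytes(range(256)) * 4 + b"original program body"
PAYLOAD = b"<malicious code appended by the infector>"
KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)


def simple_checksum(data):
    """Additive 16-bit checksum: every byte contributes independently and linearly."""
    return sum(data) & 0xFFFF


def append_checksum(program):
    return program + simple_checksum(program).to_bytes(2, "big")


def checksum_ok(blob):
    body, stored = blob[:-2], int.from_bytes(blob[-2:], "big")
    return simple_checksum(body) == stored


def infect_keeping_checksum(blob, payload):
    """Attacker's view: append the payload, then append filler bytes whose sum cancels the
    change, so the original stored checksum still verifies. This works because an additive
    checksum is linear; a cryptographic hash offers no such handle."""
    body, stored = blob[:-2], blob[-2:]
    target = int.from_bytes(stored, "big")
    new_body = body + payload
    deficit = (target - simple_checksum(new_body)) & 0xFFFF
    filler = b"\xff" * (deficit // 0xFF) + bytes([deficit % 0xFF])
    return new_body + filler + stored


def keyed_tag(key, program):
    """HMAC-SHA256 over the program: the keyed ("encrypted") hash the text describes.
    Without the key, malware cannot produce a matching tag for a modified program."""
    return hmac.new(key, program, hashlib.sha256).digest()


def keyed_tag_ok(key, program, tag):
    return hmac.compare_digest(keyed_tag(key, program), tag)


if __name__ == "__main__":
    blob = append_checksum(PROGRAM)
    infected = infect_keeping_checksum(blob, PAYLOAD)
    tag = keyed_tag(KEY, PROGRAM)
    print("checksum still passes after infection:", checksum_ok(infected))
    print("HMAC still passes after infection:", keyed_tag_ok(KEY, infected[:-2], tag))
```

The stored tags should be kept where the malware cannot rewrite them (read-only media, a signed database, or a separate host), since a MAC only proves the program matches whatever tag the checker is handed.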
Answer: C
The most common detection and mitigation techniques include:
Answer: B
To check for cross-site scripting vulnerabilities, use a web vulnerability scanner. A web vulnerability scanner crawls an entire website and automatically checks for cross-site scripting vulnerabilities, indicating which URLs and scripts are vulnerable to these attacks. Besides cross-site scripting, a web application scanner will also check for SQL injection and other web vulnerabilities.
Answer: D
The five phases of an APT are detailed below:
Answer: A
A simple explanation of software packers, or compression, is that symbols are used to represent repeated patterns in the software code. A packed file can contain malware and unless your antivirus product knows how to unpack the file the malware will not be detected. That would seem to be the end of the story, except that we have something called run-time packers. Here is how they work. The packed file is an executable program that is only partially packed. A tiny bit of the program is not packed. The beginning of the program is not packed so, when the packed executable is run, it starts unpacking the rest of the file. The un-packer tool is built right in.
Runtime packers are used by malware authors because it makes it much harder to detect the malware. Antivirus vendors use heuristic technologies that create a virtual computer inside the scanning engine and then run the program inside the virtualized environment. This can force a run-time packed program to unpack itself; there is always a catch though. The malware programmer can make the program detect that it is running in a virtual environment and then the program may not unpack itself or may only unpack harmless parts of itself to fool the virus scanning program.
Answer: C
Native goat machines must be able to be restored quickly through imaging solutions like Acronis software or Ghost. They ideally mirror the images used in the corporate environment and are put on a separate network for the security practitioner to use in order to run their laboratory tests. It is a good idea for the security practitioner to create multiple goat images based on patched and not patched, to test for exploitation success, and up-to-date builds from the network.
Answer:
Answer: C
The ultimate goal of P&DP (privacy and data protection) laws is to provide safeguards to individuals (data subjects) in the processing of their personal data, with respect to their privacy and their wishes. This is achieved through principles and rules that must be fulfilled by the operators involved in the processing, who act in the role of either data controller or data processor.
Following are typical meanings for common privacy terms:
Answer: B
Service Models:
Answer: D
IaaS uses the following storage types:
Answer: B
The Cloud Security Alliance Cloud Controls Matrix (CCM) is an essential and up-to-date security controls framework addressed to the cloud community and its stakeholders. A fundamental strength of the CCM is that it maps its controls to the main industry-accepted security standards, regulations, and control frameworks such as ISO 27001/27002, ISACA’s COBIT, and PCI DSS. The CCM can be seen as an inventory of cloud service security controls.
Answer: A
“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
NIST, The NIST Definition of Cloud Computing (SP 800-145)
Answer: D
According to the NIST Definition of Cloud Computing, in IaaS, “the capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).”
Answer: C
According to the NIST Definition of Cloud Computing, in PaaS, “the capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.”
Answer: D
According to the NIST Definition of Cloud Computing, the cloud deployment models are:
Answer: D
Within a host cluster, resources are allocated and managed as if they are pooled or jointly available to all members of the cluster. The use of resource sharing concepts such as reservations, limits, and shares may be used to further refine and orchestrate the allocation of resources according to requirements imposed by the cluster administrator.