Security Plus

Upload: arrambide1

Post on 22-Nov-2014

Page 1: Security Plus

Domain 1---

What type of malicious code is self replicating?

A: Worm

Instant messaging users are NOT vulnerable to which type of attack?

A: Leaking server information

Which of the following is an 8.3 file naming convention?

A: testfile.exe

Which type of virus wraps itself in code to hide its characteristics from detection?

A: Armored

An attack that sends more data than an application can handle exploits which vulnerability?

A: Buffer Overflow

Besides the host operating system, which of the following application specific servers would you harden or lockdown?

A: DNS, Web and Database server (all of the above)

In a virtual machine environment, the platform OS is known as the ________ while the virtual system is known as the ___________.

A: Host, Guest

Executable code that tracks your online activity and reports it back to marketers without actually attacking your computer is categorized as what?

A: Adware

Which of the following is a self-contained program and executed in the client environment to control or manipulate browser settings?

A: JavaScript

Removing all non-essential services and applications from a server is called:

A: Minimization

How are virtual machine instances stored?

A: As files

Antivirus/Antimalware programs screen for unauthorized code on what?

A: Fixed or removable media, Network data streams, Email and attachments (all of the above).

If your computer is being controlled by an outside entity as part of a coordinated attack against some third party, your computer is suffering from which compromise?

A: Botnet

What are the characteristics of a virus?

A: Find, Install, Propagate

The use of instant messaging is particularly vulnerable to what?

A: Malicious code through file transfers.

Best practices for OS hardening are (choose two):

A: Update system with patches and service packs regularly, and disable guest accounts/access.

What does an email hoax try to do?

A: Create panic among users

What is the easiest way to defeat BIOS password system protection?

A: Remove the system battery.

What type of system compromises are designed to install malicious code that will be undetectable by antivirus programs?

A: Rootkit

Which of the following are effective methods of preventing intrusions on host systems?

A: Auditing, Strong authentication and Physical security

Domain 2---

Frames that go only to their destination hosts are referred to as what?

A: Unicast

Which of the following is NOT true of host based intrusion detection systems?

A: Fairly resource intensive on host

VLAN trunks create a security risk because:

A: Trunks connected to hosts can be used in VLAN hopping attacks

Domain Kiting is:

A: Using a domain name without paying for it

Which of the following devices transforms digital information from a computer to an analog signal and back?

A: Modem

As a network administrator, you’ve been asked to isolate your public services from your protected network. Which of the following would best accomplish this?

A: DMZ

Host based intrusion detection systems monitor:

A: Single systems

The most secure 802.11 encryption algorithm is _________, while backward compatibility with older devices may require using __________ encryption.

A: WPA2, WEP

The File Transfer Protocol (FTP) that prevents users from viewing the directory structure is known as:

A: Blind FTP

File Transfer Protocol (FTP) uses which two TCP ports?

A: 20 and 21

If an organization is using honeypots, honeynets or similar techniques, which type of incident handling is being used?

A: Deflection

What provides security services between a mobile device and a WAP (Wireless Application Protocol) gateway?

A: WTLS (Wireless Transport Layer Security)

An Intrusion Detection System (IDS) alert that has been generated by valid traffic is commonly called a

A: False Positive

Which would be the best place for payroll, accounting and human resource services?

A: Intranet

Which of the following best describes SNMP?

A: Used to manage and collect information from network devices.

When wireless traffic is sent unencrypted or using weak wireless encryption, users can secure their data by also using:

A: SSL, IPSEC and VPN connections (all the above)

Which of the following is an attack using fragmented UDP packets that cannot be reassembled?

A: Teardrop

Lightweight Directory Access Protocol (LDAP) is not vulnerable to which attack?

A: JavaScript

Which of the following protocols are inherently insecure and should be avoided if possible?

A: Telnet, SNMP, NNTP, RSH and PAP

Telnet and other non-encrypted TCP/IP applications are vulnerable to which attack?

A: Man in the Middle

Domain 3---

Which of the following is true of identification without authentication?

A: It is unreliable since there are no safeguards against ID spoofing.

Which services does the Kerberos server (Key Distribution Center) run?

A: Authentication and ticket granting

Which access control list allows the user to define the ACLs?

A: DAC (Discretionary Access Control)

What is NOT a factor of authentication?

A: Something you trust

In a Linux file system, an unauthenticated user would have what rights to a file with security set to 774?

A: Read

Which access control method is used to assign privileges based on a user’s responsibilities in an organization?

A: RBAC (Role Based Access Control)

Forcing responsibilities to be shared across multiple people and not allowing one employee to act alone in a business function is the concept of what?

A: Separation of Duties

Which of the following periodically verifies identity using a three way handshake during a session?

A: CHAP

Which of the following is an example of multi-factor authentication?

A: Smart Card and PIN

Kerberos is a frequently implemented authentication system for all of the following reasons EXCEPT:

A: It periodically verifies identity using a three way handshake.

A VPN using IPSec in transport mode will encrypt:

A: The payload but not the message header.

Assigning users only the access that is required to perform their job function is known as what?

A: Least privilege

When an OS supports multiple file and print protocols, which of the following is true?

A: The system is vulnerable to attacks on all protocols in operation.

Which of the following is true of CHAP?

A: It uses a one-way hashing function

You have been asked to implement a new authentication method for users to access company resources. Which of the following would be the most expensive to implement?

A: Biometrics

What is the one additional permission granted by “Full Control” not granted with other permission settings?

A: The ability to grant permissions to other accounts.

File and print resource access can be permitted or denied by ______________, while granular authorization can only be managed by ____________.

A: Firewall settings; access control entries

In a Rule Based Access Control (RBAC) environment, what are access decisions based on?

A: Access Control Lists

Which of the following are forms of privilege management?

A: User, Group and Role Management along with Auditing

Which network layer protocol is an essential part of VPNs?

A: L2TP

Domain 4---

No generally available version of which monitoring system currently exists?

A: Behavior based monitoring

Windows Task Manager provides which performance measures?

A: CPU and memory utilization for running processes, and the ability to halt processes if necessary

Why is it considered a best practice to audit failed intrusions along with successful ones?

A: Failures will yield information on unauthorized access attempts

Which of the following is the proper role for security auditing?

A: Audits justify security budgets

Running processes on a Linux system can be reported using which command?

A: ps

Risk management schemes include all of the following EXCEPT:

A: Divert

Which of the following should be considered when determining risks of vulnerability or weakness?

A: Software, Architecture, Personnel (All of the above).

Firewall logs should be audited for which of the following?

A: Packet denials due to firewall rules, Unauthorized attempts to modify or disable the firewall, and events in violation of security policies (All of the above).

Which of the following are passive vulnerability assessment tools that operate by inspecting existing network traffic?

A: SNORT & WIRESHARK

Which of the following vulnerability assessment tools performs intrusion detection scanning based on pattern signatures?

A: SNORT

What is defined as having an integral relationship with the mission of the organization and its success?

A: Critical Assets

Which of the following is a vulnerability assessment tool that looks for known unpatched vulnerabilities on host systems?

A: NESSUS

Which packet capture tool displays contents of data frames?

A: WIRESHARK

If an organization has missing or destroyed audit logs, what does it limit their ability to do?

A: Discover possible vulnerabilities

Which of the following are weaknesses in determining variations from “normal” system behavior?

A: Compromised systems can have malicious behavior included in the profile for “normal” and the difficulty in determining “normal” in the operation of dynamic systems

Which monitoring methodology uses “markers” of known attack vectors?

A: Signature based monitoring

All of the following are methodologies for analyzing suspicious system behaviors EXCEPT:

A: Error based monitoring

Windows Performance Monitor provides all the following performance measures EXCEPT:

A: The ability to halt processes if necessary

SNORT, ETHEREAL/WIRESHARK, and MS Network Monitor are examples of what?

A: Packet Sniffing Tools

Which of the following is NOT a component of risk identification?

A: Response

Domain 5---

Which of the following is a concept of PKI (Public Key Infrastructure)?

A: Certificates

The method that operates on each character in a text message to transform it into an unintelligible message is called:

A: Stream cipher

Which encryption method uses different keys for encryption and decryption?

A: Asymmetric

Secure web connectivity over SSL uses which port?

A: 443

What size key is used in DES encryption?

A: 56 Bit

What is a characteristic of key escrow?

A: Storing private keys at a third party agency

Which of the following is true of key expiration?

A: Expired keys may be used in conjunction with old messages

Which of the following would you find in a Certificate Revocation List?

A: Certificates that have been terminated before their expiration

PKI certificates can be issued to which of the following?

A: Users, computers, and services

Which of the following symmetric algorithms is a stream cipher?

A: RC4

Besides proof of identity, what must be provided to a trusted Certificate Authority in order to obtain a new certificate?

A: The user’s public key

PKI is particularly useful for preventing what type of attack?

A: Man in the middle

A document that specifies the use and management of PKI is which type of PKI document?

A: Policy

All of the following are true of tunneling EXCEPT:

A: VPNs are common tunnels but do not provide data security or encryption.

Which of the following is NOT involved in correctly identifying the contents of a user’s X.509 certificate?

A: Location of the user’s electronic identity

All of the following are properties of a digital signature EXCEPT:

A: It must use a fairly complex generation process.

Of the following crypto attacks, which is an attack of the algorithm?

A: Mathematical

The major advantage of the asymmetric encryption scheme compared to symmetric is what?

A: No shared secret key

What does S/MIME use to encrypt email?

A: Digital Signatures

Common Gateway Interface (CGI) is being replaced by what technology?

A: ActiveX

Which of the following is an asymmetric algorithm?

A: RSA

What is the most common standard symmetric encryption algorithm used by organizations to protect sensitive material?

A: AES

S/FTP encrypts FTP sessions between the client and server using what?

A: SSH

The computer system that validates and digitally signs identity credentials or certificates is called what?

A: Certification Authority

Which of the following is NOT true of the hash function?

A: Offers confidentiality

Domain 6---

Which of the following is described as sending email or other messages to direct users to false websites to capture private data as they enter it?

A: Phishing

Which of the following is the process of obtaining information from discarded hardware, media or printouts?

A: Dumpster Diving

Which RAID version creates two identically mirrored disks?

A: RAID 1

What is the documenting process called for transferring all evidence from one person to another that includes the dates, times, reasons for transfer, and parties involved?

A: Chain of custody

Single points of failure in IT staffing can be minimized by:

A: Separating duties so no one person has the ability to damage all systems, Cross-training so no one person is the sole operator of any system, and documenting systems and procedures so loss of one person does not endanger continuity (All of the above)

The alternative business site that is available immediately, with hardware and staff present, and is ready for operations is called:

A: Hot site

Which disaster recovery site has spare, unconfigured equipment, but is not operational until needed?

A: Warm site

What can be used as a measure for evaluations and benchmarking?

A: Standards

What is the best defense against social engineering?

A: Training and education

When choosing a location for data operations, which of the following physical security considerations should be taken?

A: Environment, Utilities, and Emergency response capabilities (All of the above)

Which of the following is a metal box or wire mesh used for shielding from electromagnetic fields?

A: Faraday Cage

Which of the following contains diagrams and documentation of the system architecture?

A: Network diagram

An attacker manipulating a legitimate user in order to obtain information or gain physical access is called:

A: Social Engineering

Which of the following is true of Social Engineering?

A: Least sophisticated type of attack, but very successful.

Which of the following is described as standards and policies specifying how documentation is handled (accessed, stored, destroyed, etc.) and may include predefined labels?

A: Classification

Standards are usually derived from what?

A: Guidelines

Documenting system changes such as updates and revisions is a key component for:

A: Disaster Recovery

Which RAID version increases redundancy by combining mirroring and striping with parity?

A: RAID 10

Single points of failure (SPOFs) threaten which aspect of Information Assurance?

A: Availability

A detailed ________________ should be created to provide procedures for preparing for a catastrophe as well as recovering from it.

A: Disaster recovery plan

Domains 1-6

What do virtual machines provide that can aid security efforts?

A: Quick, complete systems restores, system compatibility across hardware platforms, and flexible test environments (All of the above).

Which of the following should NOT be allowed as an email attachment?

A: .com

Which of the following are examples of social engineering?

A: Dumpster diving and Shoulder surfing

The Advanced Encryption Standard (AES) is based on which cryptographic algorithm:

A: Rijndael

Using your ATM card and your PIN to access your bank account is an example of which type of multi-factor authentication?

A: Something you have, Something you know

Which of the following is described as an access configuration that allows files to be hidden by allowing uploads to an FTP server without the user’s ability to view the contents of the folder?

A: Blind FTP

The four IDS classifications are:

A: Host based, Signature based, Network based and Anomaly based

Which two monitoring methodologies look for variations from “normal” system behavior?

A: Anomaly based and Behavior based monitoring

Which of the following is a characteristic of a virus?

A: Find, Initiate, Propagate (All of the above)

Why is fiber media preferred over copper media for network security?

A: Copper media can be tapped to passively listen to traffic on the wire.

Which of the following are password guessing/discovery attacks?

A: Brute force and Dictionary attacks

Antivirus/Antimalware programs protect by doing all of the following EXCEPT:

A: Blocking denial of service attacks at the network connection.

This type of attack is often not very sophisticated or technical but still very effective:

A: Social Engineering

This type of RAID provides no data redundancy

A: RAID 0

This term relates specifically to the art and science of code breaking:

A: Cryptanalysis

Telnet operates on TCP port:

A: 23

Storing private keys with a third party is referred to as:

A: Key Escrow

Configuring servers with only the required applications and components supports the best practice of:

A: Minimization

The C in the CIA triad stands for:

A: Confidentiality

POP3 uses Port 110

A: TRUE

What is the most common form of authentication?

A: Passwords

A co-worker with malicious intent asks to borrow your computer to “hurry and check an email” but instead of logging on with her own account she asks for your password as it will “just take a second.” What type of attack is this?

A: Social Engineering

The two main protocols included in IPSec are:

A: Authentication Header (AH) and Encapsulating Security Payload (ESP)

_______________ are configured intentionally to lure in attackers

A: Honeypots

Host Intrusion Detection Systems record which of the following?

A: Violations of rules regarding the operation of the host OS, applications and resources.

This transmission media is not susceptible to RFI or EMI:

A: Fiber

Digital Signatures provide:

A: Integrity and Non-repudiation

Which of the following is an item most likely to be addressed in an Acceptable Use Policy?

A: Security measures users are expected to follow.

What protocol utilizes X.509 certificates?

A: SSL

Cellular phone security threats include:

A: Built in cameras, connections to wireless data networks, and phone to computer synchronization (all of the above)

Which information security property is related to the ability to detect modification of data after it has been moved to back up media?

A: Integrity

Which of the following is described as stealing passwords or data by watching authorized users performing access activities?

A: Shoulder Surfing

The Diffie-Hellman key agreement algorithm is vulnerable to which of the following attacks?

A: Man in the Middle

The delay between access approval and actual access can create this type of security concern:

A: Time of check to time of use.

Which of the following is a disadvantage of proxy firewalls when compared to packet filtering firewalls?

A: Proxies prevent two connecting hosts from exchanging packets directly

How do rogue access points violate network security?

A: By creating wireless connections which may not meet security requirements, by creating connections which may be intentionally installed to facilitate intrusions and by potentially creating wireless DOS conditions through RF interference

The most expensive type of backup site:

A: Hot site

Which RAID version increases data access speeds but includes no redundancy?

A: RAID 0

A distributed Denial of Service attack:

A: Floods the target system with packets from multiple hosts

Authentication rules should include which of the following?

A: Prohibiting password reuse, prohibiting account sharing and requiring complex passwords (all of the above)

Which of the following is true once a network is segmented into VLANs?

A: Each VLAN must be assigned to a unique IP subnet to permit any communication between the subnets.

This centralized network authentication service is a widely used standard for both Unix and Windows systems:

A: Kerberos

Which of the following are described as false messages about non-existent threats or events that attempt to elicit responses from users receiving the messages?

A: Hoaxes

The X.509 standard defines certificate formats and fields. Which of the following is not part of a standard certificate?

A: Message authentication code

A stored value smartcard is able to perform key exchanges:

A: FALSE

With an IPSec implementation running in transport mode, which of the following is true?

A: Layer 4 packet header and payload are encrypted, Layer 3 header is unencrypted.

Adding a cryptographic hash of an unencrypted message to that message does not protect the message’s integrity. Why?

A: An attacker that changes the message in transit can also generate a matching hash.

Best practice for password complexity is to make the minimum length at least:

A: 6-8 characters

Which of the following is true of Null sessions?

A: Null sessions are an inherent vulnerability in all Windows systems.

This type of password attack tries every possible password combination until a match is found:

A: Brute Force

What is the most common negative impact of screening out spam email?

A: False Positives

Which of the following attacks was initially intended for software developer’s access for debugging?

A: Backdoor

The network segment that sits between the internet and the internal network is called the:

A: DMZ

This type of backup copies all the data modified since the last full backup and does not reset the archive bit:

A: Differential

This IP address is the local loopback address used for testing

A: 127.0.0.1

Audits should check for which of the following?

A: Unauthorized accounts in superuser groups, accounts with excessive rights, and resources with overly permissive access rights. (all of the above)

A low occurrence of false positives is an advantage of using a behavior based IDS

A: FALSE

Which of the following is a best security practice for data cabling?

A: Document all authorized cable installations so unauthorized cables can be identified, Disconnect or disable all unneeded data jacks and secure data closets (all the above)