Chapter 13 Mock Exam 2 Assessment Part 2
26. The political adviser to the prime minister of the United Kingdom has returned from the two-month summer break that all staff are entitled to. He applied for an immediate transfer to another department, stating that his health is bad and the job was far too intense. When his replacement arrives, they find that during the summer recess, the political adviser shredded all documents relating to a political inquiry that involved his cousin. The police are called in immediately but say that they cannot prosecute the political adviser because of a lack of evidence. What precautions could the Houses of Parliament security team take to prevent further events such as this in the future?
A. Create a change-management document to ensure that the receptionists are more vigilant about people coming in out of hours
B. Enforce time-of-day restrictions so that nobody can access the IT systems during summer breaks
C. Enforce separation of duties to ensure that any document that is destroyed has been witnessed by a second person
D. Enforce mandatory vacations to prevent staff coming in during the recess
Answer: B
Concept: Time-of-day restrictions would have blocked access to the systems during the recess, when nobody should have been working, so the adviser could not have come in unnoticed and destroyed the documents.
Wrong answers:
A. If the staff of the House of Commons are on holiday, then there will be no receptionists present
C. Separation of duties cannot be enforced during a shutdown period
D. Mandatory vacations cannot be enforced when nobody is working
27. You work in the forensics team of a very large multinational corporation where an attack has happened across three different sites in two different countries. You have been collecting the following log files from these locations:
What is the first action that you need to take when collating these logs?
A. Apply time normalization to these logs
B. Copy them onto a WORM (write once, read many) drive so that they cannot be tampered with
C. Sort out the sequence of events by site
D. Raise chain of custody documentation for these logs
Answer: A
Concept: When collating forensic evidence, the events must be placed in a single time sequence. Logs from sites in different countries carry different local times and formats, so time normalization converts them all to one reference time (normally UTC) before they are merged. When we collect evidence from individual computers, we also record the time offset of each machine (its clock setting and regional time zone) so that its data and events can be placed correctly in that sequence.
Wrong answers:
B. Copying onto a WORM drive prevents deletion, but it does not put the events into an order that can be analyzed.
C. Sorting by site could be a first step, but it will not collate the information across sites correctly until the times have been normalized.
D. A chain of custody records who has handled the evidence and must be maintained from the moment it is collected, but it does not collate the logs into a single sequence of events.
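The following is an added example and is not part of the original exam text. It shows the time normalization the question refers to: three log lines from three sites, each in the site's own local time and timestamp format, converted to UTC and sorted into one sequence of events. The site names, log formats, UTC offsets and the log lines themselves are constructed for this example and are not data from the page.

```python
"""Added example (not part of the original exam text): time normalisation of logs
collected from sites in different time zones, so that events can be placed in a
single UTC sequence before any further analysis.

The site names, log formats and UTC offsets below are assumptions made for this
example, and the three log lines are constructed, not real data.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: one log line per site, written in that site's local time
# and in that site's own timestamp format. The third field is the machine's
# recorded UTC offset in hours (the "record time offset" for that system).
SITE_LOGS = {
    "london":   ("2023-03-01 09:05:00 web01 sshd: Accepted password for admin",
                 "%Y-%m-%d %H:%M:%S", 0),
    "new_york": ("03/01/2023 04:02:10 fw02 DROP src=203.0.113.5 dst=10.0.0.7",
                 "%m/%d/%Y %H:%M:%S", -5),
    "berlin":   ("01.03.2023 10:03:30 db01 mysqld: Access denied for user 'root'",
                 "%d.%m.%Y %H:%M:%S", 1),
}


def parse_line(line, fmt, offset_hours):
    """Parse a log line's leading date and time using the site's format and offset.

    Returns (timestamp_in_utc, remaining_message). The naive local timestamp is
    made timezone-aware with the site's offset and then converted to UTC.
    """
    date_part, time_part, message = line.split(" ", 2)
    local = datetime.strptime(f"{date_part} {time_part}", fmt)
    local = local.replace(tzinfo=timezone(timedelta(hours=offset_hours)))
    return local.astimezone(timezone.utc), message


def normalise(site_logs):
    """Convert every site's log to UTC and return (utc_time, site, message) sorted by time."""
    events = []
    for site, (line, fmt, offset_hours) in site_logs.items():
        utc_time, message = parse_line(line, fmt, offset_hours)
        events.append((utc_time, site, message))
    # Sorting on the UTC timestamp gives the true cross-site order of events
    events.sort(key=lambda event: event[0])
    return events


def timeline(site_logs):
    """Render the normalised events one per line, UTC first, for the report."""
    return [f"{utc.strftime('%Y-%m-%dT%H:%M:%SZ')} [{site}] {message}"
            for utc, site, message in normalise(site_logs)]


if __name__ == "__main__":
    for line in timeline(SITE_LOGS):
        print(line)
```

Read in local time the London SSH login looks like the earliest event; once normalized, the New York firewall drop (09:02:10Z) and the Berlin database failure (09:03:30Z) both precede it, which is the ordering an investigator needs before building a narrative.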
28. You are an Active Directory administrator and have been having problems with time synchronization regarding the Kerberos authentication protocols. Consequently, you have now contacted a third party to provide your time synchronization. They use Stratum Network Time Protocol (NTP) servers. What is the MOST secure method of setting up a Stratum server for time synchronization?
A. Having the servers connect to an internal Stratum 1 NTP server
B. Having the servers connect to an internal Stratum 2 NTP server
C. Having the servers connect to an internal Stratum 0 NTP server
D. Having the servers connect to an external Stratum 0 NTP server
Answer: A
Concept: The time source should be internal. A stratum 0 device is a reference clock (an atomic clock or a GPS receiver) that is attached directly to a stratum 1 server; it is not an NTP server that clients connect to over the network. Clients therefore synchronize to an internal stratum 1 NTP server, which in turn takes its time from the stratum 0 reference. Kerberos rejects tickets when the clock skew between client and server exceeds the permitted tolerance (five minutes by default in Active Directory), which is why reliable synchronization matters.
Wrong answers:
B. A stratum 2 server takes its time from a stratum 1 server, so it is one step further from the reference clock and less accurate
C. A stratum 0 device is a reference clock attached to a stratum 1 server, not a network NTP server that clients can connect to
D. Time should come from the internal network, not from an external source that the company does not control
29. You are the network administrator for a company that runs an Active Directory domain environment where the system administrator is failing to keep you updated when new hosts are added to the network. You now decide that you will use your networking tools to do the following:
Which of the following network-based tools provide the information that you require? Select the tools that you are MOST likely to use:
A. Protocol scanner
B. Microsoft Baseline Security Analyzer (MBSA)
C. Nmap
D. Penetration testing
Answers: A and C
Concept: Protocol scanners and network mappers such as Nmap can identify new hosts, the operating system versions they run, and the services that are listening. A network-based IDS can also alert on traffic from previously unseen hosts.
Wrong answers:
B. The Microsoft Baseline Security Analyzer is a vulnerability scanner that checks patch and configuration state on hosts you already know about
D. Penetration testing is an attempt to break into your network, not a tool for discovering and inventorying hosts
30. You are working for the serious crimes unit of the United Nations and have been given a laptop to investigate. You need to ensure that the evidence you are investigating has not been tampered with during your investigation. How are you going to prove this to the court when it is time to present your findings? Which of the following techniques will you adopt to BEST prove this? Select all that apply:
A. MD5
B. 3DES
C. SHA1
D. Blowfish
Answer: A and C
Concept: Hashing proves data integrity, and SHA1 and MD5 are both hashing algorithms.
Explanation: When evidence is collected under a chain of custody, it is hashed (with SHA1, MD5, or an HMAC) before anyone looks through the data, and the digest is recorded. When you finish the investigation, you run the hash a second time; if the digests match, the integrity of the data is confirmed. In current practice SHA-256 is preferred because MD5 and SHA-1 both have known collision attacks, but for this question the two hashing algorithms among the options are the correct choices.
Wrong answers:
B and D are both symmetric encryption algorithms (3DES and Blowfish are block ciphers), not hashing algorithms.
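The following is an added example and is not part of the original exam text. It shows the acquisition-time hashing and later re-verification that the explanation describes: the evidence file is hashed in chunks with several algorithms, the digests are recorded, the file is verified unchanged, and a single altered byte is then detected. The file name, its contents and the set of algorithms are constructed for this example.

```python
"""Added example (not part of the original exam text): hashing evidence before and
after analysis so that its integrity can be demonstrated later. The evidence
file name and contents used here are constructed for the example.
"""
import hashlib
import io
import os
import tempfile

# Digests recorded together; SHA-256 is included because MD5 and SHA-1 are no
# longer collision resistant, even though the exam question lists only those two.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(fileobj, algorithms=ALGORITHMS, chunk_size=1024 * 1024):
    """Hash a binary file object in chunks so a large disk image never has to fit in memory.

    Every requested digest is computed in one pass over the data.
    Returns {algorithm_name: hex_digest}.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Convenience wrapper for data already held in memory."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=ALGORITHMS):
    with open(path, "rb") as fileobj:
        return hash_stream(fileobj, algorithms)


def verify_file(path, recorded):
    """True only if every digest recorded at acquisition still matches the file."""
    current = hash_file(path, tuple(recorded))
    return all(current[name] == digest for name, digest in recorded.items())


def demo():
    """Record digests at acquisition, verify after analysis, then show that tampering is caught.

    Returns (intact_before_tamper, intact_after_tamper).
    """
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "laptop.dd")          # constructed evidence file
        with open(image, "wb") as f:
            f.write(b"constructed disk image contents " * 1000)
        recorded = hash_file(image)          # these values go into the chain-of-custody record
        intact_before = verify_file(image, recorded)
        with open(image, "ab") as f:         # simulate a single byte being altered
            f.write(b"\x00")
        intact_after = verify_file(image, recorded)
    return intact_before, intact_after


if __name__ == "__main__":
    print(demo())
```

Recording more than one digest costs nothing extra in I/O, since all hashers consume the same chunks, and it means the record stays useful even if one of the algorithms is later rejected by a court or a reviewer.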
31. You are the security administrator for a multinational corporation that has an Active Directory domain. What type of attack uses HTML tags with JavaScript inserted between the <script> and </script> tags?
A. Cross-site scripting
B. Man-in-the-middle
C. Cross-site forgery attack
D. SQL-injection
Answer: A
Concept: Cross-Site Scripting (XSS) injects JavaScript, wrapped in HTML <script> tags, into a page that other users will view. In exam questions JavaScript can often be recognized by the var keyword used to declare a variable, for example var data = "...".
32. You are a system administrator working for a multinational company that has a Windows domain and is using an active-passive model. Which of the following are the BEST reasons why your company would have adopted this model?
A. It provides vendor diversity
B. It provides much faster disaster recovery
C. It is the best model to use for symmetric encryption
D. It provides availability of your IT systems
Answers: B and D
Concept: Clustering provides availability, and it has a quick failover to the passive host should the active host fail.
Explanation: We would use an active-passive or active-active setup in a failover cluster so that if one node fails, the passive or second node takes over within seconds, and users would not even be aware of it. This gives faster disaster recovery and high availability, the target usually expressed as 99.999% uptime, otherwise known as the five nines.
Wrong answers:
A. The cluster would come from the same vendor
C. Clustering is about availability—nothing to do with encryption
33. You are the system administrator for an Active Directory domain and deal with authentication on a daily basis. Which of the following do you use as an authentication method by entering a PIN instead of a password?
A. Smart card
B. Kerberos
C. WPS
D. TOTP
Answer: A
Concept: A smart card uses a PIN.
Wrong answers:
B. Kerberos authenticates a user with a username and password (or a smart card) and then issues tickets; entering a PIN is not how Kerberos itself works
C. WPS connects a device to a wireless network by pushing a button or entering the access point's PIN; it is not a user authentication method
D. TOTP generates a time-based one-time code from a shared secret key; the code changes every 30 seconds and is not a fixed PIN
34. You are the security administrator for a large multinational corporation and you have a meeting with the CEO about the security posture of the company. He wants you to ensure the following are carried out effectively:
Which of the following are the BEST solutions to implement? Select all that apply:
A. Robocopy firewall logs to a WORM drive
B. Robocopy firewall logs to a RAID 5 volume
C. Implement usage auditing and reviews
D. Carry out permission audits and reviews every seven days
Answer: A and D
Concept: Storing files on a WORM (write once, read many) drive prevents the logs from being deleted or altered. Frequent audits of permissions help track escalation of privilege.
Wrong answers:
B. Storing data on a RAID volume is a solution for redundancy, but not the deletion of data
C. Account reviews may be quarterly, and so are not the best option
35. You are the security administrator for a multinational company, and you know that one of your X509 certificates, used in at least 300 desktop machines, has been compromised. What action are you going to take to protect the company, using the LEAST amount of administrative effort?
A. Email the people involved and ask them to delete the X509 from their desktop immediately
B. Carry out certificate pinning to prevent the CA from being compromised
C. Revoke the root CA X509 so it is added to the CRL
D. Revoke the X509 so it is added to the CRL
Answer: D
Concept: Once a certificate has been compromised, it should immediately be revoked so it is added to the CRL.
Wrong answers:
B. Certificate pinning ties a client to an expected certificate or public key so that a certificate issued by a compromised or rogue CA is rejected; it protects against a future compromise and does nothing to remediate a certificate that has already been compromised. Here only a low-level X509 certificate was compromised, not the CA
C. There is no reason to revoke the root CA certificate, as the certificate authority itself has not been compromised; revoking the root would invalidate every certificate it has issued
36. You need to install a new wireless access point that should be as secure as possible while also being backward compatible with legacy wireless systems. Which of the following would help you in this?
A. WPA2 PSK
B. WPA
C. WPA2 CCMP
D. WPA2 TKIP
Answer: D
Concept: WPA2 is the most secure choice, and TKIP is the older cipher retained for backward compatibility with legacy WPA devices.
Wrong answers:
A. WPA2-PSK describes how clients authenticate (a pre-shared key or password); it says nothing about the cipher and does not by itself address backward compatibility
B. Although WPA is backward compatible, it is not strong
C. Although WPA2 CCMP (AES) is the most secure, legacy WPA devices do not support it, so it is not backward compatible
37. You are the capacity planning administrator for a large multinational corporation, and find that Server 1 is running out of disk space. When you monitor its network card, it is at 100% utilization. Which of the following reasons best describes what is happening?
A. There are hardware errors on the server
B. Unauthorized software is being downloaded
C. Event logs are getting full and slowing down the system
D. The disks that were selected were too small
Answer: B
Concept: Unauthorized software takes up disk space and causes high network utilization.
Wrong answers:
A. If there were hardware errors, no download would have happened, and there would not be a decrease in disk space
C. Event logs are capped at a configured maximum size and overwrite or stop when full; they would not consume the disk or explain a network card at 100% utilization
D. This is not a good choice as the disks that are purchased would be of a reasonable size
38. You are the security administrator and someone has just tried to attack your web server, which is protected by a web application firewall. When you look into the log files of the web application firewall, two of the rows of the log file have the following two entries:
var data = "<blackbeard> ++ </../etc/passwd>"
Select * from customers where 1=1
Which of the following attacks are most likely to have been attempted? Select all that apply:
A. Integer-overflow
B. SQL-injection
C. JavaScript
D. Buffer-overflow
Answers: B and C
Concept: A SQL-injection attack commonly uses the always-true condition 1=1 to make a WHERE clause match every row. JavaScript is commonly used in XSS attacks and declares variables with the var keyword, so if you see var data = ... in a request, it is most likely JavaScript.
Wrong answers:
A. An integer overflow occurs when an arithmetic result (often a multiplication) is larger than the integer type can hold, so it wraps around; nothing in the log entries suggests this
D. A buffer overflow occurs when more data is written into a buffer than it was sized for. The C library functions strcat and strcpy do no bounds checking and are classic sources of buffer overflows; again, nothing in the log entries suggests this
39. Data has previously only been classified as internal data and external data. The company recently added two new classifications: legal and financial. What would be the benefit of these new classifications? Select the best solution for the new data classifications:
A. You need a minimum of three classifications for it to be effective
B. Better data classification
C. Quicker indexing
D. Faster searching
Answer: B
Concept: Adding legal and financial classifications lets data be labelled more precisely, so the handling and protection controls applied to each type can be matched to its sensitivity.
Wrong answers:
A. Data classification has no minimum values
C. Indexing will be slower for more classifications
D. Faster searching is done by reducing the amount of data
40. You are the security administrator for a multinational corporation based in Miami, and your company has recently suffered a replay attack. After lessons learned, you have decided to use a protocol that uses time stamps and USN to prevent replay attacks. Which of the following protocols is being implemented here? Select the best answer:
A. Federation services
B. EAP-TLS
C. Kerberos
D. RADIUS federation
Answer: C
Concept: Kerberos issues tickets for authentication, and each ticket and authenticator carries a time stamp (with a five-minute default skew tolerance in Active Directory), so a captured ticket cannot be replayed later. Active Directory additionally tracks every change with an Update Sequence Number (USN).
Wrong answers:
A. Federation services use SAML, an XML-based authentication protocol
B. EAP-TLS uses certificates and is used for wireless authentication
D. The RADIUS federation is a federation that uses wireless as its method of access
41. Which of the following threat actors would be the most likely to steal a company's R&D data?
A. Organized criminals
B. A competitor
C. A script kiddie
D. A nation state
Answer: B
Concept: The R&D department creates a lot of a company's trade secrets; therefore, a competitor would steal them to beat you to the marketplace.
Wrong answers:
A. Organized crime is most likely to target financial transactions rather than R&D data
C. A script kiddie reuses someone else's scripts
D. Nation states do conduct industrial espionage, but the most direct motive to steal trade secrets and beat the company to market lies with a competitor, which makes B the better answer here
42. You are a security administrator for a large multinational corporation based in the United Kingdom. You have just attended an annual seminar about the various types of password attacks. You have already disabled NTLM on all of the servers to prevent pass-the-hash attacks. Which of the following statements involves storing passwords as a hash value?
A. A collision attack, the hash value and the data match
B. A collision attack, the hash values match
C. A rainbow-table attack performs a search of simple passwords
D. A rainbow-table attack performs a search of precomputed hashes
Answer: B and D
Concept: A rainbow table is a list of precomputed hashes that lets an attacker look up the plaintext for a stolen password hash instead of computing each guess. A collision attack is where two different inputs produce the same hash value.
Wrong answers:
A. When a hash is created, the data is reduced to a fixed-length digest (usually shown in hexadecimal); the digest and the original data are different things and do not match
C. This is false; look at the explanation of the concept
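The following is an added example and is not part of the original exam text. It demonstrates statement D in the question: a table of precomputed hashes turns cracking an unsalted password hash into a dictionary lookup, while a per-user salt with an iterated hash defeats the table and forces the attacker to redo the work per account. The word list and the password are constructed for this example. A true rainbow table compresses such a lookup table into hash chains; the uncompressed lookup shown here is the same idea.

```python
"""Added example (not part of the original exam text): why an unsalted password
hash falls to a precomputed lookup table and why a per-user salt defeats that
table. The word list and the password are constructed for this example.
"""
import hashlib
import os

# Constructed word list standing in for the dictionary a table would be built from
WORDLIST = ["password", "letmein", "Summer2023", "qwerty", "Password1"]


def unsalted_hash(password):
    """The weak scheme: a plain SHA-1 of the password, identical for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_table(wordlist):
    """Precompute hash -> plaintext once; any stolen unsalted hash is then a lookup."""
    return {unsalted_hash(word): word for word in wordlist}


def lookup(stolen_hash, table):
    """Return the recovered password, or None if the hash is not in the table."""
    return table.get(stolen_hash)


def salted_hash(password, salt, iterations=100_000):
    """The stronger scheme: salted, iterated PBKDF2-HMAC-SHA256. The salt is stored beside the hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def crack_salted(stored_salt, stored_hash, wordlist):
    """With a salt the attacker must run the slow hash per candidate, per account."""
    for word in wordlist:
        if salted_hash(word, stored_salt) == stored_hash:
            return word
    return None


def demo():
    """Returns (unsalted_lookup, salted_lookup, salted_brute_force) for the same password."""
    table = build_table(WORDLIST)
    # Unsalted: the stolen hash of "Summer2023" is recovered instantly from the table
    unsalted_result = lookup(unsalted_hash("Summer2023"), table)
    # Salted: the same password hashed with a random salt is not in the table ...
    salt = os.urandom(16)
    stored = salted_hash("Summer2023", salt)
    table_result = lookup(stored, table)
    # ... so the attacker has to pay the iterated cost for every guess, for every user
    brute_result = crack_salted(salt, stored, WORDLIST)
    return unsalted_result, table_result, brute_result


if __name__ == "__main__":
    print(demo())
```

The salt does not make a weak password strong; the brute-force loop still finds it because it is in the word list. What the salt removes is the precomputation: the table built once for the unsalted scheme is worthless against any salted hash.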
43. You are the new IT Director of a small, family-owned business that is rapidly expanding. You have submitted your annual budget for the IT team and the owners of the company want to know what you have asked for funds for "Vendor diversity". They have asked you to provide two good reasons why they should grant you the funds. Which of the following are the MOST suitable reasons why you wish to implement vendor diversity?
A. Reliability
B. Regulatory compliance
C. It is a best practice in the industry
D. Resiliency
Answer: A and D
Concept: Vendor diversity involves getting a service from two different providers at the same time. Vendor diversity provides reliability and resiliency. For example, if broadband from one provider fails, then the second provider's broadband should still be up and running.
Wrong answers:
B. There are no regulations that say you must get services from two suppliers
C. It is not an industry best practice, though it may well be advisable
44. You are the network administrator for a large multinational corporation where you have captured packets that show that the traffic between the company's network devices is in clear text. Which of the following protocols could be used to secure the traffic between the company's network devices? Select all that apply.
A. SNMP V 3
B. SNMP
C. SCP
D. SFTP
Answer: A
Concept: Management traffic between network devices uses the Simple Network Management Protocol (SNMP). Versions 1 and 2c send community strings and data in clear text; SNMPv3 adds authentication and encryption and is the secure version.
Wrong answers:
B. SNMP (versions 1 and 2c) is not secure; it sends its community strings and data in clear text
C. SCP copies files securely over SSH; it does not secure management traffic between devices
D. SFTP is a file transfer protocol running over SSH; it secures file transfers, not device management traffic
45. You are the auditor of a large multinational corporation and the SIEM server has been finding vulnerabilities on a server. Manual inspection proves that it has been fully hardened and has no vulnerabilities. What are the two main reasons why the SIEM server is producing this output?
A. There was a zero-day virus
B. False negatives
C. False positives
D. The wrong filter was used to audit
Answer: C and D
Concept: If the SIEM server is using the wrong filter or configuration, it will report findings that do not exist on the server; each of these is a false positive.
Wrong answers:
A. A zero-day virus would not have been detected in the first place
B. False negatives allow attacks to happen, but are not detected
46. You are a forensic investigator who has been called out to deal with a virus attack. You collect the information from the network card and volatile memory. After gathering, documenting, and securing the evidence of a virus attack, what is the best method for preventing further losses to the company?
A. Send a copy of the virus to the lab for analysis
B. Mitigate the attack and get the system back up and running
C. Initiate a chain of custody
D. Initiate business-impact analysis
Answer: B
Concept: Collecting the volatile evidence, mitigating the attack, removing the virus, and getting the system back up and running is the best thing to do.
Wrong answers:
A. This does not get you back up and running
C. A chain of custody records who has handled the evidence and does not get you back up and running
D. BIA only tells you the losses that you have incurred and does not generate any income
47. You are the purchasing manager for a very large multinational company, and you are looking at the company's policy that deals with the insurance of laptops. Last year, the company lost a record number of laptops. Your company is losing 10 laptops per month and the monthly insurance cost is $10,000. Which of the following laptop purchases would prevent you from purchasing insurance?
A. Budget laptops at $1,300 each
B. Budget laptops at $1,200 each
C. Budget laptops at $1,000 each
D. Budget laptops at $1,001 each
Answer: C
Concept:
SLE = ALE / ARO
ALE = 12 x $10,000 = $120,000
ARO = 12 x 10 = 120 laptops a year
SLE = $120,000 / 120 = $1,000
Explanation: The cost of losing the laptops is $120,000, the same as purchasing the insurance. You should not take out the insurance in the hope that next year you may lose fewer laptops, as a record number of laptops has already been lost.
Wrong answers:
A, B, and D would cost more than the insurance; therefore, in these cases, you would do better to take out the insurance.
48. Your company has suffered a system-sprawl attack, and you need to be able to identify what has caused the attack and what the symptoms of the attack are. Which of the following attacks could cause system sprawl and what would be a tell-tale sign of it? Select the BEST two answers; each is a part of the solution:
A. SQL-injection
B. DoS attack
C. CPU at 100% utilization
D. Buffer-overflow
Answer: B and C
Concept: System sprawl is when your resources are being exhausted, for example a CPU running at 100% utilization. A system in that state is also a target for a DoS attack, such as a SYN flood, which makes the service unavailable by consuming the remaining resources.
Wrong answers:
A. An SQL- injection attack involves placing the phrase 1 = 1 into a transact SQL script
D. A buffer-overflow attack involves putting more data into a field than it was programmed to handle
49. Which of the following is a measure of reliability?
A. MTTR
B. MTBF
C. MTTF
D. RPO
Answer: B
Concept: Mean Time Between Failures (MTBF) is the average time a system runs between one failure and the next; a longer MTBF means a more reliable system. If I purchased a car and it broke down every day for the next week, I would take it back, as it would be unreliable.
Wrong answers:
A. MTTR is the mean time to repair. If I break down at 1 pm and it is repaired by 2 pm, the MTTR is 1 hour
C. MTTF is the mean time to failure; this is the lifespan of a piece of equipment
D. RPO is the recovery point objective. It is the maximum amount of data loss, measured in time, that a company can tolerate, which sets how far back the last good backup may be; the acceptable downtime is the recovery time objective (RTO)
50. Which of the following are the characteristics of a third-party-to-third-party authentication protocol that uses XML-based authentication? Select the three BEST answers:
A. Single Sign-On (SSO)
B. Kerberos
C. SAML
D. Federation services
Answers: A, C, and D
Concept: Federation services is a third-party-to-third-party authentication method that uses SAML, an XML-based method for authentication. It also provides SSO. This means that you only log in once in order to get access to resources.
Wrong answer:
B. Kerberos uses a ticket granting ticket (TGT) and authenticates users within a single domain or realm; it is not an XML-based protocol and is not used for third-party-to-third-party federation.