Module 1.1 Part 1 Questions (SY0-041) 1. What is the
51 Slides580.66 KB
Module 1.1 Part 1 Questions (SY0-041) 1. What is the difference between authorization and authentication? Authorization means granting a user account configured on the computer system the right to make use of a resource (allocating the user privileges on the resource). Authentication protects the validity of the user account by testing that the person accessing that account is who he says he is. 2. What type of access control system is based on resource ownership? Discretionary Access Control. 3. True or false? A "Need to Know" policy can only be enforced using discretionary or rolebased access control. False - a mandatory access control system supports the idea of domains or compartments to supplement the basic hierarchical system. 4. What steps should be taken to enroll a new user? Perform identity proofing to confirm the user's identity, issue authentication credentials securely, and assign appropriate permissions / privileges to the account.
Module 1.1 Part 2 Questions (SY0-041) 1. What is the basis of computer security accounting? Log files. It is also vital that users be properly authenticated. 2. What term is used to describe a property of a secure network where a sender cannot deny having sent a message? Non-repudiation. 3. How does accounting provide non-repudiation? A user's actions are logged on the system. Each user is associated with a unique computer account. So long as the user's authentication is secure, they cannot deny having performed the action. 4. You are implementing security controls to protect highly confidential information that must only be made available on a "Need to Know" basis. What class of security control should you investigate? Mandatory Access Control systems are best-suited for applying non-discretionary, need-to-know access controls. 5. You have implemented a web gateway that blocks access to a social networking site. How would you categorize this type of security control? It is a technical type of control (implemented in software) and acts as a preventive measure. 6. The company you work for has suffered numerous intrusions due to poor password management by employees. Given a significant budget to mitigate the problem, what type of security control would you use? A multifactor authentication product would mitigate this type of problem by requiring users to authenticate with a smart card or biometric information as well as a password.
Module 1.2 Part 1 Questions (SY0-041) What is a lunchtime attack? If a user logs on then leaves a workstation unattended, the user's account can be compromised by anyone able to physically access the workstation. Users should always log off or lock the workstation before leaving it. When considering non-accidental threats, what important distinctions can be made to identify different threat sources? Motive - whether the threat is structured or unstructured; whether the threat is internal or external to the organization. Apart from natural disaster, what type of events threaten physical damage to assets? Accidental damage, vandalism, war / terrorism. What distinguishes a rootkit from other types of Trojan? A rootkit typically replaces kernel-level files, making it harder to detect and remove. True or false? All backdoors are created by malware such as rootkits. False - a backdoor may be created by legitimate software or hardware that has not been configured securely.
Module 1.2 Part 1 Questions (SY0-041) What techniques does anti-virus software use to identify threats? A database of known virus patterns, which needs to be regularly updated, and heuristic analysis of suspicious code. What techniques do viruses use to avoid detection by anti-virus software? Stealth (infecting files slowly or moving from file to file) disguise the virus code (metamorphic or polymorphic virus), or disabling the A-V software (retrovirus). How do social engineering attacks succeed? They generally depend on lack of security awareness in users. An attacker can either be intimidating (exploiting users' ignorance of technical subjects or fear of authority) or persuasive (exploiting the "customer service" mindset to be helpful developed in most organizations). Is the goal of social engineering to gain access to premises or a computer system? This is usually the end goal but may not be the immediate goal of the social engineering attack. Information gathering can be just as useful (for instance, discovering what operating systems and applications the company runs or obtaining user information). What is shoulder surfing? Observing someone entering their password or PIN.
Module 1.3 Part 1 Questions (SY0-041) Is it possible to eavesdrop on the traffic passing over a company's internal network from the internet? No - to eavesdrop the sniffer has to be attached to the same local network segment. Why might an ARP poisoning tool be of use to an eavesdropper? The attacker could trick computers into sending traffic through the attacker's computer and therefore examine traffic that would not normally be accessible to him (on a switched network). What type of tool(s) would be used in a footprinting attack? Network mapper / port scanner and packet sniffer - the idea is to understand how the network is configured, what hosts are present, and what services they run. Is it possible to discover what ports are open on a web server from another computer on the internet? Yes (providing the web server is not protected against port scanning). How does a replay attack work? The attacker captures some data used to log on or start a session legitimately. The attacker then disrupts the legitimate session and resends the captured data to re-enable the connection.
Module 1.3 Part 2 Questions (SY0-041) Why are most network DoS attacks distributed? Most attacks depend on overwhelming the victim. This typically requires a large number of hosts. What can you use to mitigate ARP poisoning attacks? A switch that supports port authentication. What is a Fraggle attack? A type of Distributed Reflection Denial of Service (DRDoS) attack. The attacker bombards a network with UDP diagnostic packets directed from the faked source IP address of the victim host.
Module 1.4 Questions (SY0-041) What general precautions should you take before contracting someone to perform system scanning? Establish ground rules, such as the extent of testing and disruption to the network. What is meant by a black box pentest? The tester will attempt to penetrate the security system without having any privileged knowledge about its configuration. What are the disadvantages of performing penetration testing against a simulated test environment? Setting up a replica of a production environment is costly and complex. It may be very difficult to create a true replica, so potential vulnerabilities may be missed. Why should an ISP be informed before pentesting takes place? ISPs monitor their networks for suspicious traffic and may block the test attempts. The pentest may also involve equipment owned and operated by the ISP. True or false? A honeypot is designed to prevent network attacks by intercepting them and trapping them within a secure, decoy environment. False - a honeypot is passive. It could act as a decoy but you cannot rely on it to deter attacks against the production network.
Module 2.1 Part 1 Questions (SY0-041) What is the principal use of symmetric encryption? Confidentiality - symmetric ciphers are generally fast and well suited to encrypting large amounts of data. The difficult of distributing keys securely makes them less useful for integrity and authentication. What features of a one-time pad make the system cryptographically secure? The pad must be generated randomly and must not be re-used. Which offers better security - MD5 or SHA? SHA. Which symmetric cipher is being selected for use in many new products? Advanced Encryption Standard (AES) based on Rijndael. What is the process of digitally signing a document? A secure hash function is used to create a message digest. The digest is then signed using the sender's private key. The resulting signature can be decrypted using the sender's public key and cannot be modified by any other agency.
Module 2.1 Part 2 Questions (SY0-041) How are cryptographic authentication systems protected against replay attacks? By timestamping session tokens so that they cannot be reused outside of the validity period. What technique might be used to detect the presence of a hidden message within a file? If you have a copy of the original file you can compare it to the changed file. Otherwise statistical analysis with some knowledge of the way the steganographic application works. You want to ensure that data stored on backup media cannot be read by third-parties. What type of security control should you choose? You require a security control that delivers confidentiality, such as encryption. You are distributing a software application to clients and want to provide them with assurance that the executable file has not been modified. What type of security control is appropriate for this task? A control that provides integrity, such as a secure hash function (MD5 or SHA) would be suitable. Your company issues vouchers by email for various products and events. What security control could you use to prove the authenticity of the vouchers? You could use steganography to embed an authenticity code in the voucher file.
Module 2.2 Part 1 Questions (SY0-041) What cryptographic information is stored in a digital certificate? The owner's public key and the algorithms used for encryption. The certificate also stores a digital signature from the issuing CA. What does it mean if a certificate extension is marked as critical? That the application processing the certificate must be able to interpret the extension correctly, otherwise it should reject the certificate. You are developing a secure web application. What sort of certificate should you request to show that you are the publisher of a program? A code signing certificate. Certificates are issued for specific purposes. A certificate issued for one purpose should not be reused for other functions. What are the weaknesses of a hierarchical trust model? The structure depends heavily on the integrity of the root CA and trust relationships are limited to one organization only. What trust model enables users to sign one another's certificates, rather than using CAs? Web of Trust.
Module 2.2 Part 2 Questions (SY0-041) What options exist for creating a key repository? Software-based storage means that keys are stored in a CA application running on a standard operating system. Hardware-based storage means that a key is stored on a dedicated device, such as a smart card. What mechanism informs users about suspended or revoked keys? Certificate Revocation List (CRL). What should be done before a certificate expires? The certificate should be renewed. What does it mean if key recovery agent is subject to "M of N" control? Of "N" agents configured to perform key recovery, "M" must be present to authorize a recovery operation. What does it mean if a cryptographic module is FIPS? The product has been tested under the US government's Federal Information Processing Standard.
Module 2.3 Part 1 Questions (SY0-041) How are cryptographic systems protected against brute force attacks? By using key sizes that make brute force attacks computationally impossible to achieve (within a reasonable time frame). Why might a standalone installation of Windows XP be more vulnerable to password cracking than in Windows 7? Windows XP uses weak LM responses by default. What key features are provided by Kerberos? Single sign-on and support for mutual authentication. True or false? In order to create a service ticket, Kerberos passes the user's password to the target application server for authentication. False - only the KDC verifies the password. The Ticket Granting Service sends the user's account details (SID) to the target application for authorisation (allocation of permissions) not authentication. Why might forcing users to change their password every month be counterproductive? More users would forget their password or try to select insecure ones.
Module 2.3 Part 2 Questions (SY0-041) A user maintains a list of commonly used passwords in a file located deep within the computer's directory structure. Is this secure password management? No. This is security by obscurity. The file could probably be easily discovered using Search tools. Your company creates software that requires a database of stored encrypted passwords. What security control could you use to make the password database more resistant to brute force attacks? Using a key stretching password storage library (such as brcypt or PBKDF2) would improve resistance to brute force cracking methods. In what scenario would PAP be an appropriate cryptographic method? None - the Password Authentication Protocol uses plaintext ASCII passwords with no cryptographic protection. This could only be used securely if the endpoints established a secure tunnel (using IPsec for instance).
Module 2.4 Part 1 Questions (SY0-041) True or false? An account requiring a password, PIN, and one-time password is an example of three-factor authentication. False - three factor authentication would include a biometric or behavioral element. What type of logon security is provided by OTP? A One-Time Password is valid only for a short period (usually 60 seconds), before it changes again. Apart from cost, what would you consider to be the major considerations for evaluating a biometric recognition technology? Error rate and throughput. Which type of eye recognition is easier to perform: retinal or iris scanning? Iris scans are simpler. True or false? The holder of a Common Access Card can authenticate to a computer system using biometric information stored on the card. False - the card contains biometric data for identity proofing but cannot be used to authenticate. It does support smart card authentication.
Module 2.4 Part 2 Questions (SY0-041) Which remote authentication protocol supports smart cards? EAP-TLS (Extensible Authentication Protocol - Transport Layer Security. What is a RADIUS client? A device or server that accepts user connections. Using RADIUS architecture, the client does not need to be able to perform authentication itself; it passes the logon request to an AAA server. Which of TACACS, TACACS , and XTACACS is most likely to be deployed on modern networks? TACACS - the others are legacy protocols. Your company has won a contract to work with the Department of Defense. What type of site access credentials will you need to provide? Contractors working for the DoD require a Common Access Card with an embedded token and photograph. You are working with a cloud services company to use their identity management services to allow users to authenticate to your network. The company will not establish a transitive trust between their network system and yours to allow you to access and update user profiles. Why would they refuse this and what impact will it have on your application? They would have to obtain user consent for your network to access their profile and this may be difficult for them to do. You will have to create and store a profile for the user on your own system.
Module 2.5 Part 1 Questions (SY0-041) You are working on a privilege management policy and trying to work out a way to protect information that is restricted to executive-level employees from being snooped upon by IT administrative staff. Someone suggests locating the data on a PC that is not connected to the network. Why is this not an appropriate solution? Either the data will not be subject to network security mechanisms (accounting and backup for instance) or different mechanisms will have to be set up, increasing complexity. It will also be of limited availability (what if executives cannot physically access the PC?) What are the advantages of a decentralized, discretionary access control policy over a mandatory access control policy? It is easier for users to adjust the policy to fit changing business needs. Centralized policies can easily become inflexible and bureaucratic. What is the difference between group- and role-based management? A group is simply a container for a number of user objects. Any organizing principle can be applied. In a role-based access control system, groups are tightly defined according to job functions. Also, a user should (logically) only possess the permissions of one role at a time. Under a rule-based access control model, how would a subject negotiate with the data owner for access privileges? This sort of negotiation would not be permitted under rule-based access control; it is a feature of discretionary access control.
Module 2.5 Part 2 Questions (SY0-041) What container would you use if you want to apply a different security policy to a subset of objects within the same domain? Organization Unit (OU). What authentication scheme is often used in conjunction with LDAP? Kerberos. Why are the default OS user accounts a security risk? They make it easier to identify the administrative account and in some cases may allow anonymous or unintended access to the system and file/print resources. A router appliance only supports a single administrative user. Given that at least two members of staff are required to be available to perform configuration updates on the router, what methods could you use to enforce accountability and non-repudiation? Restrict administrative access to the router to a management PC and configure authentication and logging on the PC to verify which administrator has used it to administer the router and when.
Module 3.1 Part 1 Questions (SY0-041) Why is subnetting useful in secure network design? It provides defense in depth. Subnet traffic is routed allowing it to be filtered by devices such as a firewall. An attacker must be able to gather more information about the configuration of the network and overcome more barriers to launch successful attacks. What is the purpose of a DMZ? To prevent traffic from the public internet zone passing through the Demilitarized Zone (DMZ) to the private intranet zone. How can a DMZ be implemented? Either using two firewalls (external and internal) as a screened subnet or using a triple-homed firewall (one with three network interfaces). What technology would you implement to protect part of a network against packet sniffing? Switch (and optionally VLAN).
Module 3.1 Part 2 Questions (SY0-041) True or false? Administration and configuration of a switch should be limited to the "default" or "management" VLAN. False - the management VLAN is for trunking protocol traffic only and should otherwise by unused. It is a good idea to use a dedicated VLAN for network device admin though. How could you prevent a malicious attacker from engineering a switching loop from a host connected to a standard switch port? Enable the appropriate guards on non-trunk ports. What technology would you use to enable private addressing on the LAN and still permit hosts to browse the web? Network Address Translation (NAT) or Network Address Port Translation (NAPT) or a proxy server. What steps would you take to secure a network device against unauthorized reconfiguration? Enable a single management interface or protocol (preferably encrypted), secure the administrative account with a strong password or set up an Access Control List, update firmware when necessary. If the device has an external (internet-facing) interface, restrict access to the management console to a management subnet (alternatively restrict access to a single host).
Module 3.2 Part 1 Questions (SY0-041) What is the advantage of a firewall that works above layer 3 of the OSI model? This type of firewall can maintain stateful information about connections, making it work better with many applications and offering better defenses against DoS attacks. A stateful inspection firewall may be able to block an even wider range of attacks and malware. What distinguishes a personal software firewall from a network firewall appliance? Desktop firewall software can block processes from accessing a network connection as well as applying filtering rules. However, since it is a software application, it is easier for malware to interfere with its operation. Other than attempting to block access to sites based on content, what other security options might be offered by web security gateways? Blocking access based on time of day or total usage. True or false? Host-based IDS cannot be combined with network-based IDS? False; though products from different vendors may not be interoperable. What are examples of passive detection? Logging or alerting intrusion incidents.
Module 3.2 Part 2 Questions (SY0-041) What sort of maintenance must be performed on signature-based monitoring software? Definition / signature updates. What is the best option for monitoring switched Ethernet traffic? Connecting the monitor to a spanning port. What feature of server logs makes them useful as an audit trail? That the logs are tamper-proof. What difficulty is inherent in monitoring the way users exercise privileges granted to them (to access particular files for instance)? This is likely to generate a large amount of raw data (numerous events), which will be difficult to analyze. You have configured perimeter security firewalls. What type of security control would provide defense-indepth against insider threats? Host-based security controls such as a personal firewall or intrusion detection.
Module 3.3 Part 1 Questions (SY0-041) What are the security considerations when placing antennas to boost the range of a wireless network? Extending the range of the network can increase the opportunity for eavesdropping or penetration (war driving). However, it is practically impossible for most organizations to shield a wireless network, so it is best to ensure that the WLAN uses strong authentication and encryption. What is the main difference between WPA and WPA2? WPA2 supports an encryption algorithm based on AES. What technologies exist to prevent the connection of rogue wireless access points to a network? This can be prevented through switches that support port authentication (802.1X) and by deploying wireless intrusion detection systems. If WPA2 provides the strongest possible wireless encryption and authentication, why is it not deployed on all networks? Not all devices or operating systems support WPA2. For example, it is not supported by Windows 2000. What is a pre-shared key? This is a type of group authentication used when the infrastructure for authenticating securely (via RADIUS for instance) is not available. The system depends on the strength of the passphrase used for the key.
Module 3.3 Part 2 Questions (SY0-041) Why is it best to disable the wireless adapter in a laptop if Wi-Fi is not being used? The adapter may provide "backdoor" access to the computer if not configured correctly. Wi-Fi can be set up in ad hoc mode, which means computers can be configured to connect to one another. Your company director wants the presence of the wireless network to be concealed. What measure could you take to comply with this? Disable SSID broadcast. You are constrained to operating a single wireless network that must provide access for both guests and employees. Consequently the network uses open authentication. What technology could you use to make the network secure for employee use? Deploy a VPN for employees to connect to the company network. Which provides stronger security: TKIP or CCMP? CCMP allows the use of AES encryption in the WPA2 standard while TKIP fixes some of the problems with RC4 in the original WPA standard so CCMP is the stronger method. You need to configure a wireless bridge between two sites. What type of wireless network technology will be most useful? A wireless bridge will benefit from the use of a particular antenna type. A directional antenna will work better than an omnidirectional one.
Module 3.4 Part 1 Questions (SY0-041) Which protocol is used in conjunction with L2TP to provide a secure access VPN? IPsec. What two protocols must a firewall allow to establish a PPTP link? TCP port 1723 and GRE (IP type 47). What are the two main advantages of L2TP over PPTP? Support for protocols other than PPP and TCP/IP and the initial link negotiation can be made securely. What IPsec mode would you use for data confidentiality on a private network? Transport mode (tunnel mode encrypts the IP header information, but this is unnecessary on a private network). What authentication methods are supported by IPsec? Certificate, pre-shared key, or Kerberos.
Module 3.4 Part 2 Questions (SY0-041) Describe what role SSH might play in securing communications. Secure replacement for *nix remote administration tools and more generally securing communication between TCP applications (using port forwarding). What protocol could you deploy to protect the management interface of a router that only accepts Telnet connections? You could use IPsec to configure a secure tunnel, mitigating the fact that Telnet transfers information in the clear. What is the main risk of using remote administration tools over a network without encryption? The username and password would be passed in plaintext. As this is most likely to be the password for an administrative account, this makes the network extremely vulnerable. Your firewall is configured with a rule allowing external hosts to connect to port 3389. What protocol is being permitted? Remote Desktop. What bit of information confirms the identity of an SSH server to a client? The server's public key. Note that this can only be trusted if the client trusts that the public key is valid. The client might confirm this manually or using a Certificate Authority.
Module 3.5 Part 1 Questions (SY0-041) What risk might IPv6 pose to a network that does not have an IPv6 management plan? IPv6 may already be enabled and running on hosts and could be used to tunnel traffic into and out of the network covertly. What vulnerabilities does a rogue DHCP server expose users to? Denial of Service (providing an invalid address configuration) and spoofing (providing a malicious address configuration [one that points to a malicious DNS for instance]). Why is it vital to ensure the security of an organization's DNS service? DNS resolves domain names. If it is corrupted, users could be directed to spoofed websites. Disrupting DNS can also perform Denial of Service. True or false? The contents of the HOSTS file are irrelevant so long as a DNS service is properly configured. False (probably) - the contents of the HOSTS file are written to the DNS cache on startup. It is possible to edit the registry to prioritize DNS over HOSTS though. What is DNS cache poisoning? Corrupting the records of a DNS server to point traffic for a legitimate domain to a malicious IP address.
Module 3.5 Part 2 Questions (SY0-041) If anonymous access to an IPC share is required by a Line of Business application, what steps can be taken to prevent remote exploitation of RPC? Block NetBIOS ports at the firewall. What steps should you take to secure an SNMPv2 service? Configure strong community names and use Access Control Lists to restrict management operations to known hosts. Optionally, encrypt SNMP traffic using IPsec to prevent packet sniffing. What access control measures could you deploy on a Fibre Channel SAN to restrict which servers can access certain storage devices? You can configure LUN masking, which is similar to MAC filtering, and/or zoning, which is similar to VLANs. True or false? The management console of a PBX can often be accessed from outside the organization. True - an external interface is often configured by the provider to perform maintenance or support. Why is it difficult to encrypt VoIP? Encryption adds a substantial processing overhead and can seriously affect call quality.
Module 4.1 Part 1 Questions (SY0-041) What is a "security-enabled" configuration? A basic principle of security is to run only services that are needed. Many default OS installations and network devices also install optional services automatically; requiring the installer to disable them if they are not needed. Most devices and software now ship in a "security-enabled" configuration, meaning that the installer must choose which services to install and enable. Why is it essential to create a baseline when setting up a system for the first time? "Unless you know where you started, you won't know how far you've come." Security monitoring and accounting largely depends on identifying things that are out-of-the-ordinary. Baselining a system establishes what is normal. What are the management options and security considerations for network clients? Local management - this means performing management at each machine, which is timeconsuming. Remote management saves time but raises the possibility that the management software will open a backdoor vulnerability. There is also the possibility that management traffic could be captured unless secured by encryption. Remote management can either be in-band (uses the standard network) or out-of-band (uses a different network or interface). What first step must you take when configuring automatic updates on a Linux server? Choose a trustworthy installation source.
Module 4.1 Part 2 Questions (SY0-041) True or false? Only Microsoft's operating systems and applications require security patches. False - any vendor's or open source software or firmware can contain vulnerabilities that need patching. What is meant by "remediation" in the context of NAC? The options provided to a client that does not meet the health policy - for example, allowed basic internet access only, given access to required patches, and so on. What use is made of a Trusted Platform Module for NAC attestation? The TPM is a tamper-proof (at least in theory) cryptographic module. This can provide a means to report the system configuration to a policy enforcer securely. IT administrators in your company have been abusing their privileges to install computer games on company PCs. What technical control could you deploy to prevent this? It is difficult to define technical controls to apply to administrators but you could enforce whitelisting or blacklisting of executables allowed.
Module 4.1 Part 3 Questions (SY0-041) You are managing a huge site with large numbers of network ports spread across many floors. You are considering implementing a Network Access Control system but what interim measures could you take to identify rogue machines? Use network mapping and host discovery software. Why is a trusted OS necessary to implement file system access control measures? Trusted OS means that the OS fully mediates the access control system. If this is not the case, an attacker may be able to bypass the security controls.
Module 4.2 Part 1 Questions (SY0-041) What are the main management issues for a confidential document that has been published? Secure storage and distribution, change management, and privilege management (notification of any changes to access control for instance). What are satisfactory ways of protecting confidential data stored on a hard disk for disposal of the disk? Over-writing is secure enough for most purposes. Top secret data may mandate destruction of the unit. The disk could be disposed of relatively safely if all confidential information were encrypted but it would be pointless to leave the data on the disk for the sake of it. What technology protects data in the event of the loss or theft of a computer or mobile device? File or disk encryption. What sort of software prevents unauthorized copying of data onto removable media? Data Leakage Prevention (or Data Loss Prevention). What term is used to describe data stored on the flash drive memory of a smartphone? Data at-rest.
Module 4.2 Part 2 Questions (SY0-041) What range of information classifications could you implement in a data labeling project? High, Medium, Low, Confidential, Private, and Public. Often the designations Top Secret, Secret, Confidential, and Classified are used too. What is meant by PII? Personally Identifiable Information - any data that could be used to identify, contact, or locate an individual. What use is a TPM when implementing full disk encryption? A Trusted Platform Module provides a secure storage mechanism for the private key used to encrypt the data. Access to the key is provided by configuring a password. The alternative is usually to store the private key on a USB stick. Why is the "velocity" of a big data dataset a problem for data handling procedures? The data may be acquired too quickly to classify it and apply appropriate access controls and authorizations. This means that often administrators will be granted access to the whole data set, regardless of what different sensitivities of information may be present within it. Why might an organization implement backups using incremental sets along with full sets rather than just full sets? To minimize backup time.
Module 4.3 Part 1 Questions (SY0-041) How does SSL accomplish the secure exchange of session keys using certificates? If using RSA key exchange, the server sends its certificate to the client, which uses the public key in the certificate to encrypt a pre-master secret. The client and server then calculate the same master secret and use that to create the session key. Alternatively, the Diffie-Hellman key agreement protocol can be used to generate an ephemeral session key, which does not depend on the continued security of the server's private key. What general principles should be followed when setting up user accounts on a public web server? Do not re-use account names or passwords from the private network. Ensure that the guest account is only configured to browse resources. What is throttling? Configuring the web server to limit the number of simultaneous connections. What application is typically used to secure FTP? SSH or SSL. What cipher(s) can be selected to enable Perfect Forward Secrecy when configuring TLS? Diffie-Hellman Ephemeral mode (DHE or EDH) or Elliptic Curve Diffie-Hellman Ephemeral mode (ECDHE).
Module 4.3 Part 2 Questions (SY0-041) A client and server have agreed the use of the cipher suite ECDHE-ECDSA-AES256-GCMSHA384 for a TLS session. What is the key strength of the symmetric encryption algorithm? 256-bit (AES). You are implementing a new e-commerce portal with multiple web servers accessing data on a SAN. Would you deploy load balancers to facilitate access by clients to the web servers or by the web servers to the SAN? Load balancers are typically deployed for stateless fault tolerance and so would be used at the front-end (client-web server) rather than back-end (web server-storage network). Load balancing a SAN would be performed by configuring server clusters. What ports would you have to configure to allow client access to an FTP server in either active or passive mode? In active mode, allow access to TCP 21 (control) and 20 (data); in passive mode allow TCP 21 and at least one ephemeral port (from 1024-5000 by convention). You are configuring SSH on your web server to allow for secure management access. You want to allow the use of SFTP to transfer files. What port must you open on the server? TCP port 22 (by default; you can use a custom port too). You only need the one SSH port though. You do not need extra ports FTP over SSH.
Module 4.4 Part 1 Questions (SY0-041) What is a persistent XSS attack? Where the attacker inserts malicious code into the back-end database used to serve content to the trusted site. What methods should be used to protect a web server against XSS exploitation? Strong authentication and access control, security-aware application development, and testing (including web application vulnerability scanning). Why would a NoSQL database format be selected for backend storage for a website? Performance - NoSQL databases scale to meet peak demand requirements more easily than relational databases. It may also simplify application design as the data schemas can be modified in an ad hoc way. Why might an integer overflow exploit in a web application lead to data loss? If the integer overflow can be exploited to gain access to privileged memory, the attacker may be able to steal information or install malware. What type of programming practice defends against injection-style attacks, such as inserting SQL commands into a database application from a site search form? Input validation means that this sort of input cannot be passed to an application via a user form or API.
Module 4.4 Part 2 Questions (SY0-041) What type of security controls or programming practice defends against transitive access attacks? Transitive access (or confused deputy) means that an attacker is able to exploit a valid session. Web applications should be designed with secure authentication and authorization tokens to prevent this type of attack. Your company is developing a web application that will be deployed primarily to Apple iPads. What part of the auditing process will determine the security requirements for deployment on the tablets? This is part of an overall architecture review. What vulnerabilities might default error messages reveal? A default error message might reveal the workings of the code to an attacker. How does Internet Explorer choose whether to trust certificates? IE is pre-installed with root certificates from the major third-party CAs. This system is not invulnerable however; hence the introduction of high-assurance SSL. What restriction should you enforce to prevent infection by malicious browser plug-ins? Only allow installation of signed applets from trusted certificate providers.
Module 4.5 Part 1 Questions (SY0-041) What is a hypervisor? The software that hosts, configures, and manages multiple "guest" operating systems or Virtual Machines (VM). A hypervisor can be implemented as an OS itself ("bare metal") or as an application running within the host OS. What methods can be used to allow communications between VMs and the host? Hypervisors support features such as clipboard sharing, folder sharing, and nonpersistent disks. The machines can also communicate over a network connection (either a virtual network or using the host's network adapter). What term is used to describe a computing architecture where thin clients are used to access images of client operating systems stored on a server? Virtual Desktop Infrastructure. What is server consolidation? Taking servers that are currently running on multiple physical server computers and installing them as virtual servers on a single machine. Why might virtualization support faster deployment of applications? Each application can be developed and tested as an image within a virtual environment. It is easier to set up and distribute the images than it is to install the servers and applications on physical machines.
Module 4.5 Part 2 Questions (SY0-041) What is the risk of VM escaping? VM escaping refers to attacking other guest OSs or the hypervisor or host from within a virtual machine. Attacks may be to steal information, perform Denial of Service, infect the system with malware, and so on. What is a snapshot? A guest OS is stored in an image file. The single file represents all the data stored on the guest OS's hard disk. Disk images can be used as templates to set up new VMs quickly. A snapshot (or differencing disk) is a copy of the disk image at a certain point-in-time. Snapshots can be used to rollback changes made during a VM session. What is meant by a public cloud? A solution hosted by a third-party and shared between subscribers (multi-tenant). This sort of cloud solution has the greatest security concerns. What type of cloud solution would be used to implement a SAN? This would usually be described as Infrastructure as a Service (IaaS). Describe some key considerations that should be made when hosting data or systems via a cloud solutions provider. Identify responsibility for implementing security controls (such as patching or backup), identify performance metrics in an SLA, identify privacy/compliance issues, and set up monitoring to ensure security controls are deployed correctly.
Module 5.1 Part 1 Questions (SY0-041) What basic principles can you follow to plan site security? Design layers of security, with the most important resources located deeper within the site. Design security zones, making sure that passage from one zone to another can only be made through authenticating check points. What principle should you apply regarding furniture layout in public spaces? Make public spaces high visibility so that actions cannot be concealed. Position furniture so that surveillance is maximized. What use might a proximity reader be for site security? A proximity reader would allow a lock to be operated by a contactless smart card. What three types of intruder alarm can be used in a security system? Circuit, motion, and duress.
Module 5.1 Part 2 Questions (SY0-041) What are the main considerations to make when setting up a video surveillance system? Angle and depth of field, whether to have static or adjustable cameras, and arrangements for monitoring and recording images. What three elements should be in place to reduce the risk of fire? Fire prevention (identifying and removing any flammable sources), detection (smoke and flame alarms), and suppression. What security controls might be used to implement protected distribution of cabling? Make conduit physically difficult to access, use alarms to detect attempts to interfere with conduit, and use shielded cabling. Where would you expect to find "hot and cold" aisles and what is their purpose? This layout is used in a data center or large server room. The layout is the best way to maintain a stable temperature and reduce loss of availability due to thermal problems. What physical security device could you use to ensure the safety of onsite backup tapes? A fireproof safe. What physical site security controls act as deterrents? Lighting is one of the most effective deterrents. Any highly visible security control (guards, fences, dogs, barricades, CCTV, and so on) will act as a deterrent.
Module 5.2 Part 1 Questions (SY0-041) True or false? The short range of Bluetooth devices make them low risk from a security point-of-view. False (mainly) - Bluetooth devices are certainly lower risk than some other technologies but there are published exploits for data theft, hijacking, and DoS attacks on Bluetooth. At the very least you should stay up-to-date with security issues and news articles and advise users about any potentially dangerous exploits. What are SCADA devices and what are the security issues associated with them? Supervisory Control and Data Acquisition Systems are large-scale control systems used in systems such as manufacturing and fabrication. The two great security issues with SCADA devices stem from the fact that so many of them are legacy and therefore built without an eye to security and without the awareness that they would one day be networked. Securing devices such as these after the fact can therefore by its nature be extremely difficult.
Module 5.2 Part 2 Questions (SY0-041) Why do we segment networks? We segment networks for two reasons. First, for efficiency: segmenting networks limits broadcasts, decreases collisions, etc., thereby increasing availability, but secondly, for security reasons. We want to avoid the “egg” defense, wherein we secure our network’s perimeter but allow full freedom of movement within the network. Properly segmenting our networks makes accessing sensitive systems or hosts within the network far more difficult, and reduces the possibility of “sniffing”. It also increases the ease with which we can look at traffic, for example segmenting by protocol. Aside from leaving sensitive documents on it, are there security concerns with respect to printers? Modern printers have their own hard drives and their own operating systems and are therefore susceptible to the same attacks than are any other computer containing operating systems and hard drives – with the additional problem that many users are unaware of this and therefore do not remember to update or patch operating systems and to securely delete the contents of the drive, or destroy the drive itself upon retiring the printer. What are the two main security concerns when it comes to mobile devices? Storage and portability. Portability leads to the increased possibility of theft or loss; because of the increased storage capacity of mobile devices, organizations must be concerned with users illegally or inappropriately storing and extracting data.
Module 5.2 Part 3 Questions (SY0-041) What is Mobile Device Management (MDM)? A method of securing, monitoring, managing and supporting mobile devices deployed across heterogeneous environments via software. What is the first and last concern on the timeline with respect to managing security on employee owned devices? Onboarding and offboarding. As always, security must begin at the earliest possible moment and focus must be maintained until the device has been securely disposed of. What must be done with mobile devices and storage to best defend against the interception or extraction of sensitive data? Encryption, whether on the full device or only on portions of the device containing sensitive data. Why allow employees to use their own mobile devices at work? Employee satisfaction is part of the reason, but from a security perspective, organizations had better contemplate a good BYOD policy because employees are likely to use their own devices with or without permission. It is better to know what they’re doing and have a hand in securing these devices than to pretend that it’s not going to happen. Why not thoroughly lock employees’ own devices down, as you would with corporate-owned devices? Push-back from employees because of personal privacy and property issues. The organization’s risk-mitigation strategies must be acceptable to employees, or employees will simply circumvent rigid or heavy-handed policies and procedures.
Module 5.3 Part 1 Questions (SY0-041) What are the main components of BIA? Business Impact Analysis identifies critical functions and assets plus the threats and level of risk to them. What is a Continuity of Operations plan? This term is used mainly by the US government but refers to the same sort of policies and procedures as business continuity (planning and testing systems so that resources can be recovered and restored after incidents). What metric(s) could be used to make a quantitative calculation of risk due to a specific threat to a specific function or asset? Single Loss Expectancy (SLE) or Annual Loss Expectancy (ALE). ALE is SLE multiplied by ARO (Annual Rate of Occurence). What factors determine the selection of security controls in terms of an overall budget? The risk (as determined by impact and likelihood) compared to the cost of the control. This metric can be calculated as Return on Security Investment (ROSI). What metric would be put in-place to minimize acceptable downtime following a security incident? Recovery Time Objective (RTO).
Module 5.3 Part 2 Questions (SY0-041) What type of risk mitigation option is offered by purchasing insurance? Risk transference. What type of interoperability agreement would be appropriate at the outset of two companies agreeing to work with one another? A Memorandum of Understanding (MOU). What type of interoperability agreement is designed to ensure specific performance standards? Service Level Agreement (SLA). Performance standards may also be incorporated in Business Partner Agreements (BPA) and Interconnection Security Agreements (ISA) however. What metric is used to identify the expected service lifetime of a non-repairable appliance? Mean Time to Failure (MTTF). What is the first step in initiating a change if an organization is following a formal change management process? A Request For Change (RFC).
Module 5.4 Part 1 Questions (SY0-041) What is the difference between disaster recovery and business continuity planning? Disaster recovery is about anticipating what could go wrong and drawing up contingency plans to follow if the worst happens. Business continuity planning is about risk assessments and ensuring high availability for systems, including planning for fault tolerance and providing resources (such as alternate sites) that could be utilized during disaster recovery. Why are disaster recovery exercises an important part of creating a disaster recovery plan? Full-scale exercises can identify mistakes in the plan that might not be apparent when drafting procedures. It also helps to familiarize staff with the plan. In which types of disaster recovery site(s) would you expect to have to install computer equipment? While definitions vary, this is typically true of cold sites only. Warm sites have existing processing capability but not the latest data set, as hot sites would have. Is RAID mirroring a backup technology? No. RAID mirroring provides fault tolerance in the event of a mechanical failure of a hard drive. Backup provides protection for data in the event of volume failure, data corruption, accidental or malicious destruction, and so on. True or false? UPS can provide emergency power for days at a time. False - some systems may only provide a few minutes or hours of emergency power. A standby generator is required to fully backup the utility power supply.
Module 5.4 Part 2 Questions (SY0-041) What factor is most likely to reduce a system's fault tolerance? Single points of failure. What phrase describes ensuring that critical functions remain properly staffed? Succession planning. What is a tabletop exercise? A non-simulated drill of emergency response procedures. Staff may role-play and discuss their responses but actual emergency conditions are not simulated. What security considerations affect an alternate hot site that do not generally apply to warm or cold sites? Hot sites are generally kept live with a current data set, creating a data security issue. What risk is there in leasing alternate sites (as opposed to owning them)? In the event of a widespread disaster, demand can outstrip supply. This was sadly found to be the case in the aftermath of the 9/11 terrorist attack and the Hurricane Katrina natural disaster.
Module 5.5 Part 1 Questions (SY0-041) What are the 4 phases of the incident response lifecycle defined by NIST? Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Postincident Activity. What is a CSIRT? A Computer Security Incident Response Team - the first point of contact for incident notification and the people primarily responsible for managing incident response. What type of threat source does supporting and protecting whistleblowers help to negate? Insider threats. What is the significance of the fact that digital evidence is latent? The evidence cannot be seen directly but must be interpreted so the validity of the interpreting process must be unquestionable. What should be the first action at a crime scene during a forensic investigation? Preserve the crime scene by recording everything as is, preferably on video.
Module 5.5 Part 2 Questions (SY0-041) What software tools may be of use to a forensic investigator seeking to prepare a hard drive for analysis of its contents? Disk imaging software to make a copy of the drive (including boot sectors and free space) plus cryptographic software to make a hash of the drive contents. This helps to prove that the contents of the drive have not been tampered with by the investigator (or anyone else) since the drive was taken as evidence. Why might a file time stamp not show the time at which a crime was committed? The time stamp may be record the Universal Coordinated Time rather than the local time. An offset would need to be applied (and it might need to be demonstrated that the computer's time zone was correctly set). What is a Chain of Custody form? A document identifying a piece of evidence, including where it has come from, where it has been stored, and who has handled it. What is meant by a "first responder" and what initial actions should they perform? The person to whom an event is reported. The first responder must identify whether an event should be treated as an incident and what its priority should be.
Module 5.5 Part 3 Questions (SY0-041) Why might simply removing a device not be an appropriate response to an incident? It may alert the attacker. This could lead to the loss of important evidence or allow the attacker to perform countermeasures. How might "big data" assist with a forensic examination of a computer hard drive? "Big data" visualization or frequency analysis might help to identify information stored on the disk.
Module 5.6 Questions (SY0-041) 1. In what situations would it be appropriate to apply separation of duties to privilege management? Any task that should not be actioned by a single person. Typically, this is to prevent fraud or embezzlement. 2. What type of organizational policy ensures that at least two people have oversight of a critical business process? Job rotation (but also M of N control). 3. What sort of workplace security issues should be covered by HR policies? Separation of duties, acceptable uses of equipment, privacy, data handling, and security awareness and training. 4. What type of software assists with collection of training metrics? Learning Management System (LMS). 5. True or false? It is important to publish all security alerts to all members of staff. False - security alerts should be sent to those able to deal with them at a given level of security awareness. 6. What risk, apart from time-wasting, might employee use of social networking pose to an organization? Reveal confidential information or information that could help an attacker pose as an insider. 7. Why should an organization design role-based training programs? Employees have different levels of technical knowledge and different work priorities. This means that a "one size fits all" approach to security training is impractical.
