Security + quiz 1
56 Questions

Questions and Answers

Which of the following vulnerabilities directly affects the hardware of a system?

  • Firmware version (correct)
  • SQL injection
  • Cross-site scripting
  • Buffer overflow

A technician is troubleshooting a firewall configuration and decides to add a 'deny any' policy to the bottom of the ACL. This causes several company servers to become unreachable. What should the technician have done to prevent this issue?

  • Tested the policy in a non-production environment before enabling it in the production network. (correct)
  • Documented the new policy in a change request and submitted it to change management.
  • Included an 'allow any' policy above the 'deny any' policy.
  • Disabled any intrusion prevention signatures on the 'deny any' policy prior to enabling the new policy.

An organization wants to build a new backup data center with the primary goal of minimizing cost, an RTO of two days, and an RPO of around two days. Which type of backup site is most appropriate for this scenario?

  • Warm (correct)
  • Hot
  • Real-time recovery
  • Cold

Which of the following statements is TRUE regarding data sovereignty regulations?

  • Data sovereignty regulations dictate where data can be stored and processed, often requiring local storage and processing for certain types of data. (B, correct)

Which of the following security techniques is most effective in mitigating the risk of a SQL injection attack?

  • Using a web application firewall (WAF) to filter malicious input. (C, correct)

Which threat actor is MOST likely to be employed by a nation-state to target infrastructure in another country?

  • Organized crime syndicate (D, correct)

What is the purpose of adding a unique, random value to a password before hashing?

  • Salting (B, correct)

An employee enters their login information into a fake website after clicking a link in an email. What type of social engineering attack is this?

  • Phishing (C, correct)

If an organization wants only the device with IP 10.50.10.25 to send DNS requests, which firewall access control list (ACL) is correct?

  • Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53
    Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53 (B, correct)

A company wants to use existing domain credentials for its new SaaS application. Which security mechanism would be MOST suitable?

  • SSO (B, correct)

Which scenario BEST exemplifies a Business Email Compromise (BEC) attack?

  • An attacker crafts an email that appears to come from the CEO's personal email to request an urgent wire transfer to an external company. (C, correct)

A company implements a system that requires multiple methods for authentication. Which technology describes the authentication system?

  • Multi-factor authentication (C, correct)

Which of the following describes an attack where a user is redirected to a malicious website by a similar-looking URL?

  • Typosquatting (B, correct)

An employee receives an email seemingly from an executive requesting gift cards. Which social engineering tactic is most directly exemplified by this?

  • Impersonation (B, correct)

A database administrator requires access to database servers on a separate network segment. What is the recommended secure method?

  • Jump server (C, correct)

A company's internet-facing website was compromised through a buffer overflow. Which of the following security measures is best suited to protect against similar attacks in the future?

  • Web Application Firewall (WAF) (B, correct)

Users are logging in from suspicious IP addresses. After user interviews and password resets, what should the administrator implement to prevent this in the future?

  • Multi-factor authentication (B, correct)

A text message requests credential verification from what appears to be the payroll department. What two social engineering techniques are being demonstrated?

  • Impersonation and Smishing (A, correct)

Following a smishing attack where the CEO was impersonated, which two actions should the company take?

  • Add a smishing exercise to company training and issue a general email warning (C, correct)

A company requires certified hardware. How can the risk of counterfeit hardware be best addressed?

  • Conduct a thorough supply chain analysis (B, correct)

What document outlines the parameters and limitations of a third-party penetration test?

  • Rules of engagement (B, correct)

A penetration tester is actively scanning ports and services. Which type of reconnaissance is being used?

  • Active (B, correct)

Which of the following plans is required for an organization to properly manage its restore process after a system failure?

  • Disaster Recovery Plan (DRP) (A, correct)

Installing software outside of a manufacturer's approved repository is associated with which risk?

  • Side loading (A, correct)

Multiple failed login attempts from different source IPs are occurring. What attack type is most likely in progress?

  • Password spraying (A, correct)

In the context of a Zero Trust data plane, what should an analyst prioritize when evaluating security?

  • Subject Role (D, correct)

An engineer needs a security solution to prevent unauthorized access to internal company resources. Which is the best recommendation?

  • Jump server (D, correct)

An attacker compromises an internal system, then pivots to gain access to a critical database server. Which security concept was most directly violated?

  • Least Privilege (D, correct)

A security analyst identifies an attempted connection to a non-encrypted website. Which string would a web filter use to block these connections?

  • http:// (C, correct)

A security team needs to block network traffic from a specific IP address (10.1.4.9). Which of the following access list configurations will accomplish this?

  • access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0 (A, correct)

Which security measure provides the most secure administrative access with minimal traffic through the security boundary?

  • Implementing a bastion host (B, correct)

To investigate a potential security incident involving an employee's laptop, which log source would provide details of the executable running on the machine?

  • Endpoint (D, correct)

A security team learns of a new attack method, but SIEM alerts are not yet configured. Which action should be taken to identify this new behavior?

  • Threat hunting (D, correct)

Purchasing cyber insurance is a strategy to deal with risks identified in the risk register. Which risk management strategy does this represent?

  • Transfer (B, correct)

Which of the following encryption methods would a security administrator use to encrypt the data stored on employees' laptops?

  • Full disk (A, correct)

What type of security control does an acceptable use policy represent?

  • Preventive (A, correct)

An IT manager limits access to the help desk software's administrative console. What security principle is being applied?

  • Least privilege (D, correct)

Which document is most likely to contain risks, responsible parties, and risk thresholds?

  • Risk register (B, correct)

What procedure should a security administrator follow when setting up new firewall rules?

  • Change management procedure (D, correct)

A company allows external security testing on its application in exchange for compensation. What type of program is being set up?

  • Bug bounty (B, correct)

Which threat actor is the most likely to utilize substantial financial resources when targeting systems in different countries?

  • Nation-state (B, correct)

Which method enables the manipulation of data by running commands through user input fields?

  • SQL injection (B, correct)

What type of data would be considered the primary focus for employees in a research and development unit?

  • Intellectual property (C, correct)

What security benefit is provided by labeling laptops with asset inventory stickers and associating them with employee IDs?

  • The device can be tied to the correct employee for incident notifications. (C, correct)
  • User awareness training can be effectively scheduled based on device usage. (D, correct)

What is the most effective method to enhance situational awareness among users transitioning back to office work?

  • Modifying the content of recurring training. (A, correct)

Which visualization method is most suitable for presenting quarterly incident reports to the board of directors?

  • Creating a dashboard to visualize incidents. (D, correct)

If a file integrity monitoring tool reports a hash change for cmd.exe but no patches were applied, what most likely occurred?

  • A rootkit was deployed on the system. (A, correct)

In an IaaS cloud model, which party holds the responsibility for securing the company’s database?

  • The client who utilizes the service. (C, correct)

Which document should a security company provide when asked for information on a project’s scope, cost, and time frame?

  • Statement of Work (SOW). (A, correct)

What application security technique is recommended to mitigate cross-site scripting vulnerabilities?

  • Use input validation techniques. (B, correct)

What must be prioritized when designing a high-availability network?

  • Ease of recovery from failures. (B, correct)
  • Network responsiveness to transactions. (D, correct)

What is the first step a technician should take before applying high-priority patches to a system?

  • Create a change control request. (D, correct)

Why is root cause analysis important in the incident response process?

  • To prevent similar incidents in the future. (D, correct)

What is the likely consequence for a large bank that fails an internal PCI DSS compliance assessment?

  • Receiving detailed audit findings. (D, correct)

What is the purpose of capacity planning in business continuity strategies?

  • To gauge recovery resources. (D, correct)

Which method is most effective for a company to restrict access to sensitive documents created in a SaaS application?

  • Enforcing a geolocation policy. (C, correct)

Flashcards

What type of threat actor is most likely hired by a foreign government for cyberattacks?

A type of threat actor who is often hired by governments to conduct cyberattacks against other nations. They are highly skilled and often have access to advanced resources and tools.

What is added to data before hashing to increase its security?

A technique used to enhance the security of one-way hashing algorithms by adding a random value to the input data before hashing. This makes it more challenging for attackers to reverse the hash and obtain the original data.

What type of attack uses a fake website to steal login information?

A type of social engineering attack where attackers create fake websites that closely resemble legitimate online services to trick victims into providing their login credentials and other sensitive information.

How to create an ACL to limit outbound DNS traffic to a specific IP address?

A firewall Access Control List (ACL) rule that allows outbound DNS traffic ONLY for a specific IP address, preventing other devices on the network from making DNS requests.

What is used to reduce the number of credentials employees need to manage?

A method that enables users to access multiple applications using a single set of credentials, eliminating the need for separate logins. This simplifies user authentication and improves security by reducing the number of passwords users need to manage.

What is a possible scenario for a business email compromise attack?

A type of cyberattack that targets organizations by compromising and manipulating their email communications. Attackers gain unauthorized access to email accounts and send fraudulent emails to unsuspecting recipients, often impersonating executives or other trusted individuals within the organization.

Hardware-specific vulnerability

A vulnerability that is specific to the hardware of a device, meaning it exploits flaws in the hardware design or implementation rather than software vulnerabilities.

SQL injection

A type of attack that injects malicious code into a web application to exploit vulnerabilities in the application's database layer.

Cold site

A type of data center that provides a basic infrastructure with limited resources, often requiring the organization to bring their own equipment and resources. It is suitable for situations with longer recovery times (RTO) and data loss (RPO) tolerance.

Warm site

A data center that provides a balance between cost and functionality, offering equipment and IT infrastructure, but not fully operational. This site typically has shorter recovery times (RTO) than a cold site.

Deny any policy

A security policy that blocks all traffic by default, often used as the last rule in a firewall ACL. It can help prevent unexpected or unauthorized traffic.

What is a hypervisor?

A hypervisor is software that creates and manages virtual machines, enabling a single physical computer to run multiple operating systems or applications as if each were on a separate machine.

How do you block access to non-encrypted websites using a web filter?

Blocking access to HTTP websites helps prevent connections to unencrypted web services. This can be achieved by filtering URL strings containing "http://" to restrict connections to those using HTTPS.

How do you block access to the corporate network from a specific IP address?

Firewalls define rules for network traffic. To block a malicious IP address, you add a rule that denies all inbound connections from that specific IP address.

What is a bastion host and how does it help with security?

A bastion host is a computer specifically configured to be hardened and act as a gateway between the internet and the internal network. It provides a secure point of entry and helps minimize the attack surface by limiting access to only essential services.

Why are endpoint logs significant for security investigations?

Endpoint logs are essential for security investigations, providing details about executed programs and their associated events. This helps to understand the activity of a specific device and identify any malicious behavior.

What is the purpose of threat hunting?

Threat hunting is a proactive security practice of searching for threats and vulnerabilities even when no alerts have fired. This helps to identify potential threats before they can exploit vulnerabilities.

How does cyber insurance help with risk management?

Cyber insurance is considered a risk transfer strategy. It acts as a financial safety net, covering potential losses caused by cyberattacks, enabling organizations to financially recover from breaches.

What is full disk encryption and why is it important for laptop security?

Full disk encryption protects all data stored on a drive, ensuring that access to the device doesn't grant access to the data. This protects data even if a device is lost or stolen.

What is an acceptable use policy (AUP) and what type of security control is it considered?

Acceptable use policies (AUPs) are documents outlining how devices and network resources can be used responsibly. They act as a preventive control by setting expectations and establishing rules of conduct.

What is the principle of least privilege?

The principle of least privilege means granting users only the permissions necessary to perform their assigned tasks. This reduces the potential impact of a compromise by limiting access to sensitive data.

What is a risk register?

A risk register is a document that lists and documents potential risks, the responsibility for managing each risk, and the thresholds or levels of acceptable risk tolerance.

Why is change management important when setting up new firewall rules?

Change management procedures are essential before implementing any changes to critical systems, particularly firewalls. They help to ensure controlled implementation, minimize disruptions, and reduce security risks.

What is a bug bounty program?

Bug bounty programs reward security researchers for finding and reporting vulnerabilities in a company's systems. They provide a way to crowdsource security testing and incentivize ethical hacking.

What are nation-state actors in cyber security?

Nation-state actors are highly sophisticated threat actors often backed by governments. They have access to significant resources and technical capabilities, and their motives can be political or economic espionage.

Explain the concept of SQL injection.

SQL injection is a code injection technique that uses malicious SQL statements to manipulate data or gain unauthorized access to databases. It exploits vulnerabilities in application code that interacts with databases.

Labeling laptops with asset stickers and employee IDs

Attaching asset inventory stickers to laptops and associating them with employee IDs aids in quickly identifying a device's owner, ensuring appropriate security policies are applied and facilitating communication regarding security incidents.

Best practice for improving user awareness

A periodic security reminder, a new hire documentation update, and a recurring training modification all aim to enhance user awareness; however, recurring training is the most effective option for continuously reinforcing security best practices with existing users.

Presenting security incident data to the board

Dashboards are used to visualize security data efficiently, providing a clear and concise overview of incident data to the board of directors.

Identifying a rootkit infection

A rootkit is a type of malware that conceals its presence and changes system files. This unauthorized modification of the cmd.exe file, coupled with the absence of recent patches, strongly indicates a rootkit infection.

Who is responsible for database security in an IaaS model?

In an Infrastructure-as-a-Service (IaaS) model, the client is responsible for securing the database, including configuration, access management, and data protection.

Document outlining project scope and deliverables

A Statement of Work (SOW) is a legally binding document outlining a project's details, including scope, timelines, deliverables, and cost, ensuring clear communication and expectations between the client and the security company.

Preventing Cross-Site Scripting (XSS) attacks

Input validation is a crucial application security technique that prevents cross-site scripting (XSS) attacks by filtering and sanitizing user inputs to remove malicious scripts that could be injected into the application.

Key considerations in designing a high-availability network

High-availability networks emphasize ease of recovery and responsiveness. They ensure minimal downtime and rapid restoration of services by employing redundant components and efficient failover mechanisms.

First step before applying a high-priority patch to a production system

Before applying any high-priority patch, a change control request must be submitted and approved to ensure proper documentation, communication, and risk assessment before implementing the patch, safeguarding infrastructure stability.

Importance of root cause analysis in incident response

Root cause analysis is performed during incident response to discover the underlying issue that caused the incident, enabling effective remediation and prevention of similar events in the future.

Potential outcome of failing a PCI DSS compliance assessment

Failing an internal PCI DSS compliance assessment might lead to audit findings, highlighting areas needing improvement. It can also involve potential fines or sanctions if the noncompliance is severe.

Identifying the required staff for business continuity

Capacity planning is determining the necessary resources, including staff, to maintain business operations during a disruption. It ensures sufficient personnel are available to continue critical functions.

Limiting access based on location

A geolocation policy restricts access to sensitive data based on the user's geographical location. This helps prevent unauthorized access from high-risk regions.

What is phishing?

Phishing is a type of social engineering attack where attackers impersonate legitimate entities to trick users into revealing sensitive information. The attacker may send an email, text message, or phone call that appears to be from a trusted source, such as a bank or government agency. The message will often include a link to a phishing website that looks just like the real one. If the user clicks on the link and enters their credentials, the attacker will be able to steal their information.

What is a jump server?

A jump server is a secure server that acts as an intermediary between an administrator's workstation and the database servers. This server allows administrators to connect to the database servers without giving them direct access to the network segment where the database servers are located. This prevents attackers from exploiting any vulnerabilities on the administrator's workstation to gain access to the database servers.

What is a WAF?

A web application firewall (WAF) is a software application that protects websites from attacks that target web applications. A WAF can identify and block attacks such as cross-site scripting (XSS), SQL injection, and buffer overflows. By analyzing incoming requests, it can detect and block malicious traffic.

What is multi-factor authentication?

Multi-factor authentication (MFA) is a security measure that requires users to provide two or more forms of authentication before they can access an account. This helps to prevent unauthorized access to accounts, even if attackers have stolen a user's username and password. For example, if a user has a password they must also enter a code sent to their phone.

What is smishing?

Smishing is a type of phishing attack that uses text messages to deceive users. Attackers impersonate a trusted source, like a bank or credit card company, and send text messages asking for sensitive information, such as account numbers or passwords. Users may be tricked into believing the text message is legitimate.

What is impersonation?

Impersonation is a form of social engineering attack, where attackers pretend to be someone else. They might try to convince victims they are from a trusted source or have a specific role. They might use this to gain access to sensitive information, manipulate decisions, or gain access to systems.

Why is supply chain analysis important?

A supply chain analysis is a process of identifying and assessing the risks associated with a company's supply chain. This process involves evaluating the suppliers, manufacturers, and distributors that a company works with to identify potential vulnerabilities. The aim is to make sure that the company is not using counterfeit hardware or software, and that its supply chain is reliable and trustworthy.

What is a rules of engagement document?

The rules of engagement (ROE) are a document that outlines the scope and limitations of a penetration test. It includes things like what parts of the network can be tested, what types of tools can be used, and when the tester can stop the test. They are crucial for defining the objectives and boundaries of the test, ensuring the tester has a clear scope and the client understands what to expect.

What is 'active' reconnaissance?

Active reconnaissance is a type of reconnaissance that involves interacting with the target system in order to gather information. Common active reconnaissance techniques include port scans, banner grabbing, and vulnerability scanning. They can help testers understand the system's services and discover potential vulnerabilities.

What is a disaster recovery plan?

A disaster recovery plan (DRP) is a document that outlines how an organization will recover its IT systems and data in the event of a disaster. This plan involves setting up processes for restoring backup data, relocating IT equipment, and communicating with employees and customers. It's important because it helps the organization to quickly recover from a disaster and minimize business disruption.

What is side-loading?

Side-loading is the process of installing software on a device from a source other than the official app store or manufacturer-approved repository. This can be a security risk because the software may not have been vetted for malware. It may introduce vulnerabilities or bypass security measures.

What is password spraying?

Password spraying is a type of brute-force attack that involves using a list of common passwords against multiple accounts. Instead of trying all possible combinations for each account, the attacker cycles through a small set of known passwords against many accounts hoping to get lucky. By targeting a few accounts at a time, it can avoid detection by security systems.

What is subject role in Zero Trust?

Subject role is a method of securing access by grouping users and their permissions based on their role within the organization. It limits access to the permissions the job requires rather than assigning them per individual user. This helps to reduce the risk of unauthorized access by employees.

How does a jump server work?

A jump server acts as a secure intermediary between an administrator's workstation and a restricted network segment. Instead of giving direct access to the restricted segment, the administrator connects to the jump server first, then uses the jump server to access the target resources. This keeps the administrator's workstation isolated from the restricted network segment, reducing the potential for compromise.

Study Notes

Threat Actor Analysis

  • Organized crime is the most likely threat actor to be hired by a foreign government to attack critical systems in other countries (83% community vote).

Data Transformation

  • Salting is used to add complexity before one-way data transformation algorithms (89% community vote).

Social Engineering Attacks

  • Phishing is the most likely social engineering attack in which an employee clicks a link in an email, enters login information, and receives a "page not found" error (84% community vote).

Firewall ACLs

  • To allow outbound DNS requests from a specific IP address (10.50.10.25), a firewall rule should permit that IP address and deny all others (93% community vote).

Single Sign-On (SSO)

  • SSO is the method to reduce employee credentials by using domain credentials to access SaaS applications (100% community vote).

Business Email Compromise (BEC)

  • A BEC attack occurs when an employee receives an email from the HR director requesting login credentials to a cloud administrator account (61% community vote).

Jump Server

  • A jump server is used for database administrators to access database servers when direct access is restricted (100% community vote).

Web Application Firewall (WAF)

  • A WAF is the best solution to protect against buffer overflow attacks on internet-facing websites (74% community vote).

Multi-Factor Authentication (MFA)

  • MFA is used to prevent unauthorized logins from suspicious IP addresses (100% community vote).

Social Engineering Techniques

  • Impersonation and smishing are common social engineering techniques used to gain credentials, often via text messages (92% community vote).

Employee Recognition Gift Card Phishing

  • Cancelling gift cards, adding smishing exercises to security training and issuing general email warnings are the best responses to gift card phishing attempts (97% community vote).

Counterfeit Hardware

  • Thorough supply chain analysis is the best approach to mitigate risks associated with procuring counterfeit hardware (78% community vote).

Rules of Engagement

  • Rules of engagement document the terms of a penetration test with a third-party tester (95% community vote).

Reconnaissance Types

  • Active reconnaissance involves port and service scans during penetration testing (100% community vote).

Disaster Recovery Plan (DRP)

  • DRP details procedures for recovering from a system failure (97% community vote).

Side Loading

  • Side loading is installing software outside a manufacturer's approved software repository (100% community vote).

Password Spraying Attack

  • A password spraying attack involves attempting to log in to accounts using a limited set of common passwords (100% community vote).

Zero Trust Principles

  • Subject role is the most relevant factor for evaluating Zero Trust principles in the data plane (41% community vote).

Jump Server

  • A jump server is the best solution for minimizing the traffic allowed through the security boundary for administrative access to internal resources (85% community vote).

Endpoint Logs

  • Endpoint logs should be used as a data source for investigations into potential malicious network traffic from employee laptops (93% community vote).

Threat Hunting

  • Conducting threat hunting is the best way to identify new, unknown behaviors in SIEM logs before alerts are configured (100% community vote).

Risk Transfer

  • Purchasing cyber insurance represents a risk transfer strategy to address items in the risk register (80% community vote).

Full Disk Encryption

  • Full disk encryption is the optimal technique for securing data on employee laptops (100% community vote).

Preventive Controls

  • Acceptable use policies are preventive security controls (92% community vote).

Least Privilege

  • Implementing least privilege means limiting access to only necessary resources for employees (100% community vote).

Risk Register

  • A risk register documents risks, responsible parties, and thresholds (100% community vote).

Change Management

  • Adhering to change management procedures is crucial when setting up firewall rules (100% community vote).

Bug Bounty Programs

  • Bug bounty programs compensate researchers for discovering vulnerabilities in a company’s applications (100% community vote).

Nation-State Actors

  • Nation-state actors are most likely to use substantial financial resources to attack critical systems in other countries (100% community vote).

SQL Injection

  • SQL injection attacks use input fields to run commands that view or manipulate data (100% community vote).

Intellectual Property

  • Intellectual property is the type of company data employees in research and development are most likely to use (100% community vote).

Asset Inventory

  • Labeling laptops with asset stickers and associating them with employee IDs improves incident response, security awareness, and record keeping (50% community vote).

Security Training

  • Modifying recurring training to include information about employee transition from remote to in-office work is the best way to improve situational and environmental awareness (100% community vote).

Dashboard

  • Dashboards are used to present incident data to the board of directors for summary (100% community vote).

Rootkits

  • A change in a system file's hash, without corresponding OS patch application, likely indicates rootkit deployment (100% community vote).

Shared Responsibility Model – IaaS

  • The client is responsible for securing resources in an IaaS cloud environment (89% community vote).

Statement of Work (SOW)

  • A Statement of Work (SOW) details a project, cost, and timeframe for a client (96% community vote).

Input Validation

  • Implementing input validation is recommended to prevent cross-site scripting vulnerabilities in web applications (100% community vote).

High Availability

  • Ease of recovery and responsiveness are crucial for designing a high-availability network (76% community vote).

Change Control

  • Creating a change control request is the first step before applying a high-priority patch to a production system (100% community vote).

Incident Response – Root Cause Analysis

  • Conducting root cause analysis in incident response aims to prevent future similar incidents (100% community vote).

PCI DSS Compliance

  • Failing a PCI DSS compliance assessment may result in an audit finding, not just fines or sanctions (67% community vote).

Capacity Planning

  • Capacity planning determines the staffing required to sustain business operations after a disruption (100% community vote).

Geolocation Policy

  • Implementing a geolocation policy is the most effective way to control access to sensitive documents in a SaaS application based on country of origin (100% community vote).

Firmware

  • Firmware version is a hardware-specific vulnerability (100% community vote).

Firewall Testing

  • Testing firewall policies in a non-production environment before implementation is crucial to avoid disrupting production systems (73% community vote).

Warm Data Center

  • A warm data center is best for cost-focused backups with an RTO and RPO of around two days (78% community vote).

Description

Test your knowledge on various cybersecurity vulnerabilities, hardware security issues, and mitigation techniques for common attacks like SQL injection. This quiz also covers data sovereignty regulations and backup strategies for data centers. Challenge yourself and see how well you understand the complexities of cybersecurity.
