Security SY0301 Study Guide v611

Transcript of Security SY0301 Study Guide v611

Page 1: Security SY0301 Study Guide v611

Security+ SY0-301 Study Guide

PORTS
20 and 21 - FTP
22 - SSH, SCP, and SFTP
23 - Telnet
25 - SMTP
49 - TACACS
53 - DNS (Domain Name System)
80 - HTTP (Hypertext Transfer Protocol)
88 - Kerberos
110 - POP3 (Incoming Email)
143 - IMAP (Email)
161 - SNMP
443 - SSL, HTTPS
636 - Secure LDAP
1443 - MS-SQL Database
1701 - L2TP
1723 - PPTP
3389 - RDP (Remote Desktop)
6881-6889 - BitTorrent

Confidentiality - Encryption and Permissions
Integrity - Hashing
Availability - RAID-1, RAID-5, Load Balancing, and Clustering

Network Security

1. IPv6 uses a long string of both numbers and alphanumeric characters to create addressing options and avoid duplicate addresses.
2. ICMP is being blocked if you cannot ping a router.
3. Implement loop protection on your switch to prevent users from causing network disruptions by connecting both ends of a patch cable into different ports of a switch.
4. It is best practice to disable any unused ports to secure the switch from physical access.
5. Port security can be implemented by applying a security control which ties specific ports to a device’s MAC address and prevents other devices from being able to connect to your network.
6. Use a VLAN if there is a need for departmental separation on the network.
7. VLAN segregation can be used to prevent ARP poisoning attacks across the network.
8. A firewall and VPN server can allow remote access to your corporate network.
9. The default rule in a firewall’s ACLs is a Deny All, or implicit deny.
10. The last rule on a firewall should be an implicit deny; in firewall ACL statements this is called Drop All.

Page 2: Security SY0301 Study Guide v611

11. The implicit deny firewall rule set will stop network traffic that is not identifiable.
12. Stateful packet inspection will block incoming traffic that does not match an internal request.
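Items 9 through 12 describe first-match ACL evaluation, the implicit deny at the end of the rule base, and stateful inspection of replies. The following is an added example written for this guide (it is not code from the original study guide or from any firewall product); the rule base, the addresses (taken from documentation ranges) and the simplified 5-tuple state table are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp", "icmp" or "any"
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    dport: Optional[int]  # destination port; None matches any port


# Constructed sample rule base. There is deliberately no catch-all rule at the
# end: anything that falls through is dropped by the implicit deny in evaluate().
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),   # public HTTPS server
    Rule("allow", "tcp", "10.0.0.0/8", "203.0.113.20/32", 22),   # SSH from inside only
    Rule("deny", "icmp", "0.0.0.0/0", "203.0.113.0/24", None),   # explicit: no ping of the DMZ
]


def evaluate(rules, proto, src, dst, dport=None) -> Tuple[str, Optional[int]]:
    """First-match ACL evaluation. Returns (action, index of the matching rule).
    If nothing matches, the packet hits the implicit deny and the index is None."""
    for i, r in enumerate(rules):
        if r.proto != "any" and r.proto != proto:
            continue
        if ip_address(src) not in ip_network(r.src):
            continue
        if ip_address(dst) not in ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, i
    return "deny", None  # implicit deny, a.k.a. "Drop All"


class StatefulFirewall:
    """Stateful inspection on top of the ACL: inbound traffic is allowed only if
    it is the reply to a request the inside initiated, or an explicit allow
    rule matches it."""

    def __init__(self, rules):
        self.rules = rules
        self.state = set()  # (proto, src, sport, dst, dport) of internal requests

    def outbound(self, proto, src, sport, dst, dport) -> str:
        # Record the internal request so that its reply is recognised later.
        self.state.add((proto, src, sport, dst, dport))
        return "allow"

    def inbound(self, proto, src, sport, dst, dport) -> Tuple[str, str]:
        # A reply carries the endpoints of the recorded request swapped around.
        if (proto, dst, dport, src, sport) in self.state:
            return "allow", "established"
        action, idx = evaluate(self.rules, proto, src, dst, dport)
        reason = f"rule {idx}" if idx is not None else "implicit deny"
        return action, reason


if __name__ == "__main__":
    fw = StatefulFirewall(RULES)
    print(evaluate(RULES, "tcp", "198.51.100.5", "203.0.113.10", 443))  # ('allow', 0)
    print(evaluate(RULES, "tcp", "198.51.100.5", "203.0.113.20", 22))   # ('deny', None)
    fw.outbound("tcp", "10.1.1.5", 50000, "198.51.100.7", 80)
    print(fw.inbound("tcp", "198.51.100.7", 80, "10.1.1.5", 50000))     # ('allow', 'established')
    print(fw.inbound("tcp", "198.51.100.7", 80, "10.1.1.5", 50001))     # ('deny', 'implicit deny')
```

The unsolicited inbound packet to port 50001 in the last line is exactly the case item 12 describes: it matches no internal request and no explicit rule, so the implicit deny drops it.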

13. Flood guards can protect against SYN attacks.
14. An IDS identifies malicious activity after it has occurred.
15. To identify a malicious attacker’s computer from the IDS, look for unknown MAC addresses.
16. Your users are unable to download content from certain websites, and the IDS keeps alerting you about suspicious traffic on the network. The most likely cause is that the NIPS on the network is blocking activity from those websites.
17. A NIDS is used to detect suspicious behavior but not react to it.
18. A NIDS can be implemented to help identify smurf attacks.
19. An IPS will stop an attack that is in progress.
20. SNMP is used to monitor network devices.
21. SNMP allows an administrator to set device traps.
22. Content filtering can be performed by a web security gateway.
23. A proxy is used to cache and filter content.
24. A load balancer can be used to optimize and distribute network traffic loads across multiple computers and networks.
25. If one server in your DMZ is unable to communicate on the Internet or the internal network, make sure the server has the correct default gateway IP address configured.
26. A VPN concentrator is used to provide secure remote access into the network.
27. A provider cloud facilitates computing for heavily utilized systems and networks.
28. A security control that is lost with cloud computing is physical control of the data.
29. Software as a Service (SaaS) is a good solution if budget requirements do not allow for additional servers or hiring new personnel.
30. Webmail would be classified as a Software as a Service (SaaS) technology.
31. The Platform as a Service (PaaS) cloud concept is described as providing an easy-to-configure operating system and on-demand computing for customers.
32. A DMZ allows access to services within it while segmenting access to the internal network.
33. EMI shielding is used to prevent someone from capturing network traffic via the network wire.
34. WEP is an insecure protocol because of its improper use of the RC4 stream cipher.
35. Isolation mode on an access point will segment each wireless user from the other wireless users.
36. To allow only certain wireless clients on your network you should enable and configure MAC filtering.

Page 3: Security SY0301 Study Guide v611

37. AES is one of the best choices for encryption on a wireless network.
38. WPA2 provides the highest level of security on a wireless network.
39. If your wireless device keeps connecting to and disconnecting from the wireless network, make sure there is not a nearby wireless network that might be interfering with yours.
40. The first thing you should look at when implementing an access point to gain more coverage is the power levels of the access point.
41. Decrease the power levels on your WAP to limit the wireless signal range.
42. Two wireless security controls that can be easily and quickly circumvented using only a network sniffer are MAC filtering and disabling the SSID broadcast.

Compliance and Operational Security

1. Confidentiality ensures that only authorized users can view data. Installing a mantrap and HVAC in order to protect company data is an example of confidentiality and availability.
2. Hot and cold aisles should be used to regulate cooling within a datacenter.
3. A hot site is a duplicate of the original site.
4. A cold site is the least expensive type of backup site. Just make sure the cold site meets power and connectivity requirements in case of a disaster.
5. RAID is a form of availability, specifically RAID-1 and RAID-5.
6. Clustered servers could eliminate having a single point of failure.
7. An off-site backup is the best way to secure data.
8. A Disaster Recovery Plan (DRP) should contain a hierarchical list of critical systems.
9. Change management is a way to manage updates for operating systems and firmware.
10. If security policy states that all flash drives are banned, also make sure that this includes personal music devices.
11. A clean desk policy is implemented to reduce the risk of possible data theft and to force users to organize their work area.
12. Performing routine security audits is a detective control.
13. Asset value (cost) is used when performing a quantitative risk analysis.
14. Good judgment is used for performing a qualitative risk analysis.
15. Risk cannot be eliminated.
16. Risk transference is when a company purchases insurance to reduce risk.
17. If your company is looking into a new enterprise solution, make sure a risk assessment is performed before implementation.
18. Bank account information is considered Personally Identifiable Information (PII), so make sure users are educated on how to handle malicious attempts to obtain this type of information.
19. Personally Identifiable Information (PII) requires special handling and explicit policies for data retention and data distribution.

Page 4: Security SY0301 Study Guide v611

20. Using your name and birthday together is considered Personally Identifiable Information (PII).
21. After taking a forensic image of a computer’s memory chip you should run that image through SHA-256 to ensure image integrity.
22. Forensic hashing on a drive should be done before and after the imaging process, and then hash the forensic image.
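Items 21 and 22 (and item 41 below, on detecting hard drive evidence tampering with hashing) describe the hash-before, hash-after, hash-the-image workflow. The following is an added example, not code from the study guide or from any forensic tool; the "drive" is a constructed byte string standing in for a block device, and the imager is a plain copy.

```python
import hashlib
import hmac

CHUNK = 4096


def sha256_hex(data: bytes) -> str:
    """Hash in fixed-size chunks, as you would when streaming a large image
    from disk rather than loading it into memory at once."""
    h = hashlib.sha256()
    for i in range(0, len(data), CHUNK):
        h.update(data[i:i + CHUNK])
    return h.hexdigest()


# Constructed stand-in for the evidence drive: 64 KiB of repeating bytes.
# A real acquisition reads the block device (ideally through a write blocker).
SOURCE_DRIVE = bytes(range(256)) * 256


def image_drive(source: bytes) -> bytes:
    # Bit-for-bit copy; a real imager writes this to a file (e.g. a raw .dd image).
    return bytes(source)


def acquire(source: bytes) -> dict:
    """Hash the source before imaging, image it, hash the source again, then
    hash the image. All three digests must agree for the image to be trusted:
    before != after means the source changed during acquisition, and
    image != before means the copy is not faithful."""
    before = sha256_hex(source)
    image = image_drive(source)
    after = sha256_hex(source)
    image_hash = sha256_hex(image)
    verified = (hmac.compare_digest(before, after)
                and hmac.compare_digest(before, image_hash))
    return {"before": before, "after": after, "image_hash": image_hash,
            "image": image, "verified": verified}


def verify_evidence(evidence: bytes, recorded_hash: str) -> bool:
    """Re-verification later (before analysis, or when custody changes hands):
    recompute the digest and compare it with the one recorded in the
    chain-of-custody documentation."""
    return hmac.compare_digest(sha256_hex(evidence), recorded_hash)


if __name__ == "__main__":
    record = acquire(SOURCE_DRIVE)
    print("image verified:", record["verified"])            # True
    tampered = bytearray(record["image"])
    tampered[1000] ^= 0x01                                  # flip a single bit
    print("tampered copy verifies:",
          verify_evidence(bytes(tampered), record["image_hash"]))  # False
```

The digest strings, not the image, are what gets written into the chain-of-custody record; anyone who later holds the image can recompute them, which is what makes a single flipped bit detectable.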

23. Hooked processes can be found in RAM.
24. To reduce the data leakage threat if your mobile devices get stolen, make sure you have the ability to remotely sanitize the devices.
25. Job rotation would be when you have to change roles with another administrator every few months.
26. User awareness and training should be performed to minimize the organizational risk posed by users.
27. Security awareness training should be coupled with employees signing a user agreement.
28. Reviewing user rights and permissions is a common routine while reviewing system audits.
29. Chain of custody provides documentation as to who, what, when, where, and possibly why, for everyone who has handled evidence.
30. Chain of custody can help show that a system was handled properly during transportation.
31. Information disclosure is a security risk when using P2P software.
32. Detecting fraud is a security benefit of mandatory vacations.
33. CCTV is a detective security control type.
34. A video surveillance system will contain reliable proof that a building was accessed at a certain time of day.
35. A change management strategy is used to prevent ad-hoc configuration mistakes.
36. Humidity can reduce the potential for static discharge.
37. When getting rid of old hard drives you should make sure you perform a bit-level erasure or overwrite all data.
38. Recovery Point Objectives and Recovery Time Objectives relate to the Business Impact Analysis of the BCP.
39. Required data labeling is used to ensure that users know what data they are handling and processing.
40. Least privilege is giving the user only the rights they need to complete their job.
41. To be able to identify hard drive evidence tampering you should implement hard drive hashing.
42. The privacy policy should be referenced if you need to know what type of user information should be collected by your website.
43. Fluorescent lighting causes EMI on Ethernet cables, so do not place Ethernet cables over lighting when running cable.
44. A COOP (Continuity of Operations Plan) is described as restoring mission essential functions at an alternate site and performing those functions for up to 30 days.

Page 5: Security SY0301 Study Guide v611

45. Mean time to restore is a metric for determining the effectiveness of a Continuity of Operations Plan or a Disaster Recovery Plan.

Threats and Vulnerabilities

1. A malicious attacker is also known as a black hat.
2. The primary difference between a virus and a worm is that a worm is self-replicating, whereas a virus is not.
3. Keygens (Key Generators) are well known to contain Trojans. Beware!!!
4. Trojans are commonly installed via a thumb drive.
5. A rootkit is a system-level kernel module that is used to modify file system operations.
6. A botnet can be installed on a PC by the user visiting a malicious/compromised website and the software being installed on the PC. After this has occurred the user will notice slow performance and a lot of outbound connections to various websites.
7. If your computer is part of a botnet and you turn the computer off, you will not be able to retrieve data from memory, system processes, and network processes.
8. Botnets will typically use IRC for command and control activities.
9. A man-in-the-middle attack is when there is interruption of network traffic accompanied by the insertion of malicious code.
10. DoS attacks commonly happen to web servers, and more often by a single external user.
11. An example of a DoS attack is if you notice your web server logs show that the online store crashes after a single external user has executed a particular search string.
12. DDoS and Smurf attacks create additional network traffic in order to congest the network.
13. Spear phishing targets specific employees or persons of a company.
14. ARP poisoning allows traffic to be redirected through a malicious machine by sending false hardware address updates to a switch.
15. To prevent host enumeration by a sweeping device, the ICMP protocol should be blocked.
16. Hiring a secure shredding and disposal service would mitigate dumpster diving.
17. Whaling is a social engineering attack that targets executives and high-profile targets.
18. An example of a vishing attack is when you receive a call that is an automated recording stating it is from your credit card company. The recording asks you to state your credit card information to verify your identity. Don’t do this!
19. Using password-protected screen savers, password masking, and privacy screens would be used to mitigate shoulder surfing.
20. Mantraps are good at stopping tailgating.

Page 6: Security SY0301 Study Guide v611

21. Tailgating is when you allow another person access through a physical access system without them verifying their credentials.
22. War driving attacks can be reduced by proper wireless antenna placement and reducing radio power settings.
23. Evil twin is a wireless attack where a rogue, or counterfeit, access point uses the same SSID as a legitimate access point.
24. A rogue access point is an unauthorized wireless router that allows access to a secure network.
25. Data can still be stolen by a bluesnarfing attack on a smartphone even if the screen lock is enabled and the disk is encrypted.
26. To prevent cross-site scripting you must implement input validation to remove hypertext.
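Items 26 and 27 say that cross-site scripting is prevented by validating input and keeping HTML tags out of it. The following added example (not code from the study guide) shows both halves of that in practice: an allow-list validator for a field that should never contain markup, a deny-list check for tags, and output encoding of anything that is reflected into a page. The field names, regular expressions and the sample input are assumptions made for the example.

```python
import html
import re

# Allow-list for a short identifier field: letters, digits, underscore, dot, hyphen.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")
# Anything that looks like an HTML tag; used to reject hypertext in free-text fields.
TAG_RE = re.compile(r"<[^>]*>")


def validate_username(value: str) -> str:
    """Allow-list validation: reject anything outside the expected character set
    rather than trying to enumerate every dangerous character."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username contains characters outside the allow list")
    return value


def contains_markup(value: str) -> bool:
    """Deny-list check (item 27): does the value carry an HTML tag at all?"""
    return TAG_RE.search(value) is not None


def render_unsafe(name: str) -> str:
    # Vulnerable: user input is placed straight into the page, so a tag in the
    # input becomes a tag in the document the browser interprets.
    return f"<p>Welcome, {name}!</p>"


def render_safe(name: str) -> str:
    # Hardened: output encoding turns <, >, &, " and ' into entities, so the
    # browser shows them as text instead of treating them as HTML.
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


# Constructed test input containing a script tag, as an XSS scanner would send.
SAMPLE_INPUT = "<script>alert(1)</script>"

if __name__ == "__main__":
    print(render_unsafe(SAMPLE_INPUT))  # tag survives: vulnerable
    print(render_safe(SAMPLE_INPUT))    # <p>Welcome, &lt;script&gt;alert(1)&lt;/script&gt;!</p>
    print(contains_markup(SAMPLE_INPUT), contains_markup("plain text"))  # True False
```

Validation on the way in and encoding on the way out are complementary: the validator keeps bad data out of storage, and the encoder protects the page even when data arrives from somewhere that was never validated.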

27. Preventing the use of HTML tags can mitigate cross-site scripting.
28. Cross-site scripting can be manifested as a JavaScript image tag or an embedded HTML image object in an email.
29. An example of a command injection is when a command has been entered into an HTML form.
30. JavaScript that is being used to send random data to another service on the same system is most likely attempting a buffer overflow.
31. An initialization vector can be compromised by a buffer overflow.
32. You are creating a new program and allocate 32 bytes for a string variable. However, you do not adequately ensure that more than 32 bytes cannot be copied into the variable. Your program might be vulnerable to a buffer overflow.
33. A NOOP sled (a run of no-operation instructions) indicates a buffer overflow attack occurred.
34. If you need to prevent unauthorized people from entering your office building you could use proximity readers and security guards.
35. A protocol analyzer can determine if an application is transmitting passwords in clear text.
36. A protocol analyzer lets you view the IP headers on a data packet.
37. Content inspection is actively monitoring data traffic in order to find malicious code or malicious behavior.
38. When conducting a corporate vulnerability assessment you should organize data based on severity and asset value.
39. A vulnerability scan is a passive attempt to identify weaknesses, but it does not exploit them.
40. A vulnerability scan is a management control type.
41. A good reason to perform a penetration test is to determine the impact of a threat.
42. Penetration testing should be done with the consent of the owner and with preset conditions because the testing actively tests security controls and can cause system instability.
43. White box penetration testing is a software testing technique whereby explicit knowledge of the internal workings of the item being tested is used to select the test data.

Page 7: Security SY0301 Study Guide v611

44. A gray box penetration test is performed with limited inside knowledge of the network.

Application, Data and Host Security

1. Fuzzing can allow an intruder to identify vulnerabilities in a closed source application.
2. Input validation should be implemented to avoid SQL injection attacks.
3. Input validation will ensure that certain characters and commands entered on a web server are not interpreted as legitimate data and are not passed on to backend servers.

4. Determining what ports are open on a system can let you know what services are running.
5. Integrity has been compromised if a bulk update process fails and writes incorrect data throughout your database.
6. If a user is crashing a program due to improper input, the programmer probably failed to configure some sort of error handling.
7. Secure coding concepts are a hardening step of an application during the SDLC.
8. Application hardening will ensure that your application is secure. Part of this process is to make sure unnecessary services are disabled.
9. If your database servers are being compromised by a database user account with the default password, then your operational procedures are missing application hardening.
10. When installing an application you should perform software updates to the application and make sure vendor-provided hardening documentation is reviewed and applied.
11. Patch management is a great way to combat operating system vulnerabilities.
12. A part of patch management is to verify new software changes on a test system.
13. A benefit of having a standardized server image is that mandated security configurations have been made to the operating system.
14. You can use baseline reporting to identify an application’s security posture.
15. If you need to know if certain network behavior is normal or not, look at the baseline reporting.
16. Secure code review practices should happen from the start in software development.
17. An antivirus scanner is unlikely to discover a logic bomb or pharming.
18. If you are receiving emails containing advertisements you should implement some sort of anti-spam filtering.
19. Enable the pop-up blocker to prevent unwanted windows from opening in a browser.
20. A host-based firewall is installed on a single computer to prevent intrusion.
21. To protect the operating system from malicious software you should disable any unused services and update the HIPS signatures.

Page 8: Security SY0301 Study Guide v611

22. A locking cabinet would be great to use to prevent theft of devices and unused assets.
23. ServerA requires high availability. ServerB requires high security. The configurations for the servers are as follows: ServerA fails open, and ServerB fails closed.
24. SELinux is a trusted operating system implementation that is used to prevent malicious code from executing on a UNIX/Linux system.
25. Device encryption can be used by a mobile device to ensure confidentiality of the data.
26. GPS tracking could be a security vulnerability for a mobile device and can be disabled. However, GPS can come in handy if you have mobile workers and need to recover a lost mobile device.
27. Most smartphones now have a remote wipe feature that allows the owner to remotely send a command to their stolen smartphone and tell it to erase all data.
28. Virtual machines should have the same security requirements as physical machines.
29. A network-based DLP (data loss prevention) system can help reduce the risk of users emailing confidential data to others outside of the company.
30. Using full disk encryption is a way to mitigate data loss if a mobile/portable device is compromised.
31. A Trusted Platform Module (TPM) is a hardware chip that is used to store encryption keys and is used for full disk encryption.
32. Trusted Platform Modules (TPM) and Hardware Security Modules (HSM) provide storage for RSA or asymmetric keys and can assist in user authentication.
33. A Hardware Security Module (HSM) is a removable device used to encrypt data.
34. A Hardware Security Module (HSM) can be added to an existing server to provide encryption capabilities.
35. Hardware Security Modules (HSM) are used to generate and store keys, even SSL session keys.

Access Control and Identity Management

1. The RADIUS protocol encrypts password packets from client to server.
2. Administrators that have both a regular user account and an administrator user account have the two accounts to prevent escalation of privileges.
3. RADIUS is used for 802.1x authentication, even for wireless networks.
4. Kerberos is an access, authentication, and authorization protocol that is more secure than TACACS, RADIUS, and LDAP.
5. TACACS+ uses multiple challenge-responses for authentication, authorization, and auditing.
6. TACACS+ is used to authenticate users accessing a network device.
7. Kerberos uses tickets to identify users to the network.

Page 9: Security SY0301 Study Guide v611

8. LDAP is a single point of user management.
9. MSCHAPv2 and PEAP can be used in conjunction with each other to provide mutual authentication.
10. Lanman is susceptible to brute force attacks because of its ability to only store seven uppercase characters of data.
11. Lanman passwords can be discovered by brute force cracking the first seven characters and then the second part of the password.
12. NTLM is backwards compatible and replaces Lanman.
13. PEAP-TLS requires a CA to authenticate. Remember that TLS = certificate = CA.
14. Single sign-on (SSO) centrally authenticates multiple clients and applications against a federated user database.
15. FTP servers use ACLs to determine what a user can or cannot do on the FTP server.
16. Role-based access control is a system of controlling which users have access to resources based on the role or job function of the user.
17. Password recovery is an example of allowing your users to perform a self-service password reset.
18. An example of a biometric device is a fingerprint scanner.
19. A biometric authentication system would help prevent intruders from entering an office building that currently has a PIN authentication system.
20. A thumbprint scanner tests the human authentication factor of something a user is.
21. A proximity card reader tests the human authentication factor of something a user has.
22. Tokens allow a user to have a one-time password.
23. RSA tokens provide a rolling password for one-time use.
24. Least privilege implementation is a technical control.
25. Account disablement will ensure that terminated users no longer have access to the network.
26. MAC filtering is a form of Network Access Control (NAC).
27. ACLs can be configured to allow remote access into a network.
28. An example of multifactor authentication is using a PIN and a smart card.
29. A Common Access Card (CAC) is a form of photo identification.
30. It is a good idea to periodically review the user rights on a server to maintain the security of the system.
31. If a user trying to authenticate through a NAC-enabled network is not prompted for their credentials, their computer is missing the authentication agent.

32. A representation of a complex password policy that enforces lowercase passwords using letters “a” through “z”, where “n” is the password length, is 26^n.
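Item 32 gives the keyspace formula 26^n, and items 10 and 11 above explain why Lanman is weak: the password is stored as two independent seven-character uppercase halves, each of which can be cracked on its own. The following added example (not from the study guide) computes both: the general alphabet^length keyspace, the Lanman two-halves effort, and what each means in bits and in worst-case time at an assumed guess rate. The guess rate and the alphabet sizes beyond 26 are assumptions for illustration; the Lanman figures follow the guide's description (seven uppercase characters per half).

```python
import math

LOWERCASE = 26           # "a" through "z", as in item 32
LOWER_UPPER_DIGITS = 62  # a-z, A-Z, 0-9 (assumed alphabet for comparison)
ALL_PRINTABLE = 95       # printable ASCII (assumed alphabet for comparison)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length over this alphabet.
    This is the 26^n of item 32 when alphabet_size is 26."""
    return alphabet_size ** length


def lanman_effort(alphabet_size: int = 26) -> int:
    """Lanman stores the password as two independent 7-character halves, so an
    attacker searches each half separately: at most 2 * size**7 guesses rather
    than size**14 for a 14-character password treated as one unit."""
    return 2 * keyspace(alphabet_size, 7)


def bits_of_entropy(space: int) -> float:
    """Keyspace expressed as bits: log2 of the number of possibilities."""
    return math.log2(space)


def worst_case_seconds(space: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole keyspace at a given (assumed) guess rate."""
    return space / guesses_per_second


if __name__ == "__main__":
    rate = 1e9  # assumed offline guess rate, purely for illustration
    for size, n in [(LOWERCASE, 8), (LOWER_UPPER_DIGITS, 8), (ALL_PRINTABLE, 12)]:
        s = keyspace(size, n)
        print(f"{size}^{n} = {s:.3e}  ({bits_of_entropy(s):.1f} bits, "
              f"{worst_case_seconds(s, rate) / 86400:.1f} days worst case)")
    whole = keyspace(LOWERCASE, 14)
    halves = lanman_effort()
    print(f"14 uppercase letters as one unit: {whole:.3e} ({bits_of_entropy(whole):.1f} bits)")
    print(f"same password as two Lanman halves: {halves:.3e} ({bits_of_entropy(halves):.1f} bits)")
```

The last two lines make item 11 concrete: splitting into halves reduces a 14-character search from roughly 66 bits to roughly 34 bits, which is why the guide says to brute force the first seven characters and then the rest.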

33. You should implement a time-of-day restriction and use access control lists if you need to keep a group of users from accessing the network after 5:00pm and prevent them from accessing another group’s network.

Page 10: Security SY0301 Study Guide v611

34. Password length requirements will require users to have a password of a specific length. If the password is not at least that length, it cannot be used.
35. Minimum age time must be implemented with password history in order to prevent users from re-using the same password.
36. Password expiration can ensure that a user has to change their password once it has been reset and emailed to them by an administrator.

Cryptography

1. Steganography is inserting, or hiding, data within other files. This data can be password protected and encrypted.
2. Symmetric key cryptography uses the same key on each end of the transmission medium: one key to encrypt and decrypt.
3. Symmetric key sharing is the sharing of one key with trusted parties.
4. AES encryption has a 128-bit block size, with key sizes of 128, 192 and 256 bits.
5. DES encryption has a key size of 56 bits.
6. 3DES encryption has a key size of 168 bits.
7. In asymmetric encryption, the public key is used to encrypt and the corresponding private key is used to decrypt. Also, the private key can encrypt and the corresponding public key can decrypt. This is true, but not secure, as anyone can use the public key.
8. Elliptic curve cryptography is an approach to public-key cryptography that uses smaller key sizes and less computational resources than algorithms that are calculated against a finite field.
9. RSA encrypts and authenticates data going from one computer to another computer.
10. Digital signatures provide integrity and non-repudiation.
11. IPSec can be used to create a site-to-site VPN tunnel between offices.
12. SFTP is an extension of SSH.
13. SFTP is a secure way to transfer files from a host computer.
14. FTPS is a secure method of utilizing FTP.
15. SSH is most commonly used to remotely administer a Unix/Linux system.
16. Hardware encryption is faster than software encryption and is available on computers using TPM.
17. A user has been terminated from the company and their account has been deleted. You need to recover a file that was encrypted with the user’s private key. Two outcomes are likely to happen. One, the data will not be recoverable because the account, along with the private key, was deleted. Two, you are able to use the recovery agent to decrypt the data.
18. A public key can be found in your Internet browser’s trusted root CA store.
19. Revoked certificates are stored in the Certificate Revocation List (CRL).
20. If your web server’s private key has been compromised you must submit, or publish, the public key to the CRL.

Page 11: Security SY0301 Study Guide v611

21. Your CRL should be available to the public.
22. Public keys are used to decrypt the hash of a digital signature.
23. A key escrow maintains a secure copy of a user’s private key for the sole purpose of recovering the key if it has become lost.
24. A key escrow should be established in your PKI implementation if data loss is unacceptable.
25. A recovery agent is used to recover private keys.
26. One of the duties of a Certification Authority (CA) is to verify the authenticity of certificate contents.
27. In the realm of PKI, a trusted third-party is also known as a certification authority.
28. A self-signed certificate is probably being used if your web browser does not recognize a certificate issuer.
