Peter, a security analyst, has been tasked with explaining the different types of malware to his colleagues. The two malware types that the group seems to be most interested in are botnets and viruses. Which of the following explains the difference between these two types of malware?
A. Viruses are a subset of botnets which are used as part of SYN attacks. B. Botnets are a subset of malware which are used as part of DDoS attacks. C. Viruses are a class of malware which create hidden openings within an OS. D. Botnets are used within DR to ensure network uptime and viruses are not.
Answer: B
Explanation: A botnet is a collection of Internet-connected programs communicating with other similar programs in order to perform tasks. This can be as mundane as keeping control of an Internet Relay Chat (IRC) channel, or it could be used to send spam email or participate in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network. The term is usually used with a negative or malicious connotation. Computers can be co-opted into a botnet when they execute malicious software. This can be accomplished by luring users into making a drive-by download, exploiting web browser vulnerabilities, or by tricking the user into running a Trojan horse program, which may come from an email attachment. This malware will typically install modules that allow the computer to be commanded and controlled by the botnet’s operator. Many computer users are unaware that their computer is infected with bots. Depending on how it is written, a Trojan may then delete itself, or may remain present to update and maintain the modules.
Which of the following is synonymous with a server’s certificate?
A. Public key B. CRL C. Private key D. Recovery agent
Answer: A
Explanation: A public key certificate (also known as a digital certificate or identity certificate) is an electronic document used to prove ownership of a public key.
Which of the following, if properly implemented, would prevent users from accessing files that are unrelated to their job duties? (Select TWO).
A. Separation of duties B. Job rotation C. Mandatory vacation D. Time of day restrictions E. Least privilege
Answer: A,E
Explanation: Separation of duties means that users are granted only the permissions they need to do their work and no more. Moreover, it means that you are following best practice. Segregation of duties and separation of environments are ways to reduce the likelihood of misuse of systems or information. A separation of duties policy is designed to reduce the risk of fraud and to prevent other losses in an organization.
A least privilege policy should be used when assigning permissions. Give users only the permissions that they need to do their work and no more.
A network stream needs to be encrypted. Emily, the network administrator, has selected a cipher which will encrypt 8 bits at a time before sending the data across the network. Which of the following has Emily selected?
A. Block cipher B. Stream cipher C. CRC D. Hashing algorithm
Answer: A
Explanation: With a block cipher the algorithm works on fixed-size chunks of data—encrypting one block and then moving on to the next. Example: Blowfish is a block cipher that operates on 64-bit blocks at very high speed.
In Kerberos, the Ticket Granting Ticket (TGT) is used for which of the following?
A. Identification B. Authorization C. Authentication D. Multifactor authentication
Answer: C
Explanation: An authentication ticket, also known as a ticket-granting ticket (TGT), is a small amount of encrypted data that is issued by a server in the Kerberos authentication model to begin the authentication process. When the client receives an authentication ticket, the client sends the ticket back to the server along with additional information verifying the client’s identity. The server then issues a service ticket and a session key (which includes a form of password), completing the authorization process for that session. In the Kerberos model, all tickets are time-stamped and have limited lifetimes. This minimizes the danger that hackers will be able to steal or crack the encrypted data and use it to compromise the system. Ideally, no authentication ticket remains valid for longer than the time an expert hacker would need to crack the encryption. Authentication tickets are session-specific, further improving the security of the system by ensuring that no authentication ticket remains valid after a given session is complete.
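The ticket flow in the explanation above, as an added illustration that is not part of the original question bank and not real Kerberos code. It is a deliberately simplified, constructed model: tickets are sealed with an HMAC under a key that only the KDC (or the target service) holds rather than encrypted, session keys are returned in the clear where real Kerberos would wrap them under the client's password-derived key, and both sides are assumed to share the same clock. All key material, lifetimes, principal and service names are constructed. What it does show is exactly what the explanation describes: a time-stamped TGT with a limited lifetime, a per-session key, an authenticator proving the client holds that key, a service ticket issued on the strength of the TGT, and rejection of expired or tampered tickets.

```python
import hashlib
import hmac
import json
import secrets

# Constructed key material: the KDC's own key, and one long-term key per service
# that the KDC shares with that service. Clients never see these.
KDC_KEY = secrets.token_bytes(32)
SERVICE_KEYS = {"fileserver": secrets.token_bytes(32)}
TGT_LIFETIME = 600      # seconds (constructed values)
TICKET_LIFETIME = 300


def _seal(payload: dict, key: bytes) -> dict:
    """Stand-in for 'encrypted under key': a JSON body plus an HMAC over it."""
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def _open(ticket: dict, key: bytes, now: float) -> dict:
    """Verify the seal and the lifetime; anything else is refused."""
    expected = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(ticket["mac"], expected):
        raise PermissionError("ticket tampered with")
    payload = json.loads(ticket["body"])
    if now > payload["expires"]:
        raise PermissionError("ticket expired")
    return payload


def authenticator(session_key: str, client: str, now: float) -> str:
    """The 'additional information verifying the client's identity': a MAC over
    the client name and a timestamp, keyed with the session key from the ticket."""
    return hmac.new(session_key.encode(), f"{client}|{now}".encode(), hashlib.sha256).hexdigest()


def as_exchange(client: str, now: float):
    """AS exchange: the KDC issues a TGT sealed under its own key, plus the
    session key the client will use with that TGT."""
    session_key = secrets.token_hex(16)
    tgt = _seal({"client": client, "issued": now, "expires": now + TGT_LIFETIME,
                 "session_key": session_key}, KDC_KEY)
    return tgt, session_key


def tgs_exchange(tgt: dict, auth: str, client: str, service: str, now: float):
    """TGS exchange: the client presents the TGT and an authenticator; the KDC
    checks both and returns a service ticket plus a fresh session key."""
    tgt_payload = _open(tgt, KDC_KEY, now)
    if tgt_payload["client"] != client or not hmac.compare_digest(
            auth, authenticator(tgt_payload["session_key"], client, now)):
        raise PermissionError("authenticator does not match TGT")
    svc_session_key = secrets.token_hex(16)
    ticket = _seal({"client": client, "service": service, "issued": now,
                    "expires": now + TICKET_LIFETIME, "session_key": svc_session_key},
                   SERVICE_KEYS[service])
    return ticket, svc_session_key


def service_accepts(ticket: dict, auth: str, client: str, service: str, now: float) -> str:
    """AP exchange: the service opens the ticket with its own long-term key and
    checks the client's authenticator against the session key inside it."""
    payload = _open(ticket, SERVICE_KEYS[service], now)
    if payload["service"] != service or payload["client"] != client or not hmac.compare_digest(
            auth, authenticator(payload["session_key"], client, now)):
        raise PermissionError("bad authenticator")
    return payload["client"]


if __name__ == "__main__":
    tgt, tgt_key = as_exchange("peter", now=1000)
    ticket, svc_key = tgs_exchange(tgt, authenticator(tgt_key, "peter", 1100), "peter", "fileserver", 1100)
    print("service accepted", service_accepts(ticket, authenticator(svc_key, "peter", 1150), "peter", "fileserver", 1150))
    try:
        service_accepts(ticket, authenticator(svc_key, "peter", 1500), "peter", "fileserver", 1500)
    except PermissionError as exc:
        print("later attempt refused:", exc)
```

The lifetime check in `_open` is what gives the explanation's "limited lifetimes" property, and the session key embedded in each ticket is what makes a ticket session-specific: a ticket captured from one session cannot be replayed in another without the matching key.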
An application developer has tested some of the known exploits within a new application. Which of the following should the administrator utilize to test for unidentified faults or memory leaks?
A. XSRF Attacks B. Fuzzing C. Input Validations D. SQL Injections
Answer: B
Explanation: Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failed validation, or memory leaks.
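A minimal mutation-based fuzzer, as an added example that is not part of the original question bank. The target, `parse_record`, is a constructed toy parser whose contract is "raise ValueError on bad input"; its two defects (a division by zero and an out-of-range index) are planted so that the fuzzer has something to find. The fuzzer takes a seed input, applies a few random mutations (byte flips, deletions, insertions, duplicated slices, and boundary integers substituted into numeric fields), runs the target, discards exceptions the contract allows, and records every other exception type together with the first input that triggered it. Everything here, including the record format and the seed, is constructed.

```python
import random

# Boundary values worth trying in any numeric field: a common fuzzing heuristic.
INTERESTING_INTS = [0, -1, 1, 255, 256, 2**31 - 1, 2**32, -2**31]


def parse_record(data: bytes):
    """Toy target (constructed): parses b'name:len:payload'.
    Contract: raises ValueError for malformed input. Anything else that escapes
    is a bug; two are planted below for the fuzzer to find."""
    fields = data.split(b":", 2)
    if len(fields) != 3:
        raise ValueError("expected name:len:payload")
    name, length, payload = fields
    n = int(length)                         # ValueError on a non-integer: allowed by contract
    checksum = sum(payload[:n]) % n         # bug: n == 0 raises ZeroDivisionError
    last = payload[n - 1]                   # bug: n > len(payload) raises IndexError
    return name.decode("ascii", "replace"), n, checksum, last


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one randomly chosen mutation from a small generic set."""
    buf = bytearray(data)
    choice = rng.randrange(5)
    if choice == 0 and buf:                                     # overwrite one byte
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1 and buf:                                   # delete one byte
        del buf[rng.randrange(len(buf))]
    elif choice == 2:                                           # insert one random byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif choice == 3 and buf:                                   # duplicate a slice in place
        i = rng.randrange(len(buf))
        j = rng.randrange(i, len(buf) + 1)
        buf[j:j] = buf[i:j]
    else:                                                       # swap a field for a boundary integer
        fields = bytes(buf).split(b":")
        fields[rng.randrange(len(fields))] = str(rng.choice(INTERESTING_INTS)).encode()
        buf = bytearray(b":".join(fields))
    return bytes(buf)


def fuzz(target, seeds, iterations=2000, expected=(ValueError,), seed=1):
    """Run `target` on mutated seeds. Exceptions in `expected` are the target's
    documented rejections and are ignored; every other exception type is a
    finding, recorded with the first input that reproduces it."""
    rng = random.Random(seed)               # fixed seed: the run is reproducible
    findings = {}
    for _ in range(iterations):
        data = rng.choice(seeds)
        for _ in range(rng.randint(1, 3)):  # stack one to three mutations
            data = mutate(data, rng)
        try:
            target(data)
        except expected:
            continue
        except Exception as exc:
            findings.setdefault(type(exc).__name__, data)
    return findings


if __name__ == "__main__":
    for name, crash_input in fuzz(parse_record, [b"alpha:5:hello"]).items():
        print(f"{name}: reproduced by {crash_input!r}")
```

Each recorded input is a stand-alone reproducer, which is what turns a fuzzing run into a bug report. Memory leaks, the other failure class the explanation names, need instrumentation rather than exception catching; in Python, wrapping the call in `tracemalloc` snapshots and comparing allocations across iterations is the analogous check.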
Which of the following should a security technician implement to identify untrusted certificates?
A. CA B. PKI C. CRL D. Recovery agent
Answer: C
Explanation: Untrusted certificates and keys are revoked and put into the CRL. Note: The CRL (Certificate revocation list) is exactly what its name implies: a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation. The dates of certificate issue, and the entities that issued them, are also included.
Peter, a user, wants to send an encrypted email to Ann. Which of the following will Ann need to use to verify the validity of Peter’s certificate? (Select TWO).
A. The CA’s public key B. Peter’s private key C. Ann’s public key D. The CA’s private key E. Peter’s public key F. Ann’s private key
Answer: A,E
Explanation: Peter wants to send a message to Ann. It’s important that this message not be altered. Peter will use the private key to create a digital signature. The message is, in effect, signed with the private key. Peter then sends the message to Ann. Ann will use the public key attached to the message to validate the digital signature. If the values match, Ann knows the message is authentic and came from Peter. Ann will use a key provided by Peter—the public key—to decrypt the message. Most digital signature implementations also use a hash to verify that the message has not been altered, intentionally or accidentally, in transit. Thus Ann would compare the message digest carried in the signature area of the message with the digest she calculates herself. If the values match, the message hasn’t been tampered with and the originator is verified as the person they claim to be. This process provides message integrity, nonrepudiation, and authentication. A certificate authority (CA) is an organization that is responsible for issuing, revoking, and distributing certificates. A certificate is nothing more than a mechanism that associates the public key with an individual. If Peter wants to send Ann an encrypted e-mail, there should be a mechanism to verify to Ann that the message received is really from Peter. If a third party (the CA) vouches for Peter and Ann trusts that third party, Ann can assume that the message is authentic because the third party says so.
Which of the following can use RC4 for encryption? (Select TWO).
A. CHAP B. SSL C. WEP D. AES E. 3DES
Answer: B,C
Explanation: B: In cryptography, RC4 (Rivest Cipher 4, also known as ARC4 or ARCFOUR, meaning Alleged RC4) is the most widely used software stream cipher and is used in popular Internet protocols such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS).
C: WEP also uses RC4; however, WEP remains insecure.
Which of the following wireless security measures can an attacker defeat by spoofing certain properties of their network interface card?
A. WEP B. MAC filtering C. Disabled SSID broadcast D. TKIP
Answer: B
Explanation: MAC filtering is typically used in wireless networks. In computer networking, MAC filtering (or GUI filtering, or layer 2 address filtering) refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network. MAC addresses are uniquely assigned to each card, so using MAC filtering on a network permits and denies network access to specific devices through the use of blacklists and whitelists. While restricting network access through the use of lists is straightforward, a MAC address identifies only a device, not a person, so an authorized person will need a whitelist entry for each device that he or she would use to access the network. While it gives a wireless network some additional protection, MAC filtering can be circumvented by observing a valid MAC address (via airodump) and then spoofing one’s own MAC address to match it.