The security administrator is observing unusual network behavior from a workstation. The workstation is communicating with a known malicious destination over an encrypted tunnel. A full antivirus scan, with an updated antivirus definition file, does not show any signs of infection. Which of the following has happened on the workstation?
A. Zero-day attack B. Known malware infection C. Session hijacking D. Cookie stealing
Explanation: The vulnerability was unknown, which is why a full antivirus scan with current definitions did not detect it. This is a zero-day vulnerability. A zero-day vulnerability is a hole in software that is unknown to the vendor. Hackers exploit that hole before the vendor becomes aware of it and hurries to fix it; this exploit is called a zero-day attack. Zero-day attacks can be used to infiltrate malware or spyware, or to gain unwanted access to user information. The term "zero day" refers to the fact that the hole is unknown to everyone outside the hackers, in particular the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users.
A server dedicated to the storage and processing of sensitive information was compromised with a rootkit and sensitive data was extracted. Which of the following incident response procedures is best suited to restore the server?
A. Wipe the storage, reinstall the OS from original media and restore the data from the last known good backup. B. Keep the data partition, restore the OS from the most current backup and run a full system antivirus scan. C. Format the storage and reinstall both the OS and the data from the most current backup. D. Erase the storage, reinstall the OS from most current backup and only restore the data that was not compromised.
Explanation: Rootkits are software programs that have the ability to hide certain things from the operating system. With a rootkit, there may be a number of processes running on a system that do not show up in Task Manager, or connections established or listening that do not appear in a netstat display; the rootkit masks the presence of these items. The rootkit is able to do this by manipulating function calls to the operating system and filtering out information that would normally appear. Theoretically, rootkits could hide anywhere there is enough memory to reside: video cards, PCI cards, and the like. The best way to handle this situation is to wipe the server, reinstall the operating system from the original installation media, and then restore the data from your last known good backup. This way you eradicate the rootkit and restore the data.
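Because a rootkit filters what userland tools such as netstat display, a second, independent view of the same kernel socket table can expose the hidden entries (a cross-view check). The following is an added example, not code from the original page; both the /proc/net/tcp sample and the trojaned-netstat view are constructed, with documentation-range addresses.

```python
"""Cross-view check for hidden TCP connections (added example).
Parses a Linux /proc/net/tcp style table and diffs it against what a
userland tool reported; anything in the kernel view but not the tool view
is a candidate hidden socket. All inputs below are constructed samples."""
import socket
import struct

# Constructed sample of /proc/net/tcp (hex little-endian IPv4 + hex port).
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:B3D2 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
   2: 0A00000A:C12A 0100000A:0050 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
"""

# Constructed output of a tampered netstat: the connection to 203.0.113.5:443 is missing.
NETSTAT_VIEW = {
    ("127.0.0.1", 22, "0.0.0.0", 0),
    ("10.0.0.10", 49450, "10.0.0.1", 80),
}

TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}  # subset used by the sample


def _hex_endpoint(field):
    """Decode 'AABBCCDD:PPPP' into (dotted IPv4, port)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) tuples."""
    conns = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 4:
            continue
        lip, lport = _hex_endpoint(parts[1])
        rip, rport = _hex_endpoint(parts[2])
        conns.append((lip, lport, rip, rport, TCP_STATES.get(parts[3], parts[3])))
    return conns


def hidden_connections(proc_text, tool_view):
    """Kernel-table sockets that the userland tool failed to report."""
    return [c for c in parse_proc_net_tcp(proc_text) if c[:4] not in tool_view]


if __name__ == "__main__":
    for conn in hidden_connections(PROC_NET_TCP, NETSTAT_VIEW):
        print("hidden from netstat:", conn)
```

On a live host the same diff can be taken between /proc/net/tcp and `netstat -tan`, or between two tools that use different kernel interfaces; a persistent discrepancy is a strong rootkit indicator and supports the wipe-and-reinstall decision above.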
Peter, a company's new security specialist, is assigned a role to conduct monthly vulnerability scans across the network. He notices that the scanner is returning a large amount of false positives or failed audits. Which of the following should Peter recommend to remediate these issues?
A. Ensure the vulnerability scanner is located in a segmented VLAN that has access to the company’s servers B. Ensure the vulnerability scanner is configured to authenticate with a privileged account C. Ensure the vulnerability scanner is attempting to exploit the weaknesses it discovers D. Ensure the vulnerability scanner is conducting antivirus scanning
Explanation: The vulnerability scanner is returning false positives because it is trying to scan servers that it doesn’t have access to; for example, servers on the Internet. We need to ensure that the local network servers only are scanned. We can do this by locating the vulnerability scanner in a segmented VLAN that has access to the company’s servers.
A false positive is an error in some evaluation process in which a condition tested for is mistakenly found to have been detected. In spam filters, for example, a false positive is a legitimate message mistakenly marked as UBE (unsolicited bulk email, as junk email is more formally known). Messages that are determined to be spam, whether correctly or incorrectly, may be rejected by a server or client-side spam filter and returned to the sender as bounce e-mail. One problem with many spam filtering tools is that if they are configured stringently enough to be effective, there is a fairly high chance of getting false positives. The risk of accidentally blocking an important message has been enough to deter many companies from implementing any anti-spam measures at all. False positives are also common in security systems. A host intrusion prevention system (HIPS), for example, looks for anomalies, such as deviations in bandwidth, protocols and ports. When activity varies outside of an acceptable range (for example, a remote application attempting to open a normally closed port), an intrusion may be in progress. However, an anomaly, such as a sudden spike in bandwidth use, does not guarantee an actual attack, so this approach amounts to an educated guess and the chance of false positives can be high. False positives contrast with false negatives, which are results mistakenly indicating that some condition tested for is absent.
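The trade-off described above, a stricter anomaly threshold raising false positives while a looser one lets real events through as false negatives, can be made concrete with a toy HIPS-style bandwidth rule. This is an added example, not from the original page; the baseline, the observations and their ground-truth labels are constructed.

```python
"""Added example: score a HIPS-style bandwidth anomaly rule against
constructed ground truth to show the false-positive / false-negative trade-off."""
import statistics

# Constructed baseline: per-minute bandwidth (kB) during known-normal operation.
BASELINE_KB = [120, 135, 128, 140, 132, 125, 138, 130, 127, 134]

# Constructed observations: (kB in that minute, was it actually malicious).
OBSERVATIONS = [
    (131, False), (129, False), (150, False), (175, False),  # benign, incl. two bursts
    (168, True), (420, True), (133, False), (160, True),      # three real events
]


def anomaly_threshold(baseline, k):
    """Flag anything above mean + k * population stdev of the baseline."""
    return statistics.mean(baseline) + k * statistics.pstdev(baseline)


def evaluate(observations, threshold):
    """Confusion-matrix counts for one threshold setting."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for kb, malicious in observations:
        flagged = kb > threshold
        if flagged and malicious:
            counts["tp"] += 1        # correctly detected attack
        elif flagged and not malicious:
            counts["fp"] += 1        # false positive: benign burst flagged
        elif not flagged and malicious:
            counts["fn"] += 1        # false negative: attack missed
        else:
            counts["tn"] += 1
    return counts


if __name__ == "__main__":
    for k in (2, 6):   # strict vs. loose sensitivity
        thr = anomaly_threshold(BASELINE_KB, k)
        print(f"k={k} threshold={thr:.1f} kB ->", evaluate(OBSERVATIONS, thr))
```

With k=2 every attack is caught but two benign bursts are flagged; with k=6 the false positives drop but the smallest attack (160 kB) is missed, which is exactly the educated-guess nature of anomaly-based HIPS described above.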
A user has downloaded and installed a browser add-on that causes the browser to hang. The PC has very slow system response when rebooted. Which of the following should a technician do to troubleshoot this problem?
A. Run System Restore, update antivirus program, and run an antivirus scan. B. Remove all Internet temporary files, run an antivirus scan, and reboot using Last Known Good Configuration. C. Remove all temporary files, turn off System Restore, update and run an antivirus scan. D. Run an antivirus scan, run Disk Cleanup, and reboot into Safe Mode.
Correct Answer: C
Explanation: This might be the sign of a virus infecting the system. First, remove all temporary Internet files on your computer. Viruses are downloaded through software or a webpage, and they normally reside in the Temporary Internet Files folder. Then turn off System Restore, because you do not want to load a previous state of the computer with the virus still lingering in the digital wild. Finally, update and run an antivirus program to clean the infected files.
A technician is about to put a computer back into service that has not been turned on for many months. It was healthy when taken out of service and boots quickly without any problems. Which of the following actions would be a best practice to begin computer maintenance? (Select TWO).
A. Run a full antivirus scan. B. Defragment the hard disk. C. Run antivirus updates. D. Run Windows updates. E. Configure the firewall to access the Internet.
Correct Answer: CD
Explanation: You have to update the system. Run antivirus updates because antivirus definitions change frequently as new viruses are discovered. Run Windows updates to keep the system patched and ready to use.
Peter, an end-user, reports that the PC he uses periodically logs off his user account and displays a message that updates are being installed. Which of the following is the MOST likely cause of this issue?
A. Time of day restrictions are enabled on the machine B. Scheduled antivirus scans and updates are enabled on the machine C. Remote desktop is enabled and an administrator has logged into the machine D. Automatic Windows Update is enabled on the machine
A technician installs a biometric device using the manufacturer supplied driver. After confirming the device functions properly, the technician performs Windows and antivirus updates. Which of the following would BEST explain why the biometric device no longer functions?
A. The recently updated antivirus scanning software is interfering with the proper operations of the biometric device. B. A virus that specifically targets retinal scanning software infected the PC because the user was late applying new definitions. C. The recently installed Windows updates overwrote the manufacturer’s supplied biometric device driver. D. The biometric device needs to be recalibrated due to environmental conditions involved with the installation.
Correct Answer: C
Explanation: Microsoft updates Windows often, and the updates contain drivers as well. The likely cause of the problem is that Windows Update overwrote the manufacturer's device driver during the update process. Check the driver to confirm the issue. You can always reinstall the original driver for the biometric device if this problem occurs.