Domain 3 Quiz

  1. Decide where things go. On the real test you will drag them and they snap into place.
    Physical security map
    4 cable locks with 4 laptops

    Safe with signing keys (offline keys kept on removable media such as optical discs or USB sticks; in a real deployment a hardware security module would be the better home for them, but the exam wants "safe")

    Locking cabinet with WAP. (CompTIA says "locking cabinet" where I would say "equipment rack with locking doors", and yes, enclosing a WAP inside a metal cabinet makes no sense)

    Card-swipe lock with door from lobby to business office.

    Card-swipe lock with door from business office to server room.

    Video camera in server room.

    Captive portal with lobby.
  2. Management wants to use a security framework that is designed to bridge the gap between management and technical groups in order to quantitatively analyze and control risk, focusing on identifying the maturity of processes and establishing sound metrics. What do you recommend?
    1. ISO 27001 and 27002
    2. NIST SP 800-37 RMF
    3. COBIT
    4. COVID
    The first three are real frameworks, but the tip-off is "maturity of processes" and "metrics", which points to COBIT (ISACA's IT governance framework, built around process maturity levels and measurable control objectives). ISO 27001 is the international standard for an information security management system, and 27002 is the companion code of practice on implementing its controls. They would have been the answer if you were asked for an internationally recognized, formally auditable (certifiable) standard for cybersecurity. NIST Special Publication 800-37 is the U.S. Government's Risk Management Framework. It would have been the answer if you were asked for the RMF required for the government (when you see just "the government", think "U.S. Federal Government"), or for one that anyone world-wide can adopt for free, versus the rather expensive ISO documents.

    Something else that might be a tip-off is the absurdly wrong choice COVID. It's probably there to distract you, to tempt you away from the correct answer COBIT. An absurdly wrong choice that closely resembles another option might suggest that the similar one is correct.
  3. Which of these can you put in a boot script to prevent MitM?
    1. nmap -sS -sV -T5 192.168.12.72
    2. arp -s 00:13:3B:12:6f:aa 192.168.12.72
    3. tcpdump -i eth0 host 192.168.12.72 or ether host 00:13:3b:12:6f:aa
    4. netstat -an
    5. ping 192.168.12.72
    That arp -s option is the static ARP command. The real argument order is IP address first, then MAC address (arp -s 192.168.12.72 00:13:3b:12:6f:aa), and it is the same on Windows, Linux, macOS and BSD; on current Linux the equivalent is ip neigh replace 192.168.12.72 lladdr 00:13:3b:12:6f:aa dev eth0 nud permanent. Static ARP isn't practical beyond a handful of hosts (every pinned MAC has to be updated by hand when hardware changes), but it does prevent ARP-spoofing MitM for the pinned address: once the mapping is static, the operating system no longer sends ARP requests for that IP and ignores inbound ARP replies, solicited or not, that claim it. On a switched network the scalable form of the same control is DHCP snooping plus dynamic ARP inspection on the switches. The other commands are nmap (port scanning and service/version detection), tcpdump (packet capture), netstat (listing sockets and TCP/UDP activity), and ping (testing end-to-end IP connectivity). All of those only observe; static ARP is the only one with a preventative function.
  4. You are examining records from a busy server that is critical to your organization's financial well-being. You find this:
    LAST WEEK:
    /boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
    /boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
    /etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
    /etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
    /etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
    /bin/ls			b79f70b18538de0199e6829e06b547e079df8842
    
    TODAY:
    /boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
    /boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
    /etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
    /etc/shadow:		9a4fb74ef00824d6e84785ad53d6fed364947778
    /etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
    /bin/ls			b79f70b18538de0199e6829e06b547e079df8842 
    What should you report to management?
    1. Everything seems to be fine.
    2. A user is violating the AUP.
    3. An intruder has gained administrative access and changed the system configuration.
    4. An intruder has gained administrative access and replaced operating system components, and we can no longer trust the operating system itself or any programs installed there.
    The file /etc/shadow changed, but we expect this: it changes every time a user changes their password (the password hashes live there, not in /etc/passwd). Apparently "busy" implies enough users that someone changed a password between last week's and today's Tripwire run. Option 1.
  5. You are examining records from a busy server that is critical to your organization's financial well-being. You observe the following:
    LAST WEEK:
    /boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
    /boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
    /etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
    /etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
    /etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
    /bin/ls			b79f70b18538de0199e6829e06b547e079df8842
    
    TODAY:
    /boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
    /boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
    /etc/passwd:		7c6fa9266a5abfa03d685ea7f7164393c984b710
    /etc/shadow:		9a4fb74ef00824d6e84785ad53d6fed364947778
    /etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
    /bin/ls			b79f70b18538de0199e6829e06b547e079df8842 
    What should you report to management?
    1. Everything seems to be fine.
    2. A user is violating the AUP.
    3. An intruder has gained administrative access and changed the system configuration.
    4. An intruder has gained administrative access and replaced operating system components, and we can no longer trust the operating system itself or any programs installed there.
    Both /etc/shadow and /etc/passwd changed. You probably added a new user, which adds one line to each file. Or maybe you modified a user's account (changing passwd) and, coincidentally, someone changed their password (changing shadow). Again, no cause for alarm, but confirm it against the change records or the authentication log, because a new account nobody on your team created is exactly how a compromise shows up.

    It's possible that someone gained administrative access and created the new user. But option 1 is by far the most likely explanation.
  6. You are examining records from a busy server that is critical to your organization's financial well-being. You observe this:
    LAST WEEK:
    /boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
    /boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
    /etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
    /etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
    /etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
    /bin/ls			b79f70b18538de0199e6829e06b547e079df8842
    
    TODAY:
    /boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
    /boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
    /etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
    /etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
    /etc/ssh/sshd_config:	9c5bbcbdc2994a9835b8804b9ffa699935715a34
    /bin/ls			b79f70b18538de0199e6829e06b547e079df8842 
    What should you report to management?
    1. Everything seems to be fine.
    2. A user is violating the AUP.
    3. An intruder has gained administrative access and changed the system configuration.
    4. An intruder has gained administrative access and replaced operating system components, and we can no longer trust the operating system itself or any programs installed there.
    Intrusion! Someone has modified a system configuration file: /etc/ssh/sshd_config. Option 3. Unless change management has a record of an authorized edit, treat this as an intruder with root (only root can write that file) tampering with remote access, and compare the file with the copy in backups before doing anything else.
  7. You are examining records from a busy server that is critical to your organization's financial well-being. You observe this:
    LAST WEEK:
    /boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
    /boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
    /etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
    /etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
    /etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
    /bin/ls			b79f70b18538de0199e6829e06b547e079df8842
    
    TODAY:
    /boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
    /boot/vmlinuz-4.13.0:	cfc34c90281bbed47540c6288ec975a4602ee3df
    /etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
    /etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
    /etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
    /bin/ls			b79f70b18538de0199e6829e06b547e079df8842 
    What should you report to management?
    1. Everything seems to be fine.
    2. A user is violating the AUP.
    3. An intruder has gained administrative access and changed the system configuration.
    4. An intruder has gained administrative access and replaced operating system components, and we can no longer trust the operating system itself or any programs installed there.
    This is the worst of all! Someone has replaced the file containing the kernel. Once you reboot after such a change, you are running the intruder's operating system; this is the signature of a rootkit. Option 4. A legitimate kernel package update would also change this hash, but it would appear in the package manager's log and would usually change grub.cfg as well; with neither, assume compromise, and remember that the integrity checker itself, running on that host, can no longer be believed.
  8. Management has decided that they want wireless security, but they don't have the resources to do key management and maintain certificates. What should they use?
    1. WEP
    2. WAP
    3. WPA
    4. WPA2 Enterprise
    5. WPS
    The intended answer is WPA, meaning WPA/WPA2 in Personal (pre-shared key) mode: one passphrase, no RADIUS server, no certificates. WEP, of course, must not be used. WPS is also insecure (its eight-digit PIN can be brute-forced in hours), although that has been known for far less time than WEP's flaws. Multiple WAPs will be involved, but "WAP" is a tempting distractor; it's like answering "copper wire" to an Ethernet problem. WPA2 Enterprise requires a RADIUS server and, for the usual EAP methods, at least a server certificate, thus PKI. In practice today you would deploy WPA2-Personal or WPA3-Personal rather than original WPA, but the exam point is PSK versus Enterprise.
  9. Management has decided to use geo-fencing to restrict mobile device operation to company premises. Which technology should you select?
    1. BYOD
    2. COPE
    3. CYOD
    4. BODE
    BYOD and CYOD would leave employees with personal devices that are partly useless off the premises. A COPE (corporate-owned, personally enabled) device is just as restricted off-premises, but it's the company's phone, not the employee's. BODE is not a thing.
  10. Lori's manager, Brian, has just returned from a board meeting where it was announced that the company would be deploying Infrastructure as a Service. Brian didn't know what that was, and was embarrassed to ask. Which is the best explanation of what it will involve?
    1. Logical rather than physical network isolation
    2. Air gaps
    3. Virtualization
    4. Subcontracting
    Brian didn't say whether it will run at a public provider like Google or Amazon, or in house. Either way, virtualized servers are what Infrastructure as a Service delivers. Yes, software-defined networking and logical isolation will also be involved, but only to support communication between and with all those virtual machines.
  11. Why might you use fuzzing? Select two.
    1. You need to detect logical errors
    2. You don't have the source code
    3. You have the source code
    4. You have the source code, but you signed a non-disclosure agreement
    5. You're uncertain of the purpose of the software
    The first is your goal, the second is your restriction: fuzzing feeds the program malformed or random input and watches for crashes and misbehaviour, so it needs only a running binary, not the source. Having the source (options 3 and 4) doesn't stop you from fuzzing, it just isn't the reason to.
  12. Refineries and waste water treatment plants are controlled by which of the following, which have been successfully attacked on multiple occasions:
    1. RTOS
    2. IoT
    3. SCADA
    4. SoC
    5. Embedded
    SCADA is the industrial one here. RTOS is more for vehicles and robots. IoT is usually about consumer items. SoC, system on chip, is what makes something like a Raspberry Pi cheap to build: one chip hosts the CPU, memory, video interface, sound interface, and more. Embedded covers the dozens of small, often outdated, computers in a recent automobile design, controlling the entertainment center, windows, seat positions, and so on.
  13. Dorothy, the software development manager, needs development and testing platforms for her programmers. However, she doesn't want to have to buy server hardware, or cross-train programmers to be system administrators. Which cloud solution could solve her problem?
    1. IaaS
    2. IDaaS
    3. PaaS
    4. SaaS
    PaaS is the answer: the provider runs the operating system, runtime and build tooling, and the programmers just deploy code. Infrastructure as a Service means you have to be your own system administrator. Software as a Service means buying the use of already existing software. Identity as a Service is something like SAML-based single sign-on as sold by Okta, Symplified, Oracle, and others.
  14. Maria, a security analyst, was about to boot a suspect system with a Kali Linux DVD. Her manager stopped her, saying that she mustn't modify the computer's operating system or data. She explained that it was safe, it would load an operating system into RAM and treat everything on disk as read-only data, because it's:
    1. Non-modification boot
    2. Live boot
    3. Transparent boot
    4. Ephemeral boot
    The others suggest what's going on, but it's called live boot. One caveat for Maria: an ordinary live boot may still auto-mount partitions or activate an existing swap partition on the suspect disk, so for evidence use a distribution's forensic mode (Kali's boot menu has one that disables both) or a hardware write blocker.
  15. Suheb, the IT department manager, needs to be able to assess organizational security at any time, and identify issues before they become big problems. Which should he use?
    1. Monthly audits
    2. Continuous monitoring
    3. Continuous improvement
    4. Baseline analysis
    Tip-offs are "at any time" and "before they become big problems": continuous monitoring. Monthly audits and baseline analysis are point-in-time activities.
  16. Chuck, a network engineer, needs to compartmentalize traffic flow on the Intranet, and authenticate each connected endpoint device. What should he use? Select two.
    1. NAC
    2. DLP
    3. 802.3
    4. VLAN
    Compartmentalize with VLANs, authenticate endpoints with NAC (typically enforced with 802.1X at the switch port). 802.3 is plain Ethernet; you build your networks with it, but it adds neither of those two required capabilities. DLP is about data leaving, not devices joining.
  17. Alexei, an attacker from Eastern Europe, was able to break into one of your organization's virtual web servers. However, he was unable to pivot to any of several other virtual servers running on the same hardware platform. What happened?
    1. VM Escape
    2. Shadow IT
    3. VM sprawl
    4. Sandboxing
    5. Hypervisor flaws
    VM escape and hypervisor flaws are the opposite of what happened. Shadow IT and VM sprawl might be going on, but aren't the point here. The hypervisor kept the VMs safely sandboxed, isolated from each other.
  18. Akio, a systems engineer, needs to implement a technical defense that verifies the validity of the operating system itself before booting the system. He hopes this will solve the problem of root kits and other kernel modification. What should he use?
    1. Anti-malware scanning
    2. BIOS checks
    3. UEFI
    4. Trusted supply chain
    This is UEFI Secure Boot: the firmware verifies the bootloader's signature, and the bootloader in turn verifies the kernel's, so a replaced kernel like the one in question 7 refuses to boot. Note the limit: it checks the chain at boot time only. Kernel modifications made at run time need module signing and the kernel's lockdown mode, and a legacy BIOS has no equivalent check.
  19. Philip, a system administrator, has been asked for recommendations for protecting compute servers in the data center. Which should he suggest? Select three.
    1. FM-200
    2. Biometrics
    3. DLP
    4. Remote wipe
    5. Mantrap
    6. GPS tracking
    Biometrics and a mantrap for physical access, FM-200 for fire suppression. DLP would instead be at end points (where the data is used and might be transferred to portable media) and at the organization's edge; remote wipe and GPS tracking are for mobile devices, not racked servers.
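For question 3, here is what the "static ARP in a boot script" control looks like when you also want to know whether it is holding. This is an added example, not part of the quiz or the exam: it parses the neighbor table as printed by `ip -4 neigh show` on Linux (the sample output is constructed, with the quiz's 192.168.12.72 / 00:13:3b:12:6f:aa pair as the pinned mapping and an assumed second host poisoning it), reports pinned entries that disagree with the live table, flags any MAC that answers for more than one IP, and emits the pin lines a boot script would run. The interface name eth0 is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `ip -4 neigh show` output on a Linux host; not from the
# quiz. 192.168.12.72 <-> 00:13:3b:12:6f:aa is the mapping the quiz answer
# pins; here an assumed second host (3c:52:82:aa:bb:cc) has poisoned it.
SAMPLE_NEIGH = """\
192.168.12.1 dev eth0 lladdr 00:50:56:c0:00:08 REACHABLE
192.168.12.50 dev eth0 lladdr 3c:52:82:aa:bb:cc STALE
192.168.12.72 dev eth0 lladdr 3c:52:82:aa:bb:cc REACHABLE
192.168.12.99 dev eth0 FAILED
"""

# Mappings this host must never let an ARP reply override (IP -> MAC).
PINNED = {"192.168.12.72": "00:13:3b:12:6f:aa"}

# One `ip neigh` line: "<ip> dev <if> [lladdr <mac>] <STATE>"
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9a-f:]{17}))? (?P<state>\S+)$",
    re.IGNORECASE,
)


def parse_neigh(text: str) -> Dict[str, Tuple[str, str, str]]:
    """Return {ip: (mac or '', device, state)} from `ip neigh show` output."""
    table: Dict[str, Tuple[str, str, str]] = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue  # unrecognized line; real output only has this shape
        table[m["ip"]] = ((m["mac"] or "").lower(), m["dev"], m["state"])
    return table


def check_pins(table: Dict[str, Tuple[str, str, str]], pinned: Dict[str, str]) -> List[str]:
    """Findings where the live table disagrees with a pinned mapping."""
    findings = []
    for ip, want in pinned.items():
        want = want.lower()
        entry = table.get(ip)
        if entry is None:
            findings.append(f"{ip}: no neighbor entry (pin not applied yet)")
        elif entry[0] != want:
            findings.append(f"{ip}: table says {entry[0]}, pinned {want} (possible ARP spoofing)")
        elif entry[2].upper() != "PERMANENT":
            # Right MAC for now, but a dynamic entry can be replaced by the next forged reply.
            findings.append(f"{ip}: correct MAC but entry is {entry[2]}, not PERMANENT")
    return findings


def duplicate_macs(table: Dict[str, Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """MACs answering for more than one IP: the classic trace of a spoofer
    that keeps its own address while claiming the victim's."""
    by_mac: Dict[str, List[str]] = {}
    for ip, (mac, _dev, _state) in table.items():
        if mac:
            by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def pin_commands(pinned: Dict[str, str], dev: str = "eth0") -> List[str]:
    """Lines for the boot script: the Linux `ip` form (interface name assumed)
    and the portable `arp -s` form, both IP first and MAC second."""
    cmds = []
    for ip, mac in pinned.items():
        cmds.append(f"ip neigh replace {ip} lladdr {mac.lower()} dev {dev} nud permanent")
        cmds.append(f"arp -s {ip} {mac.lower()}")
    return cmds


if __name__ == "__main__":
    table = parse_neigh(SAMPLE_NEIGH)
    for finding in check_pins(table, PINNED):
        print("ALERT", finding)
    for mac, ips in duplicate_macs(table).items():
        print("WARN", mac, "answers for", ", ".join(ips))
    print("\n".join(pin_commands(PINNED)))
```

On the sample table this reports 192.168.12.72 as spoofed (the table holds the attacker's MAC, not the pinned one) and shows 3c:52:82:aa:bb:cc answering for two addresses. Run the checks against `subprocess.check_output(["ip", "-4", "neigh", "show"])` on a real host; the pin commands need root.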
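Questions 4 through 7 are really one procedure: diff today's integrity manifest against the baseline and let the worst changed path decide what you tell management. The following is an added example, not the quiz's or any integrity checker's own code: it parses manifests in the shape shown in those questions (the baseline and the question 7 "today" listing are embedded as sample data, reusing the hashes printed there), classifies each changed path as routine account churn, configuration, or an operating-system component, and maps the result onto the four answer options. The path classes, and the use of SHA-256 when generating a fresh manifest, are this example's own choices.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

# "Last week" manifest from questions 4-7 (path and hash, Tripwire-style).
BASELINE = """\
/boot/grub/grub.cfg:\t6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:\td6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:\t\t02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:\t\t71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/ssh/sshd_config:\t5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls\t\t\tb79f70b18538de0199e6829e06b547e079df8842
"""
# "Today" manifest from question 7: only the kernel image differs.
TODAY_Q7 = """\
/boot/grub/grub.cfg:\t6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:\tcfc34c90281bbed47540c6288ec975a4602ee3df
/etc/passwd:\t\t02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:\t\t71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/ssh/sshd_config:\t5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls\t\t\tb79f70b18538de0199e6829e06b547e079df8842
"""

# Files that legitimately change through routine administration (password
# changes, new users). A modified hash here is not by itself an alarm.
ROUTINE_CHURN = {"/etc/passwd", "/etc/shadow", "/etc/group", "/etc/gshadow"}
# Operating-system components: a change here means the OS itself is untrusted.
OS_PREFIXES = ("/boot/", "/bin/", "/sbin/", "/lib", "/usr/bin/", "/usr/sbin/", "/usr/lib")

SEVERITY = ("unchanged", "routine", "config", "os")  # ascending
VERDICTS = {
    "unchanged": "1. Everything seems to be fine.",
    "routine": "1. Everything seems to be fine (only routine account churn; confirm against change records).",
    "config": "3. An intruder has gained administrative access and changed the system configuration.",
    "os": "4. An intruder has replaced operating system components; the OS and everything on it is untrusted.",
}


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'path: hash' / 'path<TAB>hash' lines; headers like 'TODAY:' are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        table[parts[0].rstrip(":")] = parts[1].lower()
    return table


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> List[Tuple[str, str]]:
    """Sorted (path, 'modified'|'added'|'removed') for every difference."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            changes.append((path, "removed"))
        elif path not in baseline:
            changes.append((path, "added"))
        elif baseline[path] != current[path]:
            changes.append((path, "modified"))
    return changes


def classify_path(path: str) -> str:
    if path.startswith(OS_PREFIXES):
        return "os"
    if path in ROUTINE_CHURN:
        return "routine"
    return "config"  # anything else (/etc/ssh/sshd_config and friends)


def assess(baseline: Dict[str, str], current: Dict[str, str]) -> str:
    """Worst class among the changes decides the verdict."""
    worst = "unchanged"
    for path, status in diff_manifests(baseline, current):
        kind = classify_path(path)
        if kind == "routine" and status != "modified":
            kind = "config"  # an account file appearing or vanishing is not routine churn
        if SEVERITY.index(kind) > SEVERITY.index(worst):
            worst = kind
    return worst


def report(baseline_text: str, current_text: str) -> Tuple[str, List[Tuple[str, str]]]:
    base, cur = parse_manifest(baseline_text), parse_manifest(current_text)
    return VERDICTS[assess(base, cur)], diff_manifests(base, cur)


def build_manifest(paths: Iterable[str]) -> str:
    """Generate a fresh manifest for real files (SHA-256, read in chunks)."""
    lines = []
    for path in paths:
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        lines.append(f"{path}:\t{digest.hexdigest()}")
    return "\n".join(lines)


if __name__ == "__main__":
    verdict, changes = report(BASELINE, TODAY_Q7)
    print(verdict)
    for path, status in changes:
        print(" ", status, path)
```

The manifests on the page use 40-hex-digit (SHA-1) hashes; the parser does not care about the length, but a manifest you generate today should use SHA-256, as build_manifest does. And the point from question 7 stands: run the comparison from a trusted host against a copy of the baseline kept off the server.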
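Question 11 says fuzzing needs only a running target, not its source. The following added example (it is not the quiz's code, and the record format, the buggy parser and its fixed twin are all constructed for the demonstration) shows a minimal mutation fuzzer doing exactly that: it only ever calls the parser, treats the parser's documented ValueError as a correct rejection, and records every other exception as a crash along with the input that caused it. Run against the bounds-checked version of the same parser, the same fuzzer finds nothing.

```python
import random
from typing import Callable, Dict, List

# Constructed toy wire format: <count byte> then records of
# <length byte><payload><checksum byte>. Not from the page.


def encode_records(payloads: List[bytes]) -> bytes:
    out = bytes([len(payloads)])
    for p in payloads:
        out += bytes([len(p)]) + p + bytes([sum(p) % 256])
    return out


def parse_records(blob: bytes) -> List[bytes]:
    """Deliberately buggy parser: it trusts the count and length fields, so
    truncated or inflated input makes it index past the end (IndexError)."""
    count, pos, out = blob[0], 1, []
    for _ in range(count):
        length = blob[pos]
        payload = blob[pos + 1:pos + 1 + length]
        if blob[pos + 1 + length] != sum(payload) % 256:  # may read past the end
            raise ValueError("bad checksum")
        out.append(payload)
        pos += 2 + length
    return out


def parse_records_fixed(blob: bytes) -> List[bytes]:
    """Hardened twin: every read is bounds-checked and bad input is rejected
    with ValueError, the one exception a caller is expected to handle."""
    if not blob:
        raise ValueError("empty")
    count, pos, out = blob[0], 1, []
    for _ in range(count):
        if pos >= len(blob):
            raise ValueError("truncated record header")
        length = blob[pos]
        end = pos + 1 + length  # index of the checksum byte
        if end >= len(blob):
            raise ValueError("truncated payload")
        payload = blob[pos + 1:end]
        if blob[end] != sum(payload) % 256:
            raise ValueError("bad checksum")
        out.append(payload)
        pos = end + 1
    if pos != len(blob):
        raise ValueError("trailing bytes")
    return out


INTERESTING = [0, 1, 0x7F, 0x80, 0xFF]  # boundary values that stress length/count fields


def mutate(data: bytes, rng: random.Random) -> bytearray:
    """One random mutation: bit flip, byte overwrite, insert, delete, or boundary value."""
    buf = bytearray(data)
    op = rng.randrange(5)
    if op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:  # the remaining operations need at least one byte to work on
        i = rng.randrange(len(buf))
        if op == 0:
            buf[i] ^= 1 << rng.randrange(8)
        elif op == 1:
            buf[i] = rng.randrange(256)
        elif op == 3:
            del buf[i]
        else:
            buf[i] = rng.choice(INTERESTING)
    return buf


def fuzz(target: Callable[[bytes], object], seeds: List[bytes],
         iterations: int, seed: int = 0) -> Dict[str, bytes]:
    """Black-box mutation fuzzer: needs a callable, never the source.
    Returns {'ExceptionType: message': first input that triggered it}."""
    rng = random.Random(seed)  # seeded so a run is reproducible
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        case = bytes(rng.choice(seeds))
        for _ in range(rng.randrange(1, 4)):  # stack one to three mutations
            case = bytes(mutate(case, rng))
        try:
            target(case)
        except ValueError:
            continue  # the parser's documented rejection, not a finding
        except Exception as exc:  # anything else is a crash worth reporting
            crashes.setdefault(f"{type(exc).__name__}: {exc}", case)
    return crashes


if __name__ == "__main__":
    seeds = [encode_records([b"user=alice", b"role=admin"])]
    for name, case in fuzz(parse_records, seeds, 500, seed=7).items():
        print(name, case.hex())
    print("fixed parser crashes:", fuzz(parse_records_fixed, seeds, 500, seed=7))
```

The same loop works against a real binary by replacing the target with a function that writes the case to a file, runs the program under a timeout, and reports a non-zero or signal exit as the crash.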

Exhibit with 10 things, plus 18 questions

Passing = 82% of 28 = 23.0

Goal = 91% of 28 = 25.5
