Tough Questions 151-160

  1. Which of the following would NOT be considered an indicator of attack? (Choose two)
     
    (a) Detection of an ongoing spear phishing campaign against employees
    (b) A NIDS identifies a buffer overflow exploit in an inbound packet
    (c) Unusual amounts of SSH traffic leaving the network
    (d) Log files show the same username attempted to log into 20 different servers in a 20 second window
    (e) A zero day exploit has been identified for software widely used in your enterprise
     
    Answer:
    (c), (e)
     
    Explanation:
    (c) is an indication of compromise (as opposed to an attack), and suggests data exfiltration is in progress
    (e) is not an indication of attack or compromise, but it could leave you open to attack if not mitigated
     
  2. In response to a report you delivered to executives detailing the security features of smartcards, you have been asked to explain how the keys on the smart card are used to authenticate the user. Which of the following is the BEST answer?
     
    (a) The smartcard calculates a hash of the user certificate and sends it to the host computer
    (b) The computer validates the user certificate with standard PKI validation techniques
    (c) The user smartcard PIN unlocks access to the user certificate
    (d) The user private key encrypts a challenge generated by the computer
     
    Answer:
    (d)
     
    Explanation:
    (a) does not occur, and would not provide authentication
    (b) is technically true, but not the best answer as this doesn’t authenticate the user
    (c) the PIN unlocks/provides access to the private key
    (d) authentication is provided by the user's private key encrypting a challenge generated by the computer; the computer then decrypts it using the public key in the user's certificate, proving possession of the private key
     
  3. As part of the development of a new software product being built in-house, you are completing the design of the system security architecture. What phase of the SDLC are you currently in?
     
    (a) Initiation
    (b) Development & Acquisition
    (c) Implementation & Assessment
    (d) Operations & Maintenance
    (e) Disposal
     
    Answer:
    (b)
     
    Explanation:
    During the Development & Acquisition phase (phase 2 of the SDLC), risk assessments are performed, security controls are defined, legal & regulatory landscape is assessed, and the security architecture is designed & engineered, making sure that security is built in from the start.
     
  4. Who is ultimately responsible for accepting a risk associated with operating a system in your enterprise?
     
    (a) System owner
    (b) ISSO
    (c) Software developer
    (d) Authorising Official (AO)
    (e) CIO
     
    Answer:
    (d)
     
    Explanation:
    The AO provides authorisation for the use of the system and formally accepts the risk associated.
     
  5. Which one of the following tasks would a custodian most likely perform?
     
    (a) Access the data
    (b) Classify the data
    (c) Assign permissions to the data
    (d) Back up data
     
    Answer:
    (d)
     
    Explanation:
    A data custodian performs day-to-day tasks to protect the integrity & security of data, and this includes backing it up. Administrators assign permissions to the data.
     
  6. Which one of the following data roles is most likely to assign permissions to grant users access to data?
     
    (a) Administrator
    (b) Custodian
    (c) Owner
    (d) User
     
    Answer:
    (a)
     
    Explanation:
    The administrator assigns permissions based on the principles of least privilege and need-to-know. A custodian protects the integrity & security of the data.
     
  7. Which of the following is a PRIMARY activity that should occur during the implementation & assessment phase of the SDLC?
     
    (a) Authorisation to operate should be obtained from the AO
    (b) Security documentation should be developed
    (c) A privacy impact assessment should be performed
    (d) Continuous monitoring processes should be implemented
     
    Answer:
    (a)
     
    Explanation:
    (a) An ATO must be obtained from the Authorising Official (AO) as a primary activity in this phase.
    (b) Would occur in the previous phase: Development & Acquisition
    (c) Would occur in the first phase: Initiation
    (d) Would also occur in Development & Acquisition
     
  8. A web application regularly gets and puts confidential information to a cloud-based HTTPS server. Your security admin is concerned about the data being compromised if/when the server’s private key is obtained by an adversary. Which of the following represents the BEST way to mitigate this issue?
     
    (a) Increase the key size to 2048 bits
    (b) Install a new certificate with a lifetime not longer than 90 days
    (c) Enable perfect forward secrecy on the HTTPS server
    (d) Enable certificate pinning
     
    Answer:
    (c)
     
    Explanation:
    (a) While 2048 is the minimum recommended key size for asymmetric crypto, (a) won’t help – if the adversary has your private key, they have your private key.
    (b) This is labour-intensive and would only limit the adversary to a maximum of 90 days’ worth of data, which doesn’t fully solve the problem.
    (c) Perfect forward secrecy is a way of largely fixing the concern of an adversary (or even law enforcement) getting hold of private keys. With PFS, your long term keys are not actually used in the key exchange process, so if someone gets hold of the keys, they will not be able to decrypt the data of previous communications. The long term keys are instead used to sign an ephemeral key, and this ephemeral key pair is destroyed when communication is complete.
    (d) Can speed up connections and mitigate fraudulent certificates, so doesn’t help us in this context.
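    As an added illustration of why (c) is the answer (this is not part of the original quiz; it uses only the Go standard library, and all type and function names are the example's own), the program below contrasts a static key exchange, where the server's long-term key takes part in deriving each session secret, with an ephemeral exchange where the long-term key only signs a one-time X25519 key. Whoever steals the static key can re-derive a recorded session; after the PFS exchange the only private values that could do that were discarded at the end of the handshake.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// mustKey (example helper): a fresh X25519 key pair; rand.Reader does not fail in practice.
func mustKey() *ecdh.PrivateKey {
	k, _ := ecdh.X25519().GenerateKey(rand.Reader)
	return k
}

// StaticHandshake has NO forward secrecy: the server's long-term key takes part in the exchange.
// Returns the raw secret (real TLS feeds it through a KDF) and the client's value seen on the wire.
func StaticHandshake(serverLongTerm *ecdh.PrivateKey) ([]byte, *ecdh.PublicKey) {
	cli := mustKey()
	secret, _ := cli.ECDH(serverLongTerm.PublicKey())
	return secret, cli.PublicKey()
}

// RecoverStatic: whoever later steals the long-term key re-derives a recorded session's secret.
func RecoverStatic(stolen *ecdh.PrivateKey, clientEphPub *ecdh.PublicKey) []byte {
	secret, _ := stolen.ECDH(clientEphPub)
	return secret
}
// PFSHandshake: the long-term key only SIGNS a one-time server key; the secret comes from two
// ephemeral keys discarded on return, so a later theft of signPriv yields no ECDH private value.
func PFSHandshake(signPriv ed25519.PrivateKey) (secret, serverEphPub, sig []byte) {
	srv, cli := mustKey(), mustKey()
	serverEphPub = srv.PublicKey().Bytes()
	sig = ed25519.Sign(signPriv, serverEphPub)
	secret, _ = cli.ECDH(srv.PublicKey())
	return secret, serverEphPub, sig // srv and cli private keys are dropped here
}

// AuthenticatesServer: the client's check on the signed ephemeral key. A stolen signing key lets
// an adversary impersonate the server in NEW sessions (so still revoke it), not decrypt old ones.
func AuthenticatesServer(signPub ed25519.PublicKey, serverEphPub, sig []byte) bool {
	return ed25519.Verify(signPub, serverEphPub, sig)
}
func main() {
	lt := mustKey()
	secret, cliPub := StaticHandshake(lt)
	fmt.Println("static exchange, stolen key recovers old secret:", bytes.Equal(RecoverStatic(lt, cliPub), secret))
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, ephPub, sig := PFSHandshake(priv)
	fmt.Println("PFS exchange, client accepts signed ephemeral key:", AuthenticatesServer(pub, ephPub, sig))
}
```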
     
  9. Once you have identified that a security event is an actual security incident, what is the FIRST action you should take?
     
    (a) Isolate the affected system(s) from the network
    (b) Begin documenting everything being done
    (c) Power off the system by pulling the power cable
    (d) Create a forensic image of the affected system(s)
     
    Answer:
    (b)
     
    Explanation:
    (a) is a good option, but (b) should happen first, so it is the best answer.
     
  10. Users in the Sales team access multiple third-party web-based applications, and each app authenticates the users with its own user account database. You want to deploy an SSO solution that allows team members to access the apps using their domain credentials. Which of these options is the BEST choice?
     
    (a) SAML
    (b) JSON-RPC
    (c) LDAPS
    (d) OAuth
    (e) Kerberos
     
    Answer:
    (a)
     
    Explanation:
    (a) SAML allows you to have an identity provider (in this case, your Active Directory) and service providers (the individual apps, assuming they support SAML) to provide SSO.
    (b) JSON-RPC is a remote procedure call protocol that encodes its messages in JSON (JavaScript Object Notation)
    (c) LDAPS is the secure version of the LDAP directory service (not normally used over the Internet)
    (d) OAuth is used to authenticate via third-party identity providers such as Facebook, Twitter & Google, not normally internal Active Directory domains.
    (e) Kerberos could be used internally to your network but not for federated access to external web apps
