CompTIA CSA+ Study Guide. Mike Chapple
Читать онлайн книгу.
(3306), WINS (1512), FTP (20 and 21), and MS-SQL (1433/1434).
2
D. Regional Internet registries like ARIN are best queried either via their websites or using tools like Whois. Nmap is a useful port scanning utility, traceroute is used for testing the path packets take to a remote system, and regmon is an outdated Windows Registry tool that has been supplanted by Process Monitor.
3
A. Honeypots are systems that are designed to look like attractive targets. When they are attacked, they simulate a compromise, providing defenders with a chance to see how attackers operate and what tools they use. DNS sinkholes provide false information to malicious software, redirecting queries about command and control systems to allow remediation. Darknets are segments of unused network space that are monitored to detect traffic – since legitimate traffic should never be aimed at the darknet, this can be used to detect attacks and other unwanted traffic. Crackpots are eccentric people – not a system you’ll run into on a network.
4
D. Redundant systems, particularly when run in multiple locations and with other protections to ensure uptime, can help provide availability.
5
B. An authenticated, or credentialed, scan provides the most detailed view of the system. Black-box assessments presume no knowledge of a system and would not have credentials or an agent to work with on the system. Internal views typically provide more detail than external views, but neither provides the same level of detail that credentials can allow.
6
C. When reading the CVSS 3.0 score, AV is the attack vector. Here, N means network. Confidentiality (C), Integrity (I), and Availability (A) are listed at the end of the listing, and all three are rated as High in this CVSS rating.
7
A. When Alice encounters a false positive error in her scans, her first action should be to verify it. This may involve running a more in-depth scan like an authenticated scan, but could also involve getting assistance from system administrators, checking documentation, or other validation actions. Once she is done, she should document the exception so that it is properly tracked. Implementing a workaround is not necessary for false positive vulnerabilities, and updating the scanner should be done before every vulnerability scan. Using an authenticated scan might help but does not cover all of the possibilities for validation she may need to use.
8
C. The Containment, Eradication, and Recovery phase of an incident includes steps to limit damage and document what occurred, including potentially identifying the attacker and tools used for the attack. This means that information useful to legal actions is most likely to be gathered during this phase.
9
B. Integrity breaches involve data being modified or deleted. Systems being taken offline is an availability issue, protected information being accessed might be classified as a breach of proprietary information, and sensitive personally identifiable information breaches would typically be classified as privacy breaches.
10
A. Active monitoring sends traffic like pings to remote devices as part of the monitoring process. RMON and netflows are both examples of router-based monitoring, whereas network taps allow passive monitoring.
11
D. Regular traffic from compromised systems to command and control nodes is known as beaconing. Anomalous pings could describe unexpected pings, but they are not typically part of botnet behavior, zombie chatter is a made-up term, and probing is part of scanning behavior in some cases.
12
C. The df command is used to show the amount of free and used disk space. Each of the other commands can show information about memory usage in Linux.
13
A. FTK, EnCase, and dd all provide options that support their use for forensic disk image creation. Since xcopy cannot create a bitwise image of a drive, it should not be used to create forensic images.
14
D. Slack space is the space left when a file is written. Since the space may have previously been filled by another file, file fragments are likely to exist and be recoverable. Unallocated space is space that has not been partitioned and could contain data, but looking there isn’t part of Shelly’s task. The reserved space maintained by drives for wear leveling (for SSDs) or to replace bad blocks (for spinning disks) may contain data, but again, this was not part of her task.
15
B. Sandboxes are used to isolate attackers, malicious code, and other untrusted applications. They allow defenders to monitor and study behavior in the sandbox without exposing systems or networks to potential attacks or compromise.
16
C. The most foolproof means of ensuring that a system does not remain compromised is to wipe and rebuild it. Without full knowledge of when the compromise occurred, restoring a backup may not help, and both antimalware and antivirus software packages cannot always ensure that no remnant of the compromise remains, particularly if the attacker created accounts or otherwise made changes that wouldn’t be detected as malicious software.
17
B. NIST SP 800-88 defines three levels of action of increasing severity: clear, purge, and destroy. In this case, purging, which uses technical means to make data infeasible to recover, is appropriate for a high-security device. Destruction might be preferable, but the reuse element of the question rules this out. Reinstallation is not an option in the NIST guidelines, and clearing is less secure.
18
A. The recovery phase does not typically seek to add new privileges. Validating that only legitimate accounts exist, that the systems are all logging properly, and that systems have been vulnerability scanned are all common parts of an incident response recovery phase.
19
B. This statement is most likely to be part of a standard. Policies contain high-level statements of management intent; standards provide mandatory requirements for how policies are carried out, including statements like that provided in the question. A procedure would include the step-by-step process, and a guideline describes a best practice or recommendation.
20
D. The Family Educational Rights and Privacy Act (FERPA) requires educational institutions to implement security and privacy controls for student educational records. HIPAA covers security and privacy for healthcare providers, health insurers, and health information clearinghouses; GLBA covers financial institutions; and SOX applies to financial records of publicly traded companies.
21
B. Fire suppression systems are physical controls. Logical controls are technical controls that enforce confidentiality, integrity, and availability. Administrative controls are procedural controls, and operational controls are not a type of security control as used in security design.
22
B. Lauren should implement separation of duties in a way that ensures that Danielle and Alex cannot abuse their rights without a third party being involved. This will allow review of their actions and should result in any issues being discovered.
23
A. Kerberos is designed to run on untrusted networks and encrypts authentication traffic by default. LDAP and RADIUS can be encrypted but are not necessarily encrypted by default (and LDAP has limitations as an authentication mechanism). It is recommended that TACACS+ be run only on isolated administrative networks.
24
D. The Spiral model uses linear development concepts like those used in Waterfall but repeats four phases through its life cycle: requirements gathering, design, build, and evaluation.