SEC+ Study Guide I

Smart Cards increase the security of the authentication process because they must be physically possessed by the user. Smart cards are small plastic cards that contain an embedded chip, which stores and processes data securely. The user must insert the smart card into a card reader and provide a PIN or biometric authentication to access the data stored on the card. This physical possession requirement makes it difficult for unauthorized individuals to gain access to the authentication credentials, enhancing the overall security of the authentication process.

Social engineering attacks often succeed due to a lack of security awareness. This means that individuals and organizations may not be adequately educated or trained on how to identify and respond to these types of attacks. Without this awareness, people may be more susceptible to manipulation and deception by attackers who use psychological tactics to gain unauthorized access to sensitive information or systems. Therefore, increasing security awareness and providing proper training can help mitigate the risk of social engineering attacks.

The email asking for personal information, including bank account numbers, is described as phishing. Phishing is a type of cyber attack where attackers impersonate legitimate organizations to trick users into revealing sensitive information or performing actions that could compromise their security. In this case, the email is attempting to deceive the user into providing personal and financial information, which could be used for fraudulent purposes.

A worm is a type of malicious software that can travel across computer networks without the need for user distribution. Unlike a virus, which requires a host file or program to replicate, a worm can independently spread itself through network connections. It can exploit vulnerabilities in network protocols or use social engineering techniques to trick users into executing it. Once inside a system, a worm can replicate itself and spread to other connected devices, causing damage or stealing information. Therefore, the correct answer is worm.

Turnstiles, double entry doors, and security guards are all prevention measures for piggybacking. Piggybacking refers to the act of unauthorized individuals following closely behind an authorized person to gain access to a secure area without proper authentication. These prevention measures are put in place to ensure that only authorized individuals are granted entry and to prevent unauthorized individuals from piggybacking on someone else's access.

A demilitarized zone (DMZ) is a portion of a company's network that is located between the Internet and an internal network. It acts as a buffer zone, separating the internal network from the external network (Internet). The purpose of a DMZ is to provide an additional layer of security by placing public-facing servers, such as web servers or email servers, in the DMZ. This allows external users to access these servers while keeping the internal network protected from potential threats.

If an audit recording fails in an information system, it is important to send an alert to the appropriate personnel. This is because failing audit recordings can indicate a potential security breach or system malfunction. By alerting the appropriate personnel, they can investigate the issue, identify the cause of the failure, and take necessary actions to rectify the problem and ensure the integrity and security of the system.

PGP uses a PKI Trust Model where no certificate authority (CA) is subordinate to another, meaning there is no single trusted root. This model is known as "peer-to-peer." In a peer-to-peer trust model, each participant in the system has equal trust and can independently verify the authenticity of other participants' certificates without relying on a central authority. This decentralized approach enhances security and reduces the risk of a single point of failure.

A VPN (Virtual Private Network) typically provides a remote access link from one host to another over the Internet. This means that users can securely connect to a private network from a remote location using the public Internet as the medium. VPNs use encryption and other security measures to ensure that the data transmitted over the Internet remains secure and confidential. By using the Internet as the transport mechanism, VPNs offer a cost-effective and flexible solution for remote access connectivity.

Turning off the SSID broadcast is the correct answer because when the SSID broadcast is disabled, the network name is not visible to devices scanning for available networks. This makes it harder for unauthorized users to discover and connect to the network. Leaving the SSID default or changing the SSID name may provide some level of security, but it does not prevent automatic discovery of the network. Activating the SSID password is important for securing the network, but it does not directly address the issue of automatic discovery.

The given scenario describes a situation where the person uses deception and manipulation to gain unauthorized access to a building and network. This type of attack is known as social engineering. Social engineering involves exploiting human psychology and trust to deceive individuals into performing actions that may compromise security. In this case, the person pretends to be a technician and tricks the security guard into unlocking the wiring closet, allowing them to connect a packet sniffer to intercept network traffic. This highlights the importance of employee awareness and training to prevent social engineering attacks.

Non-repudiation is the correct answer because it provides evidence that a user has received an email and prevents them from denying its receipt. It ensures that the sender can prove that the email was successfully delivered and received by the intended recipient. This is typically achieved through the use of digital signatures or other cryptographic methods that provide authentication and non-repudiation of the message.

The purpose of the SSID in a wireless network is to identify the network. SSID stands for Service Set Identifier, and it is a unique name that is assigned to a wireless network. It allows devices to identify and connect to a specific network among multiple available networks in the vicinity. The SSID is broadcasted by the wireless access point (WAP), allowing devices to recognize and join the correct network. It does not define encryption protocols, secure the WAP, or protect the client.

Snooping is an access attack that involves looking through someone's files with the intention of finding something interesting or valuable. It is a form of unauthorized access where an individual tries to gather information or gain insights into someone's personal or confidential data without their knowledge or consent. This can include searching through digital files, emails, documents, or any other type of stored information. Snooping is a common tactic used by hackers, malicious insiders, or individuals with malicious intent to gather sensitive information for personal gain or to exploit it in some way.

Revoke the key would be an effective way to ensure that a compromised PKI key cannot access a system. By revoking the key, its validity is immediately terminated, preventing any further use or access to the system. This ensures that the compromised key cannot be used for any malicious activities and maintains the security of the system.

The given scenario describes the use of multiple factors for authentication. In this case, the user is required to provide a username, password, and undergo a thumbprint scan. This combination of factors, including something the user knows (password), something the user has (thumbprint), and something the user is (username), is known as multifactor authentication. It provides an additional layer of security by requiring multiple pieces of evidence to verify the user's identity before granting access to the workstation.

Integrity refers to the ability to be reasonably certain that data is not modified or tampered with. This means that the data remains intact and has not been altered in any unauthorized way. Ensuring data integrity is important for maintaining the accuracy and reliability of information.

Single sign-on is the authentication process that allows a user to access multiple resources or systems using a single set of credentials. This eliminates the need for the user to remember and enter multiple usernames and passwords, providing convenience and simplifying the authentication process. With single sign-on, once the user logs in to one system, they are automatically authenticated and granted access to other systems or resources without the need for additional credentials. This improves user experience, enhances security by reducing the risk of weak or reused passwords, and streamlines access management for both users and administrators.

When an employee is terminated, it is important to disable their user accounts to prevent unauthorized access. However, it is also necessary to keep the data for a specified period of time for legal and audit purposes. This allows the company to retain any necessary information or evidence that may be required in the future. Deleting all data could potentially result in the loss of important information or evidence. Contacting the employee's supervisor regarding the disposition of user accounts may not be the best action as the HR department is responsible for managing employee accounts. Changing the employee's user password may not be sufficient as the accounts should be disabled to ensure complete security.

Host hardening is the process of securing a host or computer system by reducing its vulnerabilities. Disabling unnecessary services is an important component of host hardening as it helps to minimize the attack surface by shutting down any services that are not needed. Applying patches is also crucial as it ensures that any known vulnerabilities in the system are fixed and closed, making it less susceptible to attacks. Adding users to the administrator group and configuring the Start menu and Desktop are not directly related to host hardening.

Input validation is the correct answer because it involves checking and validating user input to ensure that it meets certain criteria and is within the expected range. By validating input, potential buffer overflow attacks can be prevented because the input is checked for its length and content before it is processed. This helps to ensure that the input does not exceed the allocated buffer size, preventing the attacker from overwriting adjacent memory locations and executing malicious code.

The baseline process of securing devices on a network infrastructure involves hardening the devices. Hardening refers to the process of configuring the devices to remove any unnecessary services or features, applying security patches and updates, and implementing security measures such as strong passwords and access controls. This helps to reduce vulnerabilities and make the devices more resistant to attacks.

Performing a vulnerability assessment is the most effective way for an administrator to determine what security holes reside on a network. A vulnerability assessment involves scanning the network infrastructure and systems to identify any weaknesses or vulnerabilities that could be exploited by attackers. This assessment provides a comprehensive view of the network's security posture, allowing the administrator to prioritize and address the identified vulnerabilities to enhance the network's overall security. Running a port scan, running a sniffer, or installing and monitoring an IDS can also provide valuable information, but they are more focused on specific aspects of network security rather than providing a holistic assessment of vulnerabilities.

The most important security issue to address when using instant messaging is that communications are open and unprotected. This means that the messages sent through instant messaging can be intercepted and read by unauthorized individuals. This lack of encryption and protection puts sensitive information at risk and can lead to data breaches or leaks. It is crucial to implement secure protocols and encryption methods to ensure the confidentiality and integrity of instant messaging communications.

The given scenario describes a privilege management system where different roles have different levels of access. Administrators have full access, human resources personnel have slightly less access, and managers have access to their own department files only. This aligns with the concept of Role Based Access Control (RBAC), where access is granted based on the roles that individuals hold within the organization. RBAC is a commonly used access control model that provides a structured approach to managing privileges and ensuring that users have the appropriate level of access based on their roles and responsibilities.

A Trojan horse is a type of malicious software that disguises itself as a legitimate program or file, tricking the user into downloading and installing it. Once installed, the Trojan horse can perform various malicious actions, such as renaming and deleting random files, as described in the question. Unlike viruses and worms, Trojan horses do not replicate themselves or spread to other systems. A logic bomb is a type of malware that is programmed to execute a malicious action at a specific time or under certain conditions. Therefore, the best description for the given scenario is a Trojan horse.

A challenge-response session refers to a workstation or system that generates a random challenge string. This challenge string is then presented to the user, who must provide it along with the correct PIN (Personal Identification Number) in order to authenticate themselves.

The correct answer is to avoid executing the file and contact the source website administrator. This is because the MD5 hash values are used to verify the integrity of the downloaded file. If the MD5 hash is different, it means that the file has been modified or tampered with, and it may contain malicious code. Therefore, it is important to avoid executing the file and contact the source website administrator to report the issue and seek further guidance.

A Faraday cage is an enclosure made of conductive material that blocks external electromagnetic fields and prevents radio frequency signals from escaping or entering the controlled environment. It works by redistributing the electromagnetic energy around the exterior of the cage, effectively canceling out the signals. This is useful in situations where electromagnetic interference needs to be minimized or prevented, such as in sensitive electronic equipment or secure communication systems. A Faraday cage is the best choice among the given options for preventing radio frequency signals from emanating out of a controlled environment.

Applying the most recent manufacturer updates and patches to the server is a preventative measure to reduce vulnerabilities on a web server. Manufacturers regularly release updates and patches to address security vulnerabilities and improve the server's overall security. By keeping the server up to date with these updates, the administrator ensures that any known vulnerabilities are patched, reducing the risk of exploitation by attackers. This measure is essential in maintaining the security and integrity of the web server.

Disabling unnecessary services on a server reduces the attack surface, which refers to the potential entry points that attackers can exploit to gain unauthorized access. By disabling these services, the server's exposure to vulnerabilities and potential compromise is minimized. This is the best reason because it directly addresses the security aspect of server management and helps protect the server from potential attacks.

Disguising oneself as a reputable hardware manufacturer's field technician in order to pick up a server for repair is an example of social engineering. Social engineering refers to the manipulation of individuals to gain unauthorized access or obtain sensitive information. In this scenario, the attacker is using deception and impersonation to gain physical access to the server, exploiting the trust placed in the reputation of the hardware manufacturer and the legitimacy of their technicians. This tactic allows the attacker to bypass security measures and potentially gain access to sensitive data or compromise the server.

Social engineering refers to the act of manipulating or deceiving individuals into performing certain actions that may compromise their security or provide unauthorized access to systems or information. In this context, an attacker encourages a person to perform an action in order to achieve their malicious objectives. This can involve techniques such as phishing, impersonation, or psychological manipulation to trick individuals into revealing sensitive information, clicking on malicious links, or installing malicious software.

The correct answer is "Use of multiple computers to attack a single organization." In a DDoS attack, multiple compromised computers are used to flood a target system or network with a high volume of traffic, overwhelming its resources and causing it to become inaccessible to legitimate users. This is done to disrupt the target's services and deny access to its resources.

A buffer overflow is a common type of attack on web servers where an attacker sends more data than a buffer can handle, causing the excess data to overflow into adjacent memory. This can lead to the execution of malicious code or the crashing of the server.

The FIRST action to take when an unauthorized user has accessed the network is to contain the problem. This means isolating the affected systems or devices from the rest of the network to prevent further unauthorized access and potential damage. This step is crucial in order to minimize the impact and mitigate any potential harm caused by the unauthorized access. Once the problem is contained, further actions such as notifying management, determining the business impact, and contacting law enforcement officials can be taken.

WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) are both wireless security protocols that can be used to secure a wireless network. WEP was the original security protocol for wireless networks but is now considered to be weak and easily cracked. WPA, on the other hand, is a more secure protocol that provides stronger encryption and authentication. Therefore, both WEP and WPA can be used to deploy secure wireless on a network.

Clocks are used in Kerberos authentication to ensure that tickets expire correctly. Kerberos uses time-based tickets that have a limited validity period. The clocks on the client and server machines need to be synchronized to ensure that the tickets are valid and not expired. The clocks are used to track the time and determine when a ticket should expire, preventing unauthorized access to the system.

A buffer overflow occurs when a server or application is accepting more input than it is expecting, causing the excess data to overflow into adjacent memory. This can lead to the corruption of data, system crashes, and potentially allow attackers to execute malicious code. It is a common vulnerability that can be exploited to gain unauthorized access to a system or cause it to become unresponsive.

Reviewing event logs regularly is often overlooked during the auditing process. Event logs contain valuable information about system activities and can help identify any suspicious or unauthorized activities. Regularly reviewing event logs allows auditors to detect and investigate any potential security breaches or anomalies. However, it is a step that is often neglected, leading to missed opportunities for identifying and addressing security issues.

A replay attack is a type of attack where the attacker captures the user's login information and then replays it at a later time to gain unauthorized access. This attack takes advantage of the fact that login information, such as usernames and passwords, are often sent in plain text or easily decrypted formats. By capturing this information, the attacker can impersonate the user and gain access to their accounts or sensitive information.

Digital signatures are used to enforce non-repudiation. Non-repudiation ensures that the sender of a message cannot deny sending it, and the recipient cannot deny receiving it. Digital signatures provide a way to verify the authenticity and integrity of a message by using a cryptographic algorithm. The sender signs the message with their private key, and the recipient can verify the signature using the sender's public key. This ensures that the message has not been tampered with and can be attributed to the sender, thus enforcing non-repudiation.

The most likely cause of an SMTP server being the source of email spam in an organization is that anonymous relays have not been disabled. Anonymous relays allow anyone to send emails through the SMTP server without authentication, making it easy for spammers to abuse the server. By disabling anonymous relays, only authenticated users will be able to send emails, reducing the risk of spam being sent from the server.

A worm is a type of program that can autonomously replicate itself across networks. Unlike viruses, worms do not need to attach themselves to a host file or program in order to spread. They can spread independently by exploiting vulnerabilities in computer systems or by using network connections. This allows them to quickly infect multiple computers and networks, causing widespread damage. Unlike Trojan horses or spyware, worms focus on replication and spreading rather than on stealing information or gaining unauthorized access.

Tracking cookies are often misused by spyware to collect and report a user's activities. Tracking cookies are small text files that are stored on a user's computer by websites they visit. These cookies are used to track the user's browsing behavior and collect information such as search history, visited websites, and online preferences. Spyware can exploit tracking cookies to gather personal information without the user's consent or knowledge. This misuse of tracking cookies by spyware poses a significant privacy and security risk for users.

The correct answer is 65,535 ports. This is because TCP/IP uses a 16-bit address field in its header, which allows for a maximum of 65,535 different port numbers. These port numbers are used to identify specific processes or services running on a device, and some of them may be vulnerable to scanning, attacking, or exploitation if not properly secured.

Fiber optic cable is considered safer than CAT5 because it is not susceptible to interference. Unlike copper-based cables, fiber optic cables transmit data using light signals, which are not affected by electromagnetic interference or radio frequency interference. Additionally, fiber optic cables are hard to tap into. Since they transmit data as light pulses through thin strands of glass or plastic, any attempt to tap into the cable and intercept the data would cause the light signal to be disrupted, making it difficult for unauthorized access.

Non-essential services are often appealing to attackers because they are not typically configured correctly or secured. This means that they may have weak security measures in place, making them easier for attackers to exploit. Additionally, non-essential services may sustain attacks that go unnoticed because they are not as closely monitored or prioritized by security systems. This allows attackers to potentially gain unauthorized access or carry out malicious activities without being detected.

Active Inception refers to the act of placing a computer system between the sender and receiver to capture information. This involves intercepting and monitoring the communication between two parties without their knowledge or consent. It allows the interceptor to gather sensitive data, such as passwords, credit card information, or other confidential details. This definition distinguishes Active Inception from the other options, which involve activities like looking through files, monitoring network traffic, or listening to conversations, but not necessarily intercepting information in the same way.

Default passwords in hardware and software should be changed when the hardware or software is turned on. This is because default passwords are often well-known and easily exploitable by attackers. Changing the default password immediately upon turning on the hardware or software helps to ensure that unauthorized individuals cannot gain access to the system. It is important to change default passwords as soon as possible to enhance the security of the system and protect against potential threats.