Sec+ CH.5 Review Test

B is correct. Unnecessary open ports and services are common elements

that contribute to weak configurations so it’s important to close ports that

aren’t needed and disable unnecessary services. A network-based intrusion

detection system (NIDS) helps protect internal systems, but a NIDS would

not be installed on the server and administrators are tasked with checking

the server. Unsecured root accounts indicate a weak configuration. If root

accounts are disabled, enabling them won’t increase security on the server.

Secure Sockets Layer (SSL) is a weak encryption protocol and should not

be implemented on servers.

C is correct. A sandbox provides a simple method of testing updates. It

provides an isolated environment and is often used for testing. A baseline

configuration is a starting point of a computing environment. Bring your

own device (BYOD) refers to allowing employee-owned mobile devices in

a network and is not related to this question. Change management practices

ensure changes are not applied until they are approved and documented.

D is correct. The master image is the baseline, and the administrators

performed integrity measurements to identify baseline deviations. By

comparing the list of applications in the baseline with the applications

running on the suspect computer, it’s possible to identify unauthorized

applications. None of the other answers include the troubleshooting steps

necessary to discover the problem. Version control tracks software versions

as software is updated. A sandbox is an isolated area of a system, typically

used to test applications. A blacklist is a list of prohibited applications.

A is correct. Enforcing an application allow list (sometimes called an

application whitelist) would prevent this. An application allow list identifies

the only applications that can be installed on a computer and would not

include a malicious remote access tool (RAT). An application block list

identifies applications to block, but malware changes so often, this wouldn’t

help. Code signing verifies code is valid and hasn’t been modified. A bring

your own device (BYOD) policy identifies mobile devices employees can

buy and connect to a network but is unrelated to this question. A data loss

protection (DLP) system typically monitors outgoing traffic and wouldn’t

stop a user from installing a malicious application.

D is correct. Self-encrypting drives (SEDs) are the best solution. SEDs

have encryption circuitry built into the drive. They encrypt and decrypt data

without user interaction, though it’s common to require personnel to use

credentials to unlock the SED when booted. A data loss prevention (DLP)

solution typically monitors outgoing traffic to prevent confidential

information from getting outside the organization. A hardware security

module (HSM) is used to manage, generate, and store cryptographic keys.

It’s generally used on a network instead of on laptops. Mobile device

management (MDM) refers to technologies used to manage mobile devices.

C is correct. A remote attestation process checks a computer during the

boot cycle and sends a report to a remote system. The remote system attests

or confirms that the computer is secure. None of the other answers sends

data to a remote system. A Trusted Platform Module (TPM) is a hardware

chip on a motherboard and provides a local secure boot process. A TPM

includes an encryption key burned into the CPU, which provides a

hardware root of trust. Tokenization replaces sensitive data with a token or

substitute value, and this token can be used in place of the original data.

C is correct. Blocking write capabilities to removable media is the best

choice. This can be done with a data loss prevention (DLP) solution on all

computers. Training employees might help, but it won’t stop an insider

threat. Monitoring firewall logs might detect data exfiltration out of the

network, but it won’t monitor the use of external storage devices. A

network-based DLP solution might detect and stop data exfiltration out of

the network, but it would stop users from copying data to removable media.

B is correct. Platform as a Service (PaaS) provides customers with a

preconfigured computing platform including the hardware and software.

The cloud provider maintains the hardware and specified software such as

the operating system and key applications such as a web server application.

Infrastructure as a Service (IaaS) is a cloud computing option where the

vendor provides access to a computer, but customers must install the

operating system and maintain the system. Software as a Service (SaaS)

provides access to specific applications such as an email application.

Anything as a Service (XaaS) refers to cloud services beyond IaaS, PaaS,

and SaaS.

A is correct. An Infrastructure as a Service (IaaS) cloud model provides

clients with hardware but nothing else. A Platform as a Service (PaaS)

model provides customers with a computing platform including operating

systems and some applications. A Software as a Service (SaaS) model

provides customers with one or more applications. Anything as a Service

(XaaS) refers to cloud services beyond IaaS, PaaS, and SaaS, but this

scenario clearly describes an IaaS model.

A is correct. A cloud access security broker (CASB) is placed between a

network and a cloud provider and would meet the chief information officer

(CIO) requirements. It can monitor traffic and enforce security policies,

such as ensuring all data sent to the cloud is encrypted. Permissions should

be set on cloud storage locations to ensure only authorized personnel can

access them, but they don’t encrypt the data. A storage encryption policy

can be created to require encryption of data stored in the cloud, but the

policy wouldn’t monitor all traffic to and from the cloud. A firewall can

filter traffic, but it doesn’t include all the capabilities of a CASB, such as

verifying data is encrypted.