Free CompTIA CS0-003 Übungsprüfungen - Seite 6 von 17

Question #51

A security analyst scans a host and generates the following output:

文本

描述已自动生成

Which of the following best describes the output?

A . The host is unresponsive to the ICMP request.
B . The host Is running a vulnerable mall server.
C . The host Is allowing unsecured FTP connectlons.
D . The host is vulnerable to web-based exploits.

Lösung einblenden Lösung ausblenden

Question #51

A security analyst scans a host and generates the following output:

文本

描述已自动生成

Which of the following best describes the output?

A . The host is unresponsive to the ICMP request.
B . The host Is running a vulnerable mall server.
C . The host Is allowing unsecured FTP connectlons.
D . The host is vulnerable to web-based exploits.

Lösung einblenden Lösung ausblenden

Question #53

An analyst is examining events in multiple systems but is having difficulty correlating data points.

Which of the following is most likely the issue with the system?

A . Access rights
B . Network segmentation
C . Time synchronization
D . Invalid playbook

Lösung einblenden Lösung ausblenden

Question #54

A network security analyst for a large company noticed unusual network activity on a critical system.

Which of the following tools should the analyst use to analyze network traffic to search for malicious activity?

A . WAF
B . Wireshark
C . EDR
D . Nmap

Lösung einblenden Lösung ausblenden

Question #55

A cybersecurity team has witnessed numerous vulnerability events recently that have affected operating systems. The team decides to implement host-based IPS, firewalls, and two-factor authentication.

Which of the following does this most likely describe?

A . System hardening
B . Hybrid network architecture
C . Continuous authorization
D . Secure access service edge

Lösung einblenden Lösung ausblenden

Question #56

While a security analyst for an organization was reviewing logs from web servers. the analyst found several successful attempts to downgrade HTTPS sessions to use cipher modes of operation susceptible to padding oracle attacks.

Which of the following combinations of configuration changes should the organization make to remediate this issue? (Select two).

A . Configure the server to prefer TLS 1.3.
B . Remove cipher suites that use CBC.
C . Configure the server to prefer ephemeral modes for key exchange.
D . Require client browsers to present a user certificate for mutual authentication.
E . Configure the server to require HSTS.
F . Remove cipher suites that use GCM.

Lösung einblenden Lösung ausblenden

Richtige Antwort: AE
AE

Explanation:

The correct answer is A. Configure the server to prefer TLS 1.3 and B. Remove cipher suites that use CBC.

A padding oracle attack is a type of attack that exploits the padding validation of a cryptographic message to decrypt the ciphertext without knowing the key. A padding oracle is a system that responds to queries about whether a message has a valid padding or not, such as a web server that returns different error messages for invalid padding or invalid MAC. A padding oracle attack can be applied to the CBC mode of operation, where the attacker can manipulate the ciphertext blocks and use the oracle’s responses to recover the plaintext12.

To remediate this issue, the organization should make the following configuration changes: Configure the server to prefer TLS 1.3. TLS 1.3 is the latest version of the Transport Layer Security protocol, which provides secure communication between clients and servers.

TLS 1.3 has several security improvements over previous versions, such as:

It deprecates weak and obsolete cryptographic algorithms, such as RC4, MD5, SHA-1, DES, 3DES, and CBC mode.

It supports only strong and modern cryptographic algorithms, such as AES-GCM, ChaCha20-Poly1305, and SHA-256/384.

It reduces the number of round trips required for the handshake protocol, which improves performance and latency.

It encrypts more parts of the handshake protocol, which enhances privacy and confidentiality.

It introduces a zero round-trip time (0-RTT) mode, which allows resuming previous sessions without additional round trips.

It supports forward secrecy by default, which means that compromising the long-term keys does not affect the security of past sessions3456.

Remove cipher suites that use CBC. Cipher suites are combinations of cryptographic algorithms that specify how TLS connections are secured. Cipher suites that use CBC mode are vulnerable to padding oracle attacks, as well as other attacks such as BEAST and Lucky 13. Therefore, they should be removed from the server’s configuration and replaced with cipher suites that use more secure modes of operation, such as GCM or CCM78.

The other options are not effective or necessary to remediate this issue.

Option C is not effective because configuring the server to prefer ephemeral modes for key exchange does not prevent padding oracle attacks. Ephemeral modes for key exchange are methods that generate temporary and random keys for each session, such as Diffie-Hellman or Elliptic Curve Diffie-Hellman. Ephemeral modes provide forward secrecy, which means that compromising the long-term keys does not affect the security of past sessions. However, ephemeral modes do not protect against padding oracle attacks, which exploit the padding validation of the ciphertext rather than the key exchange9.

Option D is not necessary because requiring client browsers to present a user certificate for mutual authentication does not prevent padding oracle attacks. Mutual authentication is a process that verifies the identity of both parties in a communication, such as using certificates or passwords. Mutual authentication enhances security by preventing impersonation or spoofing attacks. However, mutual authentication does not protect against padding oracle attacks, which exploit the padding validation of the ciphertext rather than the authentication.

Option E is not necessary because configuring the server to require HSTS does not prevent padding oracle attacks. HSTS stands for HTTP Strict Transport Security and it is a mechanism that forces browsers to use HTTPS connections instead of HTTP connections when communicating with a web server. HSTS enhances security by preventing downgrade or man-in-the-middle attacks that try to intercept or modify HTTP traffic. However, HSTS does not protect against padding oracle attacks, which exploit the padding validation of HTTPS traffic rather than the protocol.

Option F is not effective because removing cipher suites that use GCM does not prevent padding

oracle attacks. GCM stands for Galois/Counter Mode and it is a mode of operation that provides both

encryption and authentication for block ciphers, such as AES. GCM is more secure and efficient than

CBC mode, as it prevents various types of attacks, such as padding oracle, BEAST, Lucky 13, and IV

reuse attacks. Therefore, removing cipher suites that use GCM would reduce security rather than

enhance it.

Reference: 1 Padding oracle attack – Wikipedia

2 flast101/padding-oracle-attack-explained – GitHub

3 A Cryptographic Analysis of the TLS 1.3 Handshake Protocol | Journal of Cryptology

4 Which block cipher mode of operation does TLS 1.3 use? – Cryptography Stack Exchange

5 The Essentials of Using an Ephemeral Key Under TLS 1.3

6 Guidelines for the Selection, Configuration, and Use of … – NIST

7 CBC decryption vulnerability – .NET | Microsoft Learn

8 The Padding Oracle Attack | Robert Heaton

9 What is Ephemeral Diffie-Hellman? | Cloudflare

[10] What is Mutual TLS? How mTLS Authentication Works | Cloudflare

[11] What is HSTS? HTTP Strict Transport Security Explained | Cloudflare

[12] Galois/Counter Mode – Wikipedia

[13] AES-GCM and its IV/nonce value – Cryptography Stack Exchange

Question #57

A security analyst received an alert regarding multiple successful MFA log-ins for a particular user

When reviewing the authentication logs the analyst sees the following:

表格

描述已自动生成

Which of the following are most likely occurring, based on the MFA logs? (Select two).

A . Dictionary attack
B . Push phishing
C . impossible geo-velocity
D . Subscriber identity module swapping
E . Rogue access point
F . Password spray

Lösung einblenden Lösung ausblenden

Question #58

Which of the following best describes the key goal of the containment stage of an incident response process?

A . To limit further damage from occurring
B . To get services back up and running
C . To communicate goals and objectives of the incident response plan
D . To prevent data follow-on actions by adversary exfiltration

Lösung einblenden Lösung ausblenden

Question #59

An organization wants to consolidate a number of security technologies throughout the organization and standardize a workflow for identifying security issues prioritizing the severity and automating a response

Which of the following would best meet the organization’s needs?

A . MaaS
B . SIEM
C . SOAR
D . CI/CD

Lösung einblenden Lösung ausblenden

Question #60

You are a penetration tester who is reviewing the system hardening guidelines for a company.

Hardening guidelines indicate the following.

There must be one primary server or service per device.

Only default port should be used

Non- secure protocols should be disabled.

The corporate internet presence should be placed in a protected subnet

Instructions:

Using the available tools, discover devices on the corporate network and the services running on these devices.

You must determine

ip address of each device

The primary server or service each device

The protocols that should be disabled based on the hardening guidelines

图示

描述已自动生成

图形用户界面, 表格

描述已自动生成

Lösung einblenden Lösung ausblenden