
QUESTION 11

A company offers a hardware security appliance to customers that provides remote administration of a device on the customer's network. Customers are not authorized to alter the configuration. The company deployed a software process to manage unauthorized changes to the appliance, log them, and forward them to a central repository for evaluation. Which of the following processes is the company using to ensure the appliance is not altered from its original configured state?

Correct Answer: C
Anti-tamper is a set of measures that protects a system or device from unauthorized changes or modifications and that detects, logs, and reports any attempt to alter it. The company is using anti-tamper to ensure the appliance is not altered from its original configured state. CI/CD, software assurance, and change management are not processes that specifically deal with detecting and reporting unauthorized changes to a deployed device. Reference: https://www.acq.osd.mil/se/briefs/16943-DoD-AT-Overview-Brief.pdf

QUESTION 12

During a review of SIEM alerts, a security analyst discovers the SIEM is receiving many alerts per day from the file-integrity monitoring tool about files from a newly deployed application that should not change. Which of the following steps should the analyst complete FIRST to respond to the issue?

Correct Answer: C
The analyst should first check whether temporary files are being monitored. Temporary files are created and rewritten by applications for purposes such as holding working data or caching results for faster access; they are not meant to be permanent and are usually deleted when no longer needed or when the application closes. Monitoring them therefore generates a stream of file-integrity alerts that carry no security signal. The analyst should confirm that the alerts concern temporary files and exclude those paths (or the scratch and cache directories the application uses) from the monitoring scope, while keeping the binaries and configuration files that should never change under monitoring.
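The following added example (not part of the original question bank) shows the effect of that scoping decision in working code: a minimal hash-based file-integrity monitor run twice over a constructed application tree, once with every file in scope and once with the application's scratch and cache paths excluded. The directory layout, file contents and the exclusion patterns in EXCLUDES are assumptions for this example, not taken from any particular FIM product.

```python
import fnmatch
import hashlib
import tempfile
from pathlib import Path

# Assumed exclusion patterns (relative POSIX paths) for data the application
# legitimately rewrites: scratch files and caches. Binaries and configuration
# stay in scope. These patterns are an assumption for this example.
EXCLUDES = ("*.tmp", "tmp/*", "cache/*")


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_excluded(relpath: str, excludes) -> bool:
    """True when the relative path matches any exclusion glob (case-sensitive)."""
    return any(fnmatch.fnmatchcase(relpath, pat) for pat in excludes)


def snapshot(root, excludes=()) -> dict:
    """Map each monitored file (relative path) to its SHA-256; excluded paths are skipped."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if is_excluded(rel, excludes):
            continue
        snap[rel] = sha256_file(p)
    return snap


def compare(baseline: dict, current: dict) -> list:
    """Return (event, path) alerts for files added, deleted or modified since the baseline."""
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            alerts.append(("ADDED", rel))
        elif rel not in current:
            alerts.append(("DELETED", rel))
        elif baseline[rel] != current[rel]:
            alerts.append(("MODIFIED", rel))
    return alerts


def demo():
    """Constructed scenario: a deployed app whose scratch files churn on every run.
    Returns (noisy, tuned, tampered) alert lists."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        files = {  # constructed sample tree, not a real application
            "bin/app": b"\x7fELF fake binary v1",
            "etc/app.conf": b"listen=443\n",
            "tmp/session.tmp": b"session 1",
            "cache/page.cache": b"cached page 1",
        }
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)

        base_all = snapshot(root)              # everything monitored
        base_tuned = snapshot(root, EXCLUDES)  # scratch data out of scope

        # Normal application run: only scratch files change.
        (root / "tmp/session.tmp").write_bytes(b"session 2")
        (root / "cache/page.cache").write_bytes(b"cached page 2")
        noisy = compare(base_all, snapshot(root))
        tuned = compare(base_tuned, snapshot(root, EXCLUDES))

        # Real tampering: the binary is replaced. The tuned scope still catches it.
        (root / "bin/app").write_bytes(b"\x7fELF trojaned binary")
        tampered = compare(base_tuned, snapshot(root, EXCLUDES))
        return noisy, tuned, tampered


if __name__ == "__main__":
    labels = ("all files", "tuned scope", "tuned scope after tampering")
    for label, alerts in zip(labels, demo()):
        print(f"{label}: {alerts}")
```

The first run shows the noise the analyst is seeing (two MODIFIED alerts per application cycle for files that are expected to change); the tuned scope produces none of them, yet still raises a MODIFIED alert when the binary itself is replaced. Exclusions should be as narrow as the application's actual scratch locations; excluding whole installation directories would silence the second case as well.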

QUESTION 13

Which of the following activities is designed to handle a control failure that leads to a breach?

Correct Answer: B
Incident management is a process that aims to handle a control failure that leads to a breach by restoring normal operations as quickly as possible and minimizing the impact and damage of the incident. Incident management involves activities such as identifying, analyzing, containing, eradicating, recovering, and learning from security incidents. Risk assessment, root cause analysis, and vulnerability management are other processes related to security management, but they are not designed to handle a control failure that leads to a breach. Reference:
https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

QUESTION 14

Which of the following is the best method to ensure secure boot UEFI features are enabled to prevent boot malware?

Correct Answer: A
Secure boot is a UEFI feature that allows only code signed by keys the firmware trusts to execute during the boot process, so boot malware such as rootkits and bootkits cannot load before the operating system [1]. To enable it, the platform must boot in native UEFI mode with firmware that implements the secure boot protocol, and the operating system's boot loader must carry a digital signature that chains to the keys stored in the firmware. An operating system installed in legacy (BIOS/CSM) mode uses an MBR boot path with no signed UEFI loader, so it may not boot once secure boot is turned on. That is why the best method is to enable secure boot in the firmware settings and reload the operating system so that it is installed in UEFI mode with a signed boot loader [2].
* B. Reconfigure the system’s MBR and enable NTFS is not correct. MBR (Master Boot Record) is a legacy partitioning scheme that stores the partition table and the boot loader at the start of a disk. NTFS (New Technology File System) is a file system that supports features such as encryption, compression, and access control. Reconfiguring the MBR and enabling NTFS does not touch the firmware's secure boot setting, as neither is related to UEFI or secure boot. Moreover, a UEFI-mode operating system installation normally requires a GPT (GUID Partition Table) disk rather than MBR [3].
* C. Set UEFI to legacy mode and enable security features is not correct. Legacy mode (the Compatibility Support Module, or CSM) lets UEFI systems boot using legacy BIOS methods. Legacy mode disables UEFI features and benefits such as secure boot, faster boot time, and support for large GPT disks. Setting UEFI to legacy mode would not enable secure boot; it would disable it.
* D. Convert the legacy partition table to UEFI and repair the operating system is not correct. Converting the partition table means changing the partitioning scheme from MBR to GPT, which UEFI-mode booting normally requires. However, this alone does not enable secure boot, which also depends on the firmware setting and on a signed operating system boot loader. Repairing the operating system may or may not fix issues caused by converting the partition table, but it would not necessarily enable secure boot either.
[1] What Is Secure Boot?
[2] How to Enable Secure Boot
[3] MBR vs GPT: Which One Is Better for You; UEFI vs Legacy BIOS – The Ultimate Comparison Guide
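Once the operating system has been reloaded, a practitioner wants to verify from inside the OS that the firmware is actually enforcing secure boot, not merely that the option was toggled. The added example below (not from the original question bank) does that on Linux by reading the SecureBoot and SetupMode variables that the firmware exposes through efivarfs under the EFI global variable GUID; on Windows the equivalent single check is the Confirm-SecureBootUEFI PowerShell cmdlet. The efivarfs layout (a 4-byte attribute word followed by the one-byte value) is the kernel's documented format; the sample byte strings in the usage are constructed inputs so the logic can be exercised on any machine.

```python
import struct
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID; SecureBoot and SetupMode are published under it in efivarfs.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")
VARS = ("SecureBoot", "SetupMode")


def efivar_value(raw: bytes):
    """Decode a one-byte EFI boolean from efivarfs file content.
    efivarfs prefixes the variable data with a 4-byte little-endian attribute word,
    so the boolean is byte 4. Returns None if the content is too short."""
    if len(raw) < 5:
        return None
    struct.unpack("<I", raw[:4])  # attribute word (BS/RT flags); validated, not needed further
    return raw[4] == 1


def load_efivars(efivars_dir=EFIVARS_DIR) -> dict:
    """Read the raw SecureBoot and SetupMode variables; missing ones are omitted."""
    efivars_dir = Path(efivars_dir)
    found = {}
    for name in VARS:
        p = efivars_dir / f"{name}-{EFI_GLOBAL_GUID}"
        if p.is_file():
            found[name] = p.read_bytes()
    return found


def assess(raw_vars: dict, uefi_booted: bool) -> str:
    """Classify the boot state from the raw variables.
    LEGACY_BOOT: CSM/BIOS boot, no efivars, secure boot cannot be in effect (option C).
    SETUP_MODE:  UEFI boot but no platform key enrolled, so signatures are not enforced.
    ENABLED / DISABLED: the SecureBoot value the firmware reports.
    UNKNOWN:     UEFI boot but the variable is absent or unreadable."""
    if not uefi_booted:
        return "LEGACY_BOOT"
    sb = efivar_value(raw_vars.get("SecureBoot", b""))
    setup = efivar_value(raw_vars.get("SetupMode", b""))
    if sb is None:
        return "UNKNOWN"
    if setup:
        return "SETUP_MODE"
    return "ENABLED" if sb else "DISABLED"


def check_this_host() -> str:
    """Live check: efivars only exists when the kernel was started by UEFI firmware."""
    return assess(load_efivars(), EFIVARS_DIR.is_dir())


if __name__ == "__main__":
    print("Secure Boot state:", check_this_host())
    # Constructed efivarfs contents (attributes 0x06 = BS|RT, then the value byte):
    on, off = b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00"
    print("sample enabled  :", assess({"SecureBoot": on, "SetupMode": off}, True))
    print("sample setup    :", assess({"SecureBoot": off, "SetupMode": on}, True))
    print("sample legacy   :", assess({}, False))
```

Only ENABLED means the firmware will refuse an unsigned boot loader. A host that reports LEGACY_BOOT was started through the CSM, which is exactly the state options C and a legacy-mode installation leave it in, and SETUP_MODE means the keys were never enrolled even though the menu option may read "enabled".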

QUESTION 15

An organization has a policy that requires dedicated user accounts to run programs that need elevated privileges. Users must be part of a group that allows elevated permissions. While reviewing security logs, an analyst sees the following:
[Exhibit: security log excerpt not reproduced]
Which of the following hosts violates the organizational policies?

Correct Answer: D
The host “lincoln” violates the organizational policy that requires dedicated user accounts to run programs that need elevated privileges. The log shows the regular user “ldavis” running commands such as “su root”, “sudo apache.bin”, and “sudo grep” on “lincoln”, which are attempts to gain elevated privileges or read sensitive files from a standard account rather than from a dedicated, group-authorized one. The other hosts show no such activity from non-dedicated accounts.
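The check the analyst performed by eye generalizes to a small detection rule: collect every sudo and su event from the authentication log and flag those whose invoking account is not a dedicated elevated-privilege account in the authorized group. The example below is added here and is not the exam exhibit; the syslog lines are constructed in the format sudo and su emit, and the policy encoding (dedicated accounts carry the suffix "-adm" and must be members of "wheel", with the membership table hard-coded) is an assumption for the example.

```python
import re

# Constructed policy for this example (not from the exhibit): elevation may only
# come from dedicated admin accounts (suffix "-adm") that are members of the
# elevated group. The membership table below is an assumption.
ELEVATED_GROUP = "wheel"
GROUP_MEMBERS = {"wheel": {"jadams-adm", "tjeff-adm"}}
DEDICATED_SUFFIX = "-adm"

# sudo logs "user : TTY=... ; PWD=... ; USER=target ; COMMAND=..."; su logs "(to target) user on tty".
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sudo(?:\[\d+\])?:\s+(?P<user>\S+) : "
    r".*?COMMAND=(?P<cmd>.+)$"
)
SU_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) su(?:\[\d+\])?: "
    r"\(to (?P<target>\S+)\) (?P<user>\S+) on "
)

# Constructed sample log; the hosts, users and commands are illustrative only.
SAMPLE_LOG = """\
Oct 12 09:58:01 washington sudo: jadams-adm : TTY=pts/1 ; PWD=/home/jadams-adm ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd
Oct 12 10:01:22 lincoln su: (to root) ldavis on pts/0
Oct 12 10:01:40 lincoln sudo: ldavis : TTY=pts/0 ; PWD=/home/ldavis ; USER=root ; COMMAND=/opt/app/apache.bin
Oct 12 10:02:05 lincoln sudo: ldavis : TTY=pts/0 ; PWD=/home/ldavis ; USER=root ; COMMAND=/usr/bin/grep -r password /etc
Oct 12 10:05:13 jefferson sudo: tjeff-adm : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/yum update
Oct 12 10:07:30 roosevelt sshd[2231]: Accepted publickey for fdr from 10.0.0.5 port 51022 ssh2
"""


def parse_elevation_events(log_text: str) -> list:
    """Extract (host, user, command) for every sudo or su event; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            events.append((m["host"], m["user"], "sudo " + m["cmd"]))
            continue
        m = SU_RE.match(line)
        if m:
            events.append((m["host"], m["user"], "su " + m["target"]))
    return events


def is_compliant(user: str) -> bool:
    """A user may elevate only from a dedicated account that is in the elevated group."""
    return user.endswith(DEDICATED_SUFFIX) and user in GROUP_MEMBERS.get(ELEVATED_GROUP, set())


def find_violations(log_text: str) -> list:
    """Every elevation event performed by a non-compliant account."""
    return [(h, u, c) for h, u, c in parse_elevation_events(log_text) if not is_compliant(u)]


def violating_hosts(log_text: str) -> set:
    return {h for h, _, _ in find_violations(log_text)}


if __name__ == "__main__":
    for host, user, cmd in find_violations(SAMPLE_LOG):
        print(f"VIOLATION host={host} user={user} cmd={cmd!r}")
    print("hosts in violation:", sorted(violating_hosts(SAMPLE_LOG)))
```

Both the account-naming convention and the group check are enforced, because either one alone is weaker than the stated policy: a dedicated account that has been dropped from the group, or a group member elevating from a personal login, should both surface. In production the membership table would come from the directory or from getent rather than a literal.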