Correct answer:

When the client initiates the communication with the Kerberos server, it will send an authentication request, which includes the user’s login ID or username.

Incorrect answers:

The password will not be sent to the Kerberos server—just the user ID or username will be sent.

A password hash is not sent by the client to the server.

When the client wants to make an access request to a target server, an encrypted TGT with the name of the target server will be sent to the ticket-granting server.

Correct answer:

The difference between using the Windows version of traceroute (which is tracert) and standard traceroute (commonly found in UNIX/Linux systems) is that the Windows version uses ICMP, while the UNIX/Linux version by default uses UDP (although it can also use ICMP if required). As such, it seems that John is using some UNIX/Linux-based OS, while Michael is using a Windows machine, which would explain why tracert is not able to track the path to the web server.

Incorrect answers:

Both John and Michael are working on the same subnet and there’s nothing to suggest a routing issue. However, the difference in commands being used (tracert and traceroute) points to different operating systems being present.

DNS is not being used in this occasion, since the question mentions that the administrators are attempting to traceroute to the web server using its IP address.

There’s nothing to suggest the server is experiencing any issues. On the contrary, the fact that John is able to track the path to it properly is an indication that it is working just fine.

Correct answer:

Security policies should be updated regularly, such as once a year. If an organization’s security policy is updated, supporting policies should also be reviewed to ensure that they still provide the necessary support.

Incorrect answers:

Security risks change, so security policies are not meant to be static.

Security policies do not have any required minimum or maximum length, and they should be accessible to regular employees.

Correct answer:

IP address 192.168.10.10 belongs to the private IP address range of 192.168.0.0–192.168.255.255 (RFC 1918). However, no traffic originating from a private IP address would ever be expected to reach your perimeter firewall from the outside (with an inbound direction). This would most likely indicate that an attacker is attempting to spoof his IP address to resemble one of your internal machines or that some type of routing issue might be present. In any case, that traffic should be explicitly blocked at the firewall.

Incorrect answers:

From a private IP address with inbound direction should be accepted at the firewall. As mentioned earlier, this is most likely an attacker attempting to spoof his IP address to resemble one of the internal machines or some type of routing issue. Either way, that traffic shouldn’t be permitted.

Log only would only record this traffic flow with no additional action taken. However, having a log of this traffic won’t necessarily be useful, as the source IP is not the real IP of the attacker, not to mention that if a lot of traffic is present, logging it will consume considerable firewall resources.

It entails using the firewall’s implicit deny rule, which is located at the bottom of the ruleset, to deny this traffic. However, there’s no point in consuming device resources to have the firewall evaluate the whole ruleset if there’s no intention of allowing that traffic. As such, it is recommended to place a rule denying this traffic as close to the top of the ruleset as possible

Correct answer:

A Platform-as-a-Service (PaaS) model provides users with a computing platform, such as hardware, an operation system, and sometimes additional applications.

Incorrect answers:

Software-as-a-Service (SaaS) is also known as on-demand software. It provides users with access to software or applications over the Internet.

Infrastructure-as-a-Service (IaaS) provides access to hardware, such as servers and networking infrastructure, which the cloud provider maintains.

A service level agreement (SLA) is an agreement between an organization and a vendor and is unrelated to this question.

Correct answer:

Running background checks on future contractors will ensure that the company hires authorized individuals, thus minimizing the associated risk. As such, this is classified as a preventive control, as it allows the company to minimize any future risk that might be associated with employing a contractor.

Incorrect answers:

Detective control has the ability to provide event detection, and in this case the company is taking a proactive stance, as the intention is to perform a background check before a contractor is employed.

A corrective control would perform an activity to counter something that has taken place, but here the company is taking a proactive approach, not a reactive one.

A compensating control would be used in case a primary control fails, but there’s nothing to suggest that the background check is being used as such a control.

Correct answer:

A host-based intrusion detection system (HIDS) is installed on a system such as a server or workstation and provides continuous monitoring to detect potential malicious activity.

Incorrect answers:

A network-based IDS (NIDS) monitors traffic going through a network, but the scenario only wants to monitor the server. A NIDS uses agents monitoring traffic on routers and switches, and the agents forward the traffic to a central management console.

A signature-based IDS isn’t required, but a host-based IDS is. Additionally, any IDS is typically both signature-based and anomaly-based.

A network-based firewall monitors network traffic.

Correct answer:

SFTP (Secure FTP) uses TCP port 22. Note that even if you don’t remember the correct answer, it is still fairly easy to limit valid options. SFTP is a connection-oriented protocol (meaning it uses a three-way handshake to establish a connection), which means that there’s no chance that UDP would be used. As such, it at least limits the possible options to two. The only other thing you need to think about is the fact that SFTP runs over SSH, which uses TCP port 22.

Incorrect answers:

TCP port 443 is used for HTTPS (Hypertext Transfer Protocol over SSL), which is commonly used to establish secure connections between a client and a server.

UDP port 53 is used by DNS (Domain Name System) to allow machines to perform DNS lookups and resolve domain names to IP addresses.

UDP port 69 is used by TFTP (Trivial File Transfer Protocol), not SFTP. TFTP is an unencrypted protocol and uses UDP. It was commonly used to retrieve device configurations (i.e., in the case of a router obtaining a configuration file via TFTP) or computers booting over TFTP on a local network.

Correct answer:

An attacker can use a service scan to check if there’s indeed an SSH server running on TCP port 22. The exact method of how that will be performed depends on the tool. Nmap, for example, has a service probe database that it can utilize to identify any application running on the target, the specific version of it, and more details.

Incorrect answers:

A ping sweep would be used to check if any hosts are available in a given target subnet and is not able to provide service information.

A port scan would reveal the existence of the open ports on the target and is in fact what has already taken place, as the question states that TCP port 22 was already identified as open. However, it is not enough to ascertain if there is an SSH server using TCP port 22 running on the target machine.

OS detection would be used in order to identify the target’s operating system, not a specific service.

Correct answer:

The only valid action of the given choices is to disconnect the cable from the network interface card (NIC). This will isolate the system without modifying any evidence.

Incorrect answers:

All of the other choices will modify potential evidence.

Powering down the system will erase data in volatile RAM.

Accessing any logs or files may modify the data, resulting in new access times being recorded. Additionally, modifying the permissions is also a modification of evidence.