Pass the The SecOps Group Security Practitioner CNSP Questions and answers with ValidTests

Authentication and Authorization (often abbreviated as AuthN and AuthZ) are foundational pillars of access control in network security:

Authentication (AuthN):Verifies "who you are" by validating credentials against a trusted source. Examples include passwords, MFA (multi-factor authentication), certificates, or biometrics. It ensures the entity (user, device) is legitimate, typically via protocols like Kerberos or LDAP.

Authorization (AuthZ):Determines "what you can do" after authentication, enforcing policies on resource access (e.g., read/write permissions, API calls). It relies on mechanisms like Access Control Lists (ACLs), Role-Based Access Control (RBAC), or Attribute-Based Access Control (ABAC).

Option Acorrectly separates these roles:

Authorization governs access decisions (e.g., "Can user X read file Y?").

Authentication establishes identity (e.g., "Is this user X?").

In practice, these processes are sequential: AuthN precedes AuthZ. For example, logging into a VPN authenticates your identity (e.g., via username/password), then authorizes your access to specific subnets based on your role. CNSP likely stresses this distinction for designing secure systems, as conflating them risks privilege escalation or identity spoofing vulnerabilities.

Why other options are incorrect:

B:Reverses the definitions—Authentication doesn’t grant/deny access (that’s AuthZ), and Authorization doesn’t validate identity (that’s AuthN). This mix-up could lead to flawed security models.

C:Falsely equates AuthN and AuthZ and attributes access rules to AuthN. They’re distinct processes; treating them as identical undermines granular control (e.g., NIST SP 800-53 separates IA-2 for AuthN and AC-3 for AuthZ).

D:Misassigns access control to AuthN and claims they don’t interoperate, which is false—they work together in every modern system (e.g., SSO with RBAC). This would render auditing impossible, contradicting security best practices.

Real-World Context:A web server (e.g., Apache) authenticates via HTTP Basic Auth, then authorizes via .htaccess rules—two separate steps.References:CNSP Official Study Guide (Access Control Fundamentals); NIST SP 800-53 (Security and Privacy Controls).

An IP address with a/18prefix (CIDR notation) indicates 18 network bits in the subnet mask, leaving 14 host bits (32 total bits - 18). For IPv4 (e.g., 192.168.0.1):

Binary Mask:First 18 bits are 1s, rest 0s.

1st octet: 11111111 (255)

2nd octet: 11111111 (255)

3rd octet: 11000000 (192)

4th octet: 00000000 (0)

Decimal:255.255.192.0

Calculation:

Bits: /18 = 2^14 hosts (16,384), minus 2 (network/broadcast) = 16,382 usable.

Range: 192.168.0.0–192.168.63.255 (3rd octet: 0–63, as 192 = 11000000 covers 6 bits).

Technical Details:

Subnet masks align on octet boundaries or mid-octet (e.g., 192 = 2^7 + 2^6).

Contrast: /24 = 255.255.255.0 (256 hosts), /16 = 255.255.0.0 (65,536 hosts).

Security Implications:Larger subnets (e.g., /18) increase broadcast domains, risking amplification attacks. CNSP likely teaches subnetting for segmentation (e.g., VLANs).

Why other options are incorrect:

A. 255.255.255.0:/24 (8 host bits), not /18.

B. 255.225.225.0:Invalid mask (225 = 11100001, non-contiguous 1s).

D. 255.225.192.0:Invalid (225 breaks binary sequence).

Real-World Context:Subnetting 192.168.0.0/18 isolates departments in enterprise networks.References:CNSP Official Documentation (IP Addressing); RFC 1918 (Private IP).

The prefix $2a$ identifies thebcrypthashing algorithm, which is based on the Blowfish symmetric encryption cipher (developed by Bruce Schneier). Bcrypt is purpose-built for password hashing, incorporating:

Salt:A random string (e.g., 22 Base64 characters) to thwart rainbow table attacks.

Work Factor:A cost parameter (e.g., $2a$10$ means 2^10 iterations), making it computationally expensive to brute-force.

Format:$2a$[cost]$[salt][hash]

Example: $2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy

$2a$: Bcrypt variant (original is $2$; $2a$ fixes a minor bug).

$10$: 1024 iterations.

Next 22 characters: Salt.

Remaining: Hashed password.

Used in /etc/shadow on Linux, bcrypt’s adaptive nature ensures it remains secure as hardware improves. CNSP likely includes it in cryptography modules for its strength over older algorithms like MD5.

Why other options are incorrect:

B. SHA256:Part of the SHA-2 family, outputs a 64-character hexadecimal string (e.g., e3b0c442...), no $ prefix. It’s faster, less suited for passwords.

C. MD5:Produces a 32-character hex string (e.g., d41d8cd9...), no prefix. It’s cryptographically broken (collisions found).

D. SHA512:SHA-2 variant, 128-character hex (e.g., cf83e135...), no $ prefix, not salted by default.

Real-World Context:Bcrypt protects SSH keys and web app passwords (e.g., in PHP’s password_hash()).References:CNSP Official Documentation (Cryptography); Bcrypt Specification, RFC 1321 (MD5).

The Windows Registry is a hierarchical database storing configuration settings for the operating system, applications, and hardware. It’s physically stored ashive fileson disk, located in the directoryC:\Windows\System32\Config. These files are loaded into memory at boot time and managed by the Windows kernel. Key hive files include:

SYSTEM:Contains hardware and system configuration (e.g., drivers, services).

SOFTWARE:Stores software settings.

SAM:Security Accounts Manager data (e.g., local user accounts, passwords).

SECURITY:Security policies and permissions.

DEFAULT:Default user profile settings.

USERDIFFand user-specific hives (e.g., NTUSER.DAT in C:\Users) for individual profiles, though these are linked to Config indirectly.

Technical Details:

Path:C:\Windows\System32\Configis the primary location for system-wide hives. Files lack extensions (e.g., "SYSTEM" not "SYSTEM.DAT") and are backed by transaction logs (e.g., SYSTEM.LOG) for recovery.

Access: Direct file access is restricted while Windows runs, as the kernel locks them. Tools like reg save or offline forensic utilities (e.g., RegRipper) can extract them.

Backup: Copies may exist in C:\Windows\System32\config\RegBack (pre-Windows 10 1803) or repair folders (e.g., C:\Windows\Repair).

Security Implications:The registry is a prime target for attackers (e.g., persistence via Run keys) and malware (e.g., WannaCry modified registry entries). CNSP likely emphasizes securing this directory (e.g., NTFS permissions) and auditing changes (e.g., via Event Viewer, Event ID 4657). Compromising these files offline (e.g., via physical access) can extract password hashes from SAM.

Why other options are incorrect:

A. C:\Windows\debug:Used for debug logs (e.g., memory.dmp) or tools like DebugView, not registry hives. It’s unrelated to core configuration storage.

C. C:\Windows\security:Contains security-related files (e.g., audit logs, policy templates), but not the registry hives themselves.

D. All of the above:Only B is correct; including A and C dilutes accuracy.

Real-World Context:Forensic analysts target C:\Windows\System32\Config during investigations (e.g., parsing SAM with Mimikatz offline).References:CNSP Official Study Guide (Windows Security Architecture); Microsoft Windows Registry Documentation.

The EICAR test file is a standardized tool in security testing, designed for a specific purpose.

Why A is correct:The EICAR file (a 68-byte string) triggers antivirus detection without harm, testing response capabilities. CNSP recommends it for AV validation.

Why B is incorrect:It has no role in testing encryption; it’s solely for AV functionality.

References:CNSP "Antivirus Testing" (Section on EICAR) describes its use for AV response verification.

The LinuxFilesystem Hierarchy Standard (FHS), per FHS 3.0, defines directory purposes:

/mnt:Designated fortemporarily mounted filesystems, typically by system administrators.

Use: Mount points for removable media (e.g., USB drives: mount /dev/sdb1 /mnt/usb) or network shares (e.g., NFS).

Nature: Transient, user-managed, not persistent across reboots (unlike /etc/fstab mounts).

Contrast:

/media:Auto-mounts removable devices (e.g., by desktop environments like GNOME).

/mnt vs. /media:/mnt is manual, /media is system-driven.

Technical Details:

Empty by default; subdirectories (e.g., /mnt/usb) are created as needed.

Permissions: Typically root-owned (0755), requiring sudo for mounts.

Security Implications:Misconfigured /mnt mounts (e.g., world-writable) risk unauthorized access. CNSP likely covers mount security (e.g., nosuid option).

Why other options are incorrect:

B. System config/init scripts:Found in /etc (e.g., /etc/passwd, /etc/init.d).

C. Driver modules:Located in /lib/modules/.

D. Kernel state:Resides in /proc (e.g., /proc/cpuinfo).

Real-World Context:Admins mount ISOs at /mnt during server provisioning (e.g., mount -o loop image.iso /mnt).References:CNSP Official Study Guide (Linux Filesystems); FHS 3.0 Documentation.

Social engineeringexploits human psychology to manipulate individuals into divulging sensitive information, granting access, or performing actions that compromise security. Unlike technical exploits, it targets the "human factor," often bypassing technical defenses. The listed attacks fit this category:

Phishing:Mass, untargeted emails (e.g., fake bank alerts) trick users into entering credentials on spoofed sites. Uses tactics like urgency or trust (e.g., typosquatting domains).

Spear Phishing:Targeted phishing against specific individuals/organizations (e.g., CEO fraud), leveraging reconnaissance (e.g., LinkedIn data) for credibility.

Vishing (Voice Phishing):Phone-based attacks (e.g., fake tech support calls) extract info via verbal manipulation. Often spoofs caller ID.

Scareware:Fake alerts (e.g., “Your PC is infected!” pop-ups) scare users into installing malware or paying for bogus fixes. Exploits fear and urgency.

Watering Hole:Compromises trusted websites frequented by a target group (e.g., industry forums), infecting visitors via drive-by downloads. Relies on habitual trust.

Technical Details:

Delivery: Email (phishing), VoIP (vishing), web (watering hole/scareware).

Payloads: Credential theft, malware (e.g., trojans), or financial fraud.

Mitigation: User training, email filters (e.g., DMARC), endpoint protection.

Security Implications:Social engineering accounts for ~90% of breaches (e.g., Verizon DBIR 2023), as it exploits unpatchable human error. CNSP likely emphasizes awareness (e.g., phishing simulations) and layered defenses (e.g., MFA).

Why other options are incorrect:

A. Probes:Reconnaissance techniques (e.g., port scanning) to identify vulnerabilities, not manipulation-based like these attacks.

B. Insider threats:Malicious actions by authorized users (e.g., data theft by employees), not external human-targeting tactics.

D. Ransomware:A malware type (e.g., WannaCry) that encrypts data for ransom, not a manipulation method—though phishing often delivers it.

Real-World Context:The 2016 DNC hack used spear phishing to steal credentials, showing social engineering’s potency.References:CNSP Official Study Guide (Social Engineering Threats); NIST SP 800-50 (Security Awareness Training).

The net localgroup command manages local group memberships on Windows systems, with syntax dictating its action.

Why B is correct:net localgroup Sales Sales_domain /add adds the domain group Sales_domain to the local group Sales, granting its members local group privileges. CNSP covers this for privilege escalation testing.

Why other options are incorrect:

A:Displaying users requires net localgroup Sales without /add.

C:Adding a user requires a username, not a group name like Sales_domain.

D:The reverse (local to domain) uses net group, not net localgroup.

References:CNSP "Windows Group Management" (Section on net Commands) explains net localgroup for adding domain groups.